};
};
config = let
- oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys;
keys = config.mySecrets.keys;
empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
- dumpOldKey = k: v: let
- dest = if v.destDir == "/run/keys"
- then k
- else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k;
- in ''
- mkdir -p secrets/$(dirname ${dest})
- echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest}
- cat >> mods <<EOF
- ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${dest}
- EOF
- '';
dumpKey = v: ''
mkdir -p secrets/$(dirname ${v.dest})
echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
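Review bot: In the new `dumpKey`, `v.dest` is interpolated unescaped into both shell lines while `v.text` goes through `escapeShellArg`, so a `dest` containing whitespace or shell metacharacters breaks the script, and a `dest` such as `../x` writes outside `secrets/`; the later `mods` loop also splits on whitespace. Escaping is cheap: `mkdir -p secrets/$(dirname ${lib.strings.escapeShellArg v.dest})` and `echo -n ${lib.strings.escapeShellArg v.text} > secrets/${lib.strings.escapeShellArg v.dest}`, plus an assertion that `dest` is a relative path without `..` components where `mySecrets.keys` is declared. Note too that because this snippet is the builder of `pkgs.runCommand "secrets.tar"`, each key's plaintext ends up in the derivation and its output in the Nix store; that was already true of the removed `dumpOldKey` path, but a one-line comment above `dumpKey` saying `# key text is embedded in a store derivation; the store must not be world-readable on this host` would save the next reader from assuming otherwise. The enclosing `config = let` binding continues past the end of this hunk.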
secrets = pkgs.runCommand "secrets.tar" {} ''
touch mods
tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
- ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)}
${builtins.concatStringsSep "\n" (map dumpKey keys)}
cat mods | while read u g p k; do
tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
services.myWebsites.TellesFlorian.integration.enable = true;
services.myWebsites.Florian.integration.enable = true;
- deployment.keys.apache-ldap = {
+ mySecrets.keys = [{
+ dest = "apache-ldap";
user = "wwwrun";
group = "wwwrun";
permissions = "0400";
</IfModule>
</Macro>
'';
- };
+ }];
services.myWebsites.apacheConfig = {
gzip = {
LDAPOpCacheTTL 600
</IfModule>
- Include /run/keys/apache-ldap
+ Include /var/secrets/apache-ldap
'';
};
global = {
];
};
- deployment.keys = nextcloud.keys;
+ mySecrets.keys = nextcloud.keys;
users.users.root.packages = let
occ = pkgs.writeScriptBin "nextcloud-occ" ''
#! ${pkgs.stdenv.shell}
};
in rec {
varDir = "/var/lib/nextcloud";
- keys.tools-nextcloud = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-nextcloud";
user = apache.user;
group = apache.group;
permissions = "0600";
'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
);
'';
- };
+ }];
webRoot = stdenv.mkDerivation rec {
name = "nextcloud-${version}";
version = "15.0.4";
install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config
- install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php
+ install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
'';
};
apache = rec {
'';
};
davical = rec {
- keys."dav-davical" = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/dav-davical";
user = apache.user;
group = apache.group;
permissions = "0400";
$c->do_not_sync_from_ldap = array('admin' => true);
include('drivers_ldap.php');
'';
- };
+ }];
webapp = stdenv.mkDerivation rec {
version = "1.1.7";
name = "davical-${version}";
installPhase = ''
mkdir -p $out
cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out
- ln -s /run/keys/webapps/dav-davical $out/config/config.php
+ ln -s /var/secrets/webapps/dav-davical $out/config/config.php
'';
buildInputs = [ gettext ];
};
'';
};
phpFpm = rec {
- serviceDeps = [ "postgresql.service" "openldap.service" "dav-davical-key.service" ];
- basedir = builtins.concatStringsSep ":" [ webapp "/run/keys/webapps/dav-davical" awl ];
+ serviceDeps = [ "postgresql.service" "openldap.service" ];
+ basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
socket = "/var/run/phpfpm/davical.sock";
pool = ''
listen = ${socket}
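Review bot: Dropping `"dav-davical-key.service"` from `serviceDeps` removes the only visible ordering between php-fpm startup and the presence of the secret now read from `/var/secrets/webapps/dav-davical` (also listed in `basedir`), and nothing in this diff shows what replaces it. The same removal is made for mantisbt (L161-162), kanboard (L215-217), ldap (L250-252), roundcube (L286-287), ttrss (L348-349), wallabag (L389-391) and yourls (L423-424). If `/var/secrets` is populated by an activation script that runs before units start, a comment saying so next to the first `serviceDeps` would be enough; otherwise these pools can start before the file exists and fail or serve without their config. `phpFpm` continues outside the hunk.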
config = lib.mkIf cfg.enable {
security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
- deployment.keys = davical.keys;
+ mySecrets.keys = davical.keys;
services.myWebsites.tools.modules = davical.apache.modules;
services.myWebsites.tools.vhostConfs.dav = {
});
}) ];
- deployment.keys = mantisbt.keys;
+ mySecrets.keys = mantisbt.keys;
services.myWebsites.tools.modules =
gitweb.apache.modules ++
mantisbt.apache.modules;
});
};
in rec {
- keys."tools-mantisbt" = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-mantisbt";
user = apache.user;
group = apache.group;
permissions = "0400";
$g_ldap_realname_field = 'cn';
$g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
'';
- };
+ }];
webRoot = stdenv.mkDerivation rec {
name = "mantisbt-${version}";
version = "2.11.1";
];
installPhase = ''
cp -a . $out
- ln -s /run/keys/webapps/tools-mantisbt $out/config/config_inc.php
+ ln -s /var/secrets/webapps/tools-mantisbt $out/config/config_inc.php
ln -s ${plugins.slack} $out/plugins/Slack
ln -s ${plugins.source-integration}/Source* $out/plugins/
'';
'';
};
phpFpm = rec {
- serviceDeps = [ "postgresql.service" "openldap.service" "tools-mantisbt-key.service" ];
+ serviceDeps = [ "postgresql.service" "openldap.service" ];
basedir = builtins.concatStringsSep ":" (
- [ webRoot "/run/keys/webapps/tools-mantisbt" ]
+ [ webRoot "/var/secrets/webapps/tools-mantisbt" ]
++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
socket = "/var/run/phpfpm/mantisbt.sock";
pool = ''
security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
- deployment.keys =
+ mySecrets.keys =
kanboard.keys
- // ldap.keys
- // roundcubemail.keys
- // shaarli.keys
- // ttrss.keys
- // wallabag.keys
- // yourls.keys;
+ ++ ldap.keys
+ ++ roundcubemail.keys
+ ++ shaarli.keys
+ ++ ttrss.keys
+ ++ wallabag.keys
+ ++ yourls.keys;
services.myWebsites.integration.modules =
rainloop.apache.modules;
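Review bot: Switching from attrset merge (`//`) to list concatenation (`++`) changes the duplicate semantics: two keys that previously shared an attribute name collapsed to one, whereas two list entries with the same `dest` now both reach the tar and the later `echo` silently overwrites the earlier file. Since `mySecrets.keys` is also defined in other modules (L31, L53, L122, L128), its declaration (not in this diff) must use a list type that merges by concatenation, and it would be worth rejecting duplicate `dest` values there, e.g. with an assertion comparing `lib.unique (map (k: k.dest) keys)` against the full list. The surrounding `config` block starts before this hunk.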
install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
'';
};
- keys.tools-kanboard = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-kanboard";
user = apache.user;
group = apache.group;
permissions = "0400";
define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
?>
'';
- };
+ }];
webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec {
dontBuild = true;
installPhase = ''
cp -a . $out
- ln -s /run/keys/webapps/tools-kanboard $out/config.php
+ ln -s /var/secrets/webapps/tools-kanboard $out/config.php
mv $out/data $out/dataold
ln -s ${varDir}/data $out/data
'';
'';
};
phpFpm = rec {
- serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ];
+ serviceDeps = [ "postgresql.service" "openldap.service" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
socket = "/var/run/phpfpm/kanboard.sock";
pool = ''
listen = ${socket}
{ lib, php, env, writeText, stdenv, optipng, fetchurl }:
rec {
- keys.tools-ldap = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-ldap";
user = apache.user;
group = apache.group;
permissions = "0400";
$servers->setValue('login','attr','uid');
$servers->setValue('login','fallback_dn',true);
'';
- };
+ }];
webRoot = stdenv.mkDerivation rec {
version = "1.2.3";
name = "phpldapadmin-${version}";
'';
installPhase = ''
cp -a . $out
- ln -sf /run/keys/webapps/tools-ldap $out/config/config.php
+ ln -sf /var/secrets/webapps/tools-ldap $out/config/config.php
'';
};
apache = rec {
'';
};
phpFpm = rec {
- serviceDeps = [ "openldap.service" "tools-ldap-key.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot "/run/keys/webapps/tools-ldap" ];
+ serviceDeps = [ "openldap.service" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
socket = "/var/run/phpfpm/ldap.sock";
pool = ''
listen = ${socket}
install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
'';
};
- keys.tools-roundcube = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-roundcube";
user = apache.user;
group = apache.group;
permissions = "0400";
$config['temp_dir'] = '${varDir}/cache';
$config['mime_types'] = '${apacheHttpd}/conf/mime.types';
'';
- };
+ }];
webRoot = stdenv.mkDerivation rec {
version = "1.4-rc1";
name = "roundcubemail-${version}";
'';
installPhase = ''
cp -a . $out
- ln -s /run/keys/webapps/tools-roundcube $out/config/config.inc.php
+ ln -s /var/secrets/webapps/tools-roundcube $out/config/config.inc.php
${builtins.concatStringsSep "\n" (
lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
)}
'';
};
phpFpm = rec {
- serviceDeps = [ "postgresql.service" "tools-roundcube-key.service" ];
+ serviceDeps = [ "postgresql.service" ];
basedir = builtins.concatStringsSep ":" (
- [ webRoot "/run/keys/webapps/tools-roundcube" varDir ]
+ [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
++ lib.attrsets.mapAttrsToList (name: value: value) plugins
++ lib.attrsets.mapAttrsToList (name: value: value) skins);
phpConfig = ''
vhostConf = ''
Alias /Shaarli "${root}"
- Include /run/keys/webapps/tools-shaarli
+ Include /var/secrets/webapps/tools-shaarli
<Directory "${root}">
DirectoryIndex index.php index.htm index.html
Options Indexes FollowSymLinks MultiViews Includes
</Directory>
'';
};
- keys.tools-shaarli = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-shaarli";
user = apache.user;
group = apache.group;
permissions = "0400";
SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
'';
- };
+ }];
phpFpm = rec {
serviceDeps = [ "openldap.service" ];
basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
'';
};
- keys.tools-ttrss = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-ttrss";
user = apache.user;
group = apache.group;
permissions = "0400";
define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
define('LDAP_AUTH_DEBUG', FALSE);
'';
- };
+ }];
webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec {
buildPhase = ''
rm -rf lock feed-icons cache
'';
installPhase = ''
cp -a . $out
- ln -s /run/keys/webapps/tools-ttrss $out/config.php
+ ln -s /var/secrets/webapps/tools-ttrss $out/config.php
${builtins.concatStringsSep "\n" (
lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
)}
'';
};
phpFpm = rec {
- serviceDeps = [ "postgresql.service" "openldap.service" "tools-ttrss-key.service" ];
+ serviceDeps = [ "postgresql.service" "openldap.service" ];
basedir = builtins.concatStringsSep ":" (
- [ webRoot "/run/keys/webapps/tools-ttrss" varDir ]
+ [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
socket = "/var/run/phpfpm/ttrss.sock";
pool = ''
let
wallabag = rec {
varDir = "/var/lib/wallabag";
- keys.tools-wallabag = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-wallabag";
user = apache.user;
group = apache.group;
permissions = "0400";
class: Swift_SendmailTransport
arguments: ['/run/wrappers/bin/sendmail -bs']
'';
- };
+ }];
webappDir = composerEnv.buildPackage rec {
packages = {
"fr3d/ldap-bundle" = {
'';
postInstall = ''
rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data
- ln -sf /run/keys/webapps/tools-wallabag app/config/parameters.yml
+ ln -sf /var/secrets/webapps/tools-wallabag app/config/parameters.yml
ln -sf ${varDir}/var/{cache,logs,sessions} var
ln -sf ${varDir}/data data
ln -sf ${varDir}/assets web/assets
/run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
popd > /dev/null
echo -n "${webappDir}" > ${varDir}/currentWebappDir
- sha512sum /run/keys/webapps/tools-wallabag > ${varDir}/currentKey
+ sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
fi
'';
- serviceDeps = [ "postgresql.service" "openldap.service" "tools-wallabag-key.service" ];
- basedir = builtins.concatStringsSep ":" [ webappDir "/run/keys/webapps/tools-wallabag" varDir ];
+ serviceDeps = [ "postgresql.service" "openldap.service" ];
+ basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
socket = "/var/run/phpfpm/wallabag.sock";
pool = ''
listen = ${socket}
activationScript = ''
install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
'';
- keys.tools-yourls = {
- destDir = "/run/keys/webapps";
+ keys = [{
+ dest = "webapps/tools-yourls";
user = apache.user;
group = apache.group;
permissions = "0400";
define( 'LDAPAUTH_USERCACHE_TYPE', 0);
'';
- };
+ }];
webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec {
installPhase = ''
mkdir -p $out
cp -a */ *.php $out/
cp sample-robots.txt $out/robots.txt
- ln -sf /run/keys/webapps/tools-yourls $out/includes/config.php
+ ln -sf /var/secrets/webapps/tools-yourls $out/includes/config.php
${builtins.concatStringsSep "\n" (
lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins
)}
'';
};
phpFpm = rec {
- serviceDeps = [ "mysql.service" "openldap.service" "tools-yourls-key.service" ];
+ serviceDeps = [ "mysql.service" "openldap.service" ];
basedir = builtins.concatStringsSep ":" (
- [ webRoot "/run/keys/webapps/tools-yourls" ]
+ [ webRoot "/var/secrets/webapps/tools-yourls" ]
++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
socket = "/var/run/phpfpm/yourls.sock";
pool = ''