Move ympd password to secure location
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 20 Apr 2019 15:01:31 +0000 (17:01 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 20 Apr 2019 15:02:05 +0000 (17:02 +0200)
Related issue: https://git.immae.eu/mantisbt/view.php?id=122

nixops/modules/mpd/default.nix
nixops/modules/websites/tools/tools/default.nix
nixops/modules/websites/tools/tools/ympd-password-env.patch [new file with mode: 0644]
nixops/modules/websites/tools/tools/ympd.nix

index 7781b363dba7bbbaaff1b38297047e602c32537a..d59a34cd0b5048858e6e025d1b2ffcbcca6b47b8 100644 (file)
@@ -1,6 +1,12 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
   config = {
+    deployment.keys = {
+      mpd = {
+        permissions = "0400";
+        text = myconfig.env.mpd.password;
+      };
+    };
     networking.firewall.allowedTCPPorts = [ 6600 ];
     users.users.mpd.extraGroups = [ "wwwrun" ];
     services.mpd = {
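Review bot: The new `mpd` key sets `permissions = "0400"` but no `user`/`group`, so with NixOps' defaults the file is owned by root and readable only by root; that matches the ympd unit in tools/default.nix, which reads it before ympd drops to `nobody`, but if the `services.mpd` block that follows (its body is outside this hunk) is also meant to consume the secret, the key needs `user = "mpd";`. Note also that `/run/keys` is not persistent: after a reboot the file is absent until `nixops send-keys` has run, so each consumer should declare `after = [ "mpd-key.service" ]; wants = [ "mpd-key.service" ];` rather than assuming the file exists at start.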
index d3092876169b03e9941c20b2d22721621907ed0d..fc5b48d29b3b43cc1748ac6355806065093bb689 100644 (file)
@@ -72,7 +72,14 @@ in {
       ++ ldap.apache.modules
       ++ kanboard.apache.modules;
 
-    services.ympd = ympd.config // { enable = true; };
+    systemd.services.ympd = {
+      description = "Standalone MPD Web GUI written in C";
+      wantedBy = [ "multi-user.target" ];
+      script = ''
+        export MPD_PASSWORD=$(cat /run/keys/mpd)
+        ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
+        '';
+    };
 
     services.myWebsites.integration.vhostConfs.devtools = {
       certName    = "eldiron";
@@ -239,7 +246,9 @@ in {
       '';
 
     nixpkgs.overlays = [ (self: super: rec {
-      ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json);
+      ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json // {
+        patches = (old.patches or []) ++ [ ./ympd-password-env.patch ];
+      });
     }) ];
 
     systemd.services.tt-rss = {
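Review bot: In the first hunk the line `export MPD_PASSWORD=$(cat /run/keys/mpd)` masks a failing `cat` with the exit status of `export`, so if the key is missing (for example after a reboot before `nixops send-keys`) ympd starts with an empty password instead of failing; if, as I believe, NixOS runs `script` with errexit, splitting it as `MPD_PASSWORD=$(cat /run/keys/mpd)` then `export MPD_PASSWORD` makes the missing key abort the unit. The unit also has no ordering on the key: add `after = [ "mpd-key.service" ]; wants = [ "mpd-key.service" ];` next to `wantedBy` so systemd does not start it before the key is in place. The second hunk (the overlay adding the patch) needs nothing beyond this.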
diff --git a/nixops/modules/websites/tools/tools/ympd-password-env.patch b/nixops/modules/websites/tools/tools/ympd-password-env.patch
new file mode 100644 (file)
index 0000000..2bbe188
--- /dev/null
@@ -0,0 +1,23 @@
+diff --git a/src/ympd.c b/src/ympd.c
+index 3aed7e6..b3b6fda 100644
+--- a/src/ympd.c
++++ b/src/ympd.c
+@@ -71,6 +71,7 @@ int main(int argc, char **argv)
+     char *run_as_user = NULL;
+     char const *error_msg = NULL;
+     char *webport = "8080";
++    const char *s;
+     atexit(bye);
+ #ifdef WITH_DYNAMIC_ASSETS
+@@ -92,6 +93,10 @@ int main(int argc, char **argv)
+         {0,              0,                 0,  0 }
+     };
++    if ((s = getenv("MPD_PASSWORD")) != NULL) {
++        mpd.password = strdup(s);
++    }
++
+     while((n = getopt_long(argc, argv, "h:p:w:u:vm:",
+                 long_options, &option_index)) != -1) {
+         switch (n) {
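Review bot: In the second inner hunk of src/ympd.c the `MPD_PASSWORD` value is copied with an unchecked `strdup` and then left in the process environment, where any child process inherits it and anything able to read the process's environ can recover it; once copied it should be removed and the copy checked, i.e. `mpd.password = strdup(s);` followed by `unsetenv("MPD_PASSWORD");`, with a failure path when `strdup` returns NULL. `unsetenv` is POSIX and lives in `<stdlib.h>`, which I assume is already included since `getenv` is used. Because the environment is read before the `getopt_long` loop, a later `--mpdpass` argument (presumably the `m:` option) overrides it and leaks the strdup'd copy; a one-line comment such as `/* MPD_PASSWORD is a default; --mpdpass on the command line takes precedence */` would document that. `main` begins and ends outside this hunk.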
index 613a171c6c8275898f6a86cf479c3f888659cd8f..82d9321d1d77b53454ed17181f9a5eb668d80680 100644 (file)
@@ -3,10 +3,8 @@ let
   ympd = rec {
     config = {
       webPort = "localhost:${env.listenPort}";
-      mpd = {
-        host = "${env.mpd.host} --mpdpass ${env.mpd.password}";
-        port = env.mpd.port;
-      };
+      host = env.mpd.host;
+      port = env.mpd.port;
     };
     apache = {
       modules = [