From: Ismaƫl Bouya
Date: Fri, 29 Jan 2021 23:41:57 +0000 (+0100)
Subject: Move csp report credentials out of the store
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=0966f95c6968963988d7ebc846eb0e6087091acc
Move csp report credentials out of the store
---
diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix
new file mode 100644
index 0000000..4660251
--- /dev/null
+++ b/modules/private/websites/tools/tools/csp_reports.nix
@@ -0,0 +1,12 @@
+{ env }:
+rec {
+ keys = [{
+ dest = "webapps/tools-csp-reports.conf";
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = with env.postgresql; ''
+ env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}"
+ '';
+ }];
+}
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index 1e30eed..7903ca5 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -55,6 +55,9 @@ let dmarc-reports = pkgs.callPackage ./dmarc_reports.nix { env = config.myEnv.tools.dmarc_reports; }; + csp-reports = pkgs.callPackage ./csp_reports.nix { + env = config.myEnv.tools.csp_reports; + }; landing = pkgs.callPackage ./landing.nix {};
@@ -74,6 +77,7 @@ in { ++ wallabag.keys ++ yourls.keys ++ dmarc-reports.keys + ++ csp-reports.keys ++ webhooks.keys; services.duplyBackup.profiles = {
@@ -302,11 +306,10 @@ in { "/run/wrappers/bin/sendmail" landing "/tmp" "${config.secrets.location}/webapps/webhooks" ]; + "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf"; }; phpEnv = { CONTACT_EMAIL = config.myEnv.tools.contact; - CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql; - "\"host=${socket} dbname=${database} user=${user} password=${password}\""; }; phpPackage = pkgs.php72; };
diff --git a/nixops/secrets b/nixops/secrets
index 1b3be53..d3e1cb5 160000
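Review bot: In the new csp_reports.nix, `password` and the other `env.postgresql` fields are spliced unescaped into two nested syntaxes on the `env[CSP_REPORT_URI]` line: a double-quoted php-fpm INI value and what looks like a libpq keyword/value connection string. A secret containing `"`, whitespace, `'` or a backslash would either end the INI string early or be parsed as extra connection parameters, so a strong random password can silently break or alter the connection. Either quote the value according to libpq's rules or record the constraint next to `text`, e.g. `# password must not contain quotes, backslashes or whitespace: it is embedded unescaped below`. The `rec` on the attribute set is not used by anything in this file and could be dropped.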
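Review bot: The new `"include"` entry in the third default.nix hunk makes the php-fpm pool configuration depend on `${config.secrets.location}/webapps/tools-csp-reports.conf` existing when the configuration is parsed, and nothing visible in the hunk orders the service after the secrets are deployed; if the file is missing, php-fpm will probably refuse to load the pool rather than start without the variable. The enclosing attribute set starts outside the hunk, so that ordering may already be handled elsewhere and is worth confirming. A short comment above the line would record the intent, e.g. `# DB credentials for the CSP report endpoint are included from a secrets file so they stay out of the world-readable Nix store`. The removed `phpEnv` value also remains in previously built store paths until those generations are garbage-collected, so the password should be rotated unless the `nixops/secrets` bump already does that.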
--- a/nixops/secrets
+++ b/nixops/secrets
@@ -1 +1 @@
-Subproject commit 1b3be53dd5e79ba1af9207aff17486a0558a40a5
+Subproject commit d3e1cb5463246bbf7b42a0fc3bf542d24c4597b8