From 32c84ff89c2b8931f58cea63961a178a9b1d0efe Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Thu, 25 Apr 2019 09:05:46 +0200 Subject: [PATCH] Move etherpad mastodon mediagoblin task and peertube to new secrets --- nixops/modules/task/default.nix | 8 +++--- .../modules/websites/tools/ether/default.nix | 10 +++---- .../websites/tools/ether/etherpad_lite.nix | 26 +++++++++---------- .../websites/tools/mastodon/default.nix | 8 +++--- .../websites/tools/mastodon/mastodon.nix | 9 ++++--- .../websites/tools/mediagoblin/default.nix | 6 ++--- .../tools/mediagoblin/mediagoblin.nix | 8 +++--- .../websites/tools/peertube/default.nix | 12 ++++----- 8 files changed, 44 insertions(+), 43 deletions(-) diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix index 2001eaa..9671725 100644 --- a/nixops/modules/task/default.nix +++ b/nixops/modules/task/default.nix @@ -87,8 +87,8 @@ in { }; config = lib.mkIf cfg.enable { - deployment.keys.tools-taskwarrior-web = { - destDir = "/run/keys/webapps"; + mySecrets.keys = [{ + dest = "webapps/tools-taskwarrior-web"; user = "wwwrun"; group = "wwwrun"; permissions = "0400"; @@ -101,7 +101,7 @@ in { SetEnv TASKD_LDAP_BASE "${env.ldap.base}" SetEnv TASKD_LDAP_FILTER "${env.ldap.search}" ''; - }; + }]; security.acme.certs."eldiron".extraDomains.${fqdn} = null; services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ]; services.myWebsites.tools.vhostConfs.task = { @@ -116,7 +116,7 @@ in { SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" - Include /run/keys/webapps/tools-taskwarrior-web + Include /var/secrets/webapps/tools-taskwarrior-web '' '' diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix index 7fdcb57..0d04c36 100644 --- a/nixops/modules/websites/tools/ether/default.nix +++ b/nixops/modules/websites/tools/ether/default.nix 
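Review bot: The taskwarrior secret now lands on persistent storage under `/var/secrets` instead of the tmpfs `/run/keys` that `deployment.keys` used, and its `text` is still inline Nix, so the `mySecrets` module (not part of this patch) needs to be confirmed to write the file out of band rather than through a derivation, since anything a derivation produces is world-readable in `/nix/store`. The per-file `permissions = "0400"; user = "wwwrun";` protects only the file itself, so the `webapps` directory should presumably be root-owned and non-traversable, which is worth checking in that module. The enclosing `config = lib.mkIf cfg.enable {` block continues past this hunk.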
@@ -12,12 +12,12 @@ in { }; config = lib.mkIf cfg.enable { - deployment.keys = etherpad.keys; + mySecrets.keys = etherpad.keys; systemd.services.etherpad-lite = { description = "Etherpad-lite"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ]; - wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ]; + after = [ "network.target" "postgresql.service" ]; + wants = [ "postgresql.service" ]; environment.NODE_ENV = "production"; environment.HOME = etherpad.webappDir; @@ -26,7 +26,7 @@ in { script = '' exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ - --settings /run/keys/webapps/tools-etherpad + --settings /var/secrets/webapps/tools-etherpad ''; serviceConfig = { @@ -44,7 +44,7 @@ in { Restart = "always"; Type = "simple"; TimeoutSec = 60; - ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey"; + ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey"; }; }; diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix index 689156e..14ad565 100644 --- a/nixops/modules/websites/tools/ether/etherpad_lite.nix +++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix 
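Review bot: Dropping the `tools-etherpad-*-key.service` units from `after`/`wants` removes the only ordering that guaranteed the three secret files existed before `node server.js --settings /var/secrets/webapps/tools-etherpad` runs; if `mySecrets` installs the files from an activation script they will be present before units start, but if it uses a separate unit or a deploy-time push the service will crash-loop under `Restart = "always"` until they appear. If the module exposes a unit or target, add it back to `after`/`wants`; otherwise a short comment such as `# secrets are written at activation time, so no key unit ordering is needed` would record why the ordering was removed. The `systemd.services.etherpad-lite` definition continues past this hunk.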
@@ -30,19 +30,19 @@ let "ep_subscript_and_superscript" "ep_timesliderdiff" ]; - keys = { - tools-etherpad-apikey = { - destDir = "/run/keys/webapps"; + keys = [ + { + dest = "webapps/tools-etherpad-apikey"; permissions = "0400"; text = env.api_key; - }; - tools-etherpad-sessionkey = { - destDir = "/run/keys/webapps"; + } + { + dest = "webapps/tools-etherpad-sessionkey"; permissions = "0400"; text = env.session_key; - }; - tools-etherpad = { - destDir = "/run/keys/webapps"; + } + { + dest = "webapps/tools-etherpad"; permissions = "0400"; text = # Make sure we’re not rebuilding whole libreoffice just because of a @@ -144,8 +144,8 @@ let "logconfig" : { "appenders": [ { "type": "console" } ] } } ''; - }; - }; + } + ]; webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { __noChroot = true; patches = [ ./libreoffice_patch.diff ]; @@ -182,8 +182,8 @@ let install -t $out/src/ -vDm 644 src/.ep_initialized cp -a node_modules $out/ cp -a src/* $out/src/ - ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt - ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt + ln -sf /var/secrets/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt + ln -sf /var/secrets/webapps/tools-etherpad-apikey $out/APIKEY.txt cp ${jquery} $out/src/static/js/jquery.js mkdir $out/doc diff --git a/nixops/modules/websites/tools/mastodon/default.nix b/nixops/modules/websites/tools/mastodon/default.nix index 048d845..a3f2364 100644 --- a/nixops/modules/websites/tools/mastodon/default.nix +++ b/nixops/modules/websites/tools/mastodon/default.nix @@ -13,7 +13,7 @@ in { }; config = lib.mkIf cfg.enable { - deployment.keys = mastodon.keys; + mySecrets.keys = mastodon.keys; ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid; ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid; 
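Review bot: The three key entries set `permissions = "0400"` but no `user`/`group`, so the files are presumably created root-owned and `ether/default.nix` has to repair ownership on every start with a root-privileged `ExecStartPre = "+chown etherpad-lite:etherpad-lite ..."`. Since `mySecrets` accepts `user`/`group` (the taskwarrior and mastodon entries in this same patch use them), adding `user = "etherpad-lite"; group = "etherpad-lite";` to each of the three entries gives the files the right owner at install time and lets the root chown line be deleted. This assumes the `etherpad-lite` account exists before the secrets are written; confirm against the module's ordering. The `keys` list continues past this hunk (the third entry's `text` runs into the next one).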
@@ -55,7 +55,7 @@ in { serviceConfig = { User = "mastodon"; - EnvironmentFile = "/run/keys/webapps/tools-mastodon"; + EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; PrivateTmp = true; Restart = "always"; TimeoutSec = 15; @@ -88,7 +88,7 @@ in { serviceConfig = { User = "mastodon"; - EnvironmentFile = "/run/keys/webapps/tools-mastodon"; + EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; PrivateTmp = true; Restart = "always"; TimeoutSec = 60; @@ -117,7 +117,7 @@ in { serviceConfig = { User = "mastodon"; - EnvironmentFile = "/run/keys/webapps/tools-mastodon"; + EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; PrivateTmp = true; Restart = "always"; TimeoutSec = 15; diff --git a/nixops/modules/websites/tools/mastodon/mastodon.nix b/nixops/modules/websites/tools/mastodon/mastodon.nix index 944b2db..3ee3552 100644 --- a/nixops/modules/websites/tools/mastodon/mastodon.nix +++ b/nixops/modules/websites/tools/mastodon/mastodon.nix @@ -58,8 +58,8 @@ let ''; buildInputs = [ yarnModules ]; }); - keys.tools-mastodon = { - destDir = "/run/keys/webapps"; + keys.mastodon = { + dest = "webapps/tools-mastodon"; user = "mastodon"; group = "mastodon"; permissions = "0400"; @@ -113,7 +113,7 @@ let builder = writeText "build_mastodon_immae" '' source $stdenv/setup set -a - ${keys.tools-mastodon.text} + ${keys.mastodon.text} set +a cp -a $mastodon $out cd $out @@ -128,7 +128,8 @@ let }; in { - inherit railsRoot keys varDir socketsDir gems; + inherit railsRoot varDir socketsDir gems; + keys = builtins.attrValues keys; nodeSocket = "${socketsDir}/live_immae_node.sock"; railsSocket = "${socketsDir}/live_immae_puma.sock"; } diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix index 9b058be..36329d9 100644 --- a/nixops/modules/websites/tools/mediagoblin/default.nix +++ b/nixops/modules/websites/tools/mediagoblin/default.nix 
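Review bot: `${keys.mastodon.text}` is interpolated into the `writeText "build_mastodon_immae"` builder script and exported with `set -a`, so the full contents of what `default.nix` installs as a `0400` `EnvironmentFile` end up in a world-readable `/nix/store` path and in the build sandbox; the rename in this hunk keeps that behaviour. If the text holds real credentials (the `EnvironmentFile` use suggests it does, though the body is not visible here), the asset build should receive only the non-secret variables it needs, for example a separate placeholder attribute, and the real file should be read only at runtime. The builder script and the surrounding `let` binding continue outside the hunk.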
@@ -12,7 +12,7 @@ in { }; config = lib.mkIf cfg.enable { - deployment.keys = mediagoblin.keys; + mySecrets.keys = mediagoblin.keys; ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; @@ -31,8 +31,8 @@ in { systemd.services.mediagoblin-web = { description = "Mediagoblin service"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "tools-mediagoblin-key.service" ]; - wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ]; + after = [ "network.target" ]; + wants = [ "postgresql.service" "redis.service" ]; environment.SCRIPT_NAME = "/mediagoblin/"; diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix index 23ee24d..bc423db 100644 --- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix +++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix @@ -190,8 +190,8 @@ in url_scheme = https ''; - keys.tools-mediagoblin = { - destDir = "/run/keys/webapps"; + keys = [{ + dest = "webapps/tools-mediagoblin"; user = "mediagoblin"; group = "mediagoblin"; permissions = "0400"; @@ -250,7 +250,7 @@ in [[mediagoblin.media_types.image]] [[mediagoblin.media_types.video]] ''; - }; + }]; pythonRoot = with pkgs.gst_all_1; stdenv.mkDerivation { @@ -287,7 +287,7 @@ in --prefix GI_TYPELIB_PATH : ${typelib_paths} find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \; ln -s ${paste_local} ./paste_local.ini - ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini + ln -s /var/secrets/webapps/tools-mediagoblin ./mediagoblin_local.ini ln -sf ${varDir} ./user_dev ''; }; diff --git a/nixops/modules/websites/tools/peertube/default.nix b/nixops/modules/websites/tools/peertube/default.nix index bb601af..1ad79d7 100644 --- a/nixops/modules/websites/tools/peertube/default.nix +++ b/nixops/modules/websites/tools/peertube/default.nix 
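Review bot: After the key unit removal, `after` lists only `network.target` while `wants` still pulls in `postgresql.service` and `redis.service`, so systemd may start `mediagoblin-web` concurrently with its database and Redis rather than after them, since `wants` alone creates no ordering. Unless the application retries its connections, change the line to `after = [ "network.target" "postgresql.service" "redis.service" ];`, matching how the etherpad and peertube units in this patch order themselves after postgresql. With `tools-mediagoblin-key.service` gone, nothing orders the unit after `/var/secrets/webapps/tools-mediagoblin` being written either, so the same caveat as for the other services applies. The unit definition continues past this hunk.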
@@ -30,8 +30,8 @@ in { systemd.services.peertube = { description = "Peertube"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ]; - wants = [ "postgresql.service" "tools-peertube-key.service" ]; + after = [ "network.target" "postgresql.service" ]; + wants = [ "postgresql.service" ]; environment.NODE_CONFIG_DIR = "${peertube.varDir}/config"; environment.NODE_ENV = "production"; @@ -58,20 +58,20 @@ in { unitConfig.RequiresMountsFor = peertube.varDir; }; - deployment.keys.tools-peertube = { - destDir = "/run/keys/webapps"; + mySecrets.keys = [{ + dest = "webapps/tools-peertube"; user = "peertube"; group = "peertube"; permissions = "0640"; text = peertube.config; - }; + }]; system.activationScripts.peertube = { deps = [ "users" ]; text = '' install -m 0750 -o peertube -g peertube -d ${peertube.varDir} install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config - ln -sf /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml + ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml ''; }; -- 2.41.0
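Review bot: The peertube secret is installed with `permissions = "0640"` while every other secret in this patch uses `0400`; the group is `peertube`, so this only matters if other accounts share that group, but unless a second process needs group read access `permissions = "0400";` would match the rest. The activation-script `ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml` runs as root against a fixed path into a directory it just created `0750 peertube`, which is fine, but now that `tools-peertube-key.service` was dropped from `after`/`wants` in the earlier hunk nothing guarantees the link target exists when PeerTube starts. The enclosing `config` block continues past this hunk.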