From 0966f95c6968963988d7ebc846eb0e6087091acc Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 30 Jan 2021 00:41:57 +0100
Subject: [PATCH] Move csp report credentials out of the store
---
 modules/private/websites/tools/tools/csp_reports.nix | 12 ++++++++++++
 modules/private/websites/tools/tools/default.nix | 7 +++++--
 nixops/secrets | 2 +-
 3 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 modules/private/websites/tools/tools/csp_reports.nix
diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix
new file mode 100644
index 0000000..4660251
--- /dev/null
+++ b/modules/private/websites/tools/tools/csp_reports.nix
@@ -0,0 +1,12 @@
+{ env }:
+rec {
+ keys = [{
+ dest = "webapps/tools-csp-reports.conf";
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = with env.postgresql; ''
+ env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}"
+ '';
+ }];
+}
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index 1e30eed..7903ca5 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -55,6 +55,9 @@ let
 dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
 env = config.myEnv.tools.dmarc_reports;
 };
+ csp-reports = pkgs.callPackage ./csp_reports.nix {
+ env = config.myEnv.tools.csp_reports;
+ };
 landing = pkgs.callPackage ./landing.nix {};
@@ -74,6 +77,7 @@ in {
 ++ wallabag.keys
 ++ yourls.keys
 ++ dmarc-reports.keys
+ ++ csp-reports.keys
 ++ webhooks.keys;
 services.duplyBackup.profiles = {
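Review bot: In csp_reports.nix the `text` value interpolates `${password}` raw into a libpq-style connection string that is itself wrapped in double quotes on the php-fpm `env[CSP_REPORT_URI]` line, so a password containing a space, a double quote or a backslash would presumably yield a broken pool include or a truncated conninfo value. libpq accepts single-quoted values with `'` and `\` backslash-escaped, so either quote the field as `password='${password}'` with that escaping applied, or record the constraint next to the template with a comment such as `# password is embedded unescaped: no spaces, quotes or backslashes`. The 0400 wwwrun-owned file keeps the credential out of the world-readable Nix store, but the value still lands in the worker environment, where code running in this pool can read it; a short comment stating that boundary would help the next reader.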
@@ -302,11 +306,10 @@ in {
 "/run/wrappers/bin/sendmail" landing "/tmp" "${config.secrets.location}/webapps/webhooks"
 ];
+ "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
 };
 phpEnv = {
 CONTACT_EMAIL = config.myEnv.tools.contact;
- CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
- "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
 };
 phpPackage = pkgs.php72;
 };
diff --git a/nixops/secrets b/nixops/secrets
index 1b3be53..d3e1cb5 160000
--- a/nixops/secrets
+++ b/nixops/secrets
@@ -1 +1 @@
-Subproject commit 1b3be53dd5e79ba1af9207aff17486a0558a40a5
+Subproject commit d3e1cb5463246bbf7b42a0fc3bf542d24c4597b8
-- 
2.41.0
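Review bot: With the credentials now behind `"include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";` in default.nix, the generated pool configuration no longer changes when the password does, so a rotated secret will presumably not restart php-fpm and the workers keep the old `CSP_REPORT_URI` until the next restart. php-fpm is also likely to reject the pool if that file has not been deployed yet when the service starts. Neither the ordering against the secrets deployment nor a restart hook is visible here, and the enclosing attribute set starts and ends outside the hunk. A comment beside the include would record the dependency, e.g. `# written by csp-reports.keys; php-fpm must start after secrets are deployed and be restarted when this file changes`.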