From 415bcd272a0cbd65494fbb245bd94f0420656044 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Mon, 15 Apr 2019 12:30:08 +0200
Subject: [PATCH] Move ldap keys to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/websites/default.nix | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 307af08..f820c83 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -229,6 +229,24 @@ in
     services.myWebsites.TellesFlorian.integration.enable = true;
     services.myWebsites.Florian.integration.enable = true;
 
+    deployment.keys.apache-ldap = {
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0700";
+      text = ''
+        <Macro LDAPConnect>
+          <IfModule authnz_ldap_module>
+            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
+            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+            AuthType             Basic
+            AuthName             "Authentification requise (Acces LDAP)"
+            AuthBasicProvider    ldap
+          </IfModule>
+        </Macro>
+        '';
+    };
+
     services.myWebsites.apacheConfig = {
       gzip = {
         modules = [ "deflate" "filter" ];
@@ -266,16 +284,7 @@ in
             LDAPOpCacheTTL 600
           </IfModule>
 
-          <Macro LDAPConnect>
-            <IfModule authnz_ldap_module>
-              AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
-              AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
-              AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
-              AuthType             Basic
-              AuthName             "Authentification requise (Acces LDAP)"
-              AuthBasicProvider    ldap
-            </IfModule>
-          </Macro>
+          Include /run/keys/apache-ldap
         '';
       };
       global = {
-- 
2.41.0