From 51900e3488284b0711083819a5ecb1b0f280a913 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 16 Apr 2019 13:46:47 +0200 Subject: [PATCH] Move etherpad and mediagoblin keys to secure location Related issue: https://git.immae.eu/mantisbt/view.php?id=122 --- .../modules/websites/tools/ether/default.nix | 9 +- .../websites/tools/ether/etherpad_lite.nix | 198 +++++++++--------- .../websites/tools/mediagoblin/default.nix | 5 +- .../tools/mediagoblin/mediagoblin.nix | 98 +++++---- 4 files changed, 163 insertions(+), 147 deletions(-) diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix index c4a9932..6d845ac 100644 --- a/nixops/modules/websites/tools/ether/default.nix +++ b/nixops/modules/websites/tools/ether/default.nix @@ -12,11 +12,12 @@ in { }; config = lib.mkIf cfg.enable { + deployment.keys = etherpad.keys; systemd.services.etherpad-lite = { description = "Etherpad-lite"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" ]; - wants = [ "postgresql.service" ]; + after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ]; + wants = [ "postgresql.service" "tools-etherpad-key.service" ]; environment.NODE_ENV = "production"; environment.HOME = etherpad.webappDir; @@ -25,13 +26,14 @@ in { script = '' exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ - --settings ${etherpad.config} + --settings /run/keys/webapps/tools-etherpad ''; serviceConfig = { DynamicUser = true; User = "etherpad-lite"; Group = "etherpad-lite"; + SupplementaryGroups = "keys"; WorkingDirectory = etherpad.webappDir; PrivateTmp = true; NoNewPrivileges = true; @@ -42,6 +44,7 @@ in { Restart = "always"; Type = "simple"; TimeoutSec = 60; + ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad"; }; }; 
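Review bot: The path `/run/keys/webapps/tools-etherpad` in the new `--settings` argument is a hand-copied duplicate of the `destDir` and key name declared in etherpad_lite.nix, so the two can silently diverge on the next rename or directory move. Since this module already imports the key set (`deployment.keys = etherpad.keys;`), derive the argument from it, e.g. `--settings ${etherpad.keys.tools-etherpad.destDir}/tools-etherpad`, so the service follows the key definition. The `script` and `serviceConfig` attributes this hunk edits continue past the hunk.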
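Review bot: The added `ExecStartPre` chowns the 0400 key file to `etherpad-lite`, but this unit runs with `DynamicUser = true`, so that name resolves to a transient UID that systemd may hand to a different dynamic-user service later; systemd's documentation warns that files left owned by a dynamic UID can become readable by whichever unit is next assigned it, and `/run/keys` persists until reboot, so the secret's ownership outlives the service that claimed it. Consider avoiding the re-own entirely: declare a static group for the key (`group = "etherpad-lite"; permissions = "0440";` on `keys.tools-etherpad`, backed by a `users.groups` entry) and list that group in `SupplementaryGroups` instead of `keys`, or use a static user as the mediagoblin module in this same commit does. If a dynamic UID must own the file for a reason not visible here, a comment on the `ExecStartPre` line explaining why the key cannot be declared with `user`/`group` would spare the next reader the same question. The `serviceConfig` set this hunk edits begins before the hunk.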
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix
index 02071f1..bc62262 100644
--- a/nixops/modules/websites/tools/ether/etherpad_lite.nix
+++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix
@@ -30,106 +30,110 @@ let "ep_subscript_and_superscript" "ep_timesliderdiff" ]; - config = - # Make sure we’re not rebuilding whole libreoffice just because of a - # dependency - let libreoffice = (import {}).libreoffice-fresh; - in - writeText "settings.json" '' - { - "title": "Etherpad", - "favicon": "favicon.ico", + keys.tools-etherpad = { + destDir = "/run/keys/webapps"; + permissions = "0400"; + text = + # Make sure we’re not rebuilding whole libreoffice just because of a + # dependency + let libreoffice = (import {}).libreoffice-fresh; + in + '' + { + "title": "Etherpad", + "favicon": "favicon.ico", - "ip": "127.0.0.1", - "port" : ${env.listenPort}, - "showSettingsInAdminPage" : false, - "dbType" : "postgres", - "dbSettings" : { - "user" : "${env.postgresql.user}", - "host" : "${env.postgresql.socket}", - "password": "${env.postgresql.password}", - "database": "${env.postgresql.database}", - "charset" : "utf8mb4" - }, + "ip": "127.0.0.1", + "port" : ${env.listenPort}, + "showSettingsInAdminPage" : false, + "dbType" : "postgres", + "dbSettings" : { + "user" : "${env.postgresql.user}", + "host" : "${env.postgresql.socket}", + "password": "${env.postgresql.password}", + "database": "${env.postgresql.database}", + "charset" : "utf8mb4" + }, - "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", - "padOptions": { - "noColors": false, - "showControls": true, - "showChat": true, - "showLineNumbers": true, - "useMonospaceFont": false, - "userName": false, - "userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" - }, + "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. 
This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", + "padOptions": { + "noColors": false, + "showControls": true, + "showChat": true, + "showLineNumbers": true, + "useMonospaceFont": false, + "userName": false, + "userColor": false, + "rtl": false, + "alwaysShowChat": false, + "chatAndUsers": false, + "lang": "en-gb" + }, - "suppressErrorsInPadText" : false, - "requireSession" : false, - "editOnly" : false, - "sessionNoPassword" : false, - "minify" : true, - "maxAge" : 21600, - "abiword" : null, - "soffice" : "${libreoffice}/bin/soffice", - "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", - "allowUnknownFileEnds" : true, - "requireAuthentication" : false, - "requireAuthorization" : false, - "trustProxy" : false, - "disableIPlogging" : false, - "automaticReconnectionTimeout" : 0, - "scrollWhenFocusLineIsOutOfViewport": { - "percentage": { - "editionAboveViewport": 0, - "editionBelowViewport": 0 + "suppressErrorsInPadText" : false, + "requireSession" : false, + "editOnly" : false, + "sessionNoPassword" : false, + "minify" : true, + "maxAge" : 21600, + "abiword" : null, + "soffice" : "${libreoffice}/bin/soffice", + "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", + "allowUnknownFileEnds" : true, + "requireAuthentication" : false, + "requireAuthorization" : false, + "trustProxy" : false, + "disableIPlogging" : false, + "automaticReconnectionTimeout" : 0, + "scrollWhenFocusLineIsOutOfViewport": { + "percentage": { + "editionAboveViewport": 0, + "editionBelowViewport": 0 + }, + "duration": 0, + "scrollWhenCaretIsInTheLastLineOfViewport": false, + "percentageToScrollWhenUserPressesArrowUp": 0 }, - "duration": 0, - "scrollWhenCaretIsInTheLastLineOfViewport": false, - "percentageToScrollWhenUserPressesArrowUp": 0 - }, - "users": { - "ldapauth": { - "url": "ldaps://${env.ldap.host}", - "accountBase": "${env.ldap.base}", - "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", - 
"displayNameAttribute": "cn", - "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", - "searchPWD": "${env.ldap.password}", - "groupSearchBase": "${env.ldap.base}", - "groupAttribute": "member", - "groupAttributeIsDN": true, - "searchScope": "sub", - "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", - "anonymousReadonly": false - } - }, - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], - "loadTest": false, - "indentationOnNewLine": false, - "toolbar": { - "left": [ - ["bold", "italic", "underline", "strikethrough"], - ["orderedlist", "unorderedlist", "indent", "outdent"], - ["undo", "redo"], - ["clearauthorship"] - ], - "right": [ - ["importexport", "timeslider", "savedrevision"], - ["settings", "embed"], - ["showusers"] - ], - "timeslider": [ - ["timeslider_export", "timeslider_returnToPad"] - ] - }, - "loglevel": "INFO", - "logconfig" : { "appenders": [ { "type": "console" } ] } - } - ''; + "users": { + "ldapauth": { + "url": "ldaps://${env.ldap.host}", + "accountBase": "${env.ldap.base}", + "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", + "displayNameAttribute": "cn", + "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", + "searchPWD": "${env.ldap.password}", + "groupSearchBase": "${env.ldap.base}", + "groupAttribute": "member", + "groupAttributeIsDN": true, + "searchScope": "sub", + "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", + "anonymousReadonly": false + } + }, + "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], + "loadTest": false, + "indentationOnNewLine": false, + "toolbar": { + "left": [ + ["bold", "italic", "underline", "strikethrough"], + ["orderedlist", "unorderedlist", "indent", "outdent"], + ["undo", "redo"], + ["clearauthorship"] + ], + "right": [ + ["importexport", "timeslider", "savedrevision"], + ["settings", "embed"], + ["showusers"] + ], + "timeslider": [ + 
["timeslider_export", "timeslider_returnToPad"] + ] + }, + "loglevel": "INFO", + "logconfig" : { "appenders": [ { "type": "console" } ] } + } + ''; + }; webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { __noChroot = true; patches = [ ./libreoffice_patch.diff ]; @@ -179,5 +183,5 @@ let }); in { - inherit webappDir config listenPort; + inherit webappDir keys listenPort; } diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix index 54c0478..9b058be 100644 --- a/nixops/modules/websites/tools/mediagoblin/default.nix +++ b/nixops/modules/websites/tools/mediagoblin/default.nix @@ -12,6 +12,7 @@ in { }; config = lib.mkIf cfg.enable { + deployment.keys = mediagoblin.keys; ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; @@ -22,6 +23,7 @@ in { description = "Mediagoblin user"; home = mediagoblin.varDir; useDefaultShell = true; + extraGroups = [ "keys" ]; }; users.groups.mediagoblin.gid = config.ids.gids.mediagoblin; @@ -29,7 +31,8 @@ in { systemd.services.mediagoblin-web = { description = "Mediagoblin service"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + after = [ "network.target" "tools-mediagoblin-key.service" ]; + wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ]; environment.SCRIPT_NAME = "/mediagoblin/"; diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix index e1876ae..23ee24d 100644 --- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix +++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix 
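Review bot: The moved `"password": "${env.postgresql.password}"` and `"searchPWD": "${env.ldap.password}"` lines still splice the secrets into a hand-written JSON string with no escaping, so a password containing `"` or `\` yields an unparsable settings file, and now that the file is only materialised at deploy time the breakage surfaces at service start rather than at build. Encode the values with Nix's JSON serialiser, `"password": ${builtins.toJSON env.postgresql.password},` and `"searchPWD": ${builtins.toJSON env.ldap.password},`, or build the whole `text` with `builtins.toJSON { ... }` since the content is plain JSON. Separately, the `(import {}).libreoffice-fresh` expression in this hunk appears to have lost its `<nixpkgs>` argument in rendering; confirm the source still reads `import <nixpkgs> {}`. The `let` binding list this hunk sits in starts before the hunk.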
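Review bot: The new `wants` list pulls in `postgresql.service` and `redis.service`, but `after` only orders the unit behind `network.target` and the key service, so `wants` alone starts the database and broker in parallel with mediagoblin-web and gives no guarantee either is up when the web process first connects. Add them to the ordering as the etherpad module in this same commit does: `after = [ "network.target" "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];`. The `systemd.services.mediagoblin-web` definition continues past the hunk.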
@@ -190,61 +190,67 @@ in url_scheme = https ''; - mediagoblin_local = writeText "mediagoblin_local.ini" '' - [DEFAULT] - data_basedir = "${varDir}" + keys.tools-mediagoblin = { + destDir = "/run/keys/webapps"; + user = "mediagoblin"; + group = "mediagoblin"; + permissions = "0400"; + text = '' + [DEFAULT] + data_basedir = "${varDir}" - [mediagoblin] - direct_remote_path = /mgoblin_static/ - email_sender_address = "mediagoblin@tools.immae.eu" + [mediagoblin] + direct_remote_path = /mgoblin_static/ + email_sender_address = "mediagoblin@tools.immae.eu" - #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db - sql_engine = ${env.psql_url} + #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db + sql_engine = ${env.psql_url} - email_debug_mode = false - allow_registration = false - allow_reporting = true + email_debug_mode = false + allow_registration = false + allow_reporting = true - theme = airymodified + theme = airymodified - user_privilege_scheme = "uploader,commenter,reporter" + user_privilege_scheme = "uploader,commenter,reporter" - # We need to redefine them here since we override data_basedir - # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini - workbench_path = %(data_basedir)s/media/workbench - crypto_path = %(data_basedir)s/crypto - theme_install_dir = %(data_basedir)s/themes/ - theme_linked_assets_dir = %(data_basedir)s/theme_static/ - plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ + # We need to redefine them here since we override data_basedir + # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini + workbench_path = %(data_basedir)s/media/workbench + crypto_path = %(data_basedir)s/crypto + theme_install_dir = %(data_basedir)s/themes/ + theme_linked_assets_dir = %(data_basedir)s/theme_static/ + plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ - [storage:queuestore] - base_dir = %(data_basedir)s/media/queue + [storage:queuestore] + base_dir = %(data_basedir)s/media/queue - [storage:publicstore] - base_dir 
= %(data_basedir)s/media/public - base_url = /mgoblin_media/ + [storage:publicstore] + base_dir = %(data_basedir)s/media/public + base_url = /mgoblin_media/ - [celery] - CELERY_RESULT_DBURI = ${env.redis_url} - BROKER_URL = ${env.redis_url} - CELERYD_CONCURRENCY = 1 + [celery] + CELERY_RESULT_DBURI = ${env.redis_url} + BROKER_URL = ${env.redis_url} + CELERYD_CONCURRENCY = 1 - [plugins] - [[mediagoblin.plugins.geolocation]] - [[mediagoblin.plugins.ldap]] - [[[immae.eu]]] - LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' - LDAP_SEARCH_BASE = 'dc=immae,dc=eu' - LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' - LDAP_BIND_PW = '${env.ldap.password}' - LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' - EMAIL_SEARCH_FIELD = 'mail' - [[mediagoblin.plugins.basicsearch]] - [[mediagoblin.plugins.piwigo]] - [[mediagoblin.plugins.processing_info]] - [[mediagoblin.media_types.image]] - [[mediagoblin.media_types.video]] - ''; + [plugins] + [[mediagoblin.plugins.geolocation]] + [[mediagoblin.plugins.ldap]] + [[[immae.eu]]] + LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' + LDAP_SEARCH_BASE = 'dc=immae,dc=eu' + LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' + LDAP_BIND_PW = '${env.ldap.password}' + LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' + EMAIL_SEARCH_FIELD = 'mail' + [[mediagoblin.plugins.basicsearch]] + [[mediagoblin.plugins.piwigo]] + [[mediagoblin.plugins.processing_info]] + [[mediagoblin.media_types.image]] + [[mediagoblin.media_types.video]] + ''; + }; pythonRoot = with pkgs.gst_all_1; stdenv.mkDerivation { @@ -281,7 +287,7 @@ in --prefix GI_TYPELIB_PATH : ${typelib_paths} find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \; ln -s ${paste_local} ./paste_local.ini - ln -s ${mediagoblin_local} ./mediagoblin_local.ini + ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini ln -sf ${varDir} ./user_dev ''; }; -- 2.41.0
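Review bot: The key text interpolates `LDAP_BIND_PW = '${env.ldap.password}'` inside a single-quoted INI value and `sql_engine = ${env.psql_url}` unquoted, so a bind password containing `'` corrupts the generated file at deploy time with no build-time check; this same file visibly relies on `%(data_basedir)s` interpolation, so a `%` in the URL or password may be interpreted too, which is worth confirming against the config parser. Either escape the values at evaluation time (for example `lib.replaceStrings [ "'" ] [ "\\'" ] env.ldap.password`, once the parser's escaping rule is confirmed) or reject unsafe characters up front with `lib.assertMsg`, and add a one-line comment above `LDAP_BIND_PW` naming which characters are unsafe in these values. The `let` block this binding belongs to starts before the hunk.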
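Review bot: The symlink target `/run/keys/webapps/tools-mediagoblin` in the rewritten `ln -s` line repeats the key's `destDir` and name by hand, so a later change to `keys.tools-mediagoblin.destDir` would leave the derivation pointing at a stale path; because `keys` is a sibling `let` binding in this file, `ln -s ${keys.tools-mediagoblin.destDir}/tools-mediagoblin ./mediagoblin_local.ini` keeps them in step. A short comment above the line noting that the target is a deploy-time nixops key and is intentionally dangling inside the store output would also save the next reader a search. The shell script this line is part of starts before the hunk.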