From 85f5ed68104de9edd8f8e532dc0c2de931e3ca1b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 16 Apr 2019 01:48:11 +0200
Subject: [PATCH] Fix secret permissions
---
 nixops/modules/websites/aten/aten.nix | 2 +-
 nixops/modules/websites/connexionswing/connexionswing.nix | 2 +-
 nixops/modules/websites/default.nix | 2 +-
 nixops/modules/websites/ftp/jerome.nix | 1 +
 nixops/modules/websites/ludivine/ludivinecassal.nix | 2 +-
 nixops/modules/websites/piedsjaloux/piedsjaloux.nix | 2 +-
 nixops/modules/websites/tellesflorian/tellesflorian.nix | 4 ++--
 nixops/modules/websites/tools/dav/davical.nix | 2 +-
 nixops/modules/websites/tools/diaspora/diaspora.nix | 6 +++---
 nixops/modules/websites/tools/git/mantisbt/mantisbt.nix | 2 +-
 nixops/modules/websites/tools/peertube/default.nix | 2 +-
 nixops/modules/websites/tools/tools/kanboard.nix | 2 +-
 nixops/modules/websites/tools/tools/ldap.nix | 2 +-
 nixops/modules/websites/tools/tools/roundcubemail.nix | 2 +-
 nixops/modules/websites/tools/tools/shaarli.nix | 2 +-
 nixops/modules/websites/tools/tools/ttrss.nix | 2 +-
 nixops/modules/websites/tools/tools/wallabag.nix | 2 +-
 nixops/modules/websites/tools/tools/yourls.nix | 2 +-
 18 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/nixops/modules/websites/aten/aten.nix b/nixops/modules/websites/aten/aten.nix
index ac102c9..6059eb6 100644
--- a/nixops/modules/websites/aten/aten.nix
+++ b/nixops/modules/websites/aten/aten.nix
@@ -34,7 +34,7 @@ let
 destDir = "/run/keys/webapps";
 user = apache.user;
 group = apache.group;
- permissions = "0700";
+ permissions = "0400";
 text = ''
 SetEnv APP_ENV "${environment}"
 SetEnv APP_SECRET "${config.secret}"
diff --git a/nixops/modules/websites/connexionswing/connexionswing.nix b/nixops/modules/websites/connexionswing/connexionswing.nix
index 7bc1d51..2960c6a 100644
--- a/nixops/modules/websites/connexionswing/connexionswing.nix
+++ b/nixops/modules/websites/connexionswing/connexionswing.nix
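Review bot: The key protected in the aten.nix hunk hands `APP_SECRET` to the application through `SetEnv`, so the tighter file mode does not bound where the value is visible at run time. Apache places `SetEnv` variables in the request environment, where CGI children and any diagnostic or error page that dumps the environment can read them. How the application is run is not visible here, so this is a caveat to record rather than a confirmed leak; a comment above `text` would do, e.g. `# SetEnv puts these values in the request environment: keep environment-dumping debug pages off in production`. The enclosing `let` binding starts and ends outside the hunk.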
@@ -7,7 +7,7 @@ let
 destDir = "/run/keys/webapps";
 user = apache.user;
 group = apache.group;
- permissions = "0700";
+ permissions = "0400";
 text = ''
 # This file is auto-generated during the composer install
 parameters:
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index 9782e68..cd2b38a 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -232,7 +232,7 @@ in
 deployment.keys.apache-ldap = {
 user = "wwwrun";
 group = "wwwrun";
- permissions = "0700";
+ permissions = "0400";
 text = ''
diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 218060f..6c0decd 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -33,6 +33,7 @@ in {
 destDir = "/run/keys/webapps";
 user = "wwwrun";
 group = "wwwrun";
+ permissions = "0400";
 text = ''
 pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
diff --git a/nixops/modules/websites/tools/diaspora/diaspora.nix b/nixops/modules/websites/tools/diaspora/diaspora.nix
index 074dfb2..c7af9da 100644
--- a/nixops/modules/websites/tools/diaspora/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora/diaspora.nix
@@ -33,7 +33,7 @@ let
 destDir = "/run/keys/webapps";
 user = "diaspora";
 group = "diaspora";
- permissions = "0700";
+ permissions = "0400";
 text = ''
 Diaspora::Application.config.secret_key_base = '${env.secret_token}'
 '';
@@ -42,7 +42,7 @@ let
 destDir = "/run/keys/webapps";
 user = "diaspora";
 group = "diaspora";
- permissions = "0700";
+ permissions = "0400";
 text = ''
 configuration:
 environment:
@@ -121,7 +121,7 @@ let
 destDir = "/run/keys/webapps";
 user = "diaspora";
 group = "diaspora";
- permissions = "0700";
+ permissions = "0400";
 text = ''
 postgresql: &postgresql
 adapter: postgresql
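Review bot: The mode is spelled out as the literal `permissions = "0400";` on this key, and the same literal is repeated on every key the commit touches (aten, default.nix, jerome, the three diaspora keys, mantisbt, roundcubemail and the remaining files in the diffstat). Per-key literals are probably how jerome.nix came to have no `permissions` line at all before this commit, and how eighteen files needed the same correction. One shared binding for the website modules, for example `secretPermissions = "0400";` used as `permissions = secretPermissions;`, would leave a single place to audit. The `let` block continues outside the hunk, so where that binding belongs is not visible here.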
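Review bot: Mode `0400` on `deployment.keys.apache-ldap` still leaves the file readable by everything that runs as `wwwrun`, because `user = "wwwrun"` makes the shared web-server account the owner; the jerome.nix key in this commit uses the same account. The owner can also change the mode of its own file, so the new mode guards against accidental writes rather than against code running as that user. If the sites are meant to be isolated from one another, each would need its own account; otherwise a comment on the key would record the limit, e.g. `# owned by the shared wwwrun account: readable by every site served under it`. The key's text is not visible in this hunk, so what the file holds is not assessed here.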
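Review bot: The `pg_connect[]` line under the newly protected key in jerome.nix interpolates `${env.postgresql.password}` bare into a space-separated `key=value` string that is itself wrapped in double quotes. Assuming the value is passed to libpq as a conninfo string, a password containing a space, a quote or a backslash would be truncated or would break the line. libpq accepts single-quoted values with `'` and `\` backslash-escaped, so the safer form is `password='…'` with those two characters escaped when the text is generated. If the password is guaranteed to be alphanumeric, a comment saying so next to the line would be enough. The attribute set continues outside the hunk.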
diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix index 00580b5..2c7422d 100644 --- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix +++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix @@ -21,7 +21,7 @@ let destDir = "/run/keys/webapps"; user = apache.user; group = apache.group; - permissions = "0700"; + permissions = "0400"; text = '' custom->appearance['show_clear_password'] = true; diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix index 3806679..5fc3412 100644 --- a/nixops/modules/websites/tools/tools/roundcubemail.nix +++ b/nixops/modules/websites/tools/tools/roundcubemail.nix @@ -82,7 +82,7 @@ let destDir = "/run/keys/webapps"; user = apache.user; group = apache.group; - permissions = "0700"; + permissions = "0400"; text = ''