From 906065a0b7aada3282309791a051e71e5e1cf16d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 16 Apr 2019 14:59:22 +0200
Subject: [PATCH] Move chloe's website keys to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/websites/chloe/chloe.nix | 37 +++++++++++++++--------
 nixops/modules/websites/chloe/default.nix | 4 +++
 2 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/nixops/modules/websites/chloe/chloe.nix b/nixops/modules/websites/chloe/chloe.nix
index 7ad23fe..0861cdf 100644
--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -3,6 +3,7 @@ let
 chloe = { config }: rec {
 environment = config.environment;
 phpFpm = rec {
+ serviceDeps = [ "mysql.service" "${environment}-chloe-key.service" ];
 socket = "/var/run/phpfpm/chloe-${environment}.sock";
 pool = ''
 listen = ${socket}
@@ -15,19 +16,6 @@ let
 ;php_admin_flag[log_errors] = on
 php_admin_value[open_basedir] = "${../commons/spip/spip_mes_options.php}:${configDir}:${webRoot}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
- env[SPIP_CONFIG_DIR] = "${configDir}"
- env[SPIP_VAR_DIR] = "${varDir}"
- env[SPIP_SITE] = "chloe-${environment}"
- env[SPIP_LDAP_BASE] = "dc=immae,dc=eu"
- env[SPIP_LDAP_HOST] = "ldaps://ldap.immae.eu"
- env[SPIP_LDAP_SEARCH_DN] = "${config.ldap.dn}"
- env[SPIP_LDAP_SEARCH_PW] = "${config.ldap.password}"
- env[SPIP_LDAP_SEARCH] = "${config.ldap.search}"
- env[SPIP_MYSQL_HOST] = "${config.mysql.host}"
- env[SPIP_MYSQL_PORT] = "${config.mysql.port}"
- env[SPIP_MYSQL_DB] = "${config.mysql.name}"
- env[SPIP_MYSQL_USER] = "${config.mysql.user}"
- env[SPIP_MYSQL_PASSWORD] = "${config.mysql.password}"
 ${if environment == "dev" then ''
 pm = ondemand
 pm.max_children = 5
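Review bot: The `${environment}-chloe-key.service` ordering added to `serviceDeps` in this hunk is attached to the php-fpm pool, but nothing in the patch makes php-fpm read the key; the consumer is Apache's `Include /run/keys/webapps/${environment}-chloe` in the hunk at `@@ -47,6 +56,8 @@`, and `httpd.service` gets no such dependency (the same wiring is repeated in default.nix at `@@ -40,6 +41,7 @@` and `@@ -58,7 +60,9 @@`). NixOps keys are, as far as I know, kept in a non-persistent /run/keys and only reappear after `nixops send-keys`/`deploy`, so on a cold boot httpd would parse the vhost before the file exists and a missing `Include` is a fatal config error that takes down every vhost on the host, not just this one. Unless `services.myPhpfpm.serviceDependencies` also propagates to httpd (not visible here), add the equivalent for Apache, e.g. `systemd.services.httpd.after = [ "${environment}-chloe-key.service" ];` and `systemd.services.httpd.wants = [ "${environment}-chloe-key.service" ];` next to the `deployment.keys` assignment. A one-line comment on `serviceDeps` saying which unit actually consumes the key would also help the next reader.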
@@ -40,6 +28,27 @@ let
 pm.max_spare_servers = 3
 ''}'';
 };
+ keys."${environment}-chloe" = {
+ destDir = "/run/keys/webapps";
+ user = apache.user;
+ group = apache.group;
+ permissions = "0400";
+ text = ''
+ SetEnv SPIP_CONFIG_DIR "${configDir}"
+ SetEnv SPIP_VAR_DIR "${varDir}"
+ SetEnv SPIP_SITE "chloe-${environment}"
+ SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
+ SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
+ SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+ SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+ SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}"
+ SetEnv SPIP_MYSQL_HOST "${config.mysql.host}"
+ SetEnv SPIP_MYSQL_PORT "${config.mysql.port}"
+ SetEnv SPIP_MYSQL_DB "${config.mysql.name}"
+ SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
+ SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+ '';
+ };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -47,6 +56,8 @@ let
 webappName = "chloe_${environment}";
 root = "/run/current-system/webapps/${webappName}";
 vhostConf = ''
+ Include /run/keys/webapps/${environment}-chloe
+
 RewriteEngine On
 ${if environment == "prod" then ''
 RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1
diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix
index f561834..451a248 100644
--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,6 +25,7 @@ in {
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
+ deployment.keys = chloe_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -40,6 +41,7 @@ in {
 };
 };
+ services.myPhpfpm.serviceDependencies.chloe_prod = chloe_prod.phpFpm.serviceDeps;
 services.myPhpfpm.poolConfigs.chloe_prod = chloe_prod.phpFpm.pool;
 services.myPhpfpm.poolPhpConfigs.chloe_prod = ''
 extension=${pkgs.php}/lib/php/extensions/mysqli.so
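Review bot: In the `keys."${environment}-chloe"` text, `config.ldap.password` and `config.mysql.password` are interpolated verbatim into Apache directive syntax (`SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"`, `SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"`), so a value containing `"` or `\` breaks the Include at httpd start, and a `''` or `${` sequence would already be mis-parsed by the Nix indented string. The old php-fpm `env[]` form had the same limitation, but a bad value now fails the whole Apache configuration instead of one pool, so either escape the two values when the text is built or add an `assertion` that they contain no `"` or backslash. Separately, httpd reads its config as root before dropping privileges, so the file could be root-owned `0400` rather than `apache.user`, which keeps the worker user from reading it directly; the secrets still reach PHP through `SetEnv`, presumably as FastCGI params in `$_SERVER`, so a short comment on `keys` stating that any script under `root` can see them would stop a reader from assuming the file mode is the only exposure.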
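Review bot: In the hunk at `@@ -47,6 +56,8 @@`, the `Include /run/keys/webapps/${environment}-chloe` line hardcodes the directory and key name separately from `destDir` and the `keys` attribute name a few lines above, so the two can drift. Deriving the path from the key definition keeps them in sync, e.g. `Include ${keys."${environment}-chloe".destDir}/${environment}-chloe` (the `keys` attribute is in the same `rec`, so it is in scope). The `vhostConf` string continues past the end of the hunk.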
@@ -58,7 +60,9 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
+ deployment.keys = chloe_dev.keys;
 security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
+ services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
 services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;
 services.myPhpfpm.poolPhpConfigs.chloe_dev = ''
 extension=${pkgs.php}/lib/php/extensions/mysqli.so
--
2.41.0