From a840a21c954be6342603ae7a45dde6c005761696 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Mon, 15 Apr 2019 00:23:03 +0200
Subject: [PATCH] Move ttrss, wallabag, ldap and roundcubemail passwords to
 secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 .../modules/websites/tools/tools/default.nix  |  20 ++-
 .../modules/websites/tools/tools/dokuwiki.nix |   1 +
 nixops/modules/websites/tools/tools/ldap.nix  |  45 ++++---
 .../modules/websites/tools/tools/rainloop.nix |   1 +
 .../websites/tools/tools/roundcubemail.nix    | 101 +++++++-------
 nixops/modules/websites/tools/tools/ttrss.nix | 103 +++++++-------
 .../modules/websites/tools/tools/wallabag.nix | 127 +++++++++---------
 .../modules/websites/tools/tools/yourls.nix   |  13 +-
 8 files changed, 232 insertions(+), 179 deletions(-)

diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index 14b5934..3d5465f 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -46,7 +46,13 @@ in {
     security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
     security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
 
-    deployment.keys = kanboard.keys;
+    deployment.keys =
+      kanboard.keys
+      // ldap.keys
+      // roundcubemail.keys
+      // ttrss.keys
+      // wallabag.keys
+      // yourls.keys;
 
     services.myWebsites.integration.modules =
       rainloop.apache.modules;
@@ -131,7 +137,17 @@ in {
       ];
     };
 
-    services.myPhpfpm.serviceDependencies.kanboard = kanboard.phpFpm.serviceDeps;
+    services.myPhpfpm.serviceDependencies = {
+      dokuwiki = dokuwiki.phpFpm.serviceDeps;
+      kanboard = kanboard.phpFpm.serviceDeps;
+      ldap = ldap.phpFpm.serviceDeps;
+      rainloop = rainloop.phpFpm.serviceDeps;
+      roundcubemail = roundcubemail.phpFpm.serviceDeps;
+      ttrss = ttrss.phpFpm.serviceDeps;
+      wallabag = wallabag.phpFpm.serviceDeps;
+      yourls = yourls.phpFpm.serviceDeps;
+    };
+
     services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig;
     services.myPhpfpm.poolConfigs = {
       adminer = adminer.phpFpm.pool;
diff --git a/nixops/modules/websites/tools/tools/dokuwiki.nix b/nixops/modules/websites/tools/tools/dokuwiki.nix
index 2f4e8c1..2cd19f1 100644
--- a/nixops/modules/websites/tools/tools/dokuwiki.nix
+++ b/nixops/modules/websites/tools/tools/dokuwiki.nix
@@ -76,6 +76,7 @@ let
         '';
     };
     phpFpm = rec {
+      serviceDeps = [ "openldap.service" ];
       basedir = builtins.concatStringsSep ":" (
         [ webRoot varDir ]
         ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix
index 6cde881..9d98837 100644
--- a/nixops/modules/websites/tools/tools/ldap.nix
+++ b/nixops/modules/websites/tools/tools/ldap.nix
@@ -1,24 +1,30 @@
 { lib, php, env, writeText, stdenv, optipng, fetchurl }:
 rec {
-  config = writeText "config.php" ''
-    <?php
-    $config->custom->appearance['show_clear_password'] = true;
-    $config->custom->appearance['hide_template_warning'] = true;
-    $config->custom->appearance['theme'] = "tango";
-    $config->custom->appearance['minimalMode'] = true;
+  keys.tools-ldap = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      <?php
+      $config->custom->appearance['show_clear_password'] = true;
+      $config->custom->appearance['hide_template_warning'] = true;
+      $config->custom->appearance['theme'] = "tango";
+      $config->custom->appearance['minimalMode'] = true;
 
-    $servers = new Datastore();
+      $servers = new Datastore();
 
-    $servers->newServer('ldap_pla');
-    $servers->setValue('server','name','Immaeâs LDAP');
-    $servers->setValue('server','host','ldaps://${env.ldap.host}');
-    $servers->setValue('login','auth_type','cookie');
-    $servers->setValue('login','bind_id','${env.ldap.dn}');
-    $servers->setValue('login','bind_pass','${env.ldap.password}');
-    $servers->setValue('appearance','password_hash','ssha');
-    $servers->setValue('login','attr','uid');
-    $servers->setValue('login','fallback_dn',true);
-    '';
+      $servers->newServer('ldap_pla');
+      $servers->setValue('server','name','Immae&#x2019;s LDAP');
+      $servers->setValue('server','host','ldaps://${env.ldap.host}');
+      $servers->setValue('login','auth_type','cookie');
+      $servers->setValue('login','bind_id','${env.ldap.dn}');
+      $servers->setValue('login','bind_pass','${env.ldap.password}');
+      $servers->setValue('appearance','password_hash','ssha');
+      $servers->setValue('login','attr','uid');
+      $servers->setValue('login','fallback_dn',true);
+      '';
+  };
   webRoot = stdenv.mkDerivation rec {
     version = "1.2.3";
     name = "phpldapadmin-${version}";
@@ -39,7 +45,7 @@ rec {
     '';
     installPhase = ''
       cp -a . $out
-      ln -sf ${config} $out/config/config.php
+      ln -sf /run/keys/webapps/tools-ldap $out/config/config.php
     '';
   };
   apache = rec {
@@ -62,7 +68,8 @@ rec {
       '';
   };
   phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" [ webRoot config ];
+    serviceDeps = [ "openldap.service" "tools-ldap-key.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot "/run/keys/webapps/tools-ldap" ];
     socket = "/var/run/phpfpm/ldap.sock";
     pool = ''
       listen = ${socket}
diff --git a/nixops/modules/websites/tools/tools/rainloop.nix b/nixops/modules/websites/tools/tools/rainloop.nix
index 7aaa4eb..457e546 100644
--- a/nixops/modules/websites/tools/tools/rainloop.nix
+++ b/nixops/modules/websites/tools/tools/rainloop.nix
@@ -39,6 +39,7 @@ rec {
     '';
   };
   phpFpm = rec {
+    serviceDeps = [ "postgresql.service" ];
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
     socket = "/var/run/phpfpm/rainloop.sock";
     pool = ''
diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix
index 1e1f95b..3806679 100644
--- a/nixops/modules/websites/tools/tools/roundcubemail.nix
+++ b/nixops/modules/websites/tools/tools/roundcubemail.nix
@@ -78,59 +78,65 @@ let
         install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
       '';
     };
-    config = writeText "config.php" ''
-      <?php
-        $config['db_dsnw'] = '${env.psql_url}';
-        $config['default_host'] = 'ssl://mail.immae.eu';
-        $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
-        $config['smtp_server'] = 'tls://mail.immae.eu';
-        $config['smtp_port'] = '25';
-        $config['managesieve_host'] = 'mail.immae.eu';
-        $config['managesieve_port'] = '4190';
-        $config['managesieve_usetls'] = true;
-        $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
+    keys.tools-roundcube = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
+        <?php
+          $config['db_dsnw'] = '${env.psql_url}';
+          $config['default_host'] = 'ssl://mail.immae.eu';
+          $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
+          $config['smtp_server'] = 'tls://mail.immae.eu';
+          $config['smtp_port'] = '25';
+          $config['managesieve_host'] = 'mail.immae.eu';
+          $config['managesieve_port'] = '4190';
+          $config['managesieve_usetls'] = true;
+          $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
 
-        $config['imap_cache'] = 'db';
-        $config['messages_cache'] = 'db';
+          $config['imap_cache'] = 'db';
+          $config['messages_cache'] = 'db';
 
-        $config['support_url'] = ''';
+          $config['support_url'] = ''';
 
-        $config['des_key'] = '${env.secret}';
+          $config['des_key'] = '${env.secret}';
 
-        $config['skin'] = 'elastic';
-        $config['plugins'] = array(
-          'attachment_reminder',
-          'emoticons',
-          'filesystem_attachments',
-          'hide_blockquote',
-          'identicon',
-          'identity_select',
-          'jqueryui',
-          'managesieve',
-          'newmail_notifier',
-          'vcard_attachments',
-          'zipdownload',
+          $config['skin'] = 'elastic';
+          $config['plugins'] = array(
+            'attachment_reminder',
+            'emoticons',
+            'filesystem_attachments',
+            'hide_blockquote',
+            'identicon',
+            'identity_select',
+            'jqueryui',
+            'managesieve',
+            'newmail_notifier',
+            'vcard_attachments',
+            'zipdownload',
 
-          'automatic_addressbook',
-          'message_highlight',
-          'carddav',
-          // Ne marche pas ?: 'ident_switch',
-          // Ne marche pas ?: 'thunderbird_labels',
-        );
+            'automatic_addressbook',
+            'message_highlight',
+            'carddav',
+            // Ne marche pas ?: 'ident_switch',
+            // Ne marche pas ?: 'thunderbird_labels',
+          );
 
-        $config['language'] = 'fr_FR';
+          $config['language'] = 'fr_FR';
 
-        $config['drafts_mbox'] = 'Mail/Drafts';
-        $config['junk_mbox'] = 'Mail/Spam';
-        $config['sent_mbox'] = 'Mail/sent';
-        $config['trash_mbox'] = ''';
-        $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
-        $config['draft_autosave'] = 60;
-        $config['enable_installer'] = false;
-        $config['log_driver'] = 'file';
-        $config['temp_dir'] = '${varDir}/cache';
-        $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
+          $config['drafts_mbox'] = 'Mail/Drafts';
+          $config['junk_mbox'] = 'Mail/Spam';
+          $config['sent_mbox'] = 'Mail/sent';
+          $config['trash_mbox'] = ''';
+          $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
+          $config['draft_autosave'] = 60;
+          $config['enable_installer'] = false;
+          $config['log_driver'] = 'file';
+          $config['temp_dir'] = '${varDir}/cache';
+          $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
       '';
+    };
     webRoot = stdenv.mkDerivation rec {
       version = "1.4-rc1";
       name = "roundcubemail-${version}";
@@ -148,7 +154,7 @@ let
       '';
       installPhase = ''
         cp -a . $out
-        ln -s ${config} $out/config/config.inc.php
+        ln -s /run/keys/webapps/tools-roundcube $out/config/config.inc.php
         ${builtins.concatStringsSep "\n" (
           lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
         )}
@@ -178,8 +184,9 @@ let
         '';
     };
     phpFpm = rec {
+      serviceDeps = [ "postgresql.service" "tools-roundcube-key.service" ];
       basedir = builtins.concatStringsSep ":" (
-        [ webRoot config varDir ]
+        [ webRoot "/run/keys/webapps/tools-roundcube" varDir ]
         ++ lib.attrsets.mapAttrsToList (name: value: value) plugins
         ++ lib.attrsets.mapAttrsToList (name: value: value) skins);
       phpConfig = ''
diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix
index ca049e6..6a5efd9 100644
--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ b/nixops/modules/websites/tools/tools/ttrss.nix
@@ -52,69 +52,75 @@ let
         install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
       '';
     };
-    config = writeText "config.php" ''
-      <?php
+    keys.tools-ttrss = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
+        <?php
 
-        define('PHP_EXECUTABLE', '${php}/bin/php');
+          define('PHP_EXECUTABLE', '${php}/bin/php');
 
-        define('LOCK_DIRECTORY', 'lock');
-        define('CACHE_DIR', 'cache');
-        define('ICONS_DIR', 'feed-icons');
-        define('ICONS_URL', 'feed-icons');
-        define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
+          define('LOCK_DIRECTORY', 'lock');
+          define('CACHE_DIR', 'cache');
+          define('ICONS_DIR', 'feed-icons');
+          define('ICONS_URL', 'feed-icons');
+          define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
 
-        define('MYSQL_CHARSET', 'UTF8');
+          define('MYSQL_CHARSET', 'UTF8');
 
-        define('DB_TYPE', 'pgsql');
-        define('DB_HOST', '${env.postgresql.socket}');
-        define('DB_USER', '${env.postgresql.user}');
-        define('DB_NAME', '${env.postgresql.database}');
-        define('DB_PASS', '${env.postgresql.password}');
-        define('DB_PORT', '${env.postgresql.port}');
+          define('DB_TYPE', 'pgsql');
+          define('DB_HOST', '${env.postgresql.socket}');
+          define('DB_USER', '${env.postgresql.user}');
+          define('DB_NAME', '${env.postgresql.database}');
+          define('DB_PASS', '${env.postgresql.password}');
+          define('DB_PORT', '${env.postgresql.port}');
 
-        define('AUTH_AUTO_CREATE', true);
-        define('AUTH_AUTO_LOGIN', true);
+          define('AUTH_AUTO_CREATE', true);
+          define('AUTH_AUTO_LOGIN', true);
 
-        define('SINGLE_USER_MODE', false);
+          define('SINGLE_USER_MODE', false);
 
-        define('SIMPLE_UPDATE_MODE', false);
-        define('CHECK_FOR_UPDATES', true);
+          define('SIMPLE_UPDATE_MODE', false);
+          define('CHECK_FOR_UPDATES', true);
 
-        define('FORCE_ARTICLE_PURGE', 0);
-        define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
-        define('ENABLE_GZIP_OUTPUT', false);
+          define('FORCE_ARTICLE_PURGE', 0);
+          define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
+          define('ENABLE_GZIP_OUTPUT', false);
 
-        define('PLUGINS', 'auth_ldap, note, instances');
+          define('PLUGINS', 'auth_ldap, note, instances');
 
-        define('LOG_DESTINATION', ''');
-        define('CONFIG_VERSION', 26);
+          define('LOG_DESTINATION', ''');
+          define('CONFIG_VERSION', 26);
 
 
-        define('SPHINX_SERVER', 'localhost:9312');
-        define('SPHINX_INDEX', 'ttrss, delta');
+          define('SPHINX_SERVER', 'localhost:9312');
+          define('SPHINX_INDEX', 'ttrss, delta');
 
-        define('ENABLE_REGISTRATION', false);
-        define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu');
-        define('REG_MAX_USERS', 10);
+          define('ENABLE_REGISTRATION', false);
+          define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu');
+          define('REG_MAX_USERS', 10);
 
-        define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
-        define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
-        define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
+          define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
+          define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
+          define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
 
-        define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
-        define('LDAP_AUTH_USETLS', TRUE);
-        define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
-        define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
-        define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
-        define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
+          define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
+          define('LDAP_AUTH_USETLS', TRUE);
+          define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
+          define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
+          define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
+          define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
 
-        define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
-        define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
-        define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
+          define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
+          define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
+          define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
 
-        define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
-        define('LDAP_AUTH_DEBUG', FALSE);
-      '';
+          define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
+          define('LDAP_AUTH_DEBUG', FALSE);
+        '';
+    };
     webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec {
       buildPhase = ''
         rm -rf lock feed-icons cache
@@ -122,7 +128,7 @@ let
       '';
       installPhase = ''
         cp -a . $out
-        ln -s ${config} $out/config.php
+        ln -s /run/keys/webapps/tools-ttrss $out/config.php
         ${builtins.concatStringsSep "\n" (
           lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
         )}
@@ -149,8 +155,9 @@ let
         '';
     };
     phpFpm = rec {
+      serviceDeps = [ "postgresql.service" "openldap.service" "tools-ttrss-key.service" ];
       basedir = builtins.concatStringsSep ":" (
-        [ webRoot config varDir ]
+        [ webRoot "/run/keys/webapps/tools-ttrss" varDir ]
         ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
       socket = "/var/run/phpfpm/ttrss.sock";
       pool = ''
diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/nixops/modules/websites/tools/tools/wallabag.nix
index 0b28ccb..c808eb1 100644
--- a/nixops/modules/websites/tools/tools/wallabag.nix
+++ b/nixops/modules/websites/tools/tools/wallabag.nix
@@ -2,64 +2,70 @@
 let
   wallabag = rec {
     varDir = "/var/lib/wallabag";
-    parameters = writeText "parameters.yml" ''
-      # This file is auto-generated during the composer install
-      parameters:
-          database_driver: pdo_pgsql
-          database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
-          database_host: ${env.postgresql.socket}
-          database_port: ${env.postgresql.port}
-          database_name: ${env.postgresql.database}
-          database_user: ${env.postgresql.user}
-          database_password: ${env.postgresql.password}
-          database_path: null
-          database_table_prefix: wallabag_
-          database_socket: null
-          database_charset: utf8
-          domain_name: https://tools.immae.eu/wallabag
-          mailer_transport: sendmail
-          mailer_host: 127.0.0.1
-          mailer_user: null
-          mailer_password: null
-          locale: fr
-          secret: ${env.secret}
-          twofactor_auth: true
-          twofactor_sender: wallabag@tools.immae.eu
-          fosuser_registration: false
-          fosuser_confirmation: true
-          from_email: wallabag@tools.immae.eu
-          rss_limit: 50
-          rabbitmq_host: localhost
-          rabbitmq_port: 5672
-          rabbitmq_user: guest
-          rabbitmq_password: guest
-          rabbitmq_prefetch_count: 10
-          redis_scheme: unix
-          redis_host: null
-          redis_port: null
-          redis_path: ${env.redis.socket}
-          redis_password: null
-          sites_credentials: {  }
-          ldap_enabled: true
-          ldap_host: ldap.immae.eu
-          ldap_port: 636
-          ldap_tls: false
-          ldap_ssl: true
-          ldap_bind_requires_dn: true
-          ldap_base: 'dc=immae,dc=eu'
-          ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
-          ldap_manager_pw: ${env.ldap.password}
-          ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
-          ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
-          ldap_username_attribute: uid
-          ldap_email_attribute: mail
-          ldap_name_attribute: cn
-          ldap_enabled_attribute: null
-      services:
-          swiftmailer.mailer.default.transport:
-              class:     Swift_SendmailTransport
-              arguments: ['/run/wrappers/bin/sendmail -bs']
-      '';
+    keys.tools-wallabag = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+            database_driver: pdo_pgsql
+            database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
+            database_host: ${env.postgresql.socket}
+            database_port: ${env.postgresql.port}
+            database_name: ${env.postgresql.database}
+            database_user: ${env.postgresql.user}
+            database_password: ${env.postgresql.password}
+            database_path: null
+            database_table_prefix: wallabag_
+            database_socket: null
+            database_charset: utf8
+            domain_name: https://tools.immae.eu/wallabag
+            mailer_transport: sendmail
+            mailer_host: 127.0.0.1
+            mailer_user: null
+            mailer_password: null
+            locale: fr
+            secret: ${env.secret}
+            twofactor_auth: true
+            twofactor_sender: wallabag@tools.immae.eu
+            fosuser_registration: false
+            fosuser_confirmation: true
+            from_email: wallabag@tools.immae.eu
+            rss_limit: 50
+            rabbitmq_host: localhost
+            rabbitmq_port: 5672
+            rabbitmq_user: guest
+            rabbitmq_password: guest
+            rabbitmq_prefetch_count: 10
+            redis_scheme: unix
+            redis_host: null
+            redis_port: null
+            redis_path: ${env.redis.socket}
+            redis_password: null
+            sites_credentials: {  }
+            ldap_enabled: true
+            ldap_host: ldap.immae.eu
+            ldap_port: 636
+            ldap_tls: false
+            ldap_ssl: true
+            ldap_bind_requires_dn: true
+            ldap_base: 'dc=immae,dc=eu'
+            ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
+            ldap_manager_pw: ${env.ldap.password}
+            ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
+            ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
+            ldap_username_attribute: uid
+            ldap_email_attribute: mail
+            ldap_name_attribute: cn
+            ldap_enabled_attribute: null
+        services:
+            swiftmailer.mailer.default.transport:
+                class:     Swift_SendmailTransport
+                arguments: ['/run/wrappers/bin/sendmail -bs']
+        '';
+    };
     webappDir = composerEnv.buildPackage rec {
       packages = {
         "fr3d/ldap-bundle" = {
@@ -104,7 +110,7 @@ let
       '';
       postInstall = ''
         rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data
-        ln -sf ${parameters} app/config/parameters.yml
+        ln -sf /run/keys/webapps/tools-wallabag app/config/parameters.yml
         ln -sf ${varDir}/var/{cache,logs,sessions} var
         ln -sf ${varDir}/data data
         ln -sf ${varDir}/assets web/assets
@@ -163,7 +169,8 @@ let
         '';
     };
     phpFpm = rec {
-      basedir = builtins.concatStringsSep ":" [ webappDir parameters varDir ];
+      serviceDeps = [ "postgresql.service" "openldap.service" "tools-wallabag-key.service" ];
+      basedir = builtins.concatStringsSep ":" [ webappDir "/run/keys/webapps/tools-wallabag" varDir ];
       socket = "/var/run/phpfpm/wallabag.sock";
       pool = ''
         listen = ${socket}
diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix
index b12edfa..64ec48a 100644
--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ b/nixops/modules/websites/tools/tools/yourls.nix
@@ -13,7 +13,12 @@ let
     activationScript = ''
       install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
     '';
-    config = writeText "config.php" ''
+    keys.tools-yourls = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
         <?php
         define( 'YOURLS_DB_USER', '${env.mysql.user}' );
         define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
@@ -41,12 +46,13 @@ let
 
         define( 'LDAPAUTH_USERCACHE_TYPE', 0);
       '';
+    };
     webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec {
       installPhase = ''
         mkdir -p $out
         cp -a */ *.php $out/
         cp sample-robots.txt $out/robots.txt
-        ln -sf ${config} $out/includes/config.php
+        ln -sf /run/keys/webapps/tools-yourls $out/includes/config.php
         ${builtins.concatStringsSep "\n" (
           lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins
         )}
@@ -79,8 +85,9 @@ let
         '';
     };
     phpFpm = rec {
+      serviceDeps = [ "mysql.service" "openldap.service" "tools-yourls-key.service" ];
       basedir = builtins.concatStringsSep ":" (
-        [ webRoot config ]
+        [ webRoot "/run/keys/webapps/tools-yourls" ]
         ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
       socket = "/var/run/phpfpm/yourls.sock";
       pool = ''
-- 
2.41.0