From e905cd0bda71f359597ecb1f4554d3edb27e2ccb Mon Sep 17 00:00:00 2001 From: =?utf8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 20 Apr 2019 15:50:00 +0200 Subject: [PATCH] Move missing passwords in etherpad to secure location Related issue: https://git.immae.eu/mantisbt/view.php?id=122 --- .../modules/websites/tools/ether/default.nix | 6 +- .../websites/tools/ether/etherpad_lite.nix | 214 +++++++++--------- 2 files changed, 116 insertions(+), 104 deletions(-) diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix index 6d845ac..7fdcb57 100644 --- a/nixops/modules/websites/tools/ether/default.nix +++ b/nixops/modules/websites/tools/ether/default.nix @@ -16,8 +16,8 @@ in { systemd.services.etherpad-lite = { description = "Etherpad-lite"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ]; - wants = [ "postgresql.service" "tools-etherpad-key.service" ]; + after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ]; + wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ]; environment.NODE_ENV = "production"; environment.HOME = etherpad.webappDir; @@ -44,7 +44,7 @@ in { Restart = "always"; Type = "simple"; TimeoutSec = 60; - ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad"; + ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey"; }; }; diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix index bc62262..689156e 100644 --- a/nixops/modules/websites/tools/ether/etherpad_lite.nix +++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix @@ -30,109 +30,121 @@ let "ep_subscript_and_superscript" "ep_timesliderdiff" ]; - keys.tools-etherpad = { - destDir = "/run/keys/webapps"; - permissions = "0400"; - text = - # Make sure we’re not rebuilding whole libreoffice just because of a - # dependency - let libreoffice = (import {}).libreoffice-fresh; - in - '' - { - "title": "Etherpad", - "favicon": "favicon.ico", + keys = { + tools-etherpad-apikey = { + destDir = "/run/keys/webapps"; + permissions = "0400"; + text = env.api_key; + }; + tools-etherpad-sessionkey = { + destDir = "/run/keys/webapps"; + permissions = "0400"; + text = env.session_key; + }; + tools-etherpad = { + destDir = "/run/keys/webapps"; + permissions = "0400"; + text = + # Make sure we’re not rebuilding whole libreoffice just because of a + # dependency + let libreoffice = (import {}).libreoffice-fresh; + in + '' + { + "title": "Etherpad", + "favicon": "favicon.ico", - "ip": "127.0.0.1", - "port" : ${env.listenPort}, - "showSettingsInAdminPage" : false, - "dbType" : "postgres", - "dbSettings" : { - "user" : "${env.postgresql.user}", - "host" : "${env.postgresql.socket}", - "password": "${env.postgresql.password}", - "database": "${env.postgresql.database}", - "charset" : "utf8mb4" - }, + "ip": "127.0.0.1", + "port" : ${env.listenPort}, + "showSettingsInAdminPage" : false, + "dbType" : "postgres", + "dbSettings" : { + "user" : "${env.postgresql.user}", + "host" : "${env.postgresql.socket}", + "password": "${env.postgresql.password}", + "database": "${env.postgresql.database}", + "charset" : "utf8mb4" + }, - "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", - "padOptions": { - "noColors": false, - "showControls": true, - "showChat": true, - "showLineNumbers": true, - "useMonospaceFont": false, - "userName": false, - "userColor": false, - "rtl": false, - "alwaysShowChat": false, - "chatAndUsers": false, - "lang": "en-gb" - }, + "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", + "padOptions": { + "noColors": false, + "showControls": true, + "showChat": true, + "showLineNumbers": true, + "useMonospaceFont": false, + "userName": false, + "userColor": false, + "rtl": false, + "alwaysShowChat": false, + "chatAndUsers": false, + "lang": "en-gb" + }, - "suppressErrorsInPadText" : false, - "requireSession" : false, - "editOnly" : false, - "sessionNoPassword" : false, - "minify" : true, - "maxAge" : 21600, - "abiword" : null, - "soffice" : "${libreoffice}/bin/soffice", - "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", - "allowUnknownFileEnds" : true, - "requireAuthentication" : false, - "requireAuthorization" : false, - "trustProxy" : false, - "disableIPlogging" : false, - "automaticReconnectionTimeout" : 0, - "scrollWhenFocusLineIsOutOfViewport": { - "percentage": { - "editionAboveViewport": 0, - "editionBelowViewport": 0 + "suppressErrorsInPadText" : false, + "requireSession" : false, + "editOnly" : false, + "sessionNoPassword" : false, + "minify" : true, + "maxAge" : 21600, + "abiword" : null, + "soffice" : "${libreoffice}/bin/soffice", + "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", + "allowUnknownFileEnds" : true, + "requireAuthentication" : false, + "requireAuthorization" : false, + "trustProxy" : false, + "disableIPlogging" : false, + "automaticReconnectionTimeout" : 0, + "scrollWhenFocusLineIsOutOfViewport": { + "percentage": { + "editionAboveViewport": 0, + "editionBelowViewport": 0 + }, + "duration": 0, + "scrollWhenCaretIsInTheLastLineOfViewport": false, + "percentageToScrollWhenUserPressesArrowUp": 0 }, - "duration": 0, - "scrollWhenCaretIsInTheLastLineOfViewport": false, - "percentageToScrollWhenUserPressesArrowUp": 0 - }, - "users": { - "ldapauth": { - "url": "ldaps://${env.ldap.host}", - "accountBase": "${env.ldap.base}", - "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", - "displayNameAttribute": "cn", - "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", - "searchPWD": "${env.ldap.password}", - "groupSearchBase": "${env.ldap.base}", - "groupAttribute": "member", - "groupAttributeIsDN": true, - "searchScope": "sub", - "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", - "anonymousReadonly": false - } - }, - "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], - "loadTest": false, - "indentationOnNewLine": false, - "toolbar": { - "left": [ - ["bold", "italic", "underline", "strikethrough"], - ["orderedlist", "unorderedlist", "indent", "outdent"], - ["undo", "redo"], - ["clearauthorship"] - ], - "right": [ - ["importexport", "timeslider", "savedrevision"], - ["settings", "embed"], - ["showusers"] - ], - "timeslider": [ - ["timeslider_export", "timeslider_returnToPad"] - ] - }, - "loglevel": "INFO", - "logconfig" : { "appenders": [ { "type": "console" } ] } - } - ''; + "users": { + "ldapauth": { + "url": "ldaps://${env.ldap.host}", + "accountBase": "${env.ldap.base}", + "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", + "displayNameAttribute": "cn", + "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", + "searchPWD": "${env.ldap.password}", + "groupSearchBase": "${env.ldap.base}", + "groupAttribute": "member", + "groupAttributeIsDN": true, + "searchScope": "sub", + "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", + "anonymousReadonly": false + } + }, + "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], + "loadTest": false, + "indentationOnNewLine": false, + "toolbar": { + "left": [ + ["bold", "italic", "underline", "strikethrough"], + ["orderedlist", "unorderedlist", "indent", "outdent"], + ["undo", "redo"], + ["clearauthorship"] + ], + "right": [ + ["importexport", "timeslider", "savedrevision"], + ["settings", "embed"], + ["showusers"] + ], + "timeslider": [ + ["timeslider_export", "timeslider_returnToPad"] + ] + }, + "loglevel": "INFO", + "logconfig" : { "appenders": [ { "type": "console" } ] } + } + ''; + }; }; webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { __noChroot = true; @@ -170,8 +182,8 @@ let install -t $out/src/ -vDm 644 src/.ep_initialized cp -a node_modules $out/ cp -a src/* $out/src/ - ln -sf ${sessionkey} $out/SESSIONKEY.txt - ln -sf ${apikey} $out/APIKEY.txt + ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt + ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt cp ${jquery} $out/src/static/js/jquery.js mkdir $out/doc -- 2.41.0