From ec2a5ffb986e9b21dff31e16d112aa9052a4bc5c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 16 Apr 2019 01:44:03 +0200
Subject: [PATCH] Move diaspora and mantisbt passwords to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 .../websites/tools/diaspora/default.nix | 16 +++-
 .../websites/tools/diaspora/diaspora.nix | 39 +++++++---
 nixops/modules/websites/tools/git/default.nix | 1 +
 .../websites/tools/git/mantisbt/mantisbt.nix | 78 ++++++++++---------
 4 files changed, 87 insertions(+), 47 deletions(-)
diff --git a/nixops/modules/websites/tools/diaspora/default.nix b/nixops/modules/websites/tools/diaspora/default.nix
index b1cb6f2..5d36ce7 100644
--- a/nixops/modules/websites/tools/diaspora/default.nix
+++ b/nixops/modules/websites/tools/diaspora/default.nix
@@ -24,15 +24,27 @@ in {
 home = diaspora.varDir;
 useDefaultShell = true;
 packages = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby ];
+ extraGroups = [ "keys" ];
 };
 users.groups.diaspora.gid = config.ids.gids.diaspora;
+ deployment.keys = diaspora.keys;
 systemd.services.diaspora = {
 description = "Diaspora";
 wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "redis.service" "postgresql.service" ];
- wants = [ "redis.service" "postgresql.service" ];
+ after = [
+ "network.target" "redis.service" "postgresql.service"
+ "tools-diaspora-secret_token.service"
+ "tools-diaspora-config.service"
+ "tools-diaspora-database_config.service"
+ ];
+ wants = [
+ "redis.service" "postgresql.service"
+ "tools-diaspora-secret_token.service"
+ "tools-diaspora-config.service"
+ "tools-diaspora-database_config.service"
+ ];
 environment.RAILS_ENV = "production";
 environment.BUNDLE_PATH = "${diaspora.gems}/${diaspora.gems.ruby.gemPath}";
diff --git a/nixops/modules/websites/tools/diaspora/diaspora.nix b/nixops/modules/websites/tools/diaspora/diaspora.nix
index 82bca8c..074dfb2 100644
--- a/nixops/modules/websites/tools/diaspora/diaspora.nix
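Review bot: The new `after`/`wants` entries name `tools-diaspora-secret_token.service`, `tools-diaspora-config.service` and `tools-diaspora-database_config.service`, but if these keys are deployed through NixOps `deployment.keys` (as `deployment.keys = diaspora.keys;` in this hunk suggests) the per-key units NixOps generates are named `<name>-key.service`, and systemd silently ignores `After=`/`Wants=` on a unit that does not exist, so nothing would keep diaspora.service from starting before the three files under /run/keys/webapps are present, notably after a reboot when /run/keys has to be repopulated. I would point both lists at `"tools-diaspora-secret_token-key.service"` (and the `-config-key` / `-database_config-key` equivalents) or at `keys.target`, and confirm the actual unit names on a deployed host with `systemctl list-units '*-key.service'`. The enclosing `users`/`systemd` attribute set starts and ends outside the hunk.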
+++ b/nixops/modules/websites/tools/diaspora/diaspora.nix
@@ -29,10 +29,21 @@ let
 };
 };
 };
- secret_token = writeText "secret_token.rb" ''
- Diaspora::Application.config.secret_key_base = '${env.secret_token}'
+ keys.tools-diaspora-secret_token = {
+ destDir = "/run/keys/webapps";
+ user = "diaspora";
+ group = "diaspora";
+ permissions = "0700";
+ text = ''
+ Diaspora::Application.config.secret_key_base = '${env.secret_token}'
 '';
- config = writeText "diaspora.yml" ''
+ };
+ keys.tools-diaspora-config = {
+ destDir = "/run/keys/webapps";
+ user = "diaspora";
+ group = "diaspora";
+ permissions = "0700";
+ text = ''
 configuration:
 environment:
 url: "https://diaspora.immae.eu/"
@@ -105,7 +116,13 @@ let
 development:
 environment:
 '';
- database_config = writeText "database.yml" ''
+ };
+ keys.tools-diaspora-database_config = {
+ destDir = "/run/keys/webapps";
+ user = "diaspora";
+ group = "diaspora";
+ permissions = "0700";
+ text = ''
 postgresql: &postgresql
 adapter: postgresql
 host: "${env.postgresql.socket}"
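Review bot: `permissions = "0700"` on the three key entries sets the execute bit on what are regular configuration files, and with owner-only access the `group = "diaspora"` attribute has no effect; `permissions = "0600";` expresses the intent (readable only by the service user) without the stray bit, and the same applies to `keys.tools-diaspora-database_config` in the second hunk. As a point of style, the three entries repeat the same four attributes and only differ in `text`, so a small helper in the same `let` block would keep the mode and destination in one place and make a future change (say, a different destDir) a one-line edit. The secret values are still interpolated into `text` at evaluation time, which is fine for `deployment.keys` as long as nothing else in the file turns that text into a store path (see the railsRoot hunk).

```nix
mkKey = text: {
  destDir = "/run/keys/webapps";
  user = "diaspora";
  group = "diaspora";
  permissions = "0600";
  inherit text;
};
keys.tools-diaspora-secret_token = mkKey ''
  Diaspora::Application.config.secret_key_base = '${env.secret_token}'
'';
# … unchanged: keys.tools-diaspora-config and keys.tools-diaspora-database_config, same pattern with their existing text …
```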
@@ -133,23 +150,27 @@ let
 <<: *combined
 database: diaspora_integration2
 '';
-
+ };
 railsRoot = stdenv.mkDerivation {
 name = "diaspora_immae";
 inherit diaspora;
+ # FIXME: build machine will contain some passwords in the nix store
 builder = writeText "build_diaspora_immae" ''
 source $stdenv/setup
 cp -a $diaspora $out
 cd $out
 chmod -R u+rwX .
 tar -czf public/source.tar.gz ./{app,db,lib,script,Gemfile,Gemfile.lock,Rakefile,config.ru}
- ln -s ${database_config} config/database.yml
- ln -s ${config} config/diaspora.yml
- ln -s ${secret_token} config/initializers/secret_token.rb
+ ln -s ${writeText "database.yml" keys.tools-diaspora-database_config.text} config/database.yml
+ ln -s ${writeText "diaspora.yml" keys.tools-diaspora-config.text} config/diaspora.yml
+ ln -s ${writeText "secret_token.rb" keys.tools-diaspora-secret_token.text} config/initializers/secret_token.rb
 ln -sf ${varDir}/schedule.yml config/schedule.yml
 ln -sf ${varDir}/oidc_key.pem config/oidc_key.pem
 ln -sf ${varDir}/uploads public/uploads
 RAILS_ENV=production ${gems}/bin/rake assets:precompile
+ ln -sf /run/keys/webapps/tools-diaspora-database_config config/database.yml
+ ln -sf /run/keys/webapps/tools-diaspora-config config/diaspora.yml
+ ln -sf /run/keys/webapps/tools-diaspora-secret_token config/initializers/secret_token.rb
 rm -rf tmp log
 ln -sf ${varDir}/tmp tmp
 ln -sf ${varDir}/log log
@@ -158,6 +179,6 @@ let
 };
 in {
- inherit railsRoot varDir socketsDir gems;
+ inherit railsRoot varDir socketsDir gems keys;
 railsSocket = "${socketsDir}/diaspora.sock";
 }
diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix
index 11b0245..28b3c2d 100644
--- a/nixops/modules/websites/tools/git/default.nix
+++ b/nixops/modules/websites/tools/git/default.nix
@@ -23,6 +23,7 @@ in {
 });
 })
 ];
+ deployment.keys = mantisbt.keys;
 services.myWebsites.tools.modules = gitweb.apache.modules ++ mantisbt.apache.modules;
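Review bot: The builder still writes the real secrets into the Nix store: `${writeText "database.yml" keys.tools-diaspora-database_config.text}` and the two sibling `ln -s` lines create world-readable store paths holding the database password and `secret_key_base` on whatever machine builds `railsRoot`, which the added FIXME acknowledges but leaves in place, so this commit moves the secrets out of the runtime config only, not out of the store. Two mitigations worth weighing: feed `rake assets:precompile` placeholder files (a `database.yml` and `secret_token.rb` built from dummy values in a separate non-secret attribute) if the precompile step only needs the files to parse, which needs confirming against Rails; or, failing that, build on the target itself and collect garbage afterwards, since the three writeText paths are only build-time inputs and should become unreachable once the later `ln -sf /run/keys/webapps/...` lines replace the links. It is also worth checking that nothing under `public/assets`, which stays in `$out`, captured any of the values during precompile. The derivation body continues past the end of the hunk.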
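Review bot: Unlike the diaspora module, nothing in this hunk orders the consumer of `mantisbt.keys` after the key unit or adds the service user to the `keys` group; whether that is needed depends on what `mantisbt.nix` (cut off below) declares and on which unit, presumably the Apache/PHP service, reads the deployed file. If it is the web server, it needs the equivalent `after`/`wants` on the `<name>-key.service` unit (or `keys.target`) so that a reboot does not bring it up before /run/keys is repopulated, and the file mode should be checked against the user the web server actually runs as. The enclosing attribute set starts outside the hunk.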
diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
index 0cd98a1..00580b5 100644
--- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
+++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
@@ -17,41 +17,46 @@ let
 });
 };
 in rec {
- config =
- writeText "config_inc.php" ''
-