authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 09:05:46 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 09:05:46 +0200
commit32c84ff89c2b8931f58cea63961a178a9b1d0efe (patch)
tree7a90c28e1db3d8c704b2371737f2f2fae471db67
parent742697c95318d3625298437995e948ee00a00ba5 (diff)
downloadNix-32c84ff89c2b8931f58cea63961a178a9b1d0efe.tar.gz
Nix-32c84ff89c2b8931f58cea63961a178a9b1d0efe.tar.zst
Nix-32c84ff89c2b8931f58cea63961a178a9b1d0efe.zip
Move etherpad mastodon mediagoblin task and peertube to new secrets
-rw-r--r--nixops/modules/task/default.nix8
-rw-r--r--nixops/modules/websites/tools/ether/default.nix10
-rw-r--r--nixops/modules/websites/tools/ether/etherpad_lite.nix26
-rw-r--r--nixops/modules/websites/tools/mastodon/default.nix8
-rw-r--r--nixops/modules/websites/tools/mastodon/mastodon.nix9
-rw-r--r--nixops/modules/websites/tools/mediagoblin/default.nix6
-rw-r--r--nixops/modules/websites/tools/mediagoblin/mediagoblin.nix8
-rw-r--r--nixops/modules/websites/tools/peertube/default.nix12
8 files changed, 44 insertions, 43 deletions
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index 2001eaa..9671725 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -87,8 +87,8 @@ in {
87 }; 87 };
88 88
89 config = lib.mkIf cfg.enable { 89 config = lib.mkIf cfg.enable {
90 deployment.keys.tools-taskwarrior-web = { 90 mySecrets.keys = [{
91 destDir = "/run/keys/webapps"; 91 dest = "webapps/tools-taskwarrior-web";
92 user = "wwwrun"; 92 user = "wwwrun";
93 group = "wwwrun"; 93 group = "wwwrun";
94 permissions = "0400"; 94 permissions = "0400";
@@ -101,7 +101,7 @@ in {
101 SetEnv TASKD_LDAP_BASE "${env.ldap.base}" 101 SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
102 SetEnv TASKD_LDAP_FILTER "${env.ldap.search}" 102 SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
103 ''; 103 '';
104 }; 104 }];
105 security.acme.certs."eldiron".extraDomains.${fqdn} = null; 105 security.acme.certs."eldiron".extraDomains.${fqdn} = null;
106 services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ]; 106 services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ];
107 services.myWebsites.tools.vhostConfs.task = { 107 services.myWebsites.tools.vhostConfs.task = {
@@ -116,7 +116,7 @@ in {
116 <FilesMatch "\.php$"> 116 <FilesMatch "\.php$">
117 SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" 117 SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
118 </FilesMatch> 118 </FilesMatch>
119 Include /run/keys/webapps/tools-taskwarrior-web 119 Include /var/secrets/webapps/tools-taskwarrior-web
120 </Directory> 120 </Directory>
121 '' 121 ''
122 '' 122 ''
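Review bot: The `dest` value on new line 91 is a path relative to /var/secrets, while the Apache `Include` on new line 119 spells the absolute path out by hand, so the two can drift apart without any error at evaluation time. A short comment at the key declaration would make the coupling visible: `# dest is relative to /var/secrets; the Include in vhostConfs.task below must match`. The enclosing `config` attribute set continues outside the hunk.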
diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix
index 7fdcb57..0d04c36 100644
--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -12,12 +12,12 @@ in {
12 }; 12 };
13 13
14 config = lib.mkIf cfg.enable { 14 config = lib.mkIf cfg.enable {
15 deployment.keys = etherpad.keys; 15 mySecrets.keys = etherpad.keys;
16 systemd.services.etherpad-lite = { 16 systemd.services.etherpad-lite = {
17 description = "Etherpad-lite"; 17 description = "Etherpad-lite";
18 wantedBy = [ "multi-user.target" ]; 18 wantedBy = [ "multi-user.target" ];
19 after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ]; 19 after = [ "network.target" "postgresql.service" ];
20 wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ]; 20 wants = [ "postgresql.service" ];
21 21
22 environment.NODE_ENV = "production"; 22 environment.NODE_ENV = "production";
23 environment.HOME = etherpad.webappDir; 23 environment.HOME = etherpad.webappDir;
@@ -26,7 +26,7 @@ in {
26 26
27 script = '' 27 script = ''
28 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ 28 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
29 --settings /run/keys/webapps/tools-etherpad 29 --settings /var/secrets/webapps/tools-etherpad
30 ''; 30 '';
31 31
32 serviceConfig = { 32 serviceConfig = {
@@ -44,7 +44,7 @@ in {
44 Restart = "always"; 44 Restart = "always";
45 Type = "simple"; 45 Type = "simple";
46 TimeoutSec = 60; 46 TimeoutSec = 60;
47 ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey"; 47 ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey";
48 }; 48 };
49 }; 49 };
50 50
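Review bot: Dropping `tools-etherpad-key.service` from `after`/`wants` on new lines 19–20 leaves nothing in this unit that orders it after the files under /var/secrets exist; that is only safe if the mySecrets module writes them during system activation rather than through units of its own, which this hunk does not show. The same removal appears in mediagoblin/default.nix and peertube/default.nix. A comment such as `# secrets are written by mySecrets at activation time, so no key unit ordering is needed` at the `after` line would record the assumption, or the new secret-providing unit should be listed if one exists.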
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix
index 689156e..14ad565 100644
--- a/nixops/modules/websites/tools/ether/etherpad_lite.nix
+++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix
@@ -30,19 +30,19 @@ let
30 "ep_subscript_and_superscript" 30 "ep_subscript_and_superscript"
31 "ep_timesliderdiff" 31 "ep_timesliderdiff"
32 ]; 32 ];
33 keys = { 33 keys = [
34 tools-etherpad-apikey = { 34 {
35 destDir = "/run/keys/webapps"; 35 dest = "webapps/tools-etherpad-apikey";
36 permissions = "0400"; 36 permissions = "0400";
37 text = env.api_key; 37 text = env.api_key;
38 }; 38 }
39 tools-etherpad-sessionkey = { 39 {
40 destDir = "/run/keys/webapps"; 40 dest = "webapps/tools-etherpad-sessionkey";
41 permissions = "0400"; 41 permissions = "0400";
42 text = env.session_key; 42 text = env.session_key;
43 }; 43 }
44 tools-etherpad = { 44 {
45 destDir = "/run/keys/webapps"; 45 dest = "webapps/tools-etherpad";
46 permissions = "0400"; 46 permissions = "0400";
47 text = 47 text =
48 # Make sure we’re not rebuilding whole libreoffice just because of a 48 # Make sure we’re not rebuilding whole libreoffice just because of a
@@ -144,8 +144,8 @@ let
144 "logconfig" : { "appenders": [ { "type": "console" } ] } 144 "logconfig" : { "appenders": [ { "type": "console" } ] }
145 } 145 }
146 ''; 146 '';
147 }; 147 }
148 }; 148 ];
149 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { 149 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec {
150 __noChroot = true; 150 __noChroot = true;
151 patches = [ ./libreoffice_patch.diff ]; 151 patches = [ ./libreoffice_patch.diff ];
@@ -182,8 +182,8 @@ let
182 install -t $out/src/ -vDm 644 src/.ep_initialized 182 install -t $out/src/ -vDm 644 src/.ep_initialized
183 cp -a node_modules $out/ 183 cp -a node_modules $out/
184 cp -a src/* $out/src/ 184 cp -a src/* $out/src/
185 ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt 185 ln -sf /var/secrets/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt
186 ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt 186 ln -sf /var/secrets/webapps/tools-etherpad-apikey $out/APIKEY.txt
187 cp ${jquery} $out/src/static/js/jquery.js 187 cp ${jquery} $out/src/static/js/jquery.js
188 188
189 mkdir $out/doc 189 mkdir $out/doc
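Review bot: The three key entries on new lines 34–46 set only `permissions = "0400"` with no `user`/`group`, unlike every other key in this commit, which is why ether/default.nix still needs the root-privileged `ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite ..."` step. Adding `user = "etherpad-lite"; group = "etherpad-lite";` to each entry would let the secrets module deliver the files already owned by the service user, and the chown pre-step could then be dropped. The `keys` list continues past the hunk to line 148.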
diff --git a/nixops/modules/websites/tools/mastodon/default.nix b/nixops/modules/websites/tools/mastodon/default.nix
index 048d845..a3f2364 100644
--- a/nixops/modules/websites/tools/mastodon/default.nix
+++ b/nixops/modules/websites/tools/mastodon/default.nix
@@ -13,7 +13,7 @@ in {
13 }; 13 };
14 14
15 config = lib.mkIf cfg.enable { 15 config = lib.mkIf cfg.enable {
16 deployment.keys = mastodon.keys; 16 mySecrets.keys = mastodon.keys;
17 ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid; 17 ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
18 ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid; 18 ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
19 19
@@ -55,7 +55,7 @@ in {
55 55
56 serviceConfig = { 56 serviceConfig = {
57 User = "mastodon"; 57 User = "mastodon";
58 EnvironmentFile = "/run/keys/webapps/tools-mastodon"; 58 EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
59 PrivateTmp = true; 59 PrivateTmp = true;
60 Restart = "always"; 60 Restart = "always";
61 TimeoutSec = 15; 61 TimeoutSec = 15;
@@ -88,7 +88,7 @@ in {
88 88
89 serviceConfig = { 89 serviceConfig = {
90 User = "mastodon"; 90 User = "mastodon";
91 EnvironmentFile = "/run/keys/webapps/tools-mastodon"; 91 EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
92 PrivateTmp = true; 92 PrivateTmp = true;
93 Restart = "always"; 93 Restart = "always";
94 TimeoutSec = 60; 94 TimeoutSec = 60;
@@ -117,7 +117,7 @@ in {
117 117
118 serviceConfig = { 118 serviceConfig = {
119 User = "mastodon"; 119 User = "mastodon";
120 EnvironmentFile = "/run/keys/webapps/tools-mastodon"; 120 EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
121 PrivateTmp = true; 121 PrivateTmp = true;
122 Restart = "always"; 122 Restart = "always";
123 TimeoutSec = 15; 123 TimeoutSec = 15;
diff --git a/nixops/modules/websites/tools/mastodon/mastodon.nix b/nixops/modules/websites/tools/mastodon/mastodon.nix
index 944b2db..3ee3552 100644
--- a/nixops/modules/websites/tools/mastodon/mastodon.nix
+++ b/nixops/modules/websites/tools/mastodon/mastodon.nix
@@ -58,8 +58,8 @@ let
58 ''; 58 '';
59 buildInputs = [ yarnModules ]; 59 buildInputs = [ yarnModules ];
60 }); 60 });
61 keys.tools-mastodon = { 61 keys.mastodon = {
62 destDir = "/run/keys/webapps"; 62 dest = "webapps/tools-mastodon";
63 user = "mastodon"; 63 user = "mastodon";
64 group = "mastodon"; 64 group = "mastodon";
65 permissions = "0400"; 65 permissions = "0400";
@@ -113,7 +113,7 @@ let
113 builder = writeText "build_mastodon_immae" '' 113 builder = writeText "build_mastodon_immae" ''
114 source $stdenv/setup 114 source $stdenv/setup
115 set -a 115 set -a
116 ${keys.tools-mastodon.text} 116 ${keys.mastodon.text}
117 set +a 117 set +a
118 cp -a $mastodon $out 118 cp -a $mastodon $out
119 cd $out 119 cd $out
@@ -128,7 +128,8 @@ let
128 }; 128 };
129in 129in
130 { 130 {
131 inherit railsRoot keys varDir socketsDir gems; 131 inherit railsRoot varDir socketsDir gems;
132 keys = builtins.attrValues keys;
132 nodeSocket = "${socketsDir}/live_immae_node.sock"; 133 nodeSocket = "${socketsDir}/live_immae_node.sock";
133 railsSocket = "${socketsDir}/live_immae_puma.sock"; 134 railsSocket = "${socketsDir}/live_immae_puma.sock";
134 } 135 }
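Review bot: The rename on new line 116 keeps `${keys.mastodon.text}` interpolated into the builder produced by `writeText "build_mastodon_immae"`, so the secret contents appear to be copied into a store path at build time, and store paths are readable by every local user regardless of the 0400 mode set on the deployed file. If the build only needs non-secret settings from that environment, it would be safer to split those out of the key text and interpolate just that subset; a comment at line 116 noting that anything in this string ends up in the store would at least make the trade-off explicit. The surrounding `let` binding starts and ends outside the hunk.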
diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix
index 9b058be..36329d9 100644
--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,7 +12,7 @@ in {
12 }; 12 };
13 13
14 config = lib.mkIf cfg.enable { 14 config = lib.mkIf cfg.enable {
15 deployment.keys = mediagoblin.keys; 15 mySecrets.keys = mediagoblin.keys;
16 ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; 16 ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
17 ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; 17 ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
18 18
@@ -31,8 +31,8 @@ in {
31 systemd.services.mediagoblin-web = { 31 systemd.services.mediagoblin-web = {
32 description = "Mediagoblin service"; 32 description = "Mediagoblin service";
33 wantedBy = [ "multi-user.target" ]; 33 wantedBy = [ "multi-user.target" ];
34 after = [ "network.target" "tools-mediagoblin-key.service" ]; 34 after = [ "network.target" ];
35 wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ]; 35 wants = [ "postgresql.service" "redis.service" ];
36 36
37 environment.SCRIPT_NAME = "/mediagoblin/"; 37 environment.SCRIPT_NAME = "/mediagoblin/";
38 38
diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
index 23ee24d..bc423db 100644
--- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
@@ -190,8 +190,8 @@ in
190 url_scheme = https 190 url_scheme = https
191 ''; 191 '';
192 192
193 keys.tools-mediagoblin = { 193 keys = [{
194 destDir = "/run/keys/webapps"; 194 dest = "webapps/tools-mediagoblin";
195 user = "mediagoblin"; 195 user = "mediagoblin";
196 group = "mediagoblin"; 196 group = "mediagoblin";
197 permissions = "0400"; 197 permissions = "0400";
@@ -250,7 +250,7 @@ in
250 [[mediagoblin.media_types.image]] 250 [[mediagoblin.media_types.image]]
251 [[mediagoblin.media_types.video]] 251 [[mediagoblin.media_types.video]]
252 ''; 252 '';
253 }; 253 }];
254 pythonRoot = 254 pythonRoot =
255 with pkgs.gst_all_1; 255 with pkgs.gst_all_1;
256 stdenv.mkDerivation { 256 stdenv.mkDerivation {
@@ -287,7 +287,7 @@ in
287 --prefix GI_TYPELIB_PATH : ${typelib_paths} 287 --prefix GI_TYPELIB_PATH : ${typelib_paths}
288 find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \; 288 find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \;
289 ln -s ${paste_local} ./paste_local.ini 289 ln -s ${paste_local} ./paste_local.ini
290 ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini 290 ln -s /var/secrets/webapps/tools-mediagoblin ./mediagoblin_local.ini
291 ln -sf ${varDir} ./user_dev 291 ln -sf ${varDir} ./user_dev
292 ''; 292 '';
293 }; 293 };
diff --git a/nixops/modules/websites/tools/peertube/default.nix b/nixops/modules/websites/tools/peertube/default.nix
index bb601af..1ad79d7 100644
--- a/nixops/modules/websites/tools/peertube/default.nix
+++ b/nixops/modules/websites/tools/peertube/default.nix
@@ -30,8 +30,8 @@ in {
30 systemd.services.peertube = { 30 systemd.services.peertube = {
31 description = "Peertube"; 31 description = "Peertube";
32 wantedBy = [ "multi-user.target" ]; 32 wantedBy = [ "multi-user.target" ];
33 after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ]; 33 after = [ "network.target" "postgresql.service" ];
34 wants = [ "postgresql.service" "tools-peertube-key.service" ]; 34 wants = [ "postgresql.service" ];
35 35
36 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config"; 36 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
37 environment.NODE_ENV = "production"; 37 environment.NODE_ENV = "production";
@@ -58,20 +58,20 @@ in {
58 unitConfig.RequiresMountsFor = peertube.varDir; 58 unitConfig.RequiresMountsFor = peertube.varDir;
59 }; 59 };
60 60
61 deployment.keys.tools-peertube = { 61 mySecrets.keys = [{
62 destDir = "/run/keys/webapps"; 62 dest = "webapps/tools-peertube";
63 user = "peertube"; 63 user = "peertube";
64 group = "peertube"; 64 group = "peertube";
65 permissions = "0640"; 65 permissions = "0640";
66 text = peertube.config; 66 text = peertube.config;
67 }; 67 }];
68 68
69 system.activationScripts.peertube = { 69 system.activationScripts.peertube = {
70 deps = [ "users" ]; 70 deps = [ "users" ];
71 text = '' 71 text = ''
72 install -m 0750 -o peertube -g peertube -d ${peertube.varDir} 72 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
73 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config 73 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
74 ln -sf /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml 74 ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
75 ''; 75 '';
76 }; 76 };
77 77
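Review bot: The key on new lines 61–67 keeps `permissions = "0640"` while every other secret in this commit uses 0400; unless a member of group peertube other than the service user has to read production.yaml, `permissions = "0400";` removes the extra read path. Note also that the symlink created on new line 74 points from `${peertube.varDir}/config` into /var/secrets, so the 0750 mode on the config directory does not govern who can read the target file — only the key's own permissions do.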