authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 00:35:59 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 00:35:59 +0200
commit6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1 (patch)
treed253f7271d6e28bb119e4399059b55d42eccf0cc
parenta754e9dbf5d6c35398f3c4ec52c3daf5f8ed2dd3 (diff)
Move Ludivine, Piedsjaloux and Florian's websites' passwords to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
-rw-r--r--nixops/modules/websites/ludivine/default.nix2
-rw-r--r--nixops/modules/websites/ludivine/ludivinecassal.nix21
-rw-r--r--nixops/modules/websites/piedsjaloux/default.nix2
-rw-r--r--nixops/modules/websites/piedsjaloux/piedsjaloux.nix13
-rw-r--r--nixops/modules/websites/tellesflorian/default.nix1
-rw-r--r--nixops/modules/websites/tellesflorian/tellesflorian.nix25
6 files changed, 49 insertions, 15 deletions
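--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -21,6 +21,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
+deployment.keys = ludivinecassal_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -51,6 +52,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
+deployment.keys = ludivinecassal_dev.keys;
 security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
 
 services.myPhpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal_dev.phpFpm.pool;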
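Review bot: `deployment.keys = ludivinecassal_prod.keys;` declares the key, but nothing in this hunk orders the key's consumer (the PHP-FPM pool that reads the parameters.yml symlink) after the key's arrival; NixOps stages keys under /run/keys, which is not persisted across reboots, so after a reboot php-fpm can start before `nixops send-keys` has run and the application sees a dangling symlink. If I recall correctly NixOps generates a `<name>-key.service` unit per key plus a `keys.target`, so a line such as `systemd.services.<phpfpm-unit>.after = [ "prod-ludivinecassal-key.service" ];` next to this one (unit name to be confirmed; `environment` is presumably `"prod"` for the production branch) would make the dependency explicit. The same applies to the `deployment.keys` lines added in piedsjaloux/default.nix and tellesflorian/default.nix. The enclosing `config = lib.mkMerge [ … ]` continues outside the hunk.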
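--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -3,8 +3,12 @@ let
 ludivinecassal = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/ludivinecassal_${environment}";
-configRoot =
-writeText "parameters.yml" ''
+keys."${environment}-ludivinecassal" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 # This file is auto-generated during the composer install
 parameters:
 database_host: ${config.mysql.host}
@@ -34,6 +38,7 @@ let
 sass: ${sass}/bin/sass
 ruby: ${ruby}/bin/ruby
 '';
+};
 phpFpm = rec {
 socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock";
 pool = ''
@@ -45,7 +50,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 ${if environment == "dev" then ''
 pm = ondemand
@@ -151,7 +156,14 @@ let
 noDev = (environment == "prod");
 preInstall = ''
 export SYMFONY_ENV="${environment}"
-ln -sf ${configRoot} app/config/parameters.yml
+cp app/config/parameters.yml.dist app/config/parameters.yml
+cat >> app/config/parameters.yml <<EOF
+leapt_im:
+binary_path: ${imagemagick}/bin
+assetic:
+sass: ${sass}/bin/sass
+ruby: ${ruby}/bin/ruby
+EOF
 sed -i -e "/Incenteev..ParameterHandler..ScriptHandler::buildParameters/d" composer.json
 '';
 # /!\ miniatures and data need to be in the same physical dir due to a
@@ -159,6 +171,7 @@ let
 postInstall = ''
 rm -rf var/{logs,cache,data,miniatures,tmp}
 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
+ln -sf /run/keys/webapps/${environment}-ludivinecassal app/config/parameters.yml
 '';
 buildInputs = [ sass ];
 });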
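Review bot: `permissions = "0700";` on the new `keys."${environment}-ludivinecassal"` entry sets an execute bit on a file that is only ever read, and that file carries the database credentials the commit is moving out of the world-readable store; `permissions = "0400";` is the least-privilege mode for a read-only secret (the same value is used in piedsjaloux.nix and in both key entries of tellesflorian.nix). The file is owned by `apache.user`, so PHP can read it only if the php-fpm pool workers run as that same user — the pool's `user =` line is not inside the hunk, so this is worth confirming against the rest of the pool definition. The `ludivinecassal` function body and the `''` strings of the later hunks begin and end outside these hunks.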
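--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,6 +25,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
+deployment.keys = piedsjaloux_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -55,6 +56,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
+deployment.keys = piedsjaloux_dev.keys;
 security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
 services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux_dev.phpFpm.pool;
 system.activationScripts.piedsjaloux_dev = piedsjaloux_dev.activationScript;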
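--- a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
+++ b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
@@ -3,8 +3,12 @@ let
 piedsjaloux = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/piedsjaloux_${environment}";
-configRoot =
-writeText "parameters.yml" ''
+keys."${environment}-piedsjaloux" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 # This file is auto-generated during the composer install
 parameters:
 database_host: ${config.mysql.host}
@@ -22,6 +26,7 @@ let
 leapt_im:
 binary_path: ${imagemagick}/bin
 '';
+};
 phpFpm = rec {
 socket = "/var/run/phpfpm/piedsjaloux-${environment}.sock";
 pool = ''
@@ -33,7 +38,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-piedsjaloux:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
 ${if environment == "dev" then ''
@@ -146,7 +151,7 @@ let
 postInstall = ''
 cd $out
 rm app/config/parameters.yml
-ln -sf ${configRoot} app/config/parameters.yml
+ln -sf /run/keys/webapps/${environment}-piedsjaloux app/config/parameters.yml
 rm -rf var/{logs,cache,data,miniatures,tmp}
 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
 '';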
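--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -16,6 +16,7 @@ in {
 };
 
 config = lib.mkIf cfg.integration.enable {
+deployment.keys = tellesflorian_dev.keys;
 security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
 services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian_dev.phpFpm.pool;
 system.activationScripts.tellesflorian_dev = tellesflorian_dev.activationScript;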
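--- a/nixops/modules/websites/tellesflorian/tellesflorian.nix
+++ b/nixops/modules/websites/tellesflorian/tellesflorian.nix
@@ -3,8 +3,12 @@ let
 tellesflorian = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/tellesflorian_${environment}";
-configRoot =
-writeText "parameters.yml" ''
+keys."${environment}-tellesflorian" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 # This file is auto-generated during the composer install
 parameters:
 database_host: ${config.mysql.host}
@@ -18,6 +22,7 @@ let
 mailer_password: null
 secret: ${config.secret}
 '';
+};
 phpFpm = rec {
 socket = "/var/run/phpfpm/floriantelles-${environment}.sock";
 pool = ''
@@ -29,7 +34,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 ${if environment == "dev" then ''
 pm = ondemand
@@ -44,9 +49,15 @@ let
 pm.max_spare_servers = 3
 ''}'';
 };
-passwords = writeText "tellesflorian_passwords" ''
-invite:${config.invite_passwords}
+keys."${environment}-tellesflorian-passwords" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
+invite:${config.invite_passwords}
 '';
+};
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -64,7 +75,7 @@ let
 Use LDAPConnect
 Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
 
-AuthUserFile "${passwords}"
+AuthUserFile "/run/keys/webapps/${environment}-tellesflorian-passwords"
 Require user "invite"
 
 ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
@@ -145,7 +156,7 @@ let
 postInstall = ''
 cd $out
 rm app/config/parameters.yml
-ln -sf ${configRoot} app/config/parameters.yml
+ln -sf /run/keys/webapps/${environment}-tellesflorian app/config/parameters.yml
 rm -rf var/{logs,cache}
 ln -sf ${varDir}/var/{logs,cache,sessions} var/
 '';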
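Review bot: the new `open_basedir` entry `/run/keys/webapps/${environment}-tellesflorian` is a prefix match rather than an exact path (PHP documents that `open_basedir = /dir/incl` also admits `/dir/include`), so it also admits `/run/keys/webapps/${environment}-tellesflorian-passwords`, the htpasswd key added in the later hunk, to PHP code. Both key files are owned by `apache.user` anyway, so the practical fix is to keep the htpasswd file out of PHP's reach: give it a name that does not extend the parameters key's name (something like `tellesflorian-${environment}-passwords`; note `${environment}-tellesflorian.htpasswd` would still be a prefix extension) or a separate `destDir`, and if the pool runs as a different user from Apache, own it by the Apache user only. Separately, `invite:${config.invite_passwords}` is only valid for `AuthUserFile` if it holds one of the htpasswd hash formats (apr1, bcrypt, SHA1, crypt) rather than a plain password; the hunk does not show what `config.invite_passwords` contains, so this should be confirmed. The `tellesflorian` function body begins and ends outside these hunks.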