authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 01:37:42 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-25 01:37:42 +0200
commit1b3154e40a568a296c74759d68827366b5f26da9 (patch)
tree77fb426f72c73c806c95ced7eeb2cc62ece48287
parentca330baa14da56456ec538b232a91e1c443241bb (diff)
downloadNix-1b3154e40a568a296c74759d68827366b5f26da9.tar.gz
Nix-1b3154e40a568a296c74759d68827366b5f26da9.tar.zst
Nix-1b3154e40a568a296c74759d68827366b5f26da9.zip
Move websites to new secrets
-rw-r--r--nixops/modules/websites/aten/aten.nix12
-rw-r--r--nixops/modules/websites/aten/default.nix4
-rw-r--r--nixops/modules/websites/chloe/chloe.nix10
-rw-r--r--nixops/modules/websites/chloe/default.nix4
-rw-r--r--nixops/modules/websites/connexionswing/connexionswing.nix14
-rw-r--r--nixops/modules/websites/connexionswing/default.nix4
-rw-r--r--nixops/modules/websites/ftp/jerome.nix12
-rw-r--r--nixops/modules/websites/ludivine/default.nix4
-rw-r--r--nixops/modules/websites/ludivine/ludivinecassal.nix14
-rw-r--r--nixops/modules/websites/piedsjaloux/default.nix4
-rw-r--r--nixops/modules/websites/piedsjaloux/piedsjaloux.nix14
-rw-r--r--nixops/modules/websites/tellesflorian/default.nix2
-rw-r--r--nixops/modules/websites/tellesflorian/tellesflorian.nix54
13 files changed, 75 insertions, 77 deletions
diff --git a/nixops/modules/websites/aten/aten.nix b/nixops/modules/websites/aten/aten.nix
index 567dcd1..46a7361 100644
--- a/nixops/modules/websites/aten/aten.nix
+++ b/nixops/modules/websites/aten/aten.nix
@@ -13,10 +13,10 @@ let
13 /run/wrappers/bin/sudo -u wwwrun APP_ENV=${environment} ./bin/console --env=${environment} cache:clear --no-warmup 13 /run/wrappers/bin/sudo -u wwwrun APP_ENV=${environment} ./bin/console --env=${environment} cache:clear --no-warmup
14 popd > /dev/null 14 popd > /dev/null
15 echo -n "${webappDir}" > ${varDir}/currentWebappDir 15 echo -n "${webappDir}" > ${varDir}/currentWebappDir
16 sha512sum /run/keys/webapps/${environment}-aten > ${varDir}/currentKey 16 sha512sum /var/secrets/webapps/${environment}-aten > ${varDir}/currentKey
17 fi 17 fi
18 ''; 18 '';
19 serviceDeps = [ "postgresql.service" "${environment}-aten-key.service" ]; 19 serviceDeps = [ "postgresql.service" ];
20 socket = "/var/run/phpfpm/aten-${environment}.sock"; 20 socket = "/var/run/phpfpm/aten-${environment}.sock";
21 pool = '' 21 pool = ''
22 listen = ${socket} 22 listen = ${socket}
@@ -42,8 +42,8 @@ let
42 pm.max_spare_servers = 3 42 pm.max_spare_servers = 3
43 ''}''; 43 ''}'';
44 }; 44 };
45 keys."${environment}-aten" = { 45 keys = [{
46 destDir = "/run/keys/webapps"; 46 dest = "webapps/${environment}-aten";
47 user = apache.user; 47 user = apache.user;
48 group = apache.group; 48 group = apache.group;
49 permissions = "0400"; 49 permissions = "0400";
@@ -52,7 +52,7 @@ let
52 SetEnv APP_SECRET "${config.secret}" 52 SetEnv APP_SECRET "${config.secret}"
53 SetEnv DATABASE_URL "${config.psql_url}" 53 SetEnv DATABASE_URL "${config.psql_url}"
54 ''; 54 '';
55 }; 55 }];
56 apache = rec { 56 apache = rec {
57 user = "wwwrun"; 57 user = "wwwrun";
58 group = "wwwrun"; 58 group = "wwwrun";
@@ -64,7 +64,7 @@ let
64 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" 64 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
65 </FilesMatch> 65 </FilesMatch>
66 66
67 Include /run/keys/webapps/${environment}-aten 67 Include /var/secrets/webapps/${environment}-aten
68 68
69 ${if environment == "dev" then '' 69 ${if environment == "dev" then ''
70 <Location /> 70 <Location />
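Review bot: The key now lands in `/var/secrets/webapps` (new-side lines 16, 46 and 67) but nothing in this hunk controls the permissions of that directory; `permissions = "0400"` protects the file's contents, not the directory, and `/var/secrets` is presumably persistent disk rather than the tmpfs that backed `/run/keys`, so `APP_SECRET` and `DATABASE_URL` now survive reboots at rest. Confirm in the mySecrets module that `/var/secrets/webapps` is created root-owned `0700` (or mounted as tmpfs) before Apache's `Include` and the php-fpm `preStart` depend on it, and record the assumption next to the key, e.g. `# materialised by mySecrets under /var/secrets (persistent); directory perms are enforced there, not here`. The `keys` list belongs to a `let` binding that starts outside the hunk.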
diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix
index b0f7fdb..6f58d3c 100644
--- a/nixops/modules/websites/aten/default.nix
+++ b/nixops/modules/websites/aten/default.nix
@@ -25,7 +25,7 @@ in {
25 25
26 config = lib.mkMerge [ 26 config = lib.mkMerge [
27 (lib.mkIf cfg.production.enable { 27 (lib.mkIf cfg.production.enable {
28 deployment.keys = aten_prod.keys; 28 mySecrets.keys = aten_prod.keys;
29 services.myWebsites.commons.stats.enable = true; 29 services.myWebsites.commons.stats.enable = true;
30 services.myWebsites.commons.stats.sites = [ 30 services.myWebsites.commons.stats.sites = [
31 { 31 {
@@ -59,7 +59,7 @@ in {
59 }; 59 };
60 }) 60 })
61 (lib.mkIf cfg.integration.enable { 61 (lib.mkIf cfg.integration.enable {
62 deployment.keys = aten_dev.keys; 62 mySecrets.keys = aten_dev.keys;
63 security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null; 63 security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null;
64 services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart; 64 services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart;
65 services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps; 65 services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/chloe/chloe.nix b/nixops/modules/websites/chloe/chloe.nix
index 0861cdf..e2381d8 100644
--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -3,7 +3,7 @@ let
3 chloe = { config }: rec { 3 chloe = { config }: rec {
4 environment = config.environment; 4 environment = config.environment;
5 phpFpm = rec { 5 phpFpm = rec {
6 serviceDeps = [ "mysql.service" "${environment}-chloe-key.service" ]; 6 serviceDeps = [ "mysql.service" ];
7 socket = "/var/run/phpfpm/chloe-${environment}.sock"; 7 socket = "/var/run/phpfpm/chloe-${environment}.sock";
8 pool = '' 8 pool = ''
9 listen = ${socket} 9 listen = ${socket}
@@ -28,8 +28,8 @@ let
28 pm.max_spare_servers = 3 28 pm.max_spare_servers = 3
29 ''}''; 29 ''}'';
30 }; 30 };
31 keys."${environment}-chloe" = { 31 keys = [{
32 destDir = "/run/keys/webapps"; 32 dest = "webapps/${environment}-chloe";
33 user = apache.user; 33 user = apache.user;
34 group = apache.group; 34 group = apache.group;
35 permissions = "0400"; 35 permissions = "0400";
@@ -48,7 +48,7 @@ let
48 SetEnv SPIP_MYSQL_USER "${config.mysql.user}" 48 SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
49 SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}" 49 SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
50 ''; 50 '';
51 }; 51 }];
52 apache = rec { 52 apache = rec {
53 user = "wwwrun"; 53 user = "wwwrun";
54 group = "wwwrun"; 54 group = "wwwrun";
@@ -56,7 +56,7 @@ let
56 webappName = "chloe_${environment}"; 56 webappName = "chloe_${environment}";
57 root = "/run/current-system/webapps/${webappName}"; 57 root = "/run/current-system/webapps/${webappName}";
58 vhostConf = '' 58 vhostConf = ''
59 Include /run/keys/webapps/${environment}-chloe 59 Include /var/secrets/webapps/${environment}-chloe
60 60
61 RewriteEngine On 61 RewriteEngine On
62 ${if environment == "prod" then '' 62 ${if environment == "prod" then ''
diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix
index 451a248..33ced2e 100644
--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,7 +25,7 @@ in {
25 25
26 config = lib.mkMerge [ 26 config = lib.mkMerge [
27 (lib.mkIf cfg.production.enable { 27 (lib.mkIf cfg.production.enable {
28 deployment.keys = chloe_prod.keys; 28 mySecrets.keys = chloe_prod.keys;
29 services.myWebsites.commons.stats.enable = true; 29 services.myWebsites.commons.stats.enable = true;
30 services.myWebsites.commons.stats.sites = [ 30 services.myWebsites.commons.stats.sites = [
31 { 31 {
@@ -60,7 +60,7 @@ in {
60 }; 60 };
61 }) 61 })
62 (lib.mkIf cfg.integration.enable { 62 (lib.mkIf cfg.integration.enable {
63 deployment.keys = chloe_dev.keys; 63 mySecrets.keys = chloe_dev.keys;
64 security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null; 64 security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
65 services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps; 65 services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
66 services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool; 66 services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;
diff --git a/nixops/modules/websites/connexionswing/connexionswing.nix b/nixops/modules/websites/connexionswing/connexionswing.nix
index 13d4fba..60ddb63 100644
--- a/nixops/modules/websites/connexionswing/connexionswing.nix
+++ b/nixops/modules/websites/connexionswing/connexionswing.nix
@@ -3,8 +3,8 @@ let
3 connexionswing = { config }: rec { 3 connexionswing = { config }: rec {
4 environment = config.environment; 4 environment = config.environment;
5 varDir = "/var/lib/connexionswing_${environment}"; 5 varDir = "/var/lib/connexionswing_${environment}";
6 keys."${environment}-connexionswing" = { 6 keys = [{
7 destDir = "/run/keys/webapps"; 7 dest = "webapps/${environment}-connexionswing";
8 user = apache.user; 8 user = apache.user;
9 group = apache.group; 9 group = apache.group;
10 permissions = "0400"; 10 permissions = "0400";
@@ -31,7 +31,7 @@ let
31 arguments: ['/run/wrappers/bin/sendmail -bs'] 31 arguments: ['/run/wrappers/bin/sendmail -bs']
32 '' else ""} 32 '' else ""}
33 ''; 33 '';
34 }; 34 }];
35 phpFpm = rec { 35 phpFpm = rec {
36 preStart = '' 36 preStart = ''
37 if [ ! -f "${varDir}/currentWebappDir" -o \ 37 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -42,10 +42,10 @@ let
42 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup 42 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
43 popd > /dev/null 43 popd > /dev/null
44 echo -n "${webappDir}" > ${varDir}/currentWebappDir 44 echo -n "${webappDir}" > ${varDir}/currentWebappDir
45 sha512sum /run/keys/webapps/${environment}-connexionswing > ${varDir}/currentKey 45 sha512sum /var/secrets/webapps/${environment}-connexionswing > ${varDir}/currentKey
46 fi 46 fi
47 ''; 47 '';
48 serviceDeps = [ "mysql.service" "${environment}-connexionswing-key.service" ]; 48 serviceDeps = [ "mysql.service" ];
49 socket = "/var/run/phpfpm/connexionswing-${environment}.sock"; 49 socket = "/var/run/phpfpm/connexionswing-${environment}.sock";
50 phpConfig = '' 50 phpConfig = ''
51 extension=${phpPackages.imagick}/lib/php/extensions/imagick.so 51 extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
@@ -59,7 +59,7 @@ let
59 php_admin_value[upload_max_filesize] = 20M 59 php_admin_value[upload_max_filesize] = 20M
60 php_admin_value[post_max_size] = 20M 60 php_admin_value[post_max_size] = 20M
61 ;php_admin_flag[log_errors] = on 61 ;php_admin_flag[log_errors] = on
62 php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/run/keys/webapps/${environment}-connexionswing:${webappDir}:${varDir}:/tmp" 62 php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${environment}-connexionswing:${webappDir}:${varDir}:/tmp"
63 php_admin_value[session.save_path] = "${varDir}/phpSessions" 63 php_admin_value[session.save_path] = "${varDir}/phpSessions"
64 ${if environment == "dev" then '' 64 ${if environment == "dev" then ''
65 pm = ondemand 65 pm = ondemand
@@ -177,7 +177,7 @@ let
177 cd $out 177 cd $out
178 ${if environment == "prod" then "php ./bin/console assetic:dump --env=prod --no-debug" else ""} 178 ${if environment == "prod" then "php ./bin/console assetic:dump --env=prod --no-debug" else ""}
179 rm app/config/parameters.yml 179 rm app/config/parameters.yml
180 ln -sf /run/keys/webapps/${environment}-connexionswing app/config/parameters.yml 180 ln -sf /var/secrets/webapps/${environment}-connexionswing app/config/parameters.yml
181 rm -rf var/{logs,cache} 181 rm -rf var/{logs,cache}
182 ln -sf ${varDir}/var/{logs,cache} var/ 182 ln -sf ${varDir}/var/{logs,cache} var/
183 ln -sf ${varDir}/{medias,uploads} web/images/ 183 ln -sf ${varDir}/{medias,uploads} web/images/
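Review bot: `serviceDeps` on the new side shrinks to `[ "mysql.service" ]`, dropping `${environment}-connexionswing-key.service`, so nothing visible orders the php-fpm pool after `/var/secrets/webapps/${environment}-connexionswing` exists; `preStart` runs `sha512sum` on that path and `postInstall` symlinks `app/config/parameters.yml` to it, so a pool started before the secret is provisioned either fails in `preStart` or serves the app with a dangling parameters file. If mySecrets writes its files during system activation this is harmless, but that is not shown here; if it provisions via a systemd unit, add that unit back to `serviceDeps` (and to the other sites' `serviceDeps`) rather than relying on boot order. The `connexionswing` function enclosing these hunks starts and ends outside the view.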
diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix
index ccbaa02..c0036d8 100644
--- a/nixops/modules/websites/connexionswing/default.nix
+++ b/nixops/modules/websites/connexionswing/default.nix
@@ -25,7 +25,7 @@ in {
25 25
26 config = lib.mkMerge [ 26 config = lib.mkMerge [
27 (lib.mkIf cfg.production.enable { 27 (lib.mkIf cfg.production.enable {
28 deployment.keys = connexionswing_prod.keys; 28 mySecrets.keys = connexionswing_prod.keys;
29 services.myWebsites.commons.stats.enable = true; 29 services.myWebsites.commons.stats.enable = true;
30 services.myWebsites.commons.stats.sites = [ 30 services.myWebsites.commons.stats.sites = [
31 { 31 {
@@ -61,7 +61,7 @@ in {
61 }; 61 };
62 }) 62 })
63 (lib.mkIf cfg.integration.enable { 63 (lib.mkIf cfg.integration.enable {
64 deployment.keys = connexionswing_dev.keys; 64 mySecrets.keys = connexionswing_dev.keys;
65 security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null; 65 security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null;
66 security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null; 66 security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null;
67 services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart; 67 services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart;
diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 6c0decd..18d16a1 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,8 +29,8 @@ in {
29 domain = "naturaloutil.immae.eu"; 29 domain = "naturaloutil.immae.eu";
30 }; 30 };
31 31
32 deployment.keys."prod-naturaloutil" = { 32 mySecrets.keys = [{
33 destDir = "/run/keys/webapps"; 33 dest = "webapps/prod-naturaloutil";
34 user = "wwwrun"; 34 user = "wwwrun";
35 group = "wwwrun"; 35 group = "wwwrun";
36 permissions = "0400"; 36 permissions = "0400";
@@ -49,8 +49,8 @@ in {
49 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password); 49 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
50 ?> 50 ?>
51 ''; 51 '';
52 }; 52 }];
53 services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" "prod-naturaloutil-key.service" ]; 53 services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" ];
54 services.myPhpfpm.poolConfigs.jerome = '' 54 services.myPhpfpm.poolConfigs.jerome = ''
55 listen = /run/phpfpm/naturaloutil.sock 55 listen = /run/phpfpm/naturaloutil.sock
56 user = wwwrun 56 user = wwwrun
@@ -62,8 +62,8 @@ in {
62 pm.max_children = 5 62 pm.max_children = 5
63 pm.process_idle_timeout = 60 63 pm.process_idle_timeout = 60
64 64
65 env[BDD_CONNECT] = "/run/keys/webapps/prod-naturaloutil" 65 env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil"
66 php_admin_value[open_basedir] = "/run/keys/webapps/prod-naturaloutil:${varDir}:/tmp" 66 php_admin_value[open_basedir] = "/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
67 ''; 67 '';
68 services.myPhpfpm.poolPhpConfigs.jerome = '' 68 services.myPhpfpm.poolPhpConfigs.jerome = ''
69 extension=${pkgs.php}/lib/php/extensions/mysqli.so 69 extension=${pkgs.php}/lib/php/extensions/mysqli.so
diff --git a/nixops/modules/websites/ludivine/default.nix b/nixops/modules/websites/ludivine/default.nix
index 814764f..a3d3922 100644
--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -21,7 +21,7 @@ in {
21 21
22 config = lib.mkMerge [ 22 config = lib.mkMerge [
23 (lib.mkIf cfg.production.enable { 23 (lib.mkIf cfg.production.enable {
24 deployment.keys = ludivinecassal_prod.keys; 24 mySecrets.keys = ludivinecassal_prod.keys;
25 services.myWebsites.commons.stats.enable = true; 25 services.myWebsites.commons.stats.enable = true;
26 services.myWebsites.commons.stats.sites = [ 26 services.myWebsites.commons.stats.sites = [
27 { 27 {
@@ -54,7 +54,7 @@ in {
54 }; 54 };
55 }) 55 })
56 (lib.mkIf cfg.integration.enable { 56 (lib.mkIf cfg.integration.enable {
57 deployment.keys = ludivinecassal_dev.keys; 57 mySecrets.keys = ludivinecassal_dev.keys;
58 security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null; 58 security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
59 59
60 services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart; 60 services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart;
diff --git a/nixops/modules/websites/ludivine/ludivinecassal.nix b/nixops/modules/websites/ludivine/ludivinecassal.nix
index 439d3c9..c12d89c 100644
--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -3,8 +3,8 @@ let
3 ludivinecassal = { config }: rec { 3 ludivinecassal = { config }: rec {
4 environment = config.environment; 4 environment = config.environment;
5 varDir = "/var/lib/ludivinecassal_${environment}"; 5 varDir = "/var/lib/ludivinecassal_${environment}";
6 keys."${environment}-ludivinecassal" = { 6 keys = [{
7 destDir = "/run/keys/webapps"; 7 dest = "webapps/${environment}-ludivinecassal";
8 user = apache.user; 8 user = apache.user;
9 group = apache.group; 9 group = apache.group;
10 permissions = "0400"; 10 permissions = "0400";
@@ -38,7 +38,7 @@ let
38 sass: ${sass}/bin/sass 38 sass: ${sass}/bin/sass
39 ruby: ${ruby}/bin/ruby 39 ruby: ${ruby}/bin/ruby
40 ''; 40 '';
41 }; 41 }];
42 phpFpm = rec { 42 phpFpm = rec {
43 preStart = '' 43 preStart = ''
44 if [ ! -f "${varDir}/currentWebappDir" -o \ 44 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -49,10 +49,10 @@ let
49 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup 49 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
50 popd > /dev/null 50 popd > /dev/null
51 echo -n "${webappDir}" > ${varDir}/currentWebappDir 51 echo -n "${webappDir}" > ${varDir}/currentWebappDir
52 sha512sum /run/keys/webapps/${environment}-ludivinecassal > ${varDir}/currentKey 52 sha512sum /var/secrets/webapps/${environment}-ludivinecassal > ${varDir}/currentKey
53 fi 53 fi
54 ''; 54 '';
55 serviceDeps = [ "mysql.service" "${environment}-ludivinecassal-key.service" ]; 55 serviceDeps = [ "mysql.service" ];
56 socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock"; 56 socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock";
57 pool = '' 57 pool = ''
58 listen = ${socket} 58 listen = ${socket}
@@ -63,7 +63,7 @@ let
63 php_admin_value[upload_max_filesize] = 20M 63 php_admin_value[upload_max_filesize] = 20M
64 php_admin_value[post_max_size] = 20M 64 php_admin_value[post_max_size] = 20M
65 ;php_admin_flag[log_errors] = on 65 ;php_admin_flag[log_errors] = on
66 php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp" 66 php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp"
67 php_admin_value[session.save_path] = "${varDir}/phpSessions" 67 php_admin_value[session.save_path] = "${varDir}/phpSessions"
68 ${if environment == "dev" then '' 68 ${if environment == "dev" then ''
69 pm = ondemand 69 pm = ondemand
@@ -177,7 +177,7 @@ let
177 postInstall = '' 177 postInstall = ''
178 rm -rf var/{logs,cache,data,miniatures,tmp} 178 rm -rf var/{logs,cache,data,miniatures,tmp}
179 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/ 179 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
180 ln -sf /run/keys/webapps/${environment}-ludivinecassal app/config/parameters.yml 180 ln -sf /var/secrets/webapps/${environment}-ludivinecassal app/config/parameters.yml
181 ''; 181 '';
182 buildInputs = [ sass ]; 182 buildInputs = [ sass ];
183 }); 183 });
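Review bot: New-side line 52 writes the `sha512sum` of the secret file into `${varDir}/currentKey` with whatever umask `preStart` inherits; if it runs as root with the default umask that file is world-readable, and `${varDir}` is also the php-fpm `open_basedir` and session path, so the digest of a file holding the database password and app secret is exposed to `wwwrun` and anyone else who can list `${varDir}`. The digest is a stable fingerprint that allows offline verification of guessed contents, so it should be no more readable than the 0400 secret it fingerprints: `(umask 077; sha512sum /var/secrets/webapps/${environment}-ludivinecassal > ${varDir}/currentKey)`. The same pattern appears in the other sites' `preStart` blocks in this commit. The `ludivinecassal` function enclosing this hunk starts outside the view.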
diff --git a/nixops/modules/websites/piedsjaloux/default.nix b/nixops/modules/websites/piedsjaloux/default.nix
index 57849a3..b2bd2fd 100644
--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,7 +25,7 @@ in {
25 25
26 config = lib.mkMerge [ 26 config = lib.mkMerge [
27 (lib.mkIf cfg.production.enable { 27 (lib.mkIf cfg.production.enable {
28 deployment.keys = piedsjaloux_prod.keys; 28 mySecrets.keys = piedsjaloux_prod.keys;
29 services.myWebsites.commons.stats.enable = true; 29 services.myWebsites.commons.stats.enable = true;
30 services.myWebsites.commons.stats.sites = [ 30 services.myWebsites.commons.stats.sites = [
31 { 31 {
@@ -58,7 +58,7 @@ in {
58 }; 58 };
59 }) 59 })
60 (lib.mkIf cfg.integration.enable { 60 (lib.mkIf cfg.integration.enable {
61 deployment.keys = piedsjaloux_dev.keys; 61 mySecrets.keys = piedsjaloux_dev.keys;
62 security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null; 62 security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
63 services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart; 63 services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart;
64 services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps; 64 services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
index 87699db..5461e5d 100644
--- a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
+++ b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
@@ -3,8 +3,8 @@ let
3 piedsjaloux = { config }: rec { 3 piedsjaloux = { config }: rec {
4 environment = config.environment; 4 environment = config.environment;
5 varDir = "/var/lib/piedsjaloux_${environment}"; 5 varDir = "/var/lib/piedsjaloux_${environment}";
6 keys."${environment}-piedsjaloux" = { 6 keys = [{
7 destDir = "/run/keys/webapps"; 7 dest = "webapps/${environment}-piedsjaloux";
8 user = apache.user; 8 user = apache.user;
9 group = apache.group; 9 group = apache.group;
10 permissions = "0400"; 10 permissions = "0400";
@@ -26,7 +26,7 @@ let
26 leapt_im: 26 leapt_im:
27 binary_path: ${imagemagick}/bin 27 binary_path: ${imagemagick}/bin
28 ''; 28 '';
29 }; 29 }];
30 phpFpm = rec { 30 phpFpm = rec {
31 preStart = '' 31 preStart = ''
32 if [ ! -f "${varDir}/currentWebappDir" -o \ 32 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -37,10 +37,10 @@ let
37 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup 37 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
38 popd > /dev/null 38 popd > /dev/null
39 echo -n "${webappDir}" > ${varDir}/currentWebappDir 39 echo -n "${webappDir}" > ${varDir}/currentWebappDir
40 sha512sum /run/keys/webapps/${environment}-piedsjaloux > ${varDir}/currentKey 40 sha512sum /var/secrets/webapps/${environment}-piedsjaloux > ${varDir}/currentKey
41 fi 41 fi
42 ''; 42 '';
43 serviceDeps = [ "mysql.service" "${environment}-piedsjaloux-key.service" ]; 43 serviceDeps = [ "mysql.service" ];
44 socket = "/var/run/phpfpm/piedsjaloux-${environment}.sock"; 44 socket = "/var/run/phpfpm/piedsjaloux-${environment}.sock";
45 pool = '' 45 pool = ''
46 listen = ${socket} 46 listen = ${socket}
@@ -51,7 +51,7 @@ let
51 php_admin_value[upload_max_filesize] = 20M 51 php_admin_value[upload_max_filesize] = 20M
52 php_admin_value[post_max_size] = 20M 52 php_admin_value[post_max_size] = 20M
53 ;php_admin_flag[log_errors] = on 53 ;php_admin_flag[log_errors] = on
54 php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-piedsjaloux:${webappDir}:${varDir}:/tmp" 54 php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-piedsjaloux:${webappDir}:${varDir}:/tmp"
55 php_admin_value[session.save_path] = "${varDir}/phpSessions" 55 php_admin_value[session.save_path] = "${varDir}/phpSessions"
56 env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} 56 env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
57 ${if environment == "dev" then '' 57 ${if environment == "dev" then ''
@@ -157,7 +157,7 @@ let
157 postInstall = '' 157 postInstall = ''
158 cd $out 158 cd $out
159 rm app/config/parameters.yml 159 rm app/config/parameters.yml
160 ln -sf /run/keys/webapps/${environment}-piedsjaloux app/config/parameters.yml 160 ln -sf /var/secrets/webapps/${environment}-piedsjaloux app/config/parameters.yml
161 rm -rf var/{logs,cache,data,miniatures,tmp} 161 rm -rf var/{logs,cache,data,miniatures,tmp}
162 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/ 162 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
163 ''; 163 '';
diff --git a/nixops/modules/websites/tellesflorian/default.nix b/nixops/modules/websites/tellesflorian/default.nix
index 9bf4a48..16d788f 100644
--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -16,7 +16,7 @@ in {
16 }; 16 };
17 17
18 config = lib.mkIf cfg.integration.enable { 18 config = lib.mkIf cfg.integration.enable {
19 deployment.keys = tellesflorian_dev.keys; 19 mySecrets.keys = tellesflorian_dev.keys;
20 security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null; 20 security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
21 services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart; 21 services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart;
22 services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps; 22 services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/tellesflorian/tellesflorian.nix b/nixops/modules/websites/tellesflorian/tellesflorian.nix
index ba46c0c..afd723c 100644
--- a/nixops/modules/websites/tellesflorian/tellesflorian.nix
+++ b/nixops/modules/websites/tellesflorian/tellesflorian.nix
@@ -3,14 +3,24 @@ let
3 tellesflorian = { config }: rec { 3 tellesflorian = { config }: rec {
4 environment = config.environment; 4 environment = config.environment;
5 varDir = "/var/lib/tellesflorian_${environment}"; 5 varDir = "/var/lib/tellesflorian_${environment}";
6 keys."${environment}-tellesflorian" = { 6 keys = [
7 destDir = "/run/keys/webapps"; 7 {
8 user = apache.user; 8 dest = "webapps/${environment}-tellesflorian-passwords";
9 group = apache.group; 9 user = apache.user;
10 permissions = "0400"; 10 group = apache.group;
11 text = '' 11 permissions = "0400";
12 # This file is auto-generated during the composer install 12 text = ''
13 parameters: 13 invite:${config.invite_passwords}
14 '';
15 }
16 {
17 dest = "webapps/${environment}-tellesflorian";
18 user = apache.user;
19 group = apache.group;
20 permissions = "0400";
21 text = ''
22 # This file is auto-generated during the composer install
23 parameters:
14 database_host: ${config.mysql.host} 24 database_host: ${config.mysql.host}
15 database_port: ${config.mysql.port} 25 database_port: ${config.mysql.port}
16 database_name: ${config.mysql.name} 26 database_name: ${config.mysql.name}
@@ -21,8 +31,9 @@ let
21 mailer_user: null 31 mailer_user: null
22 mailer_password: null 32 mailer_password: null
23 secret: ${config.secret} 33 secret: ${config.secret}
24 ''; 34 '';
25 }; 35 }
36 ];
26 phpFpm = rec { 37 phpFpm = rec {
27 preStart = '' 38 preStart = ''
28 if [ ! -f "${varDir}/currentWebappDir" -o \ 39 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -33,14 +44,10 @@ let
33 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup 44 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
34 popd > /dev/null 45 popd > /dev/null
35 echo -n "${webappDir}" > ${varDir}/currentWebappDir 46 echo -n "${webappDir}" > ${varDir}/currentWebappDir
36 sha512sum /run/keys/webapps/${environment}-tellesflorian > ${varDir}/currentKey 47 sha512sum /var/secrets/webapps/${environment}-tellesflorian > ${varDir}/currentKey
37 fi 48 fi
38 ''; 49 '';
39 serviceDeps = [ 50 serviceDeps = [ "mysql.service" ];
40 "mysql.service"
41 "${environment}-tellesflorian-passwords-key.service"
42 "${environment}-tellesflorian-key.service"
43 ];
44 socket = "/var/run/phpfpm/floriantelles-${environment}.sock"; 51 socket = "/var/run/phpfpm/floriantelles-${environment}.sock";
45 pool = '' 52 pool = ''
46 listen = ${socket} 53 listen = ${socket}
@@ -51,7 +58,7 @@ let
51 php_admin_value[upload_max_filesize] = 20M 58 php_admin_value[upload_max_filesize] = 20M
52 php_admin_value[post_max_size] = 20M 59 php_admin_value[post_max_size] = 20M
53 ;php_admin_flag[log_errors] = on 60 ;php_admin_flag[log_errors] = on
54 php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp" 61 php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp"
55 php_admin_value[session.save_path] = "${varDir}/phpSessions" 62 php_admin_value[session.save_path] = "${varDir}/phpSessions"
56 ${if environment == "dev" then '' 63 ${if environment == "dev" then ''
57 pm = ondemand 64 pm = ondemand
@@ -66,15 +73,6 @@ let
66 pm.max_spare_servers = 3 73 pm.max_spare_servers = 3
67 ''}''; 74 ''}'';
68 }; 75 };
69 keys."${environment}-tellesflorian-passwords" = {
70 destDir = "/run/keys/webapps";
71 user = apache.user;
72 group = apache.group;
73 permissions = "0400";
74 text = ''
75 invite:${config.invite_passwords}
76 '';
77 };
78 apache = rec { 76 apache = rec {
79 user = "wwwrun"; 77 user = "wwwrun";
80 group = "wwwrun"; 78 group = "wwwrun";
@@ -92,7 +90,7 @@ let
92 Use LDAPConnect 90 Use LDAPConnect
93 Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu 91 Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
94 92
95 AuthUserFile "/run/keys/webapps/${environment}-tellesflorian-passwords" 93 AuthUserFile "/var/secrets/webapps/${environment}-tellesflorian-passwords"
96 Require user "invite" 94 Require user "invite"
97 95
98 ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>" 96 ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
@@ -166,7 +164,7 @@ let
166 postInstall = '' 164 postInstall = ''
167 cd $out 165 cd $out
168 rm app/config/parameters.yml 166 rm app/config/parameters.yml
169 ln -sf /run/keys/webapps/${environment}-tellesflorian app/config/parameters.yml 167 ln -sf /var/secrets/webapps/${environment}-tellesflorian app/config/parameters.yml
170 rm -rf var/{logs,cache} 168 rm -rf var/{logs,cache}
171 ln -sf ${varDir}/var/{logs,cache,sessions} var/ 169 ln -sf ${varDir}/var/{logs,cache,sessions} var/
172 ''; 170 '';
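Review bot: The relocated `webapps/${environment}-tellesflorian-passwords` key renders as `invite:${config.invite_passwords}` and is consumed by `AuthUserFile` (new-side line 93), yet nothing documents or checks that `invite_passwords` is an htpasswd-formatted hash; `mod_authn_file` on Unix does not accept plaintext entries, so a plaintext value would lock every visitor out at runtime instead of failing the build. Add a note beside the key, `# must be an htpasswd hash (e.g. bcrypt/APR1), never plaintext — mod_authn_file rejects plaintext on Unix`, and consider asserting on the option in `default.nix` where `invite_passwords` is declared. The hunk also drops both `-key.service` units from `serviceDeps`, so the ordering between secret provisioning and the pool now rests entirely on mySecrets, which is not visible here. The `tellesflorian` function enclosing these hunks starts and ends outside the view.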