author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 01:37:42 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 01:37:42 +0200 |
commit | 1b3154e40a568a296c74759d68827366b5f26da9 (patch) | |
tree | 77fb426f72c73c806c95ced7eeb2cc62ece48287 | |
parent | ca330baa14da56456ec538b232a91e1c443241bb (diff) | |
Move websites to new secrets
-rw-r--r-- | nixops/modules/websites/aten/aten.nix | 12 | ||||
-rw-r--r-- | nixops/modules/websites/aten/default.nix | 4 | ||||
-rw-r--r-- | nixops/modules/websites/chloe/chloe.nix | 10 | ||||
-rw-r--r-- | nixops/modules/websites/chloe/default.nix | 4 | ||||
-rw-r--r-- | nixops/modules/websites/connexionswing/connexionswing.nix | 14 | ||||
-rw-r--r-- | nixops/modules/websites/connexionswing/default.nix | 4 | ||||
-rw-r--r-- | nixops/modules/websites/ftp/jerome.nix | 12 | ||||
-rw-r--r-- | nixops/modules/websites/ludivine/default.nix | 4 | ||||
-rw-r--r-- | nixops/modules/websites/ludivine/ludivinecassal.nix | 14 | ||||
-rw-r--r-- | nixops/modules/websites/piedsjaloux/default.nix | 4 | ||||
-rw-r--r-- | nixops/modules/websites/piedsjaloux/piedsjaloux.nix | 14 | ||||
-rw-r--r-- | nixops/modules/websites/tellesflorian/default.nix | 2 | ||||
-rw-r--r-- | nixops/modules/websites/tellesflorian/tellesflorian.nix | 54 |
13 files changed, 75 insertions, 77 deletions
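--- a/nixops/modules/websites/aten/aten.nix
+++ b/nixops/modules/websites/aten/aten.nix
@@ -13,10 +13,10 @@ let
 /run/wrappers/bin/sudo -u wwwrun APP_ENV=${environment} ./bin/console --env=${environment} cache:clear --no-warmup
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
-sha512sum /run/keys/webapps/${environment}-aten > ${varDir}/currentKey
+sha512sum /var/secrets/webapps/${environment}-aten > ${varDir}/currentKey
 fi
 '';
-serviceDeps = [ "postgresql.service" "${environment}-aten-key.service" ];
+serviceDeps = [ "postgresql.service" ];
 socket = "/var/run/phpfpm/aten-${environment}.sock";
 pool = ''
 listen = ${socket}
@@ -42,8 +42,8 @@ let
 pm.max_spare_servers = 3
 ''}'';
 };
-keys."${environment}-aten" = {
-destDir = "/run/keys/webapps";
+keys = [{
+dest = "webapps/${environment}-aten";
 user = apache.user;
 group = apache.group;
 permissions = "0400";
@@ -52,7 +52,7 @@ let
 SetEnv APP_SECRET "${config.secret}"
 SetEnv DATABASE_URL "${config.psql_url}"
 '';
-};
+}];
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -64,7 +64,7 @@ let
 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
 </FilesMatch>
 
-Include /run/keys/webapps/${environment}-aten
+Include /var/secrets/webapps/${environment}-aten
 
 ${if environment == "dev" then ''
 <Location />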
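Review bot: Dropping `${environment}-aten-key.service` from `serviceDeps` removes the only visible ordering between php-fpm and the secret it reads: `preStart` runs `sha512sum /var/secrets/webapps/${environment}-aten` and the vhost `Include`s the same file, and nothing in this hunk replaces the dependency. If the `mySecrets` module (not shown here) materialises `/var/secrets` from a systemd unit rather than during activation, `serviceDeps` should list that unit; otherwise a comment such as `# /var/secrets is populated at activation, before any service starts` next to `serviceDeps` would record the assumption. The same removal appears in chloe.nix, connexionswing.nix, ftp/jerome.nix, ludivinecassal.nix, piedsjaloux.nix and tellesflorian.nix. Since `/run/keys` is conventionally memory-backed and `/var/secrets` is presumably persistent storage, the files keep `permissions = "0400"` here, but the mode of the parent directory is decided by the module and is not visible in this change. The `let` block containing `phpFpm` continues outside the hunks.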
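--- a/nixops/modules/websites/aten/default.nix
+++ b/nixops/modules/websites/aten/default.nix
@@ -25,7 +25,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
-deployment.keys = aten_prod.keys;
+mySecrets.keys = aten_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -59,7 +59,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
-deployment.keys = aten_dev.keys;
+mySecrets.keys = aten_dev.keys;
 security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null;
 services.myPhpfpm.preStart.aten_dev = aten_dev.phpFpm.preStart;
 services.myPhpfpm.serviceDependencies.aten_dev = aten_dev.phpFpm.serviceDeps;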
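Review bot: `mySecrets.keys` is assigned a list in both the `cfg.production.enable` and `cfg.integration.enable` branches of the `lib.mkMerge`, so when both are enabled the result is only correct if the option is declared as a list type whose definitions concatenate; the old `deployment.keys` attribute set merged by key name, which a list does not. If the `mySecrets` module (not shown here) declares `keys` with `types.listOf`, a comment such as `# list option: definitions from every enabled branch are concatenated` would make that reliance explicit; otherwise the two branches need to be combined into one definition. The same pattern is in chloe/default.nix, connexionswing/default.nix, ludivine/default.nix and piedsjaloux/default.nix, and ftp/jerome.nix sets `mySecrets.keys` to a literal list that must merge with the others on the same host.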
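--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -3,7 +3,7 @@ let
 chloe = { config }: rec {
 environment = config.environment;
 phpFpm = rec {
-serviceDeps = [ "mysql.service" "${environment}-chloe-key.service" ];
+serviceDeps = [ "mysql.service" ];
 socket = "/var/run/phpfpm/chloe-${environment}.sock";
 pool = ''
 listen = ${socket}
@@ -28,8 +28,8 @@ let
 pm.max_spare_servers = 3
 ''}'';
 };
-keys."${environment}-chloe" = {
-destDir = "/run/keys/webapps";
+keys = [{
+dest = "webapps/${environment}-chloe";
 user = apache.user;
 group = apache.group;
 permissions = "0400";
@@ -48,7 +48,7 @@ let
 SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
 SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
 '';
-};
+}];
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -56,7 +56,7 @@ let
 webappName = "chloe_${environment}";
 root = "/run/current-system/webapps/${webappName}";
 vhostConf = ''
-Include /run/keys/webapps/${environment}-chloe
+Include /var/secrets/webapps/${environment}-chloe
 
 RewriteEngine On
 ${if environment == "prod" then ''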
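Review bot: The secret's location is now spelled twice in different forms, as `dest = "webapps/${environment}-chloe"` in `keys` and as the absolute `Include /var/secrets/webapps/${environment}-chloe` in `vhostConf`, so the two can drift apart silently and the `/var/secrets` prefix owned by the `mySecrets` module is hard-coded in this file. Since the set is already `rec`, one binding such as `secretName = "webapps/${environment}-chloe";` used as `dest = secretName;` and `Include /var/secrets/${secretName}` keeps them in step. aten.nix, connexionswing.nix, ludivinecassal.nix, piedsjaloux.nix and tellesflorian.nix repeat the absolute path in `sha512sum`, `open_basedir` and `ln -sf` lines in the same way. The `chloe` function continues outside the hunks.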
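--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,7 +25,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
-deployment.keys = chloe_prod.keys;
+mySecrets.keys = chloe_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -60,7 +60,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
-deployment.keys = chloe_dev.keys;
+mySecrets.keys = chloe_dev.keys;
 security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
 services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
 services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;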
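--- a/nixops/modules/websites/connexionswing/connexionswing.nix
+++ b/nixops/modules/websites/connexionswing/connexionswing.nix
@@ -3,8 +3,8 @@ let
 connexionswing = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/connexionswing_${environment}";
-keys."${environment}-connexionswing" = {
-destDir = "/run/keys/webapps";
+keys = [{
+dest = "webapps/${environment}-connexionswing";
 user = apache.user;
 group = apache.group;
 permissions = "0400";
@@ -31,7 +31,7 @@ let
 arguments: ['/run/wrappers/bin/sendmail -bs']
 '' else ""}
 '';
-};
+}];
 phpFpm = rec {
 preStart = ''
 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -42,10 +42,10 @@ let
 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
-sha512sum /run/keys/webapps/${environment}-connexionswing > ${varDir}/currentKey
+sha512sum /var/secrets/webapps/${environment}-connexionswing > ${varDir}/currentKey
 fi
 '';
-serviceDeps = [ "mysql.service" "${environment}-connexionswing-key.service" ];
+serviceDeps = [ "mysql.service" ];
 socket = "/var/run/phpfpm/connexionswing-${environment}.sock";
 phpConfig = ''
 extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
@@ -59,7 +59,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/run/keys/webapps/${environment}-connexionswing:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${environment}-connexionswing:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 ${if environment == "dev" then ''
 pm = ondemand
@@ -177,7 +177,7 @@ let
 cd $out
 ${if environment == "prod" then "php ./bin/console assetic:dump --env=prod --no-debug" else ""}
 rm app/config/parameters.yml
-ln -sf /run/keys/webapps/${environment}-connexionswing app/config/parameters.yml
+ln -sf /var/secrets/webapps/${environment}-connexionswing app/config/parameters.yml
 rm -rf var/{logs,cache}
 ln -sf ${varDir}/var/{logs,cache} var/
 ln -sf ${varDir}/{medias,uploads} web/images/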
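--- a/nixops/modules/websites/connexionswing/default.nix
+++ b/nixops/modules/websites/connexionswing/default.nix
@@ -25,7 +25,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
-deployment.keys = connexionswing_prod.keys;
+mySecrets.keys = connexionswing_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -61,7 +61,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
-deployment.keys = connexionswing_dev.keys;
+mySecrets.keys = connexionswing_dev.keys;
 security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null;
 security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null;
 services.myPhpfpm.preStart.connexionswing_dev = connexionswing_dev.phpFpm.preStart;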
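--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,8 +29,8 @@ in {
 domain = "naturaloutil.immae.eu";
 };
 
-deployment.keys."prod-naturaloutil" = {
-destDir = "/run/keys/webapps";
+mySecrets.keys = [{
+dest = "webapps/prod-naturaloutil";
 user = "wwwrun";
 group = "wwwrun";
 permissions = "0400";
@@ -49,8 +49,8 @@ in {
 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
 ?>
 '';
-};
-services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" "prod-naturaloutil-key.service" ];
+}];
+services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" ];
 services.myPhpfpm.poolConfigs.jerome = ''
 listen = /run/phpfpm/naturaloutil.sock
 user = wwwrun
@@ -62,8 +62,8 @@ in {
 pm.max_children = 5
 pm.process_idle_timeout = 60
 
-env[BDD_CONNECT] = "/run/keys/webapps/prod-naturaloutil"
-php_admin_value[open_basedir] = "/run/keys/webapps/prod-naturaloutil:${varDir}:/tmp"
+env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil"
+php_admin_value[open_basedir] = "/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
 '';
 services.myPhpfpm.poolPhpConfigs.jerome = ''
 extension=${pkgs.php}/lib/php/extensions/mysqli.so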
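--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -21,7 +21,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
-deployment.keys = ludivinecassal_prod.keys;
+mySecrets.keys = ludivinecassal_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -54,7 +54,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
-deployment.keys = ludivinecassal_dev.keys;
+mySecrets.keys = ludivinecassal_dev.keys;
 security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
 
 services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal_dev.phpFpm.preStart;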
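--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -3,8 +3,8 @@ let
 ludivinecassal = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/ludivinecassal_${environment}";
-keys."${environment}-ludivinecassal" = {
-destDir = "/run/keys/webapps";
+keys = [{
+dest = "webapps/${environment}-ludivinecassal";
 user = apache.user;
 group = apache.group;
 permissions = "0400";
@@ -38,7 +38,7 @@ let
 sass: ${sass}/bin/sass
 ruby: ${ruby}/bin/ruby
 '';
-};
+}];
 phpFpm = rec {
 preStart = ''
 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -49,10 +49,10 @@ let
 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
-sha512sum /run/keys/webapps/${environment}-ludivinecassal > ${varDir}/currentKey
+sha512sum /var/secrets/webapps/${environment}-ludivinecassal > ${varDir}/currentKey
 fi
 '';
-serviceDeps = [ "mysql.service" "${environment}-ludivinecassal-key.service" ];
+serviceDeps = [ "mysql.service" ];
 socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock";
 pool = ''
 listen = ${socket}
@@ -63,7 +63,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 ${if environment == "dev" then ''
 pm = ondemand
@@ -177,7 +177,7 @@ let
 postInstall = ''
 rm -rf var/{logs,cache,data,miniatures,tmp}
 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
-ln -sf /run/keys/webapps/${environment}-ludivinecassal app/config/parameters.yml
+ln -sf /var/secrets/webapps/${environment}-ludivinecassal app/config/parameters.yml
 '';
 buildInputs = [ sass ];
 });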
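--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,7 +25,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
-deployment.keys = piedsjaloux_prod.keys;
+mySecrets.keys = piedsjaloux_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -58,7 +58,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
-deployment.keys = piedsjaloux_dev.keys;
+mySecrets.keys = piedsjaloux_dev.keys;
 security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
 services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux_dev.phpFpm.preStart;
 services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux_dev.phpFpm.serviceDeps;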
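--- a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
+++ b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
@@ -3,8 +3,8 @@ let
 piedsjaloux = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/piedsjaloux_${environment}";
-keys."${environment}-piedsjaloux" = {
-destDir = "/run/keys/webapps";
+keys = [{
+dest = "webapps/${environment}-piedsjaloux";
 user = apache.user;
 group = apache.group;
 permissions = "0400";
@@ -26,7 +26,7 @@ let
 leapt_im:
 binary_path: ${imagemagick}/bin
 '';
-};
+}];
 phpFpm = rec {
 preStart = ''
 if [ ! -f "${varDir}/currentWebappDir" -o \
@@ -37,10 +37,10 @@ let
 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
-sha512sum /run/keys/webapps/${environment}-piedsjaloux > ${varDir}/currentKey
+sha512sum /var/secrets/webapps/${environment}-piedsjaloux > ${varDir}/currentKey
 fi
 '';
-serviceDeps = [ "mysql.service" "${environment}-piedsjaloux-key.service" ];
+serviceDeps = [ "mysql.service" ];
 socket = "/var/run/phpfpm/piedsjaloux-${environment}.sock";
 pool = ''
 listen = ${socket}
@@ -51,7 +51,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-piedsjaloux:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-piedsjaloux:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
 ${if environment == "dev" then ''
@@ -157,7 +157,7 @@ let
 postInstall = ''
 cd $out
 rm app/config/parameters.yml
-ln -sf /run/keys/webapps/${environment}-piedsjaloux app/config/parameters.yml
+ln -sf /var/secrets/webapps/${environment}-piedsjaloux app/config/parameters.yml
 rm -rf var/{logs,cache,data,miniatures,tmp}
 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
 '';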
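--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -16,7 +16,7 @@ in {
 };
 
 config = lib.mkIf cfg.integration.enable {
-deployment.keys = tellesflorian_dev.keys;
+mySecrets.keys = tellesflorian_dev.keys;
 security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
 services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian_dev.phpFpm.preStart;
 services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian_dev.phpFpm.serviceDeps;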
diff --git a/nixops/modules/websites/tellesflorian/tellesflorian.nix b/nixops/modules/websites/tellesflorian/tellesflorian.nix index ba46c0c..afd723c 100644 --- a/nixops/modules/websites/tellesflorian/tellesflorian.nix +++ b/nixops/modules/websites/tellesflorian/tellesflorian.nix | |||
@@ -3,14 +3,24 @@ let | |||
3 | tellesflorian = { config }: rec { | 3 | tellesflorian = { config }: rec { |
4 | environment = config.environment; | 4 | environment = config.environment; |
5 | varDir = "/var/lib/tellesflorian_${environment}"; | 5 | varDir = "/var/lib/tellesflorian_${environment}"; |
6 | keys."${environment}-tellesflorian" = { | 6 | keys = [ |
7 | destDir = "/run/keys/webapps"; | 7 | { |
8 | user = apache.user; | 8 | dest = "webapps/${environment}-tellesflorian-passwords"; |
9 | group = apache.group; | 9 | user = apache.user; |
10 | permissions = "0400"; | 10 | group = apache.group; |
11 | text = '' | 11 | permissions = "0400"; |
12 | # This file is auto-generated during the composer install | 12 | text = '' |
13 | parameters: | 13 | invite:${config.invite_passwords} |
14 | ''; | ||
15 | } | ||
16 | { | ||
17 | dest = "webapps/${environment}-tellesflorian"; | ||
18 | user = apache.user; | ||
19 | group = apache.group; | ||
20 | permissions = "0400"; | ||
21 | text = '' | ||
22 | # This file is auto-generated during the composer install | ||
23 | parameters: | ||
14 | database_host: ${config.mysql.host} | 24 | database_host: ${config.mysql.host} |
15 | database_port: ${config.mysql.port} | 25 | database_port: ${config.mysql.port} |
16 | database_name: ${config.mysql.name} | 26 | database_name: ${config.mysql.name} |
@@ -21,8 +31,9 @@ let | |||
21 | mailer_user: null | 31 | mailer_user: null |
22 | mailer_password: null | 32 | mailer_password: null |
23 | secret: ${config.secret} | 33 | secret: ${config.secret} |
24 | ''; | 34 | ''; |
25 | }; | 35 | } |
36 | ]; | ||
26 | phpFpm = rec { | 37 | phpFpm = rec { |
27 | preStart = '' | 38 | preStart = '' |
28 | if [ ! -f "${varDir}/currentWebappDir" -o \ | 39 | if [ ! -f "${varDir}/currentWebappDir" -o \ |
@@ -33,14 +44,10 @@ let | |||
33 | /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup | 44 | /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup |
34 | popd > /dev/null | 45 | popd > /dev/null |
35 | echo -n "${webappDir}" > ${varDir}/currentWebappDir | 46 | echo -n "${webappDir}" > ${varDir}/currentWebappDir |
36 | sha512sum /run/keys/webapps/${environment}-tellesflorian > ${varDir}/currentKey | 47 | sha512sum /var/secrets/webapps/${environment}-tellesflorian > ${varDir}/currentKey |
37 | fi | 48 | fi |
38 | ''; | 49 | ''; |
39 | serviceDeps = [ | 50 | serviceDeps = [ "mysql.service" ]; |
40 | "mysql.service" | ||
41 | "${environment}-tellesflorian-passwords-key.service" | ||
42 | "${environment}-tellesflorian-key.service" | ||
43 | ]; | ||
44 | socket = "/var/run/phpfpm/floriantelles-${environment}.sock"; | 51 | socket = "/var/run/phpfpm/floriantelles-${environment}.sock"; |
45 | pool = '' | 52 | pool = '' |
46 | listen = ${socket} | 53 | listen = ${socket} |
@@ -51,7 +58,7 @@ let | |||
51 | php_admin_value[upload_max_filesize] = 20M | 58 | php_admin_value[upload_max_filesize] = 20M |
52 | php_admin_value[post_max_size] = 20M | 59 | php_admin_value[post_max_size] = 20M |
53 | ;php_admin_flag[log_errors] = on | 60 | ;php_admin_flag[log_errors] = on |
54 | php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp" | 61 | php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp" |
55 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 62 | php_admin_value[session.save_path] = "${varDir}/phpSessions" |
56 | ${if environment == "dev" then '' | 63 | ${if environment == "dev" then '' |
57 | pm = ondemand | 64 | pm = ondemand |
@@ -66,15 +73,6 @@ let | |||
66 | pm.max_spare_servers = 3 | 73 | pm.max_spare_servers = 3 |
67 | ''}''; | 74 | ''}''; |
68 | }; | 75 | }; |
69 | keys."${environment}-tellesflorian-passwords" = { | ||
70 | destDir = "/run/keys/webapps"; | ||
71 | user = apache.user; | ||
72 | group = apache.group; | ||
73 | permissions = "0400"; | ||
74 | text = '' | ||
75 | invite:${config.invite_passwords} | ||
76 | ''; | ||
77 | }; | ||
78 | apache = rec { | 76 | apache = rec { |
79 | user = "wwwrun"; | 77 | user = "wwwrun"; |
80 | group = "wwwrun"; | 78 | group = "wwwrun"; |
@@ -92,7 +90,7 @@ let | |||
92 | Use LDAPConnect | 90 | Use LDAPConnect |
93 | Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu | 91 | Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu |
94 | 92 | ||
95 | AuthUserFile "/run/keys/webapps/${environment}-tellesflorian-passwords" | 93 | AuthUserFile "/var/secrets/webapps/${environment}-tellesflorian-passwords" |
96 | Require user "invite" | 94 | Require user "invite" |
97 | 95 | ||
98 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>" | 96 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>" |
@@ -166,7 +164,7 @@ let | |||
166 | postInstall = '' | 164 | postInstall = '' |
167 | cd $out | 165 | cd $out |
168 | rm app/config/parameters.yml | 166 | rm app/config/parameters.yml |
169 | ln -sf /run/keys/webapps/${environment}-tellesflorian app/config/parameters.yml | 167 | ln -sf /var/secrets/webapps/${environment}-tellesflorian app/config/parameters.yml |
170 | rm -rf var/{logs,cache} | 168 | rm -rf var/{logs,cache} |
171 | ln -sf ${varDir}/var/{logs,cache,sessions} var/ | 169 | ln -sf ${varDir}/var/{logs,cache,sessions} var/ |
172 | ''; | 170 | ''; |
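Review bot: The first entry of the new `keys` list writes `invite:${config.invite_passwords}` to a file that the vhost hands to `AuthUserFile`, so the value must already be in htpasswd form (a password hash, not a plaintext password); nothing at the definition says so, and the plural name does not make the expected format obvious. A comment on that `text` line such as `# htpasswd format ("user:hash"), consumed by AuthUserFile in vhostConf below` would keep a plaintext value from being dropped in later. `serviceDeps` in the third hunk drops both `${environment}-tellesflorian-passwords-key.service` and `${environment}-tellesflorian-key.service` while `preStart` still runs `sha512sum` on the secret, the same ordering question raised on aten.nix. The `tellesflorian` function continues outside the hunks.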