authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-22 15:32:34 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-22 15:32:34 +0200
commit42fa50f1fa75f62c6e9cada076860196e8185641 (patch)
tree6144a0f3c1e1fc7094e5bd2885a7f575f4dcb35c
parent8eded9ecb6220bb26599419a4aaea1743d3d187e (diff)
Move nextcloud passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
-rw-r--r--nixops/modules/websites/tools/cloud/default.nix1
-rw-r--r--nixops/modules/websites/tools/cloud/nextcloud.nix125
2 files changed, 60 insertions, 66 deletions
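--- a/nixops/modules/websites/tools/cloud/default.nix
+++ b/nixops/modules/websites/tools/cloud/default.nix
@@ -24,6 +24,7 @@ in {
 ];
 };
 
+deployment.keys = nextcloud.keys;
 users.users.root.packages = let
 occ = pkgs.writeScriptBin "nextcloud-occ" ''
 #! ${pkgs.stdenv.shell}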
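--- a/nixops/modules/websites/tools/cloud/nextcloud.nix
+++ b/nixops/modules/websites/tools/cloud/nextcloud.nix
@@ -113,66 +113,62 @@ let
 };
 in rec {
 varDir = "/var/lib/nextcloud";
-config_php = writeText "config.php" ''
-<?php
-$CONFIG = array (
-// FIXME: change this value when nextcloud starts getting slow
-'instanceid' => '${env.instance_id}1',
-'datadirectory' => '/var/lib/nextcloud/',
-'passwordsalt' => '${env.password_salt}',
-'debug' => false,
-'dbtype' => 'pgsql',
-'version' => '15.0.0.10',
-'dbname' => '${env.postgresql.database}',
-'dbhost' => '${env.postgresql.socket}',
-'dbtableprefix' => 'oc_',
-'dbuser' => '${env.postgresql.user}',
-'dbpassword' => '${env.postgresql.password}',
-'installed' => true,
-'maxZipInputSize' => 0,
-'allowZipDownload' => true,
-'forcessl' => true,
-'theme' => ${"''"},
-'maintenance' => false,
-'trusted_domains' =>
-array (
-0 => 'cloud.immae.eu',
-),
-'secret' => '${env.secret}',
-'appstoreenabled' => false,
-'appstore.experimental.enabled' => true,
-'loglevel' => 2,
-'trashbin_retention_obligation' => 'auto',
-'htaccess.RewriteBase' => '/',
-'mail_smtpmode' => 'sendmail',
-'mail_smtphost' => '127.0.0.1',
-'mail_smtpname' => ''',
-'mail_smtppassword' => ''',
-'mail_from_address' => 'nextcloud',
-'mail_smtpauth' => false,
-'mail_domain' => 'tools.immae.eu',
-'memcache.local' => '\\OC\\Memcache\\APCu',
-'memcache.locking' => '\\OC\\Memcache\\Redis',
-'filelocking.enabled' => true,
-'redis' =>
-array (
-'host' => '${env.redis.socket}',
-'port' => 0,
-'dbindex' => ${env.redis.db_index},
-),
-'overwrite.cli.url' => 'https://cloud.immae.eu',
-'ldapIgnoreNamingRules' => false,
-'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
-);
-'';
-config = stdenv.mkDerivation rec {
-name = "nextcloud-config";
-src = ./nextcloud-config;
-phases = "installPhase";
-installPhase = ''
-mkdir -p $out
-cp -r $src/* $out
-cp ${config_php} $out/config.php
+keys.tools-nextcloud = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0600";
+text = ''
+<?php
+$CONFIG = array (
+// FIXME: change this value when nextcloud starts getting slow
+'instanceid' => '${env.instance_id}1',
+'datadirectory' => '/var/lib/nextcloud/',
+'passwordsalt' => '${env.password_salt}',
+'debug' => false,
+'dbtype' => 'pgsql',
+'version' => '15.0.4.0',
+'dbname' => '${env.postgresql.database}',
+'dbhost' => '${env.postgresql.socket}',
+'dbtableprefix' => 'oc_',
+'dbuser' => '${env.postgresql.user}',
+'dbpassword' => '${env.postgresql.password}',
+'installed' => true,
+'maxZipInputSize' => 0,
+'allowZipDownload' => true,
+'forcessl' => true,
+'theme' => ${"''"},
+'maintenance' => false,
+'trusted_domains' =>
+array (
+0 => 'cloud.immae.eu',
+),
+'secret' => '${env.secret}',
+'appstoreenabled' => false,
+'appstore.experimental.enabled' => true,
+'loglevel' => 2,
+'trashbin_retention_obligation' => 'auto',
+'htaccess.RewriteBase' => '/',
+'mail_smtpmode' => 'sendmail',
+'mail_smtphost' => '127.0.0.1',
+'mail_smtpname' => ''',
+'mail_smtppassword' => ''',
+'mail_from_address' => 'nextcloud',
+'mail_smtpauth' => false,
+'mail_domain' => 'tools.immae.eu',
+'memcache.local' => '\\OC\\Memcache\\APCu',
+'memcache.locking' => '\\OC\\Memcache\\Redis',
+'filelocking.enabled' => true,
+'redis' =>
+array (
+'host' => '${env.redis.socket}',
+'port' => 0,
+'dbindex' => ${env.redis.db_index},
+),
+'overwrite.cli.url' => 'https://cloud.immae.eu',
+'ldapIgnoreNamingRules' => false,
+'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
+);
 '';
 };
 webRoot = stdenv.mkDerivation rec {
@@ -207,11 +203,8 @@ let
 text = ''
 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-if [ ! -e ${varDir}/config ]; then
-cp -a ${config} ${varDir}/config
-chown -R ${apache.user}:${apache.group} ${varDir}/config
-chmod -R u+w ${varDir}/config
-fi
+install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config
+install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php
 '';
 };
 apache = rec {
@@ -243,7 +236,7 @@ let
 };
 phpFpm = rec {
 basedir = builtins.concatStringsSep ":" (
-[ webRoot varDir config ]
+[ webRoot varDir ]
 ++ lib.attrsets.mapAttrsToList (name: value: value) apps);
 socket = "/var/run/phpfpm/nextcloud.sock";
 phpConfig = ''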
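Review bot: The second hunk's `install -D -m 0600 ... -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php` now overwrites config.php on every activation, whereas the removed `if [ ! -e ${varDir}/config ]` guard only seeded it once; as far as I know Nextcloud edits config.php itself (`occ config:system:set`, and the upgrader bumps `version`), so any such runtime change would be silently reverted on the next deploy and the `'version' => '15.0.4.0'` pinned in the key text (a bump this commit bundles without mentioning it) has to be kept in step with every upgrade by hand. If that is intended, a comment on that install line such as `# config.php is regenerated from the deployment key on every activation; values changed through occ do not persist` would save the next reader from guessing. The key path on that line duplicates `destDir` from the key definition in the first hunk; since the set is `rec`, `${keys.tools-nextcloud.destDir}/tools-nextcloud` would keep the two in sync. The unit containing this text starts outside the hunk, so I cannot see its ordering, but /run/keys is not persistent across reboots, and if this script can run before the key has been re-uploaded the install fails; ordering it after the key unit NixOps generates for `tools-nextcloud` would make that explicit.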