Move kanboard passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

4 files changed, 49 insertions, 24 deletions

diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index ad97d7f..307af08 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -167,6 +167,7 @@ in
   };
 
   config = {
+    users.users.wwwrun.extraGroups = [ "keys" ];
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     nixpkgs.overlays = [ (self: super: rec {
@@ -415,8 +416,10 @@ in
       phpOptions = ''
         session.save_path = "/var/lib/php/sessions"
         post_max_size = 20M
-        session.gc_maxlifetime = 60*60*24*15
-        session.cache_expire = 60*24*30
+        ; 15 days (seconds)
+        session.gc_maxlifetime = 1296000
+        ; 30 days (minutes)
+        session.cache_expire = 43200
         '';
       extraConfig = ''
         log_level = notice
diff --git a/nixops/modules/websites/phpfpm/default.nix b/nixops/modules/websites/phpfpm/default.nix
index 3c6f027..882babc 100644
--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -72,6 +72,17 @@ in {
           "Options appended to the PHP configuration file <filename>php.ini</filename>.";
       };
 
+      serviceDependencies = mkOption {
+        default = {};
+        type = types.attrsOf (types.listOf types.string);
+        example = literalExample ''
+          { mypool = ["postgresql.service"]; }
+        '';
+        description = ''
+          Extra service dependencies specific to pool.
+        '';
+      };
+
       poolPhpConfigs = mkOption {
         default = {};
         type = types.attrsOf types.lines;
@@ -152,7 +163,8 @@ in {
     systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig:
       nameValuePair "phpfpm-${pool}" {
         description = "PHP FastCGI Process Manager service for pool ${pool}";
-        after = [ "network.target" ];
+        after = [ "network.target" ] ++ (cfg.serviceDependencies.${pool} or []);
+        wants = cfg.serviceDependencies.${pool} or [];
         wantedBy = [ "phpfpm.target" ];
         partOf = [ "phpfpm.target" ];
         preStart = ''
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index aa59e28..14b5934 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -46,6 +46,8 @@ in {
     security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
     security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
 
+    deployment.keys = kanboard.keys;
+
     services.myWebsites.integration.modules =
       rainloop.apache.modules;
 
@@ -129,6 +131,7 @@ in {
       ];
     };
 
+    services.myPhpfpm.serviceDependencies.kanboard = kanboard.phpFpm.serviceDeps;
     services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig;
     services.myPhpfpm.poolConfigs = {
       adminer = adminer.phpFpm.pool;
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix
index 8408ffa..35ed2aa 100644
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ b/nixops/modules/websites/tools/tools/kanboard.nix
@@ -10,33 +10,39 @@ rec {
       install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
     '';
   };
-  config = writeText "config.php" ''
-    <?php
-    define('MAIL_FROM', 'kanboard@tools.immae.eu');
+  keys.tools-kanboard = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      <?php
+      define('MAIL_FROM', 'kanboard@tools.immae.eu');
 
-    define('DB_DRIVER', 'postgres');
-    define('DB_USERNAME', '${env.postgresql.user}');
-    define('DB_PASSWORD', '${env.postgresql.password}');
-    define('DB_HOSTNAME', '${env.postgresql.socket}');
-    define('DB_NAME', '${env.postgresql.database}');
+      define('DB_DRIVER', 'postgres');
+      define('DB_USERNAME', '${env.postgresql.user}');
+      define('DB_PASSWORD', '${env.postgresql.password}');
+      define('DB_HOSTNAME', '${env.postgresql.socket}');
+      define('DB_NAME', '${env.postgresql.database}');
 
-    define('LDAP_AUTH', true);
-    define('LDAP_SERVER', '${env.ldap.host}');
-    define('LDAP_START_TLS', true);
+      define('LDAP_AUTH', true);
+      define('LDAP_SERVER', '${env.ldap.host}');
+      define('LDAP_START_TLS', true);
 
-    define('LDAP_BIND_TYPE', 'proxy');
-    define('LDAP_USERNAME', '${env.ldap.dn}');
-    define('LDAP_PASSWORD', '${env.ldap.password}');
-    define('LDAP_USER_BASE_DN', '${env.ldap.base}');
-    define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
-    define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
-    ?>
-    '';
+      define('LDAP_BIND_TYPE', 'proxy');
+      define('LDAP_USERNAME', '${env.ldap.dn}');
+      define('LDAP_PASSWORD', '${env.ldap.password}');
+      define('LDAP_USER_BASE_DN', '${env.ldap.base}');
+      define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
+      define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
+      ?>
+      '';
+  };
   webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec {
     dontBuild = true;
     installPhase = ''
       cp -a . $out
-      ln -s ${config} $out/config.php
+      ln -s /run/keys/webapps/tools-kanboard $out/config.php
       mv $out/data $out/dataold
       ln -s ${varDir}/data $out/data
       '';
@@ -65,7 +71,8 @@ rec {
       '';
   };
   phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir config ];
+    serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ];
     socket = "/var/run/phpfpm/kanboard.sock";
     pool = ''
       listen = ${socket}