author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-15 00:23:03 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-15 00:44:49 +0200 |
commit | a840a21c954be6342603ae7a45dde6c005761696 (patch) | |
tree | e2d2c547d5e6a4a74aa3cca53d97e3b39f8b8625 | |
parent | 981634865c275c1f35e78a27c6d76cd9708fd7ef (diff) | |
Move ttrss, wallabag, ldap and roundcubemail passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
-rw-r--r-- | nixops/modules/websites/tools/tools/default.nix | 20 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/dokuwiki.nix | 1 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/ldap.nix | 45 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/rainloop.nix | 1 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/roundcubemail.nix | 101 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/ttrss.nix | 103 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/wallabag.nix | 127 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/yourls.nix | 13 |
8 files changed, 232 insertions, 179 deletions
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index 14b5934..3d5465f 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix | |||
@@ -46,7 +46,13 @@ in { | |||
46 | security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; | 46 | security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; |
47 | security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; | 47 | security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; |
48 | 48 | ||
49 | deployment.keys = kanboard.keys; | 49 | deployment.keys = |
50 | kanboard.keys | ||
51 | // ldap.keys | ||
52 | // roundcubemail.keys | ||
53 | // ttrss.keys | ||
54 | // wallabag.keys | ||
55 | // yourls.keys; | ||
50 | 56 | ||
51 | services.myWebsites.integration.modules = | 57 | services.myWebsites.integration.modules = |
52 | rainloop.apache.modules; | 58 | rainloop.apache.modules; |
@@ -131,7 +137,17 @@ in { | |||
131 | ]; | 137 | ]; |
132 | }; | 138 | }; |
133 | 139 | ||
134 | services.myPhpfpm.serviceDependencies.kanboard = kanboard.phpFpm.serviceDeps; | 140 | services.myPhpfpm.serviceDependencies = { |
141 | dokuwiki = dokuwiki.phpFpm.serviceDeps; | ||
142 | kanboard = kanboard.phpFpm.serviceDeps; | ||
143 | ldap = ldap.phpFpm.serviceDeps; | ||
144 | rainloop = rainloop.phpFpm.serviceDeps; | ||
145 | roundcubemail = roundcubemail.phpFpm.serviceDeps; | ||
146 | ttrss = ttrss.phpFpm.serviceDeps; | ||
147 | wallabag = wallabag.phpFpm.serviceDeps; | ||
148 | yourls = yourls.phpFpm.serviceDeps; | ||
149 | }; | ||
150 | |||
135 | services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig; | 151 | services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig; |
136 | services.myPhpfpm.poolConfigs = { | 152 | services.myPhpfpm.poolConfigs = { |
137 | adminer = adminer.phpFpm.pool; | 153 | adminer = adminer.phpFpm.pool; |
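Review bot: The `//` chain on new lines 49–55 lets a later module silently shadow an earlier one if two modules ever export a `deployment.keys` entry with the same name, so a duplicated or mistyped key name would drop one service's secret with no evaluation error. Every module in this commit uses a distinct `tools-<app>` name, so nothing breaks today, but folding the list with an `assert` that the attribute name sets are disjoint (via `lib.foldl'`/`lib.intersectLists`, assuming `lib` is in scope in this file — its header is outside the hunk) would make that convention enforced instead of implicit. The `serviceDependencies` literal on lines 140–149 does not have this problem, since a duplicate attribute in a literal set is a Nix error.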
diff --git a/nixops/modules/websites/tools/tools/dokuwiki.nix b/nixops/modules/websites/tools/tools/dokuwiki.nix index 2f4e8c1..2cd19f1 100644 --- a/nixops/modules/websites/tools/tools/dokuwiki.nix +++ b/nixops/modules/websites/tools/tools/dokuwiki.nix | |||
@@ -76,6 +76,7 @@ let | |||
76 | ''; | 76 | ''; |
77 | }; | 77 | }; |
78 | phpFpm = rec { | 78 | phpFpm = rec { |
79 | serviceDeps = [ "openldap.service" ]; | ||
79 | basedir = builtins.concatStringsSep ":" ( | 80 | basedir = builtins.concatStringsSep ":" ( |
80 | [ webRoot varDir ] | 81 | [ webRoot varDir ] |
81 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); | 82 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); |
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix index 6cde881..9d98837 100644 --- a/nixops/modules/websites/tools/tools/ldap.nix +++ b/nixops/modules/websites/tools/tools/ldap.nix | |||
@@ -1,24 +1,30 @@ | |||
1 | { lib, php, env, writeText, stdenv, optipng, fetchurl }: | 1 | { lib, php, env, writeText, stdenv, optipng, fetchurl }: |
2 | rec { | 2 | rec { |
3 | config = writeText "config.php" '' | 3 | keys.tools-ldap = { |
4 | <?php | 4 | destDir = "/run/keys/webapps"; |
5 | $config->custom->appearance['show_clear_password'] = true; | 5 | user = apache.user; |
6 | $config->custom->appearance['hide_template_warning'] = true; | 6 | group = apache.group; |
7 | $config->custom->appearance['theme'] = "tango"; | 7 | permissions = "0700"; |
8 | $config->custom->appearance['minimalMode'] = true; | 8 | text = '' |
9 | <?php | ||
10 | $config->custom->appearance['show_clear_password'] = true; | ||
11 | $config->custom->appearance['hide_template_warning'] = true; | ||
12 | $config->custom->appearance['theme'] = "tango"; | ||
13 | $config->custom->appearance['minimalMode'] = true; | ||
9 | 14 | ||
10 | $servers = new Datastore(); | 15 | $servers = new Datastore(); |
11 | 16 | ||
12 | $servers->newServer('ldap_pla'); | 17 | $servers->newServer('ldap_pla'); |
13 | $servers->setValue('server','name','Immae’s LDAP'); | 18 | $servers->setValue('server','name','Immae’s LDAP'); |
14 | $servers->setValue('server','host','ldaps://${env.ldap.host}'); | 19 | $servers->setValue('server','host','ldaps://${env.ldap.host}'); |
15 | $servers->setValue('login','auth_type','cookie'); | 20 | $servers->setValue('login','auth_type','cookie'); |
16 | $servers->setValue('login','bind_id','${env.ldap.dn}'); | 21 | $servers->setValue('login','bind_id','${env.ldap.dn}'); |
17 | $servers->setValue('login','bind_pass','${env.ldap.password}'); | 22 | $servers->setValue('login','bind_pass','${env.ldap.password}'); |
18 | $servers->setValue('appearance','password_hash','ssha'); | 23 | $servers->setValue('appearance','password_hash','ssha'); |
19 | $servers->setValue('login','attr','uid'); | 24 | $servers->setValue('login','attr','uid'); |
20 | $servers->setValue('login','fallback_dn',true); | 25 | $servers->setValue('login','fallback_dn',true); |
21 | ''; | 26 | ''; |
27 | }; | ||
22 | webRoot = stdenv.mkDerivation rec { | 28 | webRoot = stdenv.mkDerivation rec { |
23 | version = "1.2.3"; | 29 | version = "1.2.3"; |
24 | name = "phpldapadmin-${version}"; | 30 | name = "phpldapadmin-${version}"; |
@@ -39,7 +45,7 @@ rec { | |||
39 | ''; | 45 | ''; |
40 | installPhase = '' | 46 | installPhase = '' |
41 | cp -a . $out | 47 | cp -a . $out |
42 | ln -sf ${config} $out/config/config.php | 48 | ln -sf /run/keys/webapps/tools-ldap $out/config/config.php |
43 | ''; | 49 | ''; |
44 | }; | 50 | }; |
45 | apache = rec { | 51 | apache = rec { |
@@ -62,7 +68,8 @@ rec { | |||
62 | ''; | 68 | ''; |
63 | }; | 69 | }; |
64 | phpFpm = rec { | 70 | phpFpm = rec { |
65 | basedir = builtins.concatStringsSep ":" [ webRoot config ]; | 71 | serviceDeps = [ "openldap.service" "tools-ldap-key.service" ]; |
72 | basedir = builtins.concatStringsSep ":" [ webRoot "/run/keys/webapps/tools-ldap" ]; | ||
66 | socket = "/var/run/phpfpm/ldap.sock"; | 73 | socket = "/var/run/phpfpm/ldap.sock"; |
67 | pool = '' | 74 | pool = '' |
68 | listen = ${socket} | 75 | listen = ${socket} |
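Review bot: `permissions = "0700"` on new line 7 gives the apache user write and execute on a file that php-fpm only needs to read through `include`; `"0400"` is the least-privilege mode, and a read-only config also means a compromised phpldapadmin process cannot rewrite its own `config.php` to point `host` or `bind_id`/`bind_pass` at an attacker-controlled directory. Every key added in this commit uses the same `"0700"`, so it is worth changing them together. Separately, `'${env.ldap.password}'` on line 22 is interpolated into a PHP single-quoted literal, so a password containing `'` or `\` would produce a broken config on the target; `lib` is an argument of this file (line 1), so `'${lib.escape [ "'" "\\" ] env.ldap.password}'` covers that.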
diff --git a/nixops/modules/websites/tools/tools/rainloop.nix b/nixops/modules/websites/tools/tools/rainloop.nix index 7aaa4eb..457e546 100644 --- a/nixops/modules/websites/tools/tools/rainloop.nix +++ b/nixops/modules/websites/tools/tools/rainloop.nix | |||
@@ -39,6 +39,7 @@ rec { | |||
39 | ''; | 39 | ''; |
40 | }; | 40 | }; |
41 | phpFpm = rec { | 41 | phpFpm = rec { |
42 | serviceDeps = [ "postgresql.service" ]; | ||
42 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 43 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
43 | socket = "/var/run/phpfpm/rainloop.sock"; | 44 | socket = "/var/run/phpfpm/rainloop.sock"; |
44 | pool = '' | 45 | pool = '' |
diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix index 1e1f95b..3806679 100644 --- a/nixops/modules/websites/tools/tools/roundcubemail.nix +++ b/nixops/modules/websites/tools/tools/roundcubemail.nix | |||
@@ -78,59 +78,65 @@ let | |||
78 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions | 78 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions |
79 | ''; | 79 | ''; |
80 | }; | 80 | }; |
81 | config = writeText "config.php" '' | 81 | keys.tools-roundcube = { |
82 | <?php | 82 | destDir = "/run/keys/webapps"; |
83 | $config['db_dsnw'] = '${env.psql_url}'; | 83 | user = apache.user; |
84 | $config['default_host'] = 'ssl://mail.immae.eu'; | 84 | group = apache.group; |
85 | $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false)); | 85 | permissions = "0700"; |
86 | $config['smtp_server'] = 'tls://mail.immae.eu'; | 86 | text = '' |
87 | $config['smtp_port'] = '25'; | 87 | <?php |
88 | $config['managesieve_host'] = 'mail.immae.eu'; | 88 | $config['db_dsnw'] = '${env.psql_url}'; |
89 | $config['managesieve_port'] = '4190'; | 89 | $config['default_host'] = 'ssl://mail.immae.eu'; |
90 | $config['managesieve_usetls'] = true; | 90 | $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false)); |
91 | $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false)); | 91 | $config['smtp_server'] = 'tls://mail.immae.eu'; |
92 | $config['smtp_port'] = '25'; | ||
93 | $config['managesieve_host'] = 'mail.immae.eu'; | ||
94 | $config['managesieve_port'] = '4190'; | ||
95 | $config['managesieve_usetls'] = true; | ||
96 | $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false)); | ||
92 | 97 | ||
93 | $config['imap_cache'] = 'db'; | 98 | $config['imap_cache'] = 'db'; |
94 | $config['messages_cache'] = 'db'; | 99 | $config['messages_cache'] = 'db'; |
95 | 100 | ||
96 | $config['support_url'] = '''; | 101 | $config['support_url'] = '''; |
97 | 102 | ||
98 | $config['des_key'] = '${env.secret}'; | 103 | $config['des_key'] = '${env.secret}'; |
99 | 104 | ||
100 | $config['skin'] = 'elastic'; | 105 | $config['skin'] = 'elastic'; |
101 | $config['plugins'] = array( | 106 | $config['plugins'] = array( |
102 | 'attachment_reminder', | 107 | 'attachment_reminder', |
103 | 'emoticons', | 108 | 'emoticons', |
104 | 'filesystem_attachments', | 109 | 'filesystem_attachments', |
105 | 'hide_blockquote', | 110 | 'hide_blockquote', |
106 | 'identicon', | 111 | 'identicon', |
107 | 'identity_select', | 112 | 'identity_select', |
108 | 'jqueryui', | 113 | 'jqueryui', |
109 | 'managesieve', | 114 | 'managesieve', |
110 | 'newmail_notifier', | 115 | 'newmail_notifier', |
111 | 'vcard_attachments', | 116 | 'vcard_attachments', |
112 | 'zipdownload', | 117 | 'zipdownload', |
113 | 118 | ||
114 | 'automatic_addressbook', | 119 | 'automatic_addressbook', |
115 | 'message_highlight', | 120 | 'message_highlight', |
116 | 'carddav', | 121 | 'carddav', |
117 | // Ne marche pas ?: 'ident_switch', | 122 | // Ne marche pas ?: 'ident_switch', |
118 | // Ne marche pas ?: 'thunderbird_labels', | 123 | // Ne marche pas ?: 'thunderbird_labels', |
119 | ); | 124 | ); |
120 | 125 | ||
121 | $config['language'] = 'fr_FR'; | 126 | $config['language'] = 'fr_FR'; |
122 | 127 | ||
123 | $config['drafts_mbox'] = 'Mail/Drafts'; | 128 | $config['drafts_mbox'] = 'Mail/Drafts'; |
124 | $config['junk_mbox'] = 'Mail/Spam'; | 129 | $config['junk_mbox'] = 'Mail/Spam'; |
125 | $config['sent_mbox'] = 'Mail/sent'; | 130 | $config['sent_mbox'] = 'Mail/sent'; |
126 | $config['trash_mbox'] = '''; | 131 | $config['trash_mbox'] = '''; |
127 | $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', '''); | 132 | $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', '''); |
128 | $config['draft_autosave'] = 60; | 133 | $config['draft_autosave'] = 60; |
129 | $config['enable_installer'] = false; | 134 | $config['enable_installer'] = false; |
130 | $config['log_driver'] = 'file'; | 135 | $config['log_driver'] = 'file'; |
131 | $config['temp_dir'] = '${varDir}/cache'; | 136 | $config['temp_dir'] = '${varDir}/cache'; |
132 | $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; | 137 | $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; |
133 | ''; | 138 | ''; |
139 | }; | ||
134 | webRoot = stdenv.mkDerivation rec { | 140 | webRoot = stdenv.mkDerivation rec { |
135 | version = "1.4-rc1"; | 141 | version = "1.4-rc1"; |
136 | name = "roundcubemail-${version}"; | 142 | name = "roundcubemail-${version}"; |
@@ -148,7 +154,7 @@ let | |||
148 | ''; | 154 | ''; |
149 | installPhase = '' | 155 | installPhase = '' |
150 | cp -a . $out | 156 | cp -a . $out |
151 | ln -s ${config} $out/config/config.inc.php | 157 | ln -s /run/keys/webapps/tools-roundcube $out/config/config.inc.php |
152 | ${builtins.concatStringsSep "\n" ( | 158 | ${builtins.concatStringsSep "\n" ( |
153 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins | 159 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins |
154 | )} | 160 | )} |
@@ -178,8 +184,9 @@ let | |||
178 | ''; | 184 | ''; |
179 | }; | 185 | }; |
180 | phpFpm = rec { | 186 | phpFpm = rec { |
187 | serviceDeps = [ "postgresql.service" "tools-roundcube-key.service" ]; | ||
181 | basedir = builtins.concatStringsSep ":" ( | 188 | basedir = builtins.concatStringsSep ":" ( |
182 | [ webRoot config varDir ] | 189 | [ webRoot "/run/keys/webapps/tools-roundcube" varDir ] |
183 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins | 190 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins |
184 | ++ lib.attrsets.mapAttrsToList (name: value: value) skins); | 191 | ++ lib.attrsets.mapAttrsToList (name: value: value) skins); |
185 | phpConfig = '' | 192 | phpConfig = '' |
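Review bot: `"verify_peer" => false` on new lines 90 and 96 disables certificate validation for the IMAP and managesieve connections, so despite the `ssl://`/`tls://` transports every user's IMAP password is exposed to an on-path attacker between this host and mail.immae.eu; the commit protects `des_key` and the DB DSN at rest but leaves the transport unauthenticated. If mail.immae.eu presents a certificate this host trusts (not visible here), dropping both `*_conn_options` lines, or setting `"verify_peer" => true` together with a `"cafile"`, restores validation. Also, `'${env.psql_url}'` and `'${env.secret}'` (lines 88 and 103) are interpolated into PHP single-quoted literals, so a value containing `'` or `\` breaks the generated file; `lib` is already used in this file, so `'${lib.escape [ "'" "\\" ] env.secret}'` would cover that.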
diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix index ca049e6..6a5efd9 100644 --- a/nixops/modules/websites/tools/tools/ttrss.nix +++ b/nixops/modules/websites/tools/tools/ttrss.nix | |||
@@ -52,69 +52,75 @@ let | |||
52 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions | 52 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions |
53 | ''; | 53 | ''; |
54 | }; | 54 | }; |
55 | config = writeText "config.php" '' | 55 | keys.tools-ttrss = { |
56 | <?php | 56 | destDir = "/run/keys/webapps"; |
57 | user = apache.user; | ||
58 | group = apache.group; | ||
59 | permissions = "0700"; | ||
60 | text = '' | ||
61 | <?php | ||
57 | 62 | ||
58 | define('PHP_EXECUTABLE', '${php}/bin/php'); | 63 | define('PHP_EXECUTABLE', '${php}/bin/php'); |
59 | 64 | ||
60 | define('LOCK_DIRECTORY', 'lock'); | 65 | define('LOCK_DIRECTORY', 'lock'); |
61 | define('CACHE_DIR', 'cache'); | 66 | define('CACHE_DIR', 'cache'); |
62 | define('ICONS_DIR', 'feed-icons'); | 67 | define('ICONS_DIR', 'feed-icons'); |
63 | define('ICONS_URL', 'feed-icons'); | 68 | define('ICONS_URL', 'feed-icons'); |
64 | define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/'); | 69 | define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/'); |
65 | 70 | ||
66 | define('MYSQL_CHARSET', 'UTF8'); | 71 | define('MYSQL_CHARSET', 'UTF8'); |
67 | 72 | ||
68 | define('DB_TYPE', 'pgsql'); | 73 | define('DB_TYPE', 'pgsql'); |
69 | define('DB_HOST', '${env.postgresql.socket}'); | 74 | define('DB_HOST', '${env.postgresql.socket}'); |
70 | define('DB_USER', '${env.postgresql.user}'); | 75 | define('DB_USER', '${env.postgresql.user}'); |
71 | define('DB_NAME', '${env.postgresql.database}'); | 76 | define('DB_NAME', '${env.postgresql.database}'); |
72 | define('DB_PASS', '${env.postgresql.password}'); | 77 | define('DB_PASS', '${env.postgresql.password}'); |
73 | define('DB_PORT', '${env.postgresql.port}'); | 78 | define('DB_PORT', '${env.postgresql.port}'); |
74 | 79 | ||
75 | define('AUTH_AUTO_CREATE', true); | 80 | define('AUTH_AUTO_CREATE', true); |
76 | define('AUTH_AUTO_LOGIN', true); | 81 | define('AUTH_AUTO_LOGIN', true); |
77 | 82 | ||
78 | define('SINGLE_USER_MODE', false); | 83 | define('SINGLE_USER_MODE', false); |
79 | 84 | ||
80 | define('SIMPLE_UPDATE_MODE', false); | 85 | define('SIMPLE_UPDATE_MODE', false); |
81 | define('CHECK_FOR_UPDATES', true); | 86 | define('CHECK_FOR_UPDATES', true); |
82 | 87 | ||
83 | define('FORCE_ARTICLE_PURGE', 0); | 88 | define('FORCE_ARTICLE_PURGE', 0); |
84 | define('SESSION_COOKIE_LIFETIME', 60*60*24*120); | 89 | define('SESSION_COOKIE_LIFETIME', 60*60*24*120); |
85 | define('ENABLE_GZIP_OUTPUT', false); | 90 | define('ENABLE_GZIP_OUTPUT', false); |
86 | 91 | ||
87 | define('PLUGINS', 'auth_ldap, note, instances'); | 92 | define('PLUGINS', 'auth_ldap, note, instances'); |
88 | 93 | ||
89 | define('LOG_DESTINATION', '''); | 94 | define('LOG_DESTINATION', '''); |
90 | define('CONFIG_VERSION', 26); | 95 | define('CONFIG_VERSION', 26); |
91 | 96 | ||
92 | 97 | ||
93 | define('SPHINX_SERVER', 'localhost:9312'); | 98 | define('SPHINX_SERVER', 'localhost:9312'); |
94 | define('SPHINX_INDEX', 'ttrss, delta'); | 99 | define('SPHINX_INDEX', 'ttrss, delta'); |
95 | 100 | ||
96 | define('ENABLE_REGISTRATION', false); | 101 | define('ENABLE_REGISTRATION', false); |
97 | define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu'); | 102 | define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu'); |
98 | define('REG_MAX_USERS', 10); | 103 | define('REG_MAX_USERS', 10); |
99 | 104 | ||
100 | define('SMTP_FROM_NAME', 'Tiny Tiny RSS'); | 105 | define('SMTP_FROM_NAME', 'Tiny Tiny RSS'); |
101 | define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu'); | 106 | define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu'); |
102 | define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours'); | 107 | define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours'); |
103 | 108 | ||
104 | define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/'); | 109 | define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/'); |
105 | define('LDAP_AUTH_USETLS', TRUE); | 110 | define('LDAP_AUTH_USETLS', TRUE); |
106 | define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); | 111 | define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); |
107 | define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu'); | 112 | define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu'); |
108 | define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); | 113 | define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE); |
109 | define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))'); | 114 | define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))'); |
110 | 115 | ||
111 | define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu'); | 116 | define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu'); |
112 | define('LDAP_AUTH_BINDPW', '${env.ldap.password}'); | 117 | define('LDAP_AUTH_BINDPW', '${env.ldap.password}'); |
113 | define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin'); | 118 | define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin'); |
114 | 119 | ||
115 | define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); | 120 | define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); |
116 | define('LDAP_AUTH_DEBUG', FALSE); | 121 | define('LDAP_AUTH_DEBUG', FALSE); |
117 | ''; | 122 | ''; |
123 | }; | ||
118 | webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec { | 124 | webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec { |
119 | buildPhase = '' | 125 | buildPhase = '' |
120 | rm -rf lock feed-icons cache | 126 | rm -rf lock feed-icons cache |
@@ -122,7 +128,7 @@ let | |||
122 | ''; | 128 | ''; |
123 | installPhase = '' | 129 | installPhase = '' |
124 | cp -a . $out | 130 | cp -a . $out |
125 | ln -s ${config} $out/config.php | 131 | ln -s /run/keys/webapps/tools-ttrss $out/config.php |
126 | ${builtins.concatStringsSep "\n" ( | 132 | ${builtins.concatStringsSep "\n" ( |
127 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins | 133 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins |
128 | )} | 134 | )} |
@@ -149,8 +155,9 @@ let | |||
149 | ''; | 155 | ''; |
150 | }; | 156 | }; |
151 | phpFpm = rec { | 157 | phpFpm = rec { |
158 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-ttrss-key.service" ]; | ||
152 | basedir = builtins.concatStringsSep ":" ( | 159 | basedir = builtins.concatStringsSep ":" ( |
153 | [ webRoot config varDir ] | 160 | [ webRoot "/run/keys/webapps/tools-ttrss" varDir ] |
154 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); | 161 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); |
155 | socket = "/var/run/phpfpm/ttrss.sock"; | 162 | socket = "/var/run/phpfpm/ttrss.sock"; |
156 | pool = '' | 163 | pool = '' |
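Review bot: `LDAP_AUTH_ALLOW_UNTRUSTED_CERT` is `TRUE` on new line 111 while the server URI on line 109 is plain `ldap://ldap.immae.eu:389/` with `LDAP_AUTH_USETLS`, so the STARTTLS upgrade is never authenticated and the `LDAP_AUTH_BINDPW` this commit moves into the key file — plus every user's password at login — can be captured by an on-path attacker who answers the STARTTLS. wallabag.nix in the same commit reaches the same directory over port 636 with `ldap_ssl: true`, and phpldapadmin uses `ldaps://`; ttrss should match, with `define('LDAP_AUTH_SERVER_URI', 'ldaps://ldap.immae.eu:636/');` and `define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', FALSE);` once the directory's certificate chain is trusted by this host. If the certificate is self-signed, pointing PHP's LDAP client at the CA is the fix, not disabling the check.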
diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/nixops/modules/websites/tools/tools/wallabag.nix index 0b28ccb..c808eb1 100644 --- a/nixops/modules/websites/tools/tools/wallabag.nix +++ b/nixops/modules/websites/tools/tools/wallabag.nix | |||
@@ -2,64 +2,70 @@ | |||
2 | let | 2 | let |
3 | wallabag = rec { | 3 | wallabag = rec { |
4 | varDir = "/var/lib/wallabag"; | 4 | varDir = "/var/lib/wallabag"; |
5 | parameters = writeText "parameters.yml" '' | 5 | keys.tools-wallabag = { |
6 | # This file is auto-generated during the composer install | 6 | destDir = "/run/keys/webapps"; |
7 | parameters: | 7 | user = apache.user; |
8 | database_driver: pdo_pgsql | 8 | group = apache.group; |
9 | database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver | 9 | permissions = "0700"; |
10 | database_host: ${env.postgresql.socket} | 10 | text = '' |
11 | database_port: ${env.postgresql.port} | 11 | # This file is auto-generated during the composer install |
12 | database_name: ${env.postgresql.database} | 12 | parameters: |
13 | database_user: ${env.postgresql.user} | 13 | database_driver: pdo_pgsql |
14 | database_password: ${env.postgresql.password} | 14 | database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver |
15 | database_path: null | 15 | database_host: ${env.postgresql.socket} |
16 | database_table_prefix: wallabag_ | 16 | database_port: ${env.postgresql.port} |
17 | database_socket: null | 17 | database_name: ${env.postgresql.database} |
18 | database_charset: utf8 | 18 | database_user: ${env.postgresql.user} |
19 | domain_name: https://tools.immae.eu/wallabag | 19 | database_password: ${env.postgresql.password} |
20 | mailer_transport: sendmail | 20 | database_path: null |
21 | mailer_host: 127.0.0.1 | 21 | database_table_prefix: wallabag_ |
22 | mailer_user: null | 22 | database_socket: null |
23 | mailer_password: null | 23 | database_charset: utf8 |
24 | locale: fr | 24 | domain_name: https://tools.immae.eu/wallabag |
25 | secret: ${env.secret} | 25 | mailer_transport: sendmail |
26 | twofactor_auth: true | 26 | mailer_host: 127.0.0.1 |
27 | twofactor_sender: wallabag@tools.immae.eu | 27 | mailer_user: null |
28 | fosuser_registration: false | 28 | mailer_password: null |
29 | fosuser_confirmation: true | 29 | locale: fr |
30 | from_email: wallabag@tools.immae.eu | 30 | secret: ${env.secret} |
31 | rss_limit: 50 | 31 | twofactor_auth: true |
32 | rabbitmq_host: localhost | 32 | twofactor_sender: wallabag@tools.immae.eu |
33 | rabbitmq_port: 5672 | 33 | fosuser_registration: false |
34 | rabbitmq_user: guest | 34 | fosuser_confirmation: true |
35 | rabbitmq_password: guest | 35 | from_email: wallabag@tools.immae.eu |
36 | rabbitmq_prefetch_count: 10 | 36 | rss_limit: 50 |
37 | redis_scheme: unix | 37 | rabbitmq_host: localhost |
38 | redis_host: null | 38 | rabbitmq_port: 5672 |
39 | redis_port: null | 39 | rabbitmq_user: guest |
40 | redis_path: ${env.redis.socket} | 40 | rabbitmq_password: guest |
41 | redis_password: null | 41 | rabbitmq_prefetch_count: 10 |
42 | sites_credentials: { } | 42 | redis_scheme: unix |
43 | ldap_enabled: true | 43 | redis_host: null |
44 | ldap_host: ldap.immae.eu | 44 | redis_port: null |
45 | ldap_port: 636 | 45 | redis_path: ${env.redis.socket} |
46 | ldap_tls: false | 46 | redis_password: null |
47 | ldap_ssl: true | 47 | sites_credentials: { } |
48 | ldap_bind_requires_dn: true | 48 | ldap_enabled: true |
49 | ldap_base: 'dc=immae,dc=eu' | 49 | ldap_host: ldap.immae.eu |
50 | ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu' | 50 | ldap_port: 636 |
51 | ldap_manager_pw: ${env.ldap.password} | 51 | ldap_tls: false |
52 | ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))' | 52 | ldap_ssl: true |
53 | ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))' | 53 | ldap_bind_requires_dn: true |
54 | ldap_username_attribute: uid | 54 | ldap_base: 'dc=immae,dc=eu' |
55 | ldap_email_attribute: mail | 55 | ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu' |
56 | ldap_name_attribute: cn | 56 | ldap_manager_pw: ${env.ldap.password} |
57 | ldap_enabled_attribute: null | 57 | ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))' |
58 | services: | 58 | ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))' |
59 | swiftmailer.mailer.default.transport: | 59 | ldap_username_attribute: uid |
60 | class: Swift_SendmailTransport | 60 | ldap_email_attribute: mail |
61 | arguments: ['/run/wrappers/bin/sendmail -bs'] | 61 | ldap_name_attribute: cn |
62 | ''; | 62 | ldap_enabled_attribute: null |
63 | services: | ||
64 | swiftmailer.mailer.default.transport: | ||
65 | class: Swift_SendmailTransport | ||
66 | arguments: ['/run/wrappers/bin/sendmail -bs'] | ||
67 | ''; | ||
68 | }; | ||
63 | webappDir = composerEnv.buildPackage rec { | 69 | webappDir = composerEnv.buildPackage rec { |
64 | packages = { | 70 | packages = { |
65 | "fr3d/ldap-bundle" = { | 71 | "fr3d/ldap-bundle" = { |
@@ -104,7 +110,7 @@ let | |||
104 | ''; | 110 | ''; |
105 | postInstall = '' | 111 | postInstall = '' |
106 | rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data | 112 | rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data |
107 | ln -sf ${parameters} app/config/parameters.yml | 113 | ln -sf /run/keys/webapps/tools-wallabag app/config/parameters.yml |
108 | ln -sf ${varDir}/var/{cache,logs,sessions} var | 114 | ln -sf ${varDir}/var/{cache,logs,sessions} var |
109 | ln -sf ${varDir}/data data | 115 | ln -sf ${varDir}/data data |
110 | ln -sf ${varDir}/assets web/assets | 116 | ln -sf ${varDir}/assets web/assets |
@@ -163,7 +169,8 @@ let | |||
163 | ''; | 169 | ''; |
164 | }; | 170 | }; |
165 | phpFpm = rec { | 171 | phpFpm = rec { |
166 | basedir = builtins.concatStringsSep ":" [ webappDir parameters varDir ]; | 172 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-wallabag-key.service" ]; |
173 | basedir = builtins.concatStringsSep ":" [ webappDir "/run/keys/webapps/tools-wallabag" varDir ]; | ||
167 | socket = "/var/run/phpfpm/wallabag.sock"; | 174 | socket = "/var/run/phpfpm/wallabag.sock"; |
168 | pool = '' | 175 | pool = '' |
169 | listen = ${socket} | 176 | listen = ${socket} |
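Review bot: `database_password`, `secret` and `ldap_manager_pw` (new lines 19, 30 and 56) are emitted as unquoted YAML scalars, so a value containing ` #` or `: `, or starting with a character such as `*`, `&`, `!`, `[`, `{` or a quote, is either truncated, re-typed or fails to parse — a password `ab #cd` silently becomes `ab`. Wrap them in YAML single quotes and double any embedded `'`, e.g. `database_password: '${lib.replaceStrings [ "'" ] [ "''" ] env.postgresql.password}'`, assuming `lib` is among this file's arguments (line 1 is outside the hunk). `rabbitmq_user: guest` / `rabbitmq_password: guest` on lines 39–40 are the broker's default credentials; if a RabbitMQ instance is actually reached here (nothing in this commit shows one) they are secrets too and should come from `env` like the others.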
diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix index b12edfa..64ec48a 100644 --- a/nixops/modules/websites/tools/tools/yourls.nix +++ b/nixops/modules/websites/tools/tools/yourls.nix | |||
@@ -13,7 +13,12 @@ let | |||
13 | activationScript = '' | 13 | activationScript = '' |
14 | install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls | 14 | install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls |
15 | ''; | 15 | ''; |
16 | config = writeText "config.php" '' | 16 | keys.tools-yourls = { |
17 | destDir = "/run/keys/webapps"; | ||
18 | user = apache.user; | ||
19 | group = apache.group; | ||
20 | permissions = "0700"; | ||
21 | text = '' | ||
17 | <?php | 22 | <?php |
18 | define( 'YOURLS_DB_USER', '${env.mysql.user}' ); | 23 | define( 'YOURLS_DB_USER', '${env.mysql.user}' ); |
19 | define( 'YOURLS_DB_PASS', '${env.mysql.password}' ); | 24 | define( 'YOURLS_DB_PASS', '${env.mysql.password}' ); |
@@ -41,12 +46,13 @@ let | |||
41 | 46 | ||
42 | define( 'LDAPAUTH_USERCACHE_TYPE', 0); | 47 | define( 'LDAPAUTH_USERCACHE_TYPE', 0); |
43 | ''; | 48 | ''; |
49 | }; | ||
44 | webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec { | 50 | webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec { |
45 | installPhase = '' | 51 | installPhase = '' |
46 | mkdir -p $out | 52 | mkdir -p $out |
47 | cp -a */ *.php $out/ | 53 | cp -a */ *.php $out/ |
48 | cp sample-robots.txt $out/robots.txt | 54 | cp sample-robots.txt $out/robots.txt |
49 | ln -sf ${config} $out/includes/config.php | 55 | ln -sf /run/keys/webapps/tools-yourls $out/includes/config.php |
50 | ${builtins.concatStringsSep "\n" ( | 56 | ${builtins.concatStringsSep "\n" ( |
51 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins | 57 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins |
52 | )} | 58 | )} |
@@ -79,8 +85,9 @@ let | |||
79 | ''; | 85 | ''; |
80 | }; | 86 | }; |
81 | phpFpm = rec { | 87 | phpFpm = rec { |
88 | serviceDeps = [ "mysql.service" "openldap.service" "tools-yourls-key.service" ]; | ||
82 | basedir = builtins.concatStringsSep ":" ( | 89 | basedir = builtins.concatStringsSep ":" ( |
83 | [ webRoot config ] | 90 | [ webRoot "/run/keys/webapps/tools-yourls" ] |
84 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); | 91 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); |
85 | socket = "/var/run/phpfpm/yourls.sock"; | 92 | socket = "/var/run/phpfpm/yourls.sock"; |
86 | pool = '' | 93 | pool = '' |
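Review bot: `'${env.mysql.password}'` on new line 24 (like the other `env.*` values in this file) lands inside a PHP single-quoted literal, so a password containing `'` or `\` yields a parse error or a truncated value, and now that the file is generated at deploy time into `/run/keys` rather than built in the store, the breakage only surfaces on the target as a php-fpm failure. `lib` is already used in this file (line 57), so `'${lib.escape [ "'" "\\" ] env.mysql.password}'` fixes it. Also, `permissions = "0700"` on line 20 gives the apache user write and execute on a file PHP only needs to read; `"0400"` is sufficient and keeps a compromised YOURLS from rewriting its own config.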