Move csp report credentials out of the store

2 files changed, 17 insertions, 2 deletions

diff --git a/modules/private/websites/tools/tools/csp_reports.nix b/modules/private/websites/tools/tools/csp_reports.nix
new file mode 100644
index 0000000..4660251
--- /dev/null
+++ b/modules/private/websites/tools/tools/csp_reports.nix
@@ -0,0 +1,12 @@
+{ env }:
+rec {
+  keys = [{
+    dest = "webapps/tools-csp-reports.conf";
+    user = "wwwrun";
+    group = "wwwrun";
+    permissions = "0400";
+    text = with env.postgresql; ''
+      env[CSP_REPORT_URI] = "host=${socket} dbname=${database} user=${user} password=${password}"
+    '';
+  }];
+}
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index 1e30eed..7903ca5 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -55,6 +55,9 @@ let
   dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
     env = config.myEnv.tools.dmarc_reports;
   };
+  csp-reports = pkgs.callPackage ./csp_reports.nix {
+    env = config.myEnv.tools.csp_reports;
+  };
 
   landing = pkgs.callPackage ./landing.nix {};
 
@@ -74,6 +77,7 @@ in {
       ++ wallabag.keys
       ++ yourls.keys
       ++ dmarc-reports.keys
+      ++ csp-reports.keys
       ++ webhooks.keys;
 
     services.duplyBackup.profiles = {
@@ -302,11 +306,10 @@ in {
             "/run/wrappers/bin/sendmail" landing "/tmp"
             "${config.secrets.location}/webapps/webhooks"
           ];
+          "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
         };
         phpEnv = {
           CONTACT_EMAIL = config.myEnv.tools.contact;
-          CSP_REPORT_URI = with config.myEnv.tools.csp_reports.postgresql;
-            "\"host=${socket} dbname=${database} user=${user} password=${password}\"";
         };
         phpPackage = pkgs.php72;
       };