Move taskwarrior keys to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

1 files changed, 16 insertions, 7 deletions

diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index cda2302..2001eaa 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -87,6 +87,21 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    deployment.keys.tools-taskwarrior-web = {
+      destDir = "/run/keys/webapps";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+          SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
+          SetEnv TASKD_VARDIR        "${vardir}"
+          SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
+          SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
+          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+          SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
+          SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
+        '';
+    };
     security.acme.certs."eldiron".extraDomains.${fqdn} = null;
     services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ];
     services.myWebsites.tools.vhostConfs.task = {
@@ -101,13 +116,7 @@ in {
           <FilesMatch "\.php$">
             SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
           </FilesMatch>
-          SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
-          SetEnv TASKD_VARDIR        "${vardir}"
-          SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
-          SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
-          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
-          SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
-          SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
+          Include /run/keys/webapps/tools-taskwarrior-web
         </Directory>
         ''
         ''