Move davical and Jerome's website passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

1 files changed, 11 insertions, 6 deletions

diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 199bfab..218060f 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,8 +29,11 @@ in {
       domain = "naturaloutil.immae.eu";
     };
 
-    services.myPhpfpm.poolConfigs.jerome = let
-      configFile = pkgs.writeText "naturaloutil.inc.php" ''
+    deployment.keys."prod-naturaloutil" = {
+      destDir = "/run/keys/webapps";
+      user = "wwwrun";
+      group = "wwwrun";
+      text = ''
         <?php
         $mysql_user = '${env.mysql.user}' ;
         $mysql_server = '${env.mysql.host}' ;
@@ -44,8 +47,10 @@ in {
         '' else ""}
         $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
         ?>
-        '';
-      in ''
+      '';
+    };
+    services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" "prod-naturaloutil-key.service" ];
+    services.myPhpfpm.poolConfigs.jerome = ''
       listen = /run/phpfpm/naturaloutil.sock
       user = wwwrun
       group = wwwrun
@@ -56,8 +61,8 @@ in {
       pm.max_children = 5
       pm.process_idle_timeout = 60
 
-      env[BDD_CONNECT] = "${configFile}"
-      php_admin_value[open_basedir] = "${configFile}:${varDir}:/tmp"
+      env[BDD_CONNECT] = "/run/keys/webapps/prod-naturaloutil"
+      php_admin_value[open_basedir] = "/run/keys/webapps/prod-naturaloutil:${varDir}:/tmp"
       '';
     services.myPhpfpm.poolPhpConfigs.jerome = ''
       extension=${pkgs.php}/lib/php/extensions/mysqli.so