Move Ludivine Piedsjaloux and Florian's websites passwords to a secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 00:35:59 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 00:35:59 +0200
commit: 6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1 (patch)
tree: d253f7271d6e28bb119e4399059b55d42eccf0cc /nixops/modules/websites/ludivine/ludivinecassal.nix
parent: a754e9dbf5d6c35398f3c4ec52c3daf5f8ed2dd3 (diff)
download: Nix-6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1.tar.gz
Nix-6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1.tar.zst
Nix-6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1.zip
1 files changed, 17 insertions, 4 deletions
diff --git a/nixops/modules/websites/ludivine/ludivinecassal.nix b/nixops/modules/websites/ludivine/ludivinecassal.nix
index 114c4ac..244b05e 100644
--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -3,8 +3,12 @@ let
  ludivinecassal = { config }: rec {
    environment = config.environment;
    varDir = "/var/lib/ludivinecassal_${environment}";
-    configRoot =
+    keys."${environment}-ludivinecassal" = {
-      writeText "parameters.yml" ''
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
        # This file is auto-generated during the composer install
        parameters:
            database_host: ${config.mysql.host}
@@ -34,6 +38,7 @@ let
            sass: ${sass}/bin/sass
            ruby: ${ruby}/bin/ruby
      '';
+    };
    phpFpm = rec {
      socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock";
      pool = ''
@@ -45,7 +50,7 @@ let
        php_admin_value[upload_max_filesize] = 20M
        php_admin_value[post_max_size] = 20M
        ;php_admin_flag[log_errors] = on
-        php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+        php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp"
        php_admin_value[session.save_path] = "${varDir}/phpSessions"
        ${if environment == "dev" then ''
        pm = ondemand
@@ -151,7 +156,14 @@ let
        noDev = (environment == "prod");
        preInstall = ''
          export SYMFONY_ENV="${environment}"
-          ln -sf ${configRoot} app/config/parameters.yml
+          cp app/config/parameters.yml.dist app/config/parameters.yml
+          cat >> app/config/parameters.yml <<EOF
+          leapt_im:
+              binary_path: ${imagemagick}/bin
+          assetic:
+              sass: ${sass}/bin/sass
+              ruby: ${ruby}/bin/ruby
+          EOF
          sed -i -e "/Incenteev..ParameterHandler..ScriptHandler::buildParameters/d" composer.json
          '';
        # /!\ miniatures and data need to be in the same physical dir due to a
@@ -159,6 +171,7 @@ let
        postInstall = ''
          rm -rf var/{logs,cache,data,miniatures,tmp}
          ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
+          ln -sf /run/keys/webapps/${environment}-ludivinecassal app/config/parameters.yml
          '';
        buildInputs = [ sass ];
      });
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 00:35:59 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 00:35:59 +0200
commit	6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1 (patch)
tree	d253f7271d6e28bb119e4399059b55d42eccf0cc /nixops/modules/websites/ludivine/ludivinecassal.nix
parent	a754e9dbf5d6c35398f3c4ec52c3daf5f8ed2dd3 (diff)
download	Nix-6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1.tar.gz Nix-6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1.tar.zst Nix-6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1.zip