author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 13:46:47 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 13:49:24 +0200 |
commit | 51900e3488284b0711083819a5ecb1b0f280a913 (patch) | |
tree | 2367f6ac79eb9198d4890cf51add27b37cd7b6b0 /nixops/modules/websites/tools/ether/default.nix | |
parent | 3b45d5f2afc3a48809d0353a3133025525247331 (diff) | |
Move etherpad and mediagoblin keys to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites/tools/ether/default.nix')
-rw-r--r-- | nixops/modules/websites/tools/ether/default.nix | 9 |
1 files changed, 6 insertions, 3 deletions
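--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -12,11 +12,12 @@ in {
 };
 
 config = lib.mkIf cfg.enable {
+deployment.keys = etherpad.keys;
 systemd.services.etherpad-lite = {
 description = "Etherpad-lite";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" ];
-wants = [ "postgresql.service" ];
+after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ];
+wants = [ "postgresql.service" "tools-etherpad-key.service" ];
 
 environment.NODE_ENV = "production";
 environment.HOME = etherpad.webappDir;
@@ -25,13 +26,14 @@ in {
 
 script = ''
 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
---settings ${etherpad.config}
+--settings /run/keys/webapps/tools-etherpad
 '';
 
 serviceConfig = {
 DynamicUser = true;
 User = "etherpad-lite";
 Group = "etherpad-lite";
+SupplementaryGroups = "keys";
 WorkingDirectory = etherpad.webappDir;
 PrivateTmp = true;
 NoNewPrivileges = true;
@@ -42,6 +44,7 @@ in {
 Restart = "always";
 Type = "simple";
 TimeoutSec = 60;
+ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad";
 };
 };
 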
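Review bot: The `ExecStartPre` chown added in the last hunk makes the dynamic `etherpad-lite` user the owner of `/run/keys/webapps/tools-etherpad`, so the service can presumably rewrite its own settings and secrets, not just read them. The file's mode comes from `etherpad.keys`, which is defined outside this page. If read access is all the service needs, keep root as owner and grant only the group, e.g. `ExecStartPre = "+${pkgs.coreutils}/bin/chown root:etherpad-lite /run/keys/webapps/tools-etherpad";` with the key's `permissions` set to `0640`. A comment above the line would also help the next reader: `# "+" runs chown as root; DynamicUser has no fixed UID at deploy time, so ownership is set on every start`. The module continues beyond the shown hunks, so other consumers of this key path are not visible here.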