authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 01:44:03 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 01:44:03 +0200
commitec2a5ffb986e9b21dff31e16d112aa9052a4bc5c (patch)
tree0775b4d0338706e069f166836d7797e73bbe9b0f /nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
parenta0c845b436329624ad33432a701658dc1b52cca6 (diff)
Move diaspora and mantisbt passwords to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites/tools/git/mantisbt/mantisbt.nix')
-rw-r--r--nixops/modules/websites/tools/git/mantisbt/mantisbt.nix78
1 files changed, 42 insertions, 36 deletions
diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
index 0cd98a1..00580b5 100644
--- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
+++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
@@ -17,41 +17,46 @@ let
17 }); 17 });
18 }; 18 };
19 in rec { 19 in rec {
20 config = 20 keys."tools-mantisbt" = {
21 writeText "config_inc.php" '' 21 destDir = "/run/keys/webapps";
22 <?php 22 user = apache.user;
23 $g_hostname = '${env.postgresql.socket}'; 23 group = apache.group;
24 $g_db_username = '${env.postgresql.user}'; 24 permissions = "0700";
25 $g_db_password = '${env.postgresql.password}'; 25 text = ''
26 $g_database_name = '${env.postgresql.database}'; 26 <?php
27 $g_db_type = 'pgsql'; 27 $g_hostname = '${env.postgresql.socket}';
28 $g_crypto_master_salt = '${env.master_salt}'; 28 $g_db_username = '${env.postgresql.user}';
29 $g_allow_signup = OFF; 29 $g_db_password = '${env.postgresql.password}';
30 $g_allow_anonymous_login = ON; 30 $g_database_name = '${env.postgresql.database}';
31 $g_anonymous_account = 'anonymous'; 31 $g_db_type = 'pgsql';
32 $g_crypto_master_salt = '${env.master_salt}';
33 $g_allow_signup = OFF;
34 $g_allow_anonymous_login = ON;
35 $g_anonymous_account = 'anonymous';
32 36
33 $g_phpMailer_method = PHPMAILER_METHOD_SENDMAIL; 37 $g_phpMailer_method = PHPMAILER_METHOD_SENDMAIL;
34 $g_smtp_host = 'localhost'; 38 $g_smtp_host = 'localhost';
35 $g_smtp_username = '''; 39 $g_smtp_username = ''';
36 $g_smtp_password = '''; 40 $g_smtp_password = ''';
37 $g_webmaster_email = 'mantisbt@tools.immae.eu'; 41 $g_webmaster_email = 'mantisbt@tools.immae.eu';
38 $g_from_email = 'mantisbt@tools.immae.eu'; 42 $g_from_email = 'mantisbt@tools.immae.eu';
39 $g_return_path_email = 'mantisbt@tools.immae.eu'; 43 $g_return_path_email = 'mantisbt@tools.immae.eu';
40 $g_from_name = 'Mantis Bug Tracker at git.immae.eu'; 44 $g_from_name = 'Mantis Bug Tracker at git.immae.eu';
41 $g_email_receive_own = OFF; 45 $g_email_receive_own = OFF;
42 # --- LDAP --- 46 # --- LDAP ---
43 $g_login_method = LDAP; 47 $g_login_method = LDAP;
44 $g_ldap_protocol_version = 3; 48 $g_ldap_protocol_version = 3;
45 $g_ldap_server = 'ldaps://ldap.immae.eu:636'; 49 $g_ldap_server = 'ldaps://ldap.immae.eu:636';
46 $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu'; 50 $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
47 $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu'; 51 $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
48 $g_ldap_bind_passwd = '${env.ldap.password}'; 52 $g_ldap_bind_passwd = '${env.ldap.password}';
49 $g_use_ldap_email = ON; 53 $g_use_ldap_email = ON;
50 $g_use_ldap_realname = ON; 54 $g_use_ldap_realname = ON;
51 $g_ldap_uid_field = 'uid'; 55 $g_ldap_uid_field = 'uid';
52 $g_ldap_realname_field = 'cn'; 56 $g_ldap_realname_field = 'cn';
53 $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)'; 57 $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
54 ''; 58 '';
59 };
55 webRoot = stdenv.mkDerivation rec { 60 webRoot = stdenv.mkDerivation rec {
56 name = "mantisbt-${version}"; 61 name = "mantisbt-${version}";
57 version = "2.11.1"; 62 version = "2.11.1";
@@ -67,7 +72,7 @@ let
67 ]; 72 ];
68 installPhase = '' 73 installPhase = ''
69 cp -a . $out 74 cp -a . $out
70 ln -s ${config} $out/config/config_inc.php 75 ln -s /run/keys/webapps/tools-mantisbt $out/config/config_inc.php
71 ln -s ${plugins.slack} $out/plugins/Slack 76 ln -s ${plugins.slack} $out/plugins/Slack
72 ln -s ${plugins.source-integration}/Source* $out/plugins/ 77 ln -s ${plugins.source-integration}/Source* $out/plugins/
73 ''; 78 '';
@@ -97,8 +102,9 @@ let
97 ''; 102 '';
98 }; 103 };
99 phpFpm = rec { 104 phpFpm = rec {
105 serviceDeps = [ "postgresql.service" "openldap.service" "tools-mantisbt-key.service" ];
100 basedir = builtins.concatStringsSep ":" ( 106 basedir = builtins.concatStringsSep ":" (
101 [ webRoot config ] 107 [ webRoot "/run/keys/webapps/tools-mantisbt" ]
102 ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); 108 ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
103 socket = "/var/run/phpfpm/mantisbt.sock"; 109 socket = "/var/run/phpfpm/mantisbt.sock";
104 pool = '' 110 pool = ''
@@ -118,5 +124,5 @@ let
118 ''; 124 '';
119 }; 125 };
120 }; 126 };
121in 127in
122 mantisbt 128 mantisbt
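Review bot: `permissions = "0700"` on the new `keys."tools-mantisbt"` entry gives the owner write and execute bits on a file that PHP only has to read; `permissions = "0400";` would be the least-privilege setting, assuming the php-fpm pool runs as `apache.user` (the pool definition is outside the visible hunks, so confirm who actually reads the file). The secrets are still interpolated unescaped into single-quoted PHP strings inside `text`, as they were before this commit, so a password or salt containing `'` or `\` would break or change the generated `config_inc.php`; a comment above `text` such as `# secrets must not contain ' or \ (inserted verbatim into PHP single-quoted strings)` would record that constraint. The path `/run/keys/webapps/tools-mantisbt` is now written out in `installPhase` and in `phpFpm.basedir` in addition to being implied by `destDir` plus the key name, so binding it once in the `let` block and reusing it would keep the symlink target and `open_basedir` entry from drifting apart.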