author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 14:07:47 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 14:07:47 +0200 |
commit | 50933a04f9db56a6368f40bdfe33e988d1a269df (patch) | |
tree | 232bf8de417e15841d75c313bc02fb7aaa0ede42 /nixops/modules/websites/tools/mastodon/mastodon.nix | |
parent | 51900e3488284b0711083819a5ecb1b0f280a913 (diff) | |
download | Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.tar.gz Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.tar.zst Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.zip |
Move mastodon secret to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites/tools/mastodon/mastodon.nix')
-rw-r--r-- | nixops/modules/websites/tools/mastodon/mastodon.nix | 79 |
1 files changed, 43 insertions, 36 deletions
diff --git a/nixops/modules/websites/tools/mastodon/mastodon.nix b/nixops/modules/websites/tools/mastodon/mastodon.nix index 90e537f..944b2db 100644 --- a/nixops/modules/websites/tools/mastodon/mastodon.nix +++ b/nixops/modules/websites/tools/mastodon/mastodon.nix | |||
@@ -58,55 +58,62 @@ let | |||
58 | ''; | 58 | ''; |
59 | buildInputs = [ yarnModules ]; | 59 | buildInputs = [ yarnModules ]; |
60 | }); | 60 | }); |
61 | config = writeText "mastodon_environment" '' | 61 | keys.tools-mastodon = { |
62 | REDIS_HOST=${env.redis.host} | 62 | destDir = "/run/keys/webapps"; |
63 | REDIS_PORT=${env.redis.port} | 63 | user = "mastodon"; |
64 | REDIS_DB=${env.redis.db} | 64 | group = "mastodon"; |
65 | DB_HOST=${env.postgresql.socket} | 65 | permissions = "0400"; |
66 | DB_USER=${env.postgresql.user} | 66 | text = '' |
67 | DB_NAME=${env.postgresql.database} | 67 | REDIS_HOST=${env.redis.host} |
68 | DB_PASS=${env.postgresql.password} | 68 | REDIS_PORT=${env.redis.port} |
69 | DB_PORT=${env.postgresql.port} | 69 | REDIS_DB=${env.redis.db} |
70 | DB_HOST=${env.postgresql.socket} | ||
71 | DB_USER=${env.postgresql.user} | ||
72 | DB_NAME=${env.postgresql.database} | ||
73 | DB_PASS=${env.postgresql.password} | ||
74 | DB_PORT=${env.postgresql.port} | ||
70 | 75 | ||
71 | LOCAL_DOMAIN=mastodon.immae.eu | 76 | LOCAL_DOMAIN=mastodon.immae.eu |
72 | LOCAL_HTTPS=true | 77 | LOCAL_HTTPS=true |
73 | ALTERNATE_DOMAINS=immae.eu | 78 | ALTERNATE_DOMAINS=immae.eu |
74 | 79 | ||
75 | PAPERCLIP_SECRET=${env.paperclip_secret} | 80 | PAPERCLIP_SECRET=${env.paperclip_secret} |
76 | SECRET_KEY_BASE=${env.secret_key_base} | 81 | SECRET_KEY_BASE=${env.secret_key_base} |
77 | OTP_SECRET=${env.otp_secret} | 82 | OTP_SECRET=${env.otp_secret} |
78 | 83 | ||
79 | VAPID_PRIVATE_KEY=${env.vapid.private} | 84 | VAPID_PRIVATE_KEY=${env.vapid.private} |
80 | VAPID_PUBLIC_KEY=${env.vapid.public} | 85 | VAPID_PUBLIC_KEY=${env.vapid.public} |
81 | 86 | ||
82 | SMTP_DELIVERY_METHOD=sendmail | 87 | SMTP_DELIVERY_METHOD=sendmail |
83 | SMTP_FROM_ADDRESS=mastodon@tools.immae.eu | 88 | SMTP_FROM_ADDRESS=mastodon@tools.immae.eu |
84 | SENDMAIL_LOCATION="/run/wrappers/bin/sendmail" | 89 | SENDMAIL_LOCATION="/run/wrappers/bin/sendmail" |
85 | PAPERCLIP_ROOT_PATH=${varDir} | 90 | PAPERCLIP_ROOT_PATH=${varDir} |
86 | 91 | ||
87 | STREAMING_CLUSTER_NUM=1 | 92 | STREAMING_CLUSTER_NUM=1 |
88 | 93 | ||
89 | RAILS_LOG_LEVEL=warn | 94 | RAILS_LOG_LEVEL=warn |
90 | 95 | ||
91 | # LDAP authentication (optional) | 96 | # LDAP authentication (optional) |
92 | LDAP_ENABLED=true | 97 | LDAP_ENABLED=true |
93 | LDAP_HOST=ldap.immae.eu | 98 | LDAP_HOST=ldap.immae.eu |
94 | LDAP_PORT=636 | 99 | LDAP_PORT=636 |
95 | LDAP_METHOD=simple_tls | 100 | LDAP_METHOD=simple_tls |
96 | LDAP_BASE="dc=immae,dc=eu" | 101 | LDAP_BASE="dc=immae,dc=eu" |
97 | LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" | 102 | LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" |
98 | LDAP_PASSWORD="${env.ldap.password}" | 103 | LDAP_PASSWORD="${env.ldap.password}" |
99 | LDAP_UID="uid" | 104 | LDAP_UID="uid" |
100 | LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" | 105 | LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" |
101 | ''; | 106 | ''; |
107 | }; | ||
102 | 108 | ||
109 | # FIXME: build machine will contain some passwords in the nix store | ||
103 | railsRoot = stdenv.mkDerivation { | 110 | railsRoot = stdenv.mkDerivation { |
104 | name = "mastodon_immae"; | 111 | name = "mastodon_immae"; |
105 | inherit config mastodon; | 112 | inherit mastodon; |
106 | builder = writeText "build_mastodon_immae" '' | 113 | builder = writeText "build_mastodon_immae" '' |
107 | source $stdenv/setup | 114 | source $stdenv/setup |
108 | set -a | 115 | set -a |
109 | source $config | 116 | ${keys.tools-mastodon.text} |
110 | set +a | 117 | set +a |
111 | cp -a $mastodon $out | 118 | cp -a $mastodon $out |
112 | cd $out | 119 | cd $out |
@@ -121,7 +128,7 @@ let | |||
121 | }; | 128 | }; |
122 | in | 129 | in |
123 | { | 130 | { |
124 | inherit railsRoot config varDir socketsDir gems; | 131 | inherit railsRoot keys varDir socketsDir gems; |
125 | nodeSocket = "${socketsDir}/live_immae_node.sock"; | 132 | nodeSocket = "${socketsDir}/live_immae_node.sock"; |
126 | railsSocket = "${socketsDir}/live_immae_puma.sock"; | 133 | railsSocket = "${socketsDir}/live_immae_puma.sock"; |
127 | } | 134 | } |
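Review bot: The FIXME added at new line 109 understates the leak: `${keys.tools-mastodon.text}` at new line 116 splices DB_PASS, SECRET_KEY_BASE, OTP_SECRET, VAPID_PRIVATE_KEY and LDAP_PASSWORD into the `build_mastodon_immae` script, which `writeText` places world-readable in the Nix store (and in the `railsRoot` .drv), from where it is copied to any binary cache or substituting host — so this commit moves the runtime copy to `/run/keys` but not the build-time one. Consider giving the builder a separate environment in which only the non-secret settings (domains, paths, Redis/DB endpoints) are real and the secret variables carry placeholder values, leaving the deployed key file to be read by the runtime service alone; whether the rails tasks later in the builder tolerate placeholders needs confirming, since that part of `railsRoot` lies outside the hunk. Separately, because the text is executed as shell under `set -a`, unquoted assignments such as `DB_PASS=${env.postgresql.password}` are subject to word splitting and `$`/backtick expansion, so a password containing such characters would break the build or be expanded; quoting them as the `LDAP_PASSWORD` line already does, e.g. `DB_PASS="${env.postgresql.password}"`, avoids that (pre-existing, but worth fixing while the block is being moved).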