Move etherpad and mediagoblin keys to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 13:46:47 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 13:49:24 +0200
commit: 51900e3488284b0711083819a5ecb1b0f280a913 (patch)
tree: 2367f6ac79eb9198d4890cf51add27b37cd7b6b0 /nixops/modules/websites/tools/mediagoblin
parent: 3b45d5f2afc3a48809d0353a3133025525247331 (diff)
download: Nix-51900e3488284b0711083819a5ecb1b0f280a913.tar.gz
Nix-51900e3488284b0711083819a5ecb1b0f280a913.tar.zst
Nix-51900e3488284b0711083819a5ecb1b0f280a913.zip
2 files changed, 56 insertions, 47 deletions
diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix
index 54c0478..9b058be 100644
--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,6 +12,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    deployment.keys = mediagoblin.keys;
    ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
    ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
@@ -22,6 +23,7 @@ in {
      description = "Mediagoblin user";
      home = mediagoblin.varDir;
      useDefaultShell = true;
+      extraGroups = [ "keys" ];
    };
    users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
@@ -29,7 +31,8 @@ in {
    systemd.services.mediagoblin-web = {
      description = "Mediagoblin service";
      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
+      after = [ "network.target" "tools-mediagoblin-key.service" ];
+      wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
      environment.SCRIPT_NAME = "/mediagoblin/";
diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
index e1876ae..23ee24d 100644
--- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
@@ -190,61 +190,67 @@ in
      url_scheme = https
      '';
-    mediagoblin_local = writeText "mediagoblin_local.ini" ''
+    keys.tools-mediagoblin = {
-      [DEFAULT]
+      destDir = "/run/keys/webapps";
-      data_basedir = "${varDir}"
+      user = "mediagoblin";
+      group = "mediagoblin";
+      permissions = "0400";
+      text = ''
+        [DEFAULT]
+        data_basedir = "${varDir}"
-      [mediagoblin]
+        [mediagoblin]
-      direct_remote_path = /mgoblin_static/
+        direct_remote_path = /mgoblin_static/
-      email_sender_address = "mediagoblin@tools.immae.eu"
+        email_sender_address = "mediagoblin@tools.immae.eu"
-      #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
+        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
-      sql_engine = ${env.psql_url}
+        sql_engine = ${env.psql_url}
-      email_debug_mode = false
+        email_debug_mode = false
-      allow_registration = false
+        allow_registration = false
-      allow_reporting = true
+        allow_reporting = true
-      theme = airymodified
+        theme = airymodified
-      user_privilege_scheme = "uploader,commenter,reporter"
+        user_privilege_scheme = "uploader,commenter,reporter"
-      # We need to redefine them here since we override data_basedir
+        # We need to redefine them here since we override data_basedir
-      # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
+        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
-      workbench_path = %(data_basedir)s/media/workbench
+        workbench_path = %(data_basedir)s/media/workbench
-      crypto_path = %(data_basedir)s/crypto
+        crypto_path = %(data_basedir)s/crypto
-      theme_install_dir = %(data_basedir)s/themes/
+        theme_install_dir = %(data_basedir)s/themes/
-      theme_linked_assets_dir = %(data_basedir)s/theme_static/
+        theme_linked_assets_dir = %(data_basedir)s/theme_static/
-      plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
+        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
-      [storage:queuestore]
+        [storage:queuestore]
-      base_dir = %(data_basedir)s/media/queue
+        base_dir = %(data_basedir)s/media/queue
-      [storage:publicstore]
+        [storage:publicstore]
-      base_dir = %(data_basedir)s/media/public
+        base_dir = %(data_basedir)s/media/public
-      base_url = /mgoblin_media/
+        base_url = /mgoblin_media/
-      [celery]
+        [celery]
-      CELERY_RESULT_DBURI = ${env.redis_url}
+        CELERY_RESULT_DBURI = ${env.redis_url}
-      BROKER_URL = ${env.redis_url}
+        BROKER_URL = ${env.redis_url}
-      CELERYD_CONCURRENCY = 1
+        CELERYD_CONCURRENCY = 1
-      [plugins]
+        [plugins]
-        [[mediagoblin.plugins.geolocation]]
+          [[mediagoblin.plugins.geolocation]]
-        [[mediagoblin.plugins.ldap]]
+          [[mediagoblin.plugins.ldap]]
-          [[[immae.eu]]]
+            [[[immae.eu]]]
-            LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
+              LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
-            LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
+              LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
-            LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
+              LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
-            LDAP_BIND_PW = '${env.ldap.password}'
+              LDAP_BIND_PW = '${env.ldap.password}'
-            LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
+              LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
-            EMAIL_SEARCH_FIELD = 'mail'
+              EMAIL_SEARCH_FIELD = 'mail'
-        [[mediagoblin.plugins.basicsearch]]
+          [[mediagoblin.plugins.basicsearch]]
-        [[mediagoblin.plugins.piwigo]]
+          [[mediagoblin.plugins.piwigo]]
-        [[mediagoblin.plugins.processing_info]]
+          [[mediagoblin.plugins.processing_info]]
-        [[mediagoblin.media_types.image]]
+          [[mediagoblin.media_types.image]]
-        [[mediagoblin.media_types.video]]
+          [[mediagoblin.media_types.video]]
-      '';
+        '';
+    };
    pythonRoot =
      with pkgs.gst_all_1;
      stdenv.mkDerivation {
@@ -281,7 +287,7 @@ in
            --prefix GI_TYPELIB_PATH : ${typelib_paths}
          find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \;
          ln -s ${paste_local} ./paste_local.ini
-          ln -s ${mediagoblin_local} ./mediagoblin_local.ini
+          ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini
          ln -sf ${varDir} ./user_dev
          '';
      };
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 13:46:47 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 13:49:24 +0200
commit	51900e3488284b0711083819a5ecb1b0f280a913 (patch)
tree	2367f6ac79eb9198d4890cf51add27b37cd7b6b0 /nixops/modules/websites/tools/mediagoblin
parent	3b45d5f2afc3a48809d0353a3133025525247331 (diff)
download	Nix-51900e3488284b0711083819a5ecb1b0f280a913.tar.gz Nix-51900e3488284b0711083819a5ecb1b0f280a913.tar.zst Nix-51900e3488284b0711083819a5ecb1b0f280a913.zip

diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix index 54c0478..9b058be 100644 --- a/nixops/modules/websites/tools/mediagoblin/default.nix +++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,6 +12,7 @@ in {
12	};	12	};
13		13
14	config = lib.mkIf cfg.enable {	14	config = lib.mkIf cfg.enable {
		15	deployment.keys = mediagoblin.keys;
15	ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;	16	ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
16	ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;	17	ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
17		18
@@ -22,6 +23,7 @@ in {
22	description = "Mediagoblin user";	23	description = "Mediagoblin user";
23	home = mediagoblin.varDir;	24	home = mediagoblin.varDir;
24	useDefaultShell = true;	25	useDefaultShell = true;
		26	extraGroups = [ "keys" ];
25	};	27	};
26		28
27	users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;	29	users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
@@ -29,7 +31,8 @@ in {
29	systemd.services.mediagoblin-web = {	31	systemd.services.mediagoblin-web = {
30	description = "Mediagoblin service";	32	description = "Mediagoblin service";
31	wantedBy = [ "multi-user.target" ];	33	wantedBy = [ "multi-user.target" ];
32	after = [ "network.target" ];	34	after = [ "network.target" "tools-mediagoblin-key.service" ];
		35	wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
33		36
34	environment.SCRIPT_NAME = "/mediagoblin/";	37	environment.SCRIPT_NAME = "/mediagoblin/";
35		38


diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix index e1876ae..23ee24d 100644 --- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix +++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
@@ -190,61 +190,67 @@ in
190	url_scheme = https	190	url_scheme = https
191	'';	191	'';
192		192
193	mediagoblin_local = writeText "mediagoblin_local.ini" ''	193	keys.tools-mediagoblin = {
194	[DEFAULT]	194	destDir = "/run/keys/webapps";
195	data_basedir = "${varDir}"	195	user = "mediagoblin";
		196	group = "mediagoblin";
		197	permissions = "0400";
		198	text = ''
		199	[DEFAULT]
		200	data_basedir = "${varDir}"
196		201
197	[mediagoblin]	202	[mediagoblin]
198	direct_remote_path = /mgoblin_static/	203	direct_remote_path = /mgoblin_static/
199	email_sender_address = "mediagoblin@tools.immae.eu"	204	email_sender_address = "mediagoblin@tools.immae.eu"
200		205
201	#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db	206	#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
202	sql_engine = ${env.psql_url}	207	sql_engine = ${env.psql_url}
203		208
204	email_debug_mode = false	209	email_debug_mode = false
205	allow_registration = false	210	allow_registration = false
206	allow_reporting = true	211	allow_reporting = true
207		212
208	theme = airymodified	213	theme = airymodified
209		214
210	user_privilege_scheme = "uploader,commenter,reporter"	215	user_privilege_scheme = "uploader,commenter,reporter"
211		216
212	# We need to redefine them here since we override data_basedir	217	# We need to redefine them here since we override data_basedir
213	# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini	218	# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
214	workbench_path = %(data_basedir)s/media/workbench	219	workbench_path = %(data_basedir)s/media/workbench
215	crypto_path = %(data_basedir)s/crypto	220	crypto_path = %(data_basedir)s/crypto
216	theme_install_dir = %(data_basedir)s/themes/	221	theme_install_dir = %(data_basedir)s/themes/
217	theme_linked_assets_dir = %(data_basedir)s/theme_static/	222	theme_linked_assets_dir = %(data_basedir)s/theme_static/
218	plugin_linked_assets_dir = %(data_basedir)s/plugin_static/	223	plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
219		224
220	[storage:queuestore]	225	[storage:queuestore]
221	base_dir = %(data_basedir)s/media/queue	226	base_dir = %(data_basedir)s/media/queue
222		227
223	[storage:publicstore]	228	[storage:publicstore]
224	base_dir = %(data_basedir)s/media/public	229	base_dir = %(data_basedir)s/media/public
225	base_url = /mgoblin_media/	230	base_url = /mgoblin_media/
226		231
227	[celery]	232	[celery]
228	CELERY_RESULT_DBURI = ${env.redis_url}	233	CELERY_RESULT_DBURI = ${env.redis_url}
229	BROKER_URL = ${env.redis_url}	234	BROKER_URL = ${env.redis_url}
230	CELERYD_CONCURRENCY = 1	235	CELERYD_CONCURRENCY = 1
231		236
232	[plugins]	237	[plugins]
233	[[mediagoblin.plugins.geolocation]]	238	[[mediagoblin.plugins.geolocation]]
234	[[mediagoblin.plugins.ldap]]	239	[[mediagoblin.plugins.ldap]]
235	[[[immae.eu]]]	240	[[[immae.eu]]]
236	LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'	241	LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
237	LDAP_SEARCH_BASE = 'dc=immae,dc=eu'	242	LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
238	LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'	243	LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
239	LDAP_BIND_PW = '${env.ldap.password}'	244	LDAP_BIND_PW = '${env.ldap.password}'
240	LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'	245	LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
241	EMAIL_SEARCH_FIELD = 'mail'	246	EMAIL_SEARCH_FIELD = 'mail'
242	[[mediagoblin.plugins.basicsearch]]	247	[[mediagoblin.plugins.basicsearch]]
243	[[mediagoblin.plugins.piwigo]]	248	[[mediagoblin.plugins.piwigo]]
244	[[mediagoblin.plugins.processing_info]]	249	[[mediagoblin.plugins.processing_info]]
245	[[mediagoblin.media_types.image]]	250	[[mediagoblin.media_types.image]]
246	[[mediagoblin.media_types.video]]	251	[[mediagoblin.media_types.video]]
247	'';	252	'';
		253	};
248	pythonRoot =	254	pythonRoot =
249	with pkgs.gst_all_1;	255	with pkgs.gst_all_1;
250	stdenv.mkDerivation {	256	stdenv.mkDerivation {
@@ -281,7 +287,7 @@ in
281	--prefix GI_TYPELIB_PATH : ${typelib_paths}	287	--prefix GI_TYPELIB_PATH : ${typelib_paths}
282	find . -type f -exec sed -i "s\|$mediagoblin\|$out\|g" {} \;	288	find . -type f -exec sed -i "s\|$mediagoblin\|$out\|g" {} \;
283	ln -s ${paste_local} ./paste_local.ini	289	ln -s ${paste_local} ./paste_local.ini
284	ln -s ${mediagoblin_local} ./mediagoblin_local.ini	290	ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini
285	ln -sf ${varDir} ./user_dev	291	ln -sf ${varDir} ./user_dev
286	'';	292	'';
287	};	293	};