Move peertube configuration to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

1 files changed, 13 insertions, 5 deletions

diff --git a/nixops/modules/websites/tools/peertube/default.nix b/nixops/modules/websites/tools/peertube/default.nix
index c4f3817..dbdeb76 100644
--- a/nixops/modules/websites/tools/peertube/default.nix
+++ b/nixops/modules/websites/tools/peertube/default.nix
@@ -29,8 +29,8 @@ in {
     systemd.services.peertube = {
       description = "Peertube";
       wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "postgresql.service" ];
-      wants = [ "postgresql.service" ];
+      after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ];
+      wants = [ "postgresql.service" "tools-peertube-key.service" ];
 
       environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
       environment.NODE_ENV = "production";
@@ -57,12 +57,20 @@ in {
       unitConfig.RequiresMountsFor = peertube.varDir;
     };
 
+    deployment.keys.tools-peertube = {
+      destDir = "/run/keys/webapps";
+      user = "peertube";
+      group = "peertube";
+      permissions = "0700";
+      text = peertube.config;
+    };
+
     system.activationScripts.peertube = {
       deps = [ "users" ];
       text = ''
-        install -m 0755 -o peertube -g peertube -d ${peertube.varDir}
-        install -m 0755 -o peertube -g peertube -d ${peertube.varDir}/config
-        install -m 0644 -o peertube -g peertube -T ${peertube.config} ${peertube.varDir}/config/production.yaml
+        install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
+        install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
+        install -m 0640 -o peertube -g peertube -T /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
         '';
     };