Move shaarli passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

1 files changed, 16 insertions, 6 deletions

diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
index 0f6b460..157c4de 100644
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/nixops/modules/websites/tools/tools/shaarli.nix
@@ -50,12 +50,6 @@ in rec {
       Alias /Shaarli "${root}"
 
       <Directory "${root}">
-        SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-        SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
-        SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
-        SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
-        SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
-
         DirectoryIndex index.php index.htm index.html
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
@@ -66,7 +60,22 @@ in rec {
       </Directory>
       '';
   };
+  keys.tools-shaarli = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+      SHAARLI_LDAP_DN="${env.ldap.dn}"
+      SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+      SHAARLI_LDAP_BASE="${env.ldap.base}"
+      SHAARLI_LDAP_FILTER="${env.ldap.search}"
+      '';
+  };
   phpFpm = rec {
+    serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+    envFile = "/run/keys/webapps/tools-shaarli";
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
     socket = "/var/run/phpfpm/shaarli.sock";
     pool = ''
@@ -78,6 +87,7 @@ in rec {
         pm = ondemand
         pm.max_children = 60
         pm.process_idle_timeout = 60
+        clear_env = no
 
         ; Needed to avoid clashes in browser cookies (same domain)
         php_value[session.name] = ShaarliPHPSESSID