Move shaarli passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-15 01:17:31 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-15 01:17:31 +0200
commit: 5f08b34c5247ee0c4de2a9264d059b69271e3473 (patch)
tree: b8a8db5ae02e9a8022e1e565c6f3f9deebd4687c /nixops/modules/websites/tools
parent: a840a21c954be6342603ae7a45dde6c005761696 (diff)
download: Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.gz
Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.zst
Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.zip
2 files changed, 22 insertions, 6 deletions
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index 3d5465f..31ed035 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -50,6 +50,7 @@ in {
      kanboard.keys
      // ldap.keys
      // roundcubemail.keys
+      // shaarli.keys
      // ttrss.keys
      // wallabag.keys
      // yourls.keys;
@@ -137,12 +138,17 @@ in {
      ];
    };
+    services.myPhpfpm.envFile = {
+      shaarli = shaarli.phpFpm.envFile;
+    };
    services.myPhpfpm.serviceDependencies = {
      dokuwiki = dokuwiki.phpFpm.serviceDeps;
      kanboard = kanboard.phpFpm.serviceDeps;
      ldap = ldap.phpFpm.serviceDeps;
      rainloop = rainloop.phpFpm.serviceDeps;
      roundcubemail = roundcubemail.phpFpm.serviceDeps;
+      shaarli = shaarli.phpFpm.serviceDeps;
      ttrss = ttrss.phpFpm.serviceDeps;
      wallabag = wallabag.phpFpm.serviceDeps;
      yourls = yourls.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
index 0f6b460..157c4de 100644
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/nixops/modules/websites/tools/tools/shaarli.nix
@@ -50,12 +50,6 @@ in rec {
      Alias /Shaarli "${root}"
      <Directory "${root}">
-        SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-        SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
-        SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
-        SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
-        SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
        DirectoryIndex index.php index.htm index.html
        Options Indexes FollowSymLinks MultiViews Includes
        AllowOverride All
@@ -66,7 +60,22 @@ in rec {
      </Directory>
      '';
  };
+  keys.tools-shaarli = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+      SHAARLI_LDAP_DN="${env.ldap.dn}"
+      SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+      SHAARLI_LDAP_BASE="${env.ldap.base}"
+      SHAARLI_LDAP_FILTER="${env.ldap.search}"
+      '';
+  };
  phpFpm = rec {
+    serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+    envFile = "/run/keys/webapps/tools-shaarli";
    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
    socket = "/var/run/phpfpm/shaarli.sock";
    pool = ''
@@ -78,6 +87,7 @@ in rec {
        pm = ondemand
        pm.max_children = 60
        pm.process_idle_timeout = 60
+        clear_env = no
        ; Needed to avoid clashes in browser cookies (same domain)
        php_value[session.name] = ShaarliPHPSESSID
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-15 01:17:31 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-15 01:17:31 +0200
commit	5f08b34c5247ee0c4de2a9264d059b69271e3473 (patch)
tree	b8a8db5ae02e9a8022e1e565c6f3f9deebd4687c /nixops/modules/websites/tools
parent	a840a21c954be6342603ae7a45dde6c005761696 (diff)
download	Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.gz Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.zst Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.zip