Move kanboard passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

2 files changed, 31 insertions, 21 deletions

diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index aa59e28..14b5934 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -46,6 +46,8 @@ in {
     security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
     security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
 
+    deployment.keys = kanboard.keys;
+
     services.myWebsites.integration.modules =
       rainloop.apache.modules;
 
@@ -129,6 +131,7 @@ in {
       ];
     };
 
+    services.myPhpfpm.serviceDependencies.kanboard = kanboard.phpFpm.serviceDeps;
     services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig;
     services.myPhpfpm.poolConfigs = {
       adminer = adminer.phpFpm.pool;
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix
index 8408ffa..35ed2aa 100644
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ b/nixops/modules/websites/tools/tools/kanboard.nix
@@ -10,33 +10,39 @@ rec {
       install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
     '';
   };
-  config = writeText "config.php" ''
-    <?php
-    define('MAIL_FROM', 'kanboard@tools.immae.eu');
+  keys.tools-kanboard = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      <?php
+      define('MAIL_FROM', 'kanboard@tools.immae.eu');
 
-    define('DB_DRIVER', 'postgres');
-    define('DB_USERNAME', '${env.postgresql.user}');
-    define('DB_PASSWORD', '${env.postgresql.password}');
-    define('DB_HOSTNAME', '${env.postgresql.socket}');
-    define('DB_NAME', '${env.postgresql.database}');
+      define('DB_DRIVER', 'postgres');
+      define('DB_USERNAME', '${env.postgresql.user}');
+      define('DB_PASSWORD', '${env.postgresql.password}');
+      define('DB_HOSTNAME', '${env.postgresql.socket}');
+      define('DB_NAME', '${env.postgresql.database}');
 
-    define('LDAP_AUTH', true);
-    define('LDAP_SERVER', '${env.ldap.host}');
-    define('LDAP_START_TLS', true);
+      define('LDAP_AUTH', true);
+      define('LDAP_SERVER', '${env.ldap.host}');
+      define('LDAP_START_TLS', true);
 
-    define('LDAP_BIND_TYPE', 'proxy');
-    define('LDAP_USERNAME', '${env.ldap.dn}');
-    define('LDAP_PASSWORD', '${env.ldap.password}');
-    define('LDAP_USER_BASE_DN', '${env.ldap.base}');
-    define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
-    define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
-    ?>
-    '';
+      define('LDAP_BIND_TYPE', 'proxy');
+      define('LDAP_USERNAME', '${env.ldap.dn}');
+      define('LDAP_PASSWORD', '${env.ldap.password}');
+      define('LDAP_USER_BASE_DN', '${env.ldap.base}');
+      define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
+      define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
+      ?>
+      '';
+  };
   webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec {
     dontBuild = true;
     installPhase = ''
       cp -a . $out
-      ln -s ${config} $out/config.php
+      ln -s /run/keys/webapps/tools-kanboard $out/config.php
       mv $out/data $out/dataold
       ln -s ${varDir}/data $out/data
       '';
@@ -65,7 +71,8 @@ rec {
       '';
   };
   phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir config ];
+    serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ];
     socket = "/var/run/phpfpm/kanboard.sock";
     pool = ''
       listen = ${socket}