author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 13:46:47 +0200 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 13:49:24 +0200 |
commit | 51900e3488284b0711083819a5ecb1b0f280a913 (patch) | |
tree | 2367f6ac79eb9198d4890cf51add27b37cd7b6b0 /nixops/modules/websites | |
parent | 3b45d5f2afc3a48809d0353a3133025525247331 (diff) | |
Move etherpad and mediagoblin keys to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites')
4 files changed, 163 insertions, 147 deletions
diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix index c4a9932..6d845ac 100644 --- a/nixops/modules/websites/tools/ether/default.nix +++ b/nixops/modules/websites/tools/ether/default.nix | |||
@@ -12,11 +12,12 @@ in { | |||
12 | }; | 12 | }; |
13 | 13 | ||
14 | config = lib.mkIf cfg.enable { | 14 | config = lib.mkIf cfg.enable { |
15 | deployment.keys = etherpad.keys; | ||
15 | systemd.services.etherpad-lite = { | 16 | systemd.services.etherpad-lite = { |
16 | description = "Etherpad-lite"; | 17 | description = "Etherpad-lite"; |
17 | wantedBy = [ "multi-user.target" ]; | 18 | wantedBy = [ "multi-user.target" ]; |
18 | after = [ "network.target" "postgresql.service" ]; | 19 | after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ]; |
19 | wants = [ "postgresql.service" ]; | 20 | wants = [ "postgresql.service" "tools-etherpad-key.service" ]; |
20 | 21 | ||
21 | environment.NODE_ENV = "production"; | 22 | environment.NODE_ENV = "production"; |
22 | environment.HOME = etherpad.webappDir; | 23 | environment.HOME = etherpad.webappDir; |
@@ -25,13 +26,14 @@ in { | |||
25 | 26 | ||
26 | script = '' | 27 | script = '' |
27 | exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ | 28 | exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ |
28 | --settings ${etherpad.config} | 29 | --settings /run/keys/webapps/tools-etherpad |
29 | ''; | 30 | ''; |
30 | 31 | ||
31 | serviceConfig = { | 32 | serviceConfig = { |
32 | DynamicUser = true; | 33 | DynamicUser = true; |
33 | User = "etherpad-lite"; | 34 | User = "etherpad-lite"; |
34 | Group = "etherpad-lite"; | 35 | Group = "etherpad-lite"; |
36 | SupplementaryGroups = "keys"; | ||
35 | WorkingDirectory = etherpad.webappDir; | 37 | WorkingDirectory = etherpad.webappDir; |
36 | PrivateTmp = true; | 38 | PrivateTmp = true; |
37 | NoNewPrivileges = true; | 39 | NoNewPrivileges = true; |
@@ -42,6 +44,7 @@ in { | |||
42 | Restart = "always"; | 44 | Restart = "always"; |
43 | Type = "simple"; | 45 | Type = "simple"; |
44 | TimeoutSec = 60; | 46 | TimeoutSec = 60; |
47 | ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad"; | ||
45 | }; | 48 | }; |
46 | }; | 49 | }; |
47 | 50 | ||
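Review bot: The `ExecStartPre` chown added at new line 47 runs as root (the `+` prefix) and hands the 0400 key file to the UID that `DynamicUser = true` allocates for this particular start; unlike `keys.tools-mediagoblin` in this same commit, which fixes ownership through the key's `user`/`group` attributes, this file stays owned by whatever transient UID was last allocated, so it is worth confirming that a later DynamicUser allocation of that UID by another unit cannot read it. The reason for the chown is not recorded; a comment such as `# DynamicUser allocates the UID at each start, so ownership cannot be fixed on the key itself; chown as root before privileges are dropped` would explain it to the next reader. `SupplementaryGroups = "keys"` presumably only serves to traverse the parent key directory once the file itself is 0400 and owned by the service user — confirm that is the intent. The `config` attribute set continues outside the hunks.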
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix index 02071f1..bc62262 100644 --- a/nixops/modules/websites/tools/ether/etherpad_lite.nix +++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix | |||
@@ -30,106 +30,110 @@ let | |||
30 | "ep_subscript_and_superscript" | 30 | "ep_subscript_and_superscript" |
31 | "ep_timesliderdiff" | 31 | "ep_timesliderdiff" |
32 | ]; | 32 | ]; |
33 | config = | 33 | keys.tools-etherpad = { |
34 | # Make sure we’re not rebuilding whole libreoffice just because of a | 34 | destDir = "/run/keys/webapps"; |
35 | # dependency | 35 | permissions = "0400"; |
36 | let libreoffice = (import <nixpkgs> {}).libreoffice-fresh; | 36 | text = |
37 | in | 37 | # Make sure we’re not rebuilding whole libreoffice just because of a |
38 | writeText "settings.json" '' | 38 | # dependency |
39 | { | 39 | let libreoffice = (import <nixpkgs> {}).libreoffice-fresh; |
40 | "title": "Etherpad", | 40 | in |
41 | "favicon": "favicon.ico", | 41 | '' |
42 | { | ||
43 | "title": "Etherpad", | ||
44 | "favicon": "favicon.ico", | ||
42 | 45 | ||
43 | "ip": "127.0.0.1", | 46 | "ip": "127.0.0.1", |
44 | "port" : ${env.listenPort}, | 47 | "port" : ${env.listenPort}, |
45 | "showSettingsInAdminPage" : false, | 48 | "showSettingsInAdminPage" : false, |
46 | "dbType" : "postgres", | 49 | "dbType" : "postgres", |
47 | "dbSettings" : { | 50 | "dbSettings" : { |
48 | "user" : "${env.postgresql.user}", | 51 | "user" : "${env.postgresql.user}", |
49 | "host" : "${env.postgresql.socket}", | 52 | "host" : "${env.postgresql.socket}", |
50 | "password": "${env.postgresql.password}", | 53 | "password": "${env.postgresql.password}", |
51 | "database": "${env.postgresql.database}", | 54 | "database": "${env.postgresql.database}", |
52 | "charset" : "utf8mb4" | 55 | "charset" : "utf8mb4" |
53 | }, | 56 | }, |
54 | 57 | ||
55 | "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", | 58 | "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", |
56 | "padOptions": { | 59 | "padOptions": { |
57 | "noColors": false, | 60 | "noColors": false, |
58 | "showControls": true, | 61 | "showControls": true, |
59 | "showChat": true, | 62 | "showChat": true, |
60 | "showLineNumbers": true, | 63 | "showLineNumbers": true, |
61 | "useMonospaceFont": false, | 64 | "useMonospaceFont": false, |
62 | "userName": false, | 65 | "userName": false, |
63 | "userColor": false, | 66 | "userColor": false, |
64 | "rtl": false, | 67 | "rtl": false, |
65 | "alwaysShowChat": false, | 68 | "alwaysShowChat": false, |
66 | "chatAndUsers": false, | 69 | "chatAndUsers": false, |
67 | "lang": "en-gb" | 70 | "lang": "en-gb" |
68 | }, | 71 | }, |
69 | 72 | ||
70 | "suppressErrorsInPadText" : false, | 73 | "suppressErrorsInPadText" : false, |
71 | "requireSession" : false, | 74 | "requireSession" : false, |
72 | "editOnly" : false, | 75 | "editOnly" : false, |
73 | "sessionNoPassword" : false, | 76 | "sessionNoPassword" : false, |
74 | "minify" : true, | 77 | "minify" : true, |
75 | "maxAge" : 21600, | 78 | "maxAge" : 21600, |
76 | "abiword" : null, | 79 | "abiword" : null, |
77 | "soffice" : "${libreoffice}/bin/soffice", | 80 | "soffice" : "${libreoffice}/bin/soffice", |
78 | "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", | 81 | "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", |
79 | "allowUnknownFileEnds" : true, | 82 | "allowUnknownFileEnds" : true, |
80 | "requireAuthentication" : false, | 83 | "requireAuthentication" : false, |
81 | "requireAuthorization" : false, | 84 | "requireAuthorization" : false, |
82 | "trustProxy" : false, | 85 | "trustProxy" : false, |
83 | "disableIPlogging" : false, | 86 | "disableIPlogging" : false, |
84 | "automaticReconnectionTimeout" : 0, | 87 | "automaticReconnectionTimeout" : 0, |
85 | "scrollWhenFocusLineIsOutOfViewport": { | 88 | "scrollWhenFocusLineIsOutOfViewport": { |
86 | "percentage": { | 89 | "percentage": { |
87 | "editionAboveViewport": 0, | 90 | "editionAboveViewport": 0, |
88 | "editionBelowViewport": 0 | 91 | "editionBelowViewport": 0 |
92 | }, | ||
93 | "duration": 0, | ||
94 | "scrollWhenCaretIsInTheLastLineOfViewport": false, | ||
95 | "percentageToScrollWhenUserPressesArrowUp": 0 | ||
89 | }, | 96 | }, |
90 | "duration": 0, | 97 | "users": { |
91 | "scrollWhenCaretIsInTheLastLineOfViewport": false, | 98 | "ldapauth": { |
92 | "percentageToScrollWhenUserPressesArrowUp": 0 | 99 | "url": "ldaps://${env.ldap.host}", |
93 | }, | 100 | "accountBase": "${env.ldap.base}", |
94 | "users": { | 101 | "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", |
95 | "ldapauth": { | 102 | "displayNameAttribute": "cn", |
96 | "url": "ldaps://${env.ldap.host}", | 103 | "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", |
97 | "accountBase": "${env.ldap.base}", | 104 | "searchPWD": "${env.ldap.password}", |
98 | "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", | 105 | "groupSearchBase": "${env.ldap.base}", |
99 | "displayNameAttribute": "cn", | 106 | "groupAttribute": "member", |
100 | "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", | 107 | "groupAttributeIsDN": true, |
101 | "searchPWD": "${env.ldap.password}", | 108 | "searchScope": "sub", |
102 | "groupSearchBase": "${env.ldap.base}", | 109 | "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", |
103 | "groupAttribute": "member", | 110 | "anonymousReadonly": false |
104 | "groupAttributeIsDN": true, | 111 | } |
105 | "searchScope": "sub", | 112 | }, |
106 | "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", | 113 | "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], |
107 | "anonymousReadonly": false | 114 | "loadTest": false, |
108 | } | 115 | "indentationOnNewLine": false, |
109 | }, | 116 | "toolbar": { |
110 | "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], | 117 | "left": [ |
111 | "loadTest": false, | 118 | ["bold", "italic", "underline", "strikethrough"], |
112 | "indentationOnNewLine": false, | 119 | ["orderedlist", "unorderedlist", "indent", "outdent"], |
113 | "toolbar": { | 120 | ["undo", "redo"], |
114 | "left": [ | 121 | ["clearauthorship"] |
115 | ["bold", "italic", "underline", "strikethrough"], | 122 | ], |
116 | ["orderedlist", "unorderedlist", "indent", "outdent"], | 123 | "right": [ |
117 | ["undo", "redo"], | 124 | ["importexport", "timeslider", "savedrevision"], |
118 | ["clearauthorship"] | 125 | ["settings", "embed"], |
119 | ], | 126 | ["showusers"] |
120 | "right": [ | 127 | ], |
121 | ["importexport", "timeslider", "savedrevision"], | 128 | "timeslider": [ |
122 | ["settings", "embed"], | 129 | ["timeslider_export", "timeslider_returnToPad"] |
123 | ["showusers"] | 130 | ] |
124 | ], | 131 | }, |
125 | "timeslider": [ | 132 | "loglevel": "INFO", |
126 | ["timeslider_export", "timeslider_returnToPad"] | 133 | "logconfig" : { "appenders": [ { "type": "console" } ] } |
127 | ] | 134 | } |
128 | }, | 135 | ''; |
129 | "loglevel": "INFO", | 136 | }; |
130 | "logconfig" : { "appenders": [ { "type": "console" } ] } | ||
131 | } | ||
132 | ''; | ||
133 | webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { | 137 | webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { |
134 | __noChroot = true; | 138 | __noChroot = true; |
135 | patches = [ ./libreoffice_patch.diff ]; | 139 | patches = [ ./libreoffice_patch.diff ]; |
@@ -179,5 +183,5 @@ let | |||
179 | }); | 183 | }); |
180 | in | 184 | in |
181 | { | 185 | { |
182 | inherit webappDir config listenPort; | 186 | inherit webappDir keys listenPort; |
183 | } | 187 | } |
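Review bot: Moving the settings from a `writeText` derivation into `keys.tools-etherpad` (new lines 33–136) also moves the `${libreoffice}/bin/soffice` and `${pkgs.html-tidy}/bin/tidy` store paths out of anything the system closure references, because the key text is deployed to `/run/keys/webapps` rather than built; unless those packages are referenced elsewhere in the module, they may be absent on the target or garbage-collected while the key still points at them. Keeping them reachable from the closure, for example by listing them in the service's `path`, would avoid a settings file that names a missing binary. The key is also declared without `user`/`group`, unlike `keys.tools-mediagoblin`, so correct ownership depends entirely on the chown in the service unit; a comment on the key, `# ownership is fixed at service start (DynamicUser), see ether/default.nix`, would record that dependency. The `let` block that defines `keys` starts before the hunk.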
diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix index 54c0478..9b058be 100644 --- a/nixops/modules/websites/tools/mediagoblin/default.nix +++ b/nixops/modules/websites/tools/mediagoblin/default.nix | |||
@@ -12,6 +12,7 @@ in { | |||
12 | }; | 12 | }; |
13 | 13 | ||
14 | config = lib.mkIf cfg.enable { | 14 | config = lib.mkIf cfg.enable { |
15 | deployment.keys = mediagoblin.keys; | ||
15 | ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; | 16 | ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; |
16 | ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; | 17 | ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; |
17 | 18 | ||
@@ -22,6 +23,7 @@ in { | |||
22 | description = "Mediagoblin user"; | 23 | description = "Mediagoblin user"; |
23 | home = mediagoblin.varDir; | 24 | home = mediagoblin.varDir; |
24 | useDefaultShell = true; | 25 | useDefaultShell = true; |
26 | extraGroups = [ "keys" ]; | ||
25 | }; | 27 | }; |
26 | 28 | ||
27 | users.groups.mediagoblin.gid = config.ids.gids.mediagoblin; | 29 | users.groups.mediagoblin.gid = config.ids.gids.mediagoblin; |
@@ -29,7 +31,8 @@ in { | |||
29 | systemd.services.mediagoblin-web = { | 31 | systemd.services.mediagoblin-web = { |
30 | description = "Mediagoblin service"; | 32 | description = "Mediagoblin service"; |
31 | wantedBy = [ "multi-user.target" ]; | 33 | wantedBy = [ "multi-user.target" ]; |
32 | after = [ "network.target" ]; | 34 | after = [ "network.target" "tools-mediagoblin-key.service" ]; |
35 | wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ]; | ||
33 | 36 | ||
34 | environment.SCRIPT_NAME = "/mediagoblin/"; | 37 | environment.SCRIPT_NAME = "/mediagoblin/"; |
35 | 38 | ||
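Review bot: The `wants` list added at new line 35 pulls in `postgresql.service` and `redis.service`, but the `after` list on new line 34 orders the unit only after `network.target` and the key service, so mediagoblin-web can be started before the database and broker are up (the etherpad-lite unit in this same commit does order after `postgresql.service`). Making the ordering match the dependencies, `after = [ "network.target" "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];`, closes that window. The `systemd.services.mediagoblin-web` definition continues outside the hunk.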
diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix index e1876ae..23ee24d 100644 --- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix +++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix | |||
@@ -190,61 +190,67 @@ in | |||
190 | url_scheme = https | 190 | url_scheme = https |
191 | ''; | 191 | ''; |
192 | 192 | ||
193 | mediagoblin_local = writeText "mediagoblin_local.ini" '' | 193 | keys.tools-mediagoblin = { |
194 | [DEFAULT] | 194 | destDir = "/run/keys/webapps"; |
195 | data_basedir = "${varDir}" | 195 | user = "mediagoblin"; |
196 | group = "mediagoblin"; | ||
197 | permissions = "0400"; | ||
198 | text = '' | ||
199 | [DEFAULT] | ||
200 | data_basedir = "${varDir}" | ||
196 | 201 | ||
197 | [mediagoblin] | 202 | [mediagoblin] |
198 | direct_remote_path = /mgoblin_static/ | 203 | direct_remote_path = /mgoblin_static/ |
199 | email_sender_address = "mediagoblin@tools.immae.eu" | 204 | email_sender_address = "mediagoblin@tools.immae.eu" |
200 | 205 | ||
201 | #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db | 206 | #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db |
202 | sql_engine = ${env.psql_url} | 207 | sql_engine = ${env.psql_url} |
203 | 208 | ||
204 | email_debug_mode = false | 209 | email_debug_mode = false |
205 | allow_registration = false | 210 | allow_registration = false |
206 | allow_reporting = true | 211 | allow_reporting = true |
207 | 212 | ||
208 | theme = airymodified | 213 | theme = airymodified |
209 | 214 | ||
210 | user_privilege_scheme = "uploader,commenter,reporter" | 215 | user_privilege_scheme = "uploader,commenter,reporter" |
211 | 216 | ||
212 | # We need to redefine them here since we override data_basedir | 217 | # We need to redefine them here since we override data_basedir |
213 | # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini | 218 | # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini |
214 | workbench_path = %(data_basedir)s/media/workbench | 219 | workbench_path = %(data_basedir)s/media/workbench |
215 | crypto_path = %(data_basedir)s/crypto | 220 | crypto_path = %(data_basedir)s/crypto |
216 | theme_install_dir = %(data_basedir)s/themes/ | 221 | theme_install_dir = %(data_basedir)s/themes/ |
217 | theme_linked_assets_dir = %(data_basedir)s/theme_static/ | 222 | theme_linked_assets_dir = %(data_basedir)s/theme_static/ |
218 | plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ | 223 | plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ |
219 | 224 | ||
220 | [storage:queuestore] | 225 | [storage:queuestore] |
221 | base_dir = %(data_basedir)s/media/queue | 226 | base_dir = %(data_basedir)s/media/queue |
222 | 227 | ||
223 | [storage:publicstore] | 228 | [storage:publicstore] |
224 | base_dir = %(data_basedir)s/media/public | 229 | base_dir = %(data_basedir)s/media/public |
225 | base_url = /mgoblin_media/ | 230 | base_url = /mgoblin_media/ |
226 | 231 | ||
227 | [celery] | 232 | [celery] |
228 | CELERY_RESULT_DBURI = ${env.redis_url} | 233 | CELERY_RESULT_DBURI = ${env.redis_url} |
229 | BROKER_URL = ${env.redis_url} | 234 | BROKER_URL = ${env.redis_url} |
230 | CELERYD_CONCURRENCY = 1 | 235 | CELERYD_CONCURRENCY = 1 |
231 | 236 | ||
232 | [plugins] | 237 | [plugins] |
233 | [[mediagoblin.plugins.geolocation]] | 238 | [[mediagoblin.plugins.geolocation]] |
234 | [[mediagoblin.plugins.ldap]] | 239 | [[mediagoblin.plugins.ldap]] |
235 | [[[immae.eu]]] | 240 | [[[immae.eu]]] |
236 | LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' | 241 | LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' |
237 | LDAP_SEARCH_BASE = 'dc=immae,dc=eu' | 242 | LDAP_SEARCH_BASE = 'dc=immae,dc=eu' |
238 | LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' | 243 | LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' |
239 | LDAP_BIND_PW = '${env.ldap.password}' | 244 | LDAP_BIND_PW = '${env.ldap.password}' |
240 | LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' | 245 | LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' |
241 | EMAIL_SEARCH_FIELD = 'mail' | 246 | EMAIL_SEARCH_FIELD = 'mail' |
242 | [[mediagoblin.plugins.basicsearch]] | 247 | [[mediagoblin.plugins.basicsearch]] |
243 | [[mediagoblin.plugins.piwigo]] | 248 | [[mediagoblin.plugins.piwigo]] |
244 | [[mediagoblin.plugins.processing_info]] | 249 | [[mediagoblin.plugins.processing_info]] |
245 | [[mediagoblin.media_types.image]] | 250 | [[mediagoblin.media_types.image]] |
246 | [[mediagoblin.media_types.video]] | 251 | [[mediagoblin.media_types.video]] |
247 | ''; | 252 | ''; |
253 | }; | ||
248 | pythonRoot = | 254 | pythonRoot = |
249 | with pkgs.gst_all_1; | 255 | with pkgs.gst_all_1; |
250 | stdenv.mkDerivation { | 256 | stdenv.mkDerivation { |
@@ -281,7 +287,7 @@ in | |||
281 | --prefix GI_TYPELIB_PATH : ${typelib_paths} | 287 | --prefix GI_TYPELIB_PATH : ${typelib_paths} |
282 | find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \; | 288 | find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \; |
283 | ln -s ${paste_local} ./paste_local.ini | 289 | ln -s ${paste_local} ./paste_local.ini |
284 | ln -s ${mediagoblin_local} ./mediagoblin_local.ini | 290 | ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini |
285 | ln -sf ${varDir} ./user_dev | 291 | ln -sf ${varDir} ./user_dev |
286 | ''; | 292 | ''; |
287 | }; | 293 | }; |
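Review bot: The symlink created at new line 290 points from the store output into `/run/keys/webapps/tools-mediagoblin`, which exists only at runtime once `tools-mediagoblin-key.service` has run, so the link is dangling inside the derivation and any consumer of `pythonRoot` that reads `mediagoblin_local.ini` must run as the `mediagoblin` user the key is now restricted to (`user`, `group` and `permissions = "0400"` at new lines 195–197); if a celery worker or another unit also reads that file, it presumably needs the same user and the same key ordering — confirm against the rest of the module. A comment on the `ln -s` line, `# resolved at runtime: the ini is deployed by tools-mediagoblin-key.service, not built into the store`, would make the intentional dangling link clear. The `pythonRoot` derivation starts before this hunk.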