aboutsummaryrefslogtreecommitdiff
path: root/nixops/modules/websites
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-14 23:58:56 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-14 23:58:56 +0200
commit981634865c275c1f35e78a27c6d76cd9708fd7ef (patch)
treec4902578bdf9facf3452c1eca8b0031ece865d1a /nixops/modules/websites
parentbf74850963eeba3efc755bb517aba0197df80493 (diff)
downloadNix-981634865c275c1f35e78a27c6d76cd9708fd7ef.tar.gz
Nix-981634865c275c1f35e78a27c6d76cd9708fd7ef.tar.zst
Nix-981634865c275c1f35e78a27c6d76cd9708fd7ef.zip
Move kanboard passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites')
-rw-r--r--nixops/modules/websites/default.nix7
-rw-r--r--nixops/modules/websites/phpfpm/default.nix14
-rw-r--r--nixops/modules/websites/tools/tools/default.nix3
-rw-r--r--nixops/modules/websites/tools/tools/kanboard.nix49
4 files changed, 49 insertions, 24 deletions
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
index ad97d7f..307af08 100644
--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -167,6 +167,7 @@ in
167 }; 167 };
168 168
169 config = { 169 config = {
170 users.users.wwwrun.extraGroups = [ "keys" ];
170 networking.firewall.allowedTCPPorts = [ 80 443 ]; 171 networking.firewall.allowedTCPPorts = [ 80 443 ];
171 172
172 nixpkgs.overlays = [ (self: super: rec { 173 nixpkgs.overlays = [ (self: super: rec {
@@ -415,8 +416,10 @@ in
415 phpOptions = '' 416 phpOptions = ''
416 session.save_path = "/var/lib/php/sessions" 417 session.save_path = "/var/lib/php/sessions"
417 post_max_size = 20M 418 post_max_size = 20M
418 session.gc_maxlifetime = 60*60*24*15 419 ; 15 days (seconds)
419 session.cache_expire = 60*24*30 420 session.gc_maxlifetime = 1296000
421 ; 30 days (minutes)
422 session.cache_expire = 43200
420 ''; 423 '';
421 extraConfig = '' 424 extraConfig = ''
422 log_level = notice 425 log_level = notice
diff --git a/nixops/modules/websites/phpfpm/default.nix b/nixops/modules/websites/phpfpm/default.nix
index 3c6f027..882babc 100644
--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -72,6 +72,17 @@ in {
72 "Options appended to the PHP configuration file <filename>php.ini</filename>."; 72 "Options appended to the PHP configuration file <filename>php.ini</filename>.";
73 }; 73 };
74 74
75 serviceDependencies = mkOption {
76 default = {};
77 type = types.attrsOf (types.listOf types.string);
78 example = literalExample ''
79 { mypool = ["postgresql.service"]; }
80 '';
81 description = ''
82 Extra service dependencies specific to pool.
83 '';
84 };
85
75 poolPhpConfigs = mkOption { 86 poolPhpConfigs = mkOption {
76 default = {}; 87 default = {};
77 type = types.attrsOf types.lines; 88 type = types.attrsOf types.lines;
@@ -152,7 +163,8 @@ in {
152 systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig: 163 systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig:
153 nameValuePair "phpfpm-${pool}" { 164 nameValuePair "phpfpm-${pool}" {
154 description = "PHP FastCGI Process Manager service for pool ${pool}"; 165 description = "PHP FastCGI Process Manager service for pool ${pool}";
155 after = [ "network.target" ]; 166 after = [ "network.target" ] ++ (cfg.serviceDependencies.${pool} or []);
167 wants = cfg.serviceDependencies.${pool} or [];
156 wantedBy = [ "phpfpm.target" ]; 168 wantedBy = [ "phpfpm.target" ];
157 partOf = [ "phpfpm.target" ]; 169 partOf = [ "phpfpm.target" ];
158 preStart = '' 170 preStart = ''
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index aa59e28..14b5934 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -46,6 +46,8 @@ in {
46 security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; 46 security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
47 security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; 47 security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
48 48
49 deployment.keys = kanboard.keys;
50
49 services.myWebsites.integration.modules = 51 services.myWebsites.integration.modules =
50 rainloop.apache.modules; 52 rainloop.apache.modules;
51 53
@@ -129,6 +131,7 @@ in {
129 ]; 131 ];
130 }; 132 };
131 133
134 services.myPhpfpm.serviceDependencies.kanboard = kanboard.phpFpm.serviceDeps;
132 services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig; 135 services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig;
133 services.myPhpfpm.poolConfigs = { 136 services.myPhpfpm.poolConfigs = {
134 adminer = adminer.phpFpm.pool; 137 adminer = adminer.phpFpm.pool;
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix
index 8408ffa..35ed2aa 100644
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ b/nixops/modules/websites/tools/tools/kanboard.nix
@@ -10,33 +10,39 @@ rec {
10 install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config 10 install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
11 ''; 11 '';
12 }; 12 };
13 config = writeText "config.php" '' 13 keys.tools-kanboard = {
14 <?php 14 destDir = "/run/keys/webapps";
15 define('MAIL_FROM', 'kanboard@tools.immae.eu'); 15 user = apache.user;
16 group = apache.group;
17 permissions = "0700";
18 text = ''
19 <?php
20 define('MAIL_FROM', 'kanboard@tools.immae.eu');
16 21
17 define('DB_DRIVER', 'postgres'); 22 define('DB_DRIVER', 'postgres');
18 define('DB_USERNAME', '${env.postgresql.user}'); 23 define('DB_USERNAME', '${env.postgresql.user}');
19 define('DB_PASSWORD', '${env.postgresql.password}'); 24 define('DB_PASSWORD', '${env.postgresql.password}');
20 define('DB_HOSTNAME', '${env.postgresql.socket}'); 25 define('DB_HOSTNAME', '${env.postgresql.socket}');
21 define('DB_NAME', '${env.postgresql.database}'); 26 define('DB_NAME', '${env.postgresql.database}');
22 27
23 define('LDAP_AUTH', true); 28 define('LDAP_AUTH', true);
24 define('LDAP_SERVER', '${env.ldap.host}'); 29 define('LDAP_SERVER', '${env.ldap.host}');
25 define('LDAP_START_TLS', true); 30 define('LDAP_START_TLS', true);
26 31
27 define('LDAP_BIND_TYPE', 'proxy'); 32 define('LDAP_BIND_TYPE', 'proxy');
28 define('LDAP_USERNAME', '${env.ldap.dn}'); 33 define('LDAP_USERNAME', '${env.ldap.dn}');
29 define('LDAP_PASSWORD', '${env.ldap.password}'); 34 define('LDAP_PASSWORD', '${env.ldap.password}');
30 define('LDAP_USER_BASE_DN', '${env.ldap.base}'); 35 define('LDAP_USER_BASE_DN', '${env.ldap.base}');
31 define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))'); 36 define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
32 define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu'); 37 define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
33 ?> 38 ?>
34 ''; 39 '';
40 };
35 webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec { 41 webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec {
36 dontBuild = true; 42 dontBuild = true;
37 installPhase = '' 43 installPhase = ''
38 cp -a . $out 44 cp -a . $out
39 ln -s ${config} $out/config.php 45 ln -s /run/keys/webapps/tools-kanboard $out/config.php
40 mv $out/data $out/dataold 46 mv $out/data $out/dataold
41 ln -s ${varDir}/data $out/data 47 ln -s ${varDir}/data $out/data
42 ''; 48 '';
@@ -65,7 +71,8 @@ rec {
65 ''; 71 '';
66 }; 72 };
67 phpFpm = rec { 73 phpFpm = rec {
68 basedir = builtins.concatStringsSep ":" [ webRoot varDir config ]; 74 serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ];
75 basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ];
69 socket = "/var/run/phpfpm/kanboard.sock"; 76 socket = "/var/run/phpfpm/kanboard.sock";
70 pool = '' 77 pool = ''
71 listen = ${socket} 78 listen = ${socket}