author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-14 23:58:56 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-14 23:58:56 +0200 |
commit | 981634865c275c1f35e78a27c6d76cd9708fd7ef (patch) | |
tree | c4902578bdf9facf3452c1eca8b0031ece865d1a /nixops/modules/websites | |
parent | bf74850963eeba3efc755bb517aba0197df80493 (diff) | |
Move kanboard passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites')
-rw-r--r-- | nixops/modules/websites/default.nix | 7 | ||||
-rw-r--r-- | nixops/modules/websites/phpfpm/default.nix | 14 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/default.nix | 3 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/kanboard.nix | 49 |
4 files changed, 49 insertions, 24 deletions
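--- a/nixops/modules/websites/default.nix
+++ b/nixops/modules/websites/default.nix
@@ -167,6 +167,7 @@ in
 };
 
 config = {
+users.users.wwwrun.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 
 nixpkgs.overlays = [ (self: super: rec {
@@ -415,8 +416,10 @@ in
 phpOptions = ''
 session.save_path = "/var/lib/php/sessions"
 post_max_size = 20M
-session.gc_maxlifetime = 60*60*24*15
-session.cache_expire = 60*24*30
+; 15 days (seconds)
+session.gc_maxlifetime = 1296000
+; 30 days (minutes)
+session.cache_expire = 43200
 '';
 extraConfig = ''
 log_level = notice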
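Review bot: `users.users.wwwrun.extraGroups = [ "keys" ];` in the first hunk is a broader grant than the one key this commit adds and deserves a comment saying why it is there. As far as I recall NixOps keeps `/run/keys` at root:keys with mode 0750, so membership lets the web server user traverse the directory and read any key whose own mode is group-readable, not only the kanboard key; the kanboard key itself is protected by the owner/mode set in kanboard.nix, so the exposure is to other keys deployed on the same host, now or later. Suggested comment: `# wwwrun must traverse /run/keys (root:keys 0750) to reach the per-app keys under /run/keys/webapps; keep each key's own owner/mode restrictive`. The enclosing `config = {` block continues outside the hunk.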
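--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -72,6 +72,17 @@ in {
 "Options appended to the PHP configuration file <filename>php.ini</filename>.";
 };
 
+serviceDependencies = mkOption {
+default = {};
+type = types.attrsOf (types.listOf types.string);
+example = literalExample ''
+{ mypool = ["postgresql.service"]; }
+'';
+description = ''
+Extra service dependencies specific to pool.
+'';
+};
+
 poolPhpConfigs = mkOption {
 default = {};
 type = types.attrsOf types.lines;
@@ -152,7 +163,8 @@ in {
 systemd.services = flip mapAttrs' poolConfigs (pool: poolConfig:
 nameValuePair "phpfpm-${pool}" {
 description = "PHP FastCGI Process Manager service for pool ${pool}";
-after = [ "network.target" ];
+after = [ "network.target" ] ++ (cfg.serviceDependencies.${pool} or []);
+wants = cfg.serviceDependencies.${pool} or [];
 wantedBy = [ "phpfpm.target" ];
 partOf = [ "phpfpm.target" ];
 preStart = ''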
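Review bot: `types.string` in the new `serviceDependencies` option (first hunk, `type = types.attrsOf (types.listOf types.string);`) is the deprecated string type that nixpkgs warns about at evaluation time because it quietly concatenates definitions; the replacement is `type = types.attrsOf (types.listOf types.str);`. The option description should also state the semantics the second hunk gives it, since entries only land in `wants` and `after`: a listed unit that fails or is missing does not stop the pool from starting. Something like `Extra systemd units the pool is ordered after and wants (soft dependency); a failing unit does not prevent the pool from starting.` would let callers that need a hard dependency know they must add one themselves. The `systemd.services` definition continues past the end of the hunk.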
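--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -46,6 +46,8 @@ in {
 security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
 security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null;
 
+deployment.keys = kanboard.keys;
+
 services.myWebsites.integration.modules =
 rainloop.apache.modules;
 
@@ -129,6 +131,7 @@ in {
 ];
 };
 
+services.myPhpfpm.serviceDependencies.kanboard = kanboard.phpFpm.serviceDeps;
 services.myPhpfpm.poolPhpConfigs.roundcubemail = roundcubemail.phpFpm.phpConfig;
 services.myPhpfpm.poolConfigs = {
 adminer = adminer.phpFpm.pool;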
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix index 8408ffa..35ed2aa 100644 --- a/nixops/modules/websites/tools/tools/kanboard.nix +++ b/nixops/modules/websites/tools/tools/kanboard.nix | |||
@@ -10,33 +10,39 @@ rec { | |||
10 | install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config | 10 | install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config |
11 | ''; | 11 | ''; |
12 | }; | 12 | }; |
13 | config = writeText "config.php" '' | 13 | keys.tools-kanboard = { |
14 | <?php | 14 | destDir = "/run/keys/webapps"; |
15 | define('MAIL_FROM', 'kanboard@tools.immae.eu'); | 15 | user = apache.user; |
16 | group = apache.group; | ||
17 | permissions = "0700"; | ||
18 | text = '' | ||
19 | <?php | ||
20 | define('MAIL_FROM', 'kanboard@tools.immae.eu'); | ||
16 | 21 | ||
17 | define('DB_DRIVER', 'postgres'); | 22 | define('DB_DRIVER', 'postgres'); |
18 | define('DB_USERNAME', '${env.postgresql.user}'); | 23 | define('DB_USERNAME', '${env.postgresql.user}'); |
19 | define('DB_PASSWORD', '${env.postgresql.password}'); | 24 | define('DB_PASSWORD', '${env.postgresql.password}'); |
20 | define('DB_HOSTNAME', '${env.postgresql.socket}'); | 25 | define('DB_HOSTNAME', '${env.postgresql.socket}'); |
21 | define('DB_NAME', '${env.postgresql.database}'); | 26 | define('DB_NAME', '${env.postgresql.database}'); |
22 | 27 | ||
23 | define('LDAP_AUTH', true); | 28 | define('LDAP_AUTH', true); |
24 | define('LDAP_SERVER', '${env.ldap.host}'); | 29 | define('LDAP_SERVER', '${env.ldap.host}'); |
25 | define('LDAP_START_TLS', true); | 30 | define('LDAP_START_TLS', true); |
26 | 31 | ||
27 | define('LDAP_BIND_TYPE', 'proxy'); | 32 | define('LDAP_BIND_TYPE', 'proxy'); |
28 | define('LDAP_USERNAME', '${env.ldap.dn}'); | 33 | define('LDAP_USERNAME', '${env.ldap.dn}'); |
29 | define('LDAP_PASSWORD', '${env.ldap.password}'); | 34 | define('LDAP_PASSWORD', '${env.ldap.password}'); |
30 | define('LDAP_USER_BASE_DN', '${env.ldap.base}'); | 35 | define('LDAP_USER_BASE_DN', '${env.ldap.base}'); |
31 | define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))'); | 36 | define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))'); |
32 | define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu'); | 37 | define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu'); |
33 | ?> | 38 | ?> |
34 | ''; | 39 | ''; |
40 | }; | ||
35 | webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec { | 41 | webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec { |
36 | dontBuild = true; | 42 | dontBuild = true; |
37 | installPhase = '' | 43 | installPhase = '' |
38 | cp -a . $out | 44 | cp -a . $out |
39 | ln -s ${config} $out/config.php | 45 | ln -s /run/keys/webapps/tools-kanboard $out/config.php |
40 | mv $out/data $out/dataold | 46 | mv $out/data $out/dataold |
41 | ln -s ${varDir}/data $out/data | 47 | ln -s ${varDir}/data $out/data |
42 | ''; | 48 | ''; |
@@ -65,7 +71,8 @@ rec { | |||
65 | ''; | 71 | ''; |
66 | }; | 72 | }; |
67 | phpFpm = rec { | 73 | phpFpm = rec { |
68 | basedir = builtins.concatStringsSep ":" [ webRoot varDir config ]; | 74 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ]; |
75 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ]; | ||
69 | socket = "/var/run/phpfpm/kanboard.sock"; | 76 | socket = "/var/run/phpfpm/kanboard.sock"; |
70 | pool = '' | 77 | pool = '' |
71 | listen = ${socket} | 78 | listen = ${socket} |
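Review bot: `ln -s /run/keys/webapps/tools-kanboard $out/config.php` (first hunk) leaves config.php a dangling symlink whenever the key is absent — after a reboot before keys are re-sent, or if `tools-kanboard-key.service` fails — and the `serviceDeps` list in the second hunk only feeds `wants`/`after` in the phpfpm module, so `phpfpm-kanboard` still starts in that state. If Kanboard falls back to its built-in defaults when config.php cannot be read (worth confirming against the application's bootstrap), the pool would then come up without the LDAP and PostgreSQL settings instead of refusing to start. A cheap guard is to fail early in the service's preStart, e.g. `test -r /run/keys/webapps/tools-kanboard || { echo 'kanboard config key missing' >&2; exit 1; }`, or to give this pool a hard (requires-style) dependency on the key unit. Separately, `permissions = "0700"` can be `0400`: the file is only read by php-fpm and the execute bit serves no purpose on a config file.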