authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 01:44:03 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 01:44:03 +0200
commitec2a5ffb986e9b21dff31e16d112aa9052a4bc5c (patch)
tree0775b4d0338706e069f166836d7797e73bbe9b0f /nixops/modules/websites
parenta0c845b436329624ad33432a701658dc1b52cca6 (diff)
Move diaspora and mantisbt passwords to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules/websites')
-rw-r--r--nixops/modules/websites/tools/diaspora/default.nix16
-rw-r--r--nixops/modules/websites/tools/diaspora/diaspora.nix39
-rw-r--r--nixops/modules/websites/tools/git/default.nix1
-rw-r--r--nixops/modules/websites/tools/git/mantisbt/mantisbt.nix78
4 files changed, 87 insertions, 47 deletions
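--- a/nixops/modules/websites/tools/diaspora/default.nix
+++ b/nixops/modules/websites/tools/diaspora/default.nix
@@ -24,15 +24,27 @@ in {
     home = diaspora.varDir;
     useDefaultShell = true;
     packages = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby ];
+    extraGroups = [ "keys" ];
   };
 
   users.groups.diaspora.gid = config.ids.gids.diaspora;
 
+  deployment.keys = diaspora.keys;
   systemd.services.diaspora = {
     description = "Diaspora";
     wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" "redis.service" "postgresql.service" ];
-    wants = [ "redis.service" "postgresql.service" ];
+    after = [
+      "network.target" "redis.service" "postgresql.service"
+      "tools-diaspora-secret_token.service"
+      "tools-diaspora-config.service"
+      "tools-diaspora-database_config.service"
+    ];
+    wants = [
+      "redis.service" "postgresql.service"
+      "tools-diaspora-secret_token.service"
+      "tools-diaspora-config.service"
+      "tools-diaspora-database_config.service"
+    ];
 
     environment.RAILS_ENV = "production";
     environment.BUNDLE_PATH = "${diaspora.gems}/${diaspora.gems.ruby.gemPath}";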
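Review bot: The new `after`/`wants` entries reference `tools-diaspora-secret_token.service`, `tools-diaspora-config.service` and `tools-diaspora-database_config.service`, but NixOps exposes each `deployment.keys` entry as a `<name>-key.service` unit, and the mantisbt half of this same commit depends on `tools-mantisbt-key.service` accordingly; if that naming is right, these three names match no unit, systemd will at most log a warning, and diaspora can start with its config/*.yml symlinks into /run/keys/webapps dangling (for example after a reboot, before `nixops send-keys` has run). The entries should read `"tools-diaspora-secret_token-key.service"`, `"tools-diaspora-config-key.service"` and `"tools-diaspora-database_config-key.service"` in both lists. Consider also `requires` rather than `wants` for the key units, since starting Rails without its secret_key_base or database configuration is a failure rather than a degraded mode. The `systemd.services.diaspora` definition continues past the end of this hunk.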
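--- a/nixops/modules/websites/tools/diaspora/diaspora.nix
+++ b/nixops/modules/websites/tools/diaspora/diaspora.nix
@@ -29,10 +29,21 @@ let
       };
     };
   };
-  secret_token = writeText "secret_token.rb" ''
-    Diaspora::Application.config.secret_key_base = '${env.secret_token}'
+  keys.tools-diaspora-secret_token = {
+    destDir = "/run/keys/webapps";
+    user = "diaspora";
+    group = "diaspora";
+    permissions = "0700";
+    text = ''
+      Diaspora::Application.config.secret_key_base = '${env.secret_token}'
     '';
-  config = writeText "diaspora.yml" ''
+  };
+  keys.tools-diaspora-config = {
+    destDir = "/run/keys/webapps";
+    user = "diaspora";
+    group = "diaspora";
+    permissions = "0700";
+    text = ''
       configuration:
         environment:
           url: "https://diaspora.immae.eu/"
@@ -105,7 +116,13 @@ let
       development:
         environment:
     '';
-  database_config = writeText "database.yml" ''
+  };
+  keys.tools-diaspora-database_config = {
+    destDir = "/run/keys/webapps";
+    user = "diaspora";
+    group = "diaspora";
+    permissions = "0700";
+    text = ''
       postgresql: &postgresql
         adapter: postgresql
         host: "${env.postgresql.socket}"
@@ -133,23 +150,27 @@ let
         <<: *combined
         database: diaspora_integration2
     '';
-
+  };
   railsRoot = stdenv.mkDerivation {
     name = "diaspora_immae";
     inherit diaspora;
+    # FIXME: build machine will contain some passwords in the nix store
     builder = writeText "build_diaspora_immae" ''
       source $stdenv/setup
       cp -a $diaspora $out
       cd $out
       chmod -R u+rwX .
       tar -czf public/source.tar.gz ./{app,db,lib,script,Gemfile,Gemfile.lock,Rakefile,config.ru}
-      ln -s ${database_config} config/database.yml
-      ln -s ${config} config/diaspora.yml
-      ln -s ${secret_token} config/initializers/secret_token.rb
+      ln -s ${writeText "database.yml" keys.tools-diaspora-database_config.text} config/database.yml
+      ln -s ${writeText "diaspora.yml" keys.tools-diaspora-config.text} config/diaspora.yml
+      ln -s ${writeText "secret_token.rb" keys.tools-diaspora-secret_token.text} config/initializers/secret_token.rb
       ln -sf ${varDir}/schedule.yml config/schedule.yml
       ln -sf ${varDir}/oidc_key.pem config/oidc_key.pem
       ln -sf ${varDir}/uploads public/uploads
       RAILS_ENV=production ${gems}/bin/rake assets:precompile
+      ln -sf /run/keys/webapps/tools-diaspora-database_config config/database.yml
+      ln -sf /run/keys/webapps/tools-diaspora-config config/diaspora.yml
+      ln -sf /run/keys/webapps/tools-diaspora-secret_token config/initializers/secret_token.rb
       rm -rf tmp log
       ln -sf ${varDir}/tmp tmp
       ln -sf ${varDir}/log log
@@ -158,6 +179,6 @@ let
   };
 in
 {
-  inherit railsRoot varDir socketsDir gems;
+  inherit railsRoot varDir socketsDir gems keys;
   railsSocket = "${socketsDir}/diaspora.sock";
 }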
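Review bot: The builder still symlinks `writeText "database.yml" keys.tools-diaspora-database_config.text` (and the diaspora.yml and secret_token.rb equivalents) into config/ before `rake assets:precompile`, so the database password and secret_key_base are still materialised as world-readable files in the Nix store of whichever machine builds railsRoot, and their store paths are embedded in the `build_diaspora_immae` builder script; the new FIXME acknowledges this but the commit does not address it. Unless precompile genuinely needs the real values (it normally only needs the application to boot), the temporary links could point at placeholder files instead, e.g. `ln -s ${writeText "secret_token.rb" "Diaspora::Application.config.secret_key_base = 'precompile-placeholder'"} config/initializers/secret_token.rb`, leaving the `/run/keys/webapps/...` links created after precompile as the only reference to the secrets. Separately, `permissions = "0700"` grants execute on plain configuration files; `0600` (or `0400`) states what is meant. The `let` block these attributes belong to starts before the first hunk of this file.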
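--- a/nixops/modules/websites/tools/git/default.nix
+++ b/nixops/modules/websites/tools/git/default.nix
@@ -23,6 +23,7 @@ in {
   });
   }) ];
 
+  deployment.keys = mantisbt.keys;
   services.myWebsites.tools.modules =
     gitweb.apache.modules ++
     mantisbt.apache.modules;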
diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
index 0cd98a1..00580b5 100644
--- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
+++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix
@@ -17,41 +17,46 @@ let
17 }); 17 });
18 }; 18 };
19 in rec { 19 in rec {
20 config = 20 keys."tools-mantisbt" = {
21 writeText "config_inc.php" '' 21 destDir = "/run/keys/webapps";
22 <?php 22 user = apache.user;
23 $g_hostname = '${env.postgresql.socket}'; 23 group = apache.group;
24 $g_db_username = '${env.postgresql.user}'; 24 permissions = "0700";
25 $g_db_password = '${env.postgresql.password}'; 25 text = ''
26 $g_database_name = '${env.postgresql.database}'; 26 <?php
27 $g_db_type = 'pgsql'; 27 $g_hostname = '${env.postgresql.socket}';
28 $g_crypto_master_salt = '${env.master_salt}'; 28 $g_db_username = '${env.postgresql.user}';
29 $g_allow_signup = OFF; 29 $g_db_password = '${env.postgresql.password}';
30 $g_allow_anonymous_login = ON; 30 $g_database_name = '${env.postgresql.database}';
31 $g_anonymous_account = 'anonymous'; 31 $g_db_type = 'pgsql';
32 $g_crypto_master_salt = '${env.master_salt}';
33 $g_allow_signup = OFF;
34 $g_allow_anonymous_login = ON;
35 $g_anonymous_account = 'anonymous';
32 36
33 $g_phpMailer_method = PHPMAILER_METHOD_SENDMAIL; 37 $g_phpMailer_method = PHPMAILER_METHOD_SENDMAIL;
34 $g_smtp_host = 'localhost'; 38 $g_smtp_host = 'localhost';
35 $g_smtp_username = '''; 39 $g_smtp_username = ''';
36 $g_smtp_password = '''; 40 $g_smtp_password = ''';
37 $g_webmaster_email = 'mantisbt@tools.immae.eu'; 41 $g_webmaster_email = 'mantisbt@tools.immae.eu';
38 $g_from_email = 'mantisbt@tools.immae.eu'; 42 $g_from_email = 'mantisbt@tools.immae.eu';
39 $g_return_path_email = 'mantisbt@tools.immae.eu'; 43 $g_return_path_email = 'mantisbt@tools.immae.eu';
40 $g_from_name = 'Mantis Bug Tracker at git.immae.eu'; 44 $g_from_name = 'Mantis Bug Tracker at git.immae.eu';
41 $g_email_receive_own = OFF; 45 $g_email_receive_own = OFF;
42 # --- LDAP --- 46 # --- LDAP ---
43 $g_login_method = LDAP; 47 $g_login_method = LDAP;
44 $g_ldap_protocol_version = 3; 48 $g_ldap_protocol_version = 3;
45 $g_ldap_server = 'ldaps://ldap.immae.eu:636'; 49 $g_ldap_server = 'ldaps://ldap.immae.eu:636';
46 $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu'; 50 $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
47 $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu'; 51 $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
48 $g_ldap_bind_passwd = '${env.ldap.password}'; 52 $g_ldap_bind_passwd = '${env.ldap.password}';
49 $g_use_ldap_email = ON; 53 $g_use_ldap_email = ON;
50 $g_use_ldap_realname = ON; 54 $g_use_ldap_realname = ON;
51 $g_ldap_uid_field = 'uid'; 55 $g_ldap_uid_field = 'uid';
52 $g_ldap_realname_field = 'cn'; 56 $g_ldap_realname_field = 'cn';
53 $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)'; 57 $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
54 ''; 58 '';
59 };
55 webRoot = stdenv.mkDerivation rec { 60 webRoot = stdenv.mkDerivation rec {
56 name = "mantisbt-${version}"; 61 name = "mantisbt-${version}";
57 version = "2.11.1"; 62 version = "2.11.1";
@@ -67,7 +72,7 @@ let
67 ]; 72 ];
68 installPhase = '' 73 installPhase = ''
69 cp -a . $out 74 cp -a . $out
70 ln -s ${config} $out/config/config_inc.php 75 ln -s /run/keys/webapps/tools-mantisbt $out/config/config_inc.php
71 ln -s ${plugins.slack} $out/plugins/Slack 76 ln -s ${plugins.slack} $out/plugins/Slack
72 ln -s ${plugins.source-integration}/Source* $out/plugins/ 77 ln -s ${plugins.source-integration}/Source* $out/plugins/
73 ''; 78 '';
@@ -97,8 +102,9 @@ let
97 ''; 102 '';
98 }; 103 };
99 phpFpm = rec { 104 phpFpm = rec {
105 serviceDeps = [ "postgresql.service" "openldap.service" "tools-mantisbt-key.service" ];
100 basedir = builtins.concatStringsSep ":" ( 106 basedir = builtins.concatStringsSep ":" (
101 [ webRoot config ] 107 [ webRoot "/run/keys/webapps/tools-mantisbt" ]
102 ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); 108 ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
103 socket = "/var/run/phpfpm/mantisbt.sock"; 109 socket = "/var/run/phpfpm/mantisbt.sock";
104 pool = '' 110 pool = ''
@@ -118,5 +124,5 @@ let
118 ''; 124 '';
119 }; 125 };
120 }; 126 };
121in 127in
122 mantisbt 128 mantisbt
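Review bot: The key is installed as `apache.user`:`apache.group` with `permissions = "0700"` under /run/keys/webapps, but nothing in this file adds `apache.user` to the `keys` group, whereas the diaspora half of this commit adds `extraGroups = [ "keys" ]` for exactly that purpose; NixOps creates /run/keys as root:keys 0750, so unless the Apache/PHP-FPM user is already a member of that group elsewhere, the worker cannot traverse the directory and `$out/config/config_inc.php`, now a symlink into it, will be unreadable at request time. The `"/run/keys/webapps/tools-mantisbt"` entry added to `basedir` is the right complement, since PHP checks the resolved symlink target against open_basedir, but it only helps once the directory is traversable. `0600` would also be the conventional mode for a file that is only ever `require`d, never executed. The `in rec { ... }` attribute set this key lives in starts before the first hunk.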