Move davical and Jerome's website passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

3 files changed, 22 insertions, 9 deletions

diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 199bfab..218060f 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,8 +29,11 @@ in {
       domain = "naturaloutil.immae.eu";
     };
 
-    services.myPhpfpm.poolConfigs.jerome = let
-      configFile = pkgs.writeText "naturaloutil.inc.php" ''
+    deployment.keys."prod-naturaloutil" = {
+      destDir = "/run/keys/webapps";
+      user = "wwwrun";
+      group = "wwwrun";
+      text = ''
         <?php
         $mysql_user = '${env.mysql.user}' ;
         $mysql_server = '${env.mysql.host}' ;
@@ -44,8 +47,10 @@ in {
         '' else ""}
         $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
         ?>
-        '';
-      in ''
+      '';
+    };
+    services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" "prod-naturaloutil-key.service" ];
+    services.myPhpfpm.poolConfigs.jerome = ''
       listen = /run/phpfpm/naturaloutil.sock
       user = wwwrun
       group = wwwrun
@@ -56,8 +61,8 @@ in {
       pm.max_children = 5
       pm.process_idle_timeout = 60
 
-      env[BDD_CONNECT] = "${configFile}"
-      php_admin_value[open_basedir] = "${configFile}:${varDir}:/tmp"
+      env[BDD_CONNECT] = "/run/keys/webapps/prod-naturaloutil"
+      php_admin_value[open_basedir] = "/run/keys/webapps/prod-naturaloutil:${varDir}:/tmp"
       '';
     services.myPhpfpm.poolPhpConfigs.jerome = ''
       extension=${pkgs.php}/lib/php/extensions/mysqli.so
diff --git a/nixops/modules/websites/tools/dav/davical.nix b/nixops/modules/websites/tools/dav/davical.nix
index f6cb5bb..4e464eb 100644
--- a/nixops/modules/websites/tools/dav/davical.nix
+++ b/nixops/modules/websites/tools/dav/davical.nix
@@ -16,7 +16,12 @@ let
     '';
   };
   davical = rec {
-    config = writeText "davical_config.php" ''
+    keys."dav-davical" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
         <?php
         $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
 
@@ -69,6 +74,7 @@ let
         $c->do_not_sync_from_ldap = array('admin' => true);
         include('drivers_ldap.php');
       '';
+    };
     webapp = stdenv.mkDerivation rec {
       version = "1.1.7";
       name = "davical-${version}";
@@ -84,7 +90,7 @@ let
       installPhase = ''
         mkdir -p $out
         cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out
-        ln -s ${config} $out/config/config.php
+        ln -s /run/keys/webapps/dav-davical $out/config/config.php
       '';
       buildInputs = [ gettext ];
     };
@@ -131,7 +137,8 @@ let
         '';
     };
     phpFpm = rec {
-      basedir = builtins.concatStringsSep ":" [ webapp config awl ];
+      serviceDeps = [ "postgresql.service" "openldap.service" "dav-davical-key.service" ];
+      basedir = builtins.concatStringsSep ":" [ webapp "/run/keys/webapps/dav-davical" awl ];
       socket = "/var/run/phpfpm/davical.sock";
       pool = ''
         listen = ${socket}
diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix
index 5b5d21e..56b3006 100644
--- a/nixops/modules/websites/tools/dav/default.nix
+++ b/nixops/modules/websites/tools/dav/default.nix
@@ -14,6 +14,7 @@ in {
   config = lib.mkIf cfg.enable {
     security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
 
+    deployment.keys = davical.keys;
     services.myWebsites.tools.modules = davical.apache.modules;
 
     services.myWebsites.tools.vhostConfs.dav = {