authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 01:08:15 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 01:08:15 +0200
commit60dbbd12253f2f7b6994fea1c56fdf3818d0a025 (patch)
treee58fd97aa9734ea7c7e830aa343f807a5a95cb1b /nixops/modules
parent6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1 (diff)
Move davical and Jerome's website passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules')
-rw-r--r--nixops/modules/websites/ftp/jerome.nix17
-rw-r--r--nixops/modules/websites/tools/dav/davical.nix13
-rw-r--r--nixops/modules/websites/tools/dav/default.nix1
3 files changed, 22 insertions, 9 deletions
diff --git a/nixops/modules/websites/ftp/jerome.nix b/nixops/modules/websites/ftp/jerome.nix
index 199bfab..218060f 100644
--- a/nixops/modules/websites/ftp/jerome.nix
+++ b/nixops/modules/websites/ftp/jerome.nix
@@ -29,8 +29,11 @@ in {
29 domain = "naturaloutil.immae.eu"; 29 domain = "naturaloutil.immae.eu";
30 }; 30 };
31 31
32 services.myPhpfpm.poolConfigs.jerome = let 32 deployment.keys."prod-naturaloutil" = {
33 configFile = pkgs.writeText "naturaloutil.inc.php" '' 33 destDir = "/run/keys/webapps";
34 user = "wwwrun";
35 group = "wwwrun";
36 text = ''
34 <?php 37 <?php
35 $mysql_user = '${env.mysql.user}' ; 38 $mysql_user = '${env.mysql.user}' ;
36 $mysql_server = '${env.mysql.host}' ; 39 $mysql_server = '${env.mysql.host}' ;
@@ -44,8 +47,10 @@ in {
44 '' else ""} 47 '' else ""}
45 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password); 48 $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
46 ?> 49 ?>
47 ''; 50 '';
48 in '' 51 };
52 services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" "prod-naturaloutil-key.service" ];
53 services.myPhpfpm.poolConfigs.jerome = ''
49 listen = /run/phpfpm/naturaloutil.sock 54 listen = /run/phpfpm/naturaloutil.sock
50 user = wwwrun 55 user = wwwrun
51 group = wwwrun 56 group = wwwrun
@@ -56,8 +61,8 @@ in {
56 pm.max_children = 5 61 pm.max_children = 5
57 pm.process_idle_timeout = 60 62 pm.process_idle_timeout = 60
58 63
59 env[BDD_CONNECT] = "${configFile}" 64 env[BDD_CONNECT] = "/run/keys/webapps/prod-naturaloutil"
60 php_admin_value[open_basedir] = "${configFile}:${varDir}:/tmp" 65 php_admin_value[open_basedir] = "/run/keys/webapps/prod-naturaloutil:${varDir}:/tmp"
61 ''; 66 '';
62 services.myPhpfpm.poolPhpConfigs.jerome = '' 67 services.myPhpfpm.poolPhpConfigs.jerome = ''
63 extension=${pkgs.php}/lib/php/extensions/mysqli.so 68 extension=${pkgs.php}/lib/php/extensions/mysqli.so
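Review bot: The new `deployment.keys."prod-naturaloutil"` entry (first hunk, new lines 32–36) sets `user`/`group` but no `permissions`, whereas the davical key added in the same commit sets it explicitly; `permissions = "0400";` pins a read-only mode instead of leaving it to the nixops default (0600, as far as I know). Since the pool workers run as wwwrun (`user = wwwrun` in the second hunk), owner-read is enough for the PHP include, but traversing `/run/keys` itself normally requires membership of the `keys` group, and nothing in this diff adds wwwrun to that group — worth confirming on the host. Keys under `/run/keys` are also not persisted across reboots, so after a reboot the pool blocks on `prod-naturaloutil-key.service` until `nixops send-keys` is run; the new `serviceDependencies` line in the second hunk is the right gate, but a short comment next to it, `# key lives in /run/keys (tmpfs): re-run nixops send-keys after a reboot`, would record the operational step.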
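--- a/nixops/modules/websites/tools/dav/davical.nix
+++ b/nixops/modules/websites/tools/dav/davical.nix
@@ -16,7 +16,12 @@ let
 '';
 };
 davical = rec {
-config = writeText "davical_config.php" ''
+keys."dav-davical" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 <?php
 $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
 
@@ -69,6 +74,7 @@ let
 $c->do_not_sync_from_ldap = array('admin' => true);
 include('drivers_ldap.php');
 '';
+};
 webapp = stdenv.mkDerivation rec {
 version = "1.1.7";
 name = "davical-${version}";
@@ -84,7 +90,7 @@ let
 installPhase = ''
 mkdir -p $out
 cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out
-ln -s ${config} $out/config/config.php
+ln -s /run/keys/webapps/dav-davical $out/config/config.php
 '';
 buildInputs = [ gettext ];
 };
@@ -131,7 +137,8 @@ let
 '';
 };
 phpFpm = rec {
-basedir = builtins.concatStringsSep ":" [ webapp config awl ];
+serviceDeps = [ "postgresql.service" "openldap.service" "dav-davical-key.service" ];
+basedir = builtins.concatStringsSep ":" [ webapp "/run/keys/webapps/dav-davical" awl ];
 socket = "/var/run/phpfpm/davical.sock";
 pool = ''
 listen = ${socket}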
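Review bot: `permissions = "0700";` on the new `keys."dav-davical"` entry (first hunk, new line 23) grants an execute bit to a PHP include that only ever needs to be read by the apache user; `permissions = "0400";` states the intent. The literal `/run/keys/webapps/dav-davical` is now spelled out three times (`destDir` plus the key name, the `ln -s` in installPhase, and `basedir` in the last hunk); a single `keyFile = "/run/keys/webapps/dav-davical";` in the `davical` rec set, referenced as `${keyFile}`, keeps the symlink, the open_basedir entry and the key definition from drifting apart. The `ln -s` target only exists once the key has been sent, so `$out/config/config.php` is a dangling link inside the store until deployment — a comment beside it, `# resolved at runtime: target is provided by deployment.keys`, would save the next reader a check. `serviceDeps` at new line 140 is a new attribute whose consumer is outside this diff; presumably it feeds the unit's dependency list, and the `dav-davical-key.service` entry is what makes the dangling link safe.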
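--- a/nixops/modules/websites/tools/dav/default.nix
+++ b/nixops/modules/websites/tools/dav/default.nix
@@ -14,6 +14,7 @@ in {
 config = lib.mkIf cfg.enable {
 security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
 
+deployment.keys = davical.keys;
 services.myWebsites.tools.modules = davical.apache.modules;
 
 services.myWebsites.tools.vhostConfs.dav = {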