author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 00:35:59 +0200 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 00:35:59 +0200 |
commit | 6e23a06b9d5e0bdb21c737285e36dbe76b2d3ac1 (patch) | |
tree | d253f7271d6e28bb119e4399059b55d42eccf0cc /nixops/modules | |
parent | a754e9dbf5d6c35398f3c4ec52c3daf5f8ed2dd3 (diff) | |
Move Ludivine, Piedsjaloux and Florian's websites' passwords to a secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules')
6 files changed, 49 insertions, 15 deletions
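--- a/nixops/modules/websites/ludivine/default.nix
+++ b/nixops/modules/websites/ludivine/default.nix
@@ -21,6 +21,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
+deployment.keys = ludivinecassal_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -51,6 +52,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
+deployment.keys = ludivinecassal_dev.keys;
 security.acme.certs."eldiron".extraDomains."ludivine.immae.eu" = null;
 
 services.myPhpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal_dev.phpFpm.pool;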
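Review bot: `deployment.keys = ludivinecassal_prod.keys;` hands the secrets to nixops, but nothing in this section orders the php-fpm pool or httpd after the key has actually been delivered; nixops keys are pushed out of band (`nixops send-keys`) into a tmpfs that is empty after a reboot, so on a cold boot the pool can come up with a dangling `parameters.yml` symlink until the keys arrive. nixops provides a per-key unit for this, so the unit that runs the pool should carry something like `after = [ "prod-ludivinecassal-key.service" ]; wants = [ "prod-ludivinecassal-key.service" ];` — the exact service name that runs this pool is not visible here, so confirm it before wiring. The same gap applies to the `deployment.keys` lines added in piedsjaloux/default.nix and tellesflorian/default.nix.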
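--- a/nixops/modules/websites/ludivine/ludivinecassal.nix
+++ b/nixops/modules/websites/ludivine/ludivinecassal.nix
@@ -3,8 +3,12 @@ let
 ludivinecassal = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/ludivinecassal_${environment}";
-configRoot =
-writeText "parameters.yml" ''
+keys."${environment}-ludivinecassal" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 # This file is auto-generated during the composer install
 parameters:
 database_host: ${config.mysql.host}
@@ -34,6 +38,7 @@ let
 sass: ${sass}/bin/sass
 ruby: ${ruby}/bin/ruby
 '';
+};
 phpFpm = rec {
 socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock";
 pool = ''
@@ -45,7 +50,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 ${if environment == "dev" then ''
 pm = ondemand
@@ -151,7 +156,14 @@ let
 noDev = (environment == "prod");
 preInstall = ''
 export SYMFONY_ENV="${environment}"
-ln -sf ${configRoot} app/config/parameters.yml
+cp app/config/parameters.yml.dist app/config/parameters.yml
+cat >> app/config/parameters.yml <<EOF
+leapt_im:
+binary_path: ${imagemagick}/bin
+assetic:
+sass: ${sass}/bin/sass
+ruby: ${ruby}/bin/ruby
+EOF
 sed -i -e "/Incenteev..ParameterHandler..ScriptHandler::buildParameters/d" composer.json
 '';
 # /!\ miniatures and data need to be in the same physical dir due to a
@@ -159,6 +171,7 @@ let
 postInstall = ''
 rm -rf var/{logs,cache,data,miniatures,tmp}
 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
+ln -sf /run/keys/webapps/${environment}-ludivinecassal app/config/parameters.yml
 '';
 buildInputs = [ sass ];
 });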
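Review bot: `permissions = "0700";` in the new `keys."${environment}-ludivinecassal"` attribute sets the execute bit on a regular file that is only ever read; with the file already owned by `apache.user`, `permissions = "0400";` (or `"0600"`) is the least-privilege setting and gives up nothing. The assetic and leapt_im paths now also exist twice — in the key text (context lines `sass:`/`ruby:` of the second hunk) and in the heredoc appended in `preInstall` — so the two copies can drift; a comment on the heredoc such as `# build-time only: composer runs in the sandbox where /run/keys is absent, runtime config is the nixops key symlinked in postInstall` would make the duplication intentional rather than accidental. The `ludivinecassal` function itself starts and ends outside these hunks. The same `"0700"` appears in piedsjaloux.nix and twice in tellesflorian.nix.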
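--- a/nixops/modules/websites/piedsjaloux/default.nix
+++ b/nixops/modules/websites/piedsjaloux/default.nix
@@ -25,6 +25,7 @@ in {
 
 config = lib.mkMerge [
 (lib.mkIf cfg.production.enable {
+deployment.keys = piedsjaloux_prod.keys;
 services.myWebsites.commons.stats.enable = true;
 services.myWebsites.commons.stats.sites = [
 {
@@ -55,6 +56,7 @@ in {
 };
 })
 (lib.mkIf cfg.integration.enable {
+deployment.keys = piedsjaloux_dev.keys;
 security.acme.certs."eldiron".extraDomains."piedsjaloux.immae.eu" = null;
 services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux_dev.phpFpm.pool;
 system.activationScripts.piedsjaloux_dev = piedsjaloux_dev.activationScript;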
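--- a/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
+++ b/nixops/modules/websites/piedsjaloux/piedsjaloux.nix
@@ -3,8 +3,12 @@ let
 piedsjaloux = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/piedsjaloux_${environment}";
-configRoot =
-writeText "parameters.yml" ''
+keys."${environment}-piedsjaloux" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 # This file is auto-generated during the composer install
 parameters:
 database_host: ${config.mysql.host}
@@ -22,6 +26,7 @@ let
 leapt_im:
 binary_path: ${imagemagick}/bin
 '';
+};
 phpFpm = rec {
 socket = "/var/run/phpfpm/piedsjaloux-${environment}.sock";
 pool = ''
@@ -33,7 +38,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-piedsjaloux:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
 ${if environment == "dev" then ''
@@ -146,7 +151,7 @@ let
 postInstall = ''
 cd $out
 rm app/config/parameters.yml
-ln -sf ${configRoot} app/config/parameters.yml
+ln -sf /run/keys/webapps/${environment}-piedsjaloux app/config/parameters.yml
 rm -rf var/{logs,cache,data,miniatures,tmp}
 ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/
 '';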
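--- a/nixops/modules/websites/tellesflorian/default.nix
+++ b/nixops/modules/websites/tellesflorian/default.nix
@@ -16,6 +16,7 @@ in {
 };
 
 config = lib.mkIf cfg.integration.enable {
+deployment.keys = tellesflorian_dev.keys;
 security.acme.certs."eldiron".extraDomains."app.tellesflorian.com" = null;
 services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian_dev.phpFpm.pool;
 system.activationScripts.tellesflorian_dev = tellesflorian_dev.activationScript;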
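--- a/nixops/modules/websites/tellesflorian/tellesflorian.nix
+++ b/nixops/modules/websites/tellesflorian/tellesflorian.nix
@@ -3,8 +3,12 @@ let
 tellesflorian = { config }: rec {
 environment = config.environment;
 varDir = "/var/lib/tellesflorian_${environment}";
-configRoot =
-writeText "parameters.yml" ''
+keys."${environment}-tellesflorian" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
 # This file is auto-generated during the composer install
 parameters:
 database_host: ${config.mysql.host}
@@ -18,6 +22,7 @@ let
 mailer_password: null
 secret: ${config.secret}
 '';
+};
 phpFpm = rec {
 socket = "/var/run/phpfpm/floriantelles-${environment}.sock";
 pool = ''
@@ -29,7 +34,7 @@ let
 php_admin_value[upload_max_filesize] = 20M
 php_admin_value[post_max_size] = 20M
 ;php_admin_flag[log_errors] = on
-php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+php_admin_value[open_basedir] = "/run/keys/webapps/${environment}-tellesflorian:${webappDir}:${varDir}:/tmp"
 php_admin_value[session.save_path] = "${varDir}/phpSessions"
 ${if environment == "dev" then ''
 pm = ondemand
@@ -44,9 +49,15 @@ let
 pm.max_spare_servers = 3
 ''}'';
 };
-passwords = writeText "tellesflorian_passwords" ''
-invite:${config.invite_passwords}
+keys."${environment}-tellesflorian-passwords" = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
+invite:${config.invite_passwords}
 '';
+};
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -64,7 +75,7 @@ let
 Use LDAPConnect
 Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
 
-AuthUserFile "${passwords}"
+AuthUserFile "/run/keys/webapps/${environment}-tellesflorian-passwords"
 Require user "invite"
 
 ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
@@ -145,7 +156,7 @@ let
 postInstall = ''
 cd $out
 rm app/config/parameters.yml
-ln -sf ${configRoot} app/config/parameters.yml
+ln -sf /run/keys/webapps/${environment}-tellesflorian app/config/parameters.yml
 rm -rf var/{logs,cache}
 ln -sf ${varDir}/var/{logs,cache,sessions} var/
 '';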
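Review bot: Both new key files are owned by `apache.user` (`wwwrun` in the context lines) and readable by that user only, which is right for `AuthUserFile` since mod_authn_file opens it per request inside the worker process; `parameters.yml`, however, is opened by the php-fpm pool, whose `user`/`group` are not in these hunks, and the previous `/nix/store` copy was world-readable, so a pool running as anything other than `wwwrun` would now fail at runtime with a permission error rather than at build time — worth confirming the pool user before deploying. Independently, `AuthUserFile` requires hashed entries (apr1/bcrypt/sha1) on Unix, and `invite:${config.invite_passwords}` does not show whether `config.invite_passwords` is already hashed; a comment on the key, `# htpasswd-format (hashed) entries, one per line`, would document the expected input. The `tellesflorian` function starts and ends outside these hunks.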