author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 14:59:22 +0200 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-16 14:59:22 +0200 |
commit | 906065a0b7aada3282309791a051e71e5e1cf16d (patch) | |
tree | a26564f732116b4a2b5784f65566caab6e90a8e2 /nixops/modules | |
parent | 50933a04f9db56a6368f40bdfe33e988d1a269df (diff) | |
Move chloe's website keys to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops/modules')
-rw-r--r-- | nixops/modules/websites/chloe/chloe.nix | 37 | ||||
-rw-r--r-- | nixops/modules/websites/chloe/default.nix | 4 |
2 files changed, 28 insertions, 13 deletions
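--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -3,6 +3,7 @@ let
   chloe = { config }: rec {
     environment = config.environment;
     phpFpm = rec {
+      serviceDeps = [ "mysql.service" "${environment}-chloe-key.service" ];
       socket = "/var/run/phpfpm/chloe-${environment}.sock";
       pool = ''
         listen = ${socket}
@@ -15,19 +16,6 @@ let
         ;php_admin_flag[log_errors] = on
         php_admin_value[open_basedir] = "${../commons/spip/spip_mes_options.php}:${configDir}:${webRoot}:${varDir}:/tmp"
         php_admin_value[session.save_path] = "${varDir}/phpSessions"
-        env[SPIP_CONFIG_DIR] = "${configDir}"
-        env[SPIP_VAR_DIR] = "${varDir}"
-        env[SPIP_SITE] = "chloe-${environment}"
-        env[SPIP_LDAP_BASE] = "dc=immae,dc=eu"
-        env[SPIP_LDAP_HOST] = "ldaps://ldap.immae.eu"
-        env[SPIP_LDAP_SEARCH_DN] = "${config.ldap.dn}"
-        env[SPIP_LDAP_SEARCH_PW] = "${config.ldap.password}"
-        env[SPIP_LDAP_SEARCH] = "${config.ldap.search}"
-        env[SPIP_MYSQL_HOST] = "${config.mysql.host}"
-        env[SPIP_MYSQL_PORT] = "${config.mysql.port}"
-        env[SPIP_MYSQL_DB] = "${config.mysql.name}"
-        env[SPIP_MYSQL_USER] = "${config.mysql.user}"
-        env[SPIP_MYSQL_PASSWORD] = "${config.mysql.password}"
         ${if environment == "dev" then ''
         pm = ondemand
         pm.max_children = 5
@@ -40,6 +28,27 @@ let
         pm.max_spare_servers = 3
         ''}'';
     };
+    keys."${environment}-chloe" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0400";
+      text = ''
+        SetEnv SPIP_CONFIG_DIR "${configDir}"
+        SetEnv SPIP_VAR_DIR "${varDir}"
+        SetEnv SPIP_SITE "chloe-${environment}"
+        SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
+        SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
+        SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+        SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+        SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}"
+        SetEnv SPIP_MYSQL_HOST "${config.mysql.host}"
+        SetEnv SPIP_MYSQL_PORT "${config.mysql.port}"
+        SetEnv SPIP_MYSQL_DB "${config.mysql.name}"
+        SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
+        SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+      '';
+    };
     apache = rec {
       user = "wwwrun";
       group = "wwwrun";
@@ -47,6 +56,8 @@ let
       webappName = "chloe_${environment}";
       root = "/run/current-system/webapps/${webappName}";
       vhostConf = ''
+        Include /run/keys/webapps/${environment}-chloe
+
         RewriteEngine On
         ${if environment == "prod" then ''
         RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1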
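Review bot: The added `Include /run/keys/webapps/${environment}-chloe` in vhostConf makes httpd's configuration depend on a file that only exists once the nixops key unit has delivered it, yet the only ordering this commit adds is `serviceDeps` on the php-fpm side, and the php-fpm pool no longer reads any of these values now that the `env[...]` lines are gone. Unless httpd is ordered after `${environment}-chloe-key.service` somewhere not visible here, httpd will fail to start on a host whose /run/keys has not been populated yet (for instance after a reboot, before keys are re-sent). Separately, `${config.ldap.password}` and `${config.mysql.password}` are interpolated verbatim inside `SetEnv ... "..."` lines, so a credential containing `"` or `\` would break the included configuration at httpd startup; I would document that constraint next to `text = ''` with `# interpolated verbatim into httpd SetEnv lines: credentials must not contain double quotes or backslashes`. The enclosing `chloe = { config }: rec { ... }` attrset starts and ends outside these hunks.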
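--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,6 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
+      deployment.keys = chloe_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -40,6 +41,7 @@ in {
         };
       };
 
+      services.myPhpfpm.serviceDependencies.chloe_prod = chloe_prod.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.chloe_prod = chloe_prod.phpFpm.pool;
       services.myPhpfpm.poolPhpConfigs.chloe_prod = ''
         extension=${pkgs.php}/lib/php/extensions/mysqli.so
@@ -58,7 +60,9 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
+      deployment.keys = chloe_dev.keys;
       security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
+      services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
       services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;
       services.myPhpfpm.poolPhpConfigs.chloe_dev = ''
         extension=${pkgs.php}/lib/php/extensions/mysqli.so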
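Review bot: The two new `deployment.keys = chloe_prod.keys;` / `deployment.keys = chloe_dev.keys;` lines carry no explanation of what is being shipped or why it lives outside the Nix store, which is the whole point of this commit per its title. I would add above each one `# SPIP LDAP/MySQL credentials, delivered by nixops to /run/keys/webapps instead of the world-readable store; see chloe.nix keys`. When both `cfg.production.enable` and `cfg.integration.enable` are set, `lib.mkMerge` has to merge two `deployment.keys` attrsets; that presumably works because the key names are prefixed with the environment (`prod-chloe` vs `dev-chloe`), but that assumption is worth stating in the same comment. The enclosing `config = lib.mkMerge [ ... ]` runs past the end of these hunks.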