Move nextcloud passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-22 15:32:34 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-22 15:32:34 +0200
commit: 42fa50f1fa75f62c6e9cada076860196e8185641 (patch)
tree: 6144a0f3c1e1fc7094e5bd2885a7f575f4dcb35c /nixops
parent: 8eded9ecb6220bb26599419a4aaea1743d3d187e (diff)
download: Nix-42fa50f1fa75f62c6e9cada076860196e8185641.tar.gz
Nix-42fa50f1fa75f62c6e9cada076860196e8185641.tar.zst
Nix-42fa50f1fa75f62c6e9cada076860196e8185641.zip
2 files changed, 60 insertions, 66 deletions
diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix
index dc3dde2..7dd37f5 100644
--- a/nixops/modules/websites/tools/cloud/default.nix
+++ b/nixops/modules/websites/tools/cloud/default.nix
@@ -24,6 +24,7 @@ in {
      ];
    };
+    deployment.keys = nextcloud.keys;
    users.users.root.packages = let
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
diff --git a/nixops/modules/websites/tools/cloud/nextcloud.nix b/nixops/modules/websites/tools/cloud/nextcloud.nix
index 59930fb..b339038 100644
--- a/nixops/modules/websites/tools/cloud/nextcloud.nix
+++ b/nixops/modules/websites/tools/cloud/nextcloud.nix
@@ -113,66 +113,62 @@ let
    };
  in rec {
    varDir = "/var/lib/nextcloud";
-    config_php = writeText "config.php" ''
+    keys.tools-nextcloud = {
-      <?php
+      destDir = "/run/keys/webapps";
-      $CONFIG = array (
+      user = apache.user;
-        // FIXME: change this value when nextcloud starts getting slow
+      group = apache.group;
-        'instanceid' => '${env.instance_id}1',
+      permissions = "0600";
-        'datadirectory' => '/var/lib/nextcloud/',
+      text = ''
-        'passwordsalt' => '${env.password_salt}',
+        <?php
-        'debug' => false,
+        $CONFIG = array (
-        'dbtype' => 'pgsql',
+          // FIXME: change this value when nextcloud starts getting slow
-        'version' => '15.0.0.10',
+          'instanceid' => '${env.instance_id}1',
-        'dbname' => '${env.postgresql.database}',
+          'datadirectory' => '/var/lib/nextcloud/',
-        'dbhost' => '${env.postgresql.socket}',
+          'passwordsalt' => '${env.password_salt}',
-        'dbtableprefix' => 'oc_',
+          'debug' => false,
-        'dbuser' => '${env.postgresql.user}',
+          'dbtype' => 'pgsql',
-        'dbpassword' => '${env.postgresql.password}',
+          'version' => '15.0.4.0',
-        'installed' => true,
+          'dbname' => '${env.postgresql.database}',
-        'maxZipInputSize' => 0,
+          'dbhost' => '${env.postgresql.socket}',
-        'allowZipDownload' => true,
+          'dbtableprefix' => 'oc_',
-        'forcessl' => true,
+          'dbuser' => '${env.postgresql.user}',
-        'theme' => ${"''"},
+          'dbpassword' => '${env.postgresql.password}',
-        'maintenance' => false,
+          'installed' => true,
-        'trusted_domains' =>
+          'maxZipInputSize' => 0,
-        array (
+          'allowZipDownload' => true,
-          0 => 'cloud.immae.eu',
+          'forcessl' => true,
-        ),
+          'theme' => ${"''"},
-        'secret' => '${env.secret}',
+          'maintenance' => false,
-        'appstoreenabled' => false,
+          'trusted_domains' => 
-        'appstore.experimental.enabled' => true,
+          array (
-        'loglevel' => 2,
+            0 => 'cloud.immae.eu',
-        'trashbin_retention_obligation' => 'auto',
+          ),
-        'htaccess.RewriteBase' => '/',
+          'secret' => '${env.secret}',
-        'mail_smtpmode' => 'sendmail',
+          'appstoreenabled' => false,
-        'mail_smtphost' => '127.0.0.1',
+          'appstore.experimental.enabled' => true,
-        'mail_smtpname' => ''',
+          'loglevel' => 2,
-        'mail_smtppassword' => ''',
+          'trashbin_retention_obligation' => 'auto',
-        'mail_from_address' => 'nextcloud',
+          'htaccess.RewriteBase' => '/',
-        'mail_smtpauth' => false,
+          'mail_smtpmode' => 'sendmail',
-        'mail_domain' => 'tools.immae.eu',
+          'mail_smtphost' => '127.0.0.1',
-        'memcache.local' => '\\OC\\Memcache\\APCu',
+          'mail_smtpname' => ''',
-        'memcache.locking' => '\\OC\\Memcache\\Redis',
+          'mail_smtppassword' => ''',
-        'filelocking.enabled' => true,
+          'mail_from_address' => 'nextcloud',
-        'redis' =>
+          'mail_smtpauth' => false,
-        array (
+          'mail_domain' => 'tools.immae.eu',
-          'host' => '${env.redis.socket}',
+          'memcache.local' => '\\OC\\Memcache\\APCu',
-          'port' => 0,
+          'memcache.locking' => '\\OC\\Memcache\\Redis',
-          'dbindex' => ${env.redis.db_index},
+          'filelocking.enabled' => true,
-        ),
+          'redis' => 
-        'overwrite.cli.url' => 'https://cloud.immae.eu',
+          array (
-        'ldapIgnoreNamingRules' => false,
+            'host' => '${env.redis.socket}',
-        'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
+            'port' => 0,
-      );
+            'dbindex' => ${env.redis.db_index},
-      '';
+          ),
-    config = stdenv.mkDerivation rec {
+          'overwrite.cli.url' => 'https://cloud.immae.eu',
-      name = "nextcloud-config";
+          'ldapIgnoreNamingRules' => false,
-      src = ./nextcloud-config;
+          'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
-      phases = "installPhase";
+        );
-      installPhase = ''
-        mkdir -p $out
-        cp -r $src/* $out
-        cp ${config_php} $out/config.php
      '';
    };
    webRoot = stdenv.mkDerivation rec {
@@ -207,11 +203,8 @@ let
      text = ''
        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
        install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-        if [ ! -e ${varDir}/config ]; then
+        install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config
-          cp -a ${config} ${varDir}/config
+        install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php
-          chown -R ${apache.user}:${apache.group} ${varDir}/config
-          chmod -R u+w ${varDir}/config
-        fi
      '';
    };
    apache = rec {
@@ -243,7 +236,7 @@ let
    };
    phpFpm = rec {
      basedir = builtins.concatStringsSep ":" (
-        [ webRoot varDir config ]
+        [ webRoot varDir ]
        ++ lib.attrsets.mapAttrsToList (name: value: value) apps);
      socket = "/var/run/phpfpm/nextcloud.sock";
      phpConfig = ''
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-22 15:32:34 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-22 15:32:34 +0200
commit	42fa50f1fa75f62c6e9cada076860196e8185641 (patch)
tree	6144a0f3c1e1fc7094e5bd2885a7f575f4dcb35c /nixops
parent	8eded9ecb6220bb26599419a4aaea1743d3d187e (diff)
download	Nix-42fa50f1fa75f62c6e9cada076860196e8185641.tar.gz Nix-42fa50f1fa75f62c6e9cada076860196e8185641.tar.zst Nix-42fa50f1fa75f62c6e9cada076860196e8185641.zip

diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix index dc3dde2..7dd37f5 100644 --- a/nixops/modules/websites/tools/cloud/default.nix +++ b/nixops/modules/websites/tools/cloud/default.nix
@@ -24,6 +24,7 @@ in {
24	];	24	];
25	};	25	};
26		26
		27	deployment.keys = nextcloud.keys;
27	users.users.root.packages = let	28	users.users.root.packages = let
28	occ = pkgs.writeScriptBin "nextcloud-occ" ''	29	occ = pkgs.writeScriptBin "nextcloud-occ" ''
29	#! ${pkgs.stdenv.shell}	30	#! ${pkgs.stdenv.shell}


diff --git a/nixops/modules/websites/tools/cloud/nextcloud.nix b/nixops/modules/websites/tools/cloud/nextcloud.nix index 59930fb..b339038 100644 --- a/nixops/modules/websites/tools/cloud/nextcloud.nix +++ b/nixops/modules/websites/tools/cloud/nextcloud.nix
@@ -113,66 +113,62 @@ let
113	};	113	};
114	in rec {	114	in rec {
115	varDir = "/var/lib/nextcloud";	115	varDir = "/var/lib/nextcloud";
116	config_php = writeText "config.php" ''	116	keys.tools-nextcloud = {
117	<?php	117	destDir = "/run/keys/webapps";
118	$CONFIG = array (	118	user = apache.user;
119	// FIXME: change this value when nextcloud starts getting slow	119	group = apache.group;
120	'instanceid' => '${env.instance_id}1',	120	permissions = "0600";
121	'datadirectory' => '/var/lib/nextcloud/',	121	text = ''
122	'passwordsalt' => '${env.password_salt}',	122	<?php
123	'debug' => false,	123	$CONFIG = array (
124	'dbtype' => 'pgsql',	124	// FIXME: change this value when nextcloud starts getting slow
125	'version' => '15.0.0.10',	125	'instanceid' => '${env.instance_id}1',
126	'dbname' => '${env.postgresql.database}',	126	'datadirectory' => '/var/lib/nextcloud/',
127	'dbhost' => '${env.postgresql.socket}',	127	'passwordsalt' => '${env.password_salt}',
128	'dbtableprefix' => 'oc_',	128	'debug' => false,
129	'dbuser' => '${env.postgresql.user}',	129	'dbtype' => 'pgsql',
130	'dbpassword' => '${env.postgresql.password}',	130	'version' => '15.0.4.0',
131	'installed' => true,	131	'dbname' => '${env.postgresql.database}',
132	'maxZipInputSize' => 0,	132	'dbhost' => '${env.postgresql.socket}',
133	'allowZipDownload' => true,	133	'dbtableprefix' => 'oc_',
134	'forcessl' => true,	134	'dbuser' => '${env.postgresql.user}',
135	'theme' => ${"''"},	135	'dbpassword' => '${env.postgresql.password}',
136	'maintenance' => false,	136	'installed' => true,
137	'trusted_domains' =>	137	'maxZipInputSize' => 0,
138	array (	138	'allowZipDownload' => true,
139	0 => 'cloud.immae.eu',	139	'forcessl' => true,
140	),	140	'theme' => ${"''"},
141	'secret' => '${env.secret}',	141	'maintenance' => false,
142	'appstoreenabled' => false,	142	'trusted_domains' =>
143	'appstore.experimental.enabled' => true,	143	array (
144	'loglevel' => 2,	144	0 => 'cloud.immae.eu',
145	'trashbin_retention_obligation' => 'auto',	145	),
146	'htaccess.RewriteBase' => '/',	146	'secret' => '${env.secret}',
147	'mail_smtpmode' => 'sendmail',	147	'appstoreenabled' => false,
148	'mail_smtphost' => '127.0.0.1',	148	'appstore.experimental.enabled' => true,
149	'mail_smtpname' => ''',	149	'loglevel' => 2,
150	'mail_smtppassword' => ''',	150	'trashbin_retention_obligation' => 'auto',
151	'mail_from_address' => 'nextcloud',	151	'htaccess.RewriteBase' => '/',
152	'mail_smtpauth' => false,	152	'mail_smtpmode' => 'sendmail',
153	'mail_domain' => 'tools.immae.eu',	153	'mail_smtphost' => '127.0.0.1',
154	'memcache.local' => '\\OC\\Memcache\\APCu',	154	'mail_smtpname' => ''',
155	'memcache.locking' => '\\OC\\Memcache\\Redis',	155	'mail_smtppassword' => ''',
156	'filelocking.enabled' => true,	156	'mail_from_address' => 'nextcloud',
157	'redis' =>	157	'mail_smtpauth' => false,
158	array (	158	'mail_domain' => 'tools.immae.eu',
159	'host' => '${env.redis.socket}',	159	'memcache.local' => '\\OC\\Memcache\\APCu',
160	'port' => 0,	160	'memcache.locking' => '\\OC\\Memcache\\Redis',
161	'dbindex' => ${env.redis.db_index},	161	'filelocking.enabled' => true,
162	),	162	'redis' =>
163	'overwrite.cli.url' => 'https://cloud.immae.eu',	163	array (
164	'ldapIgnoreNamingRules' => false,	164	'host' => '${env.redis.socket}',
165	'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',	165	'port' => 0,
166	);	166	'dbindex' => ${env.redis.db_index},
167	'';	167	),
168	config = stdenv.mkDerivation rec {	168	'overwrite.cli.url' => 'https://cloud.immae.eu',
169	name = "nextcloud-config";	169	'ldapIgnoreNamingRules' => false,
170	src = ./nextcloud-config;	170	'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
171	phases = "installPhase";	171	);
172	installPhase = ''
173	mkdir -p $out
174	cp -r $src/* $out
175	cp ${config_php} $out/config.php
176	'';	172	'';
177	};	173	};
178	webRoot = stdenv.mkDerivation rec {	174	webRoot = stdenv.mkDerivation rec {
@@ -207,11 +203,8 @@ let
207	text = ''	203	text = ''
208	install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}	204	install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
209	install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions	205	install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
210	if [ ! -e ${varDir}/config ]; then	206	install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config
211	cp -a ${config} ${varDir}/config	207	install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php
212	chown -R ${apache.user}:${apache.group} ${varDir}/config
213	chmod -R u+w ${varDir}/config
214	fi
215	'';	208	'';
216	};	209	};
217	apache = rec {	210	apache = rec {
@@ -243,7 +236,7 @@ let
243	};	236	};
244	phpFpm = rec {	237	phpFpm = rec {
245	basedir = builtins.concatStringsSep ":" (	238	basedir = builtins.concatStringsSep ":" (
246	[ webRoot varDir config ]	239	[ webRoot varDir ]
247	++ lib.attrsets.mapAttrsToList (name: value: value) apps);	240	++ lib.attrsets.mapAttrsToList (name: value: value) apps);
248	socket = "/var/run/phpfpm/nextcloud.sock";	241	socket = "/var/run/phpfpm/nextcloud.sock";
249	phpConfig = ''	242	phpConfig = ''