aboutsummaryrefslogtreecommitdiff
path: root/nixops
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 13:46:47 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-16 13:49:24 +0200
commit51900e3488284b0711083819a5ecb1b0f280a913 (patch)
tree2367f6ac79eb9198d4890cf51add27b37cd7b6b0 /nixops
parent3b45d5f2afc3a48809d0353a3133025525247331 (diff)
downloadNix-51900e3488284b0711083819a5ecb1b0f280a913.tar.gz
Nix-51900e3488284b0711083819a5ecb1b0f280a913.tar.zst
Nix-51900e3488284b0711083819a5ecb1b0f280a913.zip
Move etherpad and mediagoblin keys to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/websites/tools/ether/default.nix9
-rw-r--r--nixops/modules/websites/tools/ether/etherpad_lite.nix198
-rw-r--r--nixops/modules/websites/tools/mediagoblin/default.nix5
-rw-r--r--nixops/modules/websites/tools/mediagoblin/mediagoblin.nix98
4 files changed, 163 insertions, 147 deletions
diff --git a/nixops/modules/websites/tools/ether/default.nix b/nixops/modules/websites/tools/ether/default.nix
index c4a9932..6d845ac 100644
--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -12,11 +12,12 @@ in {
12 }; 12 };
13 13
14 config = lib.mkIf cfg.enable { 14 config = lib.mkIf cfg.enable {
15 deployment.keys = etherpad.keys;
15 systemd.services.etherpad-lite = { 16 systemd.services.etherpad-lite = {
16 description = "Etherpad-lite"; 17 description = "Etherpad-lite";
17 wantedBy = [ "multi-user.target" ]; 18 wantedBy = [ "multi-user.target" ];
18 after = [ "network.target" "postgresql.service" ]; 19 after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" ];
19 wants = [ "postgresql.service" ]; 20 wants = [ "postgresql.service" "tools-etherpad-key.service" ];
20 21
21 environment.NODE_ENV = "production"; 22 environment.NODE_ENV = "production";
22 environment.HOME = etherpad.webappDir; 23 environment.HOME = etherpad.webappDir;
@@ -25,13 +26,14 @@ in {
25 26
26 script = '' 27 script = ''
27 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \ 28 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
28 --settings ${etherpad.config} 29 --settings /run/keys/webapps/tools-etherpad
29 ''; 30 '';
30 31
31 serviceConfig = { 32 serviceConfig = {
32 DynamicUser = true; 33 DynamicUser = true;
33 User = "etherpad-lite"; 34 User = "etherpad-lite";
34 Group = "etherpad-lite"; 35 Group = "etherpad-lite";
36 SupplementaryGroups = "keys";
35 WorkingDirectory = etherpad.webappDir; 37 WorkingDirectory = etherpad.webappDir;
36 PrivateTmp = true; 38 PrivateTmp = true;
37 NoNewPrivileges = true; 39 NoNewPrivileges = true;
@@ -42,6 +44,7 @@ in {
42 Restart = "always"; 44 Restart = "always";
43 Type = "simple"; 45 Type = "simple";
44 TimeoutSec = 60; 46 TimeoutSec = 60;
47 ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad";
45 }; 48 };
46 }; 49 };
47 50
diff --git a/nixops/modules/websites/tools/ether/etherpad_lite.nix b/nixops/modules/websites/tools/ether/etherpad_lite.nix
index 02071f1..bc62262 100644
--- a/nixops/modules/websites/tools/ether/etherpad_lite.nix
+++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix
@@ -30,106 +30,110 @@ let
30 "ep_subscript_and_superscript" 30 "ep_subscript_and_superscript"
31 "ep_timesliderdiff" 31 "ep_timesliderdiff"
32 ]; 32 ];
33 config = 33 keys.tools-etherpad = {
34 # Make sure we’re not rebuilding whole libreoffice just because of a 34 destDir = "/run/keys/webapps";
35 # dependency 35 permissions = "0400";
36 let libreoffice = (import <nixpkgs> {}).libreoffice-fresh; 36 text =
37 in 37 # Make sure we’re not rebuilding whole libreoffice just because of a
38 writeText "settings.json" '' 38 # dependency
39 { 39 let libreoffice = (import <nixpkgs> {}).libreoffice-fresh;
40 "title": "Etherpad", 40 in
41 "favicon": "favicon.ico", 41 ''
42 {
43 "title": "Etherpad",
44 "favicon": "favicon.ico",
42 45
43 "ip": "127.0.0.1", 46 "ip": "127.0.0.1",
44 "port" : ${env.listenPort}, 47 "port" : ${env.listenPort},
45 "showSettingsInAdminPage" : false, 48 "showSettingsInAdminPage" : false,
46 "dbType" : "postgres", 49 "dbType" : "postgres",
47 "dbSettings" : { 50 "dbSettings" : {
48 "user" : "${env.postgresql.user}", 51 "user" : "${env.postgresql.user}",
49 "host" : "${env.postgresql.socket}", 52 "host" : "${env.postgresql.socket}",
50 "password": "${env.postgresql.password}", 53 "password": "${env.postgresql.password}",
51 "database": "${env.postgresql.database}", 54 "database": "${env.postgresql.database}",
52 "charset" : "utf8mb4" 55 "charset" : "utf8mb4"
53 }, 56 },
54 57
55 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n", 58 "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
56 "padOptions": { 59 "padOptions": {
57 "noColors": false, 60 "noColors": false,
58 "showControls": true, 61 "showControls": true,
59 "showChat": true, 62 "showChat": true,
60 "showLineNumbers": true, 63 "showLineNumbers": true,
61 "useMonospaceFont": false, 64 "useMonospaceFont": false,
62 "userName": false, 65 "userName": false,
63 "userColor": false, 66 "userColor": false,
64 "rtl": false, 67 "rtl": false,
65 "alwaysShowChat": false, 68 "alwaysShowChat": false,
66 "chatAndUsers": false, 69 "chatAndUsers": false,
67 "lang": "en-gb" 70 "lang": "en-gb"
68 }, 71 },
69 72
70 "suppressErrorsInPadText" : false, 73 "suppressErrorsInPadText" : false,
71 "requireSession" : false, 74 "requireSession" : false,
72 "editOnly" : false, 75 "editOnly" : false,
73 "sessionNoPassword" : false, 76 "sessionNoPassword" : false,
74 "minify" : true, 77 "minify" : true,
75 "maxAge" : 21600, 78 "maxAge" : 21600,
76 "abiword" : null, 79 "abiword" : null,
77 "soffice" : "${libreoffice}/bin/soffice", 80 "soffice" : "${libreoffice}/bin/soffice",
78 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy", 81 "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
79 "allowUnknownFileEnds" : true, 82 "allowUnknownFileEnds" : true,
80 "requireAuthentication" : false, 83 "requireAuthentication" : false,
81 "requireAuthorization" : false, 84 "requireAuthorization" : false,
82 "trustProxy" : false, 85 "trustProxy" : false,
83 "disableIPlogging" : false, 86 "disableIPlogging" : false,
84 "automaticReconnectionTimeout" : 0, 87 "automaticReconnectionTimeout" : 0,
85 "scrollWhenFocusLineIsOutOfViewport": { 88 "scrollWhenFocusLineIsOutOfViewport": {
86 "percentage": { 89 "percentage": {
87 "editionAboveViewport": 0, 90 "editionAboveViewport": 0,
88 "editionBelowViewport": 0 91 "editionBelowViewport": 0
92 },
93 "duration": 0,
94 "scrollWhenCaretIsInTheLastLineOfViewport": false,
95 "percentageToScrollWhenUserPressesArrowUp": 0
89 }, 96 },
90 "duration": 0, 97 "users": {
91 "scrollWhenCaretIsInTheLastLineOfViewport": false, 98 "ldapauth": {
92 "percentageToScrollWhenUserPressesArrowUp": 0 99 "url": "ldaps://${env.ldap.host}",
93 }, 100 "accountBase": "${env.ldap.base}",
94 "users": { 101 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
95 "ldapauth": { 102 "displayNameAttribute": "cn",
96 "url": "ldaps://${env.ldap.host}", 103 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
97 "accountBase": "${env.ldap.base}", 104 "searchPWD": "${env.ldap.password}",
98 "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))", 105 "groupSearchBase": "${env.ldap.base}",
99 "displayNameAttribute": "cn", 106 "groupAttribute": "member",
100 "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu", 107 "groupAttributeIsDN": true,
101 "searchPWD": "${env.ldap.password}", 108 "searchScope": "sub",
102 "groupSearchBase": "${env.ldap.base}", 109 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
103 "groupAttribute": "member", 110 "anonymousReadonly": false
104 "groupAttributeIsDN": true, 111 }
105 "searchScope": "sub", 112 },
106 "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)", 113 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
107 "anonymousReadonly": false 114 "loadTest": false,
108 } 115 "indentationOnNewLine": false,
109 }, 116 "toolbar": {
110 "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"], 117 "left": [
111 "loadTest": false, 118 ["bold", "italic", "underline", "strikethrough"],
112 "indentationOnNewLine": false, 119 ["orderedlist", "unorderedlist", "indent", "outdent"],
113 "toolbar": { 120 ["undo", "redo"],
114 "left": [ 121 ["clearauthorship"]
115 ["bold", "italic", "underline", "strikethrough"], 122 ],
116 ["orderedlist", "unorderedlist", "indent", "outdent"], 123 "right": [
117 ["undo", "redo"], 124 ["importexport", "timeslider", "savedrevision"],
118 ["clearauthorship"] 125 ["settings", "embed"],
119 ], 126 ["showusers"]
120 "right": [ 127 ],
121 ["importexport", "timeslider", "savedrevision"], 128 "timeslider": [
122 ["settings", "embed"], 129 ["timeslider_export", "timeslider_returnToPad"]
123 ["showusers"] 130 ]
124 ], 131 },
125 "timeslider": [ 132 "loglevel": "INFO",
126 ["timeslider_export", "timeslider_returnToPad"] 133 "logconfig" : { "appenders": [ { "type": "console" } ] }
127 ] 134 }
128 }, 135 '';
129 "loglevel": "INFO", 136 };
130 "logconfig" : { "appenders": [ { "type": "console" } ] }
131 }
132 '';
133 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec { 137 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec {
134 __noChroot = true; 138 __noChroot = true;
135 patches = [ ./libreoffice_patch.diff ]; 139 patches = [ ./libreoffice_patch.diff ];
@@ -179,5 +183,5 @@ let
179 }); 183 });
180in 184in
181 { 185 {
182 inherit webappDir config listenPort; 186 inherit webappDir keys listenPort;
183 } 187 }
diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix
index 54c0478..9b058be 100644
--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,6 +12,7 @@ in {
12 }; 12 };
13 13
14 config = lib.mkIf cfg.enable { 14 config = lib.mkIf cfg.enable {
15 deployment.keys = mediagoblin.keys;
15 ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; 16 ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
16 ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; 17 ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
17 18
@@ -22,6 +23,7 @@ in {
22 description = "Mediagoblin user"; 23 description = "Mediagoblin user";
23 home = mediagoblin.varDir; 24 home = mediagoblin.varDir;
24 useDefaultShell = true; 25 useDefaultShell = true;
26 extraGroups = [ "keys" ];
25 }; 27 };
26 28
27 users.groups.mediagoblin.gid = config.ids.gids.mediagoblin; 29 users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
@@ -29,7 +31,8 @@ in {
29 systemd.services.mediagoblin-web = { 31 systemd.services.mediagoblin-web = {
30 description = "Mediagoblin service"; 32 description = "Mediagoblin service";
31 wantedBy = [ "multi-user.target" ]; 33 wantedBy = [ "multi-user.target" ];
32 after = [ "network.target" ]; 34 after = [ "network.target" "tools-mediagoblin-key.service" ];
35 wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
33 36
34 environment.SCRIPT_NAME = "/mediagoblin/"; 37 environment.SCRIPT_NAME = "/mediagoblin/";
35 38
diff --git a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
index e1876ae..23ee24d 100644
--- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
@@ -190,61 +190,67 @@ in
190 url_scheme = https 190 url_scheme = https
191 ''; 191 '';
192 192
193 mediagoblin_local = writeText "mediagoblin_local.ini" '' 193 keys.tools-mediagoblin = {
194 [DEFAULT] 194 destDir = "/run/keys/webapps";
195 data_basedir = "${varDir}" 195 user = "mediagoblin";
196 group = "mediagoblin";
197 permissions = "0400";
198 text = ''
199 [DEFAULT]
200 data_basedir = "${varDir}"
196 201
197 [mediagoblin] 202 [mediagoblin]
198 direct_remote_path = /mgoblin_static/ 203 direct_remote_path = /mgoblin_static/
199 email_sender_address = "mediagoblin@tools.immae.eu" 204 email_sender_address = "mediagoblin@tools.immae.eu"
200 205
201 #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db 206 #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
202 sql_engine = ${env.psql_url} 207 sql_engine = ${env.psql_url}
203 208
204 email_debug_mode = false 209 email_debug_mode = false
205 allow_registration = false 210 allow_registration = false
206 allow_reporting = true 211 allow_reporting = true
207 212
208 theme = airymodified 213 theme = airymodified
209 214
210 user_privilege_scheme = "uploader,commenter,reporter" 215 user_privilege_scheme = "uploader,commenter,reporter"
211 216
212 # We need to redefine them here since we override data_basedir 217 # We need to redefine them here since we override data_basedir
213 # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini 218 # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
214 workbench_path = %(data_basedir)s/media/workbench 219 workbench_path = %(data_basedir)s/media/workbench
215 crypto_path = %(data_basedir)s/crypto 220 crypto_path = %(data_basedir)s/crypto
216 theme_install_dir = %(data_basedir)s/themes/ 221 theme_install_dir = %(data_basedir)s/themes/
217 theme_linked_assets_dir = %(data_basedir)s/theme_static/ 222 theme_linked_assets_dir = %(data_basedir)s/theme_static/
218 plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ 223 plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
219 224
220 [storage:queuestore] 225 [storage:queuestore]
221 base_dir = %(data_basedir)s/media/queue 226 base_dir = %(data_basedir)s/media/queue
222 227
223 [storage:publicstore] 228 [storage:publicstore]
224 base_dir = %(data_basedir)s/media/public 229 base_dir = %(data_basedir)s/media/public
225 base_url = /mgoblin_media/ 230 base_url = /mgoblin_media/
226 231
227 [celery] 232 [celery]
228 CELERY_RESULT_DBURI = ${env.redis_url} 233 CELERY_RESULT_DBURI = ${env.redis_url}
229 BROKER_URL = ${env.redis_url} 234 BROKER_URL = ${env.redis_url}
230 CELERYD_CONCURRENCY = 1 235 CELERYD_CONCURRENCY = 1
231 236
232 [plugins] 237 [plugins]
233 [[mediagoblin.plugins.geolocation]] 238 [[mediagoblin.plugins.geolocation]]
234 [[mediagoblin.plugins.ldap]] 239 [[mediagoblin.plugins.ldap]]
235 [[[immae.eu]]] 240 [[[immae.eu]]]
236 LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' 241 LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
237 LDAP_SEARCH_BASE = 'dc=immae,dc=eu' 242 LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
238 LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' 243 LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
239 LDAP_BIND_PW = '${env.ldap.password}' 244 LDAP_BIND_PW = '${env.ldap.password}'
240 LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' 245 LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
241 EMAIL_SEARCH_FIELD = 'mail' 246 EMAIL_SEARCH_FIELD = 'mail'
242 [[mediagoblin.plugins.basicsearch]] 247 [[mediagoblin.plugins.basicsearch]]
243 [[mediagoblin.plugins.piwigo]] 248 [[mediagoblin.plugins.piwigo]]
244 [[mediagoblin.plugins.processing_info]] 249 [[mediagoblin.plugins.processing_info]]
245 [[mediagoblin.media_types.image]] 250 [[mediagoblin.media_types.image]]
246 [[mediagoblin.media_types.video]] 251 [[mediagoblin.media_types.video]]
247 ''; 252 '';
253 };
248 pythonRoot = 254 pythonRoot =
249 with pkgs.gst_all_1; 255 with pkgs.gst_all_1;
250 stdenv.mkDerivation { 256 stdenv.mkDerivation {
@@ -281,7 +287,7 @@ in
281 --prefix GI_TYPELIB_PATH : ${typelib_paths} 287 --prefix GI_TYPELIB_PATH : ${typelib_paths}
282 find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \; 288 find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \;
283 ln -s ${paste_local} ./paste_local.ini 289 ln -s ${paste_local} ./paste_local.ini
284 ln -s ${mediagoblin_local} ./mediagoblin_local.ini 290 ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini
285 ln -sf ${varDir} ./user_dev 291 ln -sf ${varDir} ./user_dev
286 ''; 292 '';
287 }; 293 };