Move shaarli passwords to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

3 files changed, 35 insertions, 6 deletions

diff --git a/nixops/modules/websites/phpfpm/default.nix b/nixops/modules/websites/phpfpm/default.nix
index 882babc..9c068bf 100644
--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -83,6 +83,18 @@ in {
         '';
       };
 
+      envFile = mkOption {
+        default = {};
+        type = types.attrsOf types.string;
+        example = literalExample ''
+          { mypool = "path/to/file";
+          }
+        '';
+        description = ''
+          Extra environment file go into the service script.
+        '';
+      };
+
       poolPhpConfigs = mkOption {
         default = {};
         type = types.attrsOf types.lines;
@@ -174,6 +186,7 @@ in {
           cfgFile = fpmCfgFile pool poolConfig;
           poolPhpIni = cfg.poolPhpConfigs.${pool} or "";
         in {
+          EnvironmentFile = if builtins.hasAttr pool cfg.envFile then [cfg.envFile.${pool}] else [];
           Slice = "phpfpm.slice";
           PrivateDevices = true;
           ProtectSystem = "full";
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index 3d5465f..31ed035 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -50,6 +50,7 @@ in {
       kanboard.keys
       // ldap.keys
       // roundcubemail.keys
+      // shaarli.keys
       // ttrss.keys
       // wallabag.keys
       // yourls.keys;
@@ -137,12 +138,17 @@ in {
       ];
     };
 
+    services.myPhpfpm.envFile = {
+      shaarli = shaarli.phpFpm.envFile;
+    };
+
     services.myPhpfpm.serviceDependencies = {
       dokuwiki = dokuwiki.phpFpm.serviceDeps;
       kanboard = kanboard.phpFpm.serviceDeps;
       ldap = ldap.phpFpm.serviceDeps;
       rainloop = rainloop.phpFpm.serviceDeps;
       roundcubemail = roundcubemail.phpFpm.serviceDeps;
+      shaarli = shaarli.phpFpm.serviceDeps;
       ttrss = ttrss.phpFpm.serviceDeps;
       wallabag = wallabag.phpFpm.serviceDeps;
       yourls = yourls.phpFpm.serviceDeps;
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
index 0f6b460..157c4de 100644
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/nixops/modules/websites/tools/tools/shaarli.nix
@@ -50,12 +50,6 @@ in rec {
       Alias /Shaarli "${root}"
 
       <Directory "${root}">
-        SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-        SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
-        SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
-        SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
-        SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
-
         DirectoryIndex index.php index.htm index.html
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
@@ -66,7 +60,22 @@ in rec {
       </Directory>
       '';
   };
+  keys.tools-shaarli = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+      SHAARLI_LDAP_DN="${env.ldap.dn}"
+      SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+      SHAARLI_LDAP_BASE="${env.ldap.base}"
+      SHAARLI_LDAP_FILTER="${env.ldap.search}"
+      '';
+  };
   phpFpm = rec {
+    serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+    envFile = "/run/keys/webapps/tools-shaarli";
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
     socket = "/var/run/phpfpm/shaarli.sock";
     pool = ''
@@ -78,6 +87,7 @@ in rec {
         pm = ondemand
         pm.max_children = 60
         pm.process_idle_timeout = 60
+        clear_env = no
 
         ; Needed to avoid clashes in browser cookies (same domain)
         php_value[session.name] = ShaarliPHPSESSID