author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 09:05:46 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 09:05:46 +0200 |
commit | 32c84ff89c2b8931f58cea63961a178a9b1d0efe (patch) | |
tree | 7a90c28e1db3d8c704b2371737f2f2fae471db67 /nixops | |
parent | 742697c95318d3625298437995e948ee00a00ba5 (diff) | |
Move etherpad, mastodon, mediagoblin, task and peertube to the new secrets mechanism
Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/task/default.nix | 8 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether/default.nix | 10 | ||||
-rw-r--r-- | nixops/modules/websites/tools/ether/etherpad_lite.nix | 26 | ||||
-rw-r--r-- | nixops/modules/websites/tools/mastodon/default.nix | 8 | ||||
-rw-r--r-- | nixops/modules/websites/tools/mastodon/mastodon.nix | 9 | ||||
-rw-r--r-- | nixops/modules/websites/tools/mediagoblin/default.nix | 6 | ||||
-rw-r--r-- | nixops/modules/websites/tools/mediagoblin/mediagoblin.nix | 8 | ||||
-rw-r--r-- | nixops/modules/websites/tools/peertube/default.nix | 12 |
8 files changed, 44 insertions, 43 deletions
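--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -87,8 +87,8 @@ in {
 };
 
 config = lib.mkIf cfg.enable {
-deployment.keys.tools-taskwarrior-web = {
-destDir = "/run/keys/webapps";
+mySecrets.keys = [{
+dest = "webapps/tools-taskwarrior-web";
 user = "wwwrun";
 group = "wwwrun";
 permissions = "0400";
@@ -101,7 +101,7 @@ in {
 SetEnv TASKD_LDAP_BASE "${env.ldap.base}"
 SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
 '';
-};
+}];
 security.acme.certs."eldiron".extraDomains.${fqdn} = null;
 services.myWebsites.tools.modules = [ "proxy_fcgi" "sed" ];
 services.myWebsites.tools.vhostConfs.task = {
@@ -116,7 +116,7 @@ in {
 <FilesMatch "\.php$">
 SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
 </FilesMatch>
-Include /run/keys/webapps/tools-taskwarrior-web
+Include /var/secrets/webapps/tools-taskwarrior-web
 </Directory>
 ''
 ''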
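--- a/nixops/modules/websites/tools/ether/default.nix
+++ b/nixops/modules/websites/tools/ether/default.nix
@@ -12,12 +12,12 @@ in {
 };
 
 config = lib.mkIf cfg.enable {
-deployment.keys = etherpad.keys;
+mySecrets.keys = etherpad.keys;
 systemd.services.etherpad-lite = {
 description = "Etherpad-lite";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
-wants = [ "postgresql.service" "tools-etherpad-key.service" "tools-etherpad-apikey-key.service" "tools-etherpad-sessionkey-key.service" ];
+after = [ "network.target" "postgresql.service" ];
+wants = [ "postgresql.service" ];
 
 environment.NODE_ENV = "production";
 environment.HOME = etherpad.webappDir;
@@ -26,7 +26,7 @@ in {
 
 script = ''
 exec ${pkgs.nodejs}/bin/node ${etherpad.webappDir}/src/node/server.js \
---settings /run/keys/webapps/tools-etherpad
+--settings /var/secrets/webapps/tools-etherpad
 '';
 
 serviceConfig = {
@@ -44,7 +44,7 @@ in {
 Restart = "always";
 Type = "simple";
 TimeoutSec = 60;
-ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /run/keys/webapps/tools-etherpad /run/keys/webapps/tools-etherpad-sessionkey /run/keys/webapps/tools-etherpad-apikey";
+ExecStartPre = "+${pkgs.coreutils}/bin/chown etherpad-lite:etherpad-lite /var/secrets/webapps/tools-etherpad /var/secrets/webapps/tools-etherpad-sessionkey /var/secrets/webapps/tools-etherpad-apikey";
 };
 };
 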
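Review bot: Dropping the `tools-etherpad-*-key.service` entries from `after`/`wants` removes the only ordering that guaranteed the secret files existed before etherpad-lite started; with `/var/secrets` that is only safe if the mySecrets module writes the files during activation, before units are started, which is not visible here — a comment such as `# secrets are installed at activation time by mySecrets, no unit ordering needed` would record that assumption. The `+`-prefixed ExecStartPre still chowns the three files as root on every start, which appears to be needed only because the etherpad key entries carry no `user`/`group` (unlike the taskwarrior and mastodon keys); declaring the owner on the keys would let this root-privileged pre-step go away. Note also that `/var/secrets` is presumably persistent storage rather than the tmpfs `/run/keys` nixops used, so the session key and API key now live on disk across reboots; confirm that this is intended for this host.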
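--- a/nixops/modules/websites/tools/ether/etherpad_lite.nix
+++ b/nixops/modules/websites/tools/ether/etherpad_lite.nix
@@ -30,19 +30,19 @@ let
 "ep_subscript_and_superscript"
 "ep_timesliderdiff"
 ];
-keys = {
-tools-etherpad-apikey = {
-destDir = "/run/keys/webapps";
+keys = [
+{
+dest = "webapps/tools-etherpad-apikey";
 permissions = "0400";
 text = env.api_key;
-};
-tools-etherpad-sessionkey = {
-destDir = "/run/keys/webapps";
+}
+{
+dest = "webapps/tools-etherpad-sessionkey";
 permissions = "0400";
 text = env.session_key;
-};
-tools-etherpad = {
-destDir = "/run/keys/webapps";
+}
+{
+dest = "webapps/tools-etherpad";
 permissions = "0400";
 text =
 # Make sure we’re not rebuilding whole libreoffice just because of a
@@ -144,8 +144,8 @@ let
 "logconfig" : { "appenders": [ { "type": "console" } ] }
 }
 '';
-};
-};
+}
+];
 webappDir = stdenv.mkDerivation (fetchedGithub ./etherpad-lite.json // rec {
 __noChroot = true;
 patches = [ ./libreoffice_patch.diff ];
@@ -182,8 +182,8 @@ let
 install -t $out/src/ -vDm 644 src/.ep_initialized
 cp -a node_modules $out/
 cp -a src/* $out/src/
-ln -sf /run/keys/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt
-ln -sf /run/keys/webapps/tools-etherpad-apikey $out/APIKEY.txt
+ln -sf /var/secrets/webapps/tools-etherpad-sessionkey $out/SESSIONKEY.txt
+ln -sf /var/secrets/webapps/tools-etherpad-apikey $out/APIKEY.txt
 cp ${jquery} $out/src/static/js/jquery.js
 
 mkdir $out/doc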
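Review bot: The three secret entries in `keys` set `permissions = "0400"` but no `user`/`group`, so the files are presumably created root-owned and unreadable by the etherpad-lite user until something chowns them at runtime; the other migrated key definitions (taskwarrior, mastodon, mediagoblin, peertube) declare the owner on the key itself. Adding `user = "etherpad-lite";` and `group = "etherpad-lite";` to each of the three entries makes the 0400 mode meaningful without a privileged fix-up step. The `keys` attribute set itself starts inside the hunk, but the enclosing `let` binding list continues outside it. The `ln -sf` lines store symlinks to `/var/secrets/...` paths in the Nix store output, which is fine, but a comment like `# symlinks resolve at runtime; secrets never enter the store` would make that intent explicit.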
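--- a/nixops/modules/websites/tools/mastodon/default.nix
+++ b/nixops/modules/websites/tools/mastodon/default.nix
@@ -13,7 +13,7 @@ in {
 };
 
 config = lib.mkIf cfg.enable {
-deployment.keys = mastodon.keys;
+mySecrets.keys = mastodon.keys;
 ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
 ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
 
@@ -55,7 +55,7 @@ in {
 
 serviceConfig = {
 User = "mastodon";
-EnvironmentFile = "/run/keys/webapps/tools-mastodon";
+EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
 PrivateTmp = true;
 Restart = "always";
 TimeoutSec = 15;
@@ -88,7 +88,7 @@ in {
 
 serviceConfig = {
 User = "mastodon";
-EnvironmentFile = "/run/keys/webapps/tools-mastodon";
+EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
 PrivateTmp = true;
 Restart = "always";
 TimeoutSec = 60;
@@ -117,7 +117,7 @@ in {
 
 serviceConfig = {
 User = "mastodon";
-EnvironmentFile = "/run/keys/webapps/tools-mastodon";
+EnvironmentFile = "/var/secrets/webapps/tools-mastodon";
 PrivateTmp = true;
 Restart = "always";
 TimeoutSec = 15;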
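--- a/nixops/modules/websites/tools/mastodon/mastodon.nix
+++ b/nixops/modules/websites/tools/mastodon/mastodon.nix
@@ -58,8 +58,8 @@ let
 '';
 buildInputs = [ yarnModules ];
 });
-keys.tools-mastodon = {
-destDir = "/run/keys/webapps";
+keys.mastodon = {
+dest = "webapps/tools-mastodon";
 user = "mastodon";
 group = "mastodon";
 permissions = "0400";
@@ -113,7 +113,7 @@ let
 builder = writeText "build_mastodon_immae" ''
 source $stdenv/setup
 set -a
-${keys.tools-mastodon.text}
+${keys.mastodon.text}
 set +a
 cp -a $mastodon $out
 cd $out
@@ -128,7 +128,8 @@ let
 };
 in
 {
-inherit railsRoot keys varDir socketsDir gems;
+inherit railsRoot varDir socketsDir gems;
+keys = builtins.attrValues keys;
 nodeSocket = "${socketsDir}/live_immae_node.sock";
 railsSocket = "${socketsDir}/live_immae_puma.sock";
 }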
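Review bot: The renamed `${keys.mastodon.text}` is still interpolated into `builder = writeText "build_mastodon_immae" ''...''`, which writes the full contents of the secret environment file into a world-readable `/nix/store` path (and into the derivation itself), so the 0400 mode on `/var/secrets/webapps/tools-mastodon` protects nothing while the build script exists. The commit only renames the attribute and does not address this. If the asset build genuinely needs settings from that file (likely only non-secret ones such as `RAILS_ENV` or paths), those should be passed separately, and a comment such as `# NOTE: secrets must not be interpolated here; everything in this builder lands in the store` added at the `builder =` line. The `mastodon` derivation this builder belongs to starts before the hunk, so its other inputs are not visible here.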
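--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,7 +12,7 @@ in {
 };
 
 config = lib.mkIf cfg.enable {
-deployment.keys = mediagoblin.keys;
+mySecrets.keys = mediagoblin.keys;
 ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
 ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
 
@@ -31,8 +31,8 @@ in {
 systemd.services.mediagoblin-web = {
 description = "Mediagoblin service";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "tools-mediagoblin-key.service" ];
-wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
+after = [ "network.target" ];
+wants = [ "postgresql.service" "redis.service" ];
 
 environment.SCRIPT_NAME = "/mediagoblin/";
 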
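Review bot: After this change `mediagoblin-web` has `wants = [ "postgresql.service" "redis.service" ]` but `after = [ "network.target" ]` only, so systemd pulls the database and cache units in without ordering the web service after them; `wants` alone gives no start-up ordering, and the etherpad and peertube units in this same commit list `postgresql.service` in both. Unless the service is known to retry its connections, the line should read `after = [ "network.target" "postgresql.service" "redis.service" ];`. The key-service ordering that was removed is now implicitly replaced by whatever mySecrets does at activation, which is not visible here; a short comment saying so would help the next reader. The `systemd.services.mediagoblin-web` definition continues past the end of the hunk.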
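--- a/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
+++ b/nixops/modules/websites/tools/mediagoblin/mediagoblin.nix
@@ -190,8 +190,8 @@ in
 url_scheme = https
 '';
 
-keys.tools-mediagoblin = {
-destDir = "/run/keys/webapps";
+keys = [{
+dest = "webapps/tools-mediagoblin";
 user = "mediagoblin";
 group = "mediagoblin";
 permissions = "0400";
@@ -250,7 +250,7 @@ in
 [[mediagoblin.media_types.image]]
 [[mediagoblin.media_types.video]]
 '';
-};
+}];
 pythonRoot =
 with pkgs.gst_all_1;
 stdenv.mkDerivation {
@@ -287,7 +287,7 @@ in
 --prefix GI_TYPELIB_PATH : ${typelib_paths}
 find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \;
 ln -s ${paste_local} ./paste_local.ini
-ln -s /run/keys/webapps/tools-mediagoblin ./mediagoblin_local.ini
+ln -s /var/secrets/webapps/tools-mediagoblin ./mediagoblin_local.ini
 ln -sf ${varDir} ./user_dev
 ''';
 };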
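--- a/nixops/modules/websites/tools/peertube/default.nix
+++ b/nixops/modules/websites/tools/peertube/default.nix
@@ -30,8 +30,8 @@ in {
 systemd.services.peertube = {
 description = "Peertube";
 wantedBy = [ "multi-user.target" ];
-after = [ "network.target" "postgresql.service" "tools-peertube-key.service" ];
-wants = [ "postgresql.service" "tools-peertube-key.service" ];
+after = [ "network.target" "postgresql.service" ];
+wants = [ "postgresql.service" ];
 
 environment.NODE_CONFIG_DIR = "${peertube.varDir}/config";
 environment.NODE_ENV = "production";
@@ -58,20 +58,20 @@ in {
 unitConfig.RequiresMountsFor = peertube.varDir;
 };
 
-deployment.keys.tools-peertube = {
-destDir = "/run/keys/webapps";
+mySecrets.keys = [{
+dest = "webapps/tools-peertube";
 user = "peertube";
 group = "peertube";
 permissions = "0640";
 text = peertube.config;
-};
+}];
 
 system.activationScripts.peertube = {
 deps = [ "users" ];
 text = ''
 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}
 install -m 0750 -o peertube -g peertube -d ${peertube.varDir}/config
-ln -sf /run/keys/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
+ln -sf /var/secrets/webapps/tools-peertube ${peertube.varDir}/config/production.yaml
 '';
 };
 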
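Review bot: The peertube secret keeps `permissions = "0640"` while every other key migrated in this commit uses `"0400"`, so the `production.yaml` (database credentials and similar, presumably) stays readable by any member of the `peertube` group even though the service reads it as user `peertube`; unless a second account in that group needs it, this should be `permissions = "0400";`. If group access is intentional, a comment such as `# 0640: read by <which process> via the peertube group` next to the mode would stop the next reviewer from tightening it. The activation script creates the symlink during activation, which is before units start, so the dropped `tools-peertube-key.service` ordering is not needed for the link itself; whether the target file exists at that point depends on the mySecrets module, which is not visible here.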