Move mastodon secret to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 14:07:47 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 14:07:47 +0200
commit: 50933a04f9db56a6368f40bdfe33e988d1a269df (patch)
tree: 232bf8de417e15841d75c313bc02fb7aaa0ede42 /nixops
parent: 51900e3488284b0711083819a5ecb1b0f280a913 (diff)
download: Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.tar.gz
Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.tar.zst
Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.zip
2 files changed, 47 insertions, 39 deletions
diff --git a/nixops/modules/websites/tools/mastodon/default.nix b/nixops/modules/websites/tools/mastodon/default.nix
index ebea48f..048d845 100644
--- a/nixops/modules/websites/tools/mastodon/default.nix
+++ b/nixops/modules/websites/tools/mastodon/default.nix
@@ -13,6 +13,7 @@ in {
  };
  config = lib.mkIf cfg.enable {
+    deployment.keys = mastodon.keys;
    ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
    ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
@@ -54,7 +55,7 @@ in {
      serviceConfig = {
        User = "mastodon";
-        EnvironmentFile = mastodon.config;
+        EnvironmentFile = "/run/keys/webapps/tools-mastodon";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 15;
@@ -87,7 +88,7 @@ in {
      serviceConfig = {
        User = "mastodon";
-        EnvironmentFile = mastodon.config;
+        EnvironmentFile = "/run/keys/webapps/tools-mastodon";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 60;
@@ -116,7 +117,7 @@ in {
      serviceConfig = {
        User = "mastodon";
-        EnvironmentFile = mastodon.config;
+        EnvironmentFile = "/run/keys/webapps/tools-mastodon";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 15;
diff --git a/nixops/modules/websites/tools/mastodon/mastodon.nix b/nixops/modules/websites/tools/mastodon/mastodon.nix
index 90e537f..944b2db 100644
--- a/nixops/modules/websites/tools/mastodon/mastodon.nix
+++ b/nixops/modules/websites/tools/mastodon/mastodon.nix
@@ -58,55 +58,62 @@ let
    '';
    buildInputs = [ yarnModules ];
  });
-  config = writeText "mastodon_environment" ''
+  keys.tools-mastodon = {
-    REDIS_HOST=${env.redis.host}
+    destDir = "/run/keys/webapps";
-    REDIS_PORT=${env.redis.port}
+    user = "mastodon";
-    REDIS_DB=${env.redis.db}
+    group = "mastodon";
-    DB_HOST=${env.postgresql.socket}
+    permissions = "0400";
-    DB_USER=${env.postgresql.user}
+    text = ''
-    DB_NAME=${env.postgresql.database}
+      REDIS_HOST=${env.redis.host}
-    DB_PASS=${env.postgresql.password}
+      REDIS_PORT=${env.redis.port}
-    DB_PORT=${env.postgresql.port}
+      REDIS_DB=${env.redis.db}
+      DB_HOST=${env.postgresql.socket}
+      DB_USER=${env.postgresql.user}
+      DB_NAME=${env.postgresql.database}
+      DB_PASS=${env.postgresql.password}
+      DB_PORT=${env.postgresql.port}
-    LOCAL_DOMAIN=mastodon.immae.eu
+      LOCAL_DOMAIN=mastodon.immae.eu
-    LOCAL_HTTPS=true
+      LOCAL_HTTPS=true
-    ALTERNATE_DOMAINS=immae.eu
+      ALTERNATE_DOMAINS=immae.eu
-    PAPERCLIP_SECRET=${env.paperclip_secret}
+      PAPERCLIP_SECRET=${env.paperclip_secret}
-    SECRET_KEY_BASE=${env.secret_key_base}
+      SECRET_KEY_BASE=${env.secret_key_base}
-    OTP_SECRET=${env.otp_secret}
+      OTP_SECRET=${env.otp_secret}
-    VAPID_PRIVATE_KEY=${env.vapid.private}
+      VAPID_PRIVATE_KEY=${env.vapid.private}
-    VAPID_PUBLIC_KEY=${env.vapid.public}
+      VAPID_PUBLIC_KEY=${env.vapid.public}
-    SMTP_DELIVERY_METHOD=sendmail
+      SMTP_DELIVERY_METHOD=sendmail
-    SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+      SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
-    SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+      SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
-    PAPERCLIP_ROOT_PATH=${varDir}
+      PAPERCLIP_ROOT_PATH=${varDir}
-    STREAMING_CLUSTER_NUM=1
+      STREAMING_CLUSTER_NUM=1
-    RAILS_LOG_LEVEL=warn
+      RAILS_LOG_LEVEL=warn
-    # LDAP authentication (optional)
+      # LDAP authentication (optional)
-    LDAP_ENABLED=true
+      LDAP_ENABLED=true
-    LDAP_HOST=ldap.immae.eu
+      LDAP_HOST=ldap.immae.eu
-    LDAP_PORT=636
+      LDAP_PORT=636
-    LDAP_METHOD=simple_tls
+      LDAP_METHOD=simple_tls
-    LDAP_BASE="dc=immae,dc=eu"
+      LDAP_BASE="dc=immae,dc=eu"
-    LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+      LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
-    LDAP_PASSWORD="${env.ldap.password}"
+      LDAP_PASSWORD="${env.ldap.password}"
-    LDAP_UID="uid"
+      LDAP_UID="uid"
-    LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+      LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
    '';
+  };
+    # FIXME: build machine will contain some passwords in the nix store
    railsRoot = stdenv.mkDerivation {
      name = "mastodon_immae";
-      inherit config mastodon;
+      inherit mastodon;
      builder = writeText "build_mastodon_immae" ''
        source $stdenv/setup
        set -a
-        source $config
+        ${keys.tools-mastodon.text}
        set +a
        cp -a $mastodon $out
        cd $out
@@ -121,7 +128,7 @@ let
    };
 in
  {
-    inherit railsRoot config varDir socketsDir gems;
+    inherit railsRoot keys varDir socketsDir gems;
    nodeSocket = "${socketsDir}/live_immae_node.sock";
    railsSocket = "${socketsDir}/live_immae_puma.sock";
  }
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 14:07:47 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 14:07:47 +0200
commit	50933a04f9db56a6368f40bdfe33e988d1a269df (patch)
tree	232bf8de417e15841d75c313bc02fb7aaa0ede42 /nixops
parent	51900e3488284b0711083819a5ecb1b0f280a913 (diff)
download	Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.tar.gz Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.tar.zst Nix-50933a04f9db56a6368f40bdfe33e988d1a269df.zip

diff --git a/nixops/modules/websites/tools/mastodon/default.nix b/nixops/modules/websites/tools/mastodon/default.nix index ebea48f..048d845 100644 --- a/nixops/modules/websites/tools/mastodon/default.nix +++ b/nixops/modules/websites/tools/mastodon/default.nix
@@ -13,6 +13,7 @@ in {
13	};	13	};
14		14
15	config = lib.mkIf cfg.enable {	15	config = lib.mkIf cfg.enable {
		16	deployment.keys = mastodon.keys;
16	ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;	17	ids.uids.mastodon = myconfig.env.tools.mastodon.user.uid;
17	ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;	18	ids.gids.mastodon = myconfig.env.tools.mastodon.user.gid;
18		19
@@ -54,7 +55,7 @@ in {
54		55
55	serviceConfig = {	56	serviceConfig = {
56	User = "mastodon";	57	User = "mastodon";
57	EnvironmentFile = mastodon.config;	58	EnvironmentFile = "/run/keys/webapps/tools-mastodon";
58	PrivateTmp = true;	59	PrivateTmp = true;
59	Restart = "always";	60	Restart = "always";
60	TimeoutSec = 15;	61	TimeoutSec = 15;
@@ -87,7 +88,7 @@ in {
87		88
88	serviceConfig = {	89	serviceConfig = {
89	User = "mastodon";	90	User = "mastodon";
90	EnvironmentFile = mastodon.config;	91	EnvironmentFile = "/run/keys/webapps/tools-mastodon";
91	PrivateTmp = true;	92	PrivateTmp = true;
92	Restart = "always";	93	Restart = "always";
93	TimeoutSec = 60;	94	TimeoutSec = 60;
@@ -116,7 +117,7 @@ in {
116		117
117	serviceConfig = {	118	serviceConfig = {
118	User = "mastodon";	119	User = "mastodon";
119	EnvironmentFile = mastodon.config;	120	EnvironmentFile = "/run/keys/webapps/tools-mastodon";
120	PrivateTmp = true;	121	PrivateTmp = true;
121	Restart = "always";	122	Restart = "always";
122	TimeoutSec = 15;	123	TimeoutSec = 15;


diff --git a/nixops/modules/websites/tools/mastodon/mastodon.nix b/nixops/modules/websites/tools/mastodon/mastodon.nix index 90e537f..944b2db 100644 --- a/nixops/modules/websites/tools/mastodon/mastodon.nix +++ b/nixops/modules/websites/tools/mastodon/mastodon.nix
@@ -58,55 +58,62 @@ let
58	'';	58	'';
59	buildInputs = [ yarnModules ];	59	buildInputs = [ yarnModules ];
60	});	60	});
61	config = writeText "mastodon_environment" ''	61	keys.tools-mastodon = {
62	REDIS_HOST=${env.redis.host}	62	destDir = "/run/keys/webapps";
63	REDIS_PORT=${env.redis.port}	63	user = "mastodon";
64	REDIS_DB=${env.redis.db}	64	group = "mastodon";
65	DB_HOST=${env.postgresql.socket}	65	permissions = "0400";
66	DB_USER=${env.postgresql.user}	66	text = ''
67	DB_NAME=${env.postgresql.database}	67	REDIS_HOST=${env.redis.host}
68	DB_PASS=${env.postgresql.password}	68	REDIS_PORT=${env.redis.port}
69	DB_PORT=${env.postgresql.port}	69	REDIS_DB=${env.redis.db}
		70	DB_HOST=${env.postgresql.socket}
		71	DB_USER=${env.postgresql.user}
		72	DB_NAME=${env.postgresql.database}
		73	DB_PASS=${env.postgresql.password}
		74	DB_PORT=${env.postgresql.port}
70		75
71	LOCAL_DOMAIN=mastodon.immae.eu	76	LOCAL_DOMAIN=mastodon.immae.eu
72	LOCAL_HTTPS=true	77	LOCAL_HTTPS=true
73	ALTERNATE_DOMAINS=immae.eu	78	ALTERNATE_DOMAINS=immae.eu
74		79
75	PAPERCLIP_SECRET=${env.paperclip_secret}	80	PAPERCLIP_SECRET=${env.paperclip_secret}
76	SECRET_KEY_BASE=${env.secret_key_base}	81	SECRET_KEY_BASE=${env.secret_key_base}
77	OTP_SECRET=${env.otp_secret}	82	OTP_SECRET=${env.otp_secret}
78		83
79	VAPID_PRIVATE_KEY=${env.vapid.private}	84	VAPID_PRIVATE_KEY=${env.vapid.private}
80	VAPID_PUBLIC_KEY=${env.vapid.public}	85	VAPID_PUBLIC_KEY=${env.vapid.public}
81		86
82	SMTP_DELIVERY_METHOD=sendmail	87	SMTP_DELIVERY_METHOD=sendmail
83	SMTP_FROM_ADDRESS=mastodon@tools.immae.eu	88	SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
84	SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"	89	SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
85	PAPERCLIP_ROOT_PATH=${varDir}	90	PAPERCLIP_ROOT_PATH=${varDir}
86		91
87	STREAMING_CLUSTER_NUM=1	92	STREAMING_CLUSTER_NUM=1
88		93
89	RAILS_LOG_LEVEL=warn	94	RAILS_LOG_LEVEL=warn
90		95
91	# LDAP authentication (optional)	96	# LDAP authentication (optional)
92	LDAP_ENABLED=true	97	LDAP_ENABLED=true
93	LDAP_HOST=ldap.immae.eu	98	LDAP_HOST=ldap.immae.eu
94	LDAP_PORT=636	99	LDAP_PORT=636
95	LDAP_METHOD=simple_tls	100	LDAP_METHOD=simple_tls
96	LDAP_BASE="dc=immae,dc=eu"	101	LDAP_BASE="dc=immae,dc=eu"
97	LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"	102	LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
98	LDAP_PASSWORD="${env.ldap.password}"	103	LDAP_PASSWORD="${env.ldap.password}"
99	LDAP_UID="uid"	104	LDAP_UID="uid"
100	LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"	105	LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
101	'';	106	'';
		107	};
102		108
		109	# FIXME: build machine will contain some passwords in the nix store
103	railsRoot = stdenv.mkDerivation {	110	railsRoot = stdenv.mkDerivation {
104	name = "mastodon_immae";	111	name = "mastodon_immae";
105	inherit config mastodon;	112	inherit mastodon;
106	builder = writeText "build_mastodon_immae" ''	113	builder = writeText "build_mastodon_immae" ''
107	source $stdenv/setup	114	source $stdenv/setup
108	set -a	115	set -a
109	source $config	116	${keys.tools-mastodon.text}
110	set +a	117	set +a
111	cp -a $mastodon $out	118	cp -a $mastodon $out
112	cd $out	119	cd $out
@@ -121,7 +128,7 @@ let
121	};	128	};
122	in	129	in
123	{	130	{
124	inherit railsRoot config varDir socketsDir gems;	131	inherit railsRoot keys varDir socketsDir gems;
125	nodeSocket = "${socketsDir}/live_immae_node.sock";	132	nodeSocket = "${socketsDir}/live_immae_node.sock";
126	railsSocket = "${socketsDir}/live_immae_puma.sock";	133	railsSocket = "${socketsDir}/live_immae_puma.sock";
127	}	134	}