author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-15 01:17:31 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-15 01:17:31 +0200 |
commit | 5f08b34c5247ee0c4de2a9264d059b69271e3473 (patch) | |
tree | b8a8db5ae02e9a8022e1e565c6f3f9deebd4687c /nixops | |
parent | a840a21c954be6342603ae7a45dde6c005761696 (diff) | |
download | Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.gz Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.zst Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.zip |
Move shaarli passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r-- | nixops/modules/websites/phpfpm/default.nix | 13 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/default.nix | 6 | ||||
-rw-r--r-- | nixops/modules/websites/tools/tools/shaarli.nix | 22 |
3 files changed, 35 insertions, 6 deletions
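--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -83,6 +83,18 @@ in {
 '';
 };
 
+envFile = mkOption {
+default = {};
+type = types.attrsOf types.string;
+example = literalExample ''
+{ mypool = "path/to/file";
+}
+'';
+description = ''
+Extra environment file go into the service script.
+'';
+};
+
 poolPhpConfigs = mkOption {
 default = {};
 type = types.attrsOf types.lines;
@@ -174,6 +186,7 @@ in {
 cfgFile = fpmCfgFile pool poolConfig;
 poolPhpIni = cfg.poolPhpConfigs.${pool} or "";
 in {
+EnvironmentFile = if builtins.hasAttr pool cfg.envFile then [cfg.envFile.${pool}] else [];
 Slice = "phpfpm.slice";
 PrivateDevices = true;
 ProtectSystem = "full";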
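Review bot: `envFile` is declared as `types.attrsOf types.string`, and `types.string` is the deprecated merge-by-concatenation type: if two modules ever define `envFile.<pool>`, the values are silently glued into one nonexistent path and the pool's service then fails at start on a missing EnvironmentFile, instead of the module system reporting a conflict at evaluation time. `type = types.attrsOf types.str;` (or `types.path`) gives the conflict error. The description also does not read well; `Path of an extra EnvironmentFile passed to the pool's systemd service.` says what the option does. The option lookup in the second hunk can be written as `EnvironmentFile = lib.optional (cfg.envFile ? ${pool}) cfg.envFile.${pool};` with the same result, assuming `lib` is in scope as in the usual module prelude.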
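--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -50,6 +50,7 @@ in {
 kanboard.keys
 // ldap.keys
 // roundcubemail.keys
+// shaarli.keys
 // ttrss.keys
 // wallabag.keys
 // yourls.keys;
@@ -137,12 +138,17 @@ in {
 ];
 };
 
+services.myPhpfpm.envFile = {
+shaarli = shaarli.phpFpm.envFile;
+};
+
 services.myPhpfpm.serviceDependencies = {
 dokuwiki = dokuwiki.phpFpm.serviceDeps;
 kanboard = kanboard.phpFpm.serviceDeps;
 ldap = ldap.phpFpm.serviceDeps;
 rainloop = rainloop.phpFpm.serviceDeps;
 roundcubemail = roundcubemail.phpFpm.serviceDeps;
+shaarli = shaarli.phpFpm.serviceDeps;
 ttrss = ttrss.phpFpm.serviceDeps;
 wallabag = wallabag.phpFpm.serviceDeps;
 yourls = yourls.phpFpm.serviceDeps;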
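--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/nixops/modules/websites/tools/tools/shaarli.nix
@@ -50,12 +50,6 @@ in rec {
 Alias /Shaarli "${root}"
 
 <Directory "${root}">
-SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
-SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
-SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
-SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
-
 DirectoryIndex index.php index.htm index.html
 Options Indexes FollowSymLinks MultiViews Includes
 AllowOverride All
@@ -66,7 +60,22 @@ in rec {
 </Directory>
 '';
 };
+keys.tools-shaarli = {
+destDir = "/run/keys/webapps";
+user = apache.user;
+group = apache.group;
+permissions = "0700";
+text = ''
+SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+SHAARLI_LDAP_DN="${env.ldap.dn}"
+SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+SHAARLI_LDAP_BASE="${env.ldap.base}"
+SHAARLI_LDAP_FILTER="${env.ldap.search}"
+'';
+};
 phpFpm = rec {
+serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+envFile = "/run/keys/webapps/tools-shaarli";
 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
 socket = "/var/run/phpfpm/shaarli.sock";
 pool = ''
@@ -78,6 +87,7 @@ in rec {
 pm = ondemand
 pm.max_children = 60
 pm.process_idle_timeout = 60
+clear_env = no
 
 ; Needed to avoid clashes in browser cookies (same domain)
 php_value[session.name] = ShaarliPHPSESSID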
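Review bot: `clear_env = no` in the last hunk hands the entire environment of the php-fpm service to the PHP workers, not only the five SHAARLI_* variables, so any PHP code in this pool can read everything systemd places in that environment through getenv()/$_ENV. php-fpm can forward just the intended variables from its own environment with one pool line per variable, `env[SHAARLI_LDAP_PASSWORD] = $SHAARLI_LDAP_PASSWORD`, while clear_env stays at its default, which keeps the exposure to the named set. On the key file, `permissions = "0700"` adds an execute bit a file that is only read never needs; `permissions = "0400";` is enough. Because EnvironmentFile= is read by systemd before the service process exists, the file may not need to be owned by `apache.user` at all if the php-fpm master starts as root, which is worth confirming against the myPhpfpm module, since apache ownership lets every other process running as that user read the LDAP password.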