authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-15 01:17:31 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-15 01:17:31 +0200
commit5f08b34c5247ee0c4de2a9264d059b69271e3473 (patch)
treeb8a8db5ae02e9a8022e1e565c6f3f9deebd4687c /nixops
parenta840a21c954be6342603ae7a45dde6c005761696 (diff)
downloadNix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.gz
Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.tar.zst
Nix-5f08b34c5247ee0c4de2a9264d059b69271e3473.zip
Move shaarli passwords to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/websites/phpfpm/default.nix13
-rw-r--r--nixops/modules/websites/tools/tools/default.nix6
-rw-r--r--nixops/modules/websites/tools/tools/shaarli.nix22
3 files changed, 35 insertions, 6 deletions
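diff --git a/nixops/modules/websites/phpfpm/default.nix b/nixops/modules/websites/phpfpm/default.nix
index 882babc..9c068bf 100644
--- a/nixops/modules/websites/phpfpm/default.nix
+++ b/nixops/modules/websites/phpfpm/default.nix
@@ -83,6 +83,18 @@ in {
       '';
     };
 
+    envFile = mkOption {
+      default = {};
+      type = types.attrsOf types.string;
+      example = literalExample ''
+        { mypool = "path/to/file";
+        }
+      '';
+      description = ''
+        Extra environment file go into the service script.
+      '';
+    };
+
     poolPhpConfigs = mkOption {
       default = {};
       type = types.attrsOf types.lines;
@@ -174,6 +186,7 @@ in {
           cfgFile = fpmCfgFile pool poolConfig;
           poolPhpIni = cfg.poolPhpConfigs.${pool} or "";
         in {
+          EnvironmentFile = if builtins.hasAttr pool cfg.envFile then [cfg.envFile.${pool}] else [];
           Slice = "phpfpm.slice";
           PrivateDevices = true;
           ProtectSystem = "full";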
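Review bot: The new `envFile` option in the first hunk is typed `types.attrsOf types.string`; `types.string` is the deprecated concatenating string type, so two module definitions for the same pool name would, as far as I can tell, be silently joined into one nonsense path instead of raising a conflict, and `types.str` is the type that rejects that. The description also reads oddly; I would change the two lines to `type = types.attrsOf types.str;` and `Per-pool environment file passed to the pool's systemd service as EnvironmentFile=.`. In the second hunk the lookup `if builtins.hasAttr pool cfg.envFile then [cfg.envFile.${pool}] else []` is correct but could be written `lib.optional (cfg.envFile ? ${pool}) cfg.envFile.${pool}`; note that systemd refuses to start a unit whose EnvironmentFile is missing unless the path is prefixed with `-`, so callers must order the pool after whatever creates the file. The option set and the service definition both continue outside the hunks.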
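diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
index 3d5465f..31ed035 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -50,6 +50,7 @@ in {
     kanboard.keys
     // ldap.keys
     // roundcubemail.keys
+    // shaarli.keys
     // ttrss.keys
     // wallabag.keys
     // yourls.keys;
@@ -137,12 +138,17 @@ in {
       ];
     };
 
+    services.myPhpfpm.envFile = {
+      shaarli = shaarli.phpFpm.envFile;
+    };
+
     services.myPhpfpm.serviceDependencies = {
       dokuwiki = dokuwiki.phpFpm.serviceDeps;
       kanboard = kanboard.phpFpm.serviceDeps;
       ldap = ldap.phpFpm.serviceDeps;
       rainloop = rainloop.phpFpm.serviceDeps;
       roundcubemail = roundcubemail.phpFpm.serviceDeps;
+      shaarli = shaarli.phpFpm.serviceDeps;
       ttrss = ttrss.phpFpm.serviceDeps;
       wallabag = wallabag.phpFpm.serviceDeps;
       yourls = yourls.phpFpm.serviceDeps;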
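diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
index 0f6b460..157c4de 100644
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/nixops/modules/websites/tools/tools/shaarli.nix
@@ -50,12 +50,6 @@ in rec {
       Alias /Shaarli "${root}"
 
       <Directory "${root}">
-        SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-        SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
-        SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
-        SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
-        SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
-
         DirectoryIndex index.php index.htm index.html
         Options Indexes FollowSymLinks MultiViews Includes
         AllowOverride All
@@ -66,7 +60,22 @@ in rec {
       </Directory>
     '';
   };
+  keys.tools-shaarli = {
+    destDir = "/run/keys/webapps";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0700";
+    text = ''
+      SHAARLI_LDAP_PASSWORD="${env.ldap.password}"
+      SHAARLI_LDAP_DN="${env.ldap.dn}"
+      SHAARLI_LDAP_HOST="ldaps://${env.ldap.host}"
+      SHAARLI_LDAP_BASE="${env.ldap.base}"
+      SHAARLI_LDAP_FILTER="${env.ldap.search}"
+    '';
+  };
   phpFpm = rec {
+    serviceDeps = [ "openldap.service" "tools-shaarli-key.service" ];
+    envFile = "/run/keys/webapps/tools-shaarli";
     basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
     socket = "/var/run/phpfpm/shaarli.sock";
     pool = ''
@@ -78,6 +87,7 @@ in rec {
       pm = ondemand
       pm.max_children = 60
       pm.process_idle_timeout = 60
+      clear_env = no
 
       ; Needed to avoid clashes in browser cookies (same domain)
       php_value[session.name] = ShaarliPHPSESSID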
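Review bot: `clear_env = no` in the last hunk disables php-fpm's environment scrubbing for the whole pool, so every variable in the service environment — not only the five SHAARLI_LDAP_* values loaded from the EnvironmentFile — becomes readable by any PHP script in the pool through getenv()/$_ENV. Importing just the wanted names with `env[NAME] = $NAME` directives keeps the default `clear_env = yes` and limits what scripts can see; php-fpm expands `$NAME` from the master process environment, so the EnvironmentFile approach still works. Separately, `permissions = "0700"` sets an execute bit on a regular secret file where `"0600"` is the usual mode, and the values are written unescaped into a systemd-style environment file, so a password containing `"` or `\` would, as far as I can tell, be mis-parsed — worth escaping or at least documenting as a constraint. The `pool` string and the `phpFpm` attribute set continue past the end of the hunk.
```nix
      pm.process_idle_timeout = 60
      ; Import only the Shaarli settings from the service environment
      ; (populated from the EnvironmentFile); clear_env keeps its default.
      env[SHAARLI_LDAP_PASSWORD] = $SHAARLI_LDAP_PASSWORD
      env[SHAARLI_LDAP_DN] = $SHAARLI_LDAP_DN
      env[SHAARLI_LDAP_HOST] = $SHAARLI_LDAP_HOST
      env[SHAARLI_LDAP_BASE] = $SHAARLI_LDAP_BASE
      env[SHAARLI_LDAP_FILTER] = $SHAARLI_LDAP_FILTER
      ; … unchanged: session.name and the rest of the pool config …
```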