diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 09:26:26 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-25 09:26:26 +0200 |
| commit | 8db8e666707a0e51af9353c76c5863e1a5482ed5 (patch) | |
| tree | 64bfdc2cb62f84250955424ad202fc875d4ddbc4 /nixops | |
| parent | 32c84ff89c2b8931f58cea63961a178a9b1d0efe (diff) | |
| download | Nix-8db8e666707a0e51af9353c76c5863e1a5482ed5.tar.gz Nix-8db8e666707a0e51af9353c76c5863e1a5482ed5.tar.zst Nix-8db8e666707a0e51af9353c76c5863e1a5482ed5.zip | |
Move tools to new secrets location
Diffstat (limited to 'nixops')
| -rw-r--r-- | nixops/modules/secrets/default.nix | 13 | ||||
| -rw-r--r-- | nixops/modules/websites/default.nix | 7 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/cloud/default.nix | 2 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/cloud/nextcloud.nix | 8 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/dav/davical.nix | 12 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/dav/default.nix | 2 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/git/default.nix | 2 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/git/mantisbt/mantisbt.nix | 12 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/default.nix | 14 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/kanboard.nix | 12 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/ldap.nix | 12 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/roundcubemail.nix | 12 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/shaarli.nix | 8 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/ttrss.nix | 12 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/wallabag.nix | 14 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/yourls.nix | 12 |
16 files changed, 71 insertions, 83 deletions
diff --git a/nixops/modules/secrets/default.nix b/nixops/modules/secrets/default.nix index 7096e48..8500088 100644 --- a/nixops/modules/secrets/default.nix +++ b/nixops/modules/secrets/default.nix | |||
| @@ -8,20 +8,8 @@ | |||
| 8 | }; | 8 | }; |
| 9 | }; | 9 | }; |
| 10 | config = let | 10 | config = let |
| 11 | oldkeys = lib.attrsets.filterAttrs (n: v: n != "secrets.tar") config.deployment.keys; | ||
| 12 | keys = config.mySecrets.keys; | 11 | keys = config.mySecrets.keys; |
| 13 | empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; | 12 | empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done"; |
| 14 | dumpOldKey = k: v: let | ||
| 15 | dest = if v.destDir == "/run/keys" | ||
| 16 | then k | ||
| 17 | else (builtins.replaceStrings ["/run/keys/"] [""] v.destDir) + "/" + k; | ||
| 18 | in '' | ||
| 19 | mkdir -p secrets/$(dirname ${dest}) | ||
| 20 | echo -n ${lib.strings.escapeShellArg v.text} > secrets/${dest} | ||
| 21 | cat >> mods <<EOF | ||
| 22 | ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${dest} | ||
| 23 | EOF | ||
| 24 | ''; | ||
| 25 | dumpKey = v: '' | 13 | dumpKey = v: '' |
| 26 | mkdir -p secrets/$(dirname ${v.dest}) | 14 | mkdir -p secrets/$(dirname ${v.dest}) |
| 27 | echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest} | 15 | echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest} |
| @@ -32,7 +20,6 @@ | |||
| 32 | secrets = pkgs.runCommand "secrets.tar" {} '' | 20 | secrets = pkgs.runCommand "secrets.tar" {} '' |
| 33 | touch mods | 21 | touch mods |
| 34 | tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done | 22 | tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done |
| 35 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList dumpOldKey oldkeys)} | ||
| 36 | ${builtins.concatStringsSep "\n" (map dumpKey keys)} | 23 | ${builtins.concatStringsSep "\n" (map dumpKey keys)} |
| 37 | cat mods | while read u g p k; do | 24 | cat mods | while read u g p k; do |
| 38 | tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" | 25 | tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k" |
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix index 927243b..b0bc7a4 100644 --- a/nixops/modules/websites/default.nix +++ b/nixops/modules/websites/default.nix | |||
| @@ -229,7 +229,8 @@ in | |||
| 229 | services.myWebsites.TellesFlorian.integration.enable = true; | 229 | services.myWebsites.TellesFlorian.integration.enable = true; |
| 230 | services.myWebsites.Florian.integration.enable = true; | 230 | services.myWebsites.Florian.integration.enable = true; |
| 231 | 231 | ||
| 232 | deployment.keys.apache-ldap = { | 232 | mySecrets.keys = [{ |
| 233 | dest = "apache-ldap"; | ||
| 233 | user = "wwwrun"; | 234 | user = "wwwrun"; |
| 234 | group = "wwwrun"; | 235 | group = "wwwrun"; |
| 235 | permissions = "0400"; | 236 | permissions = "0400"; |
| @@ -245,7 +246,7 @@ in | |||
| 245 | </IfModule> | 246 | </IfModule> |
| 246 | </Macro> | 247 | </Macro> |
| 247 | ''; | 248 | ''; |
| 248 | }; | 249 | }]; |
| 249 | 250 | ||
| 250 | services.myWebsites.apacheConfig = { | 251 | services.myWebsites.apacheConfig = { |
| 251 | gzip = { | 252 | gzip = { |
| @@ -284,7 +285,7 @@ in | |||
| 284 | LDAPOpCacheTTL 600 | 285 | LDAPOpCacheTTL 600 |
| 285 | </IfModule> | 286 | </IfModule> |
| 286 | 287 | ||
| 287 | Include /run/keys/apache-ldap | 288 | Include /var/secrets/apache-ldap |
| 288 | ''; | 289 | ''; |
| 289 | }; | 290 | }; |
| 290 | global = { | 291 | global = { |
diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix index 7dd37f5..5c3e9a8 100644 --- a/nixops/modules/websites/tools/cloud/default.nix +++ b/nixops/modules/websites/tools/cloud/default.nix | |||
| @@ -24,7 +24,7 @@ in { | |||
| 24 | ]; | 24 | ]; |
| 25 | }; | 25 | }; |
| 26 | 26 | ||
| 27 | deployment.keys = nextcloud.keys; | 27 | mySecrets.keys = nextcloud.keys; |
| 28 | users.users.root.packages = let | 28 | users.users.root.packages = let |
| 29 | occ = pkgs.writeScriptBin "nextcloud-occ" '' | 29 | occ = pkgs.writeScriptBin "nextcloud-occ" '' |
| 30 | #! ${pkgs.stdenv.shell} | 30 | #! ${pkgs.stdenv.shell} |
diff --git a/nixops/modules/websites/tools/cloud/nextcloud.nix b/nixops/modules/websites/tools/cloud/nextcloud.nix index b339038..b62606f 100644 --- a/nixops/modules/websites/tools/cloud/nextcloud.nix +++ b/nixops/modules/websites/tools/cloud/nextcloud.nix | |||
| @@ -113,8 +113,8 @@ let | |||
| 113 | }; | 113 | }; |
| 114 | in rec { | 114 | in rec { |
| 115 | varDir = "/var/lib/nextcloud"; | 115 | varDir = "/var/lib/nextcloud"; |
| 116 | keys.tools-nextcloud = { | 116 | keys = [{ |
| 117 | destDir = "/run/keys/webapps"; | 117 | dest = "webapps/tools-nextcloud"; |
| 118 | user = apache.user; | 118 | user = apache.user; |
| 119 | group = apache.group; | 119 | group = apache.group; |
| 120 | permissions = "0600"; | 120 | permissions = "0600"; |
| @@ -170,7 +170,7 @@ let | |||
| 170 | 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', | 170 | 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', |
| 171 | ); | 171 | ); |
| 172 | ''; | 172 | ''; |
| 173 | }; | 173 | }]; |
| 174 | webRoot = stdenv.mkDerivation rec { | 174 | webRoot = stdenv.mkDerivation rec { |
| 175 | name = "nextcloud-${version}"; | 175 | name = "nextcloud-${version}"; |
| 176 | version = "15.0.4"; | 176 | version = "15.0.4"; |
| @@ -204,7 +204,7 @@ let | |||
| 204 | install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} | 204 | install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} |
| 205 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions | 205 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions |
| 206 | install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config | 206 | install -D -m 0644 -o ${apache.user} -g ${apache.group} ${./nextcloud-config}/* -t ${varDir}/config |
| 207 | install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /run/keys/webapps/tools-nextcloud ${varDir}/config/config.php | 207 | install -D -m 0600 -o ${apache.user} -g ${apache.group} -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php |
| 208 | ''; | 208 | ''; |
| 209 | }; | 209 | }; |
| 210 | apache = rec { | 210 | apache = rec { |
diff --git a/nixops/modules/websites/tools/dav/davical.nix b/nixops/modules/websites/tools/dav/davical.nix index 89ba568..1e3893f 100644 --- a/nixops/modules/websites/tools/dav/davical.nix +++ b/nixops/modules/websites/tools/dav/davical.nix | |||
| @@ -16,8 +16,8 @@ let | |||
| 16 | ''; | 16 | ''; |
| 17 | }; | 17 | }; |
| 18 | davical = rec { | 18 | davical = rec { |
| 19 | keys."dav-davical" = { | 19 | keys = [{ |
| 20 | destDir = "/run/keys/webapps"; | 20 | dest = "webapps/dav-davical"; |
| 21 | user = apache.user; | 21 | user = apache.user; |
| 22 | group = apache.group; | 22 | group = apache.group; |
| 23 | permissions = "0400"; | 23 | permissions = "0400"; |
| @@ -74,7 +74,7 @@ let | |||
| 74 | $c->do_not_sync_from_ldap = array('admin' => true); | 74 | $c->do_not_sync_from_ldap = array('admin' => true); |
| 75 | include('drivers_ldap.php'); | 75 | include('drivers_ldap.php'); |
| 76 | ''; | 76 | ''; |
| 77 | }; | 77 | }]; |
| 78 | webapp = stdenv.mkDerivation rec { | 78 | webapp = stdenv.mkDerivation rec { |
| 79 | version = "1.1.7"; | 79 | version = "1.1.7"; |
| 80 | name = "davical-${version}"; | 80 | name = "davical-${version}"; |
| @@ -90,7 +90,7 @@ let | |||
| 90 | installPhase = '' | 90 | installPhase = '' |
| 91 | mkdir -p $out | 91 | mkdir -p $out |
| 92 | cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out | 92 | cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out |
| 93 | ln -s /run/keys/webapps/dav-davical $out/config/config.php | 93 | ln -s /var/secrets/webapps/dav-davical $out/config/config.php |
| 94 | ''; | 94 | ''; |
| 95 | buildInputs = [ gettext ]; | 95 | buildInputs = [ gettext ]; |
| 96 | }; | 96 | }; |
| @@ -137,8 +137,8 @@ let | |||
| 137 | ''; | 137 | ''; |
| 138 | }; | 138 | }; |
| 139 | phpFpm = rec { | 139 | phpFpm = rec { |
| 140 | serviceDeps = [ "postgresql.service" "openldap.service" "dav-davical-key.service" ]; | 140 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 141 | basedir = builtins.concatStringsSep ":" [ webapp "/run/keys/webapps/dav-davical" awl ]; | 141 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; |
| 142 | socket = "/var/run/phpfpm/davical.sock"; | 142 | socket = "/var/run/phpfpm/davical.sock"; |
| 143 | pool = '' | 143 | pool = '' |
| 144 | listen = ${socket} | 144 | listen = ${socket} |
diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix index 56b3006..2a82a1d 100644 --- a/nixops/modules/websites/tools/dav/default.nix +++ b/nixops/modules/websites/tools/dav/default.nix | |||
| @@ -14,7 +14,7 @@ in { | |||
| 14 | config = lib.mkIf cfg.enable { | 14 | config = lib.mkIf cfg.enable { |
| 15 | security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null; | 15 | security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null; |
| 16 | 16 | ||
| 17 | deployment.keys = davical.keys; | 17 | mySecrets.keys = davical.keys; |
| 18 | services.myWebsites.tools.modules = davical.apache.modules; | 18 | services.myWebsites.tools.modules = davical.apache.modules; |
| 19 | 19 | ||
| 20 | services.myWebsites.tools.vhostConfs.dav = { | 20 | services.myWebsites.tools.vhostConfs.dav = { |
diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix index 28b3c2d..4a1457f 100644 --- a/nixops/modules/websites/tools/git/default.nix +++ b/nixops/modules/websites/tools/git/default.nix | |||
| @@ -23,7 +23,7 @@ in { | |||
| 23 | }); | 23 | }); |
| 24 | }) ]; | 24 | }) ]; |
| 25 | 25 | ||
| 26 | deployment.keys = mantisbt.keys; | 26 | mySecrets.keys = mantisbt.keys; |
| 27 | services.myWebsites.tools.modules = | 27 | services.myWebsites.tools.modules = |
| 28 | gitweb.apache.modules ++ | 28 | gitweb.apache.modules ++ |
| 29 | mantisbt.apache.modules; | 29 | mantisbt.apache.modules; |
diff --git a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix index b564058..41c5e90 100644 --- a/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix +++ b/nixops/modules/websites/tools/git/mantisbt/mantisbt.nix | |||
| @@ -17,8 +17,8 @@ let | |||
| 17 | }); | 17 | }); |
| 18 | }; | 18 | }; |
| 19 | in rec { | 19 | in rec { |
| 20 | keys."tools-mantisbt" = { | 20 | keys = [{ |
| 21 | destDir = "/run/keys/webapps"; | 21 | dest = "webapps/tools-mantisbt"; |
| 22 | user = apache.user; | 22 | user = apache.user; |
| 23 | group = apache.group; | 23 | group = apache.group; |
| 24 | permissions = "0400"; | 24 | permissions = "0400"; |
| @@ -56,7 +56,7 @@ let | |||
| 56 | $g_ldap_realname_field = 'cn'; | 56 | $g_ldap_realname_field = 'cn'; |
| 57 | $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)'; | 57 | $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)'; |
| 58 | ''; | 58 | ''; |
| 59 | }; | 59 | }]; |
| 60 | webRoot = stdenv.mkDerivation rec { | 60 | webRoot = stdenv.mkDerivation rec { |
| 61 | name = "mantisbt-${version}"; | 61 | name = "mantisbt-${version}"; |
| 62 | version = "2.11.1"; | 62 | version = "2.11.1"; |
| @@ -72,7 +72,7 @@ let | |||
| 72 | ]; | 72 | ]; |
| 73 | installPhase = '' | 73 | installPhase = '' |
| 74 | cp -a . $out | 74 | cp -a . $out |
| 75 | ln -s /run/keys/webapps/tools-mantisbt $out/config/config_inc.php | 75 | ln -s /var/secrets/webapps/tools-mantisbt $out/config/config_inc.php |
| 76 | ln -s ${plugins.slack} $out/plugins/Slack | 76 | ln -s ${plugins.slack} $out/plugins/Slack |
| 77 | ln -s ${plugins.source-integration}/Source* $out/plugins/ | 77 | ln -s ${plugins.source-integration}/Source* $out/plugins/ |
| 78 | ''; | 78 | ''; |
| @@ -102,9 +102,9 @@ let | |||
| 102 | ''; | 102 | ''; |
| 103 | }; | 103 | }; |
| 104 | phpFpm = rec { | 104 | phpFpm = rec { |
| 105 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-mantisbt-key.service" ]; | 105 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 106 | basedir = builtins.concatStringsSep ":" ( | 106 | basedir = builtins.concatStringsSep ":" ( |
| 107 | [ webRoot "/run/keys/webapps/tools-mantisbt" ] | 107 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] |
| 108 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); | 108 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); |
| 109 | socket = "/var/run/phpfpm/mantisbt.sock"; | 109 | socket = "/var/run/phpfpm/mantisbt.sock"; |
| 110 | pool = '' | 110 | pool = '' |
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index 463e059..9be9d5d 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix | |||
| @@ -46,14 +46,14 @@ in { | |||
| 46 | security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; | 46 | security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null; |
| 47 | security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; | 47 | security.acme.certs."eldiron".extraDomains."devtools.immae.eu" = null; |
| 48 | 48 | ||
| 49 | deployment.keys = | 49 | mySecrets.keys = |
| 50 | kanboard.keys | 50 | kanboard.keys |
| 51 | // ldap.keys | 51 | ++ ldap.keys |
| 52 | // roundcubemail.keys | 52 | ++ roundcubemail.keys |
| 53 | // shaarli.keys | 53 | ++ shaarli.keys |
| 54 | // ttrss.keys | 54 | ++ ttrss.keys |
| 55 | // wallabag.keys | 55 | ++ wallabag.keys |
| 56 | // yourls.keys; | 56 | ++ yourls.keys; |
| 57 | 57 | ||
| 58 | services.myWebsites.integration.modules = | 58 | services.myWebsites.integration.modules = |
| 59 | rainloop.apache.modules; | 59 | rainloop.apache.modules; |
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix index dd5b18f..37cb8cc 100644 --- a/nixops/modules/websites/tools/tools/kanboard.nix +++ b/nixops/modules/websites/tools/tools/kanboard.nix | |||
| @@ -10,8 +10,8 @@ rec { | |||
| 10 | install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config | 10 | install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config |
| 11 | ''; | 11 | ''; |
| 12 | }; | 12 | }; |
| 13 | keys.tools-kanboard = { | 13 | keys = [{ |
| 14 | destDir = "/run/keys/webapps"; | 14 | dest = "webapps/tools-kanboard"; |
| 15 | user = apache.user; | 15 | user = apache.user; |
| 16 | group = apache.group; | 16 | group = apache.group; |
| 17 | permissions = "0400"; | 17 | permissions = "0400"; |
| @@ -37,12 +37,12 @@ rec { | |||
| 37 | define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu'); | 37 | define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu'); |
| 38 | ?> | 38 | ?> |
| 39 | ''; | 39 | ''; |
| 40 | }; | 40 | }]; |
| 41 | webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec { | 41 | webRoot = stdenv.mkDerivation (fetchedGithub ./kanboard.json // rec { |
| 42 | dontBuild = true; | 42 | dontBuild = true; |
| 43 | installPhase = '' | 43 | installPhase = '' |
| 44 | cp -a . $out | 44 | cp -a . $out |
| 45 | ln -s /run/keys/webapps/tools-kanboard $out/config.php | 45 | ln -s /var/secrets/webapps/tools-kanboard $out/config.php |
| 46 | mv $out/data $out/dataold | 46 | mv $out/data $out/dataold |
| 47 | ln -s ${varDir}/data $out/data | 47 | ln -s ${varDir}/data $out/data |
| 48 | ''; | 48 | ''; |
| @@ -71,8 +71,8 @@ rec { | |||
| 71 | ''; | 71 | ''; |
| 72 | }; | 72 | }; |
| 73 | phpFpm = rec { | 73 | phpFpm = rec { |
| 74 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-kanboard-key.service" ]; | 74 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 75 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/run/keys/webapps/tools-kanboard" ]; | 75 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; |
| 76 | socket = "/var/run/phpfpm/kanboard.sock"; | 76 | socket = "/var/run/phpfpm/kanboard.sock"; |
| 77 | pool = '' | 77 | pool = '' |
| 78 | listen = ${socket} | 78 | listen = ${socket} |
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix index 623adb5..7c26b61 100644 --- a/nixops/modules/websites/tools/tools/ldap.nix +++ b/nixops/modules/websites/tools/tools/ldap.nix | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | { lib, php, env, writeText, stdenv, optipng, fetchurl }: | 1 | { lib, php, env, writeText, stdenv, optipng, fetchurl }: |
| 2 | rec { | 2 | rec { |
| 3 | keys.tools-ldap = { | 3 | keys = [{ |
| 4 | destDir = "/run/keys/webapps"; | 4 | dest = "webapps/tools-ldap"; |
| 5 | user = apache.user; | 5 | user = apache.user; |
| 6 | group = apache.group; | 6 | group = apache.group; |
| 7 | permissions = "0400"; | 7 | permissions = "0400"; |
| @@ -24,7 +24,7 @@ rec { | |||
| 24 | $servers->setValue('login','attr','uid'); | 24 | $servers->setValue('login','attr','uid'); |
| 25 | $servers->setValue('login','fallback_dn',true); | 25 | $servers->setValue('login','fallback_dn',true); |
| 26 | ''; | 26 | ''; |
| 27 | }; | 27 | }]; |
| 28 | webRoot = stdenv.mkDerivation rec { | 28 | webRoot = stdenv.mkDerivation rec { |
| 29 | version = "1.2.3"; | 29 | version = "1.2.3"; |
| 30 | name = "phpldapadmin-${version}"; | 30 | name = "phpldapadmin-${version}"; |
| @@ -45,7 +45,7 @@ rec { | |||
| 45 | ''; | 45 | ''; |
| 46 | installPhase = '' | 46 | installPhase = '' |
| 47 | cp -a . $out | 47 | cp -a . $out |
| 48 | ln -sf /run/keys/webapps/tools-ldap $out/config/config.php | 48 | ln -sf /var/secrets/webapps/tools-ldap $out/config/config.php |
| 49 | ''; | 49 | ''; |
| 50 | }; | 50 | }; |
| 51 | apache = rec { | 51 | apache = rec { |
| @@ -68,8 +68,8 @@ rec { | |||
| 68 | ''; | 68 | ''; |
| 69 | }; | 69 | }; |
| 70 | phpFpm = rec { | 70 | phpFpm = rec { |
| 71 | serviceDeps = [ "openldap.service" "tools-ldap-key.service" ]; | 71 | serviceDeps = [ "openldap.service" ]; |
| 72 | basedir = builtins.concatStringsSep ":" [ webRoot "/run/keys/webapps/tools-ldap" ]; | 72 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; |
| 73 | socket = "/var/run/phpfpm/ldap.sock"; | 73 | socket = "/var/run/phpfpm/ldap.sock"; |
| 74 | pool = '' | 74 | pool = '' |
| 75 | listen = ${socket} | 75 | listen = ${socket} |
diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix index 5fc3412..9939b77 100644 --- a/nixops/modules/websites/tools/tools/roundcubemail.nix +++ b/nixops/modules/websites/tools/tools/roundcubemail.nix | |||
| @@ -78,8 +78,8 @@ let | |||
| 78 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions | 78 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions |
| 79 | ''; | 79 | ''; |
| 80 | }; | 80 | }; |
| 81 | keys.tools-roundcube = { | 81 | keys = [{ |
| 82 | destDir = "/run/keys/webapps"; | 82 | dest = "webapps/tools-roundcube"; |
| 83 | user = apache.user; | 83 | user = apache.user; |
| 84 | group = apache.group; | 84 | group = apache.group; |
| 85 | permissions = "0400"; | 85 | permissions = "0400"; |
| @@ -136,7 +136,7 @@ let | |||
| 136 | $config['temp_dir'] = '${varDir}/cache'; | 136 | $config['temp_dir'] = '${varDir}/cache'; |
| 137 | $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; | 137 | $config['mime_types'] = '${apacheHttpd}/conf/mime.types'; |
| 138 | ''; | 138 | ''; |
| 139 | }; | 139 | }]; |
| 140 | webRoot = stdenv.mkDerivation rec { | 140 | webRoot = stdenv.mkDerivation rec { |
| 141 | version = "1.4-rc1"; | 141 | version = "1.4-rc1"; |
| 142 | name = "roundcubemail-${version}"; | 142 | name = "roundcubemail-${version}"; |
| @@ -154,7 +154,7 @@ let | |||
| 154 | ''; | 154 | ''; |
| 155 | installPhase = '' | 155 | installPhase = '' |
| 156 | cp -a . $out | 156 | cp -a . $out |
| 157 | ln -s /run/keys/webapps/tools-roundcube $out/config/config.inc.php | 157 | ln -s /var/secrets/webapps/tools-roundcube $out/config/config.inc.php |
| 158 | ${builtins.concatStringsSep "\n" ( | 158 | ${builtins.concatStringsSep "\n" ( |
| 159 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins | 159 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins |
| 160 | )} | 160 | )} |
| @@ -184,9 +184,9 @@ let | |||
| 184 | ''; | 184 | ''; |
| 185 | }; | 185 | }; |
| 186 | phpFpm = rec { | 186 | phpFpm = rec { |
| 187 | serviceDeps = [ "postgresql.service" "tools-roundcube-key.service" ]; | 187 | serviceDeps = [ "postgresql.service" ]; |
| 188 | basedir = builtins.concatStringsSep ":" ( | 188 | basedir = builtins.concatStringsSep ":" ( |
| 189 | [ webRoot "/run/keys/webapps/tools-roundcube" varDir ] | 189 | [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ] |
| 190 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins | 190 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins |
| 191 | ++ lib.attrsets.mapAttrsToList (name: value: value) skins); | 191 | ++ lib.attrsets.mapAttrsToList (name: value: value) skins); |
| 192 | phpConfig = '' | 192 | phpConfig = '' |
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix index 56658fd..19b27c2 100644 --- a/nixops/modules/websites/tools/tools/shaarli.nix +++ b/nixops/modules/websites/tools/tools/shaarli.nix | |||
| @@ -49,7 +49,7 @@ in rec { | |||
| 49 | vhostConf = '' | 49 | vhostConf = '' |
| 50 | Alias /Shaarli "${root}" | 50 | Alias /Shaarli "${root}" |
| 51 | 51 | ||
| 52 | Include /run/keys/webapps/tools-shaarli | 52 | Include /var/secrets/webapps/tools-shaarli |
| 53 | <Directory "${root}"> | 53 | <Directory "${root}"> |
| 54 | DirectoryIndex index.php index.htm index.html | 54 | DirectoryIndex index.php index.htm index.html |
| 55 | Options Indexes FollowSymLinks MultiViews Includes | 55 | Options Indexes FollowSymLinks MultiViews Includes |
| @@ -61,8 +61,8 @@ in rec { | |||
| 61 | </Directory> | 61 | </Directory> |
| 62 | ''; | 62 | ''; |
| 63 | }; | 63 | }; |
| 64 | keys.tools-shaarli = { | 64 | keys = [{ |
| 65 | destDir = "/run/keys/webapps"; | 65 | dest = "webapps/tools-shaarli"; |
| 66 | user = apache.user; | 66 | user = apache.user; |
| 67 | group = apache.group; | 67 | group = apache.group; |
| 68 | permissions = "0400"; | 68 | permissions = "0400"; |
| @@ -73,7 +73,7 @@ in rec { | |||
| 73 | SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}" | 73 | SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}" |
| 74 | SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}" | 74 | SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}" |
| 75 | ''; | 75 | ''; |
| 76 | }; | 76 | }]; |
| 77 | phpFpm = rec { | 77 | phpFpm = rec { |
| 78 | serviceDeps = [ "openldap.service" ]; | 78 | serviceDeps = [ "openldap.service" ]; |
| 79 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 79 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix index 0fe94f9..e6cad56 100644 --- a/nixops/modules/websites/tools/tools/ttrss.nix +++ b/nixops/modules/websites/tools/tools/ttrss.nix | |||
| @@ -52,8 +52,8 @@ let | |||
| 52 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions | 52 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions |
| 53 | ''; | 53 | ''; |
| 54 | }; | 54 | }; |
| 55 | keys.tools-ttrss = { | 55 | keys = [{ |
| 56 | destDir = "/run/keys/webapps"; | 56 | dest = "webapps/tools-ttrss"; |
| 57 | user = apache.user; | 57 | user = apache.user; |
| 58 | group = apache.group; | 58 | group = apache.group; |
| 59 | permissions = "0400"; | 59 | permissions = "0400"; |
| @@ -120,7 +120,7 @@ let | |||
| 120 | define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); | 120 | define('LDAP_AUTH_LOG_ATTEMPTS', FALSE); |
| 121 | define('LDAP_AUTH_DEBUG', FALSE); | 121 | define('LDAP_AUTH_DEBUG', FALSE); |
| 122 | ''; | 122 | ''; |
| 123 | }; | 123 | }]; |
| 124 | webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec { | 124 | webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec { |
| 125 | buildPhase = '' | 125 | buildPhase = '' |
| 126 | rm -rf lock feed-icons cache | 126 | rm -rf lock feed-icons cache |
| @@ -128,7 +128,7 @@ let | |||
| 128 | ''; | 128 | ''; |
| 129 | installPhase = '' | 129 | installPhase = '' |
| 130 | cp -a . $out | 130 | cp -a . $out |
| 131 | ln -s /run/keys/webapps/tools-ttrss $out/config.php | 131 | ln -s /var/secrets/webapps/tools-ttrss $out/config.php |
| 132 | ${builtins.concatStringsSep "\n" ( | 132 | ${builtins.concatStringsSep "\n" ( |
| 133 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins | 133 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins |
| 134 | )} | 134 | )} |
| @@ -155,9 +155,9 @@ let | |||
| 155 | ''; | 155 | ''; |
| 156 | }; | 156 | }; |
| 157 | phpFpm = rec { | 157 | phpFpm = rec { |
| 158 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-ttrss-key.service" ]; | 158 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 159 | basedir = builtins.concatStringsSep ":" ( | 159 | basedir = builtins.concatStringsSep ":" ( |
| 160 | [ webRoot "/run/keys/webapps/tools-ttrss" varDir ] | 160 | [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] |
| 161 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); | 161 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); |
| 162 | socket = "/var/run/phpfpm/ttrss.sock"; | 162 | socket = "/var/run/phpfpm/ttrss.sock"; |
| 163 | pool = '' | 163 | pool = '' |
diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/nixops/modules/websites/tools/tools/wallabag.nix index f145bf3..596b9bc 100644 --- a/nixops/modules/websites/tools/tools/wallabag.nix +++ b/nixops/modules/websites/tools/tools/wallabag.nix | |||
| @@ -2,8 +2,8 @@ | |||
| 2 | let | 2 | let |
| 3 | wallabag = rec { | 3 | wallabag = rec { |
| 4 | varDir = "/var/lib/wallabag"; | 4 | varDir = "/var/lib/wallabag"; |
| 5 | keys.tools-wallabag = { | 5 | keys = [{ |
| 6 | destDir = "/run/keys/webapps"; | 6 | dest = "webapps/tools-wallabag"; |
| 7 | user = apache.user; | 7 | user = apache.user; |
| 8 | group = apache.group; | 8 | group = apache.group; |
| 9 | permissions = "0400"; | 9 | permissions = "0400"; |
| @@ -65,7 +65,7 @@ let | |||
| 65 | class: Swift_SendmailTransport | 65 | class: Swift_SendmailTransport |
| 66 | arguments: ['/run/wrappers/bin/sendmail -bs'] | 66 | arguments: ['/run/wrappers/bin/sendmail -bs'] |
| 67 | ''; | 67 | ''; |
| 68 | }; | 68 | }]; |
| 69 | webappDir = composerEnv.buildPackage rec { | 69 | webappDir = composerEnv.buildPackage rec { |
| 70 | packages = { | 70 | packages = { |
| 71 | "fr3d/ldap-bundle" = { | 71 | "fr3d/ldap-bundle" = { |
| @@ -110,7 +110,7 @@ let | |||
| 110 | ''; | 110 | ''; |
| 111 | postInstall = '' | 111 | postInstall = '' |
| 112 | rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data | 112 | rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data |
| 113 | ln -sf /run/keys/webapps/tools-wallabag app/config/parameters.yml | 113 | ln -sf /var/secrets/webapps/tools-wallabag app/config/parameters.yml |
| 114 | ln -sf ${varDir}/var/{cache,logs,sessions} var | 114 | ln -sf ${varDir}/var/{cache,logs,sessions} var |
| 115 | ln -sf ${varDir}/data data | 115 | ln -sf ${varDir}/data data |
| 116 | ln -sf ${varDir}/assets web/assets | 116 | ln -sf ${varDir}/assets web/assets |
| @@ -171,11 +171,11 @@ let | |||
| 171 | /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction | 171 | /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction |
| 172 | popd > /dev/null | 172 | popd > /dev/null |
| 173 | echo -n "${webappDir}" > ${varDir}/currentWebappDir | 173 | echo -n "${webappDir}" > ${varDir}/currentWebappDir |
| 174 | sha512sum /run/keys/webapps/tools-wallabag > ${varDir}/currentKey | 174 | sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey |
| 175 | fi | 175 | fi |
| 176 | ''; | 176 | ''; |
| 177 | serviceDeps = [ "postgresql.service" "openldap.service" "tools-wallabag-key.service" ]; | 177 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 178 | basedir = builtins.concatStringsSep ":" [ webappDir "/run/keys/webapps/tools-wallabag" varDir ]; | 178 | basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; |
| 179 | socket = "/var/run/phpfpm/wallabag.sock"; | 179 | socket = "/var/run/phpfpm/wallabag.sock"; |
| 180 | pool = '' | 180 | pool = '' |
| 181 | listen = ${socket} | 181 | listen = ${socket} |
diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix index 390dabe..470fb7b 100644 --- a/nixops/modules/websites/tools/tools/yourls.nix +++ b/nixops/modules/websites/tools/tools/yourls.nix | |||
| @@ -13,8 +13,8 @@ let | |||
| 13 | activationScript = '' | 13 | activationScript = '' |
| 14 | install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls | 14 | install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls |
| 15 | ''; | 15 | ''; |
| 16 | keys.tools-yourls = { | 16 | keys = [{ |
| 17 | destDir = "/run/keys/webapps"; | 17 | dest = "webapps/tools-yourls"; |
| 18 | user = apache.user; | 18 | user = apache.user; |
| 19 | group = apache.group; | 19 | group = apache.group; |
| 20 | permissions = "0400"; | 20 | permissions = "0400"; |
| @@ -46,13 +46,13 @@ let | |||
| 46 | 46 | ||
| 47 | define( 'LDAPAUTH_USERCACHE_TYPE', 0); | 47 | define( 'LDAPAUTH_USERCACHE_TYPE', 0); |
| 48 | ''; | 48 | ''; |
| 49 | }; | 49 | }]; |
| 50 | webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec { | 50 | webRoot = stdenv.mkDerivation (fetchedGithub ./yourls.json // rec { |
| 51 | installPhase = '' | 51 | installPhase = '' |
| 52 | mkdir -p $out | 52 | mkdir -p $out |
| 53 | cp -a */ *.php $out/ | 53 | cp -a */ *.php $out/ |
| 54 | cp sample-robots.txt $out/robots.txt | 54 | cp sample-robots.txt $out/robots.txt |
| 55 | ln -sf /run/keys/webapps/tools-yourls $out/includes/config.php | 55 | ln -sf /var/secrets/webapps/tools-yourls $out/includes/config.php |
| 56 | ${builtins.concatStringsSep "\n" ( | 56 | ${builtins.concatStringsSep "\n" ( |
| 57 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins | 57 | lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/user/plugins/${name}") plugins |
| 58 | )} | 58 | )} |
| @@ -85,9 +85,9 @@ let | |||
| 85 | ''; | 85 | ''; |
| 86 | }; | 86 | }; |
| 87 | phpFpm = rec { | 87 | phpFpm = rec { |
| 88 | serviceDeps = [ "mysql.service" "openldap.service" "tools-yourls-key.service" ]; | 88 | serviceDeps = [ "mysql.service" "openldap.service" ]; |
| 89 | basedir = builtins.concatStringsSep ":" ( | 89 | basedir = builtins.concatStringsSep ":" ( |
| 90 | [ webRoot "/run/keys/webapps/tools-yourls" ] | 90 | [ webRoot "/var/secrets/webapps/tools-yourls" ] |
| 91 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); | 91 | ++ lib.attrsets.mapAttrsToList (name: value: value) plugins); |
| 92 | socket = "/var/run/phpfpm/yourls.sock"; | 92 | socket = "/var/run/phpfpm/yourls.sock"; |
| 93 | pool = '' | 93 | pool = '' |