Move chloe's website keys to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 14:59:22 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-04-16 14:59:22 +0200
commit: 906065a0b7aada3282309791a051e71e5e1cf16d (patch)
tree: a26564f732116b4a2b5784f65566caab6e90a8e2 /nixops
parent: 50933a04f9db56a6368f40bdfe33e988d1a269df (diff)
download: Nix-906065a0b7aada3282309791a051e71e5e1cf16d.tar.gz
Nix-906065a0b7aada3282309791a051e71e5e1cf16d.tar.zst
Nix-906065a0b7aada3282309791a051e71e5e1cf16d.zip
2 files changed, 28 insertions, 13 deletions
diff --git a/nixops/modules/websites/chloe/chloe.nix b/nixops/modules/websites/chloe/chloe.nix
index 7ad23fe..0861cdf 100644
--- a/nixops/modules/websites/chloe/chloe.nix
+++ b/nixops/modules/websites/chloe/chloe.nix
@@ -3,6 +3,7 @@ let
  chloe = { config }: rec {
    environment = config.environment;
    phpFpm = rec {
+      serviceDeps = [ "mysql.service" "${environment}-chloe-key.service" ];
      socket = "/var/run/phpfpm/chloe-${environment}.sock";
      pool = ''
        listen = ${socket}
@@ -15,19 +16,6 @@ let
        ;php_admin_flag[log_errors] = on
        php_admin_value[open_basedir] = "${../commons/spip/spip_mes_options.php}:${configDir}:${webRoot}:${varDir}:/tmp"
        php_admin_value[session.save_path] = "${varDir}/phpSessions"
-        env[SPIP_CONFIG_DIR] = "${configDir}"
-        env[SPIP_VAR_DIR] = "${varDir}"
-        env[SPIP_SITE] = "chloe-${environment}"
-        env[SPIP_LDAP_BASE] = "dc=immae,dc=eu"
-        env[SPIP_LDAP_HOST] = "ldaps://ldap.immae.eu"
-        env[SPIP_LDAP_SEARCH_DN] = "${config.ldap.dn}"
-        env[SPIP_LDAP_SEARCH_PW] = "${config.ldap.password}"
-        env[SPIP_LDAP_SEARCH] = "${config.ldap.search}"
-        env[SPIP_MYSQL_HOST] = "${config.mysql.host}"
-        env[SPIP_MYSQL_PORT] = "${config.mysql.port}"
-        env[SPIP_MYSQL_DB] = "${config.mysql.name}"
-        env[SPIP_MYSQL_USER] = "${config.mysql.user}"
-        env[SPIP_MYSQL_PASSWORD] = "${config.mysql.password}"
        ${if environment == "dev" then ''
        pm = ondemand
        pm.max_children = 5
@@ -40,6 +28,27 @@ let
        pm.max_spare_servers = 3
        ''}'';
    };
+    keys."${environment}-chloe" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0400";
+      text = ''
+        SetEnv SPIP_CONFIG_DIR     "${configDir}"
+        SetEnv SPIP_VAR_DIR        "${varDir}"
+        SetEnv SPIP_SITE           "chloe-${environment}"
+        SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+        SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+        SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+        SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+        SetEnv SPIP_LDAP_SEARCH    "${config.ldap.search}"
+        SetEnv SPIP_MYSQL_HOST     "${config.mysql.host}"
+        SetEnv SPIP_MYSQL_PORT     "${config.mysql.port}"
+        SetEnv SPIP_MYSQL_DB       "${config.mysql.name}"
+        SetEnv SPIP_MYSQL_USER     "${config.mysql.user}"
+        SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+      '';
+    };
    apache = rec {
      user = "wwwrun";
      group = "wwwrun";
@@ -47,6 +56,8 @@ let
      webappName = "chloe_${environment}";
      root = "/run/current-system/webapps/${webappName}";
      vhostConf = ''
+        Include /run/keys/webapps/${environment}-chloe
        RewriteEngine On
        ${if environment == "prod" then ''
        RewriteRule ^/news.rss  /spip.php?page=backend&id_rubrique=1
diff --git a/nixops/modules/websites/chloe/default.nix b/nixops/modules/websites/chloe/default.nix
index f561834..451a248 100644
--- a/nixops/modules/websites/chloe/default.nix
+++ b/nixops/modules/websites/chloe/default.nix
@@ -25,6 +25,7 @@ in {
  config = lib.mkMerge [
    (lib.mkIf cfg.production.enable {
+      deployment.keys = chloe_prod.keys;
      services.myWebsites.commons.stats.enable = true;
      services.myWebsites.commons.stats.sites = [
        {
@@ -40,6 +41,7 @@ in {
        };
      };
+      services.myPhpfpm.serviceDependencies.chloe_prod = chloe_prod.phpFpm.serviceDeps;
      services.myPhpfpm.poolConfigs.chloe_prod = chloe_prod.phpFpm.pool;
      services.myPhpfpm.poolPhpConfigs.chloe_prod = ''
        extension=${pkgs.php}/lib/php/extensions/mysqli.so
@@ -58,7 +60,9 @@ in {
      };
    })
    (lib.mkIf cfg.integration.enable {
+      deployment.keys = chloe_dev.keys;
      security.acme.certs."eldiron".extraDomains."chloe.immae.eu" = null;
+      services.myPhpfpm.serviceDependencies.chloe_dev = chloe_dev.phpFpm.serviceDeps;
      services.myPhpfpm.poolConfigs.chloe_dev = chloe_dev.phpFpm.pool;
      services.myPhpfpm.poolPhpConfigs.chloe_dev = ''
        extension=${pkgs.php}/lib/php/extensions/mysqli.so
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 14:59:22 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-04-16 14:59:22 +0200
commit	906065a0b7aada3282309791a051e71e5e1cf16d (patch)
tree	a26564f732116b4a2b5784f65566caab6e90a8e2 /nixops
parent	50933a04f9db56a6368f40bdfe33e988d1a269df (diff)
download	Nix-906065a0b7aada3282309791a051e71e5e1cf16d.tar.gz Nix-906065a0b7aada3282309791a051e71e5e1cf16d.tar.zst Nix-906065a0b7aada3282309791a051e71e5e1cf16d.zip