authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 17:01:31 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-04-20 17:02:05 +0200
commit914dd76ceccc2de3bd5ffa176cf7984ad1bd5581 (patch)
tree450c51de1c1273a150ed8b80cd2872f3261a738c /nixops
parente905cd0bda71f359597ecb1f4554d3edb27e2ccb (diff)
Move ympd password to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
-rw-r--r--nixops/modules/mpd/default.nix6
-rw-r--r--nixops/modules/websites/tools/tools/default.nix13
-rw-r--r--nixops/modules/websites/tools/tools/ympd-password-env.patch23
-rw-r--r--nixops/modules/websites/tools/tools/ympd.nix6
4 files changed, 42 insertions, 6 deletions
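--- a/nixops/modules/mpd/default.nix
+++ b/nixops/modules/mpd/default.nix
@@ -1,6 +1,12 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 {
  config = {
+ deployment.keys = {
+ mpd = {
+ permissions = "0400";
+ text = myconfig.env.mpd.password;
+ };
+ };
  networking.firewall.allowedTCPPorts = [ 6600 ];
  users.users.mpd.extraGroups = [ "wwwrun" ];
  services.mpd = {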
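Review bot: The new `deployment.keys.mpd` entry sets only `permissions` and `text`, so the key falls back to the NixOps default owner (root, as far as I know) and is placed under `/run/keys`, which is a tmpfs and is empty after a reboot until the keys are sent again; nothing in the hunk records either fact. A comment such as `# root-only; read by systemd.services.ympd before it drops privileges, absent after reboot until keys are re-sent` above `mpd = {` would document that for the next maintainer. The `services.mpd` block continues outside the hunk; if it still interpolates `myconfig.env.mpd.password` into the daemon configuration, that copy would presumably still end up in the world-readable Nix store and is worth checking.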
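--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/nixops/modules/websites/tools/tools/default.nix
@@ -72,7 +72,14 @@ in {
  ++ ldap.apache.modules
  ++ kanboard.apache.modules;
 
- services.ympd = ympd.config // { enable = true; };
+ systemd.services.ympd = {
+ description = "Standalone MPD Web GUI written in C";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ export MPD_PASSWORD=$(cat /run/keys/mpd)
+ ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
+ '';
+ };
 
  services.myWebsites.integration.vhostConfs.devtools = {
  certName = "eldiron";
@@ -239,7 +246,9 @@ in {
  '';
 
  nixpkgs.overlays = [ (self: super: rec {
- ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json);
+ ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json // {
+ patches = (old.patches or []) ++ [ ./ympd-password-env.patch ];
+ });
  }) ];
 
  systemd.services.tt-rss = {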
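Review bot: The new `systemd.services.ympd` unit reads `/run/keys/mpd` in its `script` but declares no dependency on the key, so after a reboot or before the keys have been sent it can start while the file is missing. Because `export MPD_PASSWORD=$(cat /run/keys/mpd)` returns the status of `export`, a failed `cat` is not fatal even when the shell runs with `-e`, and ympd would then start with an empty password. I would order the unit on the key unit that NixOps generates per key, `after = [ "mpd-key.service" ]; wants = [ "mpd-key.service" ];`, and split the assignment into `MPD_PASSWORD=$(cat /run/keys/mpd)` followed by `export MPD_PASSWORD` so a missing key stops the start. The interpolated `--host`, `--port` and `--webport` values are also unquoted in the shell line; wrapping them with `lib.escapeShellArg` would keep a configuration value from being split into extra arguments.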
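--- /dev/null
+++ b/nixops/modules/websites/tools/tools/ympd-password-env.patch
@@ -0,0 +1,23 @@
+diff --git a/src/ympd.c b/src/ympd.c
+index 3aed7e6..b3b6fda 100644
+--- a/src/ympd.c
++++ b/src/ympd.c
+@@ -71,6 +71,7 @@ int main(int argc, char **argv)
+ char *run_as_user = NULL;
+ char const *error_msg = NULL;
+ char *webport = "8080";
++ const char *s;
+
+ atexit(bye);
+ #ifdef WITH_DYNAMIC_ASSETS
+@@ -92,6 +93,10 @@ int main(int argc, char **argv)
+ {0, 0, 0, 0 }
+ };
+
++ if ((s = getenv("MPD_PASSWORD")) != NULL) {
++ mpd.password = strdup(s);
++ }
++
+ while((n = getopt_long(argc, argv, "h:p:w:u:vm:",
+ long_options, &option_index)) != -1) {
+ switch (n) {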
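Review bot: In the second inner hunk, `mpd.password = strdup(s);` is not checked for NULL and accepts an empty `MPD_PASSWORD`, so an allocation failure or an exported-but-empty variable silently leaves ympd without a usable password. I would tighten the guard to `if ((s = getenv("MPD_PASSWORD")) != NULL && *s != '\0')` and exit with an error when `strdup` returns NULL. The variable also stays in the process environment, where any child process inherits it and where it typically remains readable through `/proc/<pid>/environ` by root and same-uid processes; calling `unsetenv("MPD_PASSWORD");` after the copy limits the inheritance, and reading the secret from a file path instead would avoid the environment entirely. `main` starts and ends outside both hunks, so how `mpd.password` is later overridden by the option loop or freed cannot be checked from here.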
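--- a/nixops/modules/websites/tools/tools/ympd.nix
+++ b/nixops/modules/websites/tools/tools/ympd.nix
@@ -3,10 +3,8 @@ let
  ympd = rec {
  config = {
  webPort = "localhost:${env.listenPort}";
- mpd = {
- host = "${env.mpd.host} --mpdpass ${env.mpd.password}";
- port = env.mpd.port;
- };
+ host = env.mpd.host;
+ port = env.mpd.port;
  };
  apache = {
  modules = [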
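Review bot: Dropping `--mpdpass ${env.mpd.password}` from `host` keeps new builds from embedding the password, but the earlier value was interpolated into the service definition and passed on the ympd command line, so it was presumably written to the world-readable Nix store and visible in the process list. It should be treated as exposed: older generations keep it until they are garbage-collected, and rotating the MPD password is the safe follow-up. Since `config` now holds plain values only, a short comment such as `# no secrets here; the MPD password is read from /run/keys/mpd by the ympd unit` above `config = {` would help keep a secret from being added back. The `ympd` attribute set continues outside the hunk.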