diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 17:01:31 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-04-20 17:02:05 +0200 |
| commit | 914dd76ceccc2de3bd5ffa176cf7984ad1bd5581 (patch) | |
| tree | 450c51de1c1273a150ed8b80cd2872f3261a738c /nixops | |
| parent | e905cd0bda71f359597ecb1f4554d3edb27e2ccb (diff) | |
| download | Nix-914dd76ceccc2de3bd5ffa176cf7984ad1bd5581.tar.gz Nix-914dd76ceccc2de3bd5ffa176cf7984ad1bd5581.tar.zst Nix-914dd76ceccc2de3bd5ffa176cf7984ad1bd5581.zip | |
Move ympd password to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
Diffstat (limited to 'nixops')
| -rw-r--r-- | nixops/modules/mpd/default.nix | 6 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/default.nix | 13 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/ympd-password-env.patch | 23 | ||||
| -rw-r--r-- | nixops/modules/websites/tools/tools/ympd.nix | 6 |
4 files changed, 42 insertions, 6 deletions
diff --git a/nixops/modules/mpd/default.nix b/nixops/modules/mpd/default.nix index 7781b36..d59a34c 100644 --- a/nixops/modules/mpd/default.nix +++ b/nixops/modules/mpd/default.nix | |||
| @@ -1,6 +1,12 @@ | |||
| 1 | { lib, pkgs, config, myconfig, mylibs, ... }: | 1 | { lib, pkgs, config, myconfig, mylibs, ... }: |
| 2 | { | 2 | { |
| 3 | config = { | 3 | config = { |
| 4 | deployment.keys = { | ||
| 5 | mpd = { | ||
| 6 | permissions = "0400"; | ||
| 7 | text = myconfig.env.mpd.password; | ||
| 8 | }; | ||
| 9 | }; | ||
| 4 | networking.firewall.allowedTCPPorts = [ 6600 ]; | 10 | networking.firewall.allowedTCPPorts = [ 6600 ]; |
| 5 | users.users.mpd.extraGroups = [ "wwwrun" ]; | 11 | users.users.mpd.extraGroups = [ "wwwrun" ]; |
| 6 | services.mpd = { | 12 | services.mpd = { |
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix index d309287..fc5b48d 100644 --- a/nixops/modules/websites/tools/tools/default.nix +++ b/nixops/modules/websites/tools/tools/default.nix | |||
| @@ -72,7 +72,14 @@ in { | |||
| 72 | ++ ldap.apache.modules | 72 | ++ ldap.apache.modules |
| 73 | ++ kanboard.apache.modules; | 73 | ++ kanboard.apache.modules; |
| 74 | 74 | ||
| 75 | services.ympd = ympd.config // { enable = true; }; | 75 | systemd.services.ympd = { |
| 76 | description = "Standalone MPD Web GUI written in C"; | ||
| 77 | wantedBy = [ "multi-user.target" ]; | ||
| 78 | script = '' | ||
| 79 | export MPD_PASSWORD=$(cat /run/keys/mpd) | ||
| 80 | ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody | ||
| 81 | ''; | ||
| 82 | }; | ||
| 76 | 83 | ||
| 77 | services.myWebsites.integration.vhostConfs.devtools = { | 84 | services.myWebsites.integration.vhostConfs.devtools = { |
| 78 | certName = "eldiron"; | 85 | certName = "eldiron"; |
| @@ -239,7 +246,9 @@ in { | |||
| 239 | ''; | 246 | ''; |
| 240 | 247 | ||
| 241 | nixpkgs.overlays = [ (self: super: rec { | 248 | nixpkgs.overlays = [ (self: super: rec { |
| 242 | ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json); | 249 | ympd = super.ympd.overrideAttrs(old: mylibs.fetchedGithub ./ympd.json // { |
| 250 | patches = (old.patches or []) ++ [ ./ympd-password-env.patch ]; | ||
| 251 | }); | ||
| 243 | }) ]; | 252 | }) ]; |
| 244 | 253 | ||
| 245 | systemd.services.tt-rss = { | 254 | systemd.services.tt-rss = { |
diff --git a/nixops/modules/websites/tools/tools/ympd-password-env.patch b/nixops/modules/websites/tools/tools/ympd-password-env.patch new file mode 100644 index 0000000..2bbe188 --- /dev/null +++ b/nixops/modules/websites/tools/tools/ympd-password-env.patch | |||
| @@ -0,0 +1,23 @@ | |||
| 1 | diff --git a/src/ympd.c b/src/ympd.c | ||
| 2 | index 3aed7e6..b3b6fda 100644 | ||
| 3 | --- a/src/ympd.c | ||
| 4 | +++ b/src/ympd.c | ||
| 5 | @@ -71,6 +71,7 @@ int main(int argc, char **argv) | ||
| 6 | char *run_as_user = NULL; | ||
| 7 | char const *error_msg = NULL; | ||
| 8 | char *webport = "8080"; | ||
| 9 | + const char *s; | ||
| 10 | |||
| 11 | atexit(bye); | ||
| 12 | #ifdef WITH_DYNAMIC_ASSETS | ||
| 13 | @@ -92,6 +93,10 @@ int main(int argc, char **argv) | ||
| 14 | {0, 0, 0, 0 } | ||
| 15 | }; | ||
| 16 | |||
| 17 | + if ((s = getenv("MPD_PASSWORD")) != NULL) { | ||
| 18 | + mpd.password = strdup(s); | ||
| 19 | + } | ||
| 20 | + | ||
| 21 | while((n = getopt_long(argc, argv, "h:p:w:u:vm:", | ||
| 22 | long_options, &option_index)) != -1) { | ||
| 23 | switch (n) { | ||
diff --git a/nixops/modules/websites/tools/tools/ympd.nix b/nixops/modules/websites/tools/tools/ympd.nix index 613a171..82d9321 100644 --- a/nixops/modules/websites/tools/tools/ympd.nix +++ b/nixops/modules/websites/tools/tools/ympd.nix | |||
| @@ -3,10 +3,8 @@ let | |||
| 3 | ympd = rec { | 3 | ympd = rec { |
| 4 | config = { | 4 | config = { |
| 5 | webPort = "localhost:${env.listenPort}"; | 5 | webPort = "localhost:${env.listenPort}"; |
| 6 | mpd = { | 6 | host = env.mpd.host; |
| 7 | host = "${env.mpd.host} --mpdpass ${env.mpd.password}"; | 7 | port = env.mpd.port; |
| 8 | port = env.mpd.port; | ||
| 9 | }; | ||
| 10 | }; | 8 | }; |
| 11 | apache = { | 9 | apache = { |
| 12 | modules = [ | 10 | modules = [ |