Move Aten and Connexionswing secrets to secure location

Related issue: https://git.immae.eu/mantisbt/view.php?id=122

4 files changed, 25 insertions, 9 deletions

diff --git a/nixops/modules/websites/aten/aten.nix b/nixops/modules/websites/aten/aten.nix
index d9286c3..897b3ba 100644
--- a/nixops/modules/websites/aten/aten.nix
+++ b/nixops/modules/websites/aten/aten.nix
@@ -29,6 +29,17 @@ let
         pm.max_spare_servers = 3
         ''}'';
     };
+    keys."${environment}-aten" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
+        SetEnv APP_ENV      "${environment}"
+        SetEnv APP_SECRET   "${config.secret}"
+        SetEnv DATABASE_URL "${config.psql_url}"
+        '';
+    };
     apache = rec {
       user = "wwwrun";
       group = "wwwrun";
@@ -40,9 +51,7 @@ let
         SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
       </FilesMatch>
 
-      SetEnv APP_ENV      "${environment}"
-      SetEnv APP_SECRET   "${config.secret}"
-      SetEnv DATABASE_URL "${config.psql_url}"
+      Include /run/keys/webapps/${environment}-aten
 
       ${if environment == "dev" then ''
       <Location />
@@ -124,8 +133,6 @@ let
         preInstall = ''
           export SYMFONY_ENV="${environment}"
           export APP_ENV="${environment}"
-          export DATABASE_URL="${config.psql_url}"
-          export APP_SECRET="${config.secret}"
           '';
         postInstall = ''
           ln -sf ${yarnModules}/node_modules .
diff --git a/nixops/modules/websites/aten/default.nix b/nixops/modules/websites/aten/default.nix
index 51a36fb..776a02e 100644
--- a/nixops/modules/websites/aten/default.nix
+++ b/nixops/modules/websites/aten/default.nix
@@ -25,6 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
+      deployment.keys = aten_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -56,6 +57,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
+      deployment.keys = aten_dev.keys;
       security.acme.certs."eldiron".extraDomains."dev.aten.pro" = null;
       services.myPhpfpm.poolConfigs.aten_dev = aten_dev.phpFpm.pool;
       system.activationScripts.aten_dev = aten_dev.activationScript;
diff --git a/nixops/modules/websites/connexionswing/connexionswing.nix b/nixops/modules/websites/connexionswing/connexionswing.nix
index 8fbca2d..c178184 100644
--- a/nixops/modules/websites/connexionswing/connexionswing.nix
+++ b/nixops/modules/websites/connexionswing/connexionswing.nix
@@ -3,8 +3,12 @@ let
   connexionswing = { config }: rec {
     environment = config.environment;
     varDir = "/var/lib/connexionswing_${environment}";
-    configRoot =
-      writeText "parameters.yml" ''
+    keys."${environment}-connexionswing" = {
+      destDir = "/run/keys/webapps";
+      user = apache.user;
+      group = apache.group;
+      permissions = "0700";
+      text = ''
         # This file is auto-generated during the composer install
         parameters:
             database_host: ${config.mysql.host}
@@ -27,6 +31,7 @@ let
               arguments: ['/run/wrappers/bin/sendmail -bs']
         '' else ""}
       '';
+    };
     phpFpm = rec {
       socket = "/var/run/phpfpm/connexionswing-${environment}.sock";
       phpConfig = ''
@@ -41,7 +46,7 @@ let
         php_admin_value[upload_max_filesize] = 20M
         php_admin_value[post_max_size] = 20M
         ;php_admin_flag[log_errors] = on
-        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${configRoot}:${webappDir}:${varDir}:/tmp"
+        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/run/keys/webapps/${environment}-connexionswing:${webappDir}:${varDir}:/tmp"
         php_admin_value[session.save_path] = "${varDir}/phpSessions"
         ${if environment == "dev" then ''
         pm = ondemand
@@ -166,7 +171,7 @@ let
           cd $out
           ${if environment == "prod" then "php ./bin/console assetic:dump --env=prod --no-debug" else ""}
           rm app/config/parameters.yml
-          ln -sf ${configRoot} app/config/parameters.yml
+          ln -sf /run/keys/webapps/${environment}-connexionswing app/config/parameters.yml
           rm -rf var/{logs,cache}
           ln -sf ${varDir}/var/{logs,cache} var/
           ln -sf ${varDir}/{medias,uploads} web/images/
diff --git a/nixops/modules/websites/connexionswing/default.nix b/nixops/modules/websites/connexionswing/default.nix
index f98b349..752382f 100644
--- a/nixops/modules/websites/connexionswing/default.nix
+++ b/nixops/modules/websites/connexionswing/default.nix
@@ -25,6 +25,7 @@ in {
 
   config = lib.mkMerge [
     (lib.mkIf cfg.production.enable {
+      deployment.keys = connexionswing_prod.keys;
       services.myWebsites.commons.stats.enable = true;
       services.myWebsites.commons.stats.sites = [
         {
@@ -58,6 +59,7 @@ in {
       };
     })
     (lib.mkIf cfg.integration.enable {
+      deployment.keys = connexionswing_dev.keys;
       security.acme.certs."eldiron".extraDomains."sandetludo.immae.eu" = null;
       security.acme.certs."eldiron".extraDomains."connexionswing.immae.eu" = null;
       services.myPhpfpm.poolConfigs.connexionswing_dev = connexionswing_dev.phpFpm.pool;