From da30ae4ffdd153a1eb32fb86f9ca9a65aa19e4e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 13 Oct 2021 02:26:54 +0200
Subject: Move secrets to flakes
---
 modules/private/websites/tools/cloud/default.nix | 2 +-
 modules/private/websites/tools/dav/davical.nix | 6 +++---
 modules/private/websites/tools/dav/default.nix | 1 +
 .../private/websites/tools/diaspora/default.nix | 9 ++++++++-
 modules/private/websites/tools/ether/default.nix | 6 +++---
 modules/private/websites/tools/git/default.nix | 1 +
 modules/private/websites/tools/git/mantisbt.nix | 6 +++---
 modules/private/websites/tools/mail/default.nix | 1 +
 .../private/websites/tools/mail/roundcubemail.nix | 6 +++---
 .../private/websites/tools/mastodon/default.nix | 2 +-
 modules/private/websites/tools/mgoblin/default.nix | 2 +-
 .../private/websites/tools/peertube/default.nix | 2 +-
 .../private/websites/tools/performance/default.nix | 2 +-
 modules/private/websites/tools/tools/default.nix | 23 ++++++++++++++-------
 .../private/websites/tools/tools/dmarc_reports.nix | 6 +++---
 modules/private/websites/tools/tools/kanboard.nix | 6 +++---
 modules/private/websites/tools/tools/ldap.nix | 6 +++---
 modules/private/websites/tools/tools/shaarli.nix | 4 ++--
 modules/private/websites/tools/tools/ttrss.nix | 6 +++---
 modules/private/websites/tools/tools/wallabag.nix | 8 ++++----
 modules/private/websites/tools/tools/webhooks.nix | 8 +++++++-
 modules/private/websites/tools/tools/yourls.nix | 6 +++---
 22 files changed, 71 insertions(+), 48 deletions(-)
(limited to 'modules/private/websites/tools')
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix
index c374940..471858a 100644
--- a/modules/private/websites/tools/cloud/default.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -157,7 +157,7 @@ in {
 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
 "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
 ) confs)}
- #install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
+ #install -D -m 0600 -o wwwrun -g wwwrun -T ${config.secrets.fullPaths."webapps/tools-nextcloud"} ${varDir}/config/config.php
 '';
 };
 # FIXME: add a warning when config.php changes
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
index 9d6cd21..eeac1b5 100644
--- a/modules/private/websites/tools/dav/davical.nix
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
+{ stdenv, fetchurl, gettext, writeText, env, awl, davical, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -65,7 +65,7 @@ rec {
 include('drivers_ldap.php');
 '';
 }];
- webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
+ webapp = davical.override { davical_config = config.secrets.fullPaths."webapps/dav-davical"; };
 webRoot = "${webapp}/htdocs";
 apache = rec {
 user = "wwwrun";
@@ -110,7 +110,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
+ basedir = builtins.concatStringsSep ":" [ webapp config.secrets.fullPaths."webapps/dav-davical" awl ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix
index f53cf58..c54e152 100644
--- a/modules/private/websites/tools/dav/default.nix
+++ b/modules/private/websites/tools/dav/default.nix
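Review bot: In davical.nix the key literal `"webapps/dav-davical"` is now spelled out at two independent use sites, `davical_config` in the @@ -65 hunk and `basedir` in the @@ -110 hunk, so a typo in either one would silently make open_basedir and the package disagree about which file is the secret. A single binding near the top of the file, `let davicalSecret = config.secrets.fullPaths."webapps/dav-davical"; in`, reused in both places would keep them in step; the enclosing `rec { … }` set continues outside both hunks. The same duplicated-literal pattern appears in mantisbt.nix, roundcubemail.nix, dmarc_reports.nix (where the literal is also the `dest` of the declared key), kanboard.nix, ldap.nix, ttrss.nix, wallabag.nix and yourls.nix. Passing the whole NixOS `config` into each package function only to read one path also gives those files a view of every option; handing them the resolved path from the calling default.nix would be the narrower interface, though that is a larger refactor than this commit attempts.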
@@ -18,6 +18,7 @@ let
 davical = pkgs.callPackage ./davical.nix {
 env = config.myEnv.tools.davical;
 inherit (pkgs.webapps) davical awl;
+ inherit config;
 };
 cfg = config.myServices.websites.tools.dav;
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix
index 5d2b19f..663fe88 100644
--- a/modules/private/websites/tools/diaspora/default.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -17,6 +17,13 @@ in {
 users.users.diaspora.extraGroups = [ "keys" ];
 secrets.keys = [
+ {
+ dest = "webapps/diaspora";
+ isDir = true;
+ user = "diaspora";
+ group = "diaspora";
+ permissions = "0500";
+ }
 {
 dest = "webapps/diaspora/diaspora.yml";
 user = "diaspora";
@@ -146,7 +153,7 @@ in {
 package = pkgs.webapps.diaspora.override { ldap = true; };
 dataDir = "/var/lib/diaspora_immae";
 adminEmail = "diaspora@tools.immae.eu";
- configDir = "/var/secrets/webapps/diaspora";
+ configDir = config.secrets.fullPaths."webapps/diaspora";
 };
 services.filesWatcher.diaspora = {
diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix
index 3350a4a..64e411d 100644
--- a/modules/private/websites/tools/ether/default.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -166,9 +166,9 @@ in {
 p.ep_timesliderdiff
 ]);
 modules = [];
- sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
- apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
- configFile = "/var/secrets/webapps/tools-etherpad";
+ sessionKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-sessionkey";
+ apiKeyFile = config.secrets.fullPaths."webapps/tools-etherpad-apikey";
+ configFile = config.secrets.fullPaths."webapps/tools-etherpad";
 };
 systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix
index 8b1afa8..755bab0 100644
--- a/modules/private/websites/tools/git/default.nix
+++ b/modules/private/websites/tools/git/default.nix
@@ -3,6 +3,7 @@ let
 mantisbt = pkgs.callPackage ./mantisbt.nix {
 inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
 env = config.myEnv.tools.mantisbt;
+ inherit config;
 };
 gitweb = pkgs.callPackage ./gitweb.nix {
 gitoliteDir = config.myServices.gitolite.gitoliteDir;
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix
index 9996d23..e6a8da7 100644
--- a/modules/private/websites/tools/git/mantisbt.nix
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -1,4 +1,4 @@
-{ env, mantisbt_2, mantisbt_2-plugins }:
+{ env, mantisbt_2, mantisbt_2-plugins, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -46,7 +46,7 @@ rec {
 $g_ldap_organization = '${env.ldap.filter}';
 '';
 }];
- webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
+ webRoot = (mantisbt_2.override { mantis_config = config.secrets.fullPaths."webapps/tools-mantisbt"; }).withPlugins (p: [p.slack p.source-integration]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -75,7 +75,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-mantisbt" ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-mantisbt" ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix
index 4636a6c..033a587 100644
--- a/modules/private/websites/tools/mail/default.nix
+++ b/modules/private/websites/tools/mail/default.nix
@@ -3,6 +3,7 @@ let
 roundcubemail = pkgs.callPackage ./roundcubemail.nix {
 inherit (pkgs.webapps) roundcubemail;
 env = config.myEnv.tools.roundcubemail;
+ inherit config;
 };
 rainloop = pkgs.callPackage ./rainloop.nix {
 rainloop = pkgs.rainloop-community;
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix
index bb7dee9..7d8e733 100644
--- a/modules/private/websites/tools/mail/roundcubemail.nix
+++ b/modules/private/websites/tools/mail/roundcubemail.nix
@@ -1,4 +1,4 @@
-{ env, roundcubemail, apacheHttpd }:
+{ env, roundcubemail, apacheHttpd, config }:
 rec {
 varDir = "/var/lib/roundcubemail";
 activationScript = {
@@ -75,7 +75,7 @@ rec {
 $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
 '';
 }];
- webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
+ webRoot = (roundcubemail.override { roundcube_config = config.secrets.fullPaths."webapps/tools-roundcube"; }).withPlugins (p: [ p.automatic_addressbook p.carddav p.contextmenu p.contextmenu_folder p.html5_notifier p.ident_switch p.message_highlight p.thunderbird_labels ]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -99,7 +99,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-roundcube" varDir ]
 ++ webRoot.plugins ++ webRoot.skins);
 pool = {
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
index 80d7431..cea8710 100644
--- a/modules/private/websites/tools/mastodon/default.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -62,7 +62,7 @@ in {
 }];
 services.mastodon = {
 enable = true;
- configFile = "/var/secrets/webapps/tools-mastodon";
+ configFile = config.secrets.fullPaths."webapps/tools-mastodon";
 socketsPrefix = "live_immae";
 dataDir = "/var/lib/mastodon_immae";
 };
diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix
index 719d3d3..6d6a5a4 100644
--- a/modules/private/websites/tools/mgoblin/default.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -84,7 +84,7 @@ in {
 services.mediagoblin = {
 enable = true;
 package = pkgs.webapps.mediagoblin.withPlugins (p: [p.basicsearch]);
- configFile = "/var/secrets/webapps/tools-mediagoblin";
+ configFile = config.secrets.fullPaths."webapps/tools-mediagoblin";
 };
 services.filesWatcher.mediagoblin-web = {
 restart = true;
diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix
index d2cbe40..7dcc998 100644
--- a/modules/private/websites/tools/peertube/default.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -14,7 +14,7 @@ in {
 };
 services.peertube = {
 enable = true;
- configFile = "/var/secrets/webapps/tools-peertube";
+ configFile = config.secrets.fullPaths."webapps/tools-peertube";
 };
 users.users.peertube.extraGroups = [ "keys" ];
diff --git a/modules/private/websites/tools/performance/default.nix b/modules/private/websites/tools/performance/default.nix
index df2b58d..5afd639 100644
--- a/modules/private/websites/tools/performance/default.nix
+++ b/modules/private/websites/tools/performance/default.nix
@@ -80,7 +80,7 @@ in
 "pm.min_spare_servers" = "1";
 "pm.max_spare_servers" = "10";
- "php_admin_value[open_basedir]" = "${package}:/tmp:/var/secrets/status_engine_ui";
+ "php_admin_value[open_basedir]" = "${package}:/tmp:${config.secrets.fullPaths."status_engine_ui"}";
 };
 phpPackage = pkgs.php74;
 };
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index ac92ef4..ada6253 100644
--- a/modules/private/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -12,8 +12,10 @@ let
 inherit (pkgs.webapps) ttrss ttrss-plugins;
 env = config.myEnv.tools.ttrss;
 php = pkgs.php72;
+ inherit config;
 };
 kanboard = pkgs.callPackage ./kanboard.nix {
+ inherit config;
 env = config.myEnv.tools.kanboard;
 };
 wallabag = pkgs.callPackage ./wallabag.nix {
@@ -23,10 +25,12 @@ let
 };
 };
 env = config.myEnv.tools.wallabag;
+ inherit config;
 };
 yourls = pkgs.callPackage ./yourls.nix {
 inherit (pkgs.webapps) yourls yourls-plugins;
 env = config.myEnv.tools.yourls;
+ inherit config;
 };
 rompr = pkgs.callPackage ./rompr.nix {
 inherit (pkgs.webapps) rompr;
@@ -34,6 +38,7 @@ let
 };
 shaarli = pkgs.callPackage ./shaarli.nix {
 env = config.myEnv.tools.shaarli;
+ inherit config;
 };
 dokuwiki = pkgs.callPackage ./dokuwiki.nix {
 inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
@@ -41,6 +46,7 @@ let
 ldap = pkgs.callPackage ./ldap.nix {
 inherit (pkgs.webapps) phpldapadmin;
 env = config.myEnv.tools.phpldapadmin;
+ inherit config;
 };
 grocy = pkgs.callPackage ./grocy.nix {
 grocy = pkgs.webapps.grocy.override { composerEnv = pkgs.composerEnv.override { php = pkgs.php72; }; };
@@ -56,6 +62,7 @@ let
 };
 dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
 env = config.myEnv.tools.dmarc_reports;
+ inherit config;
 };
 csp-reports = pkgs.callPackage ./csp_reports.nix {
 env = config.myEnv.tools.csp_reports;
@@ -188,8 +195,8 @@ in {
 Require all granted
- Alias /webhooks ${config.secrets.location}/webapps/webhooks
-
+ Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
+
 Options -Indexes
 Require all granted
 AllowOverride None
@@ -271,7 +278,7 @@ in {
 description = "Standalone MPD Web GUI written in C";
 wantedBy = [ "multi-user.target" ];
 script = ''
- export MPD_PASSWORD=$(cat /var/secrets/mpd)
+ export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
 ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
 '';
 };
@@ -293,7 +300,7 @@ in {
 services.filesWatcher.ympd = {
 restart = true;
- paths = [ "/var/secrets/mpd" ];
+ paths = [ config.secrets.fullPaths."mpd" ];
 };
 services.phpfpm.pools = {
@@ -313,9 +320,9 @@ in {
 "php_value[session.name]" = "ToolsPHPSESSID";
 "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
 "/run/wrappers/bin/sendmail" landing "/tmp"
- "${config.secrets.location}/webapps/webhooks"
+ config.secrets.fullPaths."webapps/webhooks"
 ];
- "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
+ "include" = config.secrets.fullPaths."webapps/tools-csp-reports.conf";
 };
 phpEnv = {
 CONTACT_EMAIL = config.myEnv.tools.contact;
@@ -438,11 +445,11 @@ in {
 };
 services.websites.env.tools.watchPaths = [
- "/var/secrets/webapps/tools-shaarli"
+ config.secrets.fullPaths."webapps/tools-shaarli"
 ];
 services.filesWatcher.phpfpm-wallabag = {
 restart = true;
- paths = [ "/var/secrets/webapps/tools-wallabag" ];
+ paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
 };
 };
diff --git a/modules/private/websites/tools/tools/dmarc_reports.nix b/modules/private/websites/tools/tools/dmarc_reports.nix
index e264e80..5fdf0b6 100644
--- a/modules/private/websites/tools/tools/dmarc_reports.nix
+++ b/modules/private/websites/tools/tools/dmarc_reports.nix
@@ -1,4 +1,4 @@
-{ env }:
+{ env, config }:
 rec {
 keys = [{
 dest = "webapps/tools-dmarc-reports.php";
@@ -43,7 +43,7 @@ rec {
 };
 phpFpm = rec {
 basedir = builtins.concatStringsSep ":"
- [ webRoot "/var/secrets/webapps/tools-dmarc-reports.php" ];
+ [ webRoot config.secrets.fullPaths."webapps/tools-dmarc-reports.php" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
@@ -55,7 +55,7 @@ rec {
 "php_admin_value[open_basedir]" = "${basedir}:/tmp";
 };
 phpEnv = {
- SECRETS_FILE = "/var/secrets/webapps/tools-dmarc-reports.php";
+ SECRETS_FILE = config.secrets.fullPaths."webapps/tools-dmarc-reports.php";
 };
 };
 }
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 0f6fefc..1a70499 100644
--- a/modules/private/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -1,4 +1,4 @@
-{ env, kanboard }:
+{ env, kanboard, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -42,7 +42,7 @@ rec {
 ?>
 '';
 }];
- webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
+ webRoot = kanboard { kanboard_config = config.secrets.fullPaths."webapps/tools-kanboard"; };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -68,7 +68,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot varDir config.secrets.fullPaths."webapps/tools-kanboard" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
index 0c1a21f..cb90edc 100644
--- a/modules/private/websites/tools/tools/ldap.nix
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -1,4 +1,4 @@
-{ lib, php, env, writeText, phpldapadmin }:
+{ lib, php, env, writeText, phpldapadmin, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -32,7 +32,7 @@ rec {
 $servers->setValue('login','fallback_dn',true);
 '';
 }];
- webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+ webRoot = phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; };
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
@@ -54,7 +54,7 @@ rec {
 };
 phpFpm = rec {
 serviceDeps = [ "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
+ basedir = builtins.concatStringsSep ":" [ webRoot config.secrets.fullPaths."webapps/tools-ldap" ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index d11f525..80c6a89 100644
--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -1,4 +1,4 @@
-{ lib, env, stdenv, fetchurl, shaarli }:
+{ lib, env, stdenv, fetchurl, shaarli, config }:
 let
 varDir = "/var/lib/shaarli";
 in rec {
@@ -21,7 +21,7 @@ in rec {
 vhostConf = socket: ''
 Alias /Shaarli "${root}"
- Include /var/secrets/webapps/tools-shaarli
+ Include ${config.secrets.fullPaths."webapps/tools-shaarli"}
 Header set Access-Control-Allow-Origin "*"
 Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index ce1ab8e..eb1d415 100644
--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -1,4 +1,4 @@
-{ php, env, ttrss, ttrss-plugins }:
+{ php, env, ttrss, ttrss-plugins, config }:
 rec {
 backups = {
 rootDir = varDir;
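Review bot: In ldap.nix's @@ -32 hunk, `phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }` has the override attribute and the new module argument both named `config`; this is valid because the set is not `rec`, so the right-hand side refers to the function argument, but it reads like a self-reference and is easy to misread during later edits. Binding the path once, `ldapSecret = config.secrets.fullPaths."webapps/tools-ldap";` in a `let` above the `rec { … }`, and writing `override { config = ldapSecret; }` removes the ambiguity and also covers the second use of the same literal in `basedir` in the @@ -54 hunk. The enclosing `rec { … }` set starts and ends outside both hunks.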
@@ -88,7 +88,7 @@ rec {
 define('LDAP_AUTH_DEBUG', FALSE);
 '';
 }];
- webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (p: [
+ webRoot = (ttrss.override { ttrss_config = config.secrets.fullPaths."webapps/tools-ttrss"; }).withPlugins (p: [
 p.auth_ldap p.ff_instagram p.tumblr_gdpr_ua
 (p.af_feedmod.override { patched = true; })
 (p.feediron.override { patched = true; })
@@ -116,7 +116,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-ttrss" varDir ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index 1cb0645..1a604c7 100644
--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -1,4 +1,4 @@
-{ env, wallabag, mylibs }:
+{ env, wallabag, mylibs, config }:
 rec {
 backups = {
 rootDir = varDir;
@@ -69,7 +69,7 @@ rec {
 arguments: ['/run/wrappers/bin/sendmail -bs']
 '';
 }];
- webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
+ webappDir = wallabag.override { ldap = true; wallabag_config = config.secrets.fullPaths."webapps/tools-wallabag"; };
 activationScript = ''
 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
 ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
@@ -125,11 +125,11 @@ rec {
 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
 popd > /dev/null
 echo -n "${webappDir}" > ${varDir}/currentWebappDir
- sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
+ sha512sum ${config.secrets.fullPaths."webapps/tools-wallabag"} > ${varDir}/currentKey
 fi
 '';
 serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
+ basedir = builtins.concatStringsSep ":" [ webappDir config.secrets.fullPaths."webapps/tools-wallabag" varDir ];
 pool = {
 "listen.owner" = apache.user;
 "listen.group" = apache.group;
diff --git a/modules/private/websites/tools/tools/webhooks.nix b/modules/private/websites/tools/tools/webhooks.nix
index 885b68b..8ffb81b 100644
--- a/modules/private/websites/tools/tools/webhooks.nix
+++ b/modules/private/websites/tools/tools/webhooks.nix
@@ -6,5 +6,11 @@
 group = "wwwrun";
 permissions = "0400";
 text = v;
- }) env;
+ }) env ++ [{
+ dest = "webapps/webhooks";
+ isDir = true;
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0500";
+ }];
 }
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
index 77ac0a3..0f977f2 100644
--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -1,4 +1,4 @@
-{ env, yourls, yourls-plugins }:
+{ env, yourls, yourls-plugins, config }:
 rec {
 activationScript = {
 deps = [ "httpd" ];
@@ -40,7 +40,7 @@ rec {
 define( 'LDAPAUTH_USERCACHE_TYPE', 0);
 '';
 }];
- webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
+ webRoot = (yourls.override { yourls_config = config.secrets.fullPaths."webapps/tools-yourls"; }).withPlugins (p: [p.ldap]);
 apache = rec {
 user = "wwwrun";
 group = "wwwrun";
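Review bot: In webhooks.nix the new directory entry for `webapps/webhooks` (isDir, `0500`, wwwrun) is appended after the per-file `0400` entries generated from `env`, whereas the matching directory entry this commit adds to diaspora/default.nix is placed before its file entry. Whether that matters depends on how the secrets module applies `secrets.keys`, which is not visible here: if entries are created in list order, the files would be installed before the directory's owner and mode are set; if the module sorts or creates parents itself, the two orderings are equivalent. Either way it is worth confirming once and then using the same order in both files, e.g. `[{ dest = "webapps/webhooks"; isDir = true; … }] ++ lib.attrsets.mapAttrsToList (…) env` if list order is significant. The `0500`/wwwrun mode itself is consistent with the directory being served via `Alias /webhooks` and listed in open_basedir in tools/default.nix, so only the Apache/php-fpm user can traverse it.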
@@ -70,7 +70,7 @@ rec {
 phpFpm = rec {
 serviceDeps = [ "mysql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-yourls" ]
+ [ webRoot config.secrets.fullPaths."webapps/tools-yourls" ]
 ++ webRoot.plugins);
 pool = {
 "listen.owner" = apache.user;
-- cgit v1.2.3