From 51900e3488284b0711083819a5ecb1b0f280a913 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 16 Apr 2019 13:46:47 +0200
Subject: Move etherpad and mediagoblin keys to secure location
Related issue: https://git.immae.eu/mantisbt/view.php?id=122
---
 nixops/modules/websites/tools/mediagoblin/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'nixops/modules/websites/tools/mediagoblin/default.nix')
diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix
index 54c0478..9b058be 100644
--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -12,6 +12,7 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ deployment.keys = mediagoblin.keys;
 ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
 ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
@@ -22,6 +23,7 @@ in {
 description = "Mediagoblin user";
 home = mediagoblin.varDir;
 useDefaultShell = true;
+ extraGroups = [ "keys" ];
 };
 users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
@@ -29,7 +31,8 @@ in {
 systemd.services.mediagoblin-web = {
 description = "Mediagoblin service";
 wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ after = [ "network.target" "tools-mediagoblin-key.service" ];
+ wants = [ "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];
 environment.SCRIPT_NAME = "/mediagoblin/";
--
cgit v1.2.3
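Review bot: The added `extraGroups = [ "keys" ];` in the second hunk gives the mediagoblin account access to the shared NixOps key directory as a whole, not to a single file, so what the service can actually read is decided by each key's own `user`, `group` and `permissions`. Those attributes are set in `mediagoblin.keys`, which is outside this diff; it is worth confirming there that the key is owned by the service user with something like `permissions = "0400";`, and that no unrelated key in the same directory is left readable by the `keys` group. A comment above the line would record the intent, for example `# "keys" only opens the key directory; per-file access is set in mediagoblin.keys`. The enclosing user definition starts above the hunk.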
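Review bot: In the third hunk the new `wants` line pulls in `postgresql.service` and `redis.service`, but `after` still lists only `network.target` and the key unit, so systemd is free to start mediagoblin-web in parallel with the database and Redis rather than after them. If both run on this host, order them as well: `after = [ "network.target" "postgresql.service" "redis.service" "tools-mediagoblin-key.service" ];`. Ordering may already be handled elsewhere in the service definition, which continues below the hunk, so treat this as something to check rather than a confirmed start-up race.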