bekkalokk/nettsiden: add secrets

2024-04-08 23:07:41 +02:00
parent fc19a8f1e1
commit 9577477460
2 changed files with 34 additions and 21 deletions
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@@ -7,7 +7,18 @@ in {
    ./fetch-gallery.nix
  ];

-  services.idp.sp-remote-metadata = [ "https://www2.pvv.ntnu.no/simplesaml/" ];
+  sops.secrets = lib.genAttrs [
+    "nettsiden/door_secret"
+    "nettsiden/mysql_password"
+    "nettsiden/simplesamlphp/admin_password"
+    "nettsiden/simplesamlphp/cookie_salt"
+  ] (_: {
+    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
+    group = config.services.phpfpm.pools.pvv-nettsiden.group;
+    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
+  });
+
+  services.idp.sp-remote-metadata = [ "https://${cfg.domainName}/simplesaml/" ];

  services.pvv-nettsiden = {
    enable = true;
@@ -18,12 +29,12 @@ in {
        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
          <?php
          $config = array(
-              # 'admin' => array(
-              #   'core:AdminPassword'
-              # ),
+              'admin' => array(
+                'core:AdminPassword'
+              ),
              'default-sp' => array(
                  'saml:SP',
-                  'entityID' => 'https://www2.pvv.ntnu.no/simplesaml/',
+                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
                  'idp' => 'https://idp2.pvv.ntnu.no/',
              ),
          );
@@ -33,21 +44,24 @@ in {

    domainName = "www2.pvv.ntnu.no";

-    settings = {
-      DOOR_SECRET = "verysecret";
+    settings = let
+      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
+    in {
+      DOOR_SECRET = includeFromSops "door_secret";

      DB = {
-        DSN = "mysql:dbname=www_data_www2;host=mysql.pvv.ntnu.no";
-        USER = "www-data_www2";
-        PASS = format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/database/password".path}')";
+        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+        USER = "www-data_nettsi";
+        PASS = includeFromSops "mysql_password";
      };

+      # TODO: set up postgres session for simplesamlphp
      SAML = {
-        COOKIE_SALT = "changeme";
+        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
        COOKIE_SECURE = true;
        ADMIN_NAME = "PVV Drift";
        ADMIN_EMAIL = "drift@pvv.ntnu.no";
-        ADMIN_PASSWORD = "torskefjes";
+        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
        TRUSTED_DOMAINS = [ cfg.domainName ];
      };
    };
@@ -58,9 +72,4 @@ in {
    "php_admin_flag[log_errors]" = true;
    "catch_workers_output" = true;
  };
-
-  sops.secrets."nettsiden/database/password" = {
-    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
-    group = config.services.phpfpm.pools.pvv-nettsiden.group;
-  };
 }