Rework buildbot: Move towards independent builds
965b61c2
IB
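# NixOS module for nicecoop's "gestion-compte" (Symfony) member-management site.
# It wires together: a PHP-FPM pool, a systemd pre-start hook that runs Symfony
# maintenance when the deployment changes, cron jobs for shift handling, the
# secrets consumed by the buildbot deploy step, and the Apache vhost.
{ lib, pkgs, config, ... }:
let
  # Credentials (database, SMTP, app secret) supplied by the host environment.
  secrets = config.myEnv.websites.nicecoop.gestion-compte;
  # Writable state for the app (sessions, Symfony var/); the app itself lives read-only in the store.
  varDir = "/var/lib/nicecoop_gestion-compte/var";
  # parameters.yml written by the buildbot deployment; the app reads its secrets from here.
  parametersPath = "/var/lib/buildbot/outputs/nicecoop/gestion/production/parameters.yml";
  app = pkgs.callPackage ./gestion-compte {
    inherit varDir;
    secretsPath = parametersPath;
  };
  cfg = config.myServices.websites.nicecoop.gestion-compte;
in {
  options.myServices.websites.nicecoop.gestion-compte.enable = lib.mkEnableOption "enable nicecoop's gestion-compte website";

  config = lib.mkIf cfg.enable {
    services.phpfpm.pools.nicecoop_gestion-compte = {
      user = config.services.httpd.Prod.user;
      group = config.services.httpd.Prod.group;
      settings = {
        "listen.owner" = config.services.httpd.Prod.user;
        "listen.group" = config.services.httpd.Prod.group;
        # Confine PHP file access to the app, its state dir, the parameters file and /tmp.
        "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
          app
          varDir
          parametersPath
          "/tmp"
        ];
        "php_admin_value[upload_max_filesize]" = "20M";
        "php_admin_value[post_max_size]" = "20M";
        "php_admin_value[session.save_path]" = "${varDir}/phpSessions";
        "pm" = "dynamic";
        "pm.max_children" = "20";
        "pm.start_servers" = "2";
        "pm.min_spare_servers" = "1";
        "pm.max_spare_servers" = "3";
      };
    };

    # Publish a tarball of the built app inside the system closure (under
    # nicecoop/gestion/); presumably picked up by the buildbot deployment step.
    system.extraSystemBuilderCmds = let
      tarball = pkgs.runCommand "production.tar.gz" {} ''
        tar -P --transform="s@${app}@production_app@" -czf $out ${app}
      '';
    in ''
      mkdir -p $out/nicecoop/gestion
      ln -s ${tarball} $out/nicecoop/gestion/production.tar.gz
    '';

    systemd.services.phpfpm-nicecoop_gestion-compte = {
      after = lib.mkAfter ["mysql.service"];
      wants = ["mysql.service"];
      # Run Symfony maintenance (cache clear, database create, migrations) only when
      # parameters.yml or the deployed app store path changed since the last run.
      preStart = lib.mkAfter ''
        # parameters.yml is produced by buildbot; hand it to the PHP-FPM user so the app can read it.
        /run/wrappers/bin/sudo chown wwwrun:wwwrun "${parametersPath}"
        # True when no checksum has been recorded yet, or the recorded sha512 no longer matches.
        watchFilesChanged() {
          [ ! -f "${varDir}/watchedFiles" ] \
            || ! sha512sum -c --status "${varDir}/watchedFiles"
        }
        # True when the recorded app store path differs from the one being started now.
        appDirChanged() {
          [ ! -f "${varDir}/currentWebappDir" ] \
            || [ "${app}" != "$(cat "${varDir}/currentWebappDir" 2>/dev/null)" ]
        }
        # Record the checksum of the files whose change must trigger maintenance.
        updateWatchFiles() {
          sha512sum "${parametersPath}" > "${varDir}/watchedFiles"
        }

        if watchFilesChanged || appDirChanged; then
          pushd "${app}" > /dev/null
          /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod cache:clear
          /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:database:create -n --if-not-exists
          /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate -n
          popd > /dev/null
          echo -n "${app}" > "${varDir}/currentWebappDir"
          updateWatchFiles
        fi
      '';
    };

    # Scheduled Symfony console commands, run as the httpd user from the app directory.
    services.cron = {
      systemCronJobs = let
        prefix = "${config.services.httpd.Prod.user} cd ${app} && ./bin/console --env=prod";
      in [
        ''
          # generate shifts in 27 days (same weekday as yesterday)
          55 5 * * * ${prefix} app:shift:generate $(date -d "+27 days" +\%Y-\%m-\%d)

          # free pre-booked shifts
          55 5 * * * ${prefix} app:shift:free $(date -d "+21 days" +\%Y-\%m-\%d)

          # send reminder 2 days before shift
          #0 6 * * * ${prefix} app:shift:reminder $(date -d "+2 days" +\%Y-\%m-\%d)

          # execute routine for cycle_end/cycle_start, everyday
          5 6 * * * ${prefix} app:user:cycle_start

          # send alert on shifts booking (low)
          #0 10 * * * ${prefix} app:shift:send_alerts --emails creneaux@nicecoop.fr $(date -d "+2 days" +\%Y-\%m-\%d) 1

          # send a reminder mail to the user who generate the last code but did not validate the change.
          #45 21 * * * ${prefix} app:code:verify_change --last_run 24
        ''
      ];
    };

    # State directories, private to the PHP-FPM user.
    system.activationScripts.nicecoop_gestion-compte = {
      deps = [];
      text = ''
        install -m 0700 -o wwwrun -g wwwrun -d ${varDir} ${varDir}/phpSessions ${varDir}/var
      '';
    };

    # Restart the pool (and so re-run the preStart maintenance) whenever parameters.yml is rewritten.
    services.filesWatcher.phpfpm-nicecoop_gestion-compte = {
      restart = true;
      paths = [
        parametersPath
      ];
    };

    # Secrets handed to buildbot (readable only by it); presumably the source it
    # renders parameters.yml from — confirm against the buildbot configuration.
    secrets.keys."buildbot/nicecoop/production.yml" = {
      user = "buildbot";
      group = "buildbot";
      permissions = "0400";
      text = builtins.toJSON {
        database = {
          host = secrets.mysql.host;
          port = secrets.mysql.port;
          name = secrets.mysql.database;
          user = secrets.mysql.user;
          password = secrets.mysql.password;
          version = pkgs.mariadb.mysqlVersion;
        };
        # NOTE(review): the key is spelled "admipassword" while the secret is "adminpassword";
        # kept as-is because the consumer of this file is not visible here — verify which spelling it reads.
        admipassword = secrets.adminpassword;
        smtp = {
          host = secrets.smtp.host;
          port = secrets.smtp.port;
          email = secrets.smtp.email;
          password = secrets.smtp.password;
        };
        secret = secrets.secret;
      };
    };

    # Former inline parameters.yml, superseded by the buildbot-rendered file at
    # parametersPath. Kept as a reference for the parameter names the app expects.
    # secrets.keys."websites/nicecoop/gestion-compte" = {
    #   user = config.services.httpd.Prod.user;
    #   group = config.services.httpd.Prod.group;
    #   permissions = "0400";
    #   text = ''
    #     # This file is auto-generated during the composer install
    #     parameters:
    #       database_host: ${secrets.mysql.host}
    #       database_port: ${secrets.mysql.port}
    #       database_name: ${secrets.mysql.database}
    #       database_user: ${secrets.mysql.user}
    #       database_password: ${secrets.mysql.password}
    #       database_version: ${pkgs.mariadb.mysqlVersion}
    #       super_admin.username: admin
    #       super_admin.initial_password: ${secrets.adminpassword}
    #       mailer_transport: smtp
    #       mailer_host: ${secrets.smtp.host}
    #       mailer_port: ${secrets.smtp.port}
    #       mailer_user: ${secrets.smtp.email}
    #       mailer_password: ${secrets.smtp.password}
    #       mailer_encryption: tls
    #       transactional_mailer_user: ${secrets.smtp.email}
    #       transactional_mailer_user_name: 'espace membre'
    #       emails.base_domain: tools.immae.eu
    #       emails.contact:
    #         from_name: 'Contact Nicecoop'
    #         address: ${secrets.smtp.email}
    #       emails.member:
    #         from_name: 'Membres Nicecoop'
    #         address: ${secrets.smtp.email}
    #       emails.shift:
    #         from_name: 'Créneaux Nicecoop'
    #         address: ${secrets.smtp.email}
    #       emails.formation:
    #         from_name: 'Formation Nicecoop'
    #         address: ${secrets.smtp.email}
    #       emails.admin:
    #         from_name: 'Admin Nicecoop'
    #         address: ${secrets.smtp.email}
    #       emails.noreply:
    #         from_name: 'Ne pas répondre'
    #         address: ${secrets.smtp.email}
    #       emails.sendable:
    #         - '%emails.contact%'
    #         - '%emails.member%'
    #         - '%emails.shift%'
    #         - '%emails.formation%'
    #         - '%emails.admin%'
    #         - '%emails.noreply%'
    #       shift_mailer_user: null
    #       secret: ${secrets.secret}
    #       router.request_context.host: membre.nicecoop.fr
    #       router.request_context.scheme: https
    #       router.request_context.base_url: null
    #       site_name: 'Espace membre @ Nicecoop'
    #       project_name: 'Nicecoop'
    #       project_url: 'https://membre.nicecoop.fr/'
    #       project_url_display: membre.nicecoop.fr
    #       main_color: null
    #       local_currency_name: 'monnaie locale'
    #       place_local_ip_address: '127.0.0.1,192.168.0.x'
    #       wiki_keys_url: null
    #       registration_duration: '1 year'
    #       registration_every_civil_year: false
    #       helloasso_registration_campaign_url: 'https://www.helloasso.com/associations/my-local-coop/adhesions/re-adhesion'
    #       helloasso_campaign_id: null
    #       helloasso_api_key: null
    #       helloasso_api_password: null
    #       helloasso_api_base_url: 'https://api.helloasso.com/v3/'
    #       due_duration_by_cycle: 180
    #       min_shift_duration: 90
    #       cycle_duration: '28 days'
    #       maximum_nb_of_beneficiaries_in_membership: 2
    #       new_users_start_as_beginner: true
    #       allow_extra_shifts: true
    #       max_time_in_advance_to_book_extra_shifts: '3 days'
    #       display_gauge: true
    #       use_fly_and_fixed: false
    #       time_after_which_members_are_late_with_shifts: -9
    #       reserve_new_shift_to_prior_shifter: true
    #       forbid_shift_overlap_time: 30
    #       display_name_shifters: false
    #       use_card_reader_to_validate_shifts: false
    #       max_time_at_end_of_shift: 0
    #       swipe_card_logging: true
    #       display_swipe_cards_settings: true
    #       logging.mattermost.enabled: false
    #       logging.mattermost.level: critical
    #       logging.mattermost.url: 'http://mattermost.yourcoop.local'
    #       logging.mattermost.channel: null
    #       logging.swiftmailer.enabled: false
    #       logging.swiftmailer.level: critical
    #       logging.swiftmailer.recipient: null
    #       code_generation_enabled: true
    #       display_freeze_account: true
    #       display_keys_shop: true
    #     services:
    #       swiftmailer.mailer.default.transport:
    #         class: Swift_SendmailTransport
    #         arguments: ['/run/wrappers/bin/sendmail -bs']
    #   '';
    # };

    services.websites.env.production.vhostConfs.nicecoop_gestion-compte = {
      certName = "nicecoop";
      certMainHost = "membre.nicecoop.fr";
      hosts = ["membre.nicecoop.fr"];
      root = app.webRoot;
      extraConfig = [
        ''
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.nicecoop_gestion-compte.socket}|fcgi://localhost"
          </FilesMatch>

          <Directory ${app.webRoot}>
            # "Indexes" (directory listings of the web root) and "Includes" (server-side
            # includes) are not needed by a PHP front controller and were dropped: the
            # first exposes the file layout, the second widens what a request can execute.
            Options FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
          </Directory>
        ''
      ];
    };
  };
}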