[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / mediagoblin.nix

{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  env = myconfig.env.tools.mediagoblin;
  cfg = config.services.myWebsites.tools.mediagoblin;
  mcfg = config.services.mediagoblin;
in {
  options.services.myWebsites.tools.mediagoblin = {
    enable = lib.mkEnableOption "enable mediagoblin's website";
  };

  config = lib.mkIf cfg.enable {
    secrets.keys = [{
      dest = "webapps/tools-mediagoblin";
      user = "mediagoblin";
      group = "mediagoblin";
      permissions = "0400";
      text = ''
        [DEFAULT]
        data_basedir = "${mcfg.dataDir}"

        [mediagoblin]
        direct_remote_path = /mgoblin_static/
        email_sender_address = "mediagoblin@tools.immae.eu"

        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
        sql_engine = ${env.psql_url}

        email_debug_mode = false
        allow_registration = false
        allow_reporting = true

        theme = airymodified

        user_privilege_scheme = "uploader,commenter,reporter"

        # We need to redefine them here since we override data_basedir
        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
        workbench_path = %(data_basedir)s/media/workbench
        crypto_path = %(data_basedir)s/crypto
        theme_install_dir = %(data_basedir)s/themes/
        theme_linked_assets_dir = %(data_basedir)s/theme_static/
        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/

        [storage:queuestore]
        base_dir = %(data_basedir)s/media/queue

        [storage:publicstore]
        base_dir = %(data_basedir)s/media/public
        base_url = /mgoblin_media/

        [celery]
        CELERY_RESULT_DBURI = ${env.redis_url}
        BROKER_URL = ${env.redis_url}
        CELERYD_CONCURRENCY = 1

        [plugins]
          [[mediagoblin.plugins.geolocation]]
          [[mediagoblin.plugins.ldap]]
            [[[immae.eu]]]
              LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
              LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
              LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
              LDAP_BIND_PW = '${env.ldap.password}'
              LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
              EMAIL_SEARCH_FIELD = 'mail'
          [[mediagoblin.plugins.basicsearch]]
          [[mediagoblin.plugins.piwigo]]
          [[mediagoblin.plugins.processing_info]]
          [[mediagoblin.media_types.image]]
          [[mediagoblin.media_types.video]]
        '';
    }];

    users.users.mediagoblin.extraGroups = [ "keys" ];

    services.mediagoblin = {
      enable     = true;
      plugins    = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
      configFile = "/var/secrets/webapps/tools-mediagoblin";
    };

    services.myWebsites.tools.modules = [
      "proxy" "proxy_http"
    ];
    users.users.wwwrun.extraGroups = [ "mediagoblin" ];
    security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.mgoblin = {
      certName    = "eldiron";
      hosts       = ["mgoblin.immae.eu" ];
      root        = null;
      extraConfig = [ ''
        Alias /mgoblin_media ${mcfg.dataDir}/media/public
        <Directory ${mcfg.dataDir}/media/public>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        Alias /theme_static ${mcfg.dataDir}/theme_static
        <Directory ${mcfg.dataDir}/theme_static>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        Alias /plugin_static ${mcfg.dataDir}/plugin_static
        <Directory ${mcfg.dataDir}/plugin_static>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        ProxyPreserveHost on
        ProxyVia On
        ProxyRequests Off
        ProxyPass /mgoblin_media !
        ProxyPass /theme_static !
        ProxyPass /plugin_static !
        ProxyPassMatch ^/.well-known/acme-challenge !
        ProxyPass / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
        ProxyPassReverse / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
      '' ];
    };
  };
}
Commit	Line	Data
9d90e7e2	1	{ lib, pkgs, config, myconfig, mylibs, ... }:
56eba416	2	let
ddd3f845	3	env = myconfig.env.tools.mediagoblin;
56eba416	4	cfg = config.services.myWebsites.tools.mediagoblin;
996a68c2	5	mcfg = config.services.mediagoblin;
56eba416 IB	6	in {
	7	options.services.myWebsites.tools.mediagoblin = {
	8	enable = lib.mkEnableOption "enable mediagoblin's website";
	9	};
	10
	11	config = lib.mkIf cfg.enable {
1a718805	12	secrets.keys = [{
ddd3f845 IB	13	dest = "webapps/tools-mediagoblin";
	14	user = "mediagoblin";
	15	group = "mediagoblin";
	16	permissions = "0400";
	17	text = ''
	18	[DEFAULT]
996a68c2	19	data_basedir = "${mcfg.dataDir}"
ddd3f845 IB	20
	21	[mediagoblin]
	22	direct_remote_path = /mgoblin_static/
	23	email_sender_address = "mediagoblin@tools.immae.eu"
	24
	25	#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
	26	sql_engine = ${env.psql_url}
	27
	28	email_debug_mode = false
	29	allow_registration = false
	30	allow_reporting = true
	31
	32	theme = airymodified
	33
	34	user_privilege_scheme = "uploader,commenter,reporter"
	35
	36	# We need to redefine them here since we override data_basedir
	37	# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
	38	workbench_path = %(data_basedir)s/media/workbench
	39	crypto_path = %(data_basedir)s/crypto
	40	theme_install_dir = %(data_basedir)s/themes/
	41	theme_linked_assets_dir = %(data_basedir)s/theme_static/
	42	plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
	43
	44	[storage:queuestore]
	45	base_dir = %(data_basedir)s/media/queue
	46
	47	[storage:publicstore]
	48	base_dir = %(data_basedir)s/media/public
	49	base_url = /mgoblin_media/
	50
	51	[celery]
	52	CELERY_RESULT_DBURI = ${env.redis_url}
	53	BROKER_URL = ${env.redis_url}
	54	CELERYD_CONCURRENCY = 1
	55
	56	[plugins]
	57	[[mediagoblin.plugins.geolocation]]
	58	[[mediagoblin.plugins.ldap]]
	59	[[[immae.eu]]]
	60	LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
	61	LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
	62	LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
	63	LDAP_BIND_PW = '${env.ldap.password}'
	64	LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
	65	EMAIL_SEARCH_FIELD = 'mail'
	66	[[mediagoblin.plugins.basicsearch]]
	67	[[mediagoblin.plugins.piwigo]]
	68	[[mediagoblin.plugins.processing_info]]
	69	[[mediagoblin.media_types.image]]
	70	[[mediagoblin.media_types.video]]
	71	'';
	72	}];
	73
996a68c2	74	users.users.mediagoblin.extraGroups = [ "keys" ];
56eba416	75
996a68c2 IB	76	services.mediagoblin = {
	77	enable = true;
	78	plugins = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
	79	configFile = "/var/secrets/webapps/tools-mediagoblin";
56eba416 IB	80	};
	81
	82	services.myWebsites.tools.modules = [
a952acc4	83	"proxy" "proxy_http"
56eba416 IB	84	];
	85	users.users.wwwrun.extraGroups = [ "mediagoblin" ];
	86	security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
	87	services.myWebsites.tools.vhostConfs.mgoblin = {
	88	certName = "eldiron";
	89	hosts = ["mgoblin.immae.eu" ];
	90	root = null;
	91	extraConfig = [ ''
996a68c2 IB	92	Alias /mgoblin_media ${mcfg.dataDir}/media/public
996a68c2 IB	93	<Directory ${mcfg.dataDir}/media/public>
56eba416 IB	94	Options -Indexes +FollowSymLinks +MultiViews +Includes
	95	Require all granted
	96	</Directory>
	97
996a68c2 IB	98	Alias /theme_static ${mcfg.dataDir}/theme_static
996a68c2 IB	99	<Directory ${mcfg.dataDir}/theme_static>
56eba416 IB	100	Options -Indexes +FollowSymLinks +MultiViews +Includes
	101	Require all granted
	102	</Directory>
	103
996a68c2 IB	104	Alias /plugin_static ${mcfg.dataDir}/plugin_static
996a68c2 IB	105	<Directory ${mcfg.dataDir}/plugin_static>
56eba416 IB	106	Options -Indexes +FollowSymLinks +MultiViews +Includes
	107	Require all granted
	108	</Directory>
	109
	110	ProxyPreserveHost on
	111	ProxyVia On
	112	ProxyRequests Off
	113	ProxyPass /mgoblin_media !
	114	ProxyPass /theme_static !
	115	ProxyPass /plugin_static !
	116	ProxyPassMatch ^/.well-known/acme-challenge !
658822fb IB	117	ProxyPass / unix://${mcfg.sockets.paster}\|http://mgoblin.immae.eu/
658822fb IB	118	ProxyPassReverse / unix://${mcfg.sockets.paster}\|http://mgoblin.immae.eu/
56eba416 IB	119	'' ];
	120	};
	121	};
	122	}