]>
Commit | Line | Data |
---|---|---|
a1bb33c4 IB |
1 | { |
2 | network = { | |
3 | description = "Immae's network"; | |
4 | enableRollback = true; | |
5 | }; | |
6 | ||
f8bde3d6 | 7 | eldiron = { config, pkgs, mylibs, myconfig, ... }: |
4d4f13f4 | 8 | with mylibs; |
5c101474 | 9 | let |
712ccefd | 10 | mypkgs = pkgs.callPackage ./packages.nix { |
eb770e14 | 11 | inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub; |
5c101474 | 12 | }; |
ab5d04b8 IB |
13 | in |
14 | { | |
4d4f13f4 IB |
15 | _module.args = { |
16 | mylibs = import ../libs.nix; | |
f8bde3d6 IB |
17 | myconfig = { |
18 | ips = { | |
19 | main = "176.9.151.89"; | |
20 | production = "176.9.151.154"; | |
21 | integration = "176.9.151.155"; | |
22 | }; | |
23 | }; | |
4d4f13f4 IB |
24 | }; |
25 | ||
26 | imports = [ | |
3013caf1 | 27 | ./modules/certificates.nix |
4d4f13f4 IB |
28 | ./modules/gitolite.nix |
29 | ./modules/gitweb.nix | |
30 | ./modules/databases.nix | |
42429ef0 | 31 | ./modules/websites.nix |
4d4f13f4 IB |
32 | ]; |
33 | services.myGitolite.enable = true; | |
34 | services.myGitweb.enable = true; | |
35 | services.myDatabases.enable = true; | |
42429ef0 IB |
36 | services.myWebsites.production.enable = true; |
37 | services.myWebsites.integration.enable = true; | |
4d4f13f4 | 38 | |
91493dc0 | 39 | nixpkgs.config.packageOverrides = oldpkgs: rec { |
6f0d92b4 IB |
40 | goaccess = oldpkgs.goaccess.overrideAttrs(old: rec { |
41 | name = "goaccess-${version}"; | |
42 | version = "1.3"; | |
43 | src = pkgs.fetchurl { | |
44 | url = "https://tar.goaccess.io/${name}.tar.gz"; | |
45 | sha256 = "16vv3pj7pbraq173wlxa89jjsd279004j4kgzlrsk1dz4if5qxwc"; | |
46 | }; | |
47 | configureFlags = old.configureFlags ++ [ "--enable-tcb=btree" ]; | |
48 | buildInputs = old.buildInputs ++ [ pkgs.tokyocabinet pkgs.bzip2 ]; | |
49 | }); | |
91493dc0 IB |
50 | }; |
51 | ||
a1bb33c4 IB |
52 | networking = { |
53 | firewall = { | |
54 | enable = true; | |
4d4f13f4 | 55 | allowedTCPPorts = [ 22 80 443 9418 ]; |
a1bb33c4 | 56 | }; |
f8bde3d6 IB |
57 | interfaces."eth0".ipv4.addresses = [ |
58 | # 176.9.151.89 declared in nixops -> infra / tools | |
59 | { address = myconfig.ips.production; prefixLength = 32; } | |
60 | { address = myconfig.ips.integration; prefixLength = 32; } | |
61 | ]; | |
a1bb33c4 IB |
62 | }; |
63 | ||
64 | deployment = { | |
65 | targetEnv = "hetzner"; | |
66 | hetzner = { | |
67 | #robotUser = "defined in HETZNER_ROBOT_USER"; | |
68 | #robotPass = "defined in HETZNER_ROBOT_PASS"; | |
f8bde3d6 | 69 | mainIPv4 = myconfig.ips.main; |
a1bb33c4 IB |
70 | partitions = '' |
71 | clearpart --all --initlabel --drives=sda,sdb | |
72 | ||
73 | part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda | |
74 | part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb | |
75 | ||
76 | part raid.1 --grow --ondisk=sda | |
77 | part raid.2 --grow --ondisk=sdb | |
78 | ||
79 | raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2 | |
80 | ''; | |
81 | }; | |
82 | }; | |
83 | ||
66b5bbf6 IB |
84 | environment.systemPackages = let |
85 | # FIXME: move it to nextcloud | |
86 | occ = pkgs.writeScriptBin "nextcloud-occ" '' | |
87 | #! ${pkgs.stdenv.shell} | |
88 | cd ${mypkgs.nextcloud.webRoot} | |
89 | NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \ | |
90 | exec \ | |
91 | ${config.services.phpfpm.phpPackage}/bin/php \ | |
92 | -c ${config.services.phpfpm.phpPackage}/etc/php.ini \ | |
93 | occ $* | |
94 | ''; | |
95 | in [ | |
ce6ee3b8 | 96 | pkgs.telnet |
beeed847 | 97 | pkgs.htop |
ce6ee3b8 | 98 | pkgs.vim |
6f0d92b4 | 99 | pkgs.goaccess |
66b5bbf6 | 100 | occ |
ce6ee3b8 IB |
101 | ]; |
102 | ||
3013caf1 IB |
103 | security.acme.certs."eldiron".extraDomains = { |
104 | "db-1.immae.eu" = null; | |
105 | "tools.immae.eu" = null; | |
106 | "cloud.immae.eu" = null; | |
107 | "dav.immae.eu" = null; | |
a1bb33c4 IB |
108 | }; |
109 | ||
5566d26d IB |
110 | services.openssh.extraConfig = '' |
111 | AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys | |
112 | AuthorizedKeysCommandUser nobody | |
113 | ''; | |
114 | ||
beeed847 | 115 | services.ympd = mypkgs.ympd.config // { enable = false; }; |
a05f8abe | 116 | |
58d1a782 | 117 | services.phpfpm = { |
beeed847 | 118 | # FIXME: move session files to separate dirs |
66b5bbf6 IB |
119 | # /!\ phppackage is used in nextcloud configuation |
120 | phpOptions = '' | |
c8e019b6 IB |
121 | session.save_path = "/var/lib/php/sessions" |
122 | session.gc_maxlifetime = 60*60*24*15 | |
123 | session.cache_expire = 60*24*30 | |
66b5bbf6 IB |
124 | ; For nextcloud |
125 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | |
126 | ; For nextcloud | |
127 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so | |
ec9ff2b8 IB |
128 | ; For nextcloud |
129 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | |
66b5bbf6 | 130 | ''; |
58d1a782 IB |
131 | extraConfig = '' |
132 | log_level = notice | |
133 | ''; | |
134 | poolConfigs = { | |
27e22b76 | 135 | adminer = mypkgs.adminer.phpFpm.pool; |
66b5bbf6 | 136 | nextcloud = mypkgs.nextcloud.phpFpm.pool; |
50d8fa14 | 137 | mantisbt = mypkgs.mantisbt.phpFpm.pool; |
eb770e14 | 138 | ttrss = mypkgs.ttrss.phpFpm.pool; |
d252d718 | 139 | roundcubemail = mypkgs.roundcubemail.phpFpm.pool; |
d9998b44 | 140 | davical = mypkgs.davical.phpFpm.pool; |
58d1a782 IB |
141 | }; |
142 | }; | |
143 | ||
65fe7543 | 144 | system.activationScripts = { |
66b5bbf6 | 145 | nextcloud = mypkgs.nextcloud.activationScript; |
eb770e14 | 146 | ttrss = mypkgs.ttrss.activationScript; |
d252d718 | 147 | roundcubemail = mypkgs.roundcubemail.activationScript; |
5dd28b43 IB |
148 | httpd = '' |
149 | install -d -m 0755 /var/lib/acme/acme-challenge | |
c8e019b6 IB |
150 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions |
151 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer | |
152 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt | |
1635a4ae | 153 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical |
5dd28b43 | 154 | ''; |
6bd6d033 | 155 | # FIXME: initial sync |
6f0d92b4 IB |
156 | goaccess = '' |
157 | mkdir -p /var/lib/goaccess | |
158 | mkdir -p /var/lib/goaccess/aten.pro | |
34e2fd14 IB |
159 | mkdir -p /var/lib/goaccess/ludivinecassal.com |
160 | mkdir -p /var/lib/goaccess/piedsjaloux.fr | |
6bd6d033 | 161 | mkdir -p /var/lib/goaccess/osteopathe-cc.fr |
527e32ad | 162 | mkdir -p /var/lib/goaccess/connexionswing.com |
6f0d92b4 | 163 | ''; |
5566d26d IB |
164 | }; |
165 | ||
166 | environment.etc."ssh/ldap_authorized_keys" = let | |
167 | ldap_authorized_keys = | |
5c101474 IB |
168 | assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD"; |
169 | wrap { | |
5566d26d IB |
170 | name = "ldap_authorized_keys"; |
171 | file = ./ldap_authorized_keys.sh; | |
172 | vars = { | |
173 | LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD"; | |
174 | GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; | |
175 | ECHO = "${pkgs.coreutils}/bin/echo"; | |
176 | }; | |
177 | paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; | |
178 | }; | |
179 | in { | |
180 | enable = true; | |
181 | mode = "0755"; | |
182 | user = "root"; | |
183 | source = ldap_authorized_keys; | |
65fe7543 IB |
184 | }; |
185 | ||
7611e4e2 IB |
186 | services.gitDaemon = { |
187 | enable = true; | |
188 | user = "gitolite"; | |
189 | group = "gitolite"; | |
190 | basePath = "${mypkgs.git.web.varDir}/repositories"; | |
191 | }; | |
192 | ||
beeed847 | 193 | # FIXME: logrotate |
58d1a782 | 194 | services.httpd = let |
b7cd7e4b | 195 | withConf = domain: { |
58d1a782 | 196 | enableSSL = true; |
5dd28b43 | 197 | sslServerCert = "/var/lib/acme/${domain}/cert.pem"; |
58d1a782 IB |
198 | sslServerKey = "/var/lib/acme/${domain}/key.pem"; |
199 | sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; | |
b7cd7e4b | 200 | logFormat = "combinedVhost"; |
f8bde3d6 IB |
201 | listen = [ |
202 | { ip = "176.9.151.89"; port = 443; } | |
203 | ]; | |
58d1a782 | 204 | }; |
42429ef0 | 205 | apacheConfig = config.services.myWebsites.apacheConfig; |
58d1a782 | 206 | in rec { |
a1bb33c4 | 207 | enable = true; |
58d1a782 IB |
208 | logPerVirtualHost = true; |
209 | multiProcessingModule = "worker"; | |
210 | adminAddr = "httpd@immae.eu"; | |
b7cd7e4b | 211 | logFormat = "combinedVhost"; |
25fd1d16 IB |
212 | extraModules = pkgs.lib.lists.unique ( |
213 | mypkgs.adminer.apache.modules ++ | |
66b5bbf6 | 214 | mypkgs.nextcloud.apache.modules ++ |
5f3e023d | 215 | mypkgs.ympd.apache.modules ++ |
cf80b4f2 | 216 | mypkgs.git.web.apache.modules ++ |
50d8fa14 | 217 | mypkgs.mantisbt.apache.modules ++ |
eb770e14 | 218 | mypkgs.ttrss.apache.modules ++ |
d252d718 | 219 | mypkgs.roundcubemail.apache.modules ++ |
42429ef0 | 220 | pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig)); |
94818b75 | 221 | extraConfig = builtins.concatStringsSep "\n" |
42429ef0 | 222 | (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig)); |
58d1a782 | 223 | virtualHosts = [ |
b7cd7e4b | 224 | (withConf "eldiron" // { |
58d1a782 | 225 | hostName = "eldiron.immae.eu"; |
1d4ccb2c IB |
226 | documentRoot = ./www; |
227 | extraConfig = '' | |
228 | DirectoryIndex index.htm | |
229 | ''; | |
58d1a782 | 230 | }) |
b7cd7e4b | 231 | (withConf "eldiron" // { |
58d1a782 IB |
232 | hostName = "db-1.immae.eu"; |
233 | documentRoot = null; | |
27e22b76 | 234 | extraConfig = builtins.concatStringsSep "\n" [ |
1bb2ff2c | 235 | mypkgs.adminer.apache.vhostConf |
27e22b76 | 236 | ]; |
58d1a782 | 237 | }) |
b7cd7e4b | 238 | (withConf "eldiron" // { |
e379fd29 IB |
239 | hostName = "tools.immae.eu"; |
240 | documentRoot = null; | |
241 | extraConfig = builtins.concatStringsSep "\n" [ | |
1bb2ff2c | 242 | mypkgs.adminer.apache.vhostConf |
a05f8abe | 243 | mypkgs.ympd.apache.vhostConf |
eb770e14 | 244 | mypkgs.ttrss.apache.vhostConf |
d252d718 | 245 | mypkgs.roundcubemail.apache.vhostConf |
43b726ed IB |
246 | ]; |
247 | }) | |
248 | (withConf "eldiron" // { | |
249 | hostName = "dav.immae.eu"; | |
250 | documentRoot = null; | |
251 | extraConfig = builtins.concatStringsSep "\n" [ | |
1635a4ae | 252 | mypkgs.infcloud.apache.vhostConf |
d9998b44 | 253 | mypkgs.davical.apache.vhostConf |
e379fd29 IB |
254 | ]; |
255 | }) | |
527e32ad IB |
256 | (withConf "connexionswing" // { |
257 | hostName = "connexionswing.com"; | |
258 | serverAliases = [ "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; | |
259 | documentRoot = mypkgs.connexionswing_prod.webRoot; | |
260 | extraConfig = builtins.concatStringsSep "\n" [ | |
261 | mypkgs.connexionswing_prod.apache.vhostConf | |
262 | ]; | |
263 | }) | |
e42ba74f IB |
264 | (withConf "ludivinecassal" // { |
265 | hostName = "ludivinecassal.com"; | |
266 | serverAliases = [ "www.ludivinecassal.com" ]; | |
267 | documentRoot = mypkgs.ludivinecassal_prod.webRoot; | |
268 | extraConfig = builtins.concatStringsSep "\n" [ | |
269 | mypkgs.ludivinecassal_prod.apache.vhostConf | |
270 | ]; | |
271 | }) | |
34e2fd14 IB |
272 | (withConf "piedsjaloux" // { |
273 | hostName = "piedsjaloux.fr"; | |
274 | serverAliases = [ "www.piedsjaloux.fr" ]; | |
275 | documentRoot = mypkgs.piedsjaloux_prod.webRoot; | |
276 | extraConfig = builtins.concatStringsSep "\n" [ | |
277 | mypkgs.piedsjaloux_prod.apache.vhostConf | |
278 | ]; | |
279 | }) | |
6bd6d033 | 280 | (withConf "chloe" // { |
7d8b50d3 IB |
281 | hostName = "osteopathe-cc.fr"; |
282 | serverAliases = [ "www.osteopathe-cc.fr" ]; | |
283 | documentRoot = mypkgs.chloe_prod.webRoot; | |
284 | extraConfig = builtins.concatStringsSep "\n" [ | |
285 | mypkgs.chloe_prod.apache.vhostConf | |
286 | ]; | |
287 | }) | |
6c672f34 IB |
288 | (withConf "aten" // { |
289 | hostName = "aten.pro"; | |
290 | serverAliases = [ "www.aten.pro" ]; | |
291 | documentRoot = mypkgs.aten_prod.webRoot; | |
292 | extraConfig = builtins.concatStringsSep "\n" [ | |
293 | mypkgs.aten_prod.apache.vhostConf | |
294 | ]; | |
295 | }) | |
b7cd7e4b | 296 | (withConf "eldiron" // { |
66b5bbf6 IB |
297 | hostName = "cloud.immae.eu"; |
298 | documentRoot = mypkgs.nextcloud.webRoot; | |
299 | extraConfig = builtins.concatStringsSep "\n" [ | |
300 | mypkgs.nextcloud.apache.vhostConf | |
301 | ]; | |
302 | }) | |
b7cd7e4b | 303 | (withConf "eldiron" // { |
cf80b4f2 IB |
304 | hostName = "git.immae.eu"; |
305 | documentRoot = mypkgs.git.web.webRoot; | |
306 | extraConfig = builtins.concatStringsSep "\n" [ | |
307 | mypkgs.git.web.apache.vhostConf | |
50d8fa14 | 308 | mypkgs.mantisbt.apache.vhostConf |
cf80b4f2 IB |
309 | ] + '' |
310 | RewriteEngine on | |
311 | RewriteCond %{REQUEST_URI} ^/releases | |
312 | RewriteRule /releases(.*) https://release.immae.eu$1 [P,L] | |
313 | ''; | |
314 | }) | |
58d1a782 IB |
315 | { # Should go last, default fallback |
316 | listen = [ { ip = "*"; port = 80; } ]; | |
317 | hostName = "redirectSSL"; | |
318 | serverAliases = [ "*" ]; | |
319 | enableSSL = false; | |
b7cd7e4b | 320 | logFormat = "combinedVhost"; |
58d1a782 IB |
321 | documentRoot = "/var/lib/acme/acme-challenge"; |
322 | extraConfig = '' | |
323 | RewriteEngine on | |
324 | RewriteCond "%{REQUEST_URI}" "!^/\.well-known" | |
325 | RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] | |
326 | # To redirect in specific "VirtualHost *:80", do | |
327 | # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 | |
328 | # rather than rewrite | |
329 | ''; | |
330 | } | |
43b726ed | 331 | ]; |
58d1a782 IB |
332 | }; |
333 | ||
6f0d92b4 IB |
334 | services.cron = { |
335 | enable = true; | |
336 | systemCronJobs = let | |
6bd6d033 | 337 | stats = domain: conf: let |
0facadb8 IB |
338 | d = pkgs.writeScriptBin "stats-${domain}" '' |
339 | #!${pkgs.stdenv.shell} | |
340 | set -e | |
341 | shopt -s nullglob | |
342 | date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y') | |
343 | TMPFILE=$(mktemp) | |
344 | trap "rm -f $TMPFILE" EXIT | |
345 | ||
346 | cat /var/log/httpd/access_log-${domain} | sed -n "/\\[$date_regex/ p" > $TMPFILE | |
347 | for i in /var/log/httpd/access_log-${domain}*.gz; do | |
348 | zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE | |
349 | done | |
350 | goaccess $TMPFILE --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf} | |
351 | ''; | |
6bd6d033 | 352 | in "${d}/bin/stats-${domain}"; |
56991aa7 IB |
353 | # FIXME: running several goaccess simultaneously seems to be |
354 | # bugged? | |
6f0d92b4 IB |
355 | in [ |
356 | "5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}" | |
56991aa7 IB |
357 | "6 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}" |
358 | "7 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}" | |
359 | "8 0 * * * root ${stats "osteopathe-cc.fr" ./packages/chloe_goaccess.conf}" | |
360 | "9 0 * * * root ${stats "connexionswing.com" ./packages/connexionswing_goaccess.conf}" | |
6f0d92b4 IB |
361 | ]; |
362 | }; | |
eb770e14 IB |
363 | |
364 | systemd.services.tt-rss = { | |
365 | description = "Tiny Tiny RSS feeds update daemon"; | |
366 | serviceConfig = { | |
367 | User = "wwwrun"; | |
368 | ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon"; | |
369 | StandardOutput = "syslog"; | |
370 | StandardError = "syslog"; | |
371 | PermissionsStartOnly = true; | |
372 | }; | |
373 | ||
374 | wantedBy = [ "multi-user.target" ]; | |
375 | requires = ["postgresql.service"]; | |
376 | after = ["network.target" "postgresql.service"]; | |
377 | }; | |
a1bb33c4 IB |
378 | }; |
379 | } |