]>
Commit | Line | Data |
---|---|---|
1 | { | |
2 | network = { | |
3 | description = "Immae's network"; | |
4 | enableRollback = true; | |
5 | }; | |
6 | ||
7 | eldiron = { config, pkgs, ... }: | |
8 | let mypkgs = import ./packages.nix; | |
9 | mylibs = import ../libs.nix; | |
10 | in | |
11 | { | |
12 | networking = { | |
13 | firewall = { | |
14 | enable = true; | |
15 | allowedTCPPorts = [ 22 80 443 3306 5432 ]; | |
16 | }; | |
17 | }; | |
18 | ||
19 | deployment = { | |
20 | targetEnv = "hetzner"; | |
21 | hetzner = { | |
22 | #robotUser = "defined in HETZNER_ROBOT_USER"; | |
23 | #robotPass = "defined in HETZNER_ROBOT_PASS"; | |
24 | mainIPv4 = "176.9.151.89"; | |
25 | partitions = '' | |
26 | clearpart --all --initlabel --drives=sda,sdb | |
27 | ||
28 | part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda | |
29 | part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb | |
30 | ||
31 | part raid.1 --grow --ondisk=sda | |
32 | part raid.2 --grow --ondisk=sdb | |
33 | ||
34 | raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2 | |
35 | ''; | |
36 | }; | |
37 | }; | |
38 | ||
39 | environment.systemPackages = [ | |
40 | pkgs.telnet | |
41 | pkgs.vim | |
42 | ]; | |
43 | ||
44 | security.acme.certs = { | |
45 | "eldiron" = { | |
46 | webroot = "/var/lib/acme/acme-challenge"; | |
47 | email = "ismael@bouya.org"; | |
48 | domain = "eldiron.immae.eu"; | |
49 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; | |
50 | postRun = '' | |
51 | systemctl reload httpd.service | |
52 | ''; | |
53 | extraDomains = { | |
54 | "db-1.immae.eu" = null; | |
55 | "tools.immae.eu" = null; | |
56 | "connexionswing.immae.eu" = null; | |
57 | "sandetludo.immae.eu" = null; | |
58 | }; | |
59 | }; | |
60 | # "connexionswing" = { | |
61 | # webroot = "/var/lib/acme/acme-challenge"; | |
62 | # email = "ismael@bouya.org"; | |
63 | # domain = "connexionswing.com"; | |
64 | # plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; | |
65 | # postRun = '' | |
66 | # systemctl reload httpd.service | |
67 | # ''; | |
68 | # extraDomains = { | |
69 | # "www.connexionswing.com" = null; | |
70 | # "sandetludo.com" = null; | |
71 | # "www.sandetludo.com" = null; | |
72 | # }; | |
73 | # }; | |
74 | }; | |
75 | ||
76 | services.ympd = mypkgs.ympd.config // { enable = true; }; | |
77 | ||
78 | services.phpfpm = { | |
79 | extraConfig = '' | |
80 | log_level = notice | |
81 | ''; | |
82 | poolConfigs = { | |
83 | adminer = mypkgs.adminer.phpFpm.pool; | |
84 | connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool; | |
85 | connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool; | |
86 | www = '' | |
87 | listen = /var/run/phpfpm/www.sock | |
88 | user = wwwrun | |
89 | group = wwwrun | |
90 | listen.owner = wwwrun | |
91 | listen.group = wwwrun | |
92 | pm = ondemand | |
93 | pm.max_children = 5 | |
94 | pm.process_idle_timeout = 60 | |
95 | ;php_admin_flag[log_errors] = on | |
96 | php_admin_value[open_basedir] = "/var/www" | |
97 | ''; | |
98 | }; | |
99 | }; | |
100 | ||
101 | system.activationScripts = { | |
102 | connexionswing_dev = mypkgs.connexionswing_dev.activationScript; | |
103 | connexionswing_prod = mypkgs.connexionswing_prod.activationScript; | |
104 | httpd = '' | |
105 | install -d -m 0755 /var/lib/acme/acme-challenge | |
106 | install -d -m 0755 /var/www | |
107 | ''; | |
108 | }; | |
109 | ||
110 | services.httpd = let | |
111 | withSSL = domain: { | |
112 | enableSSL = true; | |
113 | sslServerCert = "/var/lib/acme/${domain}/cert.pem"; | |
114 | sslServerKey = "/var/lib/acme/${domain}/key.pem"; | |
115 | sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; | |
116 | }; | |
117 | in rec { | |
118 | enable = true; | |
119 | logPerVirtualHost = true; | |
120 | multiProcessingModule = "worker"; | |
121 | adminAddr = "httpd@immae.eu"; | |
122 | # FIXME: http2 | |
123 | extraModules = pkgs.lib.lists.unique ( | |
124 | mypkgs.adminer.apache.modules ++ | |
125 | mypkgs.connexionswing_dev.apache.modules ++ | |
126 | mypkgs.connexionswing_prod.apache.modules ++ | |
127 | [ | |
128 | "macro" | |
129 | "ldap" | |
130 | "authnz_ldap" | |
131 | ]); | |
132 | extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; '' | |
133 | <IfModule ldap_module> | |
134 | LDAPSharedCacheSize 500000 | |
135 | LDAPCacheEntries 1024 | |
136 | LDAPCacheTTL 600 | |
137 | LDAPOpCacheEntries 1024 | |
138 | LDAPOpCacheTTL 600 | |
139 | </IfModule> | |
140 | ||
141 | <Macro LDAPConnect> | |
142 | <IfModule authnz_ldap_module> | |
143 | AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu | |
144 | AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu | |
145 | AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}" | |
146 | AuthType Basic | |
147 | AuthName "Authentification requise (Acces LDAP)" | |
148 | AuthBasicProvider ldap | |
149 | </IfModule> | |
150 | </Macro> | |
151 | ''; | |
152 | virtualHosts = [ | |
153 | (withSSL "eldiron" // { | |
154 | listen = [ { ip = "*"; port = 443; } ]; | |
155 | hostName = "eldiron.immae.eu"; | |
156 | # FIXME: directory needs to exist | |
157 | documentRoot = "/var/www"; | |
158 | }) | |
159 | (withSSL "eldiron" // { | |
160 | listen = [ { ip = "*"; port = 443; } ]; | |
161 | hostName = "db-1.immae.eu"; | |
162 | documentRoot = null; | |
163 | extraConfig = builtins.concatStringsSep "\n" [ | |
164 | mypkgs.adminer.apache.vhostConf | |
165 | ]; | |
166 | }) | |
167 | (withSSL "eldiron" // { | |
168 | listen = [ { ip = "*"; port = 443; } ]; | |
169 | hostName = "tools.immae.eu"; | |
170 | documentRoot = null; | |
171 | extraConfig = builtins.concatStringsSep "\n" [ | |
172 | mypkgs.adminer.apache.vhostConf | |
173 | mypkgs.ympd.apache.vhostConf | |
174 | ]; | |
175 | }) | |
176 | (withSSL "eldiron" // { | |
177 | listen = [ { ip = "*"; port = 443; } ]; | |
178 | hostName = "connexionswing.immae.eu"; | |
179 | serverAliases = [ "sandetludo.immae.eu" ]; | |
180 | documentRoot = mypkgs.connexionswing_dev.webRoot; | |
181 | extraConfig = builtins.concatStringsSep "\n" [ | |
182 | mypkgs.connexionswing_dev.apache.vhostConf | |
183 | ]; | |
184 | }) | |
185 | { # Should go last, default fallback | |
186 | listen = [ { ip = "*"; port = 80; } ]; | |
187 | hostName = "redirectSSL"; | |
188 | serverAliases = [ "*" ]; | |
189 | enableSSL = false; | |
190 | documentRoot = "/var/lib/acme/acme-challenge"; | |
191 | extraConfig = '' | |
192 | RewriteEngine on | |
193 | RewriteCond "%{REQUEST_URI}" "!^/\.well-known" | |
194 | RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] | |
195 | # To redirect in specific "VirtualHost *:80", do | |
196 | # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 | |
197 | # rather than rewrite | |
198 | ''; | |
199 | } | |
200 | ]; | |
201 | }; | |
202 | ||
203 | security.pam.services = let | |
204 | pam_ldap = pkgs.pam_ldap; | |
205 | pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD"; | |
206 | pkgs.writeText "mysql.conf" '' | |
207 | host ldap.immae.eu | |
208 | base dc=immae,dc=eu | |
209 | binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | |
210 | bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} | |
211 | pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | |
212 | ''; | |
213 | in [ | |
214 | { | |
215 | name = "mysql"; | |
216 | text = '' | |
217 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | |
218 | auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} | |
219 | account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} | |
220 | ''; | |
221 | } | |
222 | ]; | |
223 | ||
224 | # FIXME: initial sync | |
225 | # FIXME: backup | |
226 | # FIXME: restart after pam | |
227 | # FIXME: pam access doesn’t work (because of php module) | |
228 | # FIXME: ssl | |
229 | services.mysql = rec { | |
230 | enable = true; | |
231 | package = pkgs.mariadb.overrideAttrs(old: rec { | |
232 | cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; | |
233 | buildInputs = old.buildInputs ++ [ pkgs.pam ]; | |
234 | }); | |
235 | }; | |
236 | ||
237 | # FIXME: initial sync | |
238 | # FIXME: backup | |
239 | # FIXME: ssl | |
240 | services.postgresql = rec { | |
241 | enable = true; | |
242 | package = pkgs.postgresql100.overrideAttrs(old: rec { | |
243 | passthru = old.passthru // { psqlSchema = "11.0"; }; | |
244 | name = "postgresql-11.1"; | |
245 | src = pkgs.fetchurl { | |
246 | url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; | |
247 | sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; | |
248 | }; | |
249 | }); | |
250 | enableTCPIP = true; | |
251 | extraConfig = '' | |
252 | max_connections = 100 | |
253 | wal_level = logical | |
254 | shared_buffers = 128MB | |
255 | max_wal_size = 1GB | |
256 | min_wal_size = 80MB | |
257 | log_timezone = 'Europe/Paris' | |
258 | datestyle = 'iso, mdy' | |
259 | timezone = 'Europe/Paris' | |
260 | lc_messages = 'en_US.UTF-8' | |
261 | lc_monetary = 'en_US.UTF-8' | |
262 | lc_numeric = 'en_US.UTF-8' | |
263 | lc_time = 'en_US.UTF-8' | |
264 | default_text_search_config = 'pg_catalog.english' | |
265 | # ssl = on | |
266 | # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem' | |
267 | # ssl_key_file = '/var/lib/acme/eldiron/key.pem' | |
268 | ''; | |
269 | authentication = '' | |
270 | local all postgres ident | |
271 | local all all md5 | |
272 | host all all 178.33.252.96/32 md5 | |
273 | host all all 188.165.209.148/32 md5 | |
274 | #host all all all pam | |
275 | ''; | |
276 | }; | |
277 | }; | |
278 | } |