git.immae.eu Git - perso/Immae/Config/Nix.git/blob - modules/private/websites/christophe_carpentier/agorakit.nix
Finish removal of php-application module
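# NixOS module for the Agorakit instance served at agorakit.artisansdunous.fr.
# It wires together: a secrets-backed .env file, a dedicated PHP-FPM pool,
# one-time seeding of the writable state directory, the Laravel scheduler
# cron entry, and the Apache virtual host.
{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.websites.christophe_carpentier.agorakit;
  env = config.myEnv.websites.christophe_carpentier.agorakit;
  varDir = "/var/lib/christophe_carpentier_agorakit";
  secretsPath = config.secrets.fullPaths."websites/christophe_carpentier/env";
  app = pkgs.callPackage ./agorakit { inherit varDir secretsPath; };
  # Single account used for the secrets file, the FPM pool, the state
  # directory and the cron job. These bindings are used everywhere below so
  # ownership cannot drift between the pieces.
  apacheUser = config.services.httpd.Prod.user;
  apacheGroup = config.services.httpd.Prod.group;
in {
  options.myServices.websites.christophe_carpentier.agorakit.enable = lib.mkEnableOption "enable Christophe Carpentier's Agorakit";

  config = lib.mkIf cfg.enable {
    # Application .env file. It is declared under the same key name that
    # secretsPath looks up, so the package presumably reads it from there
    # (confirm in ./agorakit). Mode 0400 and web-server ownership keep the
    # database and SMTP credentials unreadable by other local accounts.
    #
    # NOTE(review): every value is interpolated verbatim and unquoted. A secret
    # containing whitespace, a quote character or '#' may be truncated or
    # misread by the dotenv parser; confirm the stored values are safe in that
    # form, or quote them at the source.
    secrets.keys."websites/christophe_carpentier/env" = {
      user = apacheUser;
      group = apacheGroup;
      permissions = "0400";
      text = ''
        APP_ENV=production
        APP_DEBUG=false
        APP_KEY=${env.appkey}
        APP_NAME='Agorakit'
        APP_URL=https://agorakit.artisansdunous.fr
        APP_LOG=daily
        APP_DEFAULT_LOCALE=fr

        DB_HOST=${env.mysql.host}
        DB_DATABASE=${env.mysql.database}
        DB_USERNAME=${env.mysql.user}
        DB_PASSWORD=${env.mysql.password}

        CACHE_DRIVER=file
        SESSION_DRIVER=file
        QUEUE_DRIVER=sync

        MAIL_DRIVER=smtp
        MAIL_HOST=${env.smtp.host}
        MAIL_PORT=${env.smtp.port}
        MAIL_USERNAME=${env.smtp.email}
        MAIL_PASSWORD=${env.smtp.password}
        MAIL_ENCRYPTION=tls

        MAIL_FROM=${env.smtp.email}
        MAIL_FROM_NAME=Agorakit
        MAIL_NOREPLY=${env.smtp.email}

        # OVH doesn't allow it
        INBOX_DRIVER=null
        #INBOX_HOST=${env.smtp.host}
        INBOX_USERNAME=${env.smtp.email}
        INBOX_PASSWORD=${env.smtp.password}
        INBOX_PREFIX=${builtins.elemAt (builtins.split "@" env.smtp.email) 0}+
        INBOX_SUFFIX=@${builtins.elemAt (builtins.split "@" env.smtp.email) 2}

        TWITTER_ID=null
        TWITTER_SECRET=null
        TWITTER_URL=null

        FACEBOOK_ID=null
        FACEBOOK_SECRET=null
        FACEBOOK_URL=null

        GOOGLE_ID=null
        GOOGLE_SECRET=null
        GOOGLE_URL=null

        GITHUB_ID=null
        GITHUB_SECRET=null
        GITHUB_URL=null

        MAX_FILE_SIZE=100000
      '';
    };

    # Dedicated PHP-FPM pool for this site.
    services.phpfpm.pools.christophe_carpentier_agorakit = {
      user = apacheUser;
      group = apacheGroup;
      settings = {
        "listen.owner" = apacheUser;
        "listen.group" = apacheGroup;
        # php_admin_value entries cannot be overridden from application code.
        # open_basedir confines PHP file access to the package, its state
        # directory, the secrets file and /tmp.
        # NOTE(review): whether /tmp is private to this unit is not visible
        # here; if it is the host-wide /tmp it is shared with other services.
        "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [app app.varDir "/tmp" secretsPath];
        # Request body limits; both must allow the largest accepted upload.
        "php_admin_value[upload_max_filesize]" = "100M";
        "php_admin_value[post_max_size]" = "100M";
        "pm" = "dynamic";
        "pm.max_children" = "20";
        "pm.start_servers" = "2";
        "pm.min_spare_servers" = "1";
        "pm.max_spare_servers" = "3";
        # Native PHP sessions go to a Redis unix socket under a per-site key
        # prefix. The .env above selects SESSION_DRIVER=file, so this handler
        # presumably only affects code that uses PHP's own session API
        # (confirm).
        "php_admin_value[session.save_handler]" = "redis";
        "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=ChristopheCarpentier:agorakit:'";
      };
      phpOptions = config.services.phpfpm.phpOptions;
      # NOTE(review): the PHP 7.4 branch no longer receives upstream security
      # fixes; plan a move to a supported branch once the application allows.
      phpPackage = pkgs.php74.withExtensions ({ enabled, all }: enabled ++ [all.redis]);
    };

    # Order the pool after MySQL and seed the state directory on first start.
    systemd.services.phpfpm-christophe_carpentier_agorakit = {
      after = lib.mkAfter ["mysql.service"];
      wants = ["mysql.service"];
      # The .filled sentinel makes the seeding run only once. Files copied out
      # of the package arrive read-only, hence the chmod before the ownership
      # hand-over to the web-server account.
      preStart = ''
        if [ ! -e "${varDir}/.filled" ]; then
          cp -r ${app}/oldvars/* "${varDir}"
          chmod -R u+w "${varDir}"
          chown -R ${apacheUser}:${apacheGroup} "${varDir}"
          touch "${varDir}/.filled"
        fi
      '';
    };

    # Create the state directory at activation time, owner-only (0700), so
    # uploads and application state are not readable by other local accounts.
    system.activationScripts.christophe_carpentier_agorakit = {
      deps = [];
      text = ''
        install -m 0700 -o ${apacheUser} -g ${apacheGroup} -d "${app.varDir}"
      '';
    };

    # Laravel scheduler, run every five minutes as the web-server account.
    # NOTE(review): this uses the plain php74 CLI, not the pool's phpPackage,
    # so the pool's php_admin_value settings (open_basedir included) and the
    # redis extension do not apply to scheduled tasks. Both output streams are
    # discarded, so a failing task leaves no trace in cron mail.
    services.cron = {
      systemCronJobs = [
        ''
          */5 * * * * ${apacheUser} cd ${app} && ${pkgs.php74}/bin/php artisan schedule:run >/dev/null 2>/dev/null
        ''
      ];
    };

    # Apache virtual host: PHP files go to the pool socket, everything else is
    # served from the package's public/ directory.
    services.websites.env.production.vhostConfs.christophe_agorakit = {
      certName = "christophe_carpentier";
      certMainHost = "agorakit.artisansdunous.fr";
      hosts = [ "agorakit.artisansdunous.fr" ];
      root = "${app}/public";
      # Hardening: Indexes (automatic directory listings) and Includes
      # (server-side includes) were removed from Options; nothing in this
      # module relies on them, and the document root should expose only what
      # the application serves on purpose.
      # NOTE(review): AllowOverride All still lets any .htaccess below the
      # document root change options; narrow it if the shipped .htaccess only
      # needs rewrite rules.
      extraConfig = [
        ''
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${config.services.phpfpm.pools.christophe_carpentier_agorakit.socket}|fcgi://localhost"
          </FilesMatch>

          <Directory ${app}/public>
            DirectoryIndex index.php index.htm index.html
            Options FollowSymLinks MultiViews
            AllowOverride All
            Require all granted
          </Directory>
        ''
      ];
    };
  };
}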