{ lib, pkgs, config, ... }:
let
adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; };
secrets = config.myEnv.websites.tellesflorian.integration;
cfg = config.myServices.websites.florian.app;
ftpRoot = "/var/lib/florian_app";
phpRoot = "${ftpRoot}/php";
webRoot = "${phpRoot}/web";
varDir = "${ftpRoot}/var";
packagePath = "/var/lib/ftp/release.immae.eu/buildbot/Florian";
branch = "stabilo_dev";
in {
options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
config = lib.mkIf cfg.enable {
services.phpfpm.pools.florian_app = {
user = config.services.httpd.Inte.user;
group = config.services.httpd.Inte.group;
settings = {
"listen.owner" = config.services.httpd.Inte.user;
"listen.group" = config.services.httpd.Inte.group;
"php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
ftpRoot
config.secrets.fullPaths."websites/florian/app"
"/tmp"
];
"php_admin_value[session.save_handler]" = "redis";
"php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Florian:App:'";
"php_admin_value[upload_max_filesize]" = "20M";
"php_admin_value[post_max_size]" = "20M";
#"php_admin_flag[log_errors]" = "on";
"pm" = "ondemand";
"pm.max_children" = "5";
"pm.process_idle_timeout" = "60";
};
phpEnv = {
SYMFONY_DEBUG_MODE = "\"yes\"";
};
phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
};
systemd.services."phpfpm-florian_app" = {
after = lib.mkAfter ["mysql.service"];
wants = ["mysql.service"];
path = lib.mkAfter [ pkgs.gnutar pkgs.gzip pkgs.php72 ];
preStart = let
script = pkgs.writeScriptBin "florian-app-pre" ''
#! ${pkgs.stdenv.shell}
[ -f ${packagePath}/${branch}.tar.gz ] || exit 1
cd ${ftpRoot}
if ! [ -f .tarball_sum ] || ! sha256sum -c .tarball_sum; then
tar -xf ${packagePath}/${branch}.tar.gz --one-top-level=php_new
if [ -d php ]; then
mv php php_old
fi
mv php_new php
fi
cd php
rm -rf var/{logs,cache}
ln -sf ${varDir}/{logs,cache,sessions} var/
ln -sf ${config.secrets.fullPaths."websites/florian/app"} app/config/parameters.yml
SYMFONY_ENV=dev ./bin/console --env=dev cache:clear --no-warmup
sha256sum ${packagePath}/${branch}.tar.gz > ${ftpRoot}/.tarball_sum
'';
in
"/run/wrappers/bin/sudo -u ${config.services.httpd.Inte.user} ${script}/bin/florian-app-pre";
postStart = let
script = pkgs.writeScriptBin "florian-app-post" ''
#! ${pkgs.stdenv.shell}
cd ${ftpRoot}
if [ -d php_old ]; then
rm -rf php_old
fi
'';
in
"/run/wrappers/bin/sudo -u ${config.services.httpd.Inte.user} ${script}/bin/florian-app-post";
serviceConfig.TimeoutStartSec="infinity";
};
services.filesWatcher.phpfpm-florian_app = {
restart = true;
paths = [ "${packagePath}/${branch}.tar.gz" ];
};
system.activationScripts.florian_app = {
deps = ["users"];
text = ''
install -m 0700 -o ${config.services.httpd.Inte.user} -g ${config.services.httpd.Inte.group} -d ${ftpRoot}
'';
};
secrets.keys = {
"websites/florian/app_passwords" = {
user = config.services.httpd.Inte.user;
group = config.services.httpd.Inte.group;
permissions = "0400";
text = ''
invite:${secrets.invite_passwords}
'';
};
"websites/florian/app" = {
user = config.services.httpd.Inte.user;
group = config.services.httpd.Inte.group;
permissions = "0400";
text = ''
# This file is auto-generated during the composer install
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
mailer_password: null
secret: ${secrets.secret}
'';
};
};
services.websites.env.integration.modules = adminer.apache.modules;
services.websites.env.integration.vhostConfs.florian_app = {
certName = "integration";
addToCerts = true;
hosts = [ "app.tellesflorian.com" ];
root = webRoot;
extraConfig = [
''
SetHandler "proxy:unix:${config.services.phpfpm.pools.florian_app.socket}|fcgi://localhost"
AuthBasicProvider file ldap
Use LDAPConnect
Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
AuthUserFile "${config.secrets.fullPaths."websites/florian/app_passwords"}"
Require user "invite"
ErrorDocument 401 ""
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride None
Require all granted
DirectoryIndex app_dev.php
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
# Maintenance script
RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.php
RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
ErrorDocument 503 /maintenance.php
# Sets the HTTP_AUTHORIZATION header removed by Apache
RewriteCond %{HTTP:Authorization} .
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
# Rewrite all other queries to the front controller.
RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
''
(adminer.apache.vhostConf null)
];
};
};
}