{ network = { description = "Immae's network"; enableRollback = true; }; eldiron = { config, pkgs, mylibs, myconfig, ... }: with mylibs; let mypkgs = pkgs.callPackage ./packages.nix { inherit checkEnv fetchedGit fetchedGithub; }; in { _module.args = { mylibs = import ../libs.nix; myconfig = { ips = { main = "176.9.151.89"; production = "176.9.151.154"; integration = "176.9.151.155"; }; }; }; imports = [ ./modules/certificates.nix ./modules/gitolite.nix ./modules/gitweb.nix ./modules/databases.nix ./modules/websites.nix ]; services.myGitolite.enable = true; services.myGitweb.enable = true; services.myDatabases.enable = true; services.myWebsites.production.enable = true; services.myWebsites.integration.enable = true; networking = { firewall = { enable = true; allowedTCPPorts = [ 22 80 443 9418 ]; }; interfaces."eth0".ipv4.addresses = [ # 176.9.151.89 declared in nixops -> infra / tools { address = myconfig.ips.production; prefixLength = 32; } { address = myconfig.ips.integration; prefixLength = 32; } ]; }; deployment = { targetEnv = "hetzner"; hetzner = { #robotUser = "defined in HETZNER_ROBOT_USER"; #robotPass = "defined in HETZNER_ROBOT_PASS"; mainIPv4 = myconfig.ips.main; partitions = '' clearpart --all --initlabel --drives=sda,sdb part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb part raid.1 --grow --ondisk=sda part raid.2 --grow --ondisk=sdb raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2 ''; }; }; environment.systemPackages = let # FIXME: move it to nextcloud occ = pkgs.writeScriptBin "nextcloud-occ" '' #! ${pkgs.stdenv.shell} cd ${mypkgs.nextcloud.webRoot} NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \ exec \ ${config.services.phpfpm.phpPackage}/bin/php \ -c ${config.services.phpfpm.phpPackage}/etc/php.ini \ occ $* ''; in [ pkgs.telnet pkgs.htop pkgs.vim occ ]; security.acme.certs."eldiron".extraDomains = { "db-1.immae.eu" = null; "tools.immae.eu" = null; "cloud.immae.eu" = null; "dav.immae.eu" = null; }; services.openssh.extraConfig = '' AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys AuthorizedKeysCommandUser nobody ''; services.ympd = mypkgs.ympd.config // { enable = false; }; services.phpfpm = { # FIXME: move session files to separate dirs # /!\ phppackage is used in nextcloud configuation phpOptions = '' session.save_path = "/var/lib/php/sessions" session.gc_maxlifetime = 60*60*24*15 session.cache_expire = 60*24*30 ; For nextcloud extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so ; For nextcloud extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so ; For nextcloud zend_extension=${pkgs.php}/lib/php/extensions/opcache.so ''; extraConfig = '' log_level = notice ''; poolConfigs = { adminer = mypkgs.adminer.phpFpm.pool; nextcloud = mypkgs.nextcloud.phpFpm.pool; mantisbt = mypkgs.mantisbt.phpFpm.pool; ttrss = mypkgs.ttrss.phpFpm.pool; roundcubemail = mypkgs.roundcubemail.phpFpm.pool; davical = mypkgs.davical.phpFpm.pool; }; }; system.activationScripts = { nextcloud = mypkgs.nextcloud.activationScript; ttrss = mypkgs.ttrss.activationScript; roundcubemail = mypkgs.roundcubemail.activationScript; httpd = '' install -d -m 0755 /var/lib/acme/acme-challenge install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical ''; }; environment.etc."ssh/ldap_authorized_keys" = let ldap_authorized_keys = assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD"; wrap { name = "ldap_authorized_keys"; file = ./ldap_authorized_keys.sh; vars = { LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD"; GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; ECHO = "${pkgs.coreutils}/bin/echo"; }; paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; }; in { enable = true; mode = "0755"; user = "root"; source = ldap_authorized_keys; }; services.gitDaemon = { enable = true; user = "gitolite"; group = "gitolite"; basePath = "${mypkgs.git.web.varDir}/repositories"; }; # FIXME: logrotate services.httpd = let withConf = domain: { enableSSL = true; sslServerCert = "/var/lib/acme/${domain}/cert.pem"; sslServerKey = "/var/lib/acme/${domain}/key.pem"; sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; logFormat = "combinedVhost"; listen = [ { ip = "176.9.151.89"; port = 443; } ]; }; apacheConfig = config.services.myWebsites.apacheConfig; in rec { enable = true; logPerVirtualHost = true; multiProcessingModule = "worker"; adminAddr = "httpd@immae.eu"; logFormat = "combinedVhost"; extraModules = pkgs.lib.lists.unique ( mypkgs.adminer.apache.modules ++ mypkgs.nextcloud.apache.modules ++ mypkgs.ympd.apache.modules ++ mypkgs.git.web.apache.modules ++ mypkgs.mantisbt.apache.modules ++ mypkgs.ttrss.apache.modules ++ mypkgs.roundcubemail.apache.modules ++ pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig)); extraConfig = builtins.concatStringsSep "\n" (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig)); virtualHosts = [ (withConf "eldiron" // { hostName = "eldiron.immae.eu"; documentRoot = ./www; extraConfig = '' DirectoryIndex index.htm ''; }) (withConf "eldiron" // { hostName = "db-1.immae.eu"; documentRoot = null; extraConfig = builtins.concatStringsSep "\n" [ mypkgs.adminer.apache.vhostConf ]; }) (withConf "eldiron" // { hostName = "tools.immae.eu"; documentRoot = null; extraConfig = builtins.concatStringsSep "\n" [ mypkgs.adminer.apache.vhostConf mypkgs.ympd.apache.vhostConf mypkgs.ttrss.apache.vhostConf mypkgs.roundcubemail.apache.vhostConf ]; }) (withConf "eldiron" // { hostName = "dav.immae.eu"; documentRoot = null; extraConfig = builtins.concatStringsSep "\n" [ mypkgs.infcloud.apache.vhostConf mypkgs.davical.apache.vhostConf ]; }) (withConf "eldiron" // { hostName = "cloud.immae.eu"; documentRoot = mypkgs.nextcloud.webRoot; extraConfig = builtins.concatStringsSep "\n" [ mypkgs.nextcloud.apache.vhostConf ]; }) (withConf "eldiron" // { hostName = "git.immae.eu"; documentRoot = mypkgs.git.web.webRoot; extraConfig = builtins.concatStringsSep "\n" [ mypkgs.git.web.apache.vhostConf mypkgs.mantisbt.apache.vhostConf ] + '' RewriteEngine on RewriteCond %{REQUEST_URI} ^/releases RewriteRule /releases(.*) https://release.immae.eu$1 [P,L] ''; }) { # Should go last, default fallback listen = [ { ip = "*"; port = 80; } ]; hostName = "redirectSSL"; serverAliases = [ "*" ]; enableSSL = false; logFormat = "combinedVhost"; documentRoot = "/var/lib/acme/acme-challenge"; extraConfig = '' RewriteEngine on RewriteCond "%{REQUEST_URI}" "!^/\.well-known" RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] # To redirect in specific "VirtualHost *:80", do # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 # rather than rewrite ''; } ]; }; systemd.services.tt-rss = { description = "Tiny Tiny RSS feeds update daemon"; serviceConfig = { User = "wwwrun"; ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon"; StandardOutput = "syslog"; StandardError = "syslog"; PermissionsStartOnly = true; }; wantedBy = [ "multi-user.target" ]; requires = ["postgresql.service"]; after = ["network.target" "postgresql.service"]; }; }; }