]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - modules/private/websites/florian/builder_app.nix
projects / perso / Immae / Config / Nix.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Move personal websites to modules
[perso/Immae/Config/Nix.git] / modules / private / websites / florian / builder_app.nix
diff --git a/modules/private/websites/florian/builder_app.nix b/modules/private/websites/florian/builder_app.nix
new file mode 100644 (file)
index 0000000..e521f6e
--- /dev/null
+++ b/modules/private/websites/florian/builder_app.nix
@@ -0,0 +1,152 @@
+{ apacheUser, apacheGroup, tellesflorian, config }:
+rec {
+  app = tellesflorian.override { inherit (config) environment; };
+  keys = [
+    {
+      dest = "webapps/${app.environment}-tellesflorian-passwords";
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        invite:${config.invite_passwords}
+      '';
+    }
+    {
+      dest = "webapps/${app.environment}-tellesflorian";
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+      '';
+    }
+  ];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-tellesflorian > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/floriantelles-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-tellesflorian:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "florian_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      AuthBasicProvider file ldap
+      Use LDAPConnect
+      Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
+
+      AuthUserFile "/var/secrets/webapps/${app.environment}-tellesflorian-passwords"
+      Require user "invite"
+
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/var
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
My infrastructure configuration