};
eldiron = { config, pkgs, ... }:
- let mypkgs = import ./packages.nix;
- mylibs = import ../libs.nix;
+ with import ../libs.nix;
+ let
+ mypkgs = pkgs.callPackage ./packages.nix {
+ inherit checkEnv fetchedGitPrivate fetchedGithub;
+ };
in
{
+ # FIXME: they are not overriden in packages.nix
+ # (see nix-store -q --tree /nix/var/nix/profiles/system)
+ nixpkgs.config.packageOverrides = oldpkgs: rec {
+ gitolite = nixpkgs_unstable.gitolite;
+ gitweb = oldpkgs.gitweb.overrideAttrs(old: {
+ installPhase = old.installPhase + ''
+ cp -r ${./packages/gitweb} $out/gitweb-theme;
+ '';
+ });
+ postgresql = postgresql111;
+ postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+ passthru = old.passthru // { psqlSchema = "11.0"; };
+ name = "postgresql-11.1";
+ src = pkgs.fetchurl {
+ url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+ sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+ };
+ });
+ mariadb = mariadbPAM;
+ mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+ cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+ buildInputs = old.buildInputs ++ [ pkgs.pam ];
+ });
+ };
+
networking = {
firewall = {
enable = true;
- allowedTCPPorts = [ 22 80 443 3306 5432 ];
+ allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
};
};
'';
extraDomains = {
"db-1.immae.eu" = null;
+ "git.immae.eu" = null;
"tools.immae.eu" = null;
"connexionswing.immae.eu" = null;
"sandetludo.immae.eu" = null;
AuthorizedKeysCommandUser nobody
'';
+ users.users.wwwrun.extraGroups = [ "gitolite" ];
+
+ users.users.gitolite.packages = let
+ python-packages = python-packages: with python-packages; [
+ simplejson
+ urllib3
+ ];
+ in
+ [
+ (pkgs.python3.withPackages python-packages)
+ ];
# FIXME: after initial install, need to
# (1) copy rc file (adjust gitolite_ldap_groups.sh)
# (2) (mark old readonly and) sync repos except gitolite-admin
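Review bot: `users.users.wwwrun.extraGroups = [ "gitolite" ];` gives the httpd worker user group rights over everything group-readable in gitolite's home, not only the repository listing gitweb needs, so a compromised PHP or CGI process running as wwwrun reads whatever gitolite's umask leaves group-readable. The hunk does not record why the membership is needed or what bounds it; a comment such as `# gitweb (wwwrun) reads repositories and projects.list through the group; what becomes group-readable is decided by UMASK in .gitolite.rc, keep it at 0027 or stricter` would make the intended scope reviewable. The UMASK value itself is not in this diff, so it is worth confirming against the rc file that the FIXME lines in the trailing context refer to.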
connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
nextcloud = mypkgs.nextcloud.phpFpm.pool;
+ mantisbt = mypkgs.mantisbt.phpFpm.pool;
};
};
chown redis /run/redis
'';
gitolite =
- assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+ assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
let
- gitolite_ldap_groups = mylibs.wrap {
+ gitolite_ldap_groups = wrap {
name = "gitolite_ldap_groups.sh";
file = ./packages/gitolite_ldap_groups.sh;
vars = {
text = ''
if [ -d /var/lib/gitolite ]; then
ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+ chmod g+rx /var/lib/gitolite
+ fi
+ if [ -f /var/lib/gitolite/projects.list ]; then
+ chmod g+r /var/lib/gitolite/projects.list
fi
'';
};
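Review bot: `chmod g+r /var/lib/gitolite/projects.list` in the activation script is applied once at switch time, but gitolite regenerates projects.list whenever its config is compiled (each push to gitolite-admin), so the mode reverts to whatever gitolite's umask yields and gitweb silently loses the listing until the next rebuild. Setting `UMASK => 0027` in .gitolite.rc (the rc file the FIXME comments elsewhere in the diff mention copying) is the durable fix; the activation-time chmod can stay as a first-boot fallback with a comment saying so. Note also that `chmod g+rx /var/lib/gitolite` makes the whole home traversable for every member of the gitolite group, which the `users.users.wwwrun.extraGroups` change earlier in the diff extends to the web server, so a one-line comment stating that this is deliberate and what relies on it would help the next reader. The `gitolite =` activation script begins inside the hunk and its attribute set closes at the hunk's last line.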
environment.etc."ssh/ldap_authorized_keys" = let
ldap_authorized_keys =
- assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
- mylibs.wrap {
+ assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+ wrap {
name = "ldap_authorized_keys";
file = ./ldap_authorized_keys.sh;
vars = {
source = ldap_authorized_keys;
};
+ services.gitDaemon = {
+ enable = true;
+ user = "gitolite";
+ group = "gitolite";
+ basePath = "${mypkgs.git.web.varDir}/repositories";
+ };
+
services.httpd = let
withSSL = domain: {
enableSSL = true;
};
ldap = {
modules = [ "ldap" "authnz_ldap" ];
- extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
+ extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
<IfModule ldap_module>
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
mypkgs.connexionswing_dev.apache.modules ++
mypkgs.connexionswing_prod.apache.modules ++
mypkgs.ympd.apache.modules ++
+ mypkgs.git.web.apache.modules ++
+ mypkgs.mantisbt.apache.modules ++
pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
[ "macro" ]);
extraConfig = builtins.concatStringsSep "\n"
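Review bot: `services.gitDaemon` is configured with `user = "gitolite"` and `group = "gitolite"`, so the unauthenticated daemon that the firewall change earlier in the diff exposes on 9418 runs with gitolite's full write rights over the repositories and over gitolite's own hooks and config; git-daemon serves reads only unless receive-pack is enabled, but a flaw in the process is not contained to read access. If gitolite's UMASK already makes the repositories group-readable (the same requirement gitweb has), a dedicated daemon user that is merely a member of the gitolite group bounds the damage to what the group can read. Which repositories are published is also undocumented here: with `exportAll` left at its default only repositories carrying a `git-daemon-export-ok` marker are served, and gitolite can manage those markers from its conf, so a comment like `# unauthenticated read-only access; the exported set is controlled by gitolite's conf (git-daemon-export-ok markers), not here` belongs next to `enable = true;`. The `services.httpd` definition that follows continues beyond the hunk.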
mypkgs.nextcloud.apache.vhostConf
];
})
+ (withSSL "eldiron" // {
+ listen = [ { ip = "*"; port = 443; } ];
+ hostName = "git.immae.eu";
+ documentRoot = mypkgs.git.web.webRoot;
+ extraConfig = builtins.concatStringsSep "\n" [
+ mypkgs.git.web.apache.vhostConf
+ mypkgs.mantisbt.apache.vhostConf
+ ] + ''
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/releases
+ RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
+ '';
+ })
{ # Should go last, default fallback
listen = [ { ip = "*"; port = 80; } ];
hostName = "redirectSSL";
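Review bot: In `RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]` the captured `$1` is appended directly after the upstream host with no `/` separator and the pattern is unanchored, so the authority part of the proxied URL is partly assembled from the request path instead of being fixed; forcing the capture to start with a slash, `RewriteRule ^/releases(/.*)?$ https://release.immae.eu$1 [P,L]`, keeps the mapping identical for every `/releases/...` request while rejecting paths that merely begin with the word. The `RewriteCond` on `%{REQUEST_URI}` can stay, although the anchored rule already restricts the match on its own. Since this vhost forwards to an external name via `[P]`, a comment stating that `release.immae.eu` is the only permitted upstream and that `ProxyRequests` remains off would help whoever touches the vhost next. The vhost list this entry belongs to continues on both sides of the hunk.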
security.pam.services = let
pam_ldap = pkgs.pam_ldap;
- pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
+ pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
pkgs.writeText "mysql.conf" ''
host ldap.immae.eu
base dc=immae,dc=eu
# FIXME: ssl
services.mysql = rec {
enable = true;
- package = pkgs.mariadb.overrideAttrs(old: rec {
- cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
- buildInputs = old.buildInputs ++ [ pkgs.pam ];
- });
+ package = pkgs.mariadb;
};
# FIXME: initial sync
# FIXME: ssl
services.postgresql = rec {
enable = true;
- package = pkgs.postgresql100.overrideAttrs(old: rec {
- passthru = old.passthru // { psqlSchema = "11.0"; };
- name = "postgresql-11.1";
- src = pkgs.fetchurl {
- url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
- sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
- };
- });
+ package = pkgs.postgresql;
enableTCPIP = true;
extraConfig = ''
max_connections = 100
authentication = ''
local all postgres ident
local all all md5
+ host all all samehost md5
host all all 178.33.252.96/32 md5
host all all 188.165.209.148/32 md5
#host all all all pam