networking = {
firewall = {
enable = true;
- allowedTCPPorts = [ 22 80 443 3306 5432 ];
+ allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
};
};
# };
};
+ services.openssh.extraConfig = ''
+ AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
+ AuthorizedKeysCommandUser nobody
+ '';
+
+ users.users.wwwrun.extraGroups = [ "gitolite" ];
+
+ users.users.gitolite.packages = let
+ python-packages = python-packages: with python-packages; [
+ simplejson
+ urllib3
+ ];
+ in
+ [
+ (pkgs.python3.withPackages python-packages)
+ ];
+ # FIXME: after initial install, need to
+ # (1) copy rc file (adjust gitolite_ldap_groups.sh)
+ # (2) (mark old readonly and) sync repos except gitolite-admin
+ # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
+ # chown -R gitolite:gitolite /var/lib/gitolite
+ # (3) push force the gitolite-admin to new location (from external point)
+ # Don't use an existing key, it will take precedence over
+ # gitolite-admin
+ # (4) su -u gitolite gitolite setup
+ services.gitolite = {
+ enable = true;
+ # FIXME: key from ./ssh
+ adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+ };
+
services.ympd = mypkgs.ympd.config // { enable = true; };
services.phpfpm = {
connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
nextcloud = mypkgs.nextcloud.phpFpm.pool;
+ mantisbt = mypkgs.mantisbt.phpFpm.pool;
};
};
mkdir -p /run/redis
chown redis /run/redis
'';
+ gitolite =
+ assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+ let
+ gitolite_ldap_groups = mylibs.wrap {
+ name = "gitolite_ldap_groups.sh";
+ file = ./packages/gitolite_ldap_groups.sh;
+ vars = {
+ LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+ };
+ paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+ };
+ in {
+ deps = [ "users" ];
+ text = ''
+ if [ -d /var/lib/gitolite ]; then
+ ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+ chmod g+rx /var/lib/gitolite
+ fi
+ if [ -f /var/lib/gitolite/projects.list ]; then
+ chmod g+r /var/lib/gitolite/projects.list
+ fi
+ '';
+ };
+ };
+
+ environment.etc."ssh/ldap_authorized_keys" = let
+ ldap_authorized_keys =
+ assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+ mylibs.wrap {
+ name = "ldap_authorized_keys";
+ file = ./ldap_authorized_keys.sh;
+ vars = {
+ LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+ GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
+ ECHO = "${pkgs.coreutils}/bin/echo";
+ };
+ paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+ };
+ in {
+ enable = true;
+ mode = "0755";
+ user = "root";
+ source = ldap_authorized_keys;
+ };
+
+ services.gitDaemon = {
+ enable = true;
+ user = "gitolite";
+ group = "gitolite";
+ basePath = "${mypkgs.git.web.varDir}/repositories";
};
services.httpd = let
mypkgs.connexionswing_dev.apache.modules ++
mypkgs.connexionswing_prod.apache.modules ++
mypkgs.ympd.apache.modules ++
+ mypkgs.git.web.apache.modules ++
+ mypkgs.mantisbt.apache.modules ++
pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
[ "macro" ]);
extraConfig = builtins.concatStringsSep "\n"
mypkgs.nextcloud.apache.vhostConf
];
})
+ (withSSL "eldiron" // {
+ listen = [ { ip = "*"; port = 443; } ];
+ hostName = "git.immae.eu";
+ documentRoot = mypkgs.git.web.webRoot;
+ extraConfig = builtins.concatStringsSep "\n" [
+ mypkgs.git.web.apache.vhostConf
+ mypkgs.mantisbt.apache.vhostConf
+ ] + ''
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/releases
+ RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
+ '';
+ })
{ # Should go last, default fallback
listen = [ { ip = "*"; port = 80; } ];
hostName = "redirectSSL";
authentication = ''
local all postgres ident
local all all md5
+ host all all samehost md5
host all all 178.33.252.96/32 md5
host all all 188.165.209.148/32 md5
#host all all all pam
projects / perso / Immae / Config / Nix.git / blobdiff