]> git.immae.eu Git - perso/Immae/Config/Nix.git/blobdiff - virtual/eldiron.nix
Add cacert as dependency when building private git
[perso/Immae/Config/Nix.git] / virtual / eldiron.nix
index cfbb4645ee2ab6160e04881984f6f09d306b9290..ed414298a2d44334c2af1368a0631d8b4303f5cd 100644 (file)
@@ -4,7 +4,10 @@
     enableRollback = true;
   };
 
-  eldiron = { config, pkgs, ... }: {
+  eldiron = { config, pkgs, ... }:
+    let mypkgs = import ./packages.nix;
+    in
+  {
     networking = {
       firewall = {
         enable = true;
         webroot = "/var/lib/acme/acme-challenge";
         email = "ismael@bouya.org";
         domain = "eldiron.immae.eu";
+        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+        postRun = ''
+          "systemctl reload httpd.service"
+        '';
         extraDomains = {
           "db-1.immae.eu" = null;
+          "tools.immae.eu" = null;
         };
       };
     };
 
-    services.nginx = rec {
-      enable = true;
-      virtualHosts = {
-        "_" = {
-          serverName = "_";
-          useACMEHost = "eldiron";
-        };
-        "eldiron.immae.eu" = {
-          forceSSL = true;
-          useACMEHost = "eldiron";
-          locations."/" = {
-            # FIXME: directory needs to exist
-            root = "/var/www";
-          };
-        };
+    services.ympd = mypkgs.ympd.config // { enable = true; };
+
+    # FIXME: open_basedir
+    services.phpfpm = {
+      extraConfig = ''
+        log_level = notice
+        '';
+      poolConfigs = {
+        adminer = mypkgs.adminer.phpFpm.pool;
+        www = ''
+          listen = /var/run/phpfpm/www.sock
+          user = wwwrun
+          group = wwwrun
+          listen.owner = wwwrun
+          listen.group = wwwrun
+          pm = ondemand
+          pm.max_children = 5
+          pm.process_idle_timeout = 60
+          ;php_admin_flag[log_errors] = on
+          php_admin_value[open_basedir] = "/var/www"
+          '';
       };
     };
 
+    services.httpd = let
+      withSSL = domain: {
+        enableSSL = true;
+        sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only?
+        sslServerKey = "/var/lib/acme/${domain}/key.pem";
+        sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
+      };
+    in rec {
+      enable = true;
+      logPerVirtualHost = true;
+      multiProcessingModule = "worker";
+      adminAddr = "httpd@immae.eu";
+      # FIXME: http2
+      extraModules = pkgs.lib.lists.unique (
+        mypkgs.adminer.apache.modules ++
+        [
+          "macro"
+          "ldap"
+          "authnz_ldap"
+        ]);
+      extraConfig = ''
+        <IfModule ldap_module>
+          LDAPSharedCacheSize 500000
+          LDAPCacheEntries 1024
+          LDAPCacheTTL 600
+          LDAPOpCacheEntries 1024
+          LDAPOpCacheTTL 600
+        </IfModule>
+
+        <Macro LDAPConnect>
+          <IfModule authnz_ldap_module>
+            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu
+            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
+            AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
+            AuthType             Basic
+            AuthName             "Authentification requise (Acces LDAP)"
+            AuthBasicProvider    ldap
+          </IfModule>
+        </Macro>
+        '';
+      virtualHosts = [
+        (withSSL "eldiron" // {
+          listen = [ { ip = "*"; port = 443; } ];
+          hostName = "eldiron.immae.eu";
+          # FIXME: directory needs to exist
+          documentRoot = "/var/www";
+        })
+        (withSSL "eldiron" // {
+          listen = [ { ip = "*"; port = 443; } ];
+          hostName = "db-1.immae.eu";
+          documentRoot = null;
+          extraConfig = builtins.concatStringsSep "\n" [
+            mypkgs.adminer.apache.vhostConf
+          ];
+        })
+        (withSSL "eldiron" // {
+          listen = [ { ip = "*"; port = 443; } ];
+          hostName = "tools.immae.eu";
+          documentRoot = null;
+          extraConfig = builtins.concatStringsSep "\n" [
+            mypkgs.adminer.apache.vhostConf
+            mypkgs.ympd.apache.vhostConf
+          ];
+        })
+        { # Should go last, default fallback
+          listen = [ { ip = "*"; port = 80; } ];
+          hostName = "redirectSSL";
+          serverAliases = [ "*" ];
+          enableSSL = false;
+          # FIXME: directory needs to exist
+          documentRoot = "/var/lib/acme/acme-challenge";
+          extraConfig = ''
+            RewriteEngine on
+            RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
+            RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
+            # To redirect in specific "VirtualHost *:80", do
+            #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+            # rather than rewrite
+            '';
+        }
+        ];
+    };
+
     # FIXME: environment variables ?
     security.pam.services = let
       pam_ldap = pkgs.pam_ldap;
     # FIXME: backup
     # FIXME: restart after pam
     # FIXME: pam access doesn’t work (because of php module)
+    # FIXME: ssl
     services.mysql = rec {
       enable = true;
       package = pkgs.mariadb.overrideAttrs(old: rec {
 
     # FIXME: initial sync
     # FIXME: backup
+    # FIXME: ssl
     services.postgresql = rec {
       enable = true;
       package = pkgs.postgresql100.overrideAttrs(old: rec {