Move some more configuration for websites

[perso/Immae/Config/Nix.git] / virtual / eldiron.nix
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix

index 49d426455c18aaca025aceef903a53009ac17ecc..fa5cb5123c95b9b5609fddb3ffc03e77993c3562 100644 (file)
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -4,15 +4,42 @@
      enableRollback = true;
    };
  
-  eldiron = { config, pkgs, ... }:
-    let mypkgs = import ./packages.nix;
-        mylibs = import ../libs.nix;
+  eldiron = { config, pkgs, mylibs, myconfig, ... }:
+    with mylibs;
+    let
+        mypkgs = pkgs.callPackage ./packages.nix {
+          inherit checkEnv fetchedGit fetchedGithub;
+        };
      in
    {
+    _module.args = {
+      mylibs = import ../libs.nix;
+      myconfig = {
+        ips = {
+          main = "176.9.151.89";
+          production = "176.9.151.154";
+          integration = "176.9.151.155";
+        };
+      };
+    };
+
+    imports = [
+      ./modules/certificates.nix
+      ./modules/gitolite.nix
+      ./modules/gitweb.nix
+      ./modules/databases.nix
+      ./modules/websites
+    ];
+    services.myGitolite.enable = true;
+    services.myGitweb.enable = true;
+    services.myDatabases.enable = true;
+    services.myWebsites.production.enable = true;
+    services.myWebsites.integration.enable = true;
+
      networking = {
        firewall = {
          enable = true;
-        allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
+        allowedTCPPorts = [ 22 9418 ];
        };
      };
  
@@ -21,7 +48,7 @@
        hetzner = {
          #robotUser = "defined in HETZNER_ROBOT_USER";
          #robotPass = "defined in HETZNER_ROBOT_PASS";
-        mainIPv4 = "176.9.151.89";
+        mainIPv4 = myconfig.ips.main;
          partitions = ''
            clearpart --all --initlabel --drives=sda,sdb
  
@@ -49,42 +76,16 @@
          '';
      in [
        pkgs.telnet
+      pkgs.htop
        pkgs.vim
        occ
      ];
  
-    security.acme.certs = {
-      "eldiron" = {
-        webroot = "/var/lib/acme/acme-challenge";
-        email = "ismael@bouya.org";
-        domain = "eldiron.immae.eu";
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
-        postRun = ''
-          systemctl reload httpd.service
-        '';
-        extraDomains = {
-          "db-1.immae.eu" = null;
-          "git.immae.eu" = null;
-          "tools.immae.eu" = null;
-          "connexionswing.immae.eu" = null;
-          "sandetludo.immae.eu" = null;
-          "cloud.immae.eu" = null;
-        };
-      };
-      # "connexionswing" = {
-      #   webroot = "/var/lib/acme/acme-challenge";
-      #   email = "ismael@bouya.org";
-      #   domain = "connexionswing.com";
-      #   plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
-      #   postRun = ''
-      #     systemctl reload httpd.service
-      #   '';
-      #   extraDomains = {
-      #     "www.connexionswing.com" = null;
-      #     "sandetludo.com" = null;
-      #     "www.sandetludo.com" = null;
-      #   };
-      # };
+    security.acme.certs."eldiron".extraDomains = {
+      "db-1.immae.eu" = null;
+      "tools.immae.eu" = null;
+      "cloud.immae.eu" = null;
+      "dav.immae.eu" = null;
      };
  
      services.openssh.extraConfig = ''
@@ -92,94 +93,52 @@
        AuthorizedKeysCommandUser nobody
        '';
  
-    users.users.wwwrun.extraGroups = [ "gitolite" ];
-
-    users.users.gitolite.packages = let
-      python-packages = python-packages: with python-packages; [
-        simplejson
-        urllib3
-      ];
-    in
-      [
-        (pkgs.python3.withPackages python-packages)
-      ];
-    # FIXME: after initial install, need to
-    # (1) copy rc file (adjust gitolite_ldap_groups.sh)
-    # (2) (mark old readonly and) sync repos except gitolite-admin
-    #     rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
-    #     chown -R gitolite:gitolite /var/lib/gitolite
-    # (3) push force the gitolite-admin to new location (from external point)
-    #     Don't use an existing key, it will take precedence over
-    #     gitolite-admin
-    # (4) su -u gitolite gitolite setup
-    services.gitolite = {
-      enable = true;
-      # FIXME: key from ./ssh
-      adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
-    };
-
-    services.ympd = mypkgs.ympd.config // { enable = true; };
+    services.ympd = mypkgs.ympd.config // { enable = false; };
  
      services.phpfpm = {
+      # FIXME: move session files to separate dirs
        # /!\ phppackage is used in nextcloud configuation
        phpOptions = ''
+        session.save_path = "/var/lib/php/sessions"
+        session.gc_maxlifetime = 60*60*24*15
+        session.cache_expire = 60*24*30
          ; For nextcloud
          extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
          ; For nextcloud
          extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+        ; For nextcloud
+        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
          '';
        extraConfig = ''
          log_level = notice
          '';
        poolConfigs = {
          adminer = mypkgs.adminer.phpFpm.pool;
-        connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
-        connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
          nextcloud = mypkgs.nextcloud.phpFpm.pool;
          mantisbt = mypkgs.mantisbt.phpFpm.pool;
+        ttrss = mypkgs.ttrss.phpFpm.pool;
+        roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
+        davical = mypkgs.davical.phpFpm.pool;
        };
      };
  
      system.activationScripts = {
-      connexionswing_dev  = mypkgs.connexionswing_dev.activationScript;
-      connexionswing_prod = mypkgs.connexionswing_prod.activationScript;
        nextcloud = mypkgs.nextcloud.activationScript;
+      ttrss = mypkgs.ttrss.activationScript;
+      roundcubemail = mypkgs.roundcubemail.activationScript;
        httpd = ''
          install -d -m 0755 /var/lib/acme/acme-challenge
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
          '';
-      redis = ''
-        mkdir -p /run/redis
-        chown redis /run/redis
-        '';
-      gitolite =
-        assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
-        let
-        gitolite_ldap_groups = mylibs.wrap {
-          name = "gitolite_ldap_groups.sh";
-          file = ./packages/gitolite_ldap_groups.sh;
-          vars = {
-            LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
-          };
-          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
-        };
-      in {
-        deps = [ "users" ];
-        text = ''
-          if [ -d /var/lib/gitolite ]; then
-            ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
-            chmod g+rx /var/lib/gitolite
-          fi
-          if [ -f /var/lib/gitolite/projects.list ]; then
-            chmod g+r /var/lib/gitolite/projects.list
-          fi
-        '';
-      };
      };
  
      environment.etc."ssh/ldap_authorized_keys" = let
        ldap_authorized_keys =
-        assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
-        mylibs.wrap {
+        assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+        wrap {
            name = "ldap_authorized_keys";
            file = ./ldap_authorized_keys.sh;
            vars = {
@@ -203,123 +162,77 @@
        basePath = "${mypkgs.git.web.varDir}/repositories";
      };
  
+    # FIXME: logrotate
      services.httpd = let
-      withSSL = domain: {
+      withConf = domain: {
          enableSSL = true;
          sslServerCert = "/var/lib/acme/${domain}/cert.pem";
          sslServerKey = "/var/lib/acme/${domain}/key.pem";
          sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
+        logFormat = "combinedVhost";
+        listen = [
+          { ip = "176.9.151.89";  port = 443; }
+        ];
        };
-      apacheConfig = {
-        gzip = {
-          modules = [ "deflate" "filter" ];
-          extraConfig = ''
-            AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
-          '';
-        };
-        ldap = {
-          modules = [ "ldap" "authnz_ldap" ];
-          extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
-            <IfModule ldap_module>
-              LDAPSharedCacheSize 500000
-              LDAPCacheEntries 1024
-              LDAPCacheTTL 600
-              LDAPOpCacheEntries 1024
-              LDAPOpCacheTTL 600
-            </IfModule>
-
-            <Macro LDAPConnect>
-              <IfModule authnz_ldap_module>
-                AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu
-                AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
-                AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
-                AuthType             Basic
-                AuthName             "Authentification requise (Acces LDAP)"
-                AuthBasicProvider    ldap
-              </IfModule>
-            </Macro>
-          '';
-        };
-      };
+      apacheConfig = config.services.myWebsites.apacheConfig;
      in rec {
        enable = true;
        logPerVirtualHost = true;
        multiProcessingModule = "worker";
        adminAddr = "httpd@immae.eu";
-      # FIXME: http2
-      # FIXME: voir les autres modules:
-      #    authz_core_module
-      #    reqtimeout_module
-      #    http2_module
-      #    version_module
-      #    proxy_connect_module
-      #    proxy_ftp_module
-      #    proxy_scgi_module
-      #    proxy_ajp_module
-      #    proxy_balancer_module
-      #    proxy_express_module
-      #    lbmethod_byrequests_module
-      #    lbmethod_bytraffic_module
-      #    lbmethod_bybusyness_module
-      #    lbmethod_heartbeat_module
-
+      logFormat = "combinedVhost";
        extraModules = pkgs.lib.lists.unique (
          mypkgs.adminer.apache.modules ++
          mypkgs.nextcloud.apache.modules ++
-        mypkgs.connexionswing_dev.apache.modules ++
-        mypkgs.connexionswing_prod.apache.modules ++
          mypkgs.ympd.apache.modules ++
          mypkgs.git.web.apache.modules ++
          mypkgs.mantisbt.apache.modules ++
-        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
-        [ "macro" ]);
+        mypkgs.ttrss.apache.modules ++
+        mypkgs.roundcubemail.apache.modules ++
+        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig));
        extraConfig = builtins.concatStringsSep "\n"
-        (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig) apacheConfig);
+        (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
        virtualHosts = [
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
            hostName = "eldiron.immae.eu";
            documentRoot = ./www;
            extraConfig = ''
              DirectoryIndex index.htm
              '';
          })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
            hostName = "db-1.immae.eu";
            documentRoot = null;
            extraConfig = builtins.concatStringsSep "\n" [
              mypkgs.adminer.apache.vhostConf
            ];
          })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
            hostName = "tools.immae.eu";
            documentRoot = null;
            extraConfig = builtins.concatStringsSep "\n" [
              mypkgs.adminer.apache.vhostConf
              mypkgs.ympd.apache.vhostConf
+            mypkgs.ttrss.apache.vhostConf
+            mypkgs.roundcubemail.apache.vhostConf
            ];
          })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
-          hostName = "connexionswing.immae.eu";
-          serverAliases = [ "sandetludo.immae.eu" ];
-          documentRoot = mypkgs.connexionswing_dev.webRoot;
+        (withConf "eldiron" // {
+          hostName = "dav.immae.eu";
+          documentRoot = null;
            extraConfig = builtins.concatStringsSep "\n" [
-            mypkgs.connexionswing_dev.apache.vhostConf
+            mypkgs.infcloud.apache.vhostConf
+            mypkgs.davical.apache.vhostConf
            ];
          })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
            hostName = "cloud.immae.eu";
            documentRoot = mypkgs.nextcloud.webRoot;
            extraConfig = builtins.concatStringsSep "\n" [
              mypkgs.nextcloud.apache.vhostConf
            ];
          })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
            hostName = "git.immae.eu";
            documentRoot = mypkgs.git.web.webRoot;
            extraConfig = builtins.concatStringsSep "\n" [
@@ -336,6 +249,7 @@
            hostName = "redirectSSL";
            serverAliases = [ "*" ];
            enableSSL = false;
+          logFormat = "combinedVhost";
            documentRoot = "/var/lib/acme/acme-challenge";
            extraConfig = ''
              RewriteEngine on
@@ -346,94 +260,22 @@
              # rather than rewrite
              '';
          }
-        ];
-    };
-
-    security.pam.services = let
-      pam_ldap = pkgs.pam_ldap;
-      pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
-              pkgs.writeText "mysql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
-        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
-        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        '';
-    in [
-      {
-        name = "mysql";
-        text = ''
-          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          '';
-      }
-    ];
-
-    # FIXME: backup
-    services.redis = rec {
-      enable = true;
-      bind = "127.0.0.1";
-      unixSocket = "/run/redis/redis.sock";
-      extraConfig = ''
-        unixsocketperm 777
-        maxclients 1024
-        '';
+      ];
      };
  
-    # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: restart after pam
-    # FIXME: pam access doesn’t work (because of php module)
-    # FIXME: ssl
-    services.mysql = rec {
-      enable = true;
-      package = pkgs.mariadb.overrideAttrs(old: rec {
-        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
-        buildInputs = old.buildInputs ++ [ pkgs.pam ];
-      });
-    };
+    systemd.services.tt-rss = {
+      description = "Tiny Tiny RSS feeds update daemon";
+      serviceConfig = {
+        User = "wwwrun";
+        ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
+        StandardOutput = "syslog";
+        StandardError = "syslog";
+        PermissionsStartOnly = true;
+      };
  
-    # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: ssl
-    services.postgresql = rec {
-      enable = true;
-      package = pkgs.postgresql100.overrideAttrs(old: rec {
-        passthru = old.passthru // { psqlSchema = "11.0"; };
-        name = "postgresql-11.1";
-        src = pkgs.fetchurl {
-          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-        };
-      });
-      enableTCPIP = true;
-      extraConfig = ''
-        max_connections = 100
-        wal_level = logical
-        shared_buffers = 128MB
-        max_wal_size = 1GB
-        min_wal_size = 80MB
-        log_timezone = 'Europe/Paris'
-        datestyle = 'iso, mdy'
-        timezone = 'Europe/Paris'
-        lc_messages = 'en_US.UTF-8'
-        lc_monetary = 'en_US.UTF-8'
-        lc_numeric = 'en_US.UTF-8'
-        lc_time = 'en_US.UTF-8'
-        default_text_search_config = 'pg_catalog.english'
-        # ssl = on
-        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
-        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
-        '';
-      authentication = ''
-        local  all     postgres                                ident
-        local  all     all                                     md5
-        host   all     all             samehost                md5
-        host   all     all             178.33.252.96/32        md5
-        host   all     all             188.165.209.148/32      md5
-        #host  all     all             all                     pam
-      '';
+      wantedBy = [ "multi-user.target" ];
+      requires = ["postgresql.service"];
+      after = ["network.target" "postgresql.service"];
      };
    };
  }