X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=systems%2Feldiron%2Fwebsites%2Ftools%2Fdefault.nix;h=4d9e3c1a36b47ec133f713831fe65c08a06c431c;hb=1a64deeb894dc95e2645a75771732c6cc53a79ad;hpb=fa25ffd4583cc362075cd5e1b4130f33306103f0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/systems/eldiron/websites/tools/default.nix b/systems/eldiron/websites/tools/default.nix
new file mode 100644
index 0000000..4d9e3c1
--- /dev/null
+++ b/systems/eldiron/websites/tools/default.nix
@@ -0,0 +1,547 @@
+{ lib, pkgs, config, mypackages-lib, grocy, ... }:
+let
+ composerEnv = mypackages-lib.composerEnv;
+ adminer = pkgs.callPackage ./adminer.nix { inherit config; };
+ ympd = pkgs.callPackage ./ympd.nix {
+ env = config.myEnv.tools.ympd;
+ inherit config;
+ };
+ ttrss = pkgs.callPackage ./ttrss.nix {
+ ttrss = pkgs.webapps-ttrss;
+ ttrss-plugins = pkgs.webapps-ttrss-plugins;
+ env = config.myEnv.tools.ttrss;
+ php = pkgs.php72;
+ inherit config;
+ };
+ kanboard = pkgs.callPackage ./kanboard.nix {
+ inherit config;
+ env = config.myEnv.tools.kanboard;
+ };
+ wallabag = pkgs.callPackage ./wallabag.nix {
+ wallabag = pkgs.webapps-wallabag.override {
+ composerEnv = composerEnv.override {
+ php = pkgs.php73.withExtensions({ enabled, all }: enabled ++ [all.tidy]);
+ };
+ };
+ env = config.myEnv.tools.wallabag;
+ inherit config;
+ };
+ yourls = pkgs.callPackage ./yourls.nix {
+ yourls = pkgs.webapps-yourls;
+ yourls-plugins = pkgs.webapps-yourls-plugins;
+ env = config.myEnv.tools.yourls;
+ inherit config;
+ };
+ rompr = pkgs.callPackage ./rompr.nix {
+ rompr = pkgs.webapps-rompr;
+ env = config.myEnv.tools.rompr;
+ inherit config;
+ };
+ shaarli = pkgs.callPackage ./shaarli.nix {
+ env = config.myEnv.tools.shaarli;
+ inherit config;
+ };
+ dokuwiki = pkgs.callPackage ./dokuwiki.nix {
+ dokuwiki = pkgs.webapps-dokuwiki;
+ dokuwiki-plugins = pkgs.webapps-dokuwiki-plugins;
+ inherit config;
+ };
+ ldap = pkgs.callPackage ./ldap.nix {
+ phpldapadmin = pkgs.webapps-phpldapadmin;
+ env = config.myEnv.tools.phpldapadmin;
+ inherit config;
+ };
+ grocy' = pkgs.callPackage ./grocy.nix {
+ grocy = grocy.override { composerEnv = composerEnv.override { php = pkgs.php72; }; };
+ };
+ phpbb = pkgs.callPackage ./phpbb.nix {
+ phpbb = (pkgs.webapps-phpbb.withLangs (l: [ l.fr ])).withExts (e: [
+ e.alfredoramos.markdown e.davidiq.mailinglist e.dmzx.mchat
+ e.empteintesduweb.monitoranswers e.lr94.autosubscribe
+ e.phpbbmodders.adduser ]);
+ };
+ webhooks-bin-env = pkgs.buildEnv {
+ name = "webhook-env";
+ paths = [ pkgs.apprise ];
+ pathsToLink = [ "/bin" ];
+ };
+ webhooks = pkgs.callPackage ./webhooks.nix {
+ env = config.myEnv.tools.webhooks;
+ binEnv = webhooks-bin-env;
+ };
+ dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
+ env = config.myEnv.tools.dmarc_reports;
+ inherit config;
+ };
+
+ landing = pkgs.callPackage ./landing.nix { };
+
+ cfg = config.myServices.websites.tools.tools;
+ pcfg = config.services.phpfpm.pools;
+in {
+ options.myServices.websites.tools.tools = {
+ enable = lib.mkEnableOption "enable tools website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # Services needing to send e-mails
+ myServices.dns.zones."immae.eu".emailPolicies."tools".receive = true;
+ myServices.dns.zones."immae.eu".subdomains =
+ with config.myServices.dns.helpers;
+ {
+ outils = ips servers.eldiron.ips.main;
+ tools = lib.mkMerge [
+ (mailCommon "immae.eu")
+ mailSend
+ (ips servers.eldiron.ips.main)
+ ];
+ };
+
+ myServices.chatonsProperties.services = {
+ adminer = adminer.chatonsProperties;
+ dokuwiki = dokuwiki.chatonsProperties;
+ shaarli = shaarli.chatonsProperties;
+ ttrss = ttrss.chatonsProperties;
+ wallabag = wallabag.chatonsProperties;
+ paste = {
+ file.datetime = "2022-08-22T00:15:00";
+ service = {
+ name = "Paste";
+ description = "A simple paster script with syntax highlight";
+ website = "https://tools.immae.eu/paste/";
+ logo = "https://assets.immae.eu/logo.jpg";
+ status.level = "OK";
+ status.description = "OK";
+ registration."" = ["MEMBER" "CLIENT"];
+ registration.load = "OPEN";
+ install.type = "PACKAGE";
+ guide.user = "https://tools.immae.eu/paste/";
+ };
+ software = {
+ name = "Paste";
+ website = "https://tools.immae.eu/paste/";
+ license.url = "https://tools.immae.eu/paste/license";
+ license.name = "MIT License";
+ version = "Unversioned";
+ source.url = "https://tools.immae.eu/paste/abcd123/py";
+ };
+ };
+ };
+ myServices.chatonsProperties.hostings = {
+ dokuwiki = dokuwiki.chatonsHostingProperties;
+ phpbb = phpbb.chatonsHostingProperties;
+ };
+ secrets.keys =
+ kanboard.keys
+ // ldap.keys
+ // shaarli.keys
+ // ttrss.keys
+ // wallabag.keys
+ // yourls.keys
+ // dmarc-reports.keys
+ // webhooks.keys
+ // ({ "webapps/tools-landing-sql-rw" = {
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = let
+ env = config.myEnv.tools.landing;
+ in ''
+ SetEnv PGUSER "${env.postgresql.user}"
+ SetEnv PGPASSWORD "${env.postgresql.password}"
+ SetEnv PGDATABASE "${env.postgresql.database}"
+ SetEnv PGHOST "${env.postgresql.socket}"
+ '';
+ }; });
+ services.websites.env.tools.modules =
+ [ "proxy_fcgi" ]
+ ++ adminer.apache.modules
+ ++ ympd.apache.modules
+ ++ ttrss.apache.modules
+ ++ wallabag.apache.modules
+ ++ yourls.apache.modules
+ ++ rompr.apache.modules
+ ++ shaarli.apache.modules
+ ++ dokuwiki.apache.modules
+ ++ dmarc-reports.apache.modules
+ ++ phpbb.apache.modules
+ ++ ldap.apache.modules
+ ++ kanboard.apache.modules;
+
+ myServices.dns.zones."immae.dev" = with config.myServices.dns.helpers; {
+ subdomains.tools = ips servers.eldiron.ips.integration;
+ };
+ security.acme.certs.integration.domain = "tools.immae.dev";
+ services.websites.env.integration.vhostConfs.devtools = {
+ certName = "integration";
+ hosts = [ "tools.immae.dev" ];
+ root = "/var/lib/ftp/immae/devtools";
+ extraConfig = [
+ ''
+ Use Apaxy "/var/lib/ftp/immae/devtools" "title"
+ Timeout 600
+ ProxyTimeout 600
+ Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
+
+ DirectoryIndex index.php index.htm index.html
+ AllowOverride all
+ Require all granted
+
+ SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost"
+
+
+ ''
+ ];
+ };
+
+
+ security.acme.certs.eldiron.extraDomainNames = [ "outils.immae.eu" "tools.immae.eu" ];
+ services.websites.env.tools.vhostConfs.tools = {
+ certName = "eldiron";
+ hosts = ["tools.immae.eu" ];
+ root = landing;
+ extraConfig = [
+ ''
+ RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1
+ RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1
+ RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse
+
+
+ Include ${config.secrets.fullPaths."webapps/tools-landing-sql-rw"}
+ DirectoryIndex index.html
+ AllowOverride None
+ Require all granted
+
+
+ SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
+
+
+ ''
+ (adminer.apache.vhostConf pcfg.adminer.socket)
+ ympd.apache.vhostConf
+ (ttrss.apache.vhostConf pcfg.ttrss.socket)
+ (wallabag.apache.vhostConf pcfg.wallabag.socket)
+ (yourls.apache.vhostConf pcfg.yourls.socket)
+ (rompr.apache.vhostConf pcfg.rompr.socket)
+ (shaarli.apache.vhostConf pcfg.shaarli.socket)
+ (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket)
+ (ldap.apache.vhostConf pcfg.ldap.socket)
+ (kanboard.apache.vhostConf pcfg.kanboard.socket)
+ (grocy'.apache.vhostConf pcfg.grocy.socket)
+ (phpbb.apache.vhostConf pcfg.phpbb.socket)
+ (dmarc-reports.apache.vhostConf pcfg.dmarc-reports.socket)
+ ''
+
+ ProxyPass unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+ ProxyPassReverse unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+ ProxyPreserveHost on
+
+
+ ProxyPass unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+ ProxyPassReverse unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
+ ProxyPreserveHost on
+
+
+
+ SetEnv proxy-nokeepalive 1
+ SetEnv proxy-sendchunked 1
+ LimitRequestBody 102400
+
+ RewriteEngine On
+
+ # FIXME: why is landing prefixed in the url?
+ RewriteCond %{HTTP:Upgrade} websocket [NC]
+ RewriteCond %{HTTP:Connection} upgrade [NC]
+ RewriteRule ^(${landing}/ntfy)?/?(.*) unix:///run/ntfy/ntfy.sock|ws://tools.immae.eu/$2 [P,NE,QSA,L]
+
+ RewriteRule ^(${landing}/ntfy)?/?(.*) unix:///run/ntfy/ntfy.sock|http://tools.immae.eu/$2 [P,NE,QSA,L]
+
+ Alias /BIP39 /var/lib/buildbot/outputs/immae/bip39
+
+ DirectoryIndex index.html
+ AllowOverride None
+ Require all granted
+
+
+ Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
+
+ Options -Indexes
+ DirectoryIndex index.php
+ Require all granted
+ AllowOverride None
+
+ SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
+
+
+ ''
+ ];
+ };
+
+ services.websites.env.tools.vhostConfs.outils = {
+ certName = "eldiron";
+ hosts = [ "outils.immae.eu" ];
+ root = null;
+ extraConfig = [
+ ''
+ RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1
+
+ RedirectMatch 301 ^/ether(.*)$ https://ether.immae.eu$1
+
+ RedirectMatch 301 ^/nextcloud(.*)$ https://cloud.immae.eu$1
+ RedirectMatch 301 ^/owncloud(.*)$ https://cloud.immae.eu$1
+
+ RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
+ RedirectMatch 301 ^/caldavzap(.*)$ https://dav.immae.eu/infcloud$1
+ RedirectMatch 301 ^/caldav.php(.*)$ https://dav.immae.eu/caldav.php$1
+ RedirectMatch 301 ^/davical(.*)$ https://dav.immae.eu/davical$1
+
+ RedirectMatch 301 ^/taskweb(.*)$ https://task.immae.eu/taskweb$1
+
+ RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1
+
+ RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse
+
+ RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1
+
+ RedirectMatch 301 ^/(.*)$ https://tools.immae.eu/$1
+ ''
+ ];
+ };
+
+ systemd.services = {
+ phpfpm-dokuwiki = {
+ after = lib.mkAfter dokuwiki.phpFpm.serviceDeps;
+ wants = dokuwiki.phpFpm.serviceDeps;
+ };
+ phpfpm-phpbb = {
+ after = lib.mkAfter phpbb.phpFpm.serviceDeps;
+ wants = phpbb.phpFpm.serviceDeps;
+ };
+ phpfpm-kanboard = {
+ after = lib.mkAfter kanboard.phpFpm.serviceDeps;
+ wants = kanboard.phpFpm.serviceDeps;
+ };
+ phpfpm-ldap = {
+ after = lib.mkAfter ldap.phpFpm.serviceDeps;
+ wants = ldap.phpFpm.serviceDeps;
+ };
+ phpfpm-shaarli = {
+ after = lib.mkAfter shaarli.phpFpm.serviceDeps;
+ wants = shaarli.phpFpm.serviceDeps;
+ };
+ phpfpm-ttrss = {
+ after = lib.mkAfter ttrss.phpFpm.serviceDeps;
+ wants = ttrss.phpFpm.serviceDeps;
+ };
+ phpfpm-wallabag = {
+ after = lib.mkAfter wallabag.phpFpm.serviceDeps;
+ wants = wallabag.phpFpm.serviceDeps;
+ preStart = lib.mkAfter wallabag.phpFpm.preStart;
+ };
+ phpfpm-yourls = {
+ after = lib.mkAfter yourls.phpFpm.serviceDeps;
+ wants = yourls.phpFpm.serviceDeps;
+ };
+ ntfy = {
+ description = "send push notifications to your phone or desktop via scripts from any computer";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.ntfy-sh}/bin/ntfy serve --listen-http '' --listen-unix %t/ntfy/ntfy.sock --cache-file %S/ntfy/cache.db --cache-duration 120h --behind-proxy --attachment-cache-dir %S/ntfy/attachments --base-url https://tools.immae.eu/ntfy";
+ Type = "simple";
+ WorkingDirectory = "%S/ntfy";
+ RuntimeDirectory = "ntfy";
+ StateDirectory = "ntfy";
+ User = "wwwrun";
+ };
+ };
+ ympd = {
+ description = "Standalone MPD Web GUI written in C";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
+ ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
+ '';
+ };
+ tt-rss = {
+ description = "Tiny Tiny RSS feeds update daemon";
+ serviceConfig = {
+ User = "wwwrun";
+ ExecStart = "${pkgs.php72}/bin/php ${ttrss.webRoot}/update.php --daemon";
+ StandardOutput = "syslog";
+ StandardError = "syslog";
+ PermissionsStartOnly = true;
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ requires = ["postgresql.service"];
+ after = ["network.target" "postgresql.service"];
+ };
+ };
+
+ services.filesWatcher.ympd = {
+ restart = true;
+ paths = [ config.secrets.fullPaths."mpd" ];
+ };
+
+ services.phpfpm.pools = {
+ tools = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = {
+ "listen.owner" = "wwwrun";
+ "listen.group" = "wwwrun";
+ "pm" = "dynamic";
+ "pm.max_children" = "60";
+ "pm.start_servers" = "2";
+ "pm.min_spare_servers" = "1";
+ "pm.max_spare_servers" = "10";
+
+ "php_admin_value[sendmail_path]" = "/run/wrappers/bin/sendmail -t -i";
+ "php_admin_value[session.save_handler]" = "redis";
+ "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Tools:'";
+ # Needed to avoid clashes in browser cookies (same domain)
+ "php_value[session.name]" = "ToolsPHPSESSID";
+ "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
+ "/run/wrappers/bin/sendmail" landing "/tmp"
+ config.secrets.fullPaths."webapps/webhooks"
+ "${webhooks-bin-env}/bin"
+ ];
+ };
+ phpEnv = {
+ CONTACT_EMAIL = config.myEnv.tools.contact;
+ };
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
+ };
+ devtools = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = {
+ "listen.owner" = "wwwrun";
+ "listen.group" = "wwwrun";
+ "pm" = "dynamic";
+ "pm.max_children" = "60";
+ "pm.start_servers" = "2";
+ "pm.min_spare_servers" = "1";
+ "pm.max_spare_servers" = "10";
+
+ "php_admin_value[sendmail_path]" = "/run/wrappers/bin/sendmail -t -i";
+ "php_admin_value[session.save_handler]" = "redis";
+ "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Devtools:'";
+ "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/immae/devtools:/tmp";
+ };
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.mysqli all.sqlite3 all.redis all.apcu all.opcache ]);
+ };
+ adminer = adminer.phpFpm;
+ ttrss = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = ttrss.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ wallabag = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = wallabag.phpFpm.pool;
+ phpPackage = pkgs.php73.withExtensions({ enabled, all }: enabled ++ [all.tidy all.redis]);
+ };
+ yourls = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = yourls.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ rompr = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = rompr.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ shaarli = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = shaarli.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ dmarc-reports = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = dmarc-reports.phpFpm.pool;
+ phpEnv = dmarc-reports.phpFpm.phpEnv;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ dokuwiki = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = dokuwiki.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ phpbb = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = phpbb.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ ldap = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = ldap.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ kanboard = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = kanboard.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ grocy = {
+ user = "wwwrun";
+ group = "wwwrun";
+ settings = grocy'.phpFpm.pool;
+ phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
+ };
+ };
+
+ system.activationScripts = {
+ grocy = grocy'.activationScript;
+ ttrss = ttrss.activationScript;
+ wallabag = wallabag.activationScript;
+ rompr = rompr.activationScript;
+ shaarli = shaarli.activationScript;
+ dokuwiki = dokuwiki.activationScript;
+ phpbb = phpbb.activationScript;
+ kanboard = kanboard.activationScript;
+ };
+
+ services.websites.env.tools.watchPaths = [
+ config.secrets.fullPaths."webapps/tools-shaarli"
+ ];
+ services.filesWatcher.phpfpm-wallabag = {
+ restart = true;
+ paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
+ };
+
+ myServices.monitoring.fromMasterActivatedPlugins = lib.mkMerge [
+ ttrss.monitoringPlugins
+ rompr.monitoringPlugins
+ wallabag.monitoringPlugins
+ yourls.monitoringPlugins
+ ympd.monitoringPlugins
+ dokuwiki.monitoringPlugins
+ shaarli.monitoringPlugins
+ ldap.monitoringPlugins
+ adminer.monitoringPlugins
+ ];
+ myServices.monitoring.fromMasterObjects = lib.mkMerge [
+ ttrss.monitoringObjects
+ rompr.monitoringObjects
+ wallabag.monitoringObjects
+ yourls.monitoringObjects
+ ympd.monitoringObjects
+ dokuwiki.monitoringObjects
+ shaarli.monitoringObjects
+ ldap.monitoringObjects
+ adminer.monitoringObjects
+ ];
+ };
+}
+
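Review bot: All PHP-FPM pools declared under `services.phpfpm.pools`, the `ntfy` and `tt-rss` units and the `webapps/tools-landing-sql-rw` secret (owner `wwwrun`, mode 0400) share the single `wwwrun` account, so the only thing separating one application from another's files and credentials is each pool's `open_basedir`, which is a PHP-level restriction rather than an OS boundary. The exposure looks largest for the `devtools` pool, whose vhost serves `/var/lib/ftp/immae/devtools` (apparently an FTP-writable tree, judging by the path) with `AllowOverride all` and a PHP handler, so code placed there runs with the same identity that can read the read-write PostgreSQL password. I would run at least that pool under its own account, e.g. `user = "devtools-php"; group = "devtools-php";` (account name constructed here; it would need declaring and read access to the tree), while leaving `"listen.owner" = "wwwrun"` so Apache can still reach the socket. The Apache container tags around the `extraConfig` directives appear to have been lost in this rendering, so the exact scope of `AllowOverride all` and `SetHandler` should be confirmed against the real file.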