X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Feldiron.nix;h=2e4ae1272cfb46265b5b09d7d1ff1635e9f4cee5;hb=f3d9c61e9becccc9ef25f64e5e639d45ea25650a;hp=38f753c7f1469602aba7846b05c59d5deefab64b;hpb=cbc248ed9c13781b3beca56c902531b3ae056041;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 38f753c..2e4ae12 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix @@ -4,14 +4,45 @@ enableRollback = true; }; - eldiron = { config, pkgs, ... }: - let mypkgs = import ./packages.nix; + # Full backup: + # The star after /var/lib/* avoids deleting all folders in case of problem + # rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu: + eldiron = { config, pkgs, mylibs, myconfig, ... }: + with mylibs; + let + mypkgs = pkgs.callPackage ./packages.nix { + inherit checkEnv fetchedGit fetchedGithub; + }; in { + _module.args = { + mylibs = import ../libs.nix; + myconfig = { + ips = { + main = "176.9.151.89"; + production = "176.9.151.154"; + integration = "176.9.151.155"; + }; + }; + }; + + imports = [ + ./modules/certificates.nix + ./modules/gitolite.nix + ./modules/gitweb.nix + ./modules/databases.nix + ./modules/websites + ]; + services.myGitolite.enable = true; + services.myGitweb.enable = true; + services.myDatabases.enable = true; + services.myWebsites.production.enable = true; + services.myWebsites.integration.enable = true; + networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 3306 5432 ]; + allowedTCPPorts = [ 22 9418 ]; }; }; @@ -20,7 +51,7 @@ hetzner = { #robotUser = "defined in HETZNER_ROBOT_USER"; #robotPass = "defined in HETZNER_ROBOT_PASS"; - mainIPv4 = "176.9.151.89"; + mainIPv4 = myconfig.ips.main; partitions = '' clearpart --all --initlabel --drives=sda,sdb @@ -35,85 +66,185 @@ }; }; - # FIXME: how to run it? currently set as timer - security.acme.certs = { - "eldiron" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "eldiron.immae.eu"; - extraDomains = { - "db-1.immae.eu" = null; - }; - }; + environment.systemPackages = let + # FIXME: move it to nextcloud + occ = pkgs.writeScriptBin "nextcloud-occ" '' + #! ${pkgs.stdenv.shell} + cd ${mypkgs.nextcloud.webRoot} + NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \ + exec \ + ${config.services.phpfpm.phpPackage}/bin/php \ + -c ${config.services.phpfpm.phpPackage}/etc/php.ini \ + occ $* + ''; + in [ + pkgs.telnet + pkgs.htop + pkgs.vim + occ + ]; + + security.acme.certs."eldiron".extraDomains = { + "db-1.immae.eu" = null; + "tools.immae.eu" = null; + "cloud.immae.eu" = null; + "dav.immae.eu" = null; }; - # FIXME: open_basedir + services.openssh.extraConfig = '' + AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys + AuthorizedKeysCommandUser nobody + ''; + + services.ympd = mypkgs.ympd.config // { enable = false; }; + services.phpfpm = { + # FIXME: move session files to separate dirs + # /!\ phppackage is used in nextcloud configuation + phpOptions = '' + session.save_path = "/var/lib/php/sessions" + session.gc_maxlifetime = 60*60*24*15 + session.cache_expire = 60*24*30 + ; For nextcloud + extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so + ; For nextcloud + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + ; For nextcloud + zend_extension=${pkgs.php}/lib/php/extensions/opcache.so + ''; extraConfig = '' log_level = notice ''; poolConfigs = { - adminer = '' - listen = /var/run/phpfpm/adminer.sock - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - ;php_admin_flag[log_errors] = on - php_admin_value[open_basedir] = "${mypkgs.adminer}:/tmp" - ''; - www = '' - listen = /var/run/phpfpm/www.sock - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - ;php_admin_flag[log_errors] = on - php_admin_value[open_basedir] = "/var/www" - ''; + adminer = mypkgs.adminer.phpFpm.pool; + nextcloud = mypkgs.nextcloud.phpFpm.pool; + mantisbt = mypkgs.mantisbt.phpFpm.pool; + ttrss = mypkgs.ttrss.phpFpm.pool; + roundcubemail = mypkgs.roundcubemail.phpFpm.pool; + davical = mypkgs.davical.phpFpm.pool; }; }; + system.activationScripts = { + nextcloud = mypkgs.nextcloud.activationScript; + ttrss = mypkgs.ttrss.activationScript; + roundcubemail = mypkgs.roundcubemail.activationScript; + httpd = '' + install -d -m 0755 /var/lib/acme/acme-challenge + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical + ''; + }; + + environment.etc."ssh/ldap_authorized_keys" = let + ldap_authorized_keys = + assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD"; + wrap { + name = "ldap_authorized_keys"; + file = ./ldap_authorized_keys.sh; + vars = { + LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD"; + GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; + ECHO = "${pkgs.coreutils}/bin/echo"; + }; + paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; + }; + in { + enable = true; + mode = "0755"; + user = "root"; + source = ldap_authorized_keys; + }; + + services.gitDaemon = { + enable = true; + user = "gitolite"; + group = "gitolite"; + basePath = "${mypkgs.git.web.varDir}/repositories"; + }; + + # FIXME: logrotate services.httpd = let - withSSL = domain: { + withConf = domain: { enableSSL = true; - sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only? + sslServerCert = "/var/lib/acme/${domain}/cert.pem"; sslServerKey = "/var/lib/acme/${domain}/key.pem"; sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; + logFormat = "combinedVhost"; + listen = [ + { ip = "176.9.151.89"; port = 443; } + ]; }; + apacheConfig = config.services.myWebsites.apacheConfig; in rec { enable = true; logPerVirtualHost = true; multiProcessingModule = "worker"; adminAddr = "httpd@immae.eu"; - extraModules = [ - "proxy_fcgi" # for PHP - ]; + logFormat = "combinedVhost"; + extraModules = pkgs.lib.lists.unique ( + mypkgs.adminer.apache.modules ++ + mypkgs.nextcloud.apache.modules ++ + mypkgs.ympd.apache.modules ++ + mypkgs.git.web.apache.modules ++ + mypkgs.mantisbt.apache.modules ++ + mypkgs.ttrss.apache.modules ++ + mypkgs.roundcubemail.apache.modules ++ + pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig)); + extraConfig = builtins.concatStringsSep "\n" + (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig)); virtualHosts = [ - (withSSL "eldiron" // { - listen = [ { ip = "*"; port = 443; } ]; + (withConf "eldiron" // { hostName = "eldiron.immae.eu"; - # FIXME: directory needs to exist - documentRoot = "/var/www"; + documentRoot = ./www; + extraConfig = '' + DirectoryIndex index.htm + ''; }) - (withSSL "eldiron" // { - listen = [ { ip = "*"; port = 443; } ]; + (withConf "eldiron" // { hostName = "db-1.immae.eu"; documentRoot = null; - extraConfig = '' - Alias /adminer ${mypkgs.adminer} - - DirectoryIndex = index.php - - SetHandler "proxy:unix:/var/run/phpfpm/adminer.sock|fcgi://localhost" - - + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.adminer.apache.vhostConf + ]; + }) + (withConf "eldiron" // { + hostName = "tools.immae.eu"; + documentRoot = null; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.adminer.apache.vhostConf + mypkgs.ympd.apache.vhostConf + mypkgs.ttrss.apache.vhostConf + mypkgs.roundcubemail.apache.vhostConf + ]; + }) + (withConf "eldiron" // { + hostName = "dav.immae.eu"; + documentRoot = null; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.infcloud.apache.vhostConf + mypkgs.davical.apache.vhostConf + ]; + }) + (withConf "eldiron" // { + hostName = "cloud.immae.eu"; + documentRoot = mypkgs.nextcloud.webRoot; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.nextcloud.apache.vhostConf + ]; + }) + (withConf "eldiron" // { + hostName = "git.immae.eu"; + documentRoot = mypkgs.git.web.webRoot; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.git.web.apache.vhostConf + mypkgs.mantisbt.apache.vhostConf + ] + '' + RewriteEngine on + RewriteCond %{REQUEST_URI} ^/releases + RewriteRule /releases(.*) https://release.immae.eu$1 [P,L] ''; }) { # Should go last, default fallback @@ -121,7 +252,7 @@ hostName = "redirectSSL"; serverAliases = [ "*" ]; enableSSL = false; - # FIXME: directory needs to exist + logFormat = "combinedVhost"; documentRoot = "/var/lib/acme/acme-challenge"; extraConfig = '' RewriteEngine on @@ -132,80 +263,22 @@ # rather than rewrite ''; } - ]; + ]; }; - # FIXME: environment variables ? - security.pam.services = let - pam_ldap = pkgs.pam_ldap; - pam_ldap_mysql = pkgs.writeText "mysql.conf" '' - host ldap.immae.eu - base dc=immae,dc=eu - binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} - pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - ''; - in [ - { - name = "mysql"; - text = '' - # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} - account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} - ''; - } - ]; - - # FIXME: initial sync - # FIXME: backup - # FIXME: restart after pam - # FIXME: pam access doesn’t work (because of php module) - services.mysql = rec { - enable = true; - package = pkgs.mariadb.overrideAttrs(old: rec { - cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; - buildInputs = old.buildInputs ++ [ pkgs.pam ]; - }); - }; + systemd.services.tt-rss = { + description = "Tiny Tiny RSS feeds update daemon"; + serviceConfig = { + User = "wwwrun"; + ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon"; + StandardOutput = "syslog"; + StandardError = "syslog"; + PermissionsStartOnly = true; + }; - # FIXME: initial sync - # FIXME: backup - services.postgresql = rec { - enable = true; - package = pkgs.postgresql100.overrideAttrs(old: rec { - passthru = old.passthru // { psqlSchema = "11.0"; }; - name = "postgresql-11.1"; - src = pkgs.fetchurl { - url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; - sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; - }; - }); - enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 128MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' - # ssl = on - # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem' - # ssl_key_file = '/var/lib/acme/eldiron/key.pem' - ''; - authentication = '' - local all postgres ident - local all all md5 - host all all 178.33.252.96/32 md5 - host all all 188.165.209.148/32 md5 - #host all all all pam - ''; + wantedBy = [ "multi-user.target" ]; + requires = ["postgresql.service"]; + after = ["network.target" "postgresql.service"]; }; }; }