X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Feldiron.nix;h=337ea2f376bfd8a5ae7172bc14d1ed82f2980adf;hb=b0781dbc85da7bba5a3a9209ca4d3b3900eea7b5;hp=55b0bf713424cd6915e400df0a2d6608a7f3cab2;hpb=58d1a7828bde7f9a432c31b9d3b381ba27b7e3d9;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 55b0bf7..337ea2f 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix @@ -4,23 +4,46 @@ enableRollback = true; }; - eldiron = { config, pkgs, ... }: - let mypkgs = import ./packages.nix; - in + eldiron = { config, pkgs, mylibs, myconfig, ... }: + with mylibs; { + _module.args = { + mylibs = import ../libs.nix; + myconfig = { + env = import ./environment.nix; + ips = { + main = "176.9.151.89"; + production = "176.9.151.154"; + integration = "176.9.151.155"; + }; + }; + }; + + imports = [ + ./modules/certificates.nix + ./modules/gitolite + ./modules/databases + ./modules/websites + ]; + services.myGitolite.enable = true; + services.myDatabases.enable = true; + services.myWebsites.production.enable = true; + services.myWebsites.integration.enable = true; + services.myWebsites.tools.enable = true; + networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 3306 5432 ]; + allowedTCPPorts = [ 22 ]; }; }; deployment = { targetEnv = "hetzner"; hetzner = { - #robotUser = "defined in HETZNER_ROBOT_USER"; - #robotPass = "defined in HETZNER_ROBOT_PASS"; - mainIPv4 = "176.9.151.89"; + robotUser = myconfig.env.hetzner.user; + robotPass = myconfig.env.hetzner.pass; + mainIPv4 = myconfig.ips.main; partitions = '' clearpart --all --initlabel --drives=sda,sdb @@ -35,221 +58,35 @@ }; }; - # FIXME: how to run it? currently set as timer - security.acme.certs = { - "eldiron" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "eldiron.immae.eu"; - extraDomains = { - "db-1.immae.eu" = null; - }; - }; - }; - - # FIXME: open_basedir - services.phpfpm = { - extraConfig = '' - log_level = notice - ''; - poolConfigs = { - adminer = '' - listen = /var/run/phpfpm/adminer.sock - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - ;php_admin_flag[log_errors] = on - php_admin_value[open_basedir] = "${mypkgs.adminer}:/tmp" - ''; - www = '' - listen = /var/run/phpfpm/www.sock - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - ;php_admin_flag[log_errors] = on - php_admin_value[open_basedir] = "/var/www" - ''; - }; - }; + environment.systemPackages = [ + pkgs.telnet + pkgs.htop + pkgs.vim + ]; - services.httpd = let - withSSL = domain: { - enableSSL = true; - sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only? - sslServerKey = "/var/lib/acme/${domain}/key.pem"; - sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; - }; - in rec { - enable = true; - logPerVirtualHost = true; - multiProcessingModule = "worker"; - adminAddr = "httpd@immae.eu"; - extraModules = [ - "proxy_fcgi" # for PHP - ]; - virtualHosts = [ - (withSSL "eldiron" // { - listen = [ { ip = "*"; port = 443; } ]; - hostName = "eldiron.immae.eu"; - # FIXME: directory needs to exist - documentRoot = "/var/www"; - }) - (withSSL "eldiron" // { - listen = [ { ip = "*"; port = 443; } ]; - hostName = "db-1.immae.eu"; - documentRoot = null; - extraConfig = '' - Alias /adminer ${mypkgs.adminer} - - DirectoryIndex = index.php - - SetHandler "proxy:unix:/var/run/phpfpm/adminer.sock|fcgi://localhost" - - - ''; - }) - { # Should go last, default fallback - listen = [ { ip = "*"; port = 80; } ]; - hostName = "redirectSSL"; - serverAliases = [ "*" ]; - enableSSL = false; - # FIXME: directory needs to exist - documentRoot = "/var/lib/acme/acme-challenge"; - extraConfig = '' - RewriteEngine on - RewriteCond "%{REQUEST_URI}" "!^/\.well-known" - RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] - # To redirect in specific "VirtualHost *:80", do - # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 - # rather than rewrite - ''; - } - ]; - }; + services.openssh.extraConfig = '' + AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys + AuthorizedKeysCommandUser nobody + ''; - services.nginx = rec { - enable = false; - virtualHosts = { - "_" = { - serverName = "_"; - useACMEHost = "eldiron"; - }; - "eldiron.immae.eu" = { - forceSSL = true; - useACMEHost = "eldiron"; - locations."/" = { - # FIXME: directory needs to exist - root = "/var/www"; - extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_param HTTP_PROXY ""; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass unix:/var/run/phpfpm/www.sock; - fastcgi_index index.php; - fastcgi_intercept_errors on; - ''; - }; - }; - "db-1.immae.eu" = { - forceSSL = true; - useACMEHost = "eldiron"; - locations."/adminer" = { - alias = mypkgs.adminer; - index = "index.php"; - extraConfig = '' - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_param HTTP_PROXY ""; - fastcgi_param SCRIPT_FILENAME ${mypkgs.adminer}/index.php; - fastcgi_pass unix:/var/run/phpfpm/adminer.sock; - fastcgi_index index.php; - fastcgi_intercept_errors on; - ''; + environment.etc."ssh/ldap_authorized_keys" = let + ldap_authorized_keys = + wrap { + name = "ldap_authorized_keys"; + file = ./ldap_authorized_keys.sh; + vars = { + LDAP_PASS = myconfig.env.sshd.ldap.password; + GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell"; + ECHO = "${pkgs.coreutils}/bin/echo"; }; + paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ]; }; - }; - }; - - # FIXME: environment variables ? - security.pam.services = let - pam_ldap = pkgs.pam_ldap; - pam_ldap_mysql = pkgs.writeText "mysql.conf" '' - host ldap.immae.eu - base dc=immae,dc=eu - binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} - pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - ''; - in [ - { - name = "mysql"; - text = '' - # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} - account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} - ''; - } - ]; - - # FIXME: initial sync - # FIXME: backup - # FIXME: restart after pam - # FIXME: pam access doesn’t work (because of php module) - services.mysql = rec { + in { enable = true; - package = pkgs.mariadb.overrideAttrs(old: rec { - cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; - buildInputs = old.buildInputs ++ [ pkgs.pam ]; - }); + mode = "0755"; + user = "root"; + source = ldap_authorized_keys; }; - # FIXME: initial sync - # FIXME: backup - services.postgresql = rec { - enable = true; - package = pkgs.postgresql100.overrideAttrs(old: rec { - passthru = old.passthru // { psqlSchema = "11.0"; }; - name = "postgresql-11.1"; - src = pkgs.fetchurl { - url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; - sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; - }; - }); - enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 128MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' - # ssl = on - # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem' - # ssl_key_file = '/var/lib/acme/eldiron/key.pem' - ''; - authentication = '' - local all postgres ident - local all all md5 - host all all 178.33.252.96/32 md5 - host all all 188.165.209.148/32 md5 - #host all all all pam - ''; - }; }; }