X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Feldiron.nix;h=5dafe6e60b78a70482ac51605a4653299359763f;hb=3013caf18db83d43a1703b1a74cb484f70bab3a8;hp=3f2ba27886f188a9712cdacdced60c79789ce7ba;hpb=7d8b50d392f3aa588518d81b547ffe8cd9364544;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 3f2ba27..5dafe6e 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix @@ -4,44 +4,44 @@ enableRollback = true; }; - eldiron = { config, pkgs, ... }: - with import ../libs.nix; + eldiron = { config, pkgs, mylibs, ... }: + with mylibs; let mypkgs = pkgs.callPackage ./packages.nix { - inherit checkEnv fetchedGitPrivate fetchedGithub; + inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub; }; in { + _module.args = { + mylibs = import ../libs.nix; + }; + + imports = [ + ./modules/certificates.nix + ./modules/gitolite.nix + ./modules/gitweb.nix + ./modules/databases.nix + ./modules/websites/chloe.nix + ./modules/websites/ludivine.nix + ./modules/websites/aten.nix + ./modules/websites/piedsjaloux.nix + ./modules/websites/connexionswing.nix + ]; + services.myGitolite.enable = true; + services.myGitweb.enable = true; + services.myDatabases.enable = true; + services.myWebsites.Chloe.production.enable = true; + services.myWebsites.Chloe.integration.enable = true; + services.myWebsites.Ludivine.production.enable = true; + services.myWebsites.Ludivine.integration.enable = true; + services.myWebsites.Aten.production.enable = true; + services.myWebsites.Aten.integration.enable = true; + services.myWebsites.PiedsJaloux.production.enable = true; + services.myWebsites.PiedsJaloux.integration.enable = true; + services.myWebsites.Connexionswing.production.enable = true; + services.myWebsites.Connexionswing.integration.enable = true; + nixpkgs.config.packageOverrides = oldpkgs: rec { - gitolite = oldpkgs.gitolite.overrideAttrs(old: rec { - name = "gitolite-${version}"; - version = "3.6.10"; - src = pkgs.fetchFromGitHub { - owner = "sitaramc"; - repo = "gitolite"; - rev = "v${version}"; - sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h"; - }; - }); - gitweb = oldpkgs.gitweb.overrideAttrs(old: { - installPhase = old.installPhase + '' - cp -r ${./packages/gitweb} $out/gitweb-theme; - ''; - }); - postgresql = postgresql111; - postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec { - passthru = old.passthru // { psqlSchema = "11.0"; }; - name = "postgresql-11.1"; - src = pkgs.fetchurl { - url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; - sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; - }; - }); - mariadb = mariadbPAM; - mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec { - cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; - buildInputs = old.buildInputs ++ [ pkgs.pam ]; - }); goaccess = oldpkgs.goaccess.overrideAttrs(old: rec { name = "goaccess-${version}"; version = "1.3"; @@ -57,7 +57,7 @@ networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 3306 5432 9418 ]; + allowedTCPPorts = [ 22 80 443 9418 ]; }; }; @@ -94,85 +94,17 @@ ''; in [ pkgs.telnet + pkgs.htop pkgs.vim pkgs.goaccess occ ]; - security.acme.certs = { - # /!\ To create a new certificate, add first the domain to an - # existing certificate, deploy, and then use it in httpd. - "eldiron" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "eldiron.immae.eu"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "db-1.immae.eu" = null; - "git.immae.eu" = null; - "tools.immae.eu" = null; - "connexionswing.immae.eu" = null; - "sandetludo.immae.eu" = null; - "cloud.immae.eu" = null; - "ludivine.immae.eu" = null; - "dev.aten.pro" = null; - "piedsjaloux.immae.eu" = null; - "chloe.immae.eu" = null; - }; - }; - "ludivinecassal" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "ludivinecassal.com"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.ludivinecassal.com" = null; - }; - }; - "aten" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "aten.pro"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.aten.pro" = null; - }; - }; - "piedsjaloux" = { - webroot = "/var/lib/acme/acme-challenge"; - email = "ismael@bouya.org"; - domain = "piedsjaloux.fr"; - plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - postRun = '' - systemctl reload httpd.service - ''; - extraDomains = { - "www.piedsjaloux.fr" = null; - }; - }; - # "connexionswing" = { - # webroot = "/var/lib/acme/acme-challenge"; - # email = "ismael@bouya.org"; - # domain = "connexionswing.com"; - # plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; - # postRun = '' - # systemctl reload httpd.service - # ''; - # extraDomains = { - # "www.connexionswing.com" = null; - # "sandetludo.com" = null; - # "www.sandetludo.com" = null; - # }; - # }; + security.acme.certs."eldiron".extraDomains = { + "db-1.immae.eu" = null; + "tools.immae.eu" = null; + "cloud.immae.eu" = null; + "dav.immae.eu" = null; }; services.openssh.extraConfig = '' @@ -180,37 +112,15 @@ AuthorizedKeysCommandUser nobody ''; - users.users.wwwrun.extraGroups = [ "gitolite" ]; - - users.users.gitolite.packages = let - python-packages = python-packages: with python-packages; [ - simplejson - urllib3 - ]; - in - [ - (pkgs.python3.withPackages python-packages) - ]; - # FIXME: after initial install, need to - # (1) copy rc file (adjust gitolite_ldap_groups.sh) - # (2) (mark old readonly and) sync repos except gitolite-admin - # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/ - # chown -R gitolite:gitolite /var/lib/gitolite - # (3) push force the gitolite-admin to new location (from external point) - # Don't use an existing key, it will take precedence over - # gitolite-admin - # (4) su -u gitolite gitolite setup - services.gitolite = { - enable = true; - # FIXME: key from ./ssh - adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu"; - }; - - services.ympd = mypkgs.ympd.config // { enable = true; }; + services.ympd = mypkgs.ympd.config // { enable = false; }; services.phpfpm = { + # FIXME: move session files to separate dirs # /!\ phppackage is used in nextcloud configuation phpOptions = '' + session.save_path = "/var/lib/php/sessions" + session.gc_maxlifetime = 60*60*24*15 + session.cache_expire = 60*24*30 ; For nextcloud extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so ; For nextcloud @@ -235,6 +145,9 @@ aten_prod = mypkgs.aten_prod.phpFpm.pool; nextcloud = mypkgs.nextcloud.phpFpm.pool; mantisbt = mypkgs.mantisbt.phpFpm.pool; + ttrss = mypkgs.ttrss.phpFpm.pool; + roundcubemail = mypkgs.roundcubemail.phpFpm.pool; + davical = mypkgs.davical.phpFpm.pool; }; }; @@ -250,41 +163,28 @@ aten_dev = mypkgs.aten_dev.activationScript; aten_prod = mypkgs.aten_prod.activationScript; nextcloud = mypkgs.nextcloud.activationScript; + ttrss = mypkgs.ttrss.activationScript; + roundcubemail = mypkgs.roundcubemail.activationScript; httpd = '' install -d -m 0755 /var/lib/acme/acme-challenge + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/ttrss + install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical ''; redis = '' mkdir -p /run/redis chown redis /run/redis ''; - gitolite = - assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; - let - gitolite_ldap_groups = wrap { - name = "gitolite_ldap_groups.sh"; - file = ./packages/gitolite_ldap_groups.sh; - vars = { - LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; - }; - paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ]; - }; - in { - deps = [ "users" ]; - text = '' - if [ -d /var/lib/gitolite ]; then - ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh - chmod g+rx /var/lib/gitolite - fi - if [ -f /var/lib/gitolite/projects.list ]; then - chmod g+r /var/lib/gitolite/projects.list - fi - ''; - }; + # FIXME: initial sync goaccess = '' mkdir -p /var/lib/goaccess mkdir -p /var/lib/goaccess/aten.pro mkdir -p /var/lib/goaccess/ludivinecassal.com mkdir -p /var/lib/goaccess/piedsjaloux.fr + mkdir -p /var/lib/goaccess/osteopathe-cc.fr + mkdir -p /var/lib/goaccess/connexionswing.com ''; }; @@ -315,6 +215,7 @@ basePath = "${mypkgs.git.web.varDir}/repositories"; }; + # FIXME: logrotate services.httpd = let withConf = domain: { enableSSL = true; @@ -402,6 +303,8 @@ mypkgs.ympd.apache.modules ++ mypkgs.git.web.apache.modules ++ mypkgs.mantisbt.apache.modules ++ + mypkgs.ttrss.apache.modules ++ + mypkgs.roundcubemail.apache.modules ++ pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++ [ "macro" ]); extraConfig = builtins.concatStringsSep "\n" @@ -427,6 +330,16 @@ extraConfig = builtins.concatStringsSep "\n" [ mypkgs.adminer.apache.vhostConf mypkgs.ympd.apache.vhostConf + mypkgs.ttrss.apache.vhostConf + mypkgs.roundcubemail.apache.vhostConf + ]; + }) + (withConf "eldiron" // { + hostName = "dav.immae.eu"; + documentRoot = null; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.infcloud.apache.vhostConf + mypkgs.davical.apache.vhostConf ]; }) (withConf "eldiron" // { @@ -437,6 +350,14 @@ mypkgs.connexionswing_dev.apache.vhostConf ]; }) + (withConf "connexionswing" // { + hostName = "connexionswing.com"; + serverAliases = [ "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; + documentRoot = mypkgs.connexionswing_prod.webRoot; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.connexionswing_prod.apache.vhostConf + ]; + }) (withConf "eldiron" // { hostName = "ludivine.immae.eu"; documentRoot = mypkgs.ludivinecassal_dev.webRoot; @@ -474,7 +395,7 @@ mypkgs.chloe_dev.apache.vhostConf ]; }) - (withConf "eldiron" // { + (withConf "chloe" // { hostName = "osteopathe-cc.fr"; serverAliases = [ "www.osteopathe-cc.fr" ]; documentRoot = mypkgs.chloe_prod.webRoot; @@ -532,95 +453,52 @@ # rather than rewrite ''; } - ]; - }; - - security.pam.services = let - pam_ldap = pkgs.pam_ldap; - pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD"; - pkgs.writeText "mysql.conf" '' - host ldap.immae.eu - base dc=immae,dc=eu - binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} - pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - ''; - in [ - { - name = "mysql"; - text = '' - # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ - auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} - account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} - ''; - } - ]; - - # FIXME: backup - services.redis = rec { - enable = true; - bind = "127.0.0.1"; - unixSocket = "/run/redis/redis.sock"; - extraConfig = '' - unixsocketperm 777 - maxclients 1024 - ''; - }; - - # FIXME: initial sync - # FIXME: backup - # FIXME: restart after pam - # FIXME: pam access doesn’t work (because of php module) - # FIXME: ssl - services.mysql = rec { - enable = true; - package = pkgs.mariadb; - }; - - # FIXME: initial sync - # FIXME: backup - # FIXME: ssl - services.postgresql = rec { - enable = true; - package = pkgs.postgresql; - enableTCPIP = true; - extraConfig = '' - max_connections = 100 - wal_level = logical - shared_buffers = 128MB - max_wal_size = 1GB - min_wal_size = 80MB - log_timezone = 'Europe/Paris' - datestyle = 'iso, mdy' - timezone = 'Europe/Paris' - lc_messages = 'en_US.UTF-8' - lc_monetary = 'en_US.UTF-8' - lc_numeric = 'en_US.UTF-8' - lc_time = 'en_US.UTF-8' - default_text_search_config = 'pg_catalog.english' - # ssl = on - # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem' - # ssl_key_file = '/var/lib/acme/eldiron/key.pem' - ''; - authentication = '' - local all postgres ident - local all all md5 - host all all samehost md5 - host all all 178.33.252.96/32 md5 - host all all 188.165.209.148/32 md5 - #host all all all pam - ''; + ]; }; services.cron = { enable = true; systemCronJobs = let - stats = domain: conf: "${pkgs.gnused}/bin/sed -n '/\\['$(LC_ALL=C ${pkgs.coreutils}/bin/date -d yesterday +'%d\\/%b\\/%Y')'/ p' /var/log/httpd/access_log-${domain} | ${pkgs.goaccess}/bin/goaccess -o /var/lib/goaccess/${domain}/index.html -p ${conf}"; + stats = domain: conf: let + d = pkgs.writeScriptBin "stats-${domain}" '' + #!${pkgs.stdenv.shell} + set -e + shopt -s nullglob + date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y') + TMPFILE=$(mktemp) + trap "rm -f $TMPFILE" EXIT + + cat /var/log/httpd/access_log-${domain} | sed -n "/\\[$date_regex/ p" > $TMPFILE + for i in /var/log/httpd/access_log-${domain}*.gz; do + zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE + done + goaccess $TMPFILE --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf} + ''; + in "${d}/bin/stats-${domain}"; + # FIXME: running several goaccess simultaneously seems to be + # bugged? in [ "5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}" - "5 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}" - "5 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}" + "6 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}" + "7 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}" + "8 0 * * * root ${stats "osteopathe-cc.fr" ./packages/chloe_goaccess.conf}" + "9 0 * * * root ${stats "connexionswing.com" ./packages/connexionswing_goaccess.conf}" ]; }; + + systemd.services.tt-rss = { + description = "Tiny Tiny RSS feeds update daemon"; + serviceConfig = { + User = "wwwrun"; + ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon"; + StandardOutput = "syslog"; + StandardError = "syslog"; + PermissionsStartOnly = true; + }; + + wantedBy = [ "multi-user.target" ]; + requires = ["postgresql.service"]; + after = ["network.target" "postgresql.service"]; + }; }; }