X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Feldiron.nix;h=63106d603da53da37694a1fa8d4c1f659b80fcf7;hb=5c101474d350289370105c99bbf65f8bb3a4ef39;hp=c8536c6f044b5a5b88751498bc2cfe971fa6c2ef;hpb=cf80b4f24e96e7d6e40845ac1fe206fc67a20b12;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index c8536c6..63106d6 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -5,14 +5,41 @@
 }; eldiron = { config, pkgs, ... }:
- let mypkgs = import ./packages.nix;
- mylibs = import ../libs.nix;
+ with import ../libs.nix;
+ let
+ mypkgs = nixpkgs_unstable.callPackage ./packages.nix {
+ inherit checkEnv fetchedGitPrivate fetchedGithub;
+ gitwebOverride = nixpkgs_unstable.gitweb.overrideAttrs(old: {
+ installPhase = old.installPhase + ''
+ cp -r ${./packages/gitweb} $out/gitweb-theme;
+ '';
+ });
+ }; in {
+ # FIXME: they are not overriden in packages.nix
+ # (see nix-store -q --tree /nix/var/nix/profiles/system)
+ nixpkgs.config.packageOverrides = oldpkgs: rec {
+ postgresql = postgresql111;
+ postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+ passthru = old.passthru // { psqlSchema = "11.0"; };
+ name = "postgresql-11.1";
+ src = pkgs.fetchurl {
+ url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+ sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+ };
+ });
+ mariadb = mariadbPAM;
+ mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+ cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+ buildInputs = old.buildInputs ++ [ pkgs.pam ];
+ });
+ };
+
 networking = { firewall = { enable = true;
- allowedTCPPorts = [ 22 80 443 3306 5432 ];
+ allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
 }; };
@@ -64,6 +91,7 @@
 ''; extraDomains = { "db-1.immae.eu" = null;
+ "git.immae.eu" = null;
 "tools.immae.eu" = null; "connexionswing.immae.eu" = null; "sandetludo.immae.eu" = null;
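Review bot: `with import ../libs.nix;` at the top of the eldiron module puts every attribute of libs.nix into scope, so the bare `checkEnv`, `wrap`, `nixpkgs_unstable`, `fetchedGitPrivate` and `fetchedGithub` used from here on no longer say where they come from and can be shadowed silently by any later binding; an explicit `inherit (import ../libs.nix) checkEnv wrap nixpkgs_unstable fetchedGitPrivate fetchedGithub;` inside the `let` keeps the imported names visible (the same `mylibs.` rename appears in the gitolite, ldap_authorized_keys, httpd ldap and pam_ldap_mysql hunks). Inside `nixpkgs.config.packageOverrides`, `src = pkgs.fetchurl {` and `buildInputs = old.buildInputs ++ [ pkgs.pam ];` reach into the module's final `pkgs` instead of the `oldpkgs` argument; it evaluates today, but referring to the fixpoint from inside an override is the usual way to end up in infinite recursion once more packages are overridden, so `oldpkgs.fetchurl` and `oldpkgs.pam` are the safer spelling. The added FIXME reads `overriden`; `overridden`. The eldiron module continues past the hunk.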
@@ -93,6 +121,15 @@
 users.users.wwwrun.extraGroups = [ "gitolite" ];
+ users.users.gitolite.packages = let
+ python-packages = python-packages: with python-packages; [
+ simplejson
+ urllib3
+ ];
+ in
+ [
+ (pkgs.python3.withPackages python-packages)
+ ];
 # FIXME: after initial install, need to # (1) copy rc file (adjust gitolite_ldap_groups.sh) # (2) (mark old readonly and) sync repos except gitolite-admin
@@ -126,6 +163,7 @@
 connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool; connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool; nextcloud = mypkgs.nextcloud.phpFpm.pool;
+ mantisbt = mypkgs.mantisbt.phpFpm.pool;
 }; };
@@ -141,9 +179,9 @@
 chown redis /run/redis ''; gitolite =
- assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+ assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD"; let
- gitolite_ldap_groups = mylibs.wrap {
+ gitolite_ldap_groups = wrap { name = "gitolite_ldap_groups.sh"; file = ./packages/gitolite_ldap_groups.sh; vars = {
@@ -167,8 +205,8 @@
 environment.etc."ssh/ldap_authorized_keys" = let ldap_authorized_keys =
- assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
- mylibs.wrap {
+ assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+ wrap { name = "ldap_authorized_keys"; file = ./ldap_authorized_keys.sh; vars = {
@@ -185,6 +223,13 @@
 source = ldap_authorized_keys; };
+ services.gitDaemon = {
+ enable = true;
+ user = "gitolite";
+ group = "gitolite";
+ basePath = "${mypkgs.git.web.varDir}/repositories";
+ };
+
 services.httpd = let withSSL = domain: { enableSSL = true;
@@ -201,7 +246,7 @@
 }; ldap = { modules = [ "ldap" "authnz_ldap" ];
- extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
+ extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; '' LDAPSharedCacheSize 500000 LDAPCacheEntries 1024
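Review bot: `python-packages = python-packages: with python-packages; [` uses one name for the let binding, the lambda parameter and the `with` scope, which reads like a recursive definition and hides which one `withPackages` receives. `python-packages = ps: with ps; [` (or naming the binding `gitolitePython`) says the same thing unambiguously. The `users.users` attribute set containing this binding extends beyond the hunk.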
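Review bot: `services.gitDaemon` runs as user and group gitolite with `basePath` pointing at the gitolite repository tree, and the first hunk opens TCP 9418 in the firewall to every address, so which repositories become anonymously readable is decided only by the module's default of not exporting everything (a repository has to carry `git-daemon-export-ok`, which gitolite manages from its `daemon` permission). Stating that in the block documents the exposure: `exportAll = false; # anonymous read only for repos gitolite marks git-daemon-export-ok`. git-daemon does not accept pushes unless receive-pack is enabled; if read-only anonymous access is the intent, a one-line comment next to `enable = true;` saying so will save the next reader from checking.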
@@ -252,6 +297,7 @@
 mypkgs.connexionswing_prod.apache.modules ++ mypkgs.ympd.apache.modules ++ mypkgs.git.web.apache.modules ++
+ mypkgs.mantisbt.apache.modules ++
 pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++ [ "macro" ]); extraConfig = builtins.concatStringsSep "\n"
@@ -305,6 +351,7 @@
 documentRoot = mypkgs.git.web.webRoot; extraConfig = builtins.concatStringsSep "\n" [ mypkgs.git.web.apache.vhostConf
+ mypkgs.mantisbt.apache.vhostConf
 ] + '' RewriteEngine on RewriteCond %{REQUEST_URI} ^/releases
@@ -331,7 +378,7 @@
 security.pam.services = let pam_ldap = pkgs.pam_ldap;
- pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
+ pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD"; pkgs.writeText "mysql.conf" '' host ldap.immae.eu base dc=immae,dc=eu
@@ -368,10 +415,7 @@
 # FIXME: ssl services.mysql = rec { enable = true;
- package = pkgs.mariadb.overrideAttrs(old: rec {
- cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
- buildInputs = old.buildInputs ++ [ pkgs.pam ];
- });
+ package = pkgs.mariadb; }; # FIXME: initial sync
@@ -379,14 +423,7 @@
 # FIXME: ssl services.postgresql = rec { enable = true;
- package = pkgs.postgresql100.overrideAttrs(old: rec {
- passthru = old.passthru // { psqlSchema = "11.0"; };
- name = "postgresql-11.1";
- src = pkgs.fetchurl {
- url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
- sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
- };
- });
+ package = pkgs.postgresql; enableTCPIP = true; extraConfig = '' max_connections = 100
@@ -409,6 +446,7 @@
 authentication = '' local all postgres ident local all all md5
+ host all all samehost md5
 host all all 178.33.252.96/32 md5 host all all 188.165.209.148/32 md5 #host all all all pam
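Review bot: `services.mysql = rec {` keeps `rec` although the only self-referencing attribute (the `name`/`src` pair of the override) has moved into `nixpkgs.config.packageOverrides`, and the same holds for `services.postgresql = rec {` in the next hunk. If no remaining attribute of these sets refers to a sibling, `services.mysql = {` and `services.postgresql = {` avoid the recursive scope and the accidental shadowing it invites; both sets continue past their hunks, so that has to be checked against the lines not shown here. The `package = pkgs.mariadb;` and `package = pkgs.postgresql;` lines only do what is intended because the packageOverrides from the first hunk apply to this module's `pkgs`; a comment such as `# PAM-enabled build, see nixpkgs.config.packageOverrides above` would make that dependency explicit.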
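Review bot: `host all all samehost md5` adds a rule with md5 password authentication while the first hunk pins PostgreSQL 11.1, which supports `scram-sha-256`; a new rule is the cheapest place to start that migration, `host all all samehost scram-sha-256`, paired with `password_encryption = scram-sha-256` in `extraConfig` so newly set passwords are stored in that form (existing roles need their password re-set before their rule is switched, or they lock themselves out). The two public /32 rules below and the `# FIXME: ssl` above are the same story: once TLS is configured these should become `hostssl` entries so passwords for the world-open 5432 port never travel in clear. The `authentication` string continues outside the hunk.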