X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Feldiron.nix;h=68eddf607446c5630f46ac13b9659271893c6377;hb=6c672f344e2de6852cfa97ed789726bcd54cc83c;hp=39672b515ad932090420d8fcc188d16c89f621ee;hpb=19def671f5bd0865514b41a47c7a694cb513fbda;p=perso%2FImmae%2FConfig%2FNix.git

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 39672b5..68eddf6 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -5,10 +5,45 @@
   };
 
   eldiron = { config, pkgs, ... }:
-    let mypkgs = import ./packages.nix;
-        mylibs = import ../libs.nix;
+    with import ../libs.nix;
+    let
+        mypkgs = pkgs.callPackage ./packages.nix {
+          inherit checkEnv fetchedGitPrivate fetchedGithub;
+        };
     in
   {
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
+        name = "gitolite-${version}";
+        version = "3.6.10";
+        src = pkgs.fetchFromGitHub {
+          owner = "sitaramc";
+          repo = "gitolite";
+          rev = "v${version}";
+          sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
+        };
+      });
+      gitweb = oldpkgs.gitweb.overrideAttrs(old: {
+        installPhase = old.installPhase + ''
+          cp -r ${./packages/gitweb} $out/gitweb-theme;
+          '';
+      });
+      postgresql = postgresql111;
+      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+        passthru = old.passthru // { psqlSchema = "11.0"; };
+        name = "postgresql-11.1";
+        src = pkgs.fetchurl {
+          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+        };
+      });
+      mariadb = mariadbPAM;
+      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+        buildInputs = old.buildInputs ++ [ pkgs.pam ];
+      });
+    };
+
     networking = {
       firewall = {
         enable = true;
@@ -54,6 +89,8 @@
     ];
 
     security.acme.certs = {
+      # /!\ To create a new certificate, add first the domain to an
+      # existing certificate, deploy, and then use it in httpd.
       "eldiron" = {
         webroot = "/var/lib/acme/acme-challenge";
         email = "ismael@bouya.org";
@@ -64,10 +101,37 @@
         '';
         extraDomains = {
           "db-1.immae.eu" = null;
+          "git.immae.eu" = null;
           "tools.immae.eu" = null;
           "connexionswing.immae.eu" = null;
           "sandetludo.immae.eu" = null;
           "cloud.immae.eu" = null;
+          "ludivine.immae.eu" = null;
+          "dev.aten.pro" = null;
+        };
+      };
+      "ludivinecassal" = {
+        webroot = "/var/lib/acme/acme-challenge";
+        email = "ismael@bouya.org";
+        domain = "ludivinecassal.com";
+        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+        postRun = ''
+          systemctl reload httpd.service
+        '';
+        extraDomains = {
+          "www.ludivinecassal.com" = null;
+        };
+      };
+      "aten" = {
+        webroot = "/var/lib/acme/acme-challenge";
+        email = "ismael@bouya.org";
+        domain = "aten.pro";
+        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+        postRun = ''
+          systemctl reload httpd.service
+        '';
+        extraDomains = {
+          "www.aten.pro" = null;
         };
       };
       # "connexionswing" = {
@@ -126,6 +190,8 @@
         extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
         ; For nextcloud
         extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+        ; For nextcloud
+        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
         '';
       extraConfig = ''
         log_level = notice
@@ -134,6 +200,10 @@
         adminer = mypkgs.adminer.phpFpm.pool;
         connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
         connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
+        ludivinecassal_dev = mypkgs.ludivinecassal_dev.phpFpm.pool;
+        ludivinecassal_prod = mypkgs.ludivinecassal_prod.phpFpm.pool;
+        aten_dev = mypkgs.aten_dev.phpFpm.pool;
+        aten_prod = mypkgs.aten_prod.phpFpm.pool;
         nextcloud = mypkgs.nextcloud.phpFpm.pool;
         mantisbt = mypkgs.mantisbt.phpFpm.pool;
       };
@@ -142,6 +212,10 @@
     system.activationScripts = {
       connexionswing_dev  = mypkgs.connexionswing_dev.activationScript;
       connexionswing_prod = mypkgs.connexionswing_prod.activationScript;
+      ludivinecassal_dev  = mypkgs.ludivinecassal_dev.activationScript;
+      ludivinecassal_prod  = mypkgs.ludivinecassal_prod.activationScript;
+      aten_dev  = mypkgs.aten_dev.activationScript;
+      aten_prod = mypkgs.aten_prod.activationScript;
       nextcloud = mypkgs.nextcloud.activationScript;
       httpd = ''
         install -d -m 0755 /var/lib/acme/acme-challenge
@@ -151,9 +225,9 @@
         chown redis /run/redis
         '';
       gitolite =
-        assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+        assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
         let
-        gitolite_ldap_groups = mylibs.wrap {
+        gitolite_ldap_groups = wrap {
           name = "gitolite_ldap_groups.sh";
           file = ./packages/gitolite_ldap_groups.sh;
           vars = {
@@ -177,8 +251,8 @@
 
     environment.etc."ssh/ldap_authorized_keys" = let
       ldap_authorized_keys =
-        assert mylibs.checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
-        mylibs.wrap {
+        assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
+        wrap {
           name = "ldap_authorized_keys";
           file = ./ldap_authorized_keys.sh;
           vars = {
@@ -203,11 +277,13 @@
     };
 
     services.httpd = let
-      withSSL = domain: {
+      withConf = domain: {
         enableSSL = true;
         sslServerCert = "/var/lib/acme/${domain}/cert.pem";
         sslServerKey = "/var/lib/acme/${domain}/key.pem";
         sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
+        logFormat = "combinedVhost";
+        listen = [ { ip = "*"; port = 443; } ];
       };
       apacheConfig = {
         gzip = {
@@ -218,7 +294,7 @@
         };
         ldap = {
           modules = [ "ldap" "authnz_ldap" ];
-          extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
+          extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
             <IfModule ldap_module>
               LDAPSharedCacheSize 500000
               LDAPCacheEntries 1024
@@ -239,34 +315,34 @@
             </Macro>
           '';
         };
+        http2 = {
+          modules = [ "http2" ];
+          extraConfig = ''
+            Protocols h2 http/1.1
+          '';
+        };
+        customLog = {
+          modules = [];
+          extraConfig = ''
+            LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p" combinedVhost
+          '';
+        };
       };
     in rec {
       enable = true;
       logPerVirtualHost = true;
       multiProcessingModule = "worker";
       adminAddr = "httpd@immae.eu";
-      # FIXME: http2
-      # FIXME: voir les autres modules:
-      #    authz_core_module
-      #    reqtimeout_module
-      #    http2_module
-      #    version_module
-      #    proxy_connect_module
-      #    proxy_ftp_module
-      #    proxy_scgi_module
-      #    proxy_ajp_module
-      #    proxy_balancer_module
-      #    proxy_express_module
-      #    lbmethod_byrequests_module
-      #    lbmethod_bytraffic_module
-      #    lbmethod_bybusyness_module
-      #    lbmethod_heartbeat_module
-
+      logFormat = "combinedVhost";
       extraModules = pkgs.lib.lists.unique (
         mypkgs.adminer.apache.modules ++
         mypkgs.nextcloud.apache.modules ++
         mypkgs.connexionswing_dev.apache.modules ++
         mypkgs.connexionswing_prod.apache.modules ++
+        mypkgs.ludivinecassal_dev.apache.modules ++
+        mypkgs.ludivinecassal_prod.apache.modules ++
+        mypkgs.aten_dev.apache.modules ++
+        mypkgs.aten_prod.apache.modules ++
         mypkgs.ympd.apache.modules ++
         mypkgs.git.web.apache.modules ++
         mypkgs.mantisbt.apache.modules ++
@@ -275,24 +351,21 @@
       extraConfig = builtins.concatStringsSep "\n"
         (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig) apacheConfig);
       virtualHosts = [
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
           hostName = "eldiron.immae.eu";
           documentRoot = ./www;
           extraConfig = ''
             DirectoryIndex index.htm
             '';
         })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
           hostName = "db-1.immae.eu";
           documentRoot = null;
           extraConfig = builtins.concatStringsSep "\n" [
             mypkgs.adminer.apache.vhostConf
           ];
         })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
           hostName = "tools.immae.eu";
           documentRoot = null;
           extraConfig = builtins.concatStringsSep "\n" [
@@ -300,8 +373,7 @@
             mypkgs.ympd.apache.vhostConf
           ];
         })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
           hostName = "connexionswing.immae.eu";
           serverAliases = [ "sandetludo.immae.eu" ];
           documentRoot = mypkgs.connexionswing_dev.webRoot;
@@ -309,16 +381,44 @@
             mypkgs.connexionswing_dev.apache.vhostConf
           ];
         })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
+          hostName = "ludivine.immae.eu";
+          documentRoot = mypkgs.ludivinecassal_dev.webRoot;
+          extraConfig = builtins.concatStringsSep "\n" [
+            mypkgs.ludivinecassal_dev.apache.vhostConf
+          ];
+        })
+        (withConf "ludivinecassal" // {
+          hostName = "ludivinecassal.com";
+          serverAliases = [ "www.ludivinecassal.com" ];
+          documentRoot = mypkgs.ludivinecassal_prod.webRoot;
+          extraConfig = builtins.concatStringsSep "\n" [
+            mypkgs.ludivinecassal_prod.apache.vhostConf
+          ];
+        })
+        (withConf "eldiron" // {
+          hostName = "dev.aten.pro";
+          documentRoot = mypkgs.aten_dev.webRoot;
+          extraConfig = builtins.concatStringsSep "\n" [
+            mypkgs.aten_dev.apache.vhostConf
+          ];
+        })
+        (withConf "aten" // {
+          hostName = "aten.pro";
+          serverAliases = [ "www.aten.pro" ];
+          documentRoot = mypkgs.aten_prod.webRoot;
+          extraConfig = builtins.concatStringsSep "\n" [
+            mypkgs.aten_prod.apache.vhostConf
+          ];
+        })
+        (withConf "eldiron" // {
           hostName = "cloud.immae.eu";
           documentRoot = mypkgs.nextcloud.webRoot;
           extraConfig = builtins.concatStringsSep "\n" [
             mypkgs.nextcloud.apache.vhostConf
           ];
         })
-        (withSSL "eldiron" // {
-          listen = [ { ip = "*"; port = 443; } ];
+        (withConf "eldiron" // {
           hostName = "git.immae.eu";
           documentRoot = mypkgs.git.web.webRoot;
           extraConfig = builtins.concatStringsSep "\n" [
@@ -335,6 +435,7 @@
           hostName = "redirectSSL";
           serverAliases = [ "*" ];
           enableSSL = false;
+          logFormat = "combinedVhost";
           documentRoot = "/var/lib/acme/acme-challenge";
           extraConfig = ''
             RewriteEngine on
@@ -350,7 +451,7 @@
 
     security.pam.services = let
       pam_ldap = pkgs.pam_ldap;
-      pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
+      pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
               pkgs.writeText "mysql.conf" ''
         host ldap.immae.eu
         base dc=immae,dc=eu
@@ -387,10 +488,7 @@
     # FIXME: ssl
     services.mysql = rec {
       enable = true;
-      package = pkgs.mariadb.overrideAttrs(old: rec {
-        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
-        buildInputs = old.buildInputs ++ [ pkgs.pam ];
-      });
+      package = pkgs.mariadb;
     };
 
     # FIXME: initial sync
@@ -398,14 +496,7 @@
     # FIXME: ssl
     services.postgresql = rec {
       enable = true;
-      package = pkgs.postgresql100.overrideAttrs(old: rec {
-        passthru = old.passthru // { psqlSchema = "11.0"; };
-        name = "postgresql-11.1";
-        src = pkgs.fetchurl {
-          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-        };
-      });
+      package = pkgs.postgresql;
       enableTCPIP = true;
       extraConfig = ''
         max_connections = 100