X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=virtual%2Feldiron.nix;h=768de84c63e173bfdaea6d12e45c76763d63b306;hb=27e22b76e2f7d402c1556d6bbf99cf5e1316f9d4;hp=04b11b8cff432fcfd71cfcf4c52889a2e924fa69;hpb=a1bb33c420e5a2daeca616693e28a086bc5b3fac;p=perso%2FImmae%2FConfig%2FNix.git diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 04b11b8..768de84 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix @@ -4,11 +4,14 @@ enableRollback = true; }; - eldiron = { config, pkgs, ... }: { + eldiron = { config, pkgs, ... }: + let mypkgs = import ./packages.nix; + in + { networking = { firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 5432 ]; + allowedTCPPorts = [ 22 80 443 3306 5432 ]; }; }; @@ -44,25 +47,114 @@ }; }; - services.nginx = rec { - enable = true; - virtualHosts = { - "_" = { - serverName = "_"; - useACMEHost = "eldiron"; - }; - "eldiron.immae.eu" = { - forceSSL = true; - useACMEHost = "eldiron"; - locations."/" = { - # FIXME: directory needs to exist - root = "/var/www"; - }; - }; + # FIXME: open_basedir + services.phpfpm = { + extraConfig = '' + log_level = notice + ''; + poolConfigs = { + adminer = mypkgs.adminer.phpFpm.pool; + www = '' + listen = /var/run/phpfpm/www.sock + user = wwwrun + group = wwwrun + listen.owner = wwwrun + listen.group = wwwrun + pm = ondemand + pm.max_children = 5 + pm.process_idle_timeout = 60 + ;php_admin_flag[log_errors] = on + php_admin_value[open_basedir] = "/var/www" + ''; + }; + }; + + services.httpd = let + withSSL = domain: { + enableSSL = true; + sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only? + sslServerKey = "/var/lib/acme/${domain}/key.pem"; + sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; }; + in rec { + enable = true; + logPerVirtualHost = true; + multiProcessingModule = "worker"; + adminAddr = "httpd@immae.eu"; + extraModules = [ + "proxy_fcgi" # for PHP + ]; + virtualHosts = [ + (withSSL "eldiron" // { + listen = [ { ip = "*"; port = 443; } ]; + hostName = "eldiron.immae.eu"; + # FIXME: directory needs to exist + documentRoot = "/var/www"; + }) + (withSSL "eldiron" // { + listen = [ { ip = "*"; port = 443; } ]; + hostName = "db-1.immae.eu"; + documentRoot = null; + extraConfig = builtins.concatStringsSep "\n" [ + mypkgs.adminer.apacheConf + ]; + }) + { # Should go last, default fallback + listen = [ { ip = "*"; port = 80; } ]; + hostName = "redirectSSL"; + serverAliases = [ "*" ]; + enableSSL = false; + # FIXME: directory needs to exist + documentRoot = "/var/lib/acme/acme-challenge"; + extraConfig = '' + RewriteEngine on + RewriteCond "%{REQUEST_URI}" "!^/\.well-known" + RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] + # To redirect in specific "VirtualHost *:80", do + # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 + # rather than rewrite + ''; + } + ]; + }; + + # FIXME: environment variables ? + security.pam.services = let + pam_ldap = pkgs.pam_ldap; + pam_ldap_mysql = pkgs.writeText "mysql.conf" '' + host ldap.immae.eu + base dc=immae,dc=eu + binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu + bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} + pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu + ''; + in [ + { + name = "mysql"; + text = '' + # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ + auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} + account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} + ''; + } + ]; + + # FIXME: initial sync + # FIXME: backup + # FIXME: restart after pam + # FIXME: pam access doesn’t work (because of php module) + # FIXME: ssl + services.mysql = rec { + enable = true; + package = pkgs.mariadb.overrideAttrs(old: rec { + cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; + buildInputs = old.buildInputs ++ [ pkgs.pam ]; + }); }; # FIXME: initial sync + # FIXME: backup + # FIXME: ssl services.postgresql = rec { enable = true; package = pkgs.postgresql100.overrideAttrs(old: rec {