This commit refactors the websites configuration into one module per "vhost".
# rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu:
eldiron = { config, pkgs, mylibs, myconfig, ... }:
with mylibs;
- let
- mypkgs = pkgs.callPackage ./packages.nix {
- inherit checkEnv fetchedGit fetchedGithub;
- };
- in
{
_module.args = {
mylibs = import ../libs.nix;
imports = [
./modules/certificates.nix
- ./modules/gitolite.nix
- ./modules/gitweb
- ./modules/databases.nix
+ ./modules/gitolite
+ ./modules/databases
./modules/websites
- ./modules/websites/phpfpm
];
services.myGitolite.enable = true;
- services.myGitweb.enable = true;
services.myDatabases.enable = true;
services.myWebsites.production.enable = true;
services.myWebsites.integration.enable = true;
+ services.myWebsites.tools.enable = true;
networking = {
firewall = {
enable = true;
- allowedTCPPorts = [ 22 9418 ];
+ allowedTCPPorts = [ 22 ];
};
};
};
};
- environment.systemPackages = let
- # FIXME: move it to nextcloud
- occ = pkgs.writeScriptBin "nextcloud-occ" ''
- #! ${pkgs.stdenv.shell}
- cd ${mypkgs.nextcloud.webRoot}
- NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
- exec \
- ${pkgs.php}/bin/php \
- -c ${pkgs.php}/etc/php.ini \
- occ $*
- '';
- in [
+ environment.systemPackages = [
pkgs.telnet
pkgs.htop
pkgs.vim
- occ
];
- security.acme.certs."eldiron".extraDomains = {
- "db-1.immae.eu" = null;
- "tools.immae.eu" = null;
- "cloud.immae.eu" = null;
- "dav.immae.eu" = null;
- };
-
services.openssh.extraConfig = ''
AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
AuthorizedKeysCommandUser nobody
'';
- services.ympd = mypkgs.ympd.config // { enable = false; };
-
- services.myPhpfpm = {
- phpPackage = pkgs.php;
- phpOptions = ''
- session.save_path = "/var/lib/php/sessions"
- session.gc_maxlifetime = 60*60*24*15
- session.cache_expire = 60*24*30
- '';
- extraConfig = ''
- log_level = notice
- '';
- poolPhpConfigs = {
- nextcloud = mypkgs.nextcloud.phpFpm.phpConfig;
- };
- poolConfigs = {
- adminer = mypkgs.adminer.phpFpm.pool;
- nextcloud = mypkgs.nextcloud.phpFpm.pool;
- mantisbt = mypkgs.mantisbt.phpFpm.pool;
- ttrss = mypkgs.ttrss.phpFpm.pool;
- roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
- davical = mypkgs.davical.phpFpm.pool;
- };
- };
-
- system.activationScripts = {
- nextcloud = mypkgs.nextcloud.activationScript;
- ttrss = mypkgs.ttrss.activationScript;
- roundcubemail = mypkgs.roundcubemail.activationScript;
- httpd = ''
- install -d -m 0755 /var/lib/acme/acme-challenge
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
- '';
- };
-
environment.etc."ssh/ldap_authorized_keys" = let
ldap_authorized_keys =
assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
source = ldap_authorized_keys;
};
- systemd.services.tt-rss = {
- description = "Tiny Tiny RSS feeds update daemon";
- serviceConfig = {
- User = "wwwrun";
- ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
- StandardOutput = "syslog";
- StandardError = "syslog";
- PermissionsStartOnly = true;
- };
-
- wantedBy = [ "multi-user.target" ];
- requires = ["postgresql.service"];
- after = ["network.target" "postgresql.service"];
- };
};
}
});
};
+ networking.firewall.allowedTCPPorts = [ 9418 ];
+
services.gitDaemon = {
enable = true;
user = "gitolite";
let
gitolite_ldap_groups = mylibs.wrap {
name = "gitolite_ldap_groups.sh";
- file = ./gitolite/gitolite_ldap_groups.sh;
+ file = ./gitolite_ldap_groups.sh;
vars = {
LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
};
+++ /dev/null
-{ lib, pkgs, config, mylibs, ... }:
-let
- # FIXME: add buildbot
- gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
- cfg = config.services.myGitweb;
-in {
- options.services.myGitweb = {
- enable = lib.mkEnableOption "my gitweb service";
- };
-
- config = lib.mkIf cfg.enable {
- security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
-
- nixpkgs.config.packageOverrides = oldpkgs: rec {
- gitweb = oldpkgs.gitweb.overrideAttrs(old: {
- installPhase = old.installPhase + ''
- cp -r ${./theme} $out/gitweb-theme;
- '';
- });
- };
-
- services.myWebsites.tools.modules = gitweb.apache.modules;
- services.myWebsites.tools.vhostConfs.git = {
- certName = "eldiron";
- hosts = ["git.immae.eu" ];
- root = gitweb.webRoot;
- extraConfig = [ gitweb.apache.vhostConf ];
- };
- };
-}
./aten
./piedsjaloux
./connexionswing
+ ./tools/db
+ ./tools/tools
+ ./tools/dav
+ ./tools/cloud
+ ./tools/git
# built using:
# sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
# And removed users / groups
./apache/httpd_prod.nix
./apache/httpd_inte.nix
+ # Adapted from base phpfpm
+ ./phpfpm
];
options.services.myWebsites = {
phpPackages = oldpkgs.php72Packages.override { inherit php; };
};
+ services.myWebsites.tools.databases.enable = true;
+ services.myWebsites.tools.tools.enable = true;
+ services.myWebsites.tools.dav.enable = true;
+ services.myWebsites.tools.cloud.enable = true;
+ services.myWebsites.tools.git.enable = true;
+
services.myWebsites.Chloe.production.enable = cfg.production.enable;
services.myWebsites.Ludivine.production.enable = cfg.production.enable;
services.myWebsites.Aten.production.enable = cfg.production.enable;
};
};
+ system.activationScripts = {
+ httpd = ''
+ install -d -m 0755 /var/lib/acme/acme-challenge
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
+ '';
+ };
+
+ services.myPhpfpm = {
+ phpPackage = pkgs.php;
+ phpOptions = ''
+ session.save_path = "/var/lib/php/sessions"
+ session.gc_maxlifetime = 60*60*24*15
+ session.cache_expire = 60*24*30
+ '';
+ extraConfig = ''
+ log_level = notice
+ '';
+ };
+
# FIXME: logrotate
# FIXME: ipv6
services.httpdProd = makeService "production" config.services.myWebsites.production;
services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
services.httpd = makeService "tools" config.services.myWebsites.tools;
- services.myWebsites.tools.modules =
- mypkgs.adminer.apache.modules ++
- mypkgs.nextcloud.apache.modules ++
- mypkgs.ympd.apache.modules ++
- mypkgs.mantisbt.apache.modules ++
- mypkgs.ttrss.apache.modules ++
- mypkgs.roundcubemail.apache.modules ++
- pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
+ services.myWebsites.tools.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
services.myWebsites.tools.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
- # FIXME: move them all to separate modules
- services.myWebsites.tools.vhostConfs.eldiron = {
- certName = "eldiron";
- hosts = ["eldiron.immae.eu" ];
- root = ../../www;
- extraConfig = [ "DirectoryIndex index.htm" ];
- };
- services.myWebsites.tools.vhostConfs.db-1 = {
- certName = "eldiron";
- hosts = ["db-1.immae.eu" ];
- root = null;
- extraConfig = [ mypkgs.adminer.apache.vhostConf ];
- };
- services.myWebsites.tools.vhostConfs.tools = {
- certName = "eldiron";
- hosts = ["tools.immae.eu" ];
- root = null;
- extraConfig = [
- mypkgs.adminer.apache.vhostConf
- mypkgs.ympd.apache.vhostConf
- mypkgs.ttrss.apache.vhostConf
- mypkgs.roundcubemail.apache.vhostConf
- ];
- };
- services.myWebsites.tools.vhostConfs.dav = {
- certName = "eldiron";
- hosts = ["dav.immae.eu" ];
- root = null;
- extraConfig = [
- mypkgs.infcloud.apache.vhostConf
- mypkgs.davical.apache.vhostConf
- ];
- };
- services.myWebsites.tools.vhostConfs.cloud = {
- certName = "eldiron";
- hosts = ["cloud.immae.eu" ];
- root = mypkgs.nextcloud.webRoot;
- extraConfig = [
- mypkgs.nextcloud.apache.vhostConf
- ];
- };
- services.myWebsites.tools.vhostConfs.git.extraConfig = [
- mypkgs.mantisbt.apache.vhostConf
- ''
- RewriteEngine on
- RewriteCond %{REQUEST_URI} ^/releases
- RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
- ''
- ];
};
}
--- /dev/null
+{ lib, pkgs, config, mylibs, ... }:
+let
+ nextcloud = pkgs.callPackage ./nextcloud.nix { inherit (mylibs) checkEnv; };
+
+ cfg = config.services.myWebsites.tools.cloud;
+in {
+ options.services.myWebsites.tools.cloud = {
+ enable = lib.mkEnableOption "enable cloud website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme.certs."eldiron".extraDomains."cloud.immae.eu" = null;
+
+ services.myWebsites.tools.modules = nextcloud.apache.modules;
+
+ services.myWebsites.tools.vhostConfs.cloud = {
+ certName = "eldiron";
+ hosts = ["cloud.immae.eu" ];
+ root = nextcloud.webRoot;
+ extraConfig = [
+ nextcloud.apache.vhostConf
+ ];
+ };
+
+ environment.systemPackages = let
+ occ = pkgs.writeScriptBin "nextcloud-occ" ''
+ #! ${pkgs.stdenv.shell}
+ cd ${nextcloud.webRoot}
+ NEXTCLOUD_CONFIG_DIR="${nextcloud.webRoot}/config" \
+ exec \
+ ${pkgs.php}/bin/php \
+ -c ${pkgs.php}/etc/php.ini \
+ occ $*
+ '';
+ in [ occ ];
+
+ system.activationScripts.nextcloud = nextcloud.activationScript;
+
+ services.myPhpfpm = {
+ poolPhpConfigs.nextcloud = nextcloud.phpFpm.phpConfig;
+ poolConfigs.nextcloud = nextcloud.phpFpm.pool;
+ };
+
+ };
+}
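Review bot: The `nextcloud-occ` wrapper's `occ $*` line re-splits and glob-expands its arguments, so any argument containing whitespace or shell metacharacters (a password or a value passed to `occ config:system:set`) reaches `occ` mangled; use `occ "$@"` to pass them through intact. The script also `cd`s into `${nextcloud.webRoot}` and sets `NEXTCLOUD_CONFIG_DIR` to a `config` directory beneath it; if `webRoot` resolves into the Nix store, as a `callPackage` result normally does (`nextcloud.nix` is not shown here), that directory is read-only and `occ` subcommands that write configuration will fail, so a comment stating where the writable config lives, or pointing `NEXTCLOUD_CONFIG_DIR` at it, would help the next operator. Minor: `lib.mkEnableOption "enable cloud website"` renders as "Whether to enable enable cloud website." because `mkEnableOption` prepends the verb itself; `enable = lib.mkEnableOption "the cloud website";` reads correctly.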
apache = {
user = "wwwrun";
group = "wwwrun";
+ modules = [ "proxy_fcgi" ];
vhostConf = ''
Alias /davical "${webRoot}"
Alias /caldav.php "${webRoot}/caldav.php"
--- /dev/null
+{ lib, pkgs, config, mylibs, ... }:
+let
+ infcloud = pkgs.callPackage ./infcloud.nix {};
+ davical = pkgs.callPackage ./davical.nix { inherit (mylibs) checkEnv; };
+
+ cfg = config.services.myWebsites.tools.dav;
+in {
+ options.services.myWebsites.tools.dav = {
+ enable = lib.mkEnableOption "enable dav website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
+
+ services.myWebsites.tools.modules = davical.apache.modules;
+
+ services.myWebsites.tools.vhostConfs.dav = {
+ certName = "eldiron";
+ hosts = ["dav.immae.eu" ];
+ root = null;
+ extraConfig = [
+ infcloud.apache.vhostConf
+ davical.apache.vhostConf
+ ];
+ };
+
+ services.myPhpfpm.poolConfigs = {
+ davical = davical.phpFpm.pool;
+ };
+
+ };
+}
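Review bot: Only `davical.apache.modules` is merged into `services.myWebsites.tools.modules`, although the vhost also mounts `infcloud.apache.vhostConf`; if `infcloud.nix` exposes an `apache.modules` list (not visible in this commit) it should be merged the same way the git module does for its two packages, e.g. `services.myWebsites.tools.modules = infcloud.apache.modules ++ davical.apache.modules;`. The `davical` PHP-FPM pool registered here presumably depends on the `/var/lib/php/sessions/davical` directory that this commit keeps in the central `system.activationScripts.httpd` of `websites/default.nix`, so a comment on the `poolConfigs` block such as `# session dir is created by websites/default.nix activationScripts.httpd` would make that cross-module dependency visible. Minor: `mkEnableOption "enable dav website"` renders as "Whether to enable enable dav website.", and the file ends with a stray blank line after the closing brace.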
+
--- /dev/null
+{ lib, pkgs, config, mylibs, ... }:
+let
+ adminer = pkgs.callPackage ../../commons/adminer.nix {};
+
+ cfg = config.services.myWebsites.tools.databases;
+in {
+ options.services.myWebsites.tools.databases = {
+ enable = lib.mkEnableOption "enable database's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # FIXME: include it in vhostConf ?
+ security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null;
+
+ services.myWebsites.tools.modules = adminer.apache.modules;
+ services.myWebsites.tools.vhostConfs.db-1 = {
+ certName = "eldiron";
+ hosts = ["db-1.immae.eu" ];
+ root = null;
+ extraConfig = [ adminer.apache.vhostConf ];
+ };
+ };
+}
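Review bot: The `db-1` vhost reuses `adminer.apache.vhostConf` but this module registers no `adminer.phpFpm.pool`; that pool is only added by the `tools` module (`services.myPhpfpm.poolConfigs.adminer`), so enabling `tools.databases` without `tools.tools` leaves the vhost pointing at a pool that does not exist, assuming the vhostConf proxies to the pool socket (`adminer.nix` is not shown here). Either register the pool here as well, if `poolConfigs` is an attrset option whose identical duplicate definitions merge cleanly, or make the coupling explicit with `assertions = [ { assertion = config.services.myWebsites.tools.tools.enable; message = "tools.databases needs tools.tools for the adminer PHP-FPM pool"; } ];`. Adminer is a database administration UI reachable on a public hostname, and whether `adminer.apache.vhostConf` restricts access (authentication or `Require ip`) is not visible in this commit; a comment stating what protects it would be worth adding next to the vhost definition. Minor: `mkEnableOption "enable database's website"` renders as "Whether to enable enable database's website.".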
--- /dev/null
+{ lib, pkgs, config, mylibs, ... }:
+let
+ mantisbt = pkgs.callPackage ./mantisbt/mantisbt.nix { inherit (mylibs) checkEnv fetchedGithub; };
+ gitweb = pkgs.callPackage ./gitweb/gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
+
+ cfg = config.services.myWebsites.tools.git;
+in {
+ options.services.myWebsites.tools.git = {
+ enable = lib.mkEnableOption "enable git's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # FIXME: include it in vhostConf ?
+ security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
+
+ nixpkgs.config.packageOverrides = oldpkgs: rec {
+ gitweb = oldpkgs.gitweb.overrideAttrs(old: {
+ installPhase = old.installPhase + ''
+ cp -r ${./gitweb/theme} $out/gitweb-theme;
+ '';
+ });
+ };
+
+ services.myWebsites.tools.modules =
+ gitweb.apache.modules ++
+ mantisbt.apache.modules;
+
+ services.myWebsites.tools.vhostConfs.git = {
+ certName = "eldiron";
+ hosts = ["git.immae.eu" ];
+ root = gitweb.webRoot;
+ extraConfig = [
+ gitweb.apache.vhostConf
+ mantisbt.apache.vhostConf
+ ''
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/releases
+ RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
+ ''
+ ];
+ };
+ services.myPhpfpm.poolConfigs = {
+ mantisbt = mantisbt.phpFpm.pool;
+ };
+ };
+}
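Review bot: The `RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]` carried into this vhost lets a client pick the proxy target: the capture is not bounded by a path separator, so whatever follows `/releases` is appended directly to the hostname, and a request for `/releases.example.net/x` is proxied by mod_proxy to `https://release.immae.eu.example.net/x`. Bound the capture so only a sub-path can follow, `RewriteRule ^/releases(/.*)?$ https://release.immae.eu$1 [P,L]`, or replace the `RewriteCond`/`RewriteRule` pair with `ProxyPass /releases/ https://release.immae.eu/`. Either form needs `proxy` and `proxy_http` loaded, and the only module lists registered here are `gitweb.apache.modules ++ mantisbt.apache.modules`, whose contents are not visible, so check that one of them supplies those. Minor: `mkEnableOption "enable git's website"` renders as "Whether to enable enable git's website.".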
sha256 = "0jnrqz6r2hf53v0k1lh3il7hlfiphn61r9wgg6mzyywkjxwq07md";
};
patches = [
- ./mantisbt-patches/bug_report.php.diff
- ./mantisbt-patches/bug_report_page.php.diff
- ./mantisbt-patches/bugnote_add.php.diff
- ./mantisbt-patches/bugnote_add_inc.php.diff
+ ./patches/bug_report.php.diff
+ ./patches/bug_report_page.php.diff
+ ./patches/bugnote_add.php.diff
+ ./patches/bugnote_add_inc.php.diff
];
installPhase = ''
cp -a . $out
--- /dev/null
+{ lib, pkgs, config, mylibs, ... }:
+let
+ adminer = pkgs.callPackage ../../commons/adminer.nix {};
+ ympd = pkgs.callPackage ./ympd.nix {};
+ ttrss = pkgs.callPackage ./ttrss.nix { inherit (mylibs) checkEnv fetchedGithub fetchedGit; };
+ roundcubemail = pkgs.callPackage ./roundcubemail.nix { inherit (mylibs) checkEnv; };
+
+ cfg = config.services.myWebsites.tools.tools;
+in {
+ options.services.myWebsites.tools.tools = {
+ enable = lib.mkEnableOption "enable tools website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
+
+ services.myWebsites.tools.modules =
+ adminer.apache.modules
+ ++ ympd.apache.modules
+ ++ ttrss.apache.modules
+ ++ roundcubemail.apache.modules;
+
+ services.ympd = ympd.config // { enable = false; };
+
+ services.myWebsites.tools.vhostConfs.tools = {
+ certName = "eldiron";
+ hosts = ["tools.immae.eu" ];
+ root = null;
+ extraConfig = [
+ adminer.apache.vhostConf
+ ympd.apache.vhostConf
+ ttrss.apache.vhostConf
+ roundcubemail.apache.vhostConf
+ ];
+ };
+
+ services.myPhpfpm.poolConfigs = {
+ adminer = adminer.phpFpm.pool;
+ ttrss = ttrss.phpFpm.pool;
+ roundcubemail = roundcubemail.phpFpm.pool;
+ };
+
+ system.activationScripts = {
+ ttrss = ttrss.activationScript;
+ roundcubemail = roundcubemail.activationScript;
+ };
+
+ systemd.services.tt-rss = {
+ description = "Tiny Tiny RSS feeds update daemon";
+ serviceConfig = {
+ User = "wwwrun";
+ ExecStart = "${pkgs.php}/bin/php ${ttrss.webRoot}/update.php --daemon";
+ StandardOutput = "syslog";
+ StandardError = "syslog";
+ PermissionsStartOnly = true;
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ requires = ["postgresql.service"];
+ after = ["network.target" "postgresql.service"];
+ };
+
+ };
+}
+
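Review bot: The `tt-rss` updater in `systemd.services.tt-rss` fetches remote feeds, i.e. untrusted input, yet runs as `User = "wwwrun"`, the account that owns `/var/lib/php/sessions` and its adminer, mantisbt and davical subdirectories (created `0750 wwwrun:wwwrun` in `websites/default.nix`), so a flaw in the feed fetcher yields read access to every PHP session on the host. A dedicated `ttrss` user, with the writable directories that `ttrss.activationScript` creates (not visible here) chowned to it, plus `PrivateTmp = true;` and `ProtectSystem = "strict";` with `ReadWritePaths` for those directories, would confine the daemon to its own state. `PermissionsStartOnly = true;` has no effect in this unit because there is no `ExecStartPre`/`ExecStartPost` to apply it to, and can be dropped. The `tt-rss` block itself deserves a one-line comment explaining why the daemon is started by systemd rather than by cron, since `update.php --daemon` is a long-running poller rather than a one-shot job.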
+++ /dev/null
-{ callPackage, checkEnv, fetchedGit, fetchedGithub }:
-let
- nextcloud = callPackage ./packages/nextcloud.nix { inherit checkEnv; };
- adminer = callPackage ./packages/adminer.nix {};
- ympd = callPackage ./packages/ympd.nix {};
- mantisbt = callPackage ./packages/mantisbt.nix { inherit checkEnv fetchedGithub; };
- ttrss = callPackage ./packages/ttrss.nix { inherit checkEnv fetchedGithub fetchedGit; };
- roundcubemail = callPackage ./packages/roundcubemail.nix { inherit checkEnv; };
- infcloud = callPackage ./packages/infcloud.nix {};
- davical = callPackage ./packages/davical.nix { inherit checkEnv; };
-in
- {
- inherit adminer;
- inherit ympd;
- inherit nextcloud;
- inherit mantisbt;
- inherit ttrss;
- inherit roundcubemail;
- inherit infcloud;
- inherit davical;
- }
+++ /dev/null
-time-format %H:%M:%S
-date-format %d/%b/%Y
-
-#sur immae.eu
-#log-format %v %h %^[%d:%t %^] "%r" %s %b "%R" "%u" $^
-
-log-format VCOMBINED
-#= %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
-
-html-prefs {"theme":"bright","layout":"vertical"}
-
-exclude-ip 188.165.209.148
-exclude-ip 178.33.252.96
-exclude-ip 2001:41d0:2:9c94::1
-exclude-ip 2001:41d0:2:9c94::
-exclude-ip 176.9.151.89
-exclude-ip 2a01:4f8:160:3445::
-exclude-ip 82.255.56.72
-
-no-query-string true
-
-keep-db-files true
-load-from-disk true
-db-path /var/lib/goaccess/cloud.immae.eu
-
-ignore-panel REFERRERS
-ignore-panel KEYPHRASES
-
-static-file .css
-static-file .js
-static-file .jpg
-static-file .png
-static-file .gif
-static-file .ico
-static-file .jpeg
-static-file .pdf
-static-file .csv
-static-file .mpeg
-static-file .mpg
-static-file .swf
-static-file .woff
-static-file .woff2
-static-file .xls
-static-file .xlsx
-static-file .doc
-static-file .docx
-static-file .ppt
-static-file .pptx
-static-file .txt
-static-file .zip
-static-file .ogg
-static-file .mp3
-static-file .mp4
-static-file .exe
-static-file .iso
-static-file .gz
-static-file .rar
-static-file .svg
-static-file .bmp
-static-file .tar
-static-file .tgz
-static-file .tiff
-static-file .tif
-static-file .ttf
-static-file .flv
-#static-file .less
-#static-file .ac3
-#static-file .avi
-#static-file .bz2
-#static-file .class
-#static-file .cue
-#static-file .dae
-#static-file .dat
-#static-file .dts
-#static-file .ejs
-#static-file .eot
-#static-file .eps
-#static-file .img
-#static-file .jar
-#static-file .map
-#static-file .mid
-#static-file .midi
-#static-file .ogv
-#static-file .webm
-#static-file .mkv
-#static-file .odp
-#static-file .ods
-#static-file .odt
-#static-file .otf
-#static-file .pict
-#static-file .pls
-#static-file .ps
-#static-file .qt
-#static-file .rm
-#static-file .svgz
-#static-file .wav
-#static-file .webp
-
-