]> git.immae.eu Git - perso/Immae/Config/Nix.git/blame - modules/private/websites/aten/production.nix
Move integration php applications to dedicated module
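# NixOS module for the production instance of the Aten website (aten.pro).
# When `myServices.websites.aten.production.enable` is set it declares:
#   - a webstats site entry,
#   - a PHP application (`aten_prod`) handled by services.phpApplication,
#   - a secrets file holding the application's environment variables,
#   - the Apache vhost for aten.pro / www.aten.pro.
{ lib, pkgs, config, myconfig, ... }:
let
  # Per-environment settings; this module reads `environment`, `secret` and
  # `psql_url` from it.
  secrets = myconfig.env.websites.aten.production;
  app = pkgs.webapps.aten.override { environment = secrets.environment; };
  cfg = config.myServices.websites.aten.production;
  pcfg = config.services.phpApplication;
in {
  options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";

  config = lib.mkIf cfg.enable {
    services.webstats.sites = [ { name = "aten.pro"; } ];

    services.phpApplication.apps.aten_prod = {
      websiteEnv = "production";
      httpdUser = config.services.httpd.Prod.user;
      httpdGroup = config.services.httpd.Prod.group;
      # Same path as the secrets file declared in `secrets.keys` below.
      # NOTE(review): presumably makes the service react to secret rotation;
      # the phpApplication module is not visible here, so confirm.
      httpdWatchFiles = [
        config.secrets.fullPaths."webapps/${app.environment}-aten"
      ];
      inherit (app) webRoot varDir;
      inherit app;
      serviceDeps = [ "postgresql.service" ];
      preStartActions = [
        "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
      ];
      # NOTE(review): /tmp is normally shared by every local user and service.
      # Confirm how phpApplication combines this with the app's own
      # directories, and whether the unit gets a private /tmp.
      phpOpenbasedir = [ "/tmp" ];
      # php_admin_value settings cannot be overridden from application code
      # with ini_set(). The log_errors line is disabled by its leading `;`.
      phpPool = ''
        php_admin_value[upload_max_filesize] = 20M
        php_admin_value[post_max_size] = 20M
        ;php_admin_flag[log_errors] = on
        pm = dynamic
        pm.max_children = 20
        pm.start_servers = 2
        pm.min_spare_servers = 1
        pm.max_spare_servers = 3
      '';
    };

    # Secrets file included by the vhost below: owned by the httpd user and
    # group, mode 0400, so only that user can read it.
    # NOTE(review): the secret values are interpolated at evaluation time.
    # Confirm the secrets module writes this text outside the world-readable
    # /nix/store; this file does not show how `secrets.keys` is implemented.
    # SetEnv places APP_SECRET and DATABASE_URL in the request environment of
    # the vhost, so any handler that prints its environment would expose them.
    secrets.keys = [{
      dest = "webapps/${app.environment}-aten";
      user = config.services.httpd.Prod.user;
      group = config.services.httpd.Prod.group;
      permissions = "0400";
      text = ''
        SetEnv APP_ENV "${app.environment}"
        SetEnv APP_SECRET "${secrets.secret}"
        SetEnv DATABASE_URL "${secrets.psql_url}"
        '';
    }];
    services.websites.env.production.vhostConfs.aten_prod = {
      certName = "aten";
      certMainHost = "aten.pro";
      hosts = [ "aten.pro" "www.aten.pro" ];
      root = pcfg.webappDirs.aten_prod;
      # Apache configuration for the vhost:
      #   - *.php requests go to the application's PHP-FPM unix socket;
      #   - the secrets file above is pulled in with Include;
      #   - /backend requires membership of the LDAP group cn=aten.pro; a 401
      #     response body is a meta-refresh back to https://aten.pro.
      #     `Use LDAPConnect` and `Use Stats` expand macros defined elsewhere.
      #   - the webroot is publicly readable, with index.php as both directory
      #     index and fallback resource.
      # Hardening: `Indexes` was dropped from the Directory Options so that
      # directories without an index.php are not listed on a production site.
      # NOTE(review): `Includes` enables server-side includes (with exec);
      # if SSI is unused drop it, otherwise prefer IncludesNOEXEC.
      # NOTE(review): `AllowOverride All` lets any .htaccess under the webroot
      # change the configuration, including turning Indexes back on. Restrict
      # it to the directive classes the application needs if possible.
      extraConfig = [
        ''
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_prod}|fcgi://localhost"
          </FilesMatch>

          Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"}

          Use Stats aten.pro

          <Location /backend>
            Use LDAPConnect
            Require ldap-group cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
            ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
          </Location>

          <Directory ${pcfg.webappDirs.aten_prod}>
            Options FollowSymLinks MultiViews Includes
            AllowOverride All
            Require all granted
            DirectoryIndex index.php
            FallbackResource /index.php
          </Directory>
        ''
      ];
    };
  };
}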