[perso/Immae/Config/Nix.git] / modules / private / websites / florian / app.nix

{ lib, pkgs, config,  ... }:
let
  adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; };
  secrets = config.myEnv.websites.tellesflorian.integration;
  app = pkgs.callPackage ./app {
    composerEnv = pkgs.composerEnv.override { php = pkgs.php72; };
    environment = secrets.environment;
    varDir = "/var/lib/florian_app";
    secretsPath = config.secrets.fullPaths."websites/florian/app";
  };
  cfg = config.myServices.websites.florian.app;
  pcfg = config.services.phpApplication;
in {
  options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.florian_app.rootDir = app.varDir;
    services.phpApplication.apps.florian_app = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
      httpdGroup = config.services.httpd.Inte.group;
      inherit (app) webRoot varDir;
      varDirPaths = {
        "var" = "0700";
      };
      inherit app;
      serviceDeps = [ "mysql.service" ];
      preStartActions = [
        "./bin/console --env=${app.environment} cache:clear --no-warmup"
      ];
      phpOpenbasedir = [ "/tmp" ];
      phpPool = {
        "php_admin_value[upload_max_filesize]" = "20M";
        "php_admin_value[post_max_size]" = "20M";
        #"php_admin_flag[log_errors]" = "on";
        "pm" = "ondemand";
        "pm.max_children" = "5";
        "pm.process_idle_timeout" = "60";
      };
      phpEnv = {
        SYMFONY_DEBUG_MODE = "\"yes\"";
      };
      phpWatchFiles = [
        config.secrets.fullPaths."websites/florian/app"
      ];
      phpPackage = pkgs.php72;
    };

    secrets.keys = {
      "websites/florian/app_passwords" = {
        user = config.services.httpd.Inte.user;
        group = config.services.httpd.Inte.group;
        permissions = "0400";
        text = ''
          invite:${secrets.invite_passwords}
        '';
      };
      "websites/florian/app" = {
        user = config.services.httpd.Inte.user;
        group = config.services.httpd.Inte.group;
        permissions = "0400";
        text = ''
          # This file is auto-generated during the composer install
          parameters:
            database_host: ${secrets.mysql.host}
            database_port: ${secrets.mysql.port}
            database_name: ${secrets.mysql.database}
            database_user: ${secrets.mysql.user}
            database_password: ${secrets.mysql.password}
            mailer_transport: smtp
            mailer_host: 127.0.0.1
            mailer_user: null
            mailer_password: null
            secret: ${secrets.secret}
        '';
      };
    };

    services.websites.env.integration.modules = adminer.apache.modules;
    services.websites.env.integration.vhostConfs.florian_app = {
      certName    = "integration";
      addToCerts  = true;
      hosts       = [ "app.tellesflorian.com" ];
      root        = pcfg.webappDirs.florian_app;
      extraConfig = [
        ''
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${pcfg.phpListenPaths.florian_app}|fcgi://localhost"
        </FilesMatch>

        <Location />
          AuthBasicProvider file ldap
          Use LDAPConnect
          Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu

          AuthUserFile "${config.secrets.fullPaths."websites/florian/app_passwords"}"
          Require user "invite"

          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
        </Location>

        <Directory ${pcfg.webappDirs.florian_app}>
          Options Indexes FollowSymLinks MultiViews Includes
          AllowOverride None
          Require all granted

          DirectoryIndex app_dev.php

          <IfModule mod_negotiation.c>
          Options -MultiViews
          </IfModule>

          <IfModule mod_rewrite.c>
            RewriteEngine On

            RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
            RewriteRule ^(.*) - [E=BASE:%1]

            # Maintenance script
            RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
            RewriteCond %{SCRIPT_FILENAME} !maintenance.php
            RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
            ErrorDocument 503 /maintenance.php

            # Sets the HTTP_AUTHORIZATION header removed by Apache
            RewriteCond %{HTTP:Authorization} .
            RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

            RewriteCond %{ENV:REDIRECT_STATUS} ^$
            RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]

            # If the requested filename exists, simply serve it.
            # We only want to let Apache serve files and not directories.
            RewriteCond %{REQUEST_FILENAME} -f
            RewriteRule ^ - [L]

            # Rewrite all other queries to the front controller.
            RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
          </IfModule>

        </Directory>
        ''
        (adminer.apache.vhostConf null)
      ];
    };
  };
}
Commit	Line	Data
ab8f306d	1	{ lib, pkgs, config, ... }:
2f0f1c48	2	let
5400b9b6	3	adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; };
ab8f306d	4	secrets = config.myEnv.websites.tellesflorian.integration;
d3452fc5	5	app = pkgs.callPackage ./app {
dcac3ec7	6	composerEnv = pkgs.composerEnv.override { php = pkgs.php72; };
d3452fc5 IB	7	environment = secrets.environment;
	8	varDir = "/var/lib/florian_app";
	9	secretsPath = config.secrets.fullPaths."websites/florian/app";
	10	};
f8026b6e	11	cfg = config.myServices.websites.florian.app;
1594c8da	12	pcfg = config.services.phpApplication;
2f0f1c48	13	in {
f8026b6e	14	options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
2f0f1c48	15
f8026b6e	16	config = lib.mkIf cfg.enable {
d3452fc5 IB	17	services.duplyBackup.profiles.florian_app.rootDir = app.varDir;
d3452fc5 IB	18	services.phpApplication.apps.florian_app = {
1594c8da IB	19	websiteEnv = "integration";
	20	httpdUser = config.services.httpd.Inte.user;
	21	httpdGroup = config.services.httpd.Inte.group;
	22	inherit (app) webRoot varDir;
	23	varDirPaths = {
	24	"var" = "0700";
	25	};
	26	inherit app;
	27	serviceDeps = [ "mysql.service" ];
	28	preStartActions = [
	29	"./bin/console --env=${app.environment} cache:clear --no-warmup"
	30	];
	31	phpOpenbasedir = [ "/tmp" ];
5400b9b6 IB	32	phpPool = {
	33	"php_admin_value[upload_max_filesize]" = "20M";
	34	"php_admin_value[post_max_size]" = "20M";
	35	#"php_admin_flag[log_errors]" = "on";
	36	"pm" = "ondemand";
	37	"pm.max_children" = "5";
	38	"pm.process_idle_timeout" = "60";
	39	};
	40	phpEnv = {
d3452fc5	41	SYMFONY_DEBUG_MODE = "\"yes\"";
5400b9b6	42	};
1594c8da	43	phpWatchFiles = [
d3452fc5	44	config.secrets.fullPaths."websites/florian/app"
1594c8da	45	];
dcac3ec7	46	phpPackage = pkgs.php72;
1594c8da IB	47	};
1594c8da IB	48
4c4652aa IB	49	secrets.keys = {
4c4652aa IB	50	"websites/florian/app_passwords" = {
1594c8da	51	user = config.services.httpd.Inte.user;
9f66adf4	52	group = config.services.httpd.Inte.group;
1594c8da IB	53	permissions = "0400";
	54	text = ''
	55	invite:${secrets.invite_passwords}
	56	'';
4c4652aa IB	57	};
4c4652aa IB	58	"websites/florian/app" = {
1594c8da	59	user = config.services.httpd.Inte.user;
9f66adf4	60	group = config.services.httpd.Inte.group;
1594c8da IB	61	permissions = "0400";
	62	text = ''
	63	# This file is auto-generated during the composer install
	64	parameters:
	65	database_host: ${secrets.mysql.host}
	66	database_port: ${secrets.mysql.port}
ab8f306d	67	database_name: ${secrets.mysql.database}
1594c8da IB	68	database_user: ${secrets.mysql.user}
	69	database_password: ${secrets.mysql.password}
	70	mailer_transport: smtp
	71	mailer_host: 127.0.0.1
	72	mailer_user: null
	73	mailer_password: null
	74	secret: ${secrets.secret}
	75	'';
4c4652aa IB	76	};
4c4652aa IB	77	};
1594c8da IB	78
1594c8da IB	79	services.websites.env.integration.modules = adminer.apache.modules;
d3452fc5 IB	80	services.websites.env.integration.vhostConfs.florian_app = {
d3452fc5 IB	81	certName = "integration";
7df420c2	82	addToCerts = true;
1594c8da	83	hosts = [ "app.tellesflorian.com" ];
d3452fc5	84	root = pcfg.webappDirs.florian_app;
2f0f1c48	85	extraConfig = [
1594c8da IB	86	''
1594c8da IB	87	<FilesMatch "\.php$">
d3452fc5	88	SetHandler "proxy:unix:${pcfg.phpListenPaths.florian_app}\|fcgi://localhost"
1594c8da IB	89	</FilesMatch>
	90
	91	<Location />
	92	AuthBasicProvider file ldap
	93	Use LDAPConnect
	94	Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
	95
d3452fc5	96	AuthUserFile "${config.secrets.fullPaths."websites/florian/app_passwords"}"
1594c8da IB	97	Require user "invite"
	98
	99	ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
	100	</Location>
	101
d3452fc5	102	<Directory ${pcfg.webappDirs.florian_app}>
1594c8da IB	103	Options Indexes FollowSymLinks MultiViews Includes
	104	AllowOverride None
	105	Require all granted
	106
	107	DirectoryIndex app_dev.php
	108
	109	<IfModule mod_negotiation.c>
	110	Options -MultiViews
	111	</IfModule>
	112
	113	<IfModule mod_rewrite.c>
	114	RewriteEngine On
	115
	116	RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
	117	RewriteRule ^(.*) - [E=BASE:%1]
	118
	119	# Maintenance script
	120	RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
	121	RewriteCond %{SCRIPT_FILENAME} !maintenance.php
	122	RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
	123	ErrorDocument 503 /maintenance.php
	124
	125	# Sets the HTTP_AUTHORIZATION header removed by Apache
	126	RewriteCond %{HTTP:Authorization} .
	127	RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
	128
	129	RewriteCond %{ENV:REDIRECT_STATUS} ^$
	130	RewriteRule ^app_dev\.php(?:/(.*)\|$) %{ENV:BASE}/$1 [R=301,L]
	131
	132	# If the requested filename exists, simply serve it.
	133	# We only want to let Apache serve files and not directories.
	134	RewriteCond %{REQUEST_FILENAME} -f
	135	RewriteRule ^ - [L]
	136
	137	# Rewrite all other queries to the front controller.
	138	RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
	139	</IfModule>
	140
	141	</Directory>
	142	''
5400b9b6	143	(adminer.apache.vhostConf null)
2f0f1c48 IB	144	];
	145	};
	146	};
	147	}