Move chloe's website keys to secure location
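# Packaging and service wiring for the chloe website: upstream SPIP behind
# Apache (mod_proxy_fcgi) and a dedicated PHP-FPM pool, plus the runtime
# key file that carries the LDAP and MySQL credentials.
# `lib` and `fetchurl` are unused here but kept so the call signature is stable.
{ stdenv, lib, fetchzip, fetchurl, fetchedGitPrivate, sassc }:
let
  # `config` supplies the environment name ("dev"/"prod" are the values tested
  # below) and the LDAP/MySQL settings; everything else is derived from
  # `environment` through `rec`.
  chloe = { config }: rec {
    environment = config.environment;

    phpFpm = rec {
      # The vhost `Include`s the key file at startup, so the pool must not be
      # started before the key service has deployed it.
      serviceDeps = [ "mysql.service" "${environment}-chloe-key.service" ];
      socket = "/var/run/phpfpm/chloe-${environment}.sock";
      # open_basedir confines PHP to the site's own store paths, its var dir
      # and /tmp; sessions go to a varDir subtree the activation script
      # creates with mode 0750. Process-manager sizing differs per environment.
      pool = ''
        listen = ${socket}
        user = ${apache.user}
        group = ${apache.group}
        listen.owner = ${apache.user}
        listen.group = ${apache.group}
        php_admin_value[upload_max_filesize] = 20M
        php_admin_value[post_max_size] = 20M
        ;php_admin_flag[log_errors] = on
        php_admin_value[open_basedir] = "${../commons/spip/spip_mes_options.php}:${configDir}:${webRoot}:${varDir}:/tmp"
        php_admin_value[session.save_path] = "${varDir}/phpSessions"
        ${if environment == "dev" then ''
        pm = ondemand
        pm.max_children = 5
        pm.process_idle_timeout = 60
        '' else ''
        pm = dynamic
        pm.max_children = 20
        pm.start_servers = 2
        pm.min_spare_servers = 1
        pm.max_spare_servers = 3
        ''}'';
    };

    # Credentials (LDAP search password, MySQL password) are handed to Apache
    # as a runtime key file instead of being interpolated into the vhost
    # config in the world-readable Nix store. The file is owned by the Apache
    # user, mode 0400, and consumed via `Include` in vhostConf.
    keys."${environment}-chloe" = {
      destDir = "/run/keys/webapps";
      user = apache.user;
      group = apache.group;
      permissions = "0400";
      text = ''
        SetEnv SPIP_CONFIG_DIR "${configDir}"
        SetEnv SPIP_VAR_DIR "${varDir}"
        SetEnv SPIP_SITE "chloe-${environment}"
        SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
        SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
        SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
        SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
        SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}"
        SetEnv SPIP_MYSQL_HOST "${config.mysql.host}"
        SetEnv SPIP_MYSQL_PORT "${config.mysql.port}"
        SetEnv SPIP_MYSQL_DB "${config.mysql.name}"
        SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
        SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
        '';
    };

    apache = rec {
      user = "wwwrun";
      group = "wwwrun";
      modules = [ "proxy_fcgi" ];
      webappName = "chloe_${environment}";
      root = "/run/current-system/webapps/${webappName}";
      # Access policy: squelettes/ and the dotfiles/rewrite-rules are denied;
      # in dev the whole site sits behind an LDAP group check (with a 401 page
      # that redirects to the public site), in prod only the Stats macro is
      # applied.
      # NOTE(review): the directory enables +Includes (SSI) and +FollowSymLinks
      # with AllowOverride FileInfo, and the dots in the FilesMatch deny-list
      # are unescaped (they match any character) — confirm both are intended.
      vhostConf = ''
        Include /run/keys/webapps/${environment}-chloe

        RewriteEngine On
        ${if environment == "prod" then ''
        RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1
        '' else ""}

        <FilesMatch "\.php$">
        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
        </FilesMatch>

        <Directory ${root}>
        DirectoryIndex index.php index.htm index.html
        Options -Indexes +FollowSymLinks +MultiViews +Includes
        Include ${root}/htaccess.txt

        AllowOverride AuthConfig FileInfo Limit
        Require all granted
        </Directory>

        <DirectoryMatch "${root}/squelettes">
        Require all denied
        </DirectoryMatch>

        <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
        Require all denied
        </FilesMatch>

        ${if environment == "dev" then ''
        <Location />
        Use LDAPConnect
        Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
        </Location>
        '' else ''
        Use Stats osteopathe-cc.fr
        ''}
        '';
    };

    # Creates the writable state tree outside the store. Everything is 0755
    # except phpSessions, which is 0750 so other local users cannot read
    # session files.
    activationScript = {
      deps = [ "wrappers" ];
      text = ''
        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} ${varDir}/IMG ${varDir}/tmp ${varDir}/local
        install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
        '';
    };

    # Per-environment SPIP config directory shipped next to this file.
    configDir = ./chloe_config_ + environment;
    varDir = "/var/lib/chloe_${environment}";

    # The site's own files (templates, assets) from a private git checkout,
    # built with sassc and later copied over the SPIP tree.
    siteDir = stdenv.mkDerivation (fetchedGitPrivate ./chloe.json // rec {
      buildPhase = ''
        make
        '';
      installPhase = ''
        cp -a . $out
        '';
      buildInputs = [ sassc ];
    });

    # Upstream SPIP release, pinned by hash, with the LDAP patch applied and
    # the site overlay installed on top.
    webRoot = stdenv.mkDerivation rec {
      name = "chloe-${environment}-spip-${version}";
      version = "3.2.3";
      src = fetchzip {
        url = "https://files.spip.net/spip/archives/SPIP-v${version}.zip";
        sha256 = "1r1mjvsnrp6mvkgjakvi3x4ms8m8k5mp93micbbg8r99fj7qlfkq";
      };
      # Fixed from `paches`, an attribute stdenv does not know, so the LDAP
      # patch was silently never applied even though the vhost passes
      # SPIP_LDAP_* settings to the application. If the patch no longer applies
      # cleanly to this SPIP version the build now fails instead of skipping it.
      patches = [ ../commons/spip/spip_ldap_patch.patch ];
      # Writable directories (IMG, local) are symlinked to varDir; config/ is
      # shielded from direct HTTP access with its own .htaccess (honoured via
      # AllowOverride AuthConfig in the vhost).
      buildPhase = ''
        rm -rf IMG local tmp config/remove.txt
        ln -sf ${../commons/spip/spip_mes_options.php} config/mes_options.php
        echo "Require all denied" > "config/.htaccess"
        ln -sf ${varDir}/{IMG,local} .
        '';
      installPhase = ''
        cp -a . $out
        cp -a ${siteDir}/* $out
        '';
    };
  };
in
  chloe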