[perso/Immae/Config/Nix.git] / nixops / modules / websites / tools / mediagoblin / default.nix

{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  env = myconfig.env.tools.mediagoblin;
  socketsDir = "/run/mediagoblin";
  varDir = "/var/lib/mediagoblin";
  cfg = config.services.myWebsites.tools.mediagoblin;
  mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin";
  paste_local = pkgs.writeText "paste_local.ini" ''
    [DEFAULT]
    debug = false

    [pipeline:main]
    pipeline = mediagoblin

    [app:mediagoblin]
    use = egg:mediagoblin#app
    config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini
    /mgoblin_static = ${pythonRoot}/mediagoblin/static

    [loggers]
    keys = root

    [handlers]
    keys = console

    [formatters]
    keys = generic

    [logger_root]
    level = INFO
    handlers = console

    [handler_console]
    class = StreamHandler
    args = (sys.stderr,)
    level = NOTSET
    formatter = generic

    [formatter_generic]
    format = %(levelname)-7.7s [%(name)s] %(message)s

    [filter:errors]
    use = egg:mediagoblin#errors
    debug = false

    [server:main]
    use = egg:waitress#main
    unix_socket = ${socketsDir}/mediagoblin.sock
    unix_socket_perms = 777
    url_scheme = https
    '';
  pythonRoot = pkgs.webapps.mediagoblin-with-plugins;
in {
  options.services.myWebsites.tools.mediagoblin = {
    enable = lib.mkEnableOption "enable mediagoblin's website";
  };

  config = lib.mkIf cfg.enable {
    mySecrets.keys = [{
      dest = "webapps/tools-mediagoblin";
      user = "mediagoblin";
      group = "mediagoblin";
      permissions = "0400";
      text = ''
        [DEFAULT]
        data_basedir = "${varDir}"

        [mediagoblin]
        direct_remote_path = /mgoblin_static/
        email_sender_address = "mediagoblin@tools.immae.eu"

        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
        sql_engine = ${env.psql_url}

        email_debug_mode = false
        allow_registration = false
        allow_reporting = true

        theme = airymodified

        user_privilege_scheme = "uploader,commenter,reporter"

        # We need to redefine them here since we override data_basedir
        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
        workbench_path = %(data_basedir)s/media/workbench
        crypto_path = %(data_basedir)s/crypto
        theme_install_dir = %(data_basedir)s/themes/
        theme_linked_assets_dir = %(data_basedir)s/theme_static/
        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/

        [storage:queuestore]
        base_dir = %(data_basedir)s/media/queue

        [storage:publicstore]
        base_dir = %(data_basedir)s/media/public
        base_url = /mgoblin_media/

        [celery]
        CELERY_RESULT_DBURI = ${env.redis_url}
        BROKER_URL = ${env.redis_url}
        CELERYD_CONCURRENCY = 1

        [plugins]
          [[mediagoblin.plugins.geolocation]]
          [[mediagoblin.plugins.ldap]]
            [[[immae.eu]]]
              LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
              LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
              LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
              LDAP_BIND_PW = '${env.ldap.password}'
              LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
              EMAIL_SEARCH_FIELD = 'mail'
          [[mediagoblin.plugins.basicsearch]]
          [[mediagoblin.plugins.piwigo]]
          [[mediagoblin.plugins.processing_info]]
          [[mediagoblin.media_types.image]]
          [[mediagoblin.media_types.video]]
        '';
    }];

    ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
    ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;

    users.users.mediagoblin = {
      name = "mediagoblin";
      uid = config.ids.uids.mediagoblin;
      group = "mediagoblin";
      description = "Mediagoblin user";
      home = varDir;
      useDefaultShell = true;
      extraGroups = [ "keys" ];
    };

    users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;

    systemd.services.mediagoblin-web = {
      description = "Mediagoblin service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      wants = [ "postgresql.service" "redis.service" ];

      environment.SCRIPT_NAME = "/mediagoblin/";

      script = ''
        exec ./bin/paster serve \
          ${paste_local} \
          --pid-file=${socketsDir}/mediagoblin.pid
      '';

      preStop = ''
        exec ./bin/paster serve \
          --pid-file=${socketsDir}/mediagoblin.pid \
          ${paste_local} stop
        '';
      preStart = ''
        ./bin/gmg -cf ${mediagoblin_init} dbupdate
      '';

      serviceConfig = {
        User = "mediagoblin";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 15;
        Type = "simple";
        WorkingDirectory = pythonRoot;
        PIDFile = "${socketsDir}/mediagoblin.pid";
      };

      unitConfig.RequiresMountsFor = varDir;
    };

    systemd.services.mediagoblin-celeryd = {
      description = "Mediagoblin service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "mediagoblin-web.service" ];

      environment.MEDIAGOBLIN_CONFIG = "${pythonRoot}/mediagoblin_local.ini";
      environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";

      script = ''
        exec ./bin/celery worker \
          --logfile=${varDir}/celery.log \
          --loglevel=INFO
      '';

      serviceConfig = {
        User = "mediagoblin";
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 60;
        Type = "simple";
        WorkingDirectory = pythonRoot;
        PIDFile = "${socketsDir}/mediagoblin-celeryd.pid";
      };

      unitConfig.RequiresMountsFor = varDir;
    };

    system.activationScripts.mediagoblin = {
      deps = [ "users" ];
      text = ''
      install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir}
      install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir}
      if [ -d ${varDir}/plugin_static/ ]; then
        rm ${varDir}/plugin_static/coreplugin_basic_auth
        ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth
      fi
      '';
    };

    services.myWebsites.tools.modules = [
      "proxy" "proxy_http"
    ];
    users.users.wwwrun.extraGroups = [ "mediagoblin" ];
    security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
    services.myWebsites.tools.vhostConfs.mgoblin = {
      certName    = "eldiron";
      hosts       = ["mgoblin.immae.eu" ];
      root        = null;
      extraConfig = [ ''
        Alias /mgoblin_media ${varDir}/media/public
        <Directory ${varDir}/media/public>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        Alias /theme_static ${varDir}/theme_static
        <Directory ${varDir}/theme_static>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        Alias /plugin_static ${varDir}/plugin_static
        <Directory ${varDir}/plugin_static>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        ProxyPreserveHost on
        ProxyVia On
        ProxyRequests Off
        ProxyPass /mgoblin_media !
        ProxyPass /theme_static !
        ProxyPass /plugin_static !
        ProxyPassMatch ^/.well-known/acme-challenge !
        ProxyPass / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
        ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
      '' ];
    };
  };
}
Commit	Line	Data
9d90e7e2	1	{ lib, pkgs, config, myconfig, mylibs, ... }:
56eba416	2	let
ddd3f845 IB	3	env = myconfig.env.tools.mediagoblin;
	4	socketsDir = "/run/mediagoblin";
	5	varDir = "/var/lib/mediagoblin";
56eba416	6	cfg = config.services.myWebsites.tools.mediagoblin;
ddd3f845 IB	7	mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin";
	8	paste_local = pkgs.writeText "paste_local.ini" ''
	9	[DEFAULT]
	10	debug = false
	11
	12	[pipeline:main]
	13	pipeline = mediagoblin
	14
	15	[app:mediagoblin]
	16	use = egg:mediagoblin#app
	17	config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini
	18	/mgoblin_static = ${pythonRoot}/mediagoblin/static
	19
	20	[loggers]
	21	keys = root
	22
	23	[handlers]
	24	keys = console
	25
	26	[formatters]
	27	keys = generic
	28
	29	[logger_root]
	30	level = INFO
	31	handlers = console
	32
	33	[handler_console]
	34	class = StreamHandler
	35	args = (sys.stderr,)
	36	level = NOTSET
	37	formatter = generic
	38
	39	[formatter_generic]
	40	format = %(levelname)-7.7s [%(name)s] %(message)s
	41
	42	[filter:errors]
	43	use = egg:mediagoblin#errors
	44	debug = false
	45
	46	[server:main]
	47	use = egg:waitress#main
	48	unix_socket = ${socketsDir}/mediagoblin.sock
	49	unix_socket_perms = 777
	50	url_scheme = https
	51	'';
	52	pythonRoot = pkgs.webapps.mediagoblin-with-plugins;
56eba416 IB	53	in {
	54	options.services.myWebsites.tools.mediagoblin = {
	55	enable = lib.mkEnableOption "enable mediagoblin's website";
	56	};
	57
	58	config = lib.mkIf cfg.enable {
ddd3f845 IB	59	mySecrets.keys = [{
	60	dest = "webapps/tools-mediagoblin";
	61	user = "mediagoblin";
	62	group = "mediagoblin";
	63	permissions = "0400";
	64	text = ''
	65	[DEFAULT]
	66	data_basedir = "${varDir}"
	67
	68	[mediagoblin]
	69	direct_remote_path = /mgoblin_static/
	70	email_sender_address = "mediagoblin@tools.immae.eu"
	71
	72	#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
	73	sql_engine = ${env.psql_url}
	74
	75	email_debug_mode = false
	76	allow_registration = false
	77	allow_reporting = true
	78
	79	theme = airymodified
	80
	81	user_privilege_scheme = "uploader,commenter,reporter"
	82
	83	# We need to redefine them here since we override data_basedir
	84	# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
	85	workbench_path = %(data_basedir)s/media/workbench
	86	crypto_path = %(data_basedir)s/crypto
	87	theme_install_dir = %(data_basedir)s/themes/
	88	theme_linked_assets_dir = %(data_basedir)s/theme_static/
	89	plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
	90
	91	[storage:queuestore]
	92	base_dir = %(data_basedir)s/media/queue
	93
	94	[storage:publicstore]
	95	base_dir = %(data_basedir)s/media/public
	96	base_url = /mgoblin_media/
	97
	98	[celery]
	99	CELERY_RESULT_DBURI = ${env.redis_url}
	100	BROKER_URL = ${env.redis_url}
	101	CELERYD_CONCURRENCY = 1
	102
	103	[plugins]
	104	[[mediagoblin.plugins.geolocation]]
	105	[[mediagoblin.plugins.ldap]]
	106	[[[immae.eu]]]
	107	LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
	108	LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
	109	LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
	110	LDAP_BIND_PW = '${env.ldap.password}'
	111	LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
	112	EMAIL_SEARCH_FIELD = 'mail'
	113	[[mediagoblin.plugins.basicsearch]]
	114	[[mediagoblin.plugins.piwigo]]
	115	[[mediagoblin.plugins.processing_info]]
	116	[[mediagoblin.media_types.image]]
	117	[[mediagoblin.media_types.video]]
	118	'';
	119	}];
	120
3b075825 IB	121	ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
3b075825 IB	122	ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
56eba416 IB	123
	124	users.users.mediagoblin = {
	125	name = "mediagoblin";
	126	uid = config.ids.uids.mediagoblin;
	127	group = "mediagoblin";
	128	description = "Mediagoblin user";
ddd3f845	129	home = varDir;
56eba416	130	useDefaultShell = true;
51900e34	131	extraGroups = [ "keys" ];
56eba416 IB	132	};
	133
	134	users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
	135
	136	systemd.services.mediagoblin-web = {
	137	description = "Mediagoblin service";
	138	wantedBy = [ "multi-user.target" ];
32c84ff8 IB	139	after = [ "network.target" ];
32c84ff8 IB	140	wants = [ "postgresql.service" "redis.service" ];
56eba416 IB	141
	142	environment.SCRIPT_NAME = "/mediagoblin/";
	143
	144	script = ''
	145	exec ./bin/paster serve \
ddd3f845 IB	146	${paste_local} \
ddd3f845 IB	147	--pid-file=${socketsDir}/mediagoblin.pid
56eba416 IB	148	'';
	149
	150	preStop = ''
	151	exec ./bin/paster serve \
ddd3f845 IB	152	--pid-file=${socketsDir}/mediagoblin.pid \
ddd3f845 IB	153	${paste_local} stop
56eba416 IB	154	'';
56eba416 IB	155	preStart = ''
ddd3f845	156	./bin/gmg -cf ${mediagoblin_init} dbupdate
56eba416 IB	157	'';
	158
	159	serviceConfig = {
	160	User = "mediagoblin";
	161	PrivateTmp = true;
	162	Restart = "always";
	163	TimeoutSec = 15;
	164	Type = "simple";
ddd3f845 IB	165	WorkingDirectory = pythonRoot;
ddd3f845 IB	166	PIDFile = "${socketsDir}/mediagoblin.pid";
56eba416 IB	167	};
56eba416 IB	168
ddd3f845	169	unitConfig.RequiresMountsFor = varDir;
56eba416 IB	170	};
	171
	172	systemd.services.mediagoblin-celeryd = {
	173	description = "Mediagoblin service";
	174	wantedBy = [ "multi-user.target" ];
	175	after = [ "network.target" "mediagoblin-web.service" ];
	176
ddd3f845	177	environment.MEDIAGOBLIN_CONFIG = "${pythonRoot}/mediagoblin_local.ini";
56eba416 IB	178	environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
	179
	180	script = ''
	181	exec ./bin/celery worker \
ddd3f845	182	--logfile=${varDir}/celery.log \
56eba416 IB	183	--loglevel=INFO
	184	'';
	185
	186	serviceConfig = {
	187	User = "mediagoblin";
	188	PrivateTmp = true;
	189	Restart = "always";
d65bf723	190	TimeoutSec = 60;
56eba416	191	Type = "simple";
ddd3f845 IB	192	WorkingDirectory = pythonRoot;
ddd3f845 IB	193	PIDFile = "${socketsDir}/mediagoblin-celeryd.pid";
56eba416 IB	194	};
56eba416 IB	195
ddd3f845	196	unitConfig.RequiresMountsFor = varDir;
56eba416 IB	197	};
56eba416 IB	198
56eba416 IB	199	system.activationScripts.mediagoblin = {
	200	deps = [ "users" ];
	201	text = ''
ddd3f845 IB	202	install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir}
	203	install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir}
	204	if [ -d ${varDir}/plugin_static/ ]; then
	205	rm ${varDir}/plugin_static/coreplugin_basic_auth
	206	ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth
56eba416 IB	207	fi
	208	'';
	209	};
	210
	211	services.myWebsites.tools.modules = [
a952acc4	212	"proxy" "proxy_http"
56eba416 IB	213	];
	214	users.users.wwwrun.extraGroups = [ "mediagoblin" ];
	215	security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
	216	services.myWebsites.tools.vhostConfs.mgoblin = {
	217	certName = "eldiron";
	218	hosts = ["mgoblin.immae.eu" ];
	219	root = null;
	220	extraConfig = [ ''
ddd3f845 IB	221	Alias /mgoblin_media ${varDir}/media/public
ddd3f845 IB	222	<Directory ${varDir}/media/public>
56eba416 IB	223	Options -Indexes +FollowSymLinks +MultiViews +Includes
	224	Require all granted
	225	</Directory>
	226
ddd3f845 IB	227	Alias /theme_static ${varDir}/theme_static
ddd3f845 IB	228	<Directory ${varDir}/theme_static>
56eba416 IB	229	Options -Indexes +FollowSymLinks +MultiViews +Includes
	230	Require all granted
	231	</Directory>
	232
ddd3f845 IB	233	Alias /plugin_static ${varDir}/plugin_static
ddd3f845 IB	234	<Directory ${varDir}/plugin_static>
56eba416 IB	235	Options -Indexes +FollowSymLinks +MultiViews +Includes
	236	Require all granted
	237	</Directory>
	238
	239	ProxyPreserveHost on
	240	ProxyVia On
	241	ProxyRequests Off
	242	ProxyPass /mgoblin_media !
	243	ProxyPass /theme_static !
	244	ProxyPass /plugin_static !
	245	ProxyPassMatch ^/.well-known/acme-challenge !
ddd3f845 IB	246	ProxyPass / unix://${socketsDir}/mediagoblin.sock\|http://mgoblin.immae.eu/
ddd3f845 IB	247	ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock\|http://mgoblin.immae.eu/
56eba416 IB	248	'' ];
	249	};
	250	};
	251	}