]>
Commit | Line | Data |
---|---|---|
1 | { | |
2 | network = { | |
3 | description = "Immae's network"; | |
4 | enableRollback = true; | |
5 | }; | |
6 | ||
7 | eldiron = { config, pkgs, ... }: | |
8 | let mypkgs = import ./packages.nix; | |
9 | mylibs = import ../libs.nix; | |
10 | in | |
11 | { | |
12 | networking = { | |
13 | firewall = { | |
14 | enable = true; | |
15 | allowedTCPPorts = [ 22 80 443 3306 5432 ]; | |
16 | }; | |
17 | }; | |
18 | ||
19 | deployment = { | |
20 | targetEnv = "hetzner"; | |
21 | hetzner = { | |
22 | #robotUser = "defined in HETZNER_ROBOT_USER"; | |
23 | #robotPass = "defined in HETZNER_ROBOT_PASS"; | |
24 | mainIPv4 = "176.9.151.89"; | |
25 | partitions = '' | |
26 | clearpart --all --initlabel --drives=sda,sdb | |
27 | ||
28 | part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda | |
29 | part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb | |
30 | ||
31 | part raid.1 --grow --ondisk=sda | |
32 | part raid.2 --grow --ondisk=sdb | |
33 | ||
34 | raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2 | |
35 | ''; | |
36 | }; | |
37 | }; | |
38 | ||
39 | security.acme.certs = { | |
40 | "eldiron" = { | |
41 | webroot = "/var/lib/acme/acme-challenge"; | |
42 | email = "ismael@bouya.org"; | |
43 | domain = "eldiron.immae.eu"; | |
44 | plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; | |
45 | postRun = '' | |
46 | systemctl reload httpd.service | |
47 | ''; | |
48 | extraDomains = { | |
49 | "db-1.immae.eu" = null; | |
50 | "tools.immae.eu" = null; | |
51 | "connexionswing.immae.eu" = null; | |
52 | "sandetludo.immae.eu" = null; | |
53 | }; | |
54 | }; | |
55 | # "connexionswing" = { | |
56 | # webroot = "/var/lib/acme/acme-challenge"; | |
57 | # email = "ismael@bouya.org"; | |
58 | # domain = "connexionswing.com"; | |
59 | # plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ]; | |
60 | # postRun = '' | |
61 | # systemctl reload httpd.service | |
62 | # ''; | |
63 | # extraDomains = { | |
64 | # "www.connexionswing.com" = null; | |
65 | # "sandetludo.com" = null; | |
66 | # "www.sandetludo.com" = null; | |
67 | # }; | |
68 | # }; | |
69 | }; | |
70 | ||
71 | services.ympd = mypkgs.ympd.config // { enable = true; }; | |
72 | ||
73 | services.phpfpm = { | |
74 | extraConfig = '' | |
75 | log_level = notice | |
76 | ''; | |
77 | poolConfigs = { | |
78 | adminer = mypkgs.adminer.phpFpm.pool; | |
79 | connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool; | |
80 | connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool; | |
81 | www = '' | |
82 | listen = /var/run/phpfpm/www.sock | |
83 | user = wwwrun | |
84 | group = wwwrun | |
85 | listen.owner = wwwrun | |
86 | listen.group = wwwrun | |
87 | pm = ondemand | |
88 | pm.max_children = 5 | |
89 | pm.process_idle_timeout = 60 | |
90 | ;php_admin_flag[log_errors] = on | |
91 | php_admin_value[open_basedir] = "/var/www" | |
92 | ''; | |
93 | }; | |
94 | }; | |
95 | ||
96 | system.activationScripts = { | |
97 | connexionswing_dev = mypkgs.connexionswing_dev.activationScript; | |
98 | connexionswing_prod = mypkgs.connexionswing_prod.activationScript; | |
99 | httpd = '' | |
100 | install -d -m 0755 /var/lib/acme/acme-challenge | |
101 | install -d -m 0755 /var/www | |
102 | ''; | |
103 | }; | |
104 | ||
105 | services.httpd = let | |
106 | withSSL = domain: { | |
107 | enableSSL = true; | |
108 | sslServerCert = "/var/lib/acme/${domain}/cert.pem"; | |
109 | sslServerKey = "/var/lib/acme/${domain}/key.pem"; | |
110 | sslServerChain = "/var/lib/acme/${domain}/fullchain.pem"; | |
111 | }; | |
112 | in rec { | |
113 | enable = true; | |
114 | logPerVirtualHost = true; | |
115 | multiProcessingModule = "worker"; | |
116 | adminAddr = "httpd@immae.eu"; | |
117 | # FIXME: http2 | |
118 | extraModules = pkgs.lib.lists.unique ( | |
119 | mypkgs.adminer.apache.modules ++ | |
120 | mypkgs.connexionswing_dev.apache.modules ++ | |
121 | mypkgs.connexionswing_prod.apache.modules ++ | |
122 | [ | |
123 | "macro" | |
124 | "ldap" | |
125 | "authnz_ldap" | |
126 | ]); | |
127 | extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; '' | |
128 | <IfModule ldap_module> | |
129 | LDAPSharedCacheSize 500000 | |
130 | LDAPCacheEntries 1024 | |
131 | LDAPCacheTTL 600 | |
132 | LDAPOpCacheEntries 1024 | |
133 | LDAPOpCacheTTL 600 | |
134 | </IfModule> | |
135 | ||
136 | <Macro LDAPConnect> | |
137 | <IfModule authnz_ldap_module> | |
138 | AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu | |
139 | AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu | |
140 | AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}" | |
141 | AuthType Basic | |
142 | AuthName "Authentification requise (Acces LDAP)" | |
143 | AuthBasicProvider ldap | |
144 | </IfModule> | |
145 | </Macro> | |
146 | ''; | |
147 | virtualHosts = [ | |
148 | (withSSL "eldiron" // { | |
149 | listen = [ { ip = "*"; port = 443; } ]; | |
150 | hostName = "eldiron.immae.eu"; | |
151 | # FIXME: directory needs to exist | |
152 | documentRoot = "/var/www"; | |
153 | }) | |
154 | (withSSL "eldiron" // { | |
155 | listen = [ { ip = "*"; port = 443; } ]; | |
156 | hostName = "db-1.immae.eu"; | |
157 | documentRoot = null; | |
158 | extraConfig = builtins.concatStringsSep "\n" [ | |
159 | mypkgs.adminer.apache.vhostConf | |
160 | ]; | |
161 | }) | |
162 | (withSSL "eldiron" // { | |
163 | listen = [ { ip = "*"; port = 443; } ]; | |
164 | hostName = "tools.immae.eu"; | |
165 | documentRoot = null; | |
166 | extraConfig = builtins.concatStringsSep "\n" [ | |
167 | mypkgs.adminer.apache.vhostConf | |
168 | mypkgs.ympd.apache.vhostConf | |
169 | ]; | |
170 | }) | |
171 | (withSSL "eldiron" // { | |
172 | listen = [ { ip = "*"; port = 443; } ]; | |
173 | hostName = "connexionswing.immae.eu"; | |
174 | serverAliases = [ "sandetludo.immae.eu" ]; | |
175 | documentRoot = mypkgs.connexionswing_dev.webRoot; | |
176 | extraConfig = builtins.concatStringsSep "\n" [ | |
177 | mypkgs.connexionswing_dev.apache.vhostConf | |
178 | ]; | |
179 | }) | |
180 | { # Should go last, default fallback | |
181 | listen = [ { ip = "*"; port = 80; } ]; | |
182 | hostName = "redirectSSL"; | |
183 | serverAliases = [ "*" ]; | |
184 | enableSSL = false; | |
185 | documentRoot = "/var/lib/acme/acme-challenge"; | |
186 | extraConfig = '' | |
187 | RewriteEngine on | |
188 | RewriteCond "%{REQUEST_URI}" "!^/\.well-known" | |
189 | RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301] | |
190 | # To redirect in specific "VirtualHost *:80", do | |
191 | # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1 | |
192 | # rather than rewrite | |
193 | ''; | |
194 | } | |
195 | ]; | |
196 | }; | |
197 | ||
198 | security.pam.services = let | |
199 | pam_ldap = pkgs.pam_ldap; | |
200 | pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD"; | |
201 | pkgs.writeText "mysql.conf" '' | |
202 | host ldap.immae.eu | |
203 | base dc=immae,dc=eu | |
204 | binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | |
205 | bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"} | |
206 | pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | |
207 | ''; | |
208 | in [ | |
209 | { | |
210 | name = "mysql"; | |
211 | text = '' | |
212 | # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/ | |
213 | auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} | |
214 | account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql} | |
215 | ''; | |
216 | } | |
217 | ]; | |
218 | ||
219 | # FIXME: initial sync | |
220 | # FIXME: backup | |
221 | # FIXME: restart after pam | |
222 | # FIXME: pam access doesn’t work (because of php module) | |
223 | # FIXME: ssl | |
224 | services.mysql = rec { | |
225 | enable = true; | |
226 | package = pkgs.mariadb.overrideAttrs(old: rec { | |
227 | cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ]; | |
228 | buildInputs = old.buildInputs ++ [ pkgs.pam ]; | |
229 | }); | |
230 | }; | |
231 | ||
232 | # FIXME: initial sync | |
233 | # FIXME: backup | |
234 | # FIXME: ssl | |
235 | services.postgresql = rec { | |
236 | enable = true; | |
237 | package = pkgs.postgresql100.overrideAttrs(old: rec { | |
238 | passthru = old.passthru // { psqlSchema = "11.0"; }; | |
239 | name = "postgresql-11.1"; | |
240 | src = pkgs.fetchurl { | |
241 | url = "mirror://postgresql/source/v11.1/${name}.tar.bz2"; | |
242 | sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch"; | |
243 | }; | |
244 | }); | |
245 | enableTCPIP = true; | |
246 | extraConfig = '' | |
247 | max_connections = 100 | |
248 | wal_level = logical | |
249 | shared_buffers = 128MB | |
250 | max_wal_size = 1GB | |
251 | min_wal_size = 80MB | |
252 | log_timezone = 'Europe/Paris' | |
253 | datestyle = 'iso, mdy' | |
254 | timezone = 'Europe/Paris' | |
255 | lc_messages = 'en_US.UTF-8' | |
256 | lc_monetary = 'en_US.UTF-8' | |
257 | lc_numeric = 'en_US.UTF-8' | |
258 | lc_time = 'en_US.UTF-8' | |
259 | default_text_search_config = 'pg_catalog.english' | |
260 | # ssl = on | |
261 | # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem' | |
262 | # ssl_key_file = '/var/lib/acme/eldiron/key.pem' | |
263 | ''; | |
264 | authentication = '' | |
265 | local all postgres ident | |
266 | local all all md5 | |
267 | host all all 178.33.252.96/32 md5 | |
268 | host all all 188.165.209.148/32 md5 | |
269 | #host all all all pam | |
270 | ''; | |
271 | }; | |
272 | }; | |
273 | } |