[perso/Immae/Config/Nix.git] / modules / private / websites / aten / production.nix

{ lib, pkgs, config, myconfig,  ... }:
let
  secrets = myconfig.env.websites.aten.production;
  app = pkgs.webapps.aten.override { environment = secrets.environment; };
  cfg = config.myServices.websites.aten.production;
  pcfg = config.services.phpApplication;
in {
  options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";

  config = lib.mkIf cfg.enable {
    services.backup.profiles.aten_prod.rootDir = app.varDir;
    services.webstats.sites = [ { name = "aten.pro"; } ];
    services.phpApplication.apps.aten_prod = {
      websiteEnv = "production";
      httpdUser = config.services.httpd.Prod.user;
      httpdGroup = config.services.httpd.Prod.group;
      httpdWatchFiles = [
        config.secrets.fullPaths."webapps/${app.environment}-aten"
      ];
      inherit (app) webRoot varDir;
      inherit app;
      serviceDeps = [ "postgresql.service" ];
      preStartActions = [
        "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
      ];
      phpOpenbasedir = [ "/tmp" ];
      phpPool = ''
        php_admin_value[upload_max_filesize] = 20M
        php_admin_value[post_max_size] = 20M
        ;php_admin_flag[log_errors] = on
        pm = dynamic
        pm.max_children = 20
        pm.start_servers = 2
        pm.min_spare_servers = 1
        pm.max_spare_servers = 3
      '';
    };

    secrets.keys = [{
      dest = "webapps/${app.environment}-aten";
      user = config.services.httpd.Prod.user;
      group = config.services.httpd.Prod.group;
      permissions = "0400";
      text = ''
        SetEnv APP_ENV      "${app.environment}"
        SetEnv APP_SECRET   "${secrets.secret}"
        SetEnv DATABASE_URL "${secrets.psql_url}"
        '';
    }];
    services.websites.env.production.vhostConfs.aten_prod = {
      certName     = "aten";
      certMainHost = "aten.pro";
      hosts       = [ "aten.pro" "www.aten.pro" ];
      root        = pcfg.webappDirs.aten_prod;
      extraConfig = [
        ''
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_prod}|fcgi://localhost"
        </FilesMatch>

        Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"}

        Use Stats aten.pro

        <Location /backend>
          Use LDAPConnect
          Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
        </Location>

        <Directory ${pcfg.webappDirs.aten_prod}>
          Options Indexes FollowSymLinks MultiViews Includes
          AllowOverride All
          Require all granted
          DirectoryIndex index.php
          FallbackResource /index.php
        </Directory>
        ''
      ];
    };
  };
}