Add Richie website

[perso/Immae/Config/Nix.git] / modules / private / websites / emilia / richie.nix

{ lib, config, pkgs, ... }:
let
  cfg = config.myServices.websites.emilia.richie_production;
  vardir = "/var/lib/richie_production";
  richieSrc = pkgs.stdenv.mkDerivation (pkgs.mylibs.fetchedGitPrivate ./richie.json // {
    phases = "installPhase";
    installPhase = ''
      cp -a $src $out
      chmod -R u+w $out
      ln -sf ${vardir}/files $out/
      ln -sf ${vardir}/drapeaux $out/images/
      ln -sf ${vardir}/photos $out/
      sed -i "s@localedef --list-archive@localedef --list-archive /run/current-system/sw/lib/locale/locale-archive@" $out/admin/parametres.php
      '';
  });
in
{
  options.myServices.websites.emilia.richie_production.enable = lib.mkEnableOption "enable Richie's website";
  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.richie_production.rootDir = vardir;
    services.webstats.sites = [ { name = "europe-richie.org"; } ];

    secrets.keys = [{
      dest = "webapps/prod-richie";
      user = "wwwrun";
      group = "wwwrun";
      permissions = "0400";
      text = with config.myEnv.websites.richie; ''
        <?php

        $hote_sql = '${mysql.host}';
        $login_sql = '${mysql.user}';
        $bdd_sql = '${mysql.database}';
        $mdp_sql = '${mysql.password}';

        $db = mysqli_connect($hote_sql,$login_sql,$mdp_sql);
        unset($mdp_sql);

        $smtp_mailer->Auth('${smtp_mailer.user}', '${smtp_mailer.password}');
        ?>
        '';
    }];
    myServices.websites.webappDirs.richie_production = richieSrc;
    system.activationScripts.richie_production = {
      deps = [ "httpd" ];
      text = ''
        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/richie_production
        install -m 0755 -o wwwrun -g wwwrun -d ${vardir}
        '';
    };
    services.phpfpm.pools.richie_production = {
      listen = "/run/phpfpm/richie_production.sock";
      extraConfig = ''
        user = wwwrun
        group = wwwrun
        listen.owner = wwwrun
        listen.group = wwwrun

        pm = ondemand
        pm.max_children = 5
        pm.process_idle_timeout = 60

        env[PATH] = /run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]}
        env[BDD_CONNECT] = "/var/secrets/webapps/prod-richie"
        php_admin_value[open_basedir] = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp"
        php_admin_value[session.save_path] = "/var/lib/php/sessions/richie_production"
        '';
      phpOptions = config.services.phpfpm.phpOptions + ''
        date.timezone = 'Europe/Paris'
        extension=${pkgs.php}/lib/php/extensions/mysqli.so
        '';
    };
    services.websites.env.production.modules = [ "proxy_fcgi" ];
    services.websites.env.production.vhostConfs.richie_production = {
      certName    = "richie";
      addToCerts  = true;
      certMainHost = "europe-richie.org";
      hosts       = [ "europe-richie.org" "www.europe-richie.org" ];
      root        = "/run/current-system/webapps/richie_production";
      extraConfig = [
        ''
        Use Stats europe-richie.org
        ErrorDocument 404 /404.html
        <LocationMatch "^/files/.*/admin/">
          Require all denied
        </LocationMatch>
        <Directory /run/current-system/webapps/richie_production>
          DirectoryIndex index.php index.htm index.html
          Options Indexes FollowSymLinks MultiViews Includes
          AllowOverride None
          Require all granted

          <FilesMatch "\.php$">
            SetHandler "proxy:unix:/run/phpfpm/richie_production.sock|fcgi://localhost"
          </FilesMatch>
        </Directory>
          ''
      ];
    };
  };
}