modules/private/websites/florian/app.nix

   1 { lib, pkgs, config,  ... }:
   2 let
   3   adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; };
   4   secrets = config.myEnv.websites.tellesflorian.integration;
   5   app = pkgs.callPackage ./app {
   6     environment = secrets.environment;
   7     varDir = "/var/lib/florian_app";
   8     secretsPath = config.secrets.fullPaths."websites/florian/app";
   9   };
  10   cfg = config.myServices.websites.florian.app;
  11   pcfg = config.services.phpApplication;
  12 in {
  13   options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
  14
  15   config = lib.mkIf cfg.enable {
  16     services.duplyBackup.profiles.florian_app.rootDir = app.varDir;
  17     services.phpApplication.apps.florian_app = {
  18       websiteEnv = "integration";
  19       httpdUser = config.services.httpd.Inte.user;
  20       httpdGroup = config.services.httpd.Inte.group;
  21       inherit (app) webRoot varDir;
  22       varDirPaths = {
  23         "var" = "0700";
  24       };
  25       inherit app;
  26       serviceDeps = [ "mysql.service" ];
  27       preStartActions = [
  28         "./bin/console --env=${app.environment} cache:clear --no-warmup"
  29       ];
  30       phpOpenbasedir = [ "/tmp" ];
  31       phpPool = {
  32         "php_admin_value[upload_max_filesize]" = "20M";
  33         "php_admin_value[post_max_size]" = "20M";
  34         #"php_admin_flag[log_errors]" = "on";
  35         "pm" = "ondemand";
  36         "pm.max_children" = "5";
  37         "pm.process_idle_timeout" = "60";
  38       };
  39       phpEnv = {
  40         SYMFONY_DEBUG_MODE = "\"yes\"";
  41       };
  42       phpWatchFiles = [
  43         config.secrets.fullPaths."websites/florian/app"
  44       ];
  45     };
  46
  47     secrets.keys = [
  48       {
  49         dest = "websites/florian/app_passwords";
  50         user = config.services.httpd.Inte.user;
  51         group = config.services.httpd.Inte.group;
  52         permissions = "0400";
  53         text = ''
  54           invite:${secrets.invite_passwords}
  55         '';
  56       }
  57       {
  58         dest = "websites/florian/app";
  59         user = config.services.httpd.Inte.user;
  60         group = config.services.httpd.Inte.group;
  61         permissions = "0400";
  62         text = ''
  63           # This file is auto-generated during the composer install
  64           parameters:
  65             database_host: ${secrets.mysql.host}
  66             database_port: ${secrets.mysql.port}
  67             database_name: ${secrets.mysql.database}
  68             database_user: ${secrets.mysql.user}
  69             database_password: ${secrets.mysql.password}
  70             mailer_transport: smtp
  71             mailer_host: 127.0.0.1
  72             mailer_user: null
  73             mailer_password: null
  74             secret: ${secrets.secret}
  75         '';
  76       }
  77     ];
  78
  79     services.websites.env.integration.modules = adminer.apache.modules;
  80     services.websites.env.integration.vhostConfs.florian_app = {
  81       certName    = "integration";
  82       addToCerts  = true;
  83       hosts       = [ "app.tellesflorian.com" ];
  84       root        = pcfg.webappDirs.florian_app;
  85       extraConfig = [
  86         ''
  87         <FilesMatch "\.php$">
  88           SetHandler "proxy:unix:${pcfg.phpListenPaths.florian_app}|fcgi://localhost"
  89         </FilesMatch>
  90
  91         <Location />
  92           AuthBasicProvider file ldap
  93           Use LDAPConnect
  94           Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
  95
  96           AuthUserFile "${config.secrets.fullPaths."websites/florian/app_passwords"}"
  97           Require user "invite"
  98
  99           ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
 100         </Location>
 101
 102         <Directory ${pcfg.webappDirs.florian_app}>
 103           Options Indexes FollowSymLinks MultiViews Includes
 104           AllowOverride None
 105           Require all granted
 106
 107           DirectoryIndex app_dev.php
 108
 109           <IfModule mod_negotiation.c>
 110           Options -MultiViews
 111           </IfModule>
 112
 113           <IfModule mod_rewrite.c>
 114             RewriteEngine On
 115
 116             RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
 117             RewriteRule ^(.*) - [E=BASE:%1]
 118
 119             # Maintenance script
 120             RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
 121             RewriteCond %{SCRIPT_FILENAME} !maintenance.php
 122             RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
 123             ErrorDocument 503 /maintenance.php
 124
 125             # Sets the HTTP_AUTHORIZATION header removed by Apache
 126             RewriteCond %{HTTP:Authorization} .
 127             RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 128
 129             RewriteCond %{ENV:REDIRECT_STATUS} ^$
 130             RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
 131
 132             # If the requested filename exists, simply serve it.
 133             # We only want to let Apache serve files and not directories.
 134             RewriteCond %{REQUEST_FILENAME} -f
 135             RewriteRule ^ - [L]
 136
 137             # Rewrite all other queries to the front controller.
 138             RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
 139           </IfModule>
 140
 141         </Directory>
 142         ''
 143         (adminer.apache.vhostConf null)
 144       ];
 145     };
 146   };
 147 }