1 { lib, pkgs, config, ... }:
2 let
# Every web application hosted on tools.immae.eu is built from its own
# sibling file.  `pkgs.webapps.*` supplies the upstream package, and
# `config.myEnv.tools.*` supplies the deployment-specific values (hosts,
# ports, credentials, ...) the app's file turns into configuration.  The
# attributes consumed further down (`keys`, `backups`, `apache`, `phpFpm`,
# `activationScript`, `webRoot`) all come from those files.
# Bindings are listed alphabetically; `let` is recursive so order is free.
adminer = pkgs.callPackage ./adminer.nix {
  inherit (pkgs.webapps) adminer;
};
cfg = config.myServices.websites.tools.tools;
csp-reports = pkgs.callPackage ./csp_reports.nix {
  env = config.myEnv.tools.csp_reports;
};
dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
  env = config.myEnv.tools.dmarc_reports;
};
dokuwiki = pkgs.callPackage ./dokuwiki.nix {
  inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
};
# grocy's composer environment is pinned to the same PHP 7.2 its pool runs.
grocy =
  let
    composerEnv = pkgs.composerEnv.override { php = pkgs.php72; };
  in pkgs.callPackage ./grocy.nix {
    grocy = pkgs.webapps.grocy.override { inherit composerEnv; };
  };
kanboard = pkgs.callPackage ./kanboard.nix {
  env = config.myEnv.tools.kanboard;
};
landing = pkgs.callPackage ./landing.nix {};
ldap = pkgs.callPackage ./ldap.nix {
  inherit (pkgs.webapps) phpldapadmin;
  env = config.myEnv.tools.phpldapadmin;
};
pcfg = config.services.phpfpm.pools;
phpbb = pkgs.callPackage ./phpbb.nix {
  # French language pack plus the extension set enabled on this board.
  phpbb = (pkgs.webapps.phpbb.withLangs (l: [ l.fr ])).withExts (e: [
    e.alfredoramos.markdown
    e.davidiq.mailinglist
    e.dmzx.mchat
    e.empteintesduweb.monitoranswers
    e.lr94.autosubscribe
    e.phpbbmodders.adduser
  ]);
};
rompr = pkgs.callPackage ./rompr.nix {
  inherit (pkgs.webapps) rompr;
  env = config.myEnv.tools.rompr;
};
shaarli = pkgs.callPackage ./shaarli.nix {
  env = config.myEnv.tools.shaarli;
};
ttrss = pkgs.callPackage ./ttrss.nix {
  inherit (pkgs.webapps) ttrss ttrss-plugins;
  env = config.myEnv.tools.ttrss;
  # NOTE(review): php72 (and php73 used by wallabag) are past upstream
  # end-of-life; confirm the pinned nixpkgs still carries security fixes
  # for them, or plan the move to a supported PHP branch.
  php = pkgs.php72;
};
# wallabag needs the tidy extension on top of the default PHP 7.3 set,
# both for its composer environment and (see services.phpfpm.pools) its pool.
wallabag =
  let
    php = pkgs.php73.withExtensions ({ enabled, all }: enabled ++ [ all.tidy ]);
  in pkgs.callPackage ./wallabag.nix {
    wallabag = pkgs.webapps.wallabag.override {
      composerEnv = pkgs.composerEnv.override { inherit php; };
    };
    env = config.myEnv.tools.wallabag;
  };
webhooks = pkgs.callPackage ./webhooks.nix {
  env = config.myEnv.tools.webhooks;
};
yourls = pkgs.callPackage ./yourls.nix {
  inherit (pkgs.webapps) yourls yourls-plugins;
  env = config.myEnv.tools.yourls;
};
ympd = pkgs.callPackage ./ympd.nix {
  env = config.myEnv.tools.ympd;
};
66 in {
# Single switch for the whole tools / devtools / outils vhost bundle; nothing
# under `config` below is applied unless it is set (see `lib.mkIf cfg.enable`).
options.myServices.websites.tools.tools = {
  enable = lib.mkEnableOption "enable tools website";
};
70
71 config = lib.mkIf cfg.enable {
# Secret files each application asks for are deployed together through the
# `secrets` module (into `config.secrets.location`).  `webhooks.keys` is worth
# a look: the /webhooks scripts are served straight out of that secrets tree
# (see the Alias in the tools vhost), so presumably they are shipped by it.
secrets.keys = lib.concatLists [
  kanboard.keys
  ldap.keys
  shaarli.keys
  ttrss.keys
  wallabag.keys
  yourls.keys
  dmarc-reports.keys
  csp-reports.keys
  webhooks.keys
];
82
# One duply backup profile per application, named after the app and
# described by the app's own `backups` attribute.
# NOTE(review): ldap, yourls, dmarc-reports, csp-reports and webhooks request
# secrets above but have no profile here — confirm they hold no state worth
# backing up.
services.duplyBackup.profiles =
  lib.mapAttrs (_: app: app.backups) {
    inherit dokuwiki grocy kanboard rompr shaarli ttrss wallabag phpbb;
  };
93
# Apache modules the `tools` environment must load: proxy_fcgi for the
# PHP-FPM sockets, plus whatever each application's vhost snippet relies on.
# NOTE(review): grocy's vhostConf is used below but `grocy.apache.modules` is
# not listed here — confirm grocy needs nothing beyond the shared set.
services.websites.env.tools.modules = lib.concatLists [
  [ "proxy_fcgi" ]
  adminer.apache.modules
  ympd.apache.modules
  ttrss.apache.modules
  wallabag.apache.modules
  yourls.apache.modules
  rompr.apache.modules
  shaarli.apache.modules
  dokuwiki.apache.modules
  dmarc-reports.apache.modules
  phpbb.apache.modules
  ldap.apache.modules
  kanboard.apache.modules
];
108
# devtools.immae.eu: a scratch PHP host whose document root is an FTP upload
# area, executed by the dedicated `devtools` FPM pool.
# Security notes (review):
#  - Anything able to write into /var/lib/ftp/devtools.immae.eu can run PHP
#    as `wwwrun` here, and `AllowOverride all` lets an uploaded .htaccess
#    reconfigure Apache for this tree.  The devtools pool's open_basedir is
#    the only boundary towards the other applications, which run under the
#    same `wwwrun` user — TODO confirm that trust level is intended.
#  - The CSP header is Report-Only: violations are reported, not blocked.
#    The policy string is interpolated inside double quotes, so it must not
#    itself contain `"` or the Header directive breaks.
#  - Timeout/ProxyTimeout are raised to 600 s, so slow clients or long
#    scripts can hold a worker for ten minutes.
services.websites.env.integration.vhostConfs.devtools = {
  certName = "integration";
  certMainHost = "devtools.immae.eu";
  addToCerts = true;
  hosts = [ "devtools.immae.eu" ];
  root = "/var/lib/ftp/devtools.immae.eu";
  extraConfig = [
    ''
      Timeout 600
      ProxyTimeout 600
      Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
      <Directory "/var/lib/ftp/devtools.immae.eu">
        DirectoryIndex index.php index.htm index.html
        AllowOverride all
        Require all granted
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost"
        </FilesMatch>
      </Directory>
    ''
  ];
};
131
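# tools.immae.eu: the landing page plus every application's own vhost
# snippet, all under one certificate.  Legacy paths are redirected to the
# hosts that now serve them.
# Change (review): directory listing is now disabled (`Options -Indexes`) on
# the landing and /BIP39 trees as well, matching /paste and /webhooks, so a
# missing index.html yields 403 instead of an autoindex of the directory.
services.websites.env.tools.vhostConfs.tools = {
  certName = "eldiron";
  addToCerts = true;
  hosts = ["tools.immae.eu" ];
  root = landing;
  extraConfig = [
    ''
      RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1
      RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1
      RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse

      <Directory "${landing}">
        DirectoryIndex index.html
        AllowOverride None
        Require all granted
        Options -Indexes

        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
        </FilesMatch>
      </Directory>
    ''
    # Per-application snippets, each handed the unix socket of its own FPM
    # pool.  ympd's takes none: its UI is the standalone daemon declared in
    # systemd.services.ympd (presumably reverse-proxied by the snippet).
    (adminer.apache.vhostConf pcfg.adminer.socket)
    ympd.apache.vhostConf
    (ttrss.apache.vhostConf pcfg.ttrss.socket)
    (wallabag.apache.vhostConf pcfg.wallabag.socket)
    (yourls.apache.vhostConf pcfg.yourls.socket)
    (rompr.apache.vhostConf pcfg.rompr.socket)
    (shaarli.apache.vhostConf pcfg.shaarli.socket)
    (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket)
    (ldap.apache.vhostConf pcfg.ldap.socket)
    (kanboard.apache.vhostConf pcfg.kanboard.socket)
    (grocy.apache.vhostConf pcfg.grocy.socket)
    (phpbb.apache.vhostConf pcfg.phpbb.socket)
    (dmarc-reports.apache.vhostConf pcfg.dmarc-reports.socket)
    ''
      # Pastes published by the fiche daemon (services.fiche).  Static only:
      # no PHP handler is attached to this tree.
      Alias /paste /var/lib/fiche
      <Directory "/var/lib/fiche">
        DirectoryIndex index.txt index.html
        AllowOverride None
        Require all granted
        Options -Indexes
      </Directory>

      # Static buildbot output; listing disabled like the other mutable trees.
      Alias /BIP39 /var/lib/buildbot/outputs/immae/bip39
      <Directory "/var/lib/buildbot/outputs/immae/bip39">
        DirectoryIndex index.html
        AllowOverride None
        Require all granted
        Options -Indexes
      </Directory>

      # Webhook receivers, served out of the secrets tree (presumably because
      # they embed credentials) and executed by the shared `tools` pool.
      # Only *.php is routed to FPM: any other file placed in this directory
      # is served verbatim, so it must hold nothing but the scripts.
      Alias /webhooks ${config.secrets.location}/webapps/webhooks
      <Directory "${config.secrets.location}/webapps/webhooks">
        Options -Indexes
        Require all granted
        AllowOverride None
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
        </FilesMatch>
      </Directory>
    ''
  ];
};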
194
# outils.immae.eu: redirect-only host (no document root).  Known legacy
# paths go to the hosts that now serve them; everything else falls through
# to the same path on tools.immae.eu.  Directive order matters: the
# catch-all must stay last.  Every target host is fixed and only the
# client-supplied path is re-emitted, so this is not an open redirect.
# (`.` in `caldav.php` is an unescaped regex metacharacter; harmless here.)
services.websites.env.tools.vhostConfs.outils = {
  certName = "eldiron";
  addToCerts = true;
  hosts = [ "outils.immae.eu" ];
  root = null;
  extraConfig = [
    ''
      RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1

      RedirectMatch 301 ^/ether(.*)$ https://ether.immae.eu$1

      RedirectMatch 301 ^/nextcloud(.*)$ https://cloud.immae.eu$1
      RedirectMatch 301 ^/owncloud(.*)$ https://cloud.immae.eu$1

      RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
      RedirectMatch 301 ^/caldavzap(.*)$ https://dav.immae.eu/infcloud$1
      RedirectMatch 301 ^/caldav.php(.*)$ https://dav.immae.eu/caldav.php$1
      RedirectMatch 301 ^/davical(.*)$ https://dav.immae.eu/davical$1

      RedirectMatch 301 ^/taskweb(.*)$ https://task.immae.eu/taskweb$1

      RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1

      RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse

      RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1

      RedirectMatch 301 ^/(.*)$ https://tools.immae.eu/$1
    ''
  ];
};
226
systemd.services =
  let
    # Make an app's FPM pool wait for (and pull in) the services its module
    # declares as dependencies; `mkAfter` appends them after whatever the
    # phpfpm module already orders the unit behind.
    fpmDeps = app: {
      after = lib.mkAfter app.phpFpm.serviceDeps;
      wants = app.phpFpm.serviceDeps;
    };
  in {
    phpfpm-dokuwiki = fpmDeps dokuwiki;
    phpfpm-phpbb = fpmDeps phpbb;
    phpfpm-kanboard = fpmDeps kanboard;
    phpfpm-ldap = fpmDeps ldap;
    phpfpm-shaarli = fpmDeps shaarli;
    phpfpm-ttrss = fpmDeps ttrss;
    # wallabag additionally runs its own pre-start hook.
    phpfpm-wallabag = fpmDeps wallabag // {
      preStart = lib.mkAfter wallabag.phpFpm.preStart;
    };
    phpfpm-yourls = fpmDeps yourls;

    ympd = {
      description = "Standalone MPD Web GUI written in C";
      wantedBy = [ "multi-user.target" ];
      # No User= is set, so the unit starts as root and relies on ympd's own
      # `--user nobody` to drop privileges.  The MPD password is read from
      # /var/secrets/mpd at start and passed through the environment: it is
      # visible in the daemon's process environment but never enters the
      # Nix store.  services.filesWatcher.ympd restarts the unit when the
      # secret changes, since it is only read here.
      script = ''
        export MPD_PASSWORD=$(cat /var/secrets/mpd)
        ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
      '';
    };
    tt-rss = {
      description = "Tiny Tiny RSS feeds update daemon";
      # Feed updater running as the web user against tt-rss's own webRoot;
      # it needs PostgreSQL up before it starts.
      # NOTE(review): PermissionsStartOnly only affects ExecStartPre/Post
      # commands, of which there are none, so it has no effect here.
      serviceConfig = {
        User = "wwwrun";
        ExecStart = "${pkgs.php72}/bin/php ${ttrss.webRoot}/update.php --daemon";
        StandardOutput = "syslog";
        StandardError = "syslog";
        PermissionsStartOnly = true;
      };

      wantedBy = [ "multi-user.target" ];
      requires = ["postgresql.service"];
      after = ["network.target" "postgresql.service"];
    };
  };
284
# Restart ympd whenever the MPD password file changes: the unit's script
# reads /var/secrets/mpd once at start, so a rotated secret is otherwise
# not picked up.
services.filesWatcher.ympd = {
  restart = true;
  paths = [ "/var/secrets/mpd" ];
};
289
services.phpfpm.pools =
  let
    # Common shape of the per-application pools: every app runs as the one
    # `wwwrun` user on PHP 7.2, with the pool settings supplied by the app's
    # own module.  Pools that differ override the relevant attribute (`//`).
    appPool = app: {
      user = "wwwrun";
      group = "wwwrun";
      settings = app.phpFpm.pool;
      phpPackage = pkgs.php72;
    };
    # Socket ownership and process-manager knobs shared by the two
    # hand-written pools below.
    pmSettings = {
      "listen.owner" = "wwwrun";
      "listen.group" = "wwwrun";
      "pm" = "dynamic";
      "pm.max_children" = "60";
      "pm.start_servers" = "2";
      "pm.min_spare_servers" = "1";
      "pm.max_spare_servers" = "10";
    };
  in {
    # Serves the landing page and the /webhooks scripts (both vhost stanzas
    # point at this pool's socket).
    tools = {
      user = "wwwrun";
      group = "wwwrun";
      settings = pmSettings // {
        # Needed to avoid clashes in browser cookies (same domain)
        "php_value[session.name]" = "ToolsPHPSESSID";
        # PHP may only touch the landing page, the webhook scripts, /tmp and
        # the sendmail wrapper.
        "php_admin_value[open_basedir]" = lib.concatStringsSep ":" [
          "/run/wrappers/bin/sendmail"
          landing
          "/tmp"
          "${config.secrets.location}/webapps/webhooks"
        ];
        # CSP-report credentials stay out of the Nix store and are pulled in
        # from the secrets tree when the pool starts.
        # NOTE(review): whatever that file sets (env[...]/php_value[...]) is
        # visible to every script this pool runs, the /webhooks receivers
        # included.
        "include" = "${config.secrets.location}/webapps/tools-csp-reports.conf";
      };
      phpEnv = {
        CONTACT_EMAIL = config.myEnv.tools.contact;
      };
      phpPackage = pkgs.php72;
    };
    # Runs the FTP-backed devtools.immae.eu tree.  open_basedir is what keeps
    # its PHP away from the other applications' files (same `wwwrun` user);
    # that is a PHP-level restriction only — shell-outs are not covered, and
    # no disable_functions is set here.
    devtools = {
      user = "wwwrun";
      group = "wwwrun";
      settings = pmSettings // {
        "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp";
      };
      phpPackage = pkgs.php72.withExtensions ({ enabled, all }: enabled ++ [ all.mysqli all.redis all.apcu all.opcache ]);
    };
    # adminer ships its whole pool definition itself.
    adminer = adminer.phpFpm;
    ttrss = appPool ttrss;
    # wallabag is the one app on PHP 7.3 (with tidy), matching its build.
    wallabag = appPool wallabag // {
      phpPackage = pkgs.php73.withExtensions ({ enabled, all }: enabled ++ [ all.tidy ]);
    };
    yourls = appPool yourls;
    rompr = appPool rompr;
    shaarli = appPool shaarli;
    dmarc-reports = appPool dmarc-reports // {
      phpEnv = dmarc-reports.phpFpm.phpEnv;
    };
    dokuwiki = appPool dokuwiki;
    phpbb = appPool phpbb;
    ldap = appPool ldap;
    kanboard = appPool kanboard;
    grocy = appPool grocy;
  };
401
# Activation-time setup for each application, keyed by app name; what each
# script does is defined in the app's own file.
system.activationScripts =
  lib.mapAttrs (_: app: app.activationScript) {
    inherit adminer grocy ttrss wallabag yourls rompr shaarli dokuwiki phpbb kanboard ldap;
  };
415
# Maps the name under which Apache exposes each application (its
# `apache.webappName`) to the document root it serves.  adminer uses the
# fixed key `_adminer`; phpldapadmin exposes only its `htdocs` subdirectory,
# presumably so that the rest of the package stays out of the web root.
services.websites.webappDirs = {
  _adminer = adminer.webRoot;
  "${dmarc-reports.apache.webappName}" = dmarc-reports.webRoot;
  "${dokuwiki.apache.webappName}" = dokuwiki.webRoot;
  "${phpbb.apache.webappName}" = phpbb.webRoot;
  "${ldap.apache.webappName}" = "${ldap.webRoot}/htdocs";
  "${rompr.apache.webappName}" = rompr.webRoot;
  "${shaarli.apache.webappName}" = shaarli.webRoot;
  "${ttrss.apache.webappName}" = ttrss.webRoot;
  "${wallabag.apache.webappName}" = wallabag.webRoot;
  "${yourls.apache.webappName}" = yourls.webRoot;
  "${kanboard.apache.webappName}" = kanboard.webRoot;
  "${grocy.apache.webappName}" = grocy.webRoot;
};
430
# Secret rotation: reload the tools web environment when shaarli's secret
# file changes, and restart wallabag's FPM pool when its own does.
# NOTE(review): the other apps that request secrets (ttrss, yourls, ldap,
# kanboard, ...) have no watcher — presumably they read their secrets per
# request rather than at start; verify.
services.websites.env.tools.watchPaths = [
  "/var/secrets/webapps/tools-shaarli"
];
services.filesWatcher.phpfpm-wallabag = {
  restart = true;
  paths = [ "/var/secrets/webapps/tools-wallabag" ];
};
438
# fiche paste daemon listening on the port from myEnv; the files it writes
# are served as /paste by the tools vhost (Alias /paste /var/lib/fiche), and
# `domain`/`https` presumably shape the URL it hands back to clients.
# NOTE(review): fiche accepts raw TCP input without authentication, so
# anything able to reach that port can publish under tools.immae.eu/paste —
# confirm the listener is restricted to the intended network.
services.fiche = {
  enable = true;
  port = config.myEnv.ports.fiche;
  domain = "tools.immae.eu/paste";
  https = true;
};
445 };
446 }
447