{ lib, pkgs, config, ... }:
let
  # Interpreters shared by several of the applications below.
  php72 = pkgs.php72;
  php73WithTidy = pkgs.php73.withExtensions (e: pkgs.php73.enabledExtensions ++ [ e.tidy ]);

  # Per-application packages. The module body below reads a subset of
  # keys / backups / apache / phpFpm / activationScript / webRoot from each
  # of them; what a given package actually exposes is defined in ./<app>.nix.
  adminer = pkgs.callPackage ./adminer.nix { inherit (pkgs.webapps) adminer; };
  ympd = pkgs.callPackage ./ympd.nix { env = config.myEnv.tools.ympd; };
  ttrss = pkgs.callPackage ./ttrss.nix {
    inherit (pkgs.webapps) ttrss ttrss-plugins;
    env = config.myEnv.tools.ttrss;
    php = php72;
  };
  kanboard = pkgs.callPackage ./kanboard.nix { env = config.myEnv.tools.kanboard; };
  wallabag = pkgs.callPackage ./wallabag.nix {
    wallabag = pkgs.webapps.wallabag.override {
      composerEnv = pkgs.composerEnv.override { php = php73WithTidy; };
    };
    env = config.myEnv.tools.wallabag;
  };
  yourls = pkgs.callPackage ./yourls.nix {
    inherit (pkgs.webapps) yourls yourls-plugins;
    env = config.myEnv.tools.yourls;
  };
  rompr = pkgs.callPackage ./rompr.nix {
    inherit (pkgs.webapps) rompr;
    env = config.myEnv.tools.rompr;
  };
  shaarli = pkgs.callPackage ./shaarli.nix { env = config.myEnv.tools.shaarli; };
  dokuwiki = pkgs.callPackage ./dokuwiki.nix { inherit (pkgs.webapps) dokuwiki dokuwiki-plugins; };
  ldap = pkgs.callPackage ./ldap.nix {
    inherit (pkgs.webapps) phpldapadmin;
    env = config.myEnv.tools.phpldapadmin;
  };
  grocy = pkgs.callPackage ./grocy.nix {
    grocy = pkgs.webapps.grocy.override {
      composerEnv = pkgs.composerEnv.override { php = php72; };
    };
  };
  phpbb = pkgs.callPackage ./phpbb.nix {
    phpbb = (pkgs.webapps.phpbb.withLangs (l: [ l.fr ])).withExts (e: [
      e.alfredoramos.markdown
      e.davidiq.mailinglist
      e.dmzx.mchat
      e.empteintesduweb.monitoranswers
      e.lr94.autosubscribe
      e.phpbbmodders.adduser
    ]);
  };
  webhooks = pkgs.callPackage ./webhooks.nix { env = config.myEnv.tools.webhooks; };
  dmarc-reports = pkgs.callPackage ./dmarc_reports.nix { env = config.myEnv.tools.dmarc_reports; };

  landing = pkgs.callPackage ./landing.nix {};

  cfg = config.myServices.websites.tools.tools;
  pcfg = config.services.phpfpm.pools;

  # Apache snippet of an application whose PHP handler is the socket of the
  # php-fpm pool registered under `poolName` below.
  vhostWithSocket = poolName: app: app.apache.vhostConf pcfg.${poolName}.socket;

  # Shape shared by every application pool: the unprivileged web user, the
  # pool settings the application package exports, PHP 7.2 unless `extra`
  # overrides any of these.
  appPool = app: extra: {
    user = "wwwrun";
    group = "wwwrun";
    settings = app.phpFpm.pool;
    phpPackage = php72;
  } // extra;

  # Ordering of a phpfpm-<app> unit after the services its application
  # depends on, and pulling them in.
  phpFpmUnit = app: {
    after = lib.mkAfter app.phpFpm.serviceDeps;
    wants = app.phpFpm.serviceDeps;
  };
in
{
  options.myServices.websites.tools.tools = {
    enable = lib.mkEnableOption "enable tools website";
  };

  config = lib.mkIf cfg.enable {
    # Secret files required by the applications, gathered from their packages.
    secrets.keys = lib.concatMap (app: app.keys) [
      kanboard ldap shaarli ttrss wallabag yourls dmarc-reports webhooks
    ];

    services.duplyBackup.profiles = builtins.mapAttrs (_: app: app.backups) {
      inherit dokuwiki grocy kanboard rompr shaarli ttrss wallabag phpbb;
    };

    # proxy_fcgi is needed by the SetHandler "proxy:unix:..." directives below;
    # every application adds the modules its own snippet relies on.
    services.websites.env.tools.modules =
      [ "proxy_fcgi" ] ++ lib.concatMap (app: app.apache.modules) [
        adminer ympd ttrss wallabag yourls rompr shaarli dokuwiki
        dmarc-reports phpbb ldap kanboard
      ];

    services.websites.env.integration.vhostConfs.devtools = {
      certName = "integration";
      certMainHost = "devtools.immae.eu";
      addToCerts = true;
      hosts = [ "devtools.immae.eu" ];
      root = "/var/lib/ftp/devtools.immae.eu";
      extraConfig = [
        # Report-Only: violations of the inline policy are reported, not blocked.
        # NOTE(review): the document root sits under /var/lib/ftp, is served with
        # AllowOverride all and has a live PHP handler, so .htaccess and .php
        # files placed there take effect — confirm who can write to that path.
        ''
        Timeout 600
        ProxyTimeout 600
        Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
        <Directory "/var/lib/ftp/devtools.immae.eu">
          DirectoryIndex index.php index.htm index.html
          AllowOverride all
          Require all granted
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost"
          </FilesMatch>
        </Directory>
        ''
      ];
    };

    services.websites.env.tools.vhostConfs.tools = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "tools.immae.eu" ];
      root = landing;
      extraConfig = [
        # Legacy locations now living on other hosts, then the landing page itself.
        ''
        RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1
        RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1
        RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse

        <Directory "${landing}">
          DirectoryIndex index.html
          AllowOverride None
          Require all granted

          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
          </FilesMatch>
        </Directory>
        ''
        # One snippet per application; the order is the order of the Apache config.
        (vhostWithSocket "adminer" adminer)
        ympd.apache.vhostConf
        (vhostWithSocket "ttrss" ttrss)
        (vhostWithSocket "wallabag" wallabag)
        (vhostWithSocket "yourls" yourls)
        (vhostWithSocket "rompr" rompr)
        (vhostWithSocket "shaarli" shaarli)
        (vhostWithSocket "dokuwiki" dokuwiki)
        (vhostWithSocket "ldap" ldap)
        (vhostWithSocket "kanboard" kanboard)
        (vhostWithSocket "grocy" grocy)
        (vhostWithSocket "phpbb" phpbb)
        (vhostWithSocket "dmarc-reports" dmarc-reports)
        # Static/semi-static trees served directly; directory listings are off
        # for the paste and webhooks trees, and webhooks PHP goes through the
        # "tools" pool (whose open_basedir includes that directory).
        ''
        Alias /paste /var/lib/fiche
        <Directory "/var/lib/fiche">
          DirectoryIndex index.txt index.html
          AllowOverride None
          Require all granted
          Options -Indexes
        </Directory>

        Alias /BIP39 /var/lib/buildbot/outputs/immae/bip39
        <Directory "/var/lib/buildbot/outputs/immae/bip39">
          DirectoryIndex index.html
          AllowOverride None
          Require all granted
        </Directory>

        Alias /webhooks ${config.secrets.location}/webapps/webhooks
        <Directory "${config.secrets.location}/webapps/webhooks">
          Options -Indexes
          Require all granted
          AllowOverride None
          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
          </FilesMatch>
        </Directory>
        ''
      ];
    };

    # outils.immae.eu only redirects: known old paths to their new homes,
    # everything else to tools.immae.eu.
    services.websites.env.tools.vhostConfs.outils = {
      certName = "eldiron";
      addToCerts = true;
      hosts = [ "outils.immae.eu" ];
      root = null;
      extraConfig = [
        ''
        RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1

        RedirectMatch 301 ^/ether(.*)$ https://ether.immae.eu$1

        RedirectMatch 301 ^/nextcloud(.*)$ https://cloud.immae.eu$1
        RedirectMatch 301 ^/owncloud(.*)$ https://cloud.immae.eu$1

        RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
        RedirectMatch 301 ^/caldavzap(.*)$ https://dav.immae.eu/infcloud$1
        RedirectMatch 301 ^/caldav.php(.*)$ https://dav.immae.eu/caldav.php$1
        RedirectMatch 301 ^/davical(.*)$ https://dav.immae.eu/davical$1

        RedirectMatch 301 ^/taskweb(.*)$ https://task.immae.eu/taskweb$1

        RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1

        RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse

        RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1

        RedirectMatch 301 ^/(.*)$ https://tools.immae.eu/$1
        ''
      ];
    };

    systemd.services = {
      phpfpm-dokuwiki = phpFpmUnit dokuwiki;
      phpfpm-phpbb = phpFpmUnit phpbb;
      phpfpm-kanboard = phpFpmUnit kanboard;
      phpfpm-ldap = phpFpmUnit ldap;
      phpfpm-shaarli = phpFpmUnit shaarli;
      phpfpm-ttrss = phpFpmUnit ttrss;
      phpfpm-wallabag = phpFpmUnit wallabag // {
        preStart = lib.mkAfter wallabag.phpFpm.preStart;
      };
      phpfpm-yourls = phpFpmUnit yourls;
      # The MPD password is read from /var/secrets/mpd at unit start (not baked
      # into the unit file); services.filesWatcher.ympd below restarts the unit
      # when that file changes.
      ympd = {
        description = "Standalone MPD Web GUI written in C";
        wantedBy = [ "multi-user.target" ];
        script = ''
          export MPD_PASSWORD=$(cat /var/secrets/mpd)
          ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
        '';
      };
      tt-rss = {
        description = "Tiny Tiny RSS feeds update daemon";
        serviceConfig = {
          User = "wwwrun";
          ExecStart = "${pkgs.php72}/bin/php ${ttrss.webRoot}/update.php --daemon";
          StandardOutput = "syslog";
          StandardError = "syslog";
          PermissionsStartOnly = true;
        };

        wantedBy = [ "multi-user.target" ];
        requires = [ "postgresql.service" ];
        after = [ "network.target" "postgresql.service" ];
      };
    };

    services.filesWatcher.ympd = {
      restart = true;
      paths = [ "/var/secrets/mpd" ];
    };

    services.phpfpm.pools = {
      # Pool behind the landing page and the /webhooks tree.
      tools = {
        user = "wwwrun";
        group = "wwwrun";
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "ToolsPHPSESSID";
          # Limits the paths PHP may open to the landing page, the webhooks
          # directory, /tmp and the sendmail wrapper.
          "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
            "/run/wrappers/bin/sendmail" landing "/tmp"
            "${config.secrets.location}/webapps/webhooks"
          ];
        };
        phpEnv =
          let pg = config.myEnv.tools.csp_reports.postgresql;
          in {
            CONTACT_EMAIL = config.myEnv.tools.contact;
            # NOTE(review): this puts the CSP-reports database password into the
            # pool's environment block; confirm the generated pool configuration
            # is not world-readable.
            CSP_REPORT_URI = "\"host=${pg.socket} dbname=${pg.database} user=${pg.user} password=${pg.password}\"";
          };
        phpPackage = php72;
      };
      devtools = {
        user = "wwwrun";
        group = "wwwrun";
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp";
        };
        phpPackage = pkgs.php72.withExtensions (e: pkgs.php72.enabledExtensions ++ [ e.mysqli e.redis e.apcu e.opcache ]);
      };
      adminer = adminer.phpFpm;
      ttrss = appPool ttrss {};
      wallabag = appPool wallabag { phpPackage = php73WithTidy; };
      yourls = appPool yourls {};
      rompr = appPool rompr {};
      shaarli = appPool shaarli {};
      dmarc-reports = appPool dmarc-reports { phpEnv = dmarc-reports.phpFpm.phpEnv; };
      dokuwiki = appPool dokuwiki {};
      phpbb = appPool phpbb {};
      ldap = appPool ldap {};
      kanboard = appPool kanboard {};
      grocy = appPool grocy {};
    };

    system.activationScripts = builtins.mapAttrs (_: app: app.activationScript) {
      inherit adminer grocy ttrss wallabag yourls rompr shaarli dokuwiki phpbb kanboard ldap;
    };

    services.websites.webappDirs = {
      _adminer = adminer.webRoot;
      "${dmarc-reports.apache.webappName}" = dmarc-reports.webRoot;
      "${dokuwiki.apache.webappName}" = dokuwiki.webRoot;
      "${phpbb.apache.webappName}" = phpbb.webRoot;
      "${ldap.apache.webappName}" = "${ldap.webRoot}/htdocs";
      "${rompr.apache.webappName}" = rompr.webRoot;
      "${shaarli.apache.webappName}" = shaarli.webRoot;
      "${ttrss.apache.webappName}" = ttrss.webRoot;
      "${wallabag.apache.webappName}" = wallabag.webRoot;
      "${yourls.apache.webappName}" = yourls.webRoot;
      "${kanboard.apache.webappName}" = kanboard.webRoot;
      "${grocy.apache.webappName}" = grocy.webRoot;
    };

    # Secret files whose change must be picked up without a rebuild.
    services.websites.env.tools.watchPaths = [
      "/var/secrets/webapps/tools-shaarli"
    ];
    services.filesWatcher.phpfpm-wallabag = {
      restart = true;
      paths = [ "/var/secrets/webapps/tools-wallabag" ];
    };

    services.fiche = {
      enable = true;
      port = config.myEnv.ports.fiche;
      domain = "tools.immae.eu/paste";
      https = true;
    };
  };
}