[perso/Immae/Config/Nix.git] / nixops / modules / websites / chloe / chloe.nix

{ chloe, config }:
rec {
  app = chloe.override { inherit (config) environment; };
  phpFpm = rec {
    serviceDeps = [ "mysql.service" ];
    socket = "/var/run/phpfpm/chloe-${app.environment}.sock";
    pool = ''
      listen = ${socket}
      user = ${apache.user}
      group = ${apache.group}
      listen.owner = ${apache.user}
      listen.group = ${apache.group}
      php_admin_value[upload_max_filesize] = 20M
      php_admin_value[post_max_size] = 20M
      ;php_admin_flag[log_errors] = on
      php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"
      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
      ${if app.environment == "dev" then ''
      pm = ondemand
      pm.max_children = 5
      pm.process_idle_timeout = 60
      '' else ''
      pm = dynamic
      pm.max_children = 20
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 3
      ''}'';
  };
  keys = [{
    dest = "webapps/${app.environment}-chloe";
    user = apache.user;
    group = apache.group;
    permissions = "0400";
    text = ''
      SetEnv SPIP_CONFIG_DIR     "${configDir}"
      SetEnv SPIP_VAR_DIR        "${app.varDir}"
      SetEnv SPIP_SITE           "chloe-${app.environment}"
      SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
      SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
      SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
      SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
      SetEnv SPIP_LDAP_SEARCH    "${config.ldap.search}"
      SetEnv SPIP_MYSQL_HOST     "${config.mysql.host}"
      SetEnv SPIP_MYSQL_PORT     "${config.mysql.port}"
      SetEnv SPIP_MYSQL_DB       "${config.mysql.name}"
      SetEnv SPIP_MYSQL_USER     "${config.mysql.user}"
      SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
    '';
  }];
  apache = rec {
    user = "wwwrun";
    group = "wwwrun";
    modules = [ "proxy_fcgi" ];
    webappName = "chloe_${app.environment}";
    root = "/run/current-system/webapps/${webappName}";
    vhostConf = ''
      Include /var/secrets/webapps/${app.environment}-chloe

      RewriteEngine On
      ${if app.environment == "prod" then ''
      RewriteRule ^/news.rss  /spip.php?page=backend&id_rubrique=1
      '' else ""}

      <FilesMatch "\.php$">
        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
      </FilesMatch>

      <Directory ${root}>
        DirectoryIndex index.php index.htm index.html
        Options -Indexes +FollowSymLinks +MultiViews +Includes
        Include ${root}/htaccess.txt

        AllowOverride AuthConfig FileInfo Limit
        Require all granted
      </Directory>

      <DirectoryMatch "${root}/squelettes">
        Require all denied
      </DirectoryMatch>

      <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
        Require all denied
      </FilesMatch>

      ${if app.environment == "dev" then ''
      <Location />
        Use LDAPConnect
        Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
      </Location>
      '' else ''
      Use Stats osteopathe-cc.fr
      ''}
      '';
  };
  activationScript = {
    deps = [ "wrappers" ];
    text = ''
      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${app.varDir}/phpSessions
    '';
  };
  configDir = ./chloe_config_ + app.environment;
}