nixops/modules/websites/tools/diaspora.nix

   1 { lib, pkgs, config, myconfig, mylibs, ... }:
   2 let
   3   env = myconfig.env.tools.diaspora;
   4   root = "/run/current-system/webapps/tools_diaspora";
   5   cfg = config.services.myWebsites.tools.diaspora;
   6   dcfg = config.services.diaspora;
   7 in {
   8   options.services.myWebsites.tools.diaspora = {
   9     enable = lib.mkEnableOption "enable diaspora's website";
  10   };
  11
  12   config = lib.mkIf cfg.enable {
  13     users.users.diaspora.extraGroups = [ "keys" ];
  14
  15     secrets.keys = [
  16       {
  17         dest = "webapps/diaspora/diaspora.yml";
  18         user = "diaspora";
  19         group = "diaspora";
  20         permissions = "0400";
  21         text = ''
  22         configuration:
  23           environment:
  24             url: "https://diaspora.immae.eu/"
  25             certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
  26             redis: '${env.redis_url}'
  27             sidekiq:
  28             s3:
  29             assets:
  30             logging:
  31               logrotate:
  32               debug:
  33           server:
  34             listen: '${dcfg.sockets.rails}'
  35             rails_environment: 'production'
  36           chat:
  37             server:
  38               bosh:
  39               log:
  40           map:
  41             mapbox:
  42           privacy:
  43             piwik:
  44             statistics:
  45             camo:
  46           settings:
  47             enable_registrations: false
  48             welcome_message:
  49             invitations:
  50               open: false
  51             paypal_donations:
  52             community_spotlight:
  53             captcha:
  54               enable: false
  55             terms:
  56             maintenance:
  57               remove_old_users:
  58             default_metas:
  59             csp:
  60           services:
  61             twitter:
  62             tumblr:
  63             wordpress:
  64           mail:
  65             enable: true
  66             sender_address: 'diaspora@tools.immae.eu'
  67             method: 'sendmail'
  68             smtp:
  69             sendmail:
  70               location: '/run/wrappers/bin/sendmail'
  71           admins:
  72             account: "ismael"
  73             podmin_email: 'diaspora@tools.immae.eu'
  74           relay:
  75             outbound:
  76             inbound:
  77           ldap:
  78               enable: true
  79               host: ldap.immae.eu
  80               port: 636
  81               only_ldap: true
  82               mail_attribute: mail
  83               skip_email_confirmation: true
  84               use_bind_dn: true
  85               bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
  86               bind_pw: "${env.ldap.password}"
  87               search_base: "dc=immae,dc=eu"
  88               search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
  89         production:
  90           environment:
  91         development:
  92           environment:
  93         '';
  94       }
  95       {
  96         dest = "webapps/diaspora/database.yml";
  97         user = "diaspora";
  98         group = "diaspora";
  99         permissions = "0400";
 100         text = ''
 101         postgresql: &postgresql
 102           adapter: postgresql
 103           host: "${env.postgresql.socket}"
 104           port: "${env.postgresql.port}"
 105           username: "${env.postgresql.user}"
 106           password: "${env.postgresql.password}"
 107           encoding: unicode
 108         common: &common
 109           <<: *postgresql
 110         combined: &combined
 111           <<: *common
 112         development:
 113           <<: *combined
 114           database: diaspora_development
 115         production:
 116           <<: *combined
 117           database: ${env.postgresql.database}
 118         test:
 119           <<: *combined
 120           database: "diaspora_test"
 121         integration1:
 122           <<: *combined
 123           database: diaspora_integration1
 124         integration2:
 125           <<: *combined
 126           database: diaspora_integration2
 127         '';
 128       }
 129       {
 130         dest = "webapps/diaspora/secret_token.rb";
 131         user = "diaspora";
 132         group = "diaspora";
 133         permissions = "0400";
 134         text = ''
 135           Diaspora::Application.config.secret_key_base = '${env.secret_token}'
 136         '';
 137       }
 138     ];
 139
 140     services.diaspora = {
 141       enable = true;
 142       package = pkgs.webapps.diaspora.override { ldap = true; };
 143       dataDir = "/var/lib/diaspora_immae";
 144       adminEmail = "diaspora@tools.immae.eu";
 145       configDir = "/var/secrets/webapps/diaspora";
 146     };
 147
 148     services.myWebsites.tools.modules = [
 149       "headers" "proxy" "proxy_http"
 150     ];
 151     security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null;
 152     system.extraSystemBuilderCmds = ''
 153       mkdir -p $out/webapps
 154       ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora
 155       '';
 156     services.myWebsites.tools.vhostConfs.diaspora = {
 157       certName    = "eldiron";
 158       hosts       = [ "diaspora.immae.eu" ];
 159       root        = root;
 160       extraConfig = [ ''
 161         RewriteEngine On
 162         RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
 163         RewriteRule ^/(.*)$ unix://${dcfg.sockets.rails}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L]
 164
 165         ProxyRequests Off
 166         ProxyVia On
 167         ProxyPreserveHost On
 168         RequestHeader set X_FORWARDED_PROTO https
 169
 170         <Proxy *>
 171             Require all granted
 172         </Proxy>
 173
 174         <Directory ${root}>
 175             Require all granted
 176             Options -MultiViews
 177         </Directory>
 178       '' ];
 179     };
 180   };
 181 }