# Aggregates the "tools" website for eldiron. Every sub-application lives in its
# own .nix file next to this one and is instantiated below with pkgs.callPackage;
# the attributes they expose (apache.*, phpFpm.*, keys, activationScript,
# monitoring*, chatons*) are then merged into the NixOS configuration.
{ lib, pkgs, config, mypackages-lib, grocy, ... }:
let
  composerEnv = mypackages-lib.composerEnv;
  # Each app receives its own environment (credentials, hosts, ...) from
  # config.myEnv.tools.<name>, and the full module config where it needs it.
  adminer = pkgs.callPackage ./adminer.nix { inherit config; };
  ympd = pkgs.callPackage ./ympd.nix {
    env = config.myEnv.tools.ympd;
    inherit config;
  };
  # NOTE(review): ttrss, grocy and most pools below are pinned to pkgs.php72 and
  # wallabag to pkgs.php73; both PHP branches are past upstream end-of-life, so
  # their security fixes depend entirely on the nixpkgs pin in use — confirm.
  ttrss = pkgs.callPackage ./ttrss.nix {
    ttrss = pkgs.webapps-ttrss;
    ttrss-plugins = pkgs.webapps-ttrss-plugins;
    env = config.myEnv.tools.ttrss;
    php = pkgs.php72;
    inherit config;
  };
  kanboard = pkgs.callPackage ./kanboard.nix {
    inherit config;
    env = config.myEnv.tools.kanboard;
  };
  wallabag = pkgs.callPackage ./wallabag.nix {
    # wallabag's composer environment is rebuilt on a php73 that carries the
    # tidy extension (the wallabag pool below enables the same extension).
    wallabag = pkgs.webapps-wallabag.override {
      composerEnv = composerEnv.override {
        php = pkgs.php73.withExtensions({ enabled, all }: enabled ++ [all.tidy]);
      };
    };
    env = config.myEnv.tools.wallabag;
    inherit config;
  };
  yourls = pkgs.callPackage ./yourls.nix {
    yourls = pkgs.webapps-yourls;
    yourls-plugins = pkgs.webapps-yourls-plugins;
    env = config.myEnv.tools.yourls;
    inherit config;
  };
  rompr = pkgs.callPackage ./rompr.nix {
    rompr = pkgs.webapps-rompr;
    env = config.myEnv.tools.rompr;
    inherit config;
  };
  shaarli = pkgs.callPackage ./shaarli.nix {
    env = config.myEnv.tools.shaarli;
    inherit config;
  };
  dokuwiki = pkgs.callPackage ./dokuwiki.nix {
    dokuwiki = pkgs.webapps-dokuwiki;
    dokuwiki-plugins = pkgs.webapps-dokuwiki-plugins;
    inherit config;
  };
  ldap = pkgs.callPackage ./ldap.nix {
    phpldapadmin = pkgs.webapps-phpldapadmin;
    env = config.myEnv.tools.phpldapadmin;
    inherit config;
  };
  # grocy' shadows the grocy package taken from the module arguments, rebuilt
  # with a php72-based composer environment.
  grocy' = pkgs.callPackage ./grocy.nix {
    grocy = grocy.override { composerEnv = composerEnv.override { php = pkgs.php72; }; };
  };
  # phpBB with the French language pack and a fixed set of extensions.
  phpbb = pkgs.callPackage ./phpbb.nix {
    phpbb = (pkgs.webapps-phpbb.withLangs (l: [ l.fr ])).withExts (e: [
      e.alfredoramos.markdown e.davidiq.mailinglist e.dmzx.mchat
      e.empteintesduweb.monitoranswers e.lr94.autosubscribe
      e.phpbbmodders.adduser ]);
  };
  # Minimal bin-only environment handed to the webhooks scripts: only the
  # apprise binaries are linked, and its /bin is added to the tools pool's
  # open_basedir below.
  webhooks-bin-env = pkgs.buildEnv {
    name = "webhook-env";
    paths = [ pkgs.apprise ];
    pathsToLink = [ "/bin" ];
  };
  webhooks = pkgs.callPackage ./webhooks.nix {
    env = config.myEnv.tools.webhooks;
    binEnv = webhooks-bin-env;
  };
  dmarc-reports = pkgs.callPackage ./dmarc_reports.nix {
    env = config.myEnv.tools.dmarc_reports;
    inherit config;
  };

  # Static landing page used as the document root of tools.immae.eu.
  landing = pkgs.callPackage ./landing.nix { };

  cfg = config.myServices.websites.tools.tools;
  # Per-pool php-fpm configuration; used below for the unix socket paths that
  # the Apache SetHandler / vhostConf lines proxy to.
  pcfg = config.services.phpfpm.pools;
in {
  options.myServices.websites.tools.tools = {
    enable = lib.mkEnableOption "enable tools website";
  };

  config = lib.mkIf cfg.enable {
    # Services needing to send e-mails
    myServices.dns.zones."immae.eu".emailPolicies."tools".receive = true;
    myServices.dns.zones."immae.eu".subdomains =
      with config.myServices.dns.helpers;
      {
        outils = ips servers.eldiron.ips.main;
        tools = lib.mkMerge [
          (mailCommon "immae.eu")
          mailSend
          (ips servers.eldiron.ips.main)
        ];
      };

    # Service descriptions exported by each app; paste is described inline
    # because it has no sub-module of its own in this directory.
    myServices.chatonsProperties.services = {
      adminer = adminer.chatonsProperties;
      dokuwiki = dokuwiki.chatonsProperties;
      shaarli = shaarli.chatonsProperties;
      ttrss = ttrss.chatonsProperties;
      wallabag = wallabag.chatonsProperties;
      paste = {
        file.datetime = "2022-08-22T00:15:00";
        service = {
          name = "Paste";
          description = "A simple paster script with syntax highlight";
          website = "https://tools.immae.eu/paste/";
          logo = "https://assets.immae.eu/logo.jpg";
          status.level = "OK";
          status.description = "OK";
          registration."" = ["MEMBER" "CLIENT"];
          registration.load = "OPEN";
          install.type = "PACKAGE";
          guide.user = "https://tools.immae.eu/paste/";
        };
        software = {
          name = "Paste";
          website = "https://tools.immae.eu/paste/";
          license.url = "https://tools.immae.eu/paste/license";
          license.name = "MIT License";
          version = "Unversioned";
          source.url = "https://tools.immae.eu/paste/abcd123/py";
        };
      };
    };
    myServices.chatonsProperties.hostings = {
      dokuwiki = dokuwiki.chatonsHostingProperties;
      phpbb = phpbb.chatonsHostingProperties;
    };
    # Secret files required by each app, plus the landing page's PostgreSQL
    # credentials rendered as an Apache SetEnv snippet (mode 0400, owned by
    # wwwrun) that the tools vhost Include's inside the landing <Directory>.
    secrets.keys =
      kanboard.keys
      // ldap.keys
      // shaarli.keys
      // ttrss.keys
      // wallabag.keys
      // yourls.keys
      // dmarc-reports.keys
      // webhooks.keys
      // ({ "webapps/tools-landing-sql-rw" = {
        user = "wwwrun";
        group = "wwwrun";
        permissions = "0400";
        text = let
          env = config.myEnv.tools.landing;
        in ''
          SetEnv PGUSER "${env.postgresql.user}"
          SetEnv PGPASSWORD "${env.postgresql.password}"
          SetEnv PGDATABASE "${env.postgresql.database}"
          SetEnv PGHOST "${env.postgresql.socket}"
        '';
      }; });
    # Apache modules: proxy_fcgi for every php-fpm pool, plus whatever each app
    # requests for itself.
    services.websites.env.tools.modules =
      [ "proxy_fcgi" ]
      ++ adminer.apache.modules
      ++ ympd.apache.modules
      ++ ttrss.apache.modules
      ++ wallabag.apache.modules
      ++ yourls.apache.modules
      ++ rompr.apache.modules
      ++ shaarli.apache.modules
      ++ dokuwiki.apache.modules
      ++ dmarc-reports.apache.modules
      ++ phpbb.apache.modules
      ++ ldap.apache.modules
      ++ kanboard.apache.modules;

    myServices.dns.zones."immae.dev" = with config.myServices.dns.helpers; {
      subdomains.tools = ips servers.eldiron.ips.integration;
    };
    security.acme.certs.integration.domain = "tools.immae.dev";
    # Integration vhost (tools.immae.dev) served from the FTP tree.
    # NOTE(review): the document root is the FTP directory and PHP is executed
    # from it with AllowOverride all, so anyone able to upload there can run PHP
    # as wwwrun (confined only by the devtools pool's open_basedir) and supply
    # .htaccess directives — confirm this exposure is intended for the
    # integration host. The CSP header is Report-Only, so it observes but does
    # not block.
    services.websites.env.integration.vhostConfs.devtools = {
      certName = "integration";
      hosts = [ "tools.immae.dev" ];
      root = "/var/lib/ftp/immae/devtools";
      extraConfig = [
        ''
          Use Apaxy "/var/lib/ftp/immae/devtools" "title"
          Timeout 600
          ProxyTimeout 600
          Header always set Content-Security-Policy-Report-Only "${config.myEnv.tools.csp_reports.policies.inline}"
          <Directory "/var/lib/ftp/immae/devtools">
            DirectoryIndex index.php index.htm index.html
            AllowOverride all
            Require all granted
            <FilesMatch "\.php$">
              SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost"
            </FilesMatch>
          </Directory>
        ''
      ];
    };


    security.acme.certs.eldiron.extraDomainNames = [ "outils.immae.eu" "tools.immae.eu" ];
    # Main vhost: the landing root (with .htaccess disabled) plus each app's own
    # vhostConf wired to its php-fpm socket, then the raw snippets for paste
    # (gunicorn unix socket), ntfy (websocket + http over a unix socket), the
    # BIP39 static build output and the webhooks scripts.
    services.websites.env.tools.vhostConfs.tools = {
      certName = "eldiron";
      hosts = ["tools.immae.eu" ];
      root = landing;
      extraConfig = [
        ''
          RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1
          RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1
          RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse

          <Directory "${landing}">
            Include ${config.secrets.fullPaths."webapps/tools-landing-sql-rw"}
            DirectoryIndex index.html
            AllowOverride None
            Require all granted

            <FilesMatch "\.php$">
              SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
            </FilesMatch>
          </Directory>
        ''
        (adminer.apache.vhostConf pcfg.adminer.socket)
        ympd.apache.vhostConf
        (ttrss.apache.vhostConf pcfg.ttrss.socket)
        (wallabag.apache.vhostConf pcfg.wallabag.socket)
        (yourls.apache.vhostConf pcfg.yourls.socket)
        (rompr.apache.vhostConf pcfg.rompr.socket)
        (shaarli.apache.vhostConf pcfg.shaarli.socket)
        (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket)
        (ldap.apache.vhostConf pcfg.ldap.socket)
        (kanboard.apache.vhostConf pcfg.kanboard.socket)
        (grocy'.apache.vhostConf pcfg.grocy.socket)
        (phpbb.apache.vhostConf pcfg.phpbb.socket)
        (dmarc-reports.apache.vhostConf pcfg.dmarc-reports.socket)
        # Non-PHP services proxied or aliased under the same host. Both
        # "/paste/" and "/paste" are mapped, presumably so the unslashed form
        # reaches the app too. The ntfy location caps request bodies at 100 KiB
        # (LimitRequestBody 102400); webhooks are served from the secrets path
        # through the shared tools pool, with directory listing disabled.
        ''
          <Location "/paste/">
            ProxyPass unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
            ProxyPassReverse unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
            ProxyPreserveHost on
          </Location>
          <Location "/paste">
            ProxyPass unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
            ProxyPassReverse unix://${config.services.paste.sockets.gunicorn}|http://tools.immae.eu/paste/
            ProxyPreserveHost on
          </Location>

          <Location "/ntfy/">
            SetEnv proxy-nokeepalive 1
            SetEnv proxy-sendchunked 1
            LimitRequestBody 102400

            RewriteEngine On

            # FIXME: why is landing prefixed in the url?
            RewriteCond %{HTTP:Upgrade} websocket [NC]
            RewriteCond %{HTTP:Connection} upgrade [NC]
            RewriteRule ^(${landing}/ntfy)?/?(.*) unix:///run/ntfy/ntfy.sock|ws://tools.immae.eu/$2 [P,NE,QSA,L]

            RewriteRule ^(${landing}/ntfy)?/?(.*) unix:///run/ntfy/ntfy.sock|http://tools.immae.eu/$2 [P,NE,QSA,L]
          </Location>
          Alias /BIP39 /var/lib/buildbot/outputs/immae/bip39
          <Directory "/var/lib/buildbot/outputs/immae/bip39">
            DirectoryIndex index.html
            AllowOverride None
            Require all granted
          </Directory>

          Alias /webhooks ${config.secrets.fullPaths."webapps/webhooks"}
          <Directory "${config.secrets.fullPaths."webapps/webhooks"}">
            Options -Indexes
            DirectoryIndex index.php
            Require all granted
            AllowOverride None
            <FilesMatch "\.php$">
              SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost"
            </FilesMatch>
          </Directory>
        ''
      ];
    };

    # Legacy host: every former path gets a 301 to its new home, and the final
    # catch-all sends everything else to tools.immae.eu.
    services.websites.env.tools.vhostConfs.outils = {
      certName = "eldiron";
      hosts = [ "outils.immae.eu" ];
      root = null;
      extraConfig = [
        ''
          RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1

          RedirectMatch 301 ^/ether(.*)$ https://ether.immae.eu$1

          RedirectMatch 301 ^/nextcloud(.*)$ https://cloud.immae.eu$1
          RedirectMatch 301 ^/owncloud(.*)$ https://cloud.immae.eu$1

          RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
          RedirectMatch 301 ^/caldavzap(.*)$ https://dav.immae.eu/infcloud$1
          RedirectMatch 301 ^/caldav.php(.*)$ https://dav.immae.eu/caldav.php$1
          RedirectMatch 301 ^/davical(.*)$ https://dav.immae.eu/davical$1

          RedirectMatch 301 ^/taskweb(.*)$ https://task.immae.eu/taskweb$1

          RedirectMatch 301 ^/roundcube(.*)$ https://mail.immae.eu/roundcube$1

          RedirectMatch 301 ^/jappix(.*)$ https://im.immae.fr/converse

          RedirectMatch 301 ^/vpn(.*)$ https://vpn.immae.eu$1

          RedirectMatch 301 ^/(.*)$ https://tools.immae.eu/$1
        ''
      ];
    };

    # php-fpm units are ordered after, and pull in, the service dependencies
    # each app declares; wallabag additionally appends its own preStart.
    systemd.services = {
      phpfpm-dokuwiki = {
        after = lib.mkAfter dokuwiki.phpFpm.serviceDeps;
        wants = dokuwiki.phpFpm.serviceDeps;
      };
      phpfpm-phpbb = {
        after = lib.mkAfter phpbb.phpFpm.serviceDeps;
        wants = phpbb.phpFpm.serviceDeps;
      };
      phpfpm-kanboard = {
        after = lib.mkAfter kanboard.phpFpm.serviceDeps;
        wants = kanboard.phpFpm.serviceDeps;
      };
      phpfpm-ldap = {
        after = lib.mkAfter ldap.phpFpm.serviceDeps;
        wants = ldap.phpFpm.serviceDeps;
      };
      phpfpm-shaarli = {
        after = lib.mkAfter shaarli.phpFpm.serviceDeps;
        wants = shaarli.phpFpm.serviceDeps;
      };
      phpfpm-ttrss = {
        after = lib.mkAfter ttrss.phpFpm.serviceDeps;
        wants = ttrss.phpFpm.serviceDeps;
      };
      phpfpm-wallabag = {
        after = lib.mkAfter wallabag.phpFpm.serviceDeps;
        wants = wallabag.phpFpm.serviceDeps;
        preStart = lib.mkAfter wallabag.phpFpm.preStart;
      };
      phpfpm-yourls = {
        after = lib.mkAfter yourls.phpFpm.serviceDeps;
        wants = yourls.phpFpm.serviceDeps;
      };
      # ntfy is reached only through the unix socket Apache proxies to
      # (--listen-http '' appears to disable the TCP listener — confirm) and
      # trusts the proxy's forwarding headers (--behind-proxy). It runs as
      # wwwrun with its cache and attachments under %S/ntfy.
      # NOTE(review): the unit carries no systemd sandboxing directives beyond
      # RuntimeDirectory/StateDirectory.
      ntfy = {
        description = "send push notifications to your phone or desktop via scripts from any computer";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${pkgs.ntfy-sh}/bin/ntfy serve --listen-http '' --listen-unix %t/ntfy/ntfy.sock --cache-file %S/ntfy/cache.db --cache-duration 120h --behind-proxy --attachment-cache-dir %S/ntfy/attachments --base-url https://tools.immae.eu/ntfy";
          Type = "simple";
          WorkingDirectory = "%S/ntfy";
          RuntimeDirectory = "ntfy";
          StateDirectory = "ntfy";
          User = "wwwrun";
        };
      };
      # The MPD password is read from the secret file at start-up and handed to
      # ympd through the environment. The unit sets no User=, so the script
      # itself runs as root and only passes --user nobody on to ympd; the
      # filesWatcher entry for ympd restarts it when that secret changes.
      ympd = {
        description = "Standalone MPD Web GUI written in C";
        wantedBy = [ "multi-user.target" ];
        script = ''
          export MPD_PASSWORD=$(cat ${config.secrets.fullPaths."mpd"})
          ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
        '';
      };
      # Feed update daemon for ttrss, run as wwwrun with the same php72 as its
      # pool and ordered after PostgreSQL.
      # NOTE(review): StandardOutput/StandardError = "syslog" and
      # PermissionsStartOnly are deprecated in current systemd (journal output
      # is the default); consider dropping them.
      tt-rss = {
        description = "Tiny Tiny RSS feeds update daemon";
        serviceConfig = {
          User = "wwwrun";
          ExecStart = "${pkgs.php72}/bin/php ${ttrss.webRoot}/update.php --daemon";
          StandardOutput = "syslog";
          StandardError = "syslog";
          PermissionsStartOnly = true;
        };

        wantedBy = [ "multi-user.target" ];
        requires = ["postgresql.service"];
        after = ["network.target" "postgresql.service"];
      };
    };

    services.filesWatcher.ympd = {
      restart = true;
      paths = [ config.secrets.fullPaths."mpd" ];
    };

    # One php-fpm pool per app, all running as wwwrun. The tools and devtools
    # pools store sessions in redis over a unix socket, with distinct
    # "Tools:<pool>:" prefixes so the two never share session data; every pool's
    # phpPackage includes the redis extension.
    services.phpfpm.pools = {
      tools = {
        user = "wwwrun";
        group = "wwwrun";
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          "php_admin_value[sendmail_path]" = "/run/wrappers/bin/sendmail -t -i";
          "php_admin_value[session.save_handler]" = "redis";
          "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Tools:'";
          # Needed to avoid clashes in browser cookies (same domain)
          "php_value[session.name]" = "ToolsPHPSESSID";
          # Filesystem access for the shared pool is limited to sendmail, the
          # landing root, /tmp, the webhooks secrets directory and the apprise
          # binaries from webhooks-bin-env.
          "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" [
            "/run/wrappers/bin/sendmail" landing "/tmp"
            config.secrets.fullPaths."webapps/webhooks"
            "${webhooks-bin-env}/bin"
          ];
        };
        phpEnv = {
          CONTACT_EMAIL = config.myEnv.tools.contact;
        };
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [ all.redis ]);
      };
      devtools = {
        user = "wwwrun";
        group = "wwwrun";
        settings = {
          "listen.owner" = "wwwrun";
          "listen.group" = "wwwrun";
          "pm" = "dynamic";
          "pm.max_children" = "60";
          "pm.start_servers" = "2";
          "pm.min_spare_servers" = "1";
          "pm.max_spare_servers" = "10";

          "php_admin_value[sendmail_path]" = "/run/wrappers/bin/sendmail -t -i";
          "php_admin_value[session.save_handler]" = "redis";
          "php_admin_value[session.save_path]" = "'unix:///run/redis-php-sessions/redis.sock?persistent=1&prefix=Tools:Devtools:'";
          # Confines the devtools pool to the FTP tree it serves, plus sendmail
          # and /tmp; this is the only boundary around PHP uploaded there.
          "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/immae/devtools:/tmp";
        };
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.mysqli all.sqlite3 all.redis all.apcu all.opcache ]);
      };
      adminer = adminer.phpFpm;
      ttrss = {
        user = "wwwrun";
        group = "wwwrun";
        settings = ttrss.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      wallabag = {
        user = "wwwrun";
        group = "wwwrun";
        settings = wallabag.phpFpm.pool;
        phpPackage = pkgs.php73.withExtensions({ enabled, all }: enabled ++ [all.tidy all.redis]);
      };
      yourls = {
        user = "wwwrun";
        group = "wwwrun";
        settings = yourls.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      rompr = {
        user = "wwwrun";
        group = "wwwrun";
        settings = rompr.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      shaarli = {
        user = "wwwrun";
        group = "wwwrun";
        settings = shaarli.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      dmarc-reports = {
        user = "wwwrun";
        group = "wwwrun";
        settings = dmarc-reports.phpFpm.pool;
        phpEnv = dmarc-reports.phpFpm.phpEnv;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      dokuwiki = {
        user = "wwwrun";
        group = "wwwrun";
        settings = dokuwiki.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      phpbb = {
        user = "wwwrun";
        group = "wwwrun";
        settings = phpbb.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      ldap = {
        user = "wwwrun";
        group = "wwwrun";
        settings = ldap.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      kanboard = {
        user = "wwwrun";
        group = "wwwrun";
        settings = kanboard.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
      grocy = {
        user = "wwwrun";
        group = "wwwrun";
        settings = grocy'.phpFpm.pool;
        phpPackage = pkgs.php72.withExtensions({ enabled, all }: enabled ++ [all.redis]);
      };
    };

    # Per-app activation hooks, run when the system configuration is switched.
    system.activationScripts = {
      grocy = grocy'.activationScript;
      ttrss = ttrss.activationScript;
      wallabag = wallabag.activationScript;
      rompr = rompr.activationScript;
      shaarli = shaarli.activationScript;
      dokuwiki = dokuwiki.activationScript;
      phpbb = phpbb.activationScript;
      kanboard = kanboard.activationScript;
    };

    # The tools web server watches the shaarli secret file, and the wallabag
    # php-fpm pool is restarted whenever its secret file changes.
    services.websites.env.tools.watchPaths = [
      config.secrets.fullPaths."webapps/tools-shaarli"
    ];
    services.filesWatcher.phpfpm-wallabag = {
      restart = true;
      paths = [ config.secrets.fullPaths."webapps/tools-wallabag" ];
    };

    # Monitoring plugins and objects contributed by each app, merged for the
    # monitoring master.
    myServices.monitoring.fromMasterActivatedPlugins = lib.mkMerge [
      ttrss.monitoringPlugins
      rompr.monitoringPlugins
      wallabag.monitoringPlugins
      yourls.monitoringPlugins
      ympd.monitoringPlugins
      dokuwiki.monitoringPlugins
      shaarli.monitoringPlugins
      ldap.monitoringPlugins
      adminer.monitoringPlugins
    ];
    myServices.monitoring.fromMasterObjects = lib.mkMerge [
      ttrss.monitoringObjects
      rompr.monitoringObjects
      wallabag.monitoringObjects
      yourls.monitoringObjects
      ympd.monitoringObjects
      dokuwiki.monitoringObjects
      shaarli.monitoringObjects
      ldap.monitoringObjects
      adminer.monitoringObjects
    ];
  };
}