]> git.immae.eu Git - perso/Immae/Config/Nix.git/blob - virtual/eldiron.nix
projects / perso / Immae / Config / Nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add Chloé's website
[perso/Immae/Config/Nix.git] / virtual / eldiron.nix
1 {
2 network = {
3 description = "Immae's network";
4 enableRollback = true;
5 };
6
7 eldiron = { config, pkgs, ... }:
8 with import ../libs.nix;
9 let
10 mypkgs = pkgs.callPackage ./packages.nix {
11 inherit checkEnv fetchedGitPrivate fetchedGithub;
12 };
13 in
14 {
15 nixpkgs.config.packageOverrides = oldpkgs: rec {
16 gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
17 name = "gitolite-${version}";
18 version = "3.6.10";
19 src = pkgs.fetchFromGitHub {
20 owner = "sitaramc";
21 repo = "gitolite";
22 rev = "v${version}";
23 sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
24 };
25 });
26 gitweb = oldpkgs.gitweb.overrideAttrs(old: {
27 installPhase = old.installPhase + ''
28 cp -r ${./packages/gitweb} $out/gitweb-theme;
29 '';
30 });
31 postgresql = postgresql111;
32 postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
33 passthru = old.passthru // { psqlSchema = "11.0"; };
34 name = "postgresql-11.1";
35 src = pkgs.fetchurl {
36 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
37 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
38 };
39 });
40 mariadb = mariadbPAM;
41 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
42 cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
43 buildInputs = old.buildInputs ++ [ pkgs.pam ];
44 });
45 goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
46 name = "goaccess-${version}";
47 version = "1.3";
48 src = pkgs.fetchurl {
49 url = "https://tar.goaccess.io/${name}.tar.gz";
50 sha256 = "16vv3pj7pbraq173wlxa89jjsd279004j4kgzlrsk1dz4if5qxwc";
51 };
52 configureFlags = old.configureFlags ++ [ "--enable-tcb=btree" ];
53 buildInputs = old.buildInputs ++ [ pkgs.tokyocabinet pkgs.bzip2 ];
54 });
55 };
56
57 networking = {
58 firewall = {
59 enable = true;
60 allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
61 };
62 };
63
64 deployment = {
65 targetEnv = "hetzner";
66 hetzner = {
67 #robotUser = "defined in HETZNER_ROBOT_USER";
68 #robotPass = "defined in HETZNER_ROBOT_PASS";
69 mainIPv4 = "176.9.151.89";
70 partitions = ''
71 clearpart --all --initlabel --drives=sda,sdb
72
73 part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
74 part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
75
76 part raid.1 --grow --ondisk=sda
77 part raid.2 --grow --ondisk=sdb
78
79 raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
80 '';
81 };
82 };
83
84 environment.systemPackages = let
85 # FIXME: move it to nextcloud
86 occ = pkgs.writeScriptBin "nextcloud-occ" ''
87 #! ${pkgs.stdenv.shell}
88 cd ${mypkgs.nextcloud.webRoot}
89 NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
90 exec \
91 ${config.services.phpfpm.phpPackage}/bin/php \
92 -c ${config.services.phpfpm.phpPackage}/etc/php.ini \
93 occ $*
94 '';
95 in [
96 pkgs.telnet
97 pkgs.vim
98 pkgs.goaccess
99 occ
100 ];
101
102 security.acme.certs = {
103 # /!\ To create a new certificate, add first the domain to an
104 # existing certificate, deploy, and then use it in httpd.
105 "eldiron" = {
106 webroot = "/var/lib/acme/acme-challenge";
107 email = "ismael@bouya.org";
108 domain = "eldiron.immae.eu";
109 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
110 postRun = ''
111 systemctl reload httpd.service
112 '';
113 extraDomains = {
114 "db-1.immae.eu" = null;
115 "git.immae.eu" = null;
116 "tools.immae.eu" = null;
117 "connexionswing.immae.eu" = null;
118 "sandetludo.immae.eu" = null;
119 "cloud.immae.eu" = null;
120 "ludivine.immae.eu" = null;
121 "dev.aten.pro" = null;
122 "piedsjaloux.immae.eu" = null;
123 "chloe.immae.eu" = null;
124 };
125 };
126 "ludivinecassal" = {
127 webroot = "/var/lib/acme/acme-challenge";
128 email = "ismael@bouya.org";
129 domain = "ludivinecassal.com";
130 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
131 postRun = ''
132 systemctl reload httpd.service
133 '';
134 extraDomains = {
135 "www.ludivinecassal.com" = null;
136 };
137 };
138 "aten" = {
139 webroot = "/var/lib/acme/acme-challenge";
140 email = "ismael@bouya.org";
141 domain = "aten.pro";
142 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
143 postRun = ''
144 systemctl reload httpd.service
145 '';
146 extraDomains = {
147 "www.aten.pro" = null;
148 };
149 };
150 "piedsjaloux" = {
151 webroot = "/var/lib/acme/acme-challenge";
152 email = "ismael@bouya.org";
153 domain = "piedsjaloux.fr";
154 plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
155 postRun = ''
156 systemctl reload httpd.service
157 '';
158 extraDomains = {
159 "www.piedsjaloux.fr" = null;
160 };
161 };
162 # "connexionswing" = {
163 # webroot = "/var/lib/acme/acme-challenge";
164 # email = "ismael@bouya.org";
165 # domain = "connexionswing.com";
166 # plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
167 # postRun = ''
168 # systemctl reload httpd.service
169 # '';
170 # extraDomains = {
171 # "www.connexionswing.com" = null;
172 # "sandetludo.com" = null;
173 # "www.sandetludo.com" = null;
174 # };
175 # };
176 };
177
178 services.openssh.extraConfig = ''
179 AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
180 AuthorizedKeysCommandUser nobody
181 '';
182
183 users.users.wwwrun.extraGroups = [ "gitolite" ];
184
185 users.users.gitolite.packages = let
186 python-packages = python-packages: with python-packages; [
187 simplejson
188 urllib3
189 ];
190 in
191 [
192 (pkgs.python3.withPackages python-packages)
193 ];
194 # FIXME: after initial install, need to
195 # (1) copy rc file (adjust gitolite_ldap_groups.sh)
196 # (2) (mark old readonly and) sync repos except gitolite-admin
197 # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
198 # chown -R gitolite:gitolite /var/lib/gitolite
199 # (3) push force the gitolite-admin to new location (from external point)
200 # Don't use an existing key, it will take precedence over
201 # gitolite-admin
202 # (4) su -u gitolite gitolite setup
203 services.gitolite = {
204 enable = true;
205 # FIXME: key from ./ssh
206 adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
207 };
208
209 services.ympd = mypkgs.ympd.config // { enable = true; };
210
211 services.phpfpm = {
212 # /!\ phppackage is used in nextcloud configuation
213 phpOptions = ''
214 ; For nextcloud
215 extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
216 ; For nextcloud
217 extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
218 ; For nextcloud
219 zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
220 '';
221 extraConfig = ''
222 log_level = notice
223 '';
224 poolConfigs = {
225 adminer = mypkgs.adminer.phpFpm.pool;
226 connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
227 connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
228 ludivinecassal_dev = mypkgs.ludivinecassal_dev.phpFpm.pool;
229 ludivinecassal_prod = mypkgs.ludivinecassal_prod.phpFpm.pool;
230 piedsjaloux_dev = mypkgs.piedsjaloux_dev.phpFpm.pool;
231 piedsjaloux_prod = mypkgs.piedsjaloux_prod.phpFpm.pool;
232 chloe_dev = mypkgs.chloe_dev.phpFpm.pool;
233 chloe_prod = mypkgs.chloe_prod.phpFpm.pool;
234 aten_dev = mypkgs.aten_dev.phpFpm.pool;
235 aten_prod = mypkgs.aten_prod.phpFpm.pool;
236 nextcloud = mypkgs.nextcloud.phpFpm.pool;
237 mantisbt = mypkgs.mantisbt.phpFpm.pool;
238 };
239 };
240
241 system.activationScripts = {
242 connexionswing_dev = mypkgs.connexionswing_dev.activationScript;
243 connexionswing_prod = mypkgs.connexionswing_prod.activationScript;
244 ludivinecassal_dev = mypkgs.ludivinecassal_dev.activationScript;
245 ludivinecassal_prod = mypkgs.ludivinecassal_prod.activationScript;
246 piedsjaloux_dev = mypkgs.piedsjaloux_dev.activationScript;
247 piedsjaloux_prod = mypkgs.piedsjaloux_prod.activationScript;
248 chloe_dev = mypkgs.chloe_dev.activationScript;
249 chloe_prod = mypkgs.chloe_prod.activationScript;
250 aten_dev = mypkgs.aten_dev.activationScript;
251 aten_prod = mypkgs.aten_prod.activationScript;
252 nextcloud = mypkgs.nextcloud.activationScript;
253 httpd = ''
254 install -d -m 0755 /var/lib/acme/acme-challenge
255 '';
256 redis = ''
257 mkdir -p /run/redis
258 chown redis /run/redis
259 '';
260 gitolite =
261 assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
262 let
263 gitolite_ldap_groups = wrap {
264 name = "gitolite_ldap_groups.sh";
265 file = ./packages/gitolite_ldap_groups.sh;
266 vars = {
267 LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
268 };
269 paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
270 };
271 in {
272 deps = [ "users" ];
273 text = ''
274 if [ -d /var/lib/gitolite ]; then
275 ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
276 chmod g+rx /var/lib/gitolite
277 fi
278 if [ -f /var/lib/gitolite/projects.list ]; then
279 chmod g+r /var/lib/gitolite/projects.list
280 fi
281 '';
282 };
283 goaccess = ''
284 mkdir -p /var/lib/goaccess
285 mkdir -p /var/lib/goaccess/aten.pro
286 mkdir -p /var/lib/goaccess/ludivinecassal.com
287 mkdir -p /var/lib/goaccess/piedsjaloux.fr
288 '';
289 };
290
291 environment.etc."ssh/ldap_authorized_keys" = let
292 ldap_authorized_keys =
293 assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
294 wrap {
295 name = "ldap_authorized_keys";
296 file = ./ldap_authorized_keys.sh;
297 vars = {
298 LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
299 GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
300 ECHO = "${pkgs.coreutils}/bin/echo";
301 };
302 paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
303 };
304 in {
305 enable = true;
306 mode = "0755";
307 user = "root";
308 source = ldap_authorized_keys;
309 };
310
311 services.gitDaemon = {
312 enable = true;
313 user = "gitolite";
314 group = "gitolite";
315 basePath = "${mypkgs.git.web.varDir}/repositories";
316 };
317
318 services.httpd = let
319 withConf = domain: {
320 enableSSL = true;
321 sslServerCert = "/var/lib/acme/${domain}/cert.pem";
322 sslServerKey = "/var/lib/acme/${domain}/key.pem";
323 sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
324 logFormat = "combinedVhost";
325 listen = [ { ip = "*"; port = 443; } ];
326 };
327 apacheConfig = {
328 gzip = {
329 modules = [ "deflate" "filter" ];
330 extraConfig = ''
331 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
332 '';
333 };
334 ldap = {
335 modules = [ "ldap" "authnz_ldap" ];
336 extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
337 <IfModule ldap_module>
338 LDAPSharedCacheSize 500000
339 LDAPCacheEntries 1024
340 LDAPCacheTTL 600
341 LDAPOpCacheEntries 1024
342 LDAPOpCacheTTL 600
343 </IfModule>
344
345 <Macro LDAPConnect>
346 <IfModule authnz_ldap_module>
347 AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu
348 AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
349 AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
350 AuthType Basic
351 AuthName "Authentification requise (Acces LDAP)"
352 AuthBasicProvider ldap
353 </IfModule>
354 </Macro>
355
356 <Macro Stats %{domain}>
357 Alias /awstats /var/lib/goaccess/%{domain}
358 <Directory /var/lib/goaccess/%{domain}>
359 DirectoryIndex index.html
360 AllowOverride None
361 Require all granted
362 </Directory>
363 <Location /awstats>
364 Use LDAPConnect
365 Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
366 </Location>
367 </Macro>
368 '';
369 };
370 http2 = {
371 modules = [ "http2" ];
372 extraConfig = ''
373 Protocols h2 http/1.1
374 '';
375 };
376 customLog = {
377 modules = [];
378 extraConfig = ''
379 LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
380 '';
381 };
382 };
383 in rec {
384 enable = true;
385 logPerVirtualHost = true;
386 multiProcessingModule = "worker";
387 adminAddr = "httpd@immae.eu";
388 logFormat = "combinedVhost";
389 extraModules = pkgs.lib.lists.unique (
390 mypkgs.adminer.apache.modules ++
391 mypkgs.nextcloud.apache.modules ++
392 mypkgs.connexionswing_dev.apache.modules ++
393 mypkgs.connexionswing_prod.apache.modules ++
394 mypkgs.ludivinecassal_dev.apache.modules ++
395 mypkgs.ludivinecassal_prod.apache.modules ++
396 mypkgs.piedsjaloux_dev.apache.modules ++
397 mypkgs.piedsjaloux_prod.apache.modules ++
398 mypkgs.chloe_dev.apache.modules ++
399 mypkgs.chloe_prod.apache.modules ++
400 mypkgs.aten_dev.apache.modules ++
401 mypkgs.aten_prod.apache.modules ++
402 mypkgs.ympd.apache.modules ++
403 mypkgs.git.web.apache.modules ++
404 mypkgs.mantisbt.apache.modules ++
405 pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
406 [ "macro" ]);
407 extraConfig = builtins.concatStringsSep "\n"
408 (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig) apacheConfig);
409 virtualHosts = [
410 (withConf "eldiron" // {
411 hostName = "eldiron.immae.eu";
412 documentRoot = ./www;
413 extraConfig = ''
414 DirectoryIndex index.htm
415 '';
416 })
417 (withConf "eldiron" // {
418 hostName = "db-1.immae.eu";
419 documentRoot = null;
420 extraConfig = builtins.concatStringsSep "\n" [
421 mypkgs.adminer.apache.vhostConf
422 ];
423 })
424 (withConf "eldiron" // {
425 hostName = "tools.immae.eu";
426 documentRoot = null;
427 extraConfig = builtins.concatStringsSep "\n" [
428 mypkgs.adminer.apache.vhostConf
429 mypkgs.ympd.apache.vhostConf
430 ];
431 })
432 (withConf "eldiron" // {
433 hostName = "connexionswing.immae.eu";
434 serverAliases = [ "sandetludo.immae.eu" ];
435 documentRoot = mypkgs.connexionswing_dev.webRoot;
436 extraConfig = builtins.concatStringsSep "\n" [
437 mypkgs.connexionswing_dev.apache.vhostConf
438 ];
439 })
440 (withConf "eldiron" // {
441 hostName = "ludivine.immae.eu";
442 documentRoot = mypkgs.ludivinecassal_dev.webRoot;
443 extraConfig = builtins.concatStringsSep "\n" [
444 mypkgs.ludivinecassal_dev.apache.vhostConf
445 ];
446 })
447 (withConf "ludivinecassal" // {
448 hostName = "ludivinecassal.com";
449 serverAliases = [ "www.ludivinecassal.com" ];
450 documentRoot = mypkgs.ludivinecassal_prod.webRoot;
451 extraConfig = builtins.concatStringsSep "\n" [
452 mypkgs.ludivinecassal_prod.apache.vhostConf
453 ];
454 })
455 (withConf "eldiron" // {
456 hostName = "piedsjaloux.immae.eu";
457 documentRoot = mypkgs.piedsjaloux_dev.webRoot;
458 extraConfig = builtins.concatStringsSep "\n" [
459 mypkgs.piedsjaloux_dev.apache.vhostConf
460 ];
461 })
462 (withConf "piedsjaloux" // {
463 hostName = "piedsjaloux.fr";
464 serverAliases = [ "www.piedsjaloux.fr" ];
465 documentRoot = mypkgs.piedsjaloux_prod.webRoot;
466 extraConfig = builtins.concatStringsSep "\n" [
467 mypkgs.piedsjaloux_prod.apache.vhostConf
468 ];
469 })
470 (withConf "eldiron" // {
471 hostName = "chloe.immae.eu";
472 documentRoot = mypkgs.chloe_dev.webRoot;
473 extraConfig = builtins.concatStringsSep "\n" [
474 mypkgs.chloe_dev.apache.vhostConf
475 ];
476 })
477 (withConf "eldiron" // {
478 hostName = "osteopathe-cc.fr";
479 serverAliases = [ "www.osteopathe-cc.fr" ];
480 documentRoot = mypkgs.chloe_prod.webRoot;
481 extraConfig = builtins.concatStringsSep "\n" [
482 mypkgs.chloe_prod.apache.vhostConf
483 ];
484 })
485 (withConf "eldiron" // {
486 hostName = "dev.aten.pro";
487 documentRoot = mypkgs.aten_dev.webRoot;
488 extraConfig = builtins.concatStringsSep "\n" [
489 mypkgs.aten_dev.apache.vhostConf
490 ];
491 })
492 (withConf "aten" // {
493 hostName = "aten.pro";
494 serverAliases = [ "www.aten.pro" ];
495 documentRoot = mypkgs.aten_prod.webRoot;
496 extraConfig = builtins.concatStringsSep "\n" [
497 mypkgs.aten_prod.apache.vhostConf
498 ];
499 })
500 (withConf "eldiron" // {
501 hostName = "cloud.immae.eu";
502 documentRoot = mypkgs.nextcloud.webRoot;
503 extraConfig = builtins.concatStringsSep "\n" [
504 mypkgs.nextcloud.apache.vhostConf
505 ];
506 })
507 (withConf "eldiron" // {
508 hostName = "git.immae.eu";
509 documentRoot = mypkgs.git.web.webRoot;
510 extraConfig = builtins.concatStringsSep "\n" [
511 mypkgs.git.web.apache.vhostConf
512 mypkgs.mantisbt.apache.vhostConf
513 ] + ''
514 RewriteEngine on
515 RewriteCond %{REQUEST_URI} ^/releases
516 RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
517 '';
518 })
519 { # Should go last, default fallback
520 listen = [ { ip = "*"; port = 80; } ];
521 hostName = "redirectSSL";
522 serverAliases = [ "*" ];
523 enableSSL = false;
524 logFormat = "combinedVhost";
525 documentRoot = "/var/lib/acme/acme-challenge";
526 extraConfig = ''
527 RewriteEngine on
528 RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
529 RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
530 # To redirect in specific "VirtualHost *:80", do
531 # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
532 # rather than rewrite
533 '';
534 }
535 ];
536 };
537
538 security.pam.services = let
539 pam_ldap = pkgs.pam_ldap;
540 pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
541 pkgs.writeText "mysql.conf" ''
542 host ldap.immae.eu
543 base dc=immae,dc=eu
544 binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
545 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
546 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
547 '';
548 in [
549 {
550 name = "mysql";
551 text = ''
552 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
553 auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
554 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
555 '';
556 }
557 ];
558
559 # FIXME: backup
560 services.redis = rec {
561 enable = true;
562 bind = "127.0.0.1";
563 unixSocket = "/run/redis/redis.sock";
564 extraConfig = ''
565 unixsocketperm 777
566 maxclients 1024
567 '';
568 };
569
570 # FIXME: initial sync
571 # FIXME: backup
572 # FIXME: restart after pam
573 # FIXME: pam access doesn’t work (because of php module)
574 # FIXME: ssl
575 services.mysql = rec {
576 enable = true;
577 package = pkgs.mariadb;
578 };
579
580 # FIXME: initial sync
581 # FIXME: backup
582 # FIXME: ssl
583 services.postgresql = rec {
584 enable = true;
585 package = pkgs.postgresql;
586 enableTCPIP = true;
587 extraConfig = ''
588 max_connections = 100
589 wal_level = logical
590 shared_buffers = 128MB
591 max_wal_size = 1GB
592 min_wal_size = 80MB
593 log_timezone = 'Europe/Paris'
594 datestyle = 'iso, mdy'
595 timezone = 'Europe/Paris'
596 lc_messages = 'en_US.UTF-8'
597 lc_monetary = 'en_US.UTF-8'
598 lc_numeric = 'en_US.UTF-8'
599 lc_time = 'en_US.UTF-8'
600 default_text_search_config = 'pg_catalog.english'
601 # ssl = on
602 # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
603 # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
604 '';
605 authentication = ''
606 local all postgres ident
607 local all all md5
608 host all all samehost md5
609 host all all 178.33.252.96/32 md5
610 host all all 188.165.209.148/32 md5
611 #host all all all pam
612 '';
613 };
614
615 services.cron = {
616 enable = true;
617 systemCronJobs = let
618 stats = domain: conf: "${pkgs.gnused}/bin/sed -n '/\\['$(LC_ALL=C ${pkgs.coreutils}/bin/date -d yesterday +'%d\\/%b\\/%Y')'/ p' /var/log/httpd/access_log-${domain} | ${pkgs.goaccess}/bin/goaccess -o /var/lib/goaccess/${domain}/index.html -p ${conf}";
619 in [
620 "5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}"
621 "5 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}"
622 "5 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}"
623 ];
624 };
625 };
626 }
My infrastructure configuration