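# NixOS module for the Diaspora pod at diaspora.immae.eu.
#
# It builds the webapp (with LDAP support), provisions the `diaspora`
# user, writes the three secret config files, defines the systemd unit,
# creates the state directories and wires an Apache reverse-proxy vhost
# in front of the Rails unix socket.
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  varDir = "/var/lib/diaspora_immae";
  diaspora = pkgs.webapps.diaspora.override {
    ldap = true;
    inherit varDir;
    podmin_email = "diaspora@tools.immae.eu";
    config_dir = "/var/secrets/webapps/diaspora";
  };
  socketsDir = "/run/diaspora";
  railsSocket = "${socketsDir}/diaspora.sock";
  env = myconfig.env.tools.diaspora;
  root = "/run/current-system/webapps/tools_diaspora";
  cfg = config.services.myWebsites.tools.diaspora;

  # Secrets are spliced into generated config files.  A credential
  # containing a quote or a backslash would otherwise break the file or
  # silently truncate the value, so quote each one with the rules of the
  # format it lands in:
  #  - a JSON string is a valid YAML double-quoted scalar (same escapes);
  #  - a Ruby single-quoted literal only treats `\` and `'` specially.
  yamlStr = builtins.toJSON;
  rubySq = s: "'" + builtins.replaceStrings [ "\\" "'" ] [ "\\\\" "\\'" ] s + "'";
in
{
  options.services.myWebsites.tools.diaspora = {
    enable = lib.mkEnableOption "enable diaspora's website";
  };

  config = lib.mkIf cfg.enable {
    ids.uids.diaspora = env.user.uid;
    ids.gids.diaspora = env.user.gid;

    users.users.diaspora = {
      name = "diaspora";
      uid = config.ids.uids.diaspora;
      group = "diaspora";
      description = "Diaspora user";
      home = varDir;
      useDefaultShell = true;
      packages = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby ];
      # Membership in "keys" is what lets the service read the secrets
      # tree written by `secrets.keys` below (presumably the parent
      # directory is group-owned by keys; the files themselves are 0400).
      extraGroups = [ "keys" ];
    };
    users.groups.diaspora.gid = config.ids.gids.diaspora;

    # Config files containing credentials; each is owner-read-only for
    # the service user.  Empty YAML keys are the upstream skeleton kept
    # so the file layout matches diaspora.yml.example.
    secrets.keys = [
      {
        dest = "webapps/diaspora/diaspora.yml";
        user = "diaspora";
        group = "diaspora";
        permissions = "0400";
        text = ''
          configuration:
            environment:
              url: "https://diaspora.immae.eu/"
              certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
              redis: '${env.redis_url}'
              sidekiq:
              s3:
              assets:
              logging:
                logrotate:
                debug:
            server:
              listen: '${railsSocket}'
              rails_environment: 'production'
            chat:
              server:
                bosh:
                log:
            map:
              mapbox:
            privacy:
              piwik:
              statistics:
              camo:
            settings:
              enable_registrations: false
              welcome_message:
              invitations:
                open: false
              paypal_donations:
              community_spotlight:
              captcha:
                enable: false
              terms:
              maintenance:
                remove_old_users:
              default_metas:
              csp:
            services:
              twitter:
              tumblr:
              wordpress:
            mail:
              enable: true
              sender_address: 'diaspora@tools.immae.eu'
              method: 'sendmail'
              smtp:
              sendmail:
                location: '/run/wrappers/bin/sendmail'
            admins:
              account: "ismael"
              podmin_email: 'diaspora@tools.immae.eu'
            relay:
              outbound:
              inbound:
            ldap:
              enable: true
              host: ldap.immae.eu
              # 636 is the LDAPS port; whether the diaspora LDAP code
              # actually negotiates TLS on it is not visible here -
              # NOTE(review): confirm the bind is encrypted.
              port: 636
              only_ldap: true
              mail_attribute: mail
              skip_email_confirmation: true
              use_bind_dn: true
              bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
              bind_pw: ${yamlStr env.ldap.password}
              search_base: "dc=immae,dc=eu"
              search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
          production:
            environment:
          development:
            environment:
        '';
      }
      {
        dest = "webapps/diaspora/database.yml";
        user = "diaspora";
        group = "diaspora";
        permissions = "0400";
        text = ''
          postgresql: &postgresql
            adapter: postgresql
            host: "${env.postgresql.socket}"
            port: "${env.postgresql.port}"
            username: "${env.postgresql.user}"
            password: ${yamlStr env.postgresql.password}
            encoding: unicode
          common: &common
            <<: *postgresql
          combined: &combined
            <<: *common
          development:
            <<: *combined
            database: diaspora_development
          production:
            <<: *combined
            database: ${env.postgresql.database}
          test:
            <<: *combined
            database: "diaspora_test"
          integration1:
            <<: *combined
            database: diaspora_integration1
          integration2:
            <<: *combined
            database: diaspora_integration2
        '';
      }
      {
        dest = "webapps/diaspora/secret_token.rb";
        user = "diaspora";
        group = "diaspora";
        permissions = "0400";
        text = ''
          Diaspora::Application.config.secret_key_base = ${rubySq env.secret_token}
        '';
      }
    ];

    systemd.services.diaspora = {
      description = "Diaspora";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "redis.service" "postgresql.service" ];
      wants = [ "redis.service" "postgresql.service" ];

      environment.RAILS_ENV = "production";
      environment.BUNDLE_PATH = "${diaspora.gems}/${diaspora.gems.ruby.gemPath}";
      environment.BUNDLE_GEMFILE = "${diaspora.gems.confFiles}/Gemfile";
      # `script/server` is driven by eye; its control socket and pid
      # file live next to the Rails socket.
      environment.EYE_SOCK = "${socketsDir}/eye.sock";
      environment.EYE_PID = "${socketsDir}/eye.pid";

      path = [
        diaspora.gems
        pkgs.nodejs
        diaspora.gems.ruby
        pkgs.curl
        pkgs.which
        pkgs.gawk
      ];

      # Migrations run as the service user (no PermissionsStartOnly),
      # relative to WorkingDirectory.
      preStart = ''
        ./bin/bundle exec rails db:migrate
      '';
      script = ''
        exec ${diaspora}/script/server
      '';

      serviceConfig = {
        User = "diaspora";
        Type = "simple";
        Restart = "always";
        WorkingDirectory = diaspora;
        StandardInput = "null";
        # eye forks the actual workers; kill the whole cgroup on stop.
        KillMode = "control-group";
        PrivateTmp = true;
        # The app only needs to write its state directory and the socket
        # directory; the store checkout, gems and /var/secrets are read.
        ProtectSystem = "strict";
        ReadWritePaths = [ varDir socketsDir ];
        ProtectHome = true;
        PrivateDevices = true;
        # NoNewPrivileges is deliberately not set: outgoing mail goes
        # through the setuid sendmail wrapper in /run/wrappers.
      };
      unitConfig.RequiresMountsFor = varDir;
    };

    system.activationScripts.diaspora = {
      deps = [ "users" ];
      text = ''
        install -m 0755 -o diaspora -g diaspora -d ${socketsDir}
        # uploads are served directly by the web server, so that tree
        # (and varDir itself) must stay world-readable.  Logs and tmp are
        # only touched by the app: keep request logs away from other
        # local users.
        install -m 0755 -o diaspora -g diaspora -d ${varDir} ${varDir}/uploads
        install -m 0750 -o diaspora -g diaspora -d ${varDir}/tmp ${varDir}/log
        install -m 0700 -o diaspora -g diaspora -d ${varDir}/tmp/pids
        if [ ! -f ${varDir}/schedule.yml ]; then
          echo "{}" | $wrapperDir/sudo -u diaspora tee ${varDir}/schedule.yml
        fi
      '';
    };

    services.myWebsites.tools.modules = [ "headers" "proxy" "proxy_http" ];
    security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null;

    # Expose the app's public/ directory under the current system so the
    # vhost document root survives package rebuilds.
    system.extraSystemBuilderCmds = ''
      mkdir -p $out/webapps
      ln -s ${diaspora}/public/ $out/webapps/tools_diaspora
    '';

    services.myWebsites.tools.vhostConfs.diaspora = {
      certName = "eldiron";
      hosts = [ "diaspora.immae.eu" ];
      root = root;
      extraConfig = [
        ''
          # Static files are served from public/; everything else is
          # proxied to the Rails unix socket.
          RewriteEngine On
          RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
          RewriteRule ^/(.*)$ unix://${railsSocket}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L]

          ProxyRequests Off
          ProxyVia On
          ProxyPreserveHost On
          # Rack normalises this to HTTP_X_FORWARDED_PROTO, the same as
          # X-Forwarded-Proto, so Rails generates https URLs behind TLS.
          RequestHeader set X_FORWARDED_PROTO https

          Require all granted
          Options -MultiViews
        ''
      ];
    };
  };
}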