Use attrs for secrets instead of lists
[perso/Immae/Config/Nix.git] / modules / private / websites / immae / temp.nix
index 288c8cc209461a320989bc0ce89f6cd031d0cff2..61ed9cf4195fa9d1f6fb4d7593ae040486ef4997 100644 (file)
@@ -1,35 +1,65 @@
-{ lib, pkgs, config, myconfig,  ... }:
+{ lib, pkgs, config,  ... }:
 let
   cfg = config.myServices.websites.immae.temp;
-  varDir = "/var/lib/ftp/temp.immae.eu";
-  env = myconfig.env.websites.temp;
+  varDir = "/var/lib/immae_temp";
+  env = config.myEnv.websites.immae.temp;
 in {
   options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website";
 
   config = lib.mkIf cfg.enable {
-    services.websites.env.production.modules = [ "headers" ];
-    services.websites.env.production.vhostConfs.temp = {
-      certName    = "eldiron";
+    services.duplyBackup.profiles.immae_temp.rootDir = varDir;
+    services.duplyBackup.profiles.immae_temp_surfer.rootDir = "/var/lib/surfer";
+    services.websites.env.production.vhostConfs.immae_temp = {
+      certName    = "immae";
       addToCerts  = true;
       hosts       = [ "temp.immae.eu" ];
-      root        = varDir;
-      extraConfig = [
-        ''
-        Use Apaxy "${varDir}" "title .duplicity-ignore"
-        <FilesMatch ".+">
-          Header set Content-Disposition attachment
-        </FilesMatch>
-        <Directory "${varDir}">
-          Options -Indexes
+      root        = null;
+      extraConfig = [ ''
+        ProxyVia On
+        ProxyRequests Off
+        ProxyPreserveHost On
+        ProxyPass         / unix:///run/surfer/listen.sock|http://temp.immae.eu/
+        ProxyPassReverse  / unix:///run/surfer/listen.sock|http://temp.immae.eu/
+        <Proxy *>
+          Options FollowSymLinks MultiViews
           AllowOverride None
           Require all granted
-        </Directory>
+        </Proxy>
+      '' ];
+    };
+
+    secrets.keys."webapps/surfer" = {
+      permissions = "0400";
+      user = "wwwrun";
+      group = "wwwrun";
+      text = ''
+        CLOUDRON_LDAP_URL=ldaps://${env.ldap.host}
+        CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
+        TOKENSTORE_FILE=/var/lib/surfer/tokens.json
+        CLOUDRON_LDAP_BIND_DN=${env.ldap.dn}
+        CLOUDRON_LDAP_BIND_PASSWORD=${env.ldap.password}
+        CLOUDRON_LDAP_USERS_BASE_DN=${env.ldap.base}
+        CLOUDRON_LDAP_FILTER="${env.ldap.filter}"
+        LISTEN=/run/surfer/listen.sock
+      '';
+    };
+
+    systemd.services.surfer = {
+      description = "Surfer";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
 
-        <DirectoryMatch "${varDir}/(.+)">
-          Options Indexes
-        </DirectoryMatch>
-        ''
-      ];
+      script = ''
+        exec ${pkgs.webapps.surfer}/bin/surfer-server ${varDir}
+      '';
+      serviceConfig = {
+        EnvironmentFile = config.secrets.fullPaths."webapps/surfer";
+        User = "wwwrun";
+        Group = "wwwrun";
+        StateDirectory = "surfer";
+        RuntimeDirectory = "surfer";
+        Type = "simple";
+      };
     };
   };
 }
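Review bot: The new `secrets.keys."webapps/surfer"` entry makes the file holding `CLOUDRON_LDAP_BIND_PASSWORD` owned and readable by `wwwrun`, the same account `systemd.services.surfer` runs as; if `wwwrun` is also the account the web server and its other vhosts run under (not visible in this hunk), each of them can read the LDAP bind credentials from the file or from the service's environment. systemd loads `EnvironmentFile` before it switches to `User=`, so the file can stay root-only with `user = "root"; group = "root";`, and a dedicated account for the surfer unit would keep its environment and `/var/lib/surfer/tokens.json` away from the shared web user. In the same `text` block `CLOUDRON_LDAP_USERS_BASE_DN` is written twice, and the password is interpolated unquoted while the filter is quoted, so a password containing quotes, backslashes or a trailing space may reach the process in a different form than the one stored in `env.ldap.password`. The unit also serves `${varDir}` (`/var/lib/immae_temp`) while `StateDirectory = "surfer"` only provisions `/var/lib/surfer`, so the served directory presumably has to be created with the right owner elsewhere; a short comment saying where would help.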