Refactor websites

[perso/Immae/Config/Nix.git] / modules / private / websites / ludivine / integration.nix

diff --git a/modules/private/websites/ludivine/integration.nix b/modules/private/websites/ludivine/integration.nix
new file mode 100644 (file)
index 0000000..4e37c0c
--- /dev/null
+++ b/modules/private/websites/ludivine/integration.nix
@@ -0,0 +1,151 @@
+{ lib, pkgs, config,  ... }:
+let
+  secrets = config.myEnv.websites.ludivine.integration;
+  app = pkgs.callPackage ./app {
+    environment = secrets.environment;
+    varDir = "/var/lib/ludivine_integration";
+    secretsPath = config.secrets.fullPaths."websites/ludivine/integration";
+  };
+  cfg = config.myServices.websites.ludivine.integration;
+  pcfg = config.services.phpApplication;
+in {
+  options.myServices.websites.ludivine.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    services.duplyBackup.profiles.ludivine_integration.rootDir = app.varDir;
+    services.phpApplication.apps.ludivine_integration = {
+      websiteEnv = "integration";
+      httpdUser = config.services.httpd.Inte.user;
+      httpdGroup = config.services.httpd.Inte.group;
+      inherit (app) webRoot varDir;
+      varDirPaths = {
+        "tmp" = "0700";
+      };
+      inherit app;
+      serviceDeps = [ "mysql.service" ];
+      preStartActions = [
+        "./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = {
+        "php_admin_value[upload_max_filesize]" = "20M";
+        "php_admin_value[post_max_size]" = "20M";
+        #"php_admin_flag[log_errors]" = "on";
+        "pm" = "ondemand";
+        "pm.max_children" = "5";
+        "pm.process_idle_timeout" = "60";
+      };
+      phpEnv = {
+        PATH = lib.makeBinPath [
+          # below ones don't need to be in the PATH but they’re used in
+          # secrets
+          pkgs.imagemagick pkgs.sass pkgs.ruby
+        ];
+        SYMFONY_DEBUG_MODE = "\"yes\"";
+      };
+      phpWatchFiles = [
+        config.secrets.fullPaths."websites/ludivine/integration"
+      ];
+    };
+
+    secrets.keys = [
+      {
+        dest = "websites/ludivine/integration";
+        user = config.services.httpd.Inte.user;
+        group = config.services.httpd.Inte.group;
+        permissions = "0400";
+        text = ''
+          # This file is auto-generated during the composer install
+          parameters:
+              database_host: ${secrets.mysql.host}
+              database_port: ${secrets.mysql.port}
+              database_name: ${secrets.mysql.database}
+              database_user: ${secrets.mysql.user}
+              database_password: ${secrets.mysql.password}
+              database_server_version: ${pkgs.mariadb.mysqlVersion}
+              mailer_transport: smtp
+              mailer_host: 127.0.0.1
+              mailer_user: null
+              mailer_password: null
+              secret: ${secrets.secret}
+              ldap_host: ldap.immae.eu
+              ldap_port: 636
+              ldap_version: 3
+              ldap_ssl: true
+              ldap_tls: false
+              ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+              ldap_base_dn: 'dc=immae,dc=eu'
+              ldap_search_dn: '${secrets.ldap.dn}'
+              ldap_search_password: '${secrets.ldap.password}'
+              ldap_search_filter: '${secrets.ldap.filter}'
+          leapt_im:
+              binary_path: ${pkgs.imagemagick}/bin
+          assetic:
+              sass: ${pkgs.sass}/bin/sass
+              ruby: ${pkgs.ruby}/bin/ruby
+        '';
+      }
+    ];
+
+    services.websites.env.integration.vhostConfs.ludivine_integration = {
+      certName    = "integration";
+      addToCerts  = true;
+      hosts       = [ "ludivine.immae.eu" ];
+      root        = pcfg.webappDirs.ludivine_integration;
+      extraConfig = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivine_integration}|fcgi://localhost"
+        </FilesMatch>
+
+        <Location />
+          Use LDAPConnect
+          Require ldap-group   cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
+        </Location>
+
+        <Directory ${pcfg.webappDirs.ludivine_integration}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+
+          DirectoryIndex app_dev.php
+
+          <IfModule mod_negotiation.c>
+          Options -MultiViews
+          </IfModule>
+
+          <IfModule mod_rewrite.c>
+            RewriteEngine On
+
+            RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+            RewriteRule ^(.*) - [E=BASE:%1]
+
+            # Maintenance script
+            RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+            RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+            RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+            ErrorDocument 503 /maintenance.php
+
+            # Sets the HTTP_AUTHORIZATION header removed by Apache
+            RewriteCond %{HTTP:Authorization} .
+            RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+            RewriteCond %{ENV:REDIRECT_STATUS} ^$
+            RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+            # If the requested filename exists, simply serve it.
+            # We only want to let Apache serve files and not directories.
+            RewriteCond %{REQUEST_FILENAME} -f
+            RewriteRule ^ - [L]
+
+            # Rewrite all other queries to the front controller.
+            RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+          </IfModule>
+
+        </Directory>
+        ''
+      ];
+    };
+  };
+}