{
myids = ./myids.nix;
secrets = ./secrets.nix;
+ filesWatcher = ./filesWatcher.nix;
webstats = ./webapps/webstats;
diaspora = ./webapps/diaspora.nix;
--- /dev/null
+{ lib, config, pkgs, ... }:
+with lib;
+let
+ cfg = config.services.filesWatcher;
+in
+{
+ options = {
+ services.filesWatcher = with types; mkOption {
+ default = {};
+ description = ''
+ Files to watch and trigger service reload or restart of service
+ when changed.
+ '';
+ type = attrsOf (submodule {
+ options = {
+ restart = mkEnableOption "Restart service rather than reloading it";
+ paths = mkOption {
+ type = listOf str;
+ description = ''
+ Paths to watch that should trigger a reload of the
+ service
+ '';
+ };
+ waitTime = mkOption {
+ type = int;
+ default = 5;
+ description = ''
+ Time to wait before reloading/restarting the service.
+ Set 0 to not wait.
+ '';
+ };
+ };
+ });
+ };
+ };
+
+ config.systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+ "${name}Watcher" {
+ description = "${name} reloader";
+ after = [ "network.target" ];
+ script = let
+ action = if icfg.restart then "restart" else "reload";
+ in ''
+ # Service may be stopped during file modification (e.g. activationScripts)
+ if ${pkgs.systemd}/bin/systemctl --quiet is-active ${name}.service; then
+ ${pkgs.coreutils}/bin/sleep ${toString icfg.waitTime}
+ ${pkgs.systemd}/bin/systemctl ${action} ${name}.service
+ fi
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ }
+ ) cfg;
+ config.systemd.paths = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+ "${name}Watcher" {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = icfg.paths;
+ }
+ ) cfg;
+}
extraGroups = [ "keys" ];
};
+ services.websites.tools.watchPaths = lib.attrsets.mapAttrsToList
+ (k: project: "/var/secrets/buildbot/${project.name}/webhook-httpd-include")
+ myconfig.env.buildbot.projects;
+
services.websites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
RewriteEngine On
}
];
+ services.filesWatcher = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
+ restart = true;
+ paths = [
+ "/var/secrets/buildbot/ldap"
+ "/var/secrets/buildbot/ssh_key"
+ ] ++ lib.attrsets.mapAttrsToList (k: v: "/var/secrets/buildbot/${project.name}/${k}") project.secrets;
+ }) myconfig.env.buildbot.projects;
+
systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
description = "Buildbot Continuous Integration Server ${project.name}.";
after = [ "network-online.target" ];
'';
};
+ services.filesWatcher.openldap = {
+ restart = true;
+ paths = [ "${config.secrets.location}/ldap/" ];
+ };
+
services.openldap = {
enable = true;
dataDir = cfg.dataDir;
'';
}];
+ services.filesWatcher.pure-ftpd = {
+ restart = true;
+ paths = [ "/var/secrets/pure-ftpd-ldap" ];
+ };
+
systemd.services.pure-ftpd = let
configFile = pkgs.writeText "pure-ftpd.conf" ''
PassivePortRange 40000 50000
networking.firewall.allowedTCPPorts = [ 6600 ];
users.users.mpd.extraGroups = [ "wwwrun" "keys" ];
systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
+ services.filesWatcher.mpd = {
+ restart = true;
+ paths = [ "/var/secrets/mpd-config" ];
+ };
+
services.mpd = {
enable = true;
network.listenAddress = "any";
SetEnv TASKD_LDAP_FILTER "${env.ldap.search}"
'';
}];
+ services.websites.tools.watchPaths = [ "/var/secrets/webapps/tools-taskwarrior-web" ];
services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
services.websites.tools.vhostConfs.task = {
certName = "eldiron";
root = aten.apache.root;
extraConfig = [ aten.apache.vhostConf ];
};
+ services.websites.integration.watchPaths = [
+ "/var/secrets/webapps/${aten.app.environment}-aten"
+ ];
};
}
root = aten.apache.root;
extraConfig = [ aten.apache.vhostConf ];
};
+ services.websites.production.watchPaths = [
+ "/var/secrets/webapps/${aten.app.environment}-aten"
+ ];
};
}
-
root = chloe.apache.root;
extraConfig = [ chloe.apache.vhostConf ];
};
+ services.websites.integration.watchPaths = [
+ "/var/secrets/webapps/${chloe.app.environment}-chloe"
+ ];
};
}
root = chloe.apache.root;
extraConfig = [ chloe.apache.vhostConf ];
};
+ services.websites.production.watchPaths = [
+ "/var/secrets/webapps/${chloe.app.environment}-chloe"
+ ];
};
}
root = connexionswing.apache.root;
extraConfig = [ connexionswing.apache.vhostConf ];
};
+ services.filesWatcher.phpfpm-connexionswing_dev = {
+ restart = true;
+ paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ];
+ };
};
}
root = connexionswing.apache.root;
extraConfig = [ connexionswing.apache.vhostConf ];
};
+ services.filesWatcher.phpfpm-connexionswing_prod = {
+ restart = true;
+ paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ];
+ };
};
}
'';
};
+ services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ];
+ services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ];
+ services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ];
+
services.websites.production = {
enable = true;
adminAddr = "httpd@immae.eu";
adminer.apache.vhostConf
];
};
+ services.filesWatcher.phpfpm-tellesflorian_dev = {
+ restart = true;
+ paths = [ "/var/secrets/webapps/${tellesflorian.app.environment}-tellesflorian" ];
+ };
};
}
root = ludivinecassal.apache.root;
extraConfig = [ ludivinecassal.apache.vhostConf ];
};
+ services.filesWatcher.phpfpm-ludivinecassal_dev = {
+ restart = true;
+ paths = [ "/var/secrets/webapps/${ludivinecassal.app.environment}-ludivinecassal" ];
+ };
};
}
root = ludivinecassal.apache.root;
extraConfig = [ ludivinecassal.apache.vhostConf ];
};
+ services.filesWatcher.phpfpm-ludivinecassal_prod = {
+ restart = true;
+ paths = [ "/var/secrets/webapps/${ludivinecassal.app.environment}-ludivinecassal" ];
+ };
};
}
configDir = "/var/secrets/webapps/diaspora";
};
+ services.filesWatcher.diaspora = {
+ restart = true;
+ paths = [ dcfg.configDir ];
+ };
+
services.websites.tools.modules = [
"headers" "proxy" "proxy_http"
];
systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+ services.filesWatcher.etherpad-lite = {
+ restart = true;
+ paths = [ ecfg.sessionKeyFile ecfg.apiKeyFile ecfg.configFile ];
+ };
+
services.websites.tools.modules = [
"headers" "proxy" "proxy_http" "proxy_wstunnel"
];
socketsPrefix = "live_immae";
dataDir = "/var/lib/mastodon_immae";
};
+ services.filesWatcher.mastodon-streaming = {
+ restart = true;
+ paths = [ mcfg.configFile ];
+ };
+ services.filesWatcher.mastodon-web = {
+ restart = true;
+ paths = [ mcfg.configFile ];
+ };
+ services.filesWatcher.mastodon-sidekiq = {
+ restart = true;
+ paths = [ mcfg.configFile ];
+ };
+
services.websites.tools.modules = [
"headers" "proxy" "proxy_wstunnel" "proxy_http"
plugins = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
configFile = "/var/secrets/webapps/tools-mediagoblin";
};
+ services.filesWatcher.mediagoblin-web = {
+ restart = true;
+ paths = [ mcfg.configFile ];
+ };
+ services.filesWatcher.mediagoblin-celeryd = {
+ restart = true;
+ paths = [ mcfg.configFile ];
+ };
services.websites.tools.modules = [
"proxy" "proxy_http"
services.websites.tools.modules = [
"headers" "proxy" "proxy_http" "proxy_wstunnel"
];
+ services.filesWatcher.peertube = {
+ restart = true;
+ paths = [ pcfg.configFile ];
+ };
+
services.websites.tools.vhostConfs.peertube = {
certName = "eldiron";
addToCerts = true;
};
};
+ services.filesWatcher.ympd = {
+ restart = true;
+ paths = [ "/var/secrets/mpd" ];
+ };
+
services.phpfpm.pools.roundcubemail = {
listen = roundcubemail.phpFpm.socket;
extraConfig = roundcubemail.phpFpm.pool;
"${kanboard.apache.webappName}" = kanboard.webRoot;
};
+ services.websites.tools.watchPaths = [
+ "/var/secrets/webapps/tools-wallabag"
+ ];
+ services.filesWatcher.phpfpm-wallabag = {
+ restart = true;
+ paths = [ "/var/secrets/webapps/tools-wallabag" ];
+ };
};
}
if [ -f /run/keys/secrets.tar ]; then
if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
echo "rebuilding secrets"
- rm -rf ${location}
- install -m0750 -o root -g keys -d ${location}
- ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
- sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
- find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ TMP=$(${pkgs.coreutils}/bin/mktemp -d)
+ if [ -n "$TMP" ]; then
+ install -m0750 -o root -g keys -d $TMP
+ ${pkgs.gnutar}/bin/tar --strip-components 1 -C $TMP -xf /run/keys/secrets.tar
+ sha512sum /run/keys/secrets.tar > $TMP/currentSecrets
+ find $TMP -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+ ${pkgs.rsync}/bin/rsync -O -c -av --delete $TMP/ ${location}
+ rm -rf $TMP
+ fi
fi
fi
'';
};
});
};
+ watchPaths = mkOption {
+ type = listOf string;
+ default = [];
+ description = ''
+ Paths to watch that should trigger a reload of httpd
+ '';
+ };
};
});
};
})
) cfg;
+ config.services.filesWatcher = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+ "httpd${icfg.httpdName}" {
+ paths = icfg.watchPaths;
+ waitTime = 5;
+ }
+ ) cfg;
+
config.security.acme.certs = let
typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
projects / perso / Immae / Config / Nix.git / commitdiff
