# FIXME: backup
# Nextcloud: 14
# Mastodon: 13
+ # Mediagoblin: 12
services.redis = rec {
enable = config.services.myDatabases.redis.enable;
bind = "127.0.0.1";
./tools/cloud
./tools/git
./tools/mastodon
+ ./tools/mediagoblin
# built using:
# sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
# Removed allGranted
services.myWebsites.tools.cloud.enable = true;
services.myWebsites.tools.git.enable = true;
services.myWebsites.tools.mastodon.enable = true;
+ services.myWebsites.tools.mediagoblin.enable = true;
services.myWebsites.Chloe.production.enable = cfg.production.enable;
services.myWebsites.Ludivine.production.enable = cfg.production.enable;
--- /dev/null
+{ lib, pkgs, config, mylibs, ... }:
+let
+ mediagoblin = pkgs.callPackage ./mediagoblin.nix {
+ inherit (mylibs) checkEnv fetchedGit fetchedGithub;
+ };
+
+ cfg = config.services.myWebsites.tools.mediagoblin;
+in {
+ options.services.myWebsites.tools.mediagoblin = {
+ enable = lib.mkEnableOption "enable mediagoblin's website";
+ };
+
+ config = lib.mkIf cfg.enable {
+ # FIXME: Can we use dynamic users from systemd?
+ # nixos/modules/misc/ids.nix
+ ids.uids.mediagoblin = 397;
+ ids.gids.mediagoblin = 397;
+
+ users.users.mediagoblin = {
+ name = "mediagoblin";
+ uid = config.ids.uids.mediagoblin;
+ group = "mediagoblin";
+ description = "Mediagoblin user";
+ home = mediagoblin.varDir;
+ useDefaultShell = true;
+ };
+
+ users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
+
+ systemd.services.mediagoblin-web = {
+ description = "Mediagoblin service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ environment.SCRIPT_NAME = "/mediagoblin/";
+
+ script = ''
+ exec ./bin/paster serve \
+ ${mediagoblin.pythonRoot}/paste_local.ini \
+ --pid-file=${mediagoblin.socketsDir}/mediagoblin.pid
+ '';
+
+ preStop = ''
+ exec ./bin/paster serve \
+ --pid-file=${mediagoblin.socketsDir}/mediagoblin.pid \
+ ${mediagoblin.pythonRoot}/paste_local.ini stop
+ '';
+ preStart = ''
+ ./bin/gmg dbupdate
+ '';
+
+ serviceConfig = {
+ User = "mediagoblin";
+ PrivateTmp = true;
+ Restart = "always";
+ TimeoutSec = 15;
+ Type = "simple";
+ WorkingDirectory = mediagoblin.pythonRoot;
+ PIDFile = "${mediagoblin.socketsDir}/mediagoblin.pid";
+ };
+
+ unitConfig.RequiresMountsFor = mediagoblin.varDir;
+ };
+
+ systemd.services.mediagoblin-celeryd = {
+ description = "Mediagoblin service";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "mediagoblin-web.service" ];
+
+ environment.MEDIAGOBLIN_CONFIG = "${mediagoblin.pythonRoot}/mediagoblin_local.ini";
+ environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
+
+ script = ''
+ exec ./bin/celery worker \
+ --logfile=${mediagoblin.varDir}/celery.log \
+ --loglevel=INFO
+ '';
+
+ serviceConfig = {
+ User = "mediagoblin";
+ PrivateTmp = true;
+ Restart = "always";
+ TimeoutSec = 15;
+ Type = "simple";
+ WorkingDirectory = mediagoblin.pythonRoot;
+ PIDFile = "${mediagoblin.socketsDir}/mediagoblin-celeryd.pid";
+ };
+
+ unitConfig.RequiresMountsFor = mediagoblin.varDir;
+ };
+
+ # FIXME: background jobs and upload
+ # FIXME: initial sync
+ system.activationScripts.mediagoblin = {
+ deps = [ "users" ];
+ text = ''
+ install -m 0755 -o mediagoblin -g mediagoblin -d ${mediagoblin.socketsDir}
+ install -m 0755 -o mediagoblin -g mediagoblin -d ${mediagoblin.varDir}
+ if [ -d ${mediagoblin.varDir}/plugin_static/ ]; then
+ rm ${mediagoblin.varDir}/plugin_static/coreplugin_basic_auth
+ ln -sf ${mediagoblin.pythonRoot}/mediagoblin/plugins/basic_auth/static ${mediagoblin.varDir}/plugin_static/coreplugin_basic_auth
+ fi
+ '';
+ };
+
+ services.myWebsites.tools.modules = [
+ "proxy" "proxy_http" "proxy_balancer"
+ # FIXME: probably only one balancer method is needed:
+ "lbmethod_byrequests" "lbmethod_bytraffic" "lbmethod_bybusyness" "lbmethod_heartbeat"
+ ];
+ users.users.wwwrun.extraGroups = [ "mediagoblin" ];
+ security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
+ services.myWebsites.tools.vhostConfs.mgoblin = {
+ certName = "eldiron";
+ hosts = ["mgoblin.immae.eu" ];
+ root = null;
+ extraConfig = [ ''
+ Alias /mgoblin_media ${mediagoblin.varDir}/media/public
+ <Directory ${mediagoblin.varDir}/media/public>
+ Options -Indexes +FollowSymLinks +MultiViews +Includes
+ Require all granted
+ </Directory>
+
+ Alias /theme_static ${mediagoblin.varDir}/theme_static
+ <Directory ${mediagoblin.varDir}/theme_static>
+ Options -Indexes +FollowSymLinks +MultiViews +Includes
+ Require all granted
+ </Directory>
+
+ Alias /plugin_static ${mediagoblin.varDir}/plugin_static
+ <Directory ${mediagoblin.varDir}/plugin_static>
+ Options -Indexes +FollowSymLinks +MultiViews +Includes
+ Require all granted
+ </Directory>
+
+ ProxyPreserveHost on
+ ProxyVia On
+ ProxyRequests Off
+ ProxyPass /mgoblin_media !
+ ProxyPass /theme_static !
+ ProxyPass /plugin_static !
+ ProxyPassMatch ^/.well-known/acme-challenge !
+ ProxyPass / balancer://paster_server/
+ ProxyPassReverse / balancer://paster_server
+ <Proxy balancer://paster_server>
+ BalancerMember unix://${mediagoblin.socketsDir}/mediagoblin.sock|http://
+ </Proxy>
+ '' ];
+ };
+ };
+}
--- /dev/null
+# GNU MediaGoblin -- federated, autonomous media hosting
+# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+from ldap3 import Server, Connection, SUBTREE
+from ldap3.core.exceptions import LDAPException
+import logging
+
+import six
+
+from mediagoblin.tools import pluginapi
+
+_log = logging.getLogger(__name__)
+
+
+class LDAP(object):
+ def __init__(self):
+ self.ldap_settings = pluginapi.get_config('mediagoblin.plugins.ldap')
+
+ def _connect(self, server):
+ _log.info('Connecting to {0}.'.format(server['LDAP_SERVER_URI']))
+ self.server = Server(server['LDAP_SERVER_URI'])
+
+ if 'LDAP_START_TLS' in server and server['LDAP_START_TLS'] == 'true':
+ _log.info('Initiating TLS')
+ self.server.start_tls()
+
+ def _manager_auth(self, settings, username, password):
+ conn = Connection(self.server,
+ settings['LDAP_BIND_DN'],
+ settings['LDAP_BIND_PW'],
+ auto_bind=True)
+ found = conn.search(
+ search_base=settings['LDAP_SEARCH_BASE'],
+ search_filter=settings['LDAP_SEARCH_FILTER'].format(username=username),
+ search_scope=SUBTREE,
+ attributes=[settings['EMAIL_SEARCH_FIELD']])
+ if (not found) or len(conn.entries) > 1:
+ return False, None
+
+ user = conn.entries[0]
+ user_dn = user.entry_dn
+ try:
+ email = user.entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
+ except KeyError:
+ email = None
+
+ Connection(self.server, user_dn, password, auto_bind=True)
+
+ return username, email
+
+ def _direct_auth(self, settings, username, password):
+ user_dn = settings['LDAP_USER_DN_TEMPLATE'].format(username=username)
+ conn = Connection(self.server, user_dn, password, auto_bind=True)
+ email_found = conn.search(
+ search_base=settings['LDAP_SEARCH_BASE'],
+ search_filter='uid={0}'.format(username),
+ search_scope=SUBTREE,
+ attributes=[settings['EMAIL_SEARCH_FIELD']])
+
+ if email_found:
+ try:
+ email = conn.entries[0].entry_attributes_as_dict[settings['EMAIL_SEARCH_FIELD']][0]
+ except KeyError:
+ email = None
+
+ return username, email
+
+ def login(self, username, password):
+ for k, v in six.iteritems(self.ldap_settings):
+ try:
+ self._connect(v)
+
+ if 'LDAP_BIND_DN' in v:
+ return self._manager_auth(v, username, password)
+ else:
+ return self._direct_auth(v, username, password)
+
+ except LDAPException as e:
+ _log.info(e)
+
+ return False, None
--- /dev/null
+{
+ "tag": "ba0a154-master",
+ "meta": {
+ "name": "mediagoblin-plugin-basicsearch",
+ "url": "https://github.com/ayleph/mediagoblin-basicsearch",
+ "branch": "master"
+ },
+ "github": {
+ "owner": "ayleph",
+ "repo": "mediagoblin-basicsearch",
+ "rev": "ba0a1547bd24ebaf363227fe17644d38c6ce8a6b",
+ "sha256": "0d4r7xkf4gxmgaxlb264l44xbanis77g49frwfhfzsflxmdwgncy",
+ "fetchSubmodules": true
+ }
+}
--- /dev/null
+{
+ "tag": "cd465eb-stable",
+ "meta": {
+ "name": "mediagoblin",
+ "url": "git://git.savannah.gnu.org/mediagoblin.git",
+ "branch": "stable"
+ },
+ "git": {
+ "url": "git://git.savannah.gnu.org/mediagoblin.git",
+ "rev": "cd465ebfec837a75a44c4ebd727dffe2fff6d850",
+ "sha256": "1yz4i4i97z3rxl534a6psaybyjbyp5nnc52v3nvbpzc4pd2s69mx",
+ "fetchSubmodules": true
+ }
+}
--- /dev/null
+{ checkEnv, makeWrapper, stdenv, writeText, fetchurl, fetchedGit, fetchedGithub, which, python3, pkgs, automake, autoconf, nodejs, nodePackages, git, cacert }:
+let
+ plugins = {
+ basicsearch = stdenv.mkDerivation (fetchedGithub ./mediagoblin-plugin-basicsearch.json // rec {
+ phases = "unpackPhase installPhase";
+ installPhase = ''
+ cp -R . $out
+ '';
+ });
+ };
+ overridePython = let
+ packageOverrides = self: super: {
+ celery = super.celery.overridePythonAttrs(old: rec {
+ version = "3.1.26.post2";
+ src = self.fetchPypi {
+ inherit version;
+ inherit (old) pname;
+ sha256 = "5493e172ae817b81ba7d09443ada114886765a8ce02f16a56e6fac68d953a9b2";
+ };
+ patches = [];
+ doCheck = false;
+ });
+ billiard = super.billiard.overridePythonAttrs(old: rec {
+ version = "3.3.0.23";
+ src = self.fetchPypi {
+ inherit version;
+ inherit (old) pname;
+ sha256 = "02wxsc6bhqvzh8j6w758kvgqbnj14l796mvmrcms8fgfamd2lak9";
+ };
+ });
+ amqp = super.amqp.overridePythonAttrs(old: rec {
+ version = "1.4.9";
+ src = self.fetchPypi {
+ inherit version;
+ inherit (old) pname;
+ sha256 = "2dea4d16d073c902c3b89d9b96620fb6729ac0f7a923bbc777cb4ad827c0c61a";
+ };
+ });
+ kombu = super.kombu.overridePythonAttrs(old: rec {
+ version = "3.0.37";
+ src = self.fetchPypi {
+ inherit version;
+ inherit (old) pname;
+ sha256 = "e064a00c66b4d1058cd2b0523fb8d98c82c18450244177b6c0f7913016642650";
+ };
+ propagatedBuildInputs = old.propagatedBuildInputs ++ [ self.anyjson ];
+ doCheck = false;
+ });
+ sqlalchemy = super.sqlalchemy.overridePythonAttrs(old: rec {
+ version = "1.1.18";
+ src = self.fetchPypi {
+ inherit version;
+ inherit (old) pname;
+ sha256 = "8b0ec71af9291191ba83a91c03d157b19ab3e7119e27da97932a4773a3f664a9";
+ };
+ });
+ tempita_5_3_dev = super.buildPythonPackage (fetchedGithub ./tempita.json // rec {
+ buildInputs = with self; [ nose ];
+ disabled = false;
+ });
+ sqlalchemy_migrate = super.sqlalchemy_migrate.overridePythonAttrs(old: rec {
+ propagatedBuildInputs = with self; [ pbr tempita_5_3_dev decorator sqlalchemy six sqlparse ];
+ });
+ pasteScript = super.pasteScript.overridePythonAttrs(old: rec {
+ version = "2.0.2";
+ name = "PasteScript-${version}";
+ src = fetchurl {
+ url = "mirror://pypi/P/PasteScript/${name}.tar.gz";
+ sha256 = "1h3nnhn45kf4pbcv669ik4faw04j58k8vbj1hwrc532k0nc28gy0";
+ };
+ propagatedBuildInputs = with self; [ six paste PasteDeploy argparse ];
+ });
+ };
+ in
+ python3.override { inherit packageOverrides; };
+ pythonEnv = python-pkgs: with python-pkgs; [
+ waitress alembic dateutil wtforms pybcrypt
+ pytest pytest_xdist werkzeug celery
+ kombu jinja2 Babel webtest configobj markdown
+ sqlalchemy itsdangerous pytz sphinx six
+ oauthlib unidecode jsonschema PasteDeploy
+ requests PyLD exifread
+ typing pasteScript
+ # For images plugin
+ pillow
+ # For video plugin
+ gst-python
+ # migrations
+ sqlalchemy_migrate
+ # authentication
+ ldap3
+ redis
+ psycopg2
+ ];
+ python = overridePython.withPackages pythonEnv;
+ gmg = writeText "gmg" ''
+ #!${python}/bin/python
+ __requires__ = 'mediagoblin'
+ import sys
+ from pkg_resources import load_entry_point
+
+ if __name__ == '__main__':
+ sys.exit(
+ load_entry_point('mediagoblin', 'console_scripts', 'gmg')()
+ )
+ '';
+in
+ rec {
+ socketsDir = "/run/mediagoblin";
+ varDir = "/var/lib/mediagoblin";
+ mediagoblin = stdenv.mkDerivation (fetchedGit ./mediagoblin.json // rec {
+ preConfigure = ''
+ # ./bootstrap.sh
+ aclocal -I m4 --install
+ autoreconf -fvi
+ # end
+ export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
+ export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
+ export HOME=$PWD
+ '';
+ configureFlags = [ "--with-python3" "--without-virtualenv" ];
+ postBuild = ''
+ make extlib
+ '';
+ installPhase = ''
+ sed -i "s/registry.has_key(current_theme_name)/current_theme_name in registry/" mediagoblin/tools/theme.py
+ sed -i -e "s@\[DEFAULT\]@[DEFAULT]\nhere = $out@" mediagoblin/config_spec.ini
+ cp ${./ldap_fix.py} mediagoblin/plugins/ldap/tools.py
+ ln -s ${plugins.basicsearch}/basicsearch mediagoblin/plugins/basicsearch
+ find . -name '*.pyc' -delete
+ find . -type f -exec sed -i "s|$PWD|$out|g" {} \;
+ python setup.py build
+ cp -a . $out
+ mkdir $out/bin
+ cp ${gmg} $out/bin/gmg
+ chmod a+x $out/bin/gmg
+ '';
+ buildInputs = [ makeWrapper git cacert automake autoconf which nodePackages.bower nodejs python ];
+ propagatedBuildInputs = [ python ];
+ });
+ paste_local = writeText "paste_local.ini" ''
+ [DEFAULT]
+ debug = false
+
+ [pipeline:main]
+ pipeline = mediagoblin
+
+ [app:mediagoblin]
+ use = egg:mediagoblin#app
+ config = %(here)s/mediagoblin_local.ini %(here)s/mediagoblin.ini
+ /mgoblin_static = %(here)s/mediagoblin/static
+
+ [loggers]
+ keys = root
+
+ [handlers]
+ keys = console
+
+ [formatters]
+ keys = generic
+
+ [logger_root]
+ level = INFO
+ handlers = console
+
+ [handler_console]
+ class = StreamHandler
+ args = (sys.stderr,)
+ level = NOTSET
+ formatter = generic
+
+ [formatter_generic]
+ format = %(levelname)-7.7s [%(name)s] %(message)s
+
+ [filter:errors]
+ use = egg:mediagoblin#errors
+ debug = false
+
+ [server:main]
+ use = egg:waitress#main
+ unix_socket = ${socketsDir}/mediagoblin.sock
+ unix_socket_perms = 777
+ url_scheme = https
+ '';
+
+ mediagoblin_local =
+ assert checkEnv "NIXOPS_MEDIAGOBLIN_LDAP_PASSWORD";
+ assert checkEnv "NIXOPS_MEDIAGOBLIN_SQL_URI";
+ writeText "mediagoblin_local.ini" ''
+ [DEFAULT]
+ data_basedir = "${varDir}"
+
+ [mediagoblin]
+ direct_remote_path = /mgoblin_static/
+ email_sender_address = "mediagoblin@mail.immae.eu"
+
+ #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
+ sql_engine = ${builtins.getEnv "NIXOPS_MEDIAGOBLIN_SQL_URI"}
+
+ email_debug_mode = false
+ allow_registration = false
+ allow_reporting = true
+
+ theme = airymodified
+
+ user_privilege_scheme = "uploader,commenter,reporter"
+
+ # We need to redefine them here since we override data_basedir
+ # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
+ workbench_path = %(data_basedir)s/media/workbench
+ crypto_path = %(data_basedir)s/crypto
+ theme_install_dir = %(data_basedir)s/themes/
+ theme_linked_assets_dir = %(data_basedir)s/theme_static/
+ plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
+
+ [storage:queuestore]
+ base_dir = %(data_basedir)s/media/queue
+
+ [storage:publicstore]
+ base_dir = %(data_basedir)s/media/public
+ base_url = /mgoblin_media/
+
+ [celery]
+ CELERY_RESULT_DBURI = redis+socket:///run/redis/redis.sock?virtual_host=12
+ BROKER_URL = redis+socket:///run/redis/redis.sock?virtual_host=12
+ CELERYD_CONCURRENCY = 1
+
+ [plugins]
+ [[mediagoblin.plugins.geolocation]]
+ [[mediagoblin.plugins.ldap]]
+ [[[immae.eu]]]
+ LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
+ LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
+ LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
+ LDAP_BIND_PW = '${builtins.getEnv "NIXOPS_MEDIAGOBLIN_LDAP_PASSWORD"}'
+ LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
+ EMAIL_SEARCH_FIELD = 'mail'
+ [[mediagoblin.plugins.basicsearch]]
+ [[mediagoblin.plugins.piwigo]]
+ [[mediagoblin.plugins.processing_info]]
+ [[mediagoblin.media_types.image]]
+ [[mediagoblin.media_types.video]]
+ '';
+ pythonRoot =
+ with pkgs.gst_all_1;
+ stdenv.mkDerivation {
+ name = "mediagoblin_immae";
+ inherit mediagoblin;
+ buildInputs= [ makeWrapper ];
+ propagatedBuildInputs = [ gst-libav gst-plugins-good gst-plugins-bad gst-plugins-ugly gstreamer ];
+ builder = let
+ libpaths = [
+ python
+ gstreamer
+ gst-plugins-base
+ gst-libav
+ gst-plugins-good
+ gst-plugins-bad
+ gst-plugins-ugly
+ ];
+ plugin_paths = builtins.concatStringsSep ":" (map (x: "${x}/lib") libpaths);
+ typelib_paths = "${gstreamer}/lib/girepository-1.0:${gst-plugins-base}/lib/girepository-1.0";
+ in writeText "build_mediagoblin_immae" ''
+ source $stdenv/setup
+ cp -a $mediagoblin $out
+ cd $out
+ chmod -R u+rwX .
+ sed -i -e "/from gi.repository import GstPbutils/s/^/gi.require_version('GstPbutils', '1.0')\n/" mediagoblin/media_types/video/transcoders.py
+ wrapProgram bin/gmg --prefix PYTHONPATH : "$out:$PYTHONPATH" \
+ --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
+ --prefix GI_TYPELIB_PATH : ${typelib_paths}
+ makeWrapper ${python}/bin/paster bin/paster --prefix PYTHONPATH : "$out:$PYTHONPATH" \
+ --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
+ --prefix GI_TYPELIB_PATH : ${typelib_paths}
+ makeWrapper ${python}/bin/celery bin/celery --prefix PYTHONPATH : "$out:$PYTHONPATH" \
+ --prefix GST_PLUGIN_SYSTEM_PATH : ${plugin_paths} \
+ --prefix GI_TYPELIB_PATH : ${typelib_paths}
+ find . -type f -exec sed -i "s|$mediagoblin|$out|g" {} \;
+ ln -s ${paste_local} ./paste_local.ini
+ ln -s ${mediagoblin_local} ./mediagoblin_local.ini
+ ln -sf ../../../../../${varDir} ./user_dev
+ '';
+ };
+ }
--- /dev/null
+{
+ "tag": "47414a7-master",
+ "meta": {
+ "name": "tempita",
+ "url": "https://github.com/gjhiggins/tempita",
+ "branch": "master"
+ },
+ "github": {
+ "owner": "gjhiggins",
+ "repo": "tempita",
+ "rev": "47414a7c6e46a9a9afe78f0bce2ea299fa84d10d",
+ "sha256": "0f33jjjs5rvp7ar2j6ggyfykcrsrn04jaqcq71qfvycf6b7nw3rn",
+ "fetchSubmodules": true
+ }
+}