imports = [
./modules/certificates.nix
./modules/gitolite.nix
- ./modules/gitweb.nix
+ ./modules/gitweb
./modules/databases.nix
./modules/websites
./modules/websites/phpfpm
source = ldap_authorized_keys;
};
- services.gitDaemon = {
- enable = true;
- user = "gitolite";
- group = "gitolite";
- basePath = "${mypkgs.git.web.varDir}/repositories";
- };
-
- # FIXME: logrotate
- services.httpd = let
- withConf = domain: {
- enableSSL = true;
- sslServerCert = "/var/lib/acme/${domain}/cert.pem";
- sslServerKey = "/var/lib/acme/${domain}/key.pem";
- sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
- logFormat = "combinedVhost";
- listen = [
- { ip = "176.9.151.89"; port = 443; }
- ];
- };
- apacheConfig = config.services.myWebsites.apacheConfig;
- in rec {
- enable = true;
- logPerVirtualHost = true;
- multiProcessingModule = "worker";
- adminAddr = "httpd@immae.eu";
- logFormat = "combinedVhost";
- extraModules = pkgs.lib.lists.unique (
- mypkgs.adminer.apache.modules ++
- mypkgs.nextcloud.apache.modules ++
- mypkgs.ympd.apache.modules ++
- mypkgs.git.web.apache.modules ++
- mypkgs.mantisbt.apache.modules ++
- mypkgs.ttrss.apache.modules ++
- mypkgs.roundcubemail.apache.modules ++
- pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig));
- extraConfig = builtins.concatStringsSep "\n"
- (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
- virtualHosts = [
- (withConf "eldiron" // {
- hostName = "eldiron.immae.eu";
- documentRoot = ./www;
- extraConfig = ''
- DirectoryIndex index.htm
- '';
- })
- (withConf "eldiron" // {
- hostName = "db-1.immae.eu";
- documentRoot = null;
- extraConfig = builtins.concatStringsSep "\n" [
- mypkgs.adminer.apache.vhostConf
- ];
- })
- (withConf "eldiron" // {
- hostName = "tools.immae.eu";
- documentRoot = null;
- extraConfig = builtins.concatStringsSep "\n" [
- mypkgs.adminer.apache.vhostConf
- mypkgs.ympd.apache.vhostConf
- mypkgs.ttrss.apache.vhostConf
- mypkgs.roundcubemail.apache.vhostConf
- ];
- })
- (withConf "eldiron" // {
- hostName = "dav.immae.eu";
- documentRoot = null;
- extraConfig = builtins.concatStringsSep "\n" [
- mypkgs.infcloud.apache.vhostConf
- mypkgs.davical.apache.vhostConf
- ];
- })
- (withConf "eldiron" // {
- hostName = "cloud.immae.eu";
- documentRoot = mypkgs.nextcloud.webRoot;
- extraConfig = builtins.concatStringsSep "\n" [
- mypkgs.nextcloud.apache.vhostConf
- ];
- })
- (withConf "eldiron" // {
- hostName = "git.immae.eu";
- documentRoot = mypkgs.git.web.webRoot;
- extraConfig = builtins.concatStringsSep "\n" [
- mypkgs.git.web.apache.vhostConf
- mypkgs.mantisbt.apache.vhostConf
- ] + ''
- RewriteEngine on
- RewriteCond %{REQUEST_URI} ^/releases
- RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
- '';
- })
- { # Should go last, default fallback
- listen = [ { ip = "*"; port = 80; } ];
- hostName = "redirectSSL";
- serverAliases = [ "*" ];
- enableSSL = false;
- logFormat = "combinedVhost";
- documentRoot = "/var/lib/acme/acme-challenge";
- extraConfig = ''
- RewriteEngine on
- RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
- RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
- # To redirect in specific "VirtualHost *:80", do
- # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
- # rather than rewrite
- '';
- }
- ];
- };
-
systemd.services.tt-rss = {
description = "Tiny Tiny RSS feeds update daemon";
serviceConfig = {
in {
options.services.myGitolite = {
enable = lib.mkEnableOption "my gitolite service";
+ gitoliteDir = lib.mkOption {
+ type = lib.types.string;
+ default = "/var/lib/gitolite";
+ };
};
config = lib.mkIf cfg.enable {
});
};
+ services.gitDaemon = {
+ enable = true;
+ user = "gitolite";
+ group = "gitolite";
+ basePath = "${cfg.gitoliteDir}/repositories";
+ };
+
system.activationScripts.gitolite =
assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
let
in {
deps = [ "users" ];
text = ''
- if [ -d /var/lib/gitolite ]; then
- ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
- chmod g+rx /var/lib/gitolite
+ if [ -d ${cfg.gitoliteDir} ]; then
+ ln -sf ${gitolite_ldap_groups} ${cfg.gitoliteDir}/gitolite_ldap_groups.sh
+ chmod g+rx ${cfg.gitoliteDir}
fi
- if [ -f /var/lib/gitolite/projects.list ]; then
- chmod g+r /var/lib/gitolite/projects.list
+ if [ -f ${cfg.gitoliteDir}/projects.list ]; then
+ chmod g+r ${cfg.gitoliteDir}/projects.list
fi
'';
};
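Review bot: The new `gitoliteDir` option at L125-L128 is typed `lib.types.string`, which nixpkgs deprecates because several definitions of such an option are merged by string concatenation, so a second definition elsewhere would silently produce a bogus path instead of a conflict error; declare it as `type = lib.types.str;` (or `lib.types.path`, which also rejects relative values) and give it a `description = "Directory holding the gitolite state and repositories";`. The same value is spliced unquoted into the activation script at L149-L151 and into `basePath` at L137, so a value containing spaces or shell metacharacters would break the `ln`/`chmod` lines; quoting the interpolations as `"${cfg.gitoliteDir}"` keeps them intact. Since `services.gitDaemon` (L133-L138) now lives in this module next to gitolite, a one-line comment that NixOS keeps `exportAll` off by default, so only repositories gitolite has marked `git-daemon-export-ok` are served over the unauthenticated git protocol, would document the exposure for the next reader. The `config` attrset opened at L130 continues outside the visible lines.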
{ lib, pkgs, config, mylibs, ... }:
let
+ # FIXME: add buildbot
+ gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
cfg = config.services.myGitweb;
in {
options.services.myGitweb = {
nixpkgs.config.packageOverrides = oldpkgs: rec {
gitweb = oldpkgs.gitweb.overrideAttrs(old: {
installPhase = old.installPhase + ''
- cp -r ${./gitweb/theme} $out/gitweb-theme;
+ cp -r ${./theme} $out/gitweb-theme;
'';
});
};
+ services.myWebsites.tools.modules = gitweb.apache.modules;
+ services.myWebsites.tools.vhostConfs.git = {
+ certName = "eldiron";
+ hosts = ["git.immae.eu" ];
+ root = gitweb.webRoot;
+ extraConfig = [ gitweb.apache.vhostConf ];
+ };
};
}
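Review bot: `services.myWebsites.tools.vhostConfs.git` is now assembled from two modules, the `certName`/`hosts`/`root`/first `extraConfig` entry here at L176-L181 and the mantisbt and `/releases` rewrite entries in websites/default.nix (L299-L306), which only works if the submodule's `extraConfig` is a mergeable list type and its merge order is the implicit module import order; neither the option type nor that order is visible in this diff. If `extraConfig` is `listOf`, pin the intended order with `extraConfig = lib.mkBefore [ gitweb.apache.vhostConf ];` here (or move the remaining entries into this module so the git vhost has a single definition); if it is a plain `attrs`/`str` type the two definitions will conflict at evaluation. The moved `# FIXME: add buildbot` at L162 now sits directly above the `gitweb` binding and reads as a note about it; a wording such as `# FIXME: buildbot is not yet packaged; it should get its own module like gitweb` would keep its meaning. Whether L167-L181 are inside a `config = lib.mkIf cfg.enable` block cannot be seen from the hunk, so whether these vhost definitions are gated on `services.myGitweb.enable` should be confirmed.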
-{ gitweb, writeText, gitolite, git }:
+{ gitweb, writeText, gitolite, git, gitoliteDir }:
rec {
- varDir = "/var/lib/gitolite";
+ varDir = gitoliteDir;
webRoot = gitweb;
config = writeText "gitweb.conf" ''
$git_temp = "/tmp";
{ lib, pkgs, config, mylibs, myconfig, ... }:
let
+ mypkgs = pkgs.callPackage ../../packages.nix {
+ inherit (mylibs) checkEnv fetchedGit fetchedGithub;
+ };
cfg = config.services.myWebsites;
makeService = name: cfg: let
toVhost = vhostConf: {
documentRoot = vhostConf.root;
extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
};
+ redirectVhost = { # Should go last, catchall http -> https redirect
+ listen = [ { ip = cfg.ip; port = 80; } ];
+ hostName = "redirectSSL";
+ serverAliases = [ "*" ];
+ enableSSL = false;
+ logFormat = "combinedVhost";
+ documentRoot = "/var/lib/acme/acme-challenge";
+ extraConfig = ''
+ RewriteEngine on
+ RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
+ RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
+ # To redirect in specific "VirtualHost *:80", do
+ # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+ # rather than rewrite
+ '';
+ };
+ fallbackVhost = toVhost { # Should go first, default choice
+ certName = "eldiron";
+ hosts = ["eldiron.immae.eu" ];
+ root = ../../www;
+ extraConfig = [ "DirectoryIndex index.htm" ];
+ };
in rec {
enable = true;
listen = [
logFormat = "combinedVhost";
extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
- virtualHosts = pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs;
+ virtualHosts = [ fallbackVhost ]
+ ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
+ ++ [ redirectVhost ];
};
makeServiceOptions = name: ip: {
enable = lib.mkEnableOption "enable websites in ${name}";
options.services.myWebsites = {
production = makeServiceOptions "production" myconfig.ips.production;
integration = makeServiceOptions "integration" myconfig.ips.integration;
+ tools = makeServiceOptions "tools" myconfig.ips.main;
apacheConfig = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
services.httpdInte = makeService "integration" config.services.myWebsites.integration;
services.myWebsites.integration.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
+
+ services.httpd = makeService "tools" config.services.myWebsites.tools;
+ services.myWebsites.tools.modules =
+ mypkgs.adminer.apache.modules ++
+ mypkgs.nextcloud.apache.modules ++
+ mypkgs.ympd.apache.modules ++
+ mypkgs.mantisbt.apache.modules ++
+ mypkgs.ttrss.apache.modules ++
+ mypkgs.roundcubemail.apache.modules ++
+ pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
+ services.myWebsites.tools.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
+ # FIXME: move them all to separate modules
+ services.myWebsites.tools.vhostConfs.eldiron = {
+ certName = "eldiron";
+ hosts = ["eldiron.immae.eu" ];
+ root = ../../www;
+ extraConfig = [ "DirectoryIndex index.htm" ];
+ };
+ services.myWebsites.tools.vhostConfs.db-1 = {
+ certName = "eldiron";
+ hosts = ["db-1.immae.eu" ];
+ root = null;
+ extraConfig = [ mypkgs.adminer.apache.vhostConf ];
+ };
+ services.myWebsites.tools.vhostConfs.tools = {
+ certName = "eldiron";
+ hosts = ["tools.immae.eu" ];
+ root = null;
+ extraConfig = [
+ mypkgs.adminer.apache.vhostConf
+ mypkgs.ympd.apache.vhostConf
+ mypkgs.ttrss.apache.vhostConf
+ mypkgs.roundcubemail.apache.vhostConf
+ ];
+ };
+ services.myWebsites.tools.vhostConfs.dav = {
+ certName = "eldiron";
+ hosts = ["dav.immae.eu" ];
+ root = null;
+ extraConfig = [
+ mypkgs.infcloud.apache.vhostConf
+ mypkgs.davical.apache.vhostConf
+ ];
+ };
+ services.myWebsites.tools.vhostConfs.cloud = {
+ certName = "eldiron";
+ hosts = ["cloud.immae.eu" ];
+ root = mypkgs.nextcloud.webRoot;
+ extraConfig = [
+ mypkgs.nextcloud.apache.vhostConf
+ ];
+ };
+ services.myWebsites.tools.vhostConfs.git.extraConfig = [
+ mypkgs.mantisbt.apache.vhostConf
+ ''
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/releases
+ RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
+ ''
+ ];
};
}
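Review bot: `fallbackVhost` (L219-L224) and `services.myWebsites.tools.vhostConfs.eldiron` (L259-L264) describe the same `eldiron.immae.eu` vhost, so in the `tools` instance the host appears twice in `virtualHosts` (L232-L234); Apache keeps the first and only warns about the overlap, which makes the `vhostConfs.eldiron` entry dead configuration that will drift from the fallback. Drop L259-L264, or make the fallback a parameter of `makeService` so that `production` and `integration`, which now also receive an `eldiron.immae.eu` default vhost with `certName = "eldiron"` on their own IPs, can state their own default explicitly (whether serving that host from those instances is intended is not something the hunk says). `makeService = name: cfg:` at L198 shadows the module-level `cfg` from L197, so `cfg.ip` at L204 is the per-service argument while `cfg.apacheConfig` at L256 is the outer one; renaming the parameter, e.g. `makeService = name: svc:` with `svc.ip`, removes the ambiguity. The catch-all redirect at L213 builds its target from the client-supplied `%{HTTP_HOST}` on a vhost with `serverAliases = [ "*" ]`; that is carried over unchanged, but a comment noting that the redirect intentionally echoes the request host would help a reader judge it.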
nextcloud = callPackage ./packages/nextcloud.nix { inherit checkEnv; };
adminer = callPackage ./packages/adminer.nix {};
ympd = callPackage ./packages/ympd.nix {};
- gitweb = callPackage ./packages/gitweb.nix {};
mantisbt = callPackage ./packages/mantisbt.nix { inherit checkEnv fetchedGithub; };
ttrss = callPackage ./packages/ttrss.nix { inherit checkEnv fetchedGithub fetchedGit; };
roundcubemail = callPackage ./packages/roundcubemail.nix { inherit checkEnv; };
inherit roundcubemail;
inherit infcloud;
inherit davical;
- # FIXME: add buildbot
- git = { web = gitweb; };
}
vhostConf = ''
Alias /adminer ${webRoot}
<Directory ${webRoot}>
- DirectoryIndex = index.php
+ DirectoryIndex index.php
<FilesMatch "\.php$">
SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
</FilesMatch>
+++ /dev/null
-$git_temp = "/tmp";
-
-# The directories where your projects are. Must not end with a slash.
-$projectroot = "/srv/git/repositories";
-
-$projects_list = "/srv/git/projects.list";
-$strict_export = "true";
-
-# Base URLs for links displayed in the web interface.
-our @git_base_url_list = qw(ssh://gitolite@git.immae.eu https://git.immae.eu);
-
-$feature{'blame'}{'default'} = [1];
-$feature{'avatar'}{'default'} = ['gravatar'];
-$feature{'highlight'}{'default'} = [1];
-
-@stylesheets = ("gitweb-theme/gitweb.css");
-$logo = "gitweb-theme/git-logo.png";
-$favicon = "gitweb-theme/git-favicon.png";
-
-$javascript = "gitweb-theme/gitweb.js";
-$logo_url = "https://git.immae.eu/";
-$projects_list_group_categories = "true";
-$projects_list_description_width = 60;
-$project_list_default_category = "__Others__";