enableRollback = true;
};
- # FIXME: improve purity by enforcing sandbox = true in
- # /etc/nix/nix.conf (need to do something about environment variables
- # before)
-
- # Full backup:
- # The star after /var/lib/* avoids deleting all folders in case of problem
- # rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu:
eldiron = { config, pkgs, mylibs, myconfig, ... }:
with mylibs;
{
};
config = {
- # FIXME: doesn't work with httpd?
security.acme.preliminarySelfsigned = true;
security.acme.certs = {
- # FIXME: /!\ To create a new certificate, create it before using
- # it in httpd
"eldiron" = config.services.myCertificates.certConfig // {
domain = "eldiron.immae.eu";
};
networking.firewall.allowedTCPPorts = [ 3306 5432 ];
- # FIXME: initial sync
- # FIXME: backup
- # FIXME: restart after pam
- # FIXME: pam access doesn’t work (because of php module)
- # FIXME: ssl
services.mysql = rec {
enable = cfg.mariadb.enable;
package = pkgs.mariadb;
};
- # Cannot use eldiron: psql complains too much rights on the key, and
- # setfacl cannot work properly because of acme prestart script
security.acme.certs."postgresql" = config.services.myCertificates.certConfig // {
user = "postgres";
group = "postgres";
install -m 0755 -o postgres -g postgres -d /run/postgresql
'';
- # FIXME: initial sync
services.postgresql = rec {
enable = cfg.postgresql.enable;
package = pkgs.postgresql;
}
];
- # FIXME: backup
# Diaspora: 15
# Nextcloud: 14
# Mastodon: 13
[
(pkgs.python3.withPackages python-packages)
];
- # FIXME: after initial install, need to
- # (1) copy rc file (adjust gitolite_ldap_groups.sh)
- # (2) (mark old readonly and) sync repos except gitolite-admin
- # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
- # chown -R gitolite:gitolite /var/lib/gitolite
- # (3) push force the gitolite-admin to new location (from external point)
- # Don't use an existing key, it will take precedence over
- # gitolite-admin
- # (4) su -u gitolite gitolite setup
+ # Installation: https://git.immae.eu/mantisbt/view.php?id=93
services.gitolite = {
enable = true;
- # FIXME: key from ./ssh
adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
};
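Review bot: The gitolite admin key stays inlined as one ~400-character literal while the `# FIXME: key from ./ssh` reminder that tied it to the tracked key file is dropped, so the only record of where this key comes from now lives in the linked tracker issue. Reading it from the repository file instead, e.g. `adminPubkey = builtins.readFile ./ssh/immae.pub;` (exact filename to confirm against `./ssh`), keeps a single source of truth and makes a key rotation a one-file change that is easy to review. The removed procedure also carried the caveat that an existing key in `authorized_keys` takes precedence over gitolite-admin; if the tracker issue is not public, a one-line comment such as `# See issue 93 for the migration steps; do not reuse an existing key for the admin user` would preserve that warning next to the option. The `services.gitolite` attribute set is closed here, but the enclosing module continues outside the hunk.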
};
'';
};
webappDir = stdenv.mkDerivation (fetchedGitPrivate ./aten.json // rec {
- # FIXME: can we do better than symlink?
- # FIXME: initial sync
- # FIXME: backup
- # FIXME: usage statistics
buildPhase = ''
export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
services.myWebsites.commons.stats = {
enable = lib.mkEnableOption "enable statistics";
sites = lib.mkOption {
- # FIXME: specify
- type = lib.types.listOf (lib.types.unspecified);
+ type = lib.types.listOf (lib.types.submodule {
+ options = {
+ conf = lib.mkOption { type = lib.types.path; };
+ name = lib.mkOption { type = lib.types.string; };
+ };
+ });
default = [];
description = "Sites to generate stats";
};
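Review bot: `lib.types.string` on the `name` option is the legacy nixpkgs type whose merge concatenates multiple definitions, which is why it was deprecated; `lib.types.str` is the type meant here. Since `name` appears to end up as a path segment in `/var/lib/goaccess/${domain}/index.html` and inside a cron line run as `root` (both visible further down, outside this hunk), a restricted form such as `lib.types.strMatching "[A-Za-z0-9.-]+"` would keep a stray `/`, space or shell metacharacter out of that path and command. Both submodule options would also benefit from a `description`, e.g. `description = "Domain whose access log is summarised";` and `description = "goaccess configuration file for this site";`. Note that a `lib.types.path` value pointing at a local file is copied into the world-readable Nix store, so the goaccess configuration must not carry credentials — worth stating in a comment if that is an assumption. The enclosing `services.myWebsites.commons.stats` option set continues past this hunk.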
goaccess $TMPFILE --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf}
'';
in "${d}/bin/stats-${domain}";
- # FIXME: running several goaccess simultaneously seems to be
- # bugged?
in
pkgs.lib.lists.imap0 (i: v: "${toString (i+5)} 0 * * * root ${stats v.name v.conf}") cfg.sites;
};
- # FIXME: initial sync
system.activationScripts.goaccess = ''
mkdir -p /var/lib/goaccess
'' +
varDir = "/var/lib/connexionswing_${environment}";
envName= lib.strings.toUpper environment;
configRoot =
- # FIXME: spool emails in prod for when immae.eu is down?
assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_PASSWORD";
assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_USER";
assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_NAME";
'';
};
webappDir = stdenv.mkDerivation (fetchedGitPrivate ./connexionswing.json // rec {
- # FIXME: can we do better than symlink?
- # FIXME: imagick optional
- # FIXME: initial sync
- # FIXME: backup
- # FIXME: replace with pkgs.phpPackages.composer
buildPhase = ''
export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
};
ldap = {
modules = [ "ldap" "authnz_ldap" ];
- # FIXME: starttls
extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
<IfModule ldap_module>
LDAPSharedCacheSize 500000
'';
};
- # FIXME: logrotate
- # FIXME: ipv6
services.httpdProd = makeService "production" config.services.myWebsites.production;
services.myWebsites.production.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
services.myWebsites.production.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
'';
};
webappDir = stdenv.mkDerivation (fetchedGitPrivate ./ludivinecassal.json // rec {
- # FIXME: can we do better than symlink?
- # FIXME: initial sync
- # FIXME: backup
- # FIXME: miniatures and data need to be in the same dir due to a
- # bug in leapt.im (searches for data/../miniatures)
+ # /!\ miniatures and data need to be in the same dir due to a
+ # bug in leapt.im (searches for data/../miniatures)
buildPhase = ''
export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
'';
};
webappDir = stdenv.mkDerivation (fetchedGitPrivate ./piedsjaloux.json // rec {
- # FIXME: can we do better than symlink?
- # FIXME: initial sync
- # FIXME: backup
- # FIXME: miniatures and data need to be in the same dir due to a
- # bug in leapt.im (searches for data/../miniatures)
- # FIXME: var/bootstrap.php.cache doesn't get created
- # (cannot work with var as a symlink since the file
- # references ..)
- # FIXME: configuration change should not trigger a rebuild
+ # /!\ miniatures and data need to be in the same dir due to a
+ # bug in leapt.im (searches for data/../miniatures)
buildPhase = ''
export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
varDir = "/var/lib/tellesflorian_${environment}";
envName= lib.strings.toUpper environment;
configRoot =
- # FIXME: spool emails in prod for when immae.eu is down?
assert checkEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_PASSWORD";
assert checkEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_USER";
assert checkEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_NAME";
'';
};
webappDir = stdenv.mkDerivation (fetchedGitPrivate ./tellesflorian.json // rec {
- # FIXME: can we do better than symlink?
- # FIXME: initial sync
- # FIXME: backup
buildPhase = ''
export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
{ stdenv, fetchurl, checkEnv, writeText, lib, phpPackages, php }:
let
nextcloud = let
- # FIXME: initial sync
- # FIXME: backup
buildApp = { appName, version, url, sha256, installPhase ? "mkdir -p $out && cp -R . $out/" }:
stdenv.mkDerivation rec {
name = "nextcloud-app-${appName}-${version}";
src = fetchurl { inherit url sha256; };
};
apps = {
- # FIXME: nextcloud complains that he cannot write into config
- # directory when an app needs upgrade
- # /!\ Attention, just changing the version number is not
- # sufficient when the downloaded file doesn’t contain the version
- # number in it, sha256 needs to be recomputed
audioplayer = buildApp rec {
appName = "audioplayer";
version = "2.5.0";
cp -ra dba docs inc scripts tests $out
'';
};
- # FIXME: e-mail sending
davical = rec {
config =
assert checkEnv "NIXOPS_DAVICAL_DB_PASSWORD";
};
config = lib.mkIf cfg.enable {
- # FIXME: include it in vhostConf ?
security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null;
services.myWebsites.tools.modules = adminer.apache.modules;
};
config = lib.mkIf cfg.enable {
- # FIXME: Can we use dynamic users from systemd?
- # nixos/modules/misc/ids.nix
ids.uids.diaspora = 398;
ids.gids.diaspora = 398;
unitConfig.RequiresMountsFor = diaspora.varDir;
};
- # FIXME: initial sync
- # FIXME: touch ${diaspora.varDir}/schedule.yml
system.activationScripts.diaspora = {
deps = [ "users" ];
text = ''
services.myWebsites.tools.modules = [
"headers" "proxy" "proxy_http" "proxy_balancer"
- # FIXME: probably only one balancer method is needed:
"lbmethod_byrequests" "lbmethod_bytraffic" "lbmethod_bybusyness" "lbmethod_heartbeat"
];
security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null;
name = "diaspora-env";
ruby = ruby_2_4;
gemdir = ./.;
- # FIXME: it fails if I don’t include all groups
- #groups = [ "default" "postgresql" "production" "development" "test" ];
- # Had to remove them from gemset.nix, and remove mysql2
- # Also had to "ungroup" pg in Gemfile
gemConfig = defaultGemConfig // {
kostya-sigar = attrs: {
buildInputs = with pkgs; [ pkgs.perl ];
};
config = lib.mkIf cfg.enable {
- # FIXME: include it in vhostConf ?
security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
nixpkgs.config.packageOverrides = oldpkgs: rec {
{ lib, checkEnv, writeText, stdenv, fetchurl, fetchedGithub }:
let
- # FIXME: check that source-integration and slack still work
mantisbt = let
plugins = {
slack = stdenv.mkDerivation (fetchedGithub ./mantisbt-plugin-slack.json // rec {
};
config = lib.mkIf cfg.enable {
- # FIXME: Can we use dynamic users from systemd?
- # nixos/modules/misc/ids.nix
ids.uids.mastodon = 399;
ids.gids.mastodon = 399;
unitConfig.RequiresMountsFor = mastodon.varDir;
};
- # FIXME: monitor jobs
systemd.services.mastodon-sidekiq = {
description = "Mastodon Sidekiq";
wantedBy = [ "multi-user.target" ];
unitConfig.RequiresMountsFor = mastodon.varDir;
};
- # FIXME: initial sync
system.activationScripts.mastodon = {
deps = [ "users" ];
text = ''
services.myWebsites.tools.modules = [
"headers" "proxy" "proxy_wstunnel" "proxy_http" "proxy_balancer"
- # FIXME: probably only one balancer method is needed:
"lbmethod_byrequests" "lbmethod_bytraffic" "lbmethod_bybusyness" "lbmethod_heartbeat"
];
security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null;
let
varDir = "/var/lib/mastodon_immae";
socketsDir = "/run/mastodon";
- # FIXME: use gemsets and nodejs equivalent
mastodon = stdenv.mkDerivation (fetchedGithub ./mastodon.json // rec {
buildPhase = ''
export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
};
config = lib.mkIf cfg.enable {
- # FIXME: Can we use dynamic users from systemd?
- # nixos/modules/misc/ids.nix
ids.uids.mediagoblin = 397;
ids.gids.mediagoblin = 397;
unitConfig.RequiresMountsFor = mediagoblin.varDir;
};
- # FIXME: background jobs and upload
- # FIXME: initial sync
system.activationScripts.mediagoblin = {
deps = [ "users" ];
text = ''
services.myWebsites.tools.modules = [
"proxy" "proxy_http" "proxy_balancer"
- # FIXME: probably only one balancer method is needed:
"lbmethod_byrequests" "lbmethod_bytraffic" "lbmethod_bybusyness" "lbmethod_heartbeat"
];
users.users.wwwrun.extraGroups = [ "mediagoblin" ];
plugins = {};
in rec {
varDir = "/var/lib/roundcubemail";
- # FIXME: initial sync
activationScript = {
deps = [ "wrappers" ];
text = ''
'';
};
config =
- # FIXME: LOG_DESTINATION syslog?
assert checkEnv "NIXOPS_ROUNDCUBEMAIL_PSQL_URL";
assert checkEnv "NIXOPS_ROUNDCUBEMAIL_SECRET";
writeText "config.php" ''
};
in rec {
varDir = "/var/lib/ttrss";
- # FIXME: initial sync
activationScript = {
deps = [ "wrappers" ];
text = ''
'';
};
config =
- # FIXME: LOG_DESTINATION syslog?
assert checkEnv "NIXOPS_TTRSS_DB_PASSWORD";
assert checkEnv "NIXOPS_TTRSS_LDAP_PASSWORD";
writeText "config.php" ''
group = "wwwrun";
modules = [ "proxy_fcgi" ];
vhostConf = ''
- # FIXME
Alias /assets "${varDir}/assets"
Alias /wallabag "${webRoot}"
<Directory "${webRoot}">