Prepare production configuration for connexionswing
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sun, 30 Dec 2018 10:16:18 +0000 (11:16 +0100)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sun, 30 Dec 2018 10:17:58 +0000 (11:17 +0100)
virtual/eldiron.nix
virtual/packages.nix

index 2d1c50e4cfd67b1944032cc72de038a0f649bd52..e5839483810b0bf6f17f69d6bb036adabae841ca 100644 (file)
@@ -36,7 +36,6 @@
       };
     };
 
-    # FIXME: how to run it? currently set as timer
     security.acme.certs = {
       "eldiron" = {
         webroot = "/var/lib/acme/acme-challenge";
@@ -44,7 +43,7 @@
         domain = "eldiron.immae.eu";
         plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
         postRun = ''
-          "systemctl reload httpd.service"
+          systemctl reload httpd.service
         '';
         extraDomains = {
           "db-1.immae.eu" = null;
           "sandetludo.immae.eu" = null;
         };
       };
+      # "connexionswing" = {
+      #   webroot = "/var/lib/acme/acme-challenge";
+      #   email = "ismael@bouya.org";
+      #   domain = "connexionswing.com";
+      #   plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+      #   postRun = ''
+      #     systemctl reload httpd.service
+      #   '';
+      #   extraDomains = {
+      #     "www.connexionswing.com" = null;
+      #     "sandetludo.com" = null;
+      #     "www.sandetludo.com" = null;
+      #   };
+      # };
     };
 
     services.ympd = mypkgs.ympd.config // { enable = true; };
 
-    # FIXME: open_basedir
     services.phpfpm = {
       extraConfig = ''
         log_level = notice
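Review bot: The `"connexionswing"` certificate entry is added fully commented out, and nothing states what must happen before it can be enabled. The rest of this commit wires up the production pool, activation script and Apache modules, so a reader cannot tell whether connexionswing.com is meant to go live before it has a certificate covering its name. The vhost definition is outside the visible lines, so that part is inferred. I would put a marker above the block stating the precondition, for example `# TODO: enable once connexionswing.com and sandetludo.com resolve to this host`, if DNS is indeed the reason, or leave the block out until it is needed.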
@@ -65,6 +77,7 @@
       poolConfigs = {
         adminer = mypkgs.adminer.phpFpm.pool;
         connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
+        connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
         www = ''
           listen = /var/run/phpfpm/www.sock
           user = wwwrun
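Review bot: `connexionswing_prod` is added to `poolConfigs` in the same commit that drops the `# FIXME: open_basedir` note above `services.phpfpm`, yet no visible line sets that restriction. The pool body comes from `mypkgs.connexionswing_prod.phpFpm.pool` in packages.nix, outside these hunks, so it may already be confined there; that is worth confirming before the marker goes away. If it is not, a line such as `php_admin_value[open_basedir] = <app root>:<var dir>:/tmp` (placeholder paths) in the pool definition would keep the production application from reading outside its own tree. Otherwise the FIXME should stay until that is done.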
@@ -82,6 +95,7 @@
 
     system.activationScripts = {
       connexionswing_dev  = mypkgs.connexionswing_dev.activationScript;
+      connexionswing_prod = mypkgs.connexionswing_prod.activationScript;
       httpd = ''
         install -d -m 0755 /var/lib/acme/acme-challenge
         install -d -m 0755 /var/www
       extraModules = pkgs.lib.lists.unique (
         mypkgs.adminer.apache.modules ++
         mypkgs.connexionswing_dev.apache.modules ++
+        mypkgs.connexionswing_prod.apache.modules ++
         [
           "macro"
           "ldap"
           hostName = "redirectSSL";
           serverAliases = [ "*" ];
           enableSSL = false;
-          # FIXME: directory needs to exist
           documentRoot = "/var/lib/acme/acme-challenge";
           extraConfig = ''
             RewriteEngine on
index cd98b79c3a6caebaa683084dd623987e8c9e1ec8..ef9feb5840a042d0c146667e5b751d85be11ebf6 100644 (file)
@@ -61,6 +61,18 @@ let
         SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
       </FilesMatch>
 
+      <Directory ${varDir}/medias>
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+      </Directory>
+
+      <Directory ${varDir}/uploads>
+        Options FollowSymLinks
+        AllowOverride None
+        Require all granted
+      </Directory>
+
       ${if environment == "dev" then ''
       <Location />
         Use LDAPConnect
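Review bot: The new `<Directory ${varDir}/uploads>` block grants access to everything in a directory the application writes to, while the `SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"` just above still applies to it. The opening of that FilesMatch is outside the hunk, so I am assuming it matches `.php` names; if so, a file with such a name that lands in uploads or medias would be executed rather than served. I would add `<FilesMatch "\.php$">`, `Require all denied`, `</FilesMatch>` inside both Directory blocks. I would also replace `Options FollowSymLinks` with `Options SymLinksIfOwnerMatch` (or `Options None` if no symlinks are needed there), so that a link created inside a writable directory cannot expose files elsewhere. The enclosing vhost template starts and ends outside this hunk, and only the dev environment gets the LDAP `<Location />` guard that follows.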
@@ -131,6 +143,7 @@ let
       # FIXME: can we do better than symlink?
       # FIXME: imagick optional
       # FIXME: initial sync
+      # FIXME: backup
       buildPhase = ''
         export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
         export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt