From: Ismaƫl Bouya
Date: Sun, 30 Dec 2018 00:47:43 +0000 (+0100)
Subject: Add Connexionswing
X-Git-Tag: nur_publish~387
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=65fe75439ebcb4e9f065ed7586240357dcca59c1

Add Connexionswing
---
diff --git a/libs.nix b/libs.nix
index cef8586..c85808b 100644
--- a/libs.nix
+++ b/libs.nix
@@ -27,5 +27,14 @@ in
 src = fetchgit json.git;
 };
+ fetchedGitPrivate = path:
+ let
+ json = lib.importJSON path;
+ in rec {
+ version = json.tag;
+ name = "${json.meta.name}-${version}";
+ src = fetchgitPrivate json.git;
+ };
+
 checkEnv = var: builtins.stringLength (builtins.getEnv var) > 0;
 }
diff --git a/virtual/connexionswing_master.json b/virtual/connexionswing_master.json
new file mode 100644
index 0000000..30c0c96
--- /dev/null
+++ b/virtual/connexionswing_master.json
@@ -0,0 +1,14 @@
+{
+ "tag": "0c9458f-master",
+ "meta": {
+ "name": "connexionswing_master",
+ "url": "gitolite@git.immae.eu:perso/Immae/Projets/Connexionswing",
+ "branch": "master"
+ },
+ "git": {
+ "url": "gitolite@git.immae.eu:perso/Immae/Projets/Connexionswing",
+ "rev": "0c9458fadbda05e1ffc54956162ee92ad4dd6aef",
+ "sha256": "04blmpfpb6j57m032vpddcn1775bwx537zvv7fi25ip2yg507fjv",
+ "fetchSubmodules": true
+ }
+}
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index fb366b7..56c6afd 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -49,6 +49,8 @@
 extraDomains = {
 "db-1.immae.eu" = null;
 "tools.immae.eu" = null;
+ "connexionswing.immae.eu" = null;
+ "sandetludo.immae.eu" = null;
 };
 };
 };
@@ -62,6 +64,7 @@
 '';
 poolConfigs = {
 adminer = mypkgs.adminer.phpFpm.pool;
+ connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
 www = ''
 listen = /var/run/phpfpm/www.sock
 user = wwwrun
@@ -77,6 +80,10 @@
 };
 };
+ system.activationScripts = {
+ connexionswing_dev = mypkgs.connexionswing_dev.activationScript;
+ };
+
 services.httpd = let
 withSSL = domain: {
 enableSSL = true;
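Review bot: `fetchedGitPrivate` repeats the body of the definition just above it (only its `src = fetchgit json.git;` line is in the context, so the rest is inferred) with the fetcher swapped for `fetchgitPrivate`; a single parameterised helper removes the duplication: `fetchedGitWith = fetcher: path: let json = lib.importJSON path; in rec { version = json.tag; name = "${json.meta.name}-${version}"; src = fetcher json.git; };` followed by `fetchedGitPrivate = fetchedGitWith fetchgitPrivate;` (and the existing function becoming `fetchedGitWith fetchgit`). Independently of that, a comment on the new attribute such as `# same JSON layout as the public variant (tag, meta.name, git), fetched with fetchgitPrivate` would help, because the schema it expects is otherwise only documented by the example file added in this commit. The enclosing `let … in` starts outside the hunk.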
@@ -92,6 +99,7 @@
 # FIXME: http2
 extraModules = pkgs.lib.lists.unique (
 mypkgs.adminer.apache.modules ++
+ mypkgs.connexionswing_dev.apache.modules ++
 [
 "macro"
 "ldap"
@@ -141,6 +149,15 @@
 mypkgs.ympd.apache.vhostConf
 ];
 })
+ (withSSL "eldiron" // {
+ listen = [ { ip = "*"; port = 443; } ];
+ hostName = "connexionswing.immae.eu";
+ serverAliases = [ "sandetludo.immae.eu" ];
+ documentRoot = mypkgs.connexionswing_dev.webRoot;
+ extraConfig = builtins.concatStringsSep "\n" [
+ mypkgs.connexionswing_dev.apache.vhostConf
+ ];
+ })
 { # Should go last, default fallback
 listen = [ { ip = "*"; port = 80; } ];
 hostName = "redirectSSL";
diff --git a/virtual/packages.nix b/virtual/packages.nix
index 05b0e88..cd98b79 100644
--- a/virtual/packages.nix
+++ b/virtual/packages.nix
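Review bot: The new vhost for `connexionswing.immae.eu` / `sandetludo.immae.eu` serves `mypkgs.connexionswing_dev.webRoot`, i.e. the dev build with `app_dev.php` as directory index, on what look like public hostnames, and only `connexionswing_dev` is wired into `poolConfigs`, `activationScripts` and `extraModules` although packages.nix also defines `connexionswing_prod`. That is presumably intended for now, but it means the dev front controller is protected solely by the `Require ldap-group` block inside `connexionswing_dev.apache.vhostConf`, so the exposure of this vhost depends on that block covering the whole document root; a comment above `(withSSL "eldiron" // {`, e.g. `# dev build on purpose: access is gated by the LDAP group in connexionswing_dev.apache.vhostConf`, would record that decision. As a style point, `builtins.concatStringsSep "\n" [ … ]` around a single element can simply be `extraConfig = mypkgs.connexionswing_dev.apache.vhostConf;`.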
@@ -1,6 +1,159 @@
 with import ../libs.nix;
 with nixpkgs_unstable;
 let
+ connexionswing = { environment ? "dev" }: rec {
+ varDir = "/var/lib/connexionswing_${environment}";
+ envName= lib.strings.toUpper environment;
+ configRoot =
+ # FIXME: spool emails in prod for when immae.eu is down?
+ assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_PASSWORD";
+ assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_USER";
+ assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_NAME";
+ assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_SECRET";
+ assert checkEnv "NIXOPS_CONNEXIONSWING_${envName}_EMAIL";
+ pkgs.writeText "parameters.yml" ''
+ # This file is auto-generated during the composer install
+ parameters:
+ database_host: db-1.immae.eu
+ database_port: null
+ database_name: ${builtins.getEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_NAME"}
+ database_user: ${builtins.getEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_USER"}
+ database_password: ${builtins.getEnv "NIXOPS_CONNEXIONSWING_${envName}_MYSQL_PASSWORD"}
+ mailer_transport: smtp
+ mailer_host: mail.immae.eu
+ mailer_user: null
+ mailer_password: null
+ subscription_email: ${builtins.getEnv "NIXOPS_CONNEXIONSWING_${envName}_EMAIL"}
+ allow_robots: true
+ secret: ${builtins.getEnv "NIXOPS_CONNEXIONSWING_${envName}_SECRET"}
+ '';
+ phpFpm = rec {
+ socket = "/var/run/phpfpm/connexionswing-${environment}.sock";
+ pool = ''
+ listen = ${socket}
+ user = ${apache.user}
+ group = ${apache.group}
+ listen.owner = ${apache.user}
+ listen.group = ${apache.group}
+ php_admin_value[upload_max_filesize] = 20M
+ php_admin_value[post_max_size] = 20M
+ ;php_admin_flag[log_errors] = on
+ php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+ ${if environment == "dev" then ''
+ pm = ondemand
+ pm.max_children = 5
+ pm.process_idle_timeout = 60
+ env[SYMFONY_DEBUG_MODE] = "yes"
+ '' else ''
+ pm = dynamic
+ pm.max_children = 20
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ ''}'';
+ };
+ apache = {
+ user = "wwwrun";
+ group = "wwwrun";
+ modules = [ "proxy_fcgi" ];
+ vhostConf = ''
+
+ SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+
+
+ ${if environment == "dev" then ''
+
+ Use LDAPConnect
+ Require ldap-group cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ ErrorDocument 401 ""
+
+
+
+ Options Indexes FollowSymLinks MultiViews Includes
+ AllowOverride None
+ Require all granted
+
+ DirectoryIndex app_dev.php
+
+
+ Options -MultiViews
+
+
+
+ RewriteEngine On
+
+ RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+ RewriteRule ^(.*) - [E=BASE:%1]
+
+ # Maintenance script
+ RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+ RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ ErrorDocument 503 /maintenance.php
+
+ # Sets the HTTP_AUTHORIZATION header removed by Apache
+ RewriteCond %{HTTP:Authorization} .
+ RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+ RewriteCond %{ENV:REDIRECT_STATUS} ^$
+ RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+ # If the requested filename exists, simply serve it.
+ # We only want to let Apache serve files and not directories.
+ RewriteCond %{REQUEST_FILENAME} -f
+ RewriteRule ^ - [L]
+
+ # Rewrite all other queries to the front controller.
+ RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+
+
+
+ '' else ""}
+ '';
+ };
+ activationScript = {
+ deps = [ "wrappers" ];
+ text = ''
+ install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+ ${varDir}/medias \
+ ${varDir}/uploads \
+ ${varDir}/var
+ if [ ! -f "${varDir}/currentWebappDir" -o \
+ "${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ]; then
+ pushd ${webappDir} > /dev/null
+ $wrapperDir/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
+ popd > /dev/null
+ echo -n "${webappDir}" > ${varDir}/currentWebappDir
+ fi
+ '';
+ };
+ webappDir = pkgs.stdenv.mkDerivation (fetchedGitPrivate ./connexionswing_master.json // rec {
+ # FIXME: can we do better than symlink?
+ # FIXME: imagick optional
+ # FIXME: initial sync
+ buildPhase = ''
+ export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+
+ ln -sf ../../../../../${varDir}/{medias,uploads} web/images/
+ ln -sf ${configRoot} app/config/parameters.yml
+ ${if environment == "dev" then "php bin/composer install" else ''
+ SYMFONY_ENV=prod php bin/composer install --no-dev
+ ./bin/console assetic:dump --env=prod --no-debug
+ ''}
+ rm -rf var
+ ln -sf ../../../../../${varDir}/var var
+ '';
+ installPhase = ''
+ cp -a . $out
+ '';
+ buildInputs = [
+ pkgs.php pkgs.git pkgs.cacert
+ ];
+ });
+ webRoot = "${webappDir}/web";
+ };
+
 adminer = rec {
 webRoot = pkgs.stdenv.mkDerivation rec {
 version = "4.7.0";
@@ -91,4 +244,6 @@ in {
 inherit adminer;
 inherit ympd;
+ connexionswing_dev = connexionswing { environment = "dev"; };
+ connexionswing_prod = connexionswing { environment = "prod"; };
 }
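Review bot: `configRoot` renders `NIXOPS_CONNEXIONSWING_*_MYSQL_PASSWORD` and `*_SECRET` into `pkgs.writeText "parameters.yml"`, so the database credentials and the Symfony secret end up in a world-readable `/nix/store` path (and in the closure of `webappDir`, which symlinks it via `ln -sf ${configRoot} app/config/parameters.yml` in `buildPhase`); the `assert checkEnv …` lines only verify that the variables are set, not where their values land. The non-secret values are fine in the store, but the file itself should be provisioned outside it by the deployment's secret/key mechanism, owned by `${apache.user}` with mode 0640, with the expression only pointing at it: `configRoot = "${varDir}/parameters.yml";` — the `open_basedir` entry for `${varDir}` in `phpFpm.pool` already permits that location, and the `install -d` in `activationScript` already creates the directory. If the store path is kept for now, a comment above `configRoot =` such as `# NOTE: this store path is world-readable; it contains the DB password and the app secret` would at least make the trade-off visible to the next reader. This applies to both instantiations added in the `@@ -91,4 +244,6 @@` hunk (`connexionswing_dev` and `connexionswing_prod`).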