From: Ismaël Bouya
Date: Sat, 18 Apr 2020 14:10:56 +0000 (+0200)
Subject: Refactor websites
X-Git-Url: https://git.immae.eu/?p=perso%2FImmae%2FConfig%2FNix.git;a=commitdiff_plain;h=d3452fc59b9839846225fd254926c64a9c71f071
Refactor websites
---
diff --git a/modules/private/default.nix b/modules/private/default.nix
index dafec47..dbb8361 100644
--- a/modules/private/default.nix
+++ b/modules/private/default.nix
@@ -16,36 +16,56 @@ set = { openldapReplication = ./databases/openldap_replication.nix; websites = ./websites; - isabelleAtenInte = ./websites/isabelle/aten_integration.nix; - isabelleAtenProd = ./websites/isabelle/aten_production.nix; - isabelleIridologie = ./websites/isabelle/iridologie.nix; - capitainesProd = ./websites/capitaines/production.nix; + + + # Personal websites + capitainesLandingPages = ./websites/capitaines/landing_pages.nix; + chloeInte = ./websites/chloe/integration.nix; chloeProd = ./websites/chloe/production.nix; + connexionswingInte = ./websites/connexionswing/integration.nix; connexionswingProd = ./websites/connexionswing/production.nix; - denisejeromeProd = ./websites/denisejerome/production.nix; - emiliaProd = ./websites/emilia/production.nix; - richieProd = ./websites/emilia/richie.nix; + + deniseDenisejeromeProd = ./websites/denise/denisejerome.nix; + deniseEvariste = ./websites/denise/evariste.nix; + + emiliaMoodle = ./websites/emilia/moodle.nix; + florianApp = ./websites/florian/app.nix; florianInte = ./websites/florian/integration.nix; florianProd = ./websites/florian/production.nix; + immaeProd = ./websites/immae/production.nix; immaeRelease = ./websites/immae/release.nix; immaeTemp = ./websites/immae/temp.nix; + + isabelleAtenInte = ./websites/isabelle/aten_integration.nix; + isabelleAtenProd = ./websites/isabelle/aten_production.nix; + isabelleIridologie = ./websites/isabelle/iridologie.nix; + + jeromeNaturaloutil = ./websites/jerome/naturaloutil.nix; + leilaProd = ./websites/leila/production.nix; - ludivinecassalInte = ./websites/ludivinecassal/integration.nix; - ludivinecassalProd = ./websites/ludivinecassal/production.nix; + + ludivineInte = ./websites/ludivine/integration.nix; + ludivineProd = ./websites/ludivine/production.nix; + nassimeProd = ./websites/nassime/production.nix; - naturaloutilProd = ./websites/naturaloutil/production.nix; - evaristeProd = ./websites/evariste/production.nix; - telioTortayProd = 
./websites/teliotortay/production.nix; + papaMaisonBbc = ./websites/papa/maison_bbc.nix; papaSurveillance = ./websites/papa/surveillance.nix; + piedsjalouxInte = ./websites/piedsjaloux/integration.nix; piedsjalouxProd = ./websites/piedsjaloux/production.nix; + + richieProd = ./websites/richie/production.nix; + sydenPeertube = ./websites/syden/peertube.nix; + teliotortayProd = ./websites/telio_tortay/production.nix; + + # Tools cloudTool = ./websites/tools/cloud; davTool = ./websites/tools/dav; vpnTool = ./websites/tools/vpn; diff --git a/modules/private/environment.nix b/modules/private/environment.nix index 29ea173..01ab967 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix @@ -1133,7 +1133,7 @@ in }; }; }; - telioTortay = mkOption { + telio_tortay = mkOption { description = "Telio Tortay configuration"; type = submodule { options = { @@ -1141,7 +1141,7 @@ in }; }; }; - ludivinecassal = mkOption { + ludivine = mkOption { description = "Ludivinecassal configurations by environment"; type = let diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 43d40d6..89b7664 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix @@ -193,7 +193,7 @@ in { }; }; - myServices.websites.webappDirs._task = ./www; + services.websites.webappDirs._task = ./www; security.acme.certs."task" = config.myServices.certificates.certConfig // { inherit user group; diff --git a/pkgs/private/webapps/apache-default/www/googleb6d69446ff4ca3e5.html b/modules/private/websites/_www/googleb6d69446ff4ca3e5.html similarity index 100% rename from pkgs/private/webapps/apache-default/www/googleb6d69446ff4ca3e5.html rename to modules/private/websites/_www/googleb6d69446ff4ca3e5.html 
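Review bot: The option renamed to `ludivine` in the `@@ -1141,7 +1141,7 @@` hunk keeps its old description, `description = "Ludivinecassal configurations by environment";`, so the generated option documentation now refers to a name that no longer exists. Update the text together with the rename, e.g. `description = "Ludivine configurations by environment";`. The `telio_tortay` rename just above keeps a description that still matches, so only this one drifts. The enclosing submodule definition continues past the end of the hunk.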
diff --git a/pkgs/private/webapps/apache-default/www/index.htm b/modules/private/websites/_www/index.htm
similarity index 100%
rename from pkgs/private/webapps/apache-default/www/index.htm
rename to modules/private/websites/_www/index.htm
diff --git a/pkgs/private/webapps/apache-default/www/maintenance_immae.html b/modules/private/websites/_www/maintenance_immae.html
similarity index 100%
rename from pkgs/private/webapps/apache-default/www/maintenance_immae.html
rename to modules/private/websites/_www/maintenance_immae.html
diff --git a/pkgs/private/webapps/apache-default/www/nossl.html b/modules/private/websites/_www/nossl.html
similarity index 100%
rename from pkgs/private/webapps/apache-default/www/nossl.html
rename to modules/private/websites/_www/nossl.html
diff --git a/modules/private/websites/capitaines/landing_pages.nix b/modules/private/websites/capitaines/landing_pages.nix
new file mode 100644
index 0000000..b94a398
--- /dev/null
+++ b/modules/private/websites/capitaines/landing_pages.nix
@@ -0,0 +1,60 @@ +{ lib, config, ... }: +let + cfg = config.myServices.websites.capitaines.landing_pages; + webappdirs = config.services.websites.webappDirsPaths; + certName = "capitaines"; + domain = "capitaines.fr"; +in { + options.myServices.websites.capitaines.landing_pages.enable = lib.mkEnableOption "enable Capitaines's landing pages"; + + config = lib.mkIf cfg.enable { + services.websites.webappDirs.capitaines_mastodon = ./mastodon_static; + services.websites.env.production.vhostConfs.capitaines_mastodon = rec { + inherit certName; + certMainHost = "mastodon.${domain}"; + hosts = [ certMainHost ]; + root = webappdirs.capitaines_mastodon; + extraConfig = [ + '' + ErrorDocument 404 /index.html + + DirectoryIndex index.html + Options Indexes FollowSymLinks MultiViews Includes + Require all granted + + '' + ]; + }; + + services.websites.webappDirs.capitaines_discourse = ./discourse_static; + services.websites.env.production.vhostConfs.capitaines_discourse = { + inherit certName; + addToCerts = true; + hosts = [ "discourse.${domain}" ]; + root = webappdirs.capitaines_discourse; + extraConfig = [ + '' + ErrorDocument 404 /index.html + + DirectoryIndex index.html + Options Indexes FollowSymLinks MultiViews Includes + Require all granted + + '' + ]; + }; + + services.websites.env.production.vhostConfs.capitaines = { + inherit certName; + addToCerts = true; + hosts = [ domain ]; + root = webappdirs._www; + extraConfig = [ '' + + DirectoryIndex index.htm + Require all granted + + '' ]; + }; + }; +} diff --git a/modules/private/websites/capitaines/production.nix b/modules/private/websites/capitaines/production.nix deleted file mode 100644 index ee1698b..0000000 --- a/modules/private/websites/capitaines/production.nix +++ /dev/null 
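Review bot: Both static vhosts (`capitaines_mastodon`, `capitaines_discourse`) grant `Options Indexes FollowSymLinks MultiViews Includes` with `Require all granted` on their directory block (the `<Directory>` tag itself appears stripped in this rendering), which is more than a static export served with `ErrorDocument 404 /index.html` needs: `Indexes` exposes directory listings for any path without an index.html, and `Includes` enables server-side includes with `#exec`. Since the roots come from `services.websites.webappDirsPaths` and so live in the read-only store, the practical risk is low, but least privilege would be `Options -Indexes +FollowSymLinks +MultiViews` (adding `+IncludesNOEXEC` only if the exports actually use SSI). Because this file is new, it is also the natural place to drop the legacy options rather than carrying them over from the deleted `production.nix`. The two `extraConfig` strings are identical and could be a single `let` binding shared by both vhosts.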
@@ -1,62 +0,0 @@ -{ lib, pkgs, config, ... }: -let - cfg = config.myServices.websites.capitaines.production; - env = config.myEnv.websites.capitaines; -in { - options.myServices.websites.capitaines.production.enable = lib.mkEnableOption "enable Capitaines's website"; - - config = lib.mkIf cfg.enable { - myServices.websites.webappDirs.capitaines_mastodon = ./mastodon_static; - services.websites.env.production.vhostConfs.capitaines_mastodon = let - root = "/run/current-system/webapps/capitaines_mastodon"; - in { - certName = "capitaines"; - certMainHost = "mastodon.capitaines.fr"; - hosts = [ "mastodon.capitaines.fr" ]; - root = root; - extraConfig = [ - '' - ErrorDocument 404 /index.html - - DirectoryIndex index.html - Options Indexes FollowSymLinks MultiViews Includes - Require all granted - - '' - ]; - }; - - myServices.websites.webappDirs.capitaines_discourse = ./discourse_static; - services.websites.env.production.vhostConfs.capitaines_discourse = let - root = "/run/current-system/webapps/capitaines_discourse"; - in { - certName = "capitaines"; - addToCerts = true; - hosts = [ "discourse.capitaines.fr" ]; - root = root; - extraConfig = [ - '' - ErrorDocument 404 /index.html - - DirectoryIndex index.html - Options Indexes FollowSymLinks MultiViews Includes - Require all granted - - '' - ]; - }; - - services.websites.env.production.vhostConfs.capitaines = { - certName = "capitaines"; - addToCerts = true; - hosts = [ "capitaines.fr" ]; - root = "/run/current-system/webapps/_www"; - extraConfig = [ '' - - DirectoryIndex index.htm - Require all granted - - '' ]; - }; - }; -} diff --git a/pkgs/private/webapps/chloe/chloe.json b/modules/private/websites/chloe/app/chloe.json similarity index 100% rename from pkgs/private/webapps/chloe/chloe.json rename to modules/private/websites/chloe/app/chloe.json 
diff --git a/pkgs/private/webapps/chloe/default.nix b/modules/private/websites/chloe/app/default.nix
similarity index 90%
rename from pkgs/private/webapps/chloe/default.nix
rename to modules/private/websites/chloe/app/default.nix
index f148d4b..92a5e42 100644
--- a/pkgs/private/webapps/chloe/default.nix
+++ b/modules/private/websites/chloe/app/default.nix
@@ -15,5 +15,5 @@ in
 spip.override {
 ldap = true;
 siteName = "chloe";
- inherit environment siteDir;
+ inherit environment siteDir varDir;
 }
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix
deleted file mode 100644
index bce2b4d..0000000
--- a/modules/private/websites/chloe/builder.nix
+++ /dev/null
@@ -1,99 +0,0 @@ -{ apacheUser, apacheGroup, chloe, config }: -rec { - app = chloe.override { inherit (config) environment; }; - phpFpm = rec { - serviceDeps = [ "mysql.service" ]; - pool = { - "listen.owner" = apacheUser; - "listen.group" = apacheGroup; - "php_admin_value[upload_max_filesize]" = "20M"; - "php_admin_value[post_max_size]" = "20M"; - # "php_admin_flag[log_errors]" = "on"; - "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; - "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; - } // (if app.environment == "dev" then { - "pm" = "ondemand"; - "pm.max_children" = "5"; - "pm.process_idle_timeout" = "60"; - } else { - "pm" = "dynamic"; - "pm.max_children" = "20"; - "pm.start_servers" = "2"; - "pm.min_spare_servers" = "1"; - "pm.max_spare_servers" = "3"; - }); - }; - keys = [{ - dest = "webapps/${app.environment}-chloe"; - user = apacheUser; - group = apacheGroup; - permissions = "0400"; - text = '' - SetEnv SPIP_CONFIG_DIR "${configDir}" - SetEnv SPIP_VAR_DIR "${app.varDir}" - SetEnv SPIP_SITE "chloe-${app.environment}" - SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" - SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" - SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}" - SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}" - SetEnv SPIP_LDAP_SEARCH "${config.ldap.filter}" - SetEnv SPIP_MYSQL_HOST "${config.mysql.host}" - SetEnv SPIP_MYSQL_PORT "${config.mysql.port}" - SetEnv SPIP_MYSQL_DB "${config.mysql.database}" - SetEnv SPIP_MYSQL_USER "${config.mysql.user}" - SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}" - ''; - }]; - apache = rec { - modules = [ "proxy_fcgi" ]; - webappName = "chloe_${app.environment}"; - root = "/run/current-system/webapps/${webappName}"; - vhostConf = socket: '' - Include /var/secrets/webapps/${app.environment}-chloe - - RewriteEngine On - ${if app.environment == "prod" then '' - RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1 - '' else ""} - - - SetHandler 
"proxy:unix:${socket}|fcgi://localhost" - - - - DirectoryIndex index.php index.htm index.html - Options -Indexes +FollowSymLinks +MultiViews +Includes - Include ${root}/htaccess.txt - - AllowOverride AuthConfig FileInfo Limit - Require all granted - - - - Require all denied - - - - Require all denied - - - ${if app.environment == "dev" then '' - - Use LDAPConnect - Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu - ErrorDocument 401 "" - - '' else '' - Use Stats osteopathe-cc.fr - ''} - ''; - }; - activationScript = { - deps = [ "wrappers" ]; - text = '' - install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local - install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions - ''; - }; - configDir = ./config; -} diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index caf6548..6d16a86 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix 
@@ -1,43 +1,115 @@ { lib, pkgs, config, ... }: let - chloe = pkgs.callPackage ./builder.nix { - inherit (pkgs.webapps) chloe; - config = config.myEnv.websites.chloe.integration; - apacheUser = config.services.httpd.Inte.user; - apacheGroup = config.services.httpd.Inte.group; + apacheUser = config.services.httpd.Inte.user; + apacheGroup = config.services.httpd.Inte.group; + ccfg = config.myEnv.websites.chloe.integration; + app = pkgs.callPackage ./app { + inherit (ccfg) environment; + inherit (pkgs.webapps) spip; + varDir = "/var/lib/chloe_integration"; }; - cfg = config.myServices.websites.chloe.integration; + webappdir = config.services.websites.webappDirsPaths.chloe_integration; in { options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.chloe_dev.rootDir = chloe.app.varDir; - secrets.keys = chloe.keys; - systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; - systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; - services.phpfpm.pools.chloe_dev = { + services.duplyBackup.profiles.chloe_integration.rootDir = app.varDir; + secrets.keys = [ + { + dest = "websites/chloe/integration"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${./config}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "chloe-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" + SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" + SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" + SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" + ''; + } + ]; + 
systemd.services.phpfpm-chloe_integration.after = lib.mkAfter [ "mysql.service" ]; + systemd.services.phpfpm-chloe_integration.wants = [ "mysql.service" ]; + services.phpfpm.pools.chloe_integration = { user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; - settings = chloe.phpFpm.pool; + settings = { + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + # "php_admin_flag[log_errors]" = "on"; + "php_admin_value[open_basedir]" = "${app.spipConfig}:${./config}:${app}:${app.varDir}:/tmp"; + "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + }; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; }; - system.activationScripts.chloe_dev = chloe.activationScript; - myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot; - services.websites.env.integration.modules = chloe.apache.modules; - services.websites.env.integration.vhostConfs.chloe = { + system.activationScripts.chloe_integration = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; + services.websites.webappDirs.chloe_integration = app.webRoot; + services.websites.env.integration.modules = [ "proxy_fcgi" ]; + services.websites.env.integration.vhostConfs.chloe_integration = { certName = "integration"; addToCerts = true; hosts = ["chloe.immae.eu" ]; - root = chloe.apache.root; + root = webappdir; extraConfig = [ - (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_dev.socket) + '' + Include ${config.secrets.fullPaths."websites/chloe/integration"} + + RewriteEngine On + + + SetHandler 
"proxy:unix:${config.services.phpfpm.pools.chloe_integration.socket}|fcgi://localhost" + + + + DirectoryIndex index.php index.htm index.html + Options -Indexes +FollowSymLinks +MultiViews +Includes + Include ${webappdir}/htaccess.txt + + AllowOverride AuthConfig FileInfo Limit + Require all granted + + + + Require all denied + + + + Require all denied + + + + Use LDAPConnect + Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + '' ]; }; services.websites.env.integration.watchPaths = [ - "/var/secrets/webapps/${chloe.app.environment}-chloe" + config.secrets.fullPaths."websites/chloe/integration" ]; }; } diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 83f6c9b..067e8e7 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix 
@@ -1,50 +1,120 @@ { lib, pkgs, config, ... }: let - chloe = pkgs.callPackage ./builder.nix { - inherit (pkgs.webapps) chloe; - config = config.myEnv.websites.chloe.production; - apacheUser = config.services.httpd.Prod.user; - apacheGroup = config.services.httpd.Prod.group; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + ccfg = config.myEnv.websites.chloe.production; + app = pkgs.callPackage ./app { + inherit (ccfg) environment; + inherit (pkgs.webapps) spip; + varDir = "/var/lib/chloe_production"; }; - cfg = config.myServices.websites.chloe.production; + webappdir = config.services.websites.webappDirsPaths.chloe_production; in { options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.chloe_prod.rootDir = chloe.app.varDir; - secrets.keys = chloe.keys; + services.duplyBackup.profiles.chloe_production.rootDir = app.varDir; + secrets.keys = [ + { + dest = "websites/chloe/production"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${./config}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "chloe-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${ccfg.ldap.filter}" + SetEnv SPIP_MYSQL_HOST "${ccfg.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${ccfg.mysql.port}" + SetEnv SPIP_MYSQL_DB "${ccfg.mysql.database}" + SetEnv SPIP_MYSQL_USER "${ccfg.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}" + ''; + } + ]; services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; - systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; - systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; - 
services.phpfpm.pools.chloe_prod = { + systemd.services.phpfpm-chloe_production.after = lib.mkAfter [ "mysql.service" ]; + systemd.services.phpfpm-chloe_production.wants = [ "mysql.service" ]; + services.phpfpm.pools.chloe_production = { user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; - settings = chloe.phpFpm.pool; + settings = { + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + # "php_admin_flag[log_errors]" = "on"; + "php_admin_value[open_basedir]" = "${app.spipConfig}:${./config}:${app}:${app.varDir}:/tmp"; + "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; }; - system.activationScripts.chloe_prod = chloe.activationScript; - myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot; - services.websites.env.production.modules = chloe.apache.modules; + system.activationScripts.chloe_production = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; + services.websites.webappDirs.chloe_production = app.webRoot; + services.websites.env.production.modules = [ "proxy_fcgi" ]; services.websites.env.production.vhostConfs.chloe = { certName = "chloe"; certMainHost = "osteopathe-cc.fr"; hosts = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ]; - root = chloe.apache.root; + root = webappdir; extraConfig = [ '' + Use Stats osteopathe-cc.fr + RewriteEngine On RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] RewriteRule ^(.+)$ 
https://www.osteopathe-cc.fr$1 [R=302,L] + + Include ${config.secrets.fullPaths."websites/chloe/production"} + + RewriteEngine On + RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1 + + + SetHandler "proxy:unix:${config.services.phpfpm.pools.chloe_production.socket}|fcgi://localhost" + + + + DirectoryIndex index.php index.htm index.html + Options -Indexes +FollowSymLinks +MultiViews +Includes + Include ${webappdir}/htaccess.txt + + AllowOverride AuthConfig FileInfo Limit + Require all granted + + + + Require all denied + + + + Require all denied + '' - (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_prod.socket) ]; }; services.websites.env.production.watchPaths = [ - "/var/secrets/webapps/${chloe.app.environment}-chloe" + config.secrets.fullPaths."websites/chloe/production" ]; }; } diff --git a/pkgs/private/webapps/connexionswing/connexionswing.json b/modules/private/websites/connexionswing/app/connexionswing.json similarity index 100% rename from pkgs/private/webapps/connexionswing/connexionswing.json rename to modules/private/websites/connexionswing/app/connexionswing.json diff --git a/pkgs/private/webapps/connexionswing/default.nix b/modules/private/websites/connexionswing/app/default.nix similarity index 87% rename from pkgs/private/webapps/connexionswing/default.nix rename to modules/private/websites/connexionswing/app/default.nix index 04e296b..37ce42d 100644 --- a/pkgs/private/webapps/connexionswing/default.nix +++ b/modules/private/websites/connexionswing/app/default.nix @@ -1,5 +1,6 @@ { environment ? "prod" , varDir ? "/var/lib/connexionswing_${environment}" +, secretsPath ? "/var/secrets/webapps/${environment}-connexionswing" , composerEnv, fetchurl, fetchgit, mylibs }: let app = composerEnv.buildPackage ( 
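Review bot: The secret file interpolates `ccfg.ldap.password`, `ccfg.mysql.password` and `ccfg.ldap.filter` raw into double-quoted Apache directives, e.g. `SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"`; a value containing `"` terminates the argument early, which at best truncates the credential and at worst makes the `Include`d file unparsable and keeps httpd from starting. At minimum escape embedded quotes, `SetEnv SPIP_MYSQL_PASSWORD "${lib.escape [ "\"" ] ccfg.mysql.password}"`, or add an `assertion` at evaluation time that these values contain no `"`. The same template is now copy-pasted verbatim between `integration.nix` and `production.nix` (the deleted `builder.nix` used to be the single source), so a shared helper producing the `SetEnv` text would keep the two in sync when the escaping is added. The `cfg` binding here appears on a removed line as in the integration file; please confirm `lib.mkIf cfg.enable` still resolves.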
@@ -14,7 +15,7 @@ let
 cd $out
 ${if environment == "prod" then "php ./bin/console assetic:dump --env=prod --no-debug" else ""}
 rm app/config/parameters.yml
- ln -sf /var/secrets/webapps/${environment}-connexionswing app/config/parameters.yml
+ ln -sf ${secretsPath} app/config/parameters.yml
 rm -rf var/{logs,cache}
 ln -sf ${varDir}/var/{logs,cache} var/
 ln -sf ${varDir}/{medias,uploads} web/images/
diff --git a/pkgs/private/webapps/connexionswing/php-packages.nix b/modules/private/websites/connexionswing/app/php-packages.nix
similarity index 100%
rename from pkgs/private/webapps/connexionswing/php-packages.nix
rename to modules/private/websites/connexionswing/app/php-packages.nix
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix
index 4f7b72d..b4de4e1 100644
--- a/modules/private/websites/connexionswing/integration.nix
+++ b/modules/private/websites/connexionswing/integration.nix
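Review bot: `ln -sf ${secretsPath} app/config/parameters.yml` now bakes whatever `secretsPath` evaluates to into the store output, but the default declared in the hunk above, `secretsPath ? "/var/secrets/webapps/${environment}-connexionswing"`, still points at the legacy layout while both callers in this commit deploy the key under `websites/connexionswing/<env>`. Any future `callPackage ./app { ... }` that omits `secretsPath` therefore builds fine and ships a dangling `parameters.yml` symlink, so the Symfony app fails only at runtime. Either drop the default so the argument is required, or default it to the new location. The surrounding `composerEnv.buildPackage` call starts before this hunk.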
@@ -1,15 +1,19 @@ { lib, pkgs, config, ... }: let secrets = config.myEnv.websites.connexionswing.integration; - app = pkgs.webapps.connexionswing.override { environment = secrets.environment; }; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/connexionswing_integration"; + secretsPath = config.secrets.fullPaths."websites/connexionswing/integration"; + }; cfg = config.myServices.websites.connexionswing.integration; pcfg = config.services.phpApplication; in { options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.connexionswing_dev.rootDir = app.varDir; - services.phpApplication.apps.connexionswing_dev = { + services.duplyBackup.profiles.connexionswing_integration.rootDir = app.varDir; + services.phpApplication.apps.connexionswing_integration = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; httpdGroup = config.services.httpd.Inte.group; @@ -34,16 +38,16 @@ in { "pm.process_idle_timeout" = "60"; }; phpEnv = { - SYMFONY_DEBUG_MODE = "yes"; + SYMFONY_DEBUG_MODE = "\"yes\""; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-connexionswing" + config.secrets.fullPaths."websites/connexionswing/integration" ]; }; secrets.keys = [ { - dest = "webapps/${app.environment}-connexionswing"; + dest = "websites/connexionswing/integration"; user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; 
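Review bot: `SYMFONY_DEBUG_MODE = "\"yes\"";` embeds literal double quotes in the Nix value, which presumably works around how `services.phpApplication` renders `phpEnv` into the pool's `env[...]` lines; if that renderer ever quotes values itself this becomes `""yes""`, and nothing here documents why the quotes are needed. A short comment on the line, e.g. `# quoted literally: the pool renderer emits the value verbatim into env[SYMFONY_DEBUG_MODE]`, would prevent the next reader from "fixing" it, and the quoting would be better done once inside `services.phpApplication` for every app. Worth confirming against the generated pool file that the variable arrives as `yes` and not `"yes"`. The `services.phpApplication.apps.connexionswing_integration` attribute set continues past this hunk.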
@@ -67,15 +71,15 @@ in { } ]; - services.websites.env.integration.vhostConfs.connexionswing_dev = { - certName = "integration"; + services.websites.env.integration.vhostConfs.connexionswing_integration = { + certName = "integration"; addToCerts = true; hosts = ["connexionswing.immae.eu" "sandetludo.immae.eu" ]; - root = pcfg.webappDirs.connexionswing_dev; + root = pcfg.webappDirs.connexionswing_integration; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_dev}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_integration}|fcgi://localhost" @@ -96,7 +100,7 @@ in { ErrorDocument 401 "" - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Require all granted diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index 0b52af1..119a15e 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix 
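Review bot: The rewritten directory block in the `@@ -96,7 +100,7 @@` hunk (its `<Directory>` tag is stripped in this rendering) keeps `Options Indexes FollowSymLinks MultiViews Includes` with `AllowOverride None`; per the `app/default.nix` hunk, `web/images/medias` and `web/images/uploads` are symlinks into the writable `varDir`, so if this block covers the document root, user-supplied files are served with directory listing and SSI enabled. `Options -Indexes +FollowSymLinks +MultiViews` (with `+IncludesNOEXEC` only if SSI is really used) would be the least-privilege form; whether mod_include is active for these paths is not visible here. The integration vhost is behind the LDAP requirement visible as `ErrorDocument 401 ""` context, which limits but does not remove the exposure. The `vhostConfs.connexionswing_integration` set starts in the hunk above.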
@@ -1,16 +1,20 @@ { lib, pkgs, config, ... }: let secrets = config.myEnv.websites.connexionswing.production; - app = pkgs.webapps.connexionswing.override { environment = secrets.environment; }; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/connexionswing_production"; + secretsPath = config.secrets.fullPaths."websites/connexionswing/production"; + }; cfg = config.myServices.websites.connexionswing.production; pcfg = config.services.phpApplication; in { options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.connexionswing_prod.rootDir = app.varDir; + services.duplyBackup.profiles.connexionswing_produdction.rootDir = app.varDir; services.webstats.sites = [ { name = "connexionswing.com"; } ]; - services.phpApplication.apps.connexionswing_prod = { + services.phpApplication.apps.connexionswing_production = { websiteEnv = "production"; httpdUser = config.services.httpd.Prod.user; httpdGroup = config.services.httpd.Prod.group; @@ -37,13 +41,13 @@ in { "pm.max_spare_servers" = "3"; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-connexionswing" + config.secrets.fullPaths."websites/connexionswing/production" ]; }; secrets.keys = [ { - dest = "webapps/${app.environment}-connexionswing"; + dest = "websites/connexionswing/production"; user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; permissions = "0400"; 
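Review bot: `services.duplyBackup.profiles.connexionswing_produdction.rootDir = app.varDir;` misspells the profile name, so the backup profile is created under `connexionswing_produdction` while every other attribute in the file uses `connexionswing_production`; a later lookup by the expected name (or a cleanup of old `_prod` profiles keyed on the convention) would silently miss it. Change it to `services.duplyBackup.profiles.connexionswing_production.rootDir = app.varDir;`. The renamed PHP application set continues past this hunk.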
@@ -71,15 +75,15 @@ in { } ]; - services.websites.env.production.vhostConfs.connexionswing_prod = { + services.websites.env.production.vhostConfs.connexionswing_production = { certName = "connexionswing"; certMainHost = "connexionswing.com"; hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; - root = pcfg.webappDirs.connexionswing_prod; + root = pcfg.webappDirs.connexionswing_production; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_prod}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_production}|fcgi://localhost" @@ -96,7 +100,7 @@ in { Use Stats connexionswing.com - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride All Require all granted diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 3d43b11..5c33e1c 100644 --- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix @@ -43,7 +43,21 @@ let ''; }; global = { - extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig; + extraConfig = '' + ErrorDocument 500 /maintenance_immae.html + ErrorDocument 501 /maintenance_immae.html + ErrorDocument 502 /maintenance_immae.html + ErrorDocument 503 /maintenance_immae.html + ErrorDocument 504 /maintenance_immae.html + Alias /maintenance_immae.html ${www_root}/maintenance_immae.html + ProxyPass /maintenance_immae.html ! + + AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html + + AllowOverride None + Require all granted + + ''; }; apaxy = { extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig; 
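Review bot: The production directory block in the `@@ -96,7 +100,7 @@` hunk (tag stripped in this rendering) combines `AllowOverride All` with `Options Indexes FollowSymLinks MultiViews Includes`, whereas the integration counterpart uses `AllowOverride None`; since `web/images/{medias,uploads}` are symlinks to the writable `varDir`, a `.htaccess` that ends up in one of those upload directories could re-enable handlers or options if this block covers them. If nothing in the Symfony web root relies on `.htaccess`, align production with integration (`AllowOverride None`) and drop `Indexes`; otherwise narrow it to the directives actually needed. Confirming the exact directory path once the tag is visible would settle whether the upload dirs are inside the block.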
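Review bot: `AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html` in the inlined global config is unanchored and has an unescaped dot, so it also serves the verification file for any request path that merely contains that segment (e.g. `…/googleb6d69446ff4ca3e5.html.bak` or `…/googleb6d69446ff4ca3e5Xhtml`). Anchoring it as `AliasMatch "^(?:.*/)?googleb6d69446ff4ca3e5\.html$" ${www_root}/googleb6d69446ff4ca3e5.html` keeps the intended behaviour (any vhost, any directory) without the over-match. The `Require all granted` directory block right after it presumably targets `${www_root}`; its opening tag is stripped in this rendering.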
@@ -64,17 +78,7 @@ let makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig)); in { - options.myServices.websites = { - enable = lib.mkEnableOption "enable websites"; - - webappDirs = lib.mkOption { - type = lib.types.attrsOf lib.types.path; - description = '' - Webapp paths to create in /run/current-system/webapps - ''; - default = {}; - }; - }; + options.myServices.websites.enable = lib.mkEnableOption "enable websites"; config = lib.mkIf config.myServices.websites.enable { services.duplyBackup.profiles.php = { 
@@ -213,61 +217,75 @@ in }; }; - system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues config.myServices.websites.webappDirs) > 0) '' - mkdir -p $out/webapps - ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (name: path: "ln -s ${path} $out/webapps/${name}") config.myServices.websites.webappDirs)} - ''; - + services.websites.webappDirs = { + _www = ./_www; + _theme = pkgs.webapps.apache-theme.theme; + }; myServices.websites = { - webappDirs = { - _www = pkgs.webapps.apache-default.www; - _theme = pkgs.webapps.apache-theme.theme; - }; + capitaines.landing_pages.enable = true; - isabelle.aten_integration.enable = true; - isabelle.aten_production.enable = true; - isabelle.iridologie.enable = true; + chloe = { + integration.enable = true; + production.enable = true; + }; - capitaines.production.enable = true; + connexionswing = { + integration.enable = true; + production.enable = true; + }; - chloe.integration.enable = true; - chloe.production.enable = true; + denise = { + evariste.enable = true; + denisejerome.enable = true; + }; - connexionswing.integration.enable = true; - connexionswing.production.enable = true; + emilia.moodle.enable = true; - denisejerome.production.enable = true; + florian = { + app.enable = true; + integration.enable = true; + production.enable = true; + }; - emilia.production.enable = true; - emilia.richie_production.enable = true; + immae = { + production.enable = true; + release.enable = true; + temp.enable = true; + }; - florian.app.enable = true; - florian.integration.enable = true; - florian.production.enable = true; + isabelle = { + aten_integration.enable = true; + aten_production.enable = true; + iridologie.enable = true; + }; - immae.production.enable = true; - immae.release.enable = true; - immae.temp.enable = true; + jerome.naturaloutil.enable = true; leila.production.enable = true; - ludivinecassal.integration.enable = true; - ludivinecassal.production.enable = true; + ludivine = { + 
integration.enable = true; + production.enable = true; + }; nassime.production.enable = true; - evariste.production.enable = true; - naturaloutil.production.enable = true; - telioTortay.production.enable = true; + papa = { + surveillance.enable = true; + maison_bbc.enable = true; + }; - papa.surveillance.enable = true; - papa.maison_bbc.enable = true; + piedsjaloux = { + integration.enable = true; + production.enable = true; + }; - piedsjaloux.integration.enable = true; - piedsjaloux.production.enable = true; + richie.production.enable = true; syden.peertube.enable = true; + telio_tortay.production.enable = true; + tools.cloud.enable = true; tools.dav.enable = true; tools.db.enable = true; diff --git a/modules/private/websites/denisejerome/production.nix b/modules/private/websites/denise/denisejerome.nix similarity index 64% rename from modules/private/websites/denisejerome/production.nix rename to modules/private/websites/denise/denisejerome.nix index 481df5b..a75e591 100644 --- a/modules/private/websites/denisejerome/production.nix +++ b/modules/private/websites/denise/denisejerome.nix 
@@ -1,16 +1,16 @@ -{ lib, pkgs, config, ... }: +{ lib, config, ... }: let - cfg = config.myServices.websites.denisejerome.production; - varDir = "/var/lib/ftp/denisejerome"; + cfg = config.myServices.websites.denise.denisejerome; + varDir = "/var/lib/ftp/denise/denisejerome"; env = config.myEnv.websites.denisejerome; in { - options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website"; + options.myServices.websites.denise.denisejerome.enable = lib.mkEnableOption "enable Denise Jerome's website"; config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ]; - services.websites.env.production.vhostConfs.denisejerome = { - certName = "denisejerome"; + services.websites.env.production.vhostConfs.denise_denisejerome = { + certName = "denise"; certMainHost = "denisejerome.piedsjaloux.fr"; hosts = ["denisejerome.piedsjaloux.fr" ]; root = varDir; diff --git a/modules/private/websites/evariste/production.nix b/modules/private/websites/denise/evariste.nix similarity index 56% rename from modules/private/websites/evariste/production.nix rename to modules/private/websites/denise/evariste.nix index 43b26c8..460302b 100644 --- a/modules/private/websites/evariste/production.nix +++ b/modules/private/websites/denise/evariste.nix 
@@ -1,10 +1,12 @@ -{ lib, pkgs, config, ... }: +{ lib, config, ... }: let - cfg = config.myServices.websites.evariste.production; - nsiVarDir = "/var/lib/ftp/nsievariste"; - stmgVarDir = "/var/lib/ftp/stmgevariste"; + cfg = config.myServices.websites.denise.evariste; + nsiVarDir = "/var/lib/ftp/denise/nsievariste"; + stmgVarDir = "/var/lib/ftp/denise/stmgevariste"; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; in { - options.myServices.websites.evariste.production.enable = lib.mkEnableOption "enable NSI/STMG Evariste website"; + options.myServices.websites.denise.evariste.enable = lib.mkEnableOption "enable NSI/STMG Evariste website"; config = lib.mkIf cfg.enable { services.webstats.sites = [ 
@@ -13,31 +15,32 @@ in { ]; services.websites.env.production.modules = [ "proxy_fcgi" ]; - system.activationScripts.evariste = { + system.activationScripts.denise_evariste = { deps = [ "httpd" ]; text = '' - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/nsievariste - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/stmgevariste + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/denise_nsievariste + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/denise_stmgevariste ''; }; - services.phpfpm.pools.nsievariste = { - user = "wwwrun"; - group = "wwwrun"; + services.phpfpm.pools.denise_nsievariste = { + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; "pm.process_idle_timeout" = "60"; - "php_admin_value[open_basedir]" = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp"; - "php_admin_value[session.save_path]" = "/var/lib/php/sessions/nsievariste"; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/denise_nsievariste:${nsiVarDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/denise_nsievariste"; }; }; - services.websites.env.production.vhostConfs.nsievariste = { - certName = "eldiron"; + services.websites.env.production.vhostConfs.denise_nsievariste = { + certName = "denise_evariste"; addToCerts = true; + certMainHost = "nsievariste.immae.eu"; hosts = ["nsievariste.immae.eu" ]; root = nsiVarDir; extraConfig = [ @@ -45,7 +48,7 @@ in { Use Stats nsievariste.immae.eu - SetHandler "proxy:unix:${config.services.phpfpm.pools.nsievariste.socket}|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.denise_nsievariste.socket}|fcgi://localhost" 
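Review bot: The two `install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/denise_nsievariste` and `.../denise_stmgevariste` lines in the rewritten activation script keep the PHP session directories world-readable, so any local account can list the `sess_*` file names, which are the live session identifiers; only the pool user needs to traverse them. The iridologie module touched by this same commit already creates its `phpSessions` directory with `0750`, so `install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/denise_nsievariste` (and the same for `denise_stmgevariste`) brings the two in line. The pool's `open_basedir` and `session.save_path` in this hunk already point at these directories, so nothing else needs to move.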
@@ -58,23 +61,23 @@ in { ]; }; - services.phpfpm.pools.stmgevariste = { - user = "wwwrun"; - group = "wwwrun"; + services.phpfpm.pools.denise_stmgevariste = { + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; "pm.process_idle_timeout" = "60"; - "php_admin_value[open_basedir]" = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp"; - "php_admin_value[session.save_path]" = "/var/lib/php/sessions/stmgevariste"; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/denise_stmgevariste:${stmgVarDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/denise_stmgevariste"; }; }; - services.websites.env.production.vhostConfs.stmgevariste = { - certName = "eldiron"; + services.websites.env.production.vhostConfs.denise_stmgevariste = { + certName = "denise_evariste"; addToCerts = true; hosts = ["stmgevariste.immae.eu" ]; root = stmgVarDir; @@ -83,7 +86,7 @@ in { Use Stats stmgevariste.immae.eu - SetHandler "proxy:unix:${config.services.phpfpm.pools.stmgevariste.socket}|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.denise_stmgevariste.socket}|fcgi://localhost" diff --git a/modules/private/websites/emilia/moodle.nix b/modules/private/websites/emilia/moodle.nix new file mode 100644 index 0000000..d49faf5 --- /dev/null +++ b/modules/private/websites/emilia/moodle.nix 
@@ -0,0 +1,69 @@
+{ lib, pkgs, config, ... }:
+let
+ cfg = config.myServices.websites.emilia.moodle;
+ env = config.myEnv.websites.emilia;
+ varDir = "/var/lib/emilia_moodle";
+ siteDir = ./moodle;
+ webappName = "emilia_moodle";
+ webappdir = config.services.websites.webappDirsPaths.emilia_moodle;
+ # php_admin_value[upload_max_filesize] = 50000000
+ # php_admin_value[post_max_size] = 50000000
+ configFile = ''
+ dbtype = 'pgsql';
+ $CFG->dblibrary = 'native';
+ $CFG->dbhost = '${env.postgresql.host}';
+ $CFG->dbname = '${env.postgresql.database}';
+ $CFG->dbuser = '${env.postgresql.user}';
+ $CFG->dbpass = '${env.postgresql.password}';
+ $CFG->prefix = 'mdl_';
+ $CFG->dboptions = array (
+ 'dbpersist' => 0,
+ 'dbport' => '${env.postgreesql.port}',
+ 'dbsocket' => '${env.postgresql.password}',
+ );
+
+ $CFG->wwwroot = 'https://www.saison-photo.org';
+ $CFG->dataroot = '${varDir}';
+ $CFG->admin = 'admin';
+
+ $CFG->directorypermissions = 02777;
+
+ require_once(__DIR__ . '/lib/setup.php');
+
+ // There is no php closing tag in this file,
+ // it is intentional because it prevents trailing whitespace problems!
+ '';
+ apacheUser = config.services.httpd.Prod.user;
+ apacheGroup = config.services.httpd.Prod.group;
+in {
+ options.myServices.websites.emilia.moodle.enable = lib.mkEnableOption "enable Emilia's website";
+
+ config = lib.mkIf cfg.enable {
+ services.duplyBackup.profiles.emilia_moodle.rootDir = varDir;
+ system.activationScripts.emilia_moodle = ''
+ install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${varDir}
+ '';
+ services.websites.webappDirs.emilia_moodle = siteDir;
+ services.websites.env.production.vhostConfs.emilia_moodle = {
+ certName = "emilia";
+ certMainHost = "saison-photo.org";
+ hosts = [ "saison-photo.org" "www.saison-photo.org" ];
+ root = webappdir;
+ extraConfig = [
+ ''
+
+ DirectoryIndex pause.html
+ Options Indexes FollowSymLinks MultiViews Includes
+ Require all granted
+
+ ''
+ ];
+ };
+ };
+}
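Review bot: In the new `configFile` string, `'dbsocket' => '${env.postgresql.password}'` hands the database password to Moodle where a socket path is expected, and `'dbport' => '${env.postgreesql.port}'` references a misspelled attribute (`postgreesql`) that would fail evaluation the moment the string is used; both are carried over verbatim from the deleted production.nix rather than fixed, and presumably should read `'dbport' => '${env.postgresql.port}',` and `'dbsocket' => '',` (or whatever socket the environment actually provides). As far as this hunk shows, `configFile` is defined but never referenced (the vhost only serves `pause.html`), so these are latent, but the string also embeds `env.postgresql.password` in Nix, and if it is ever materialized with `pkgs.writeText` it lands in the world-readable store; the other modules in this commit use `secrets.keys` with `permissions = "0400"` for exactly this kind of content. `$CFG->directorypermissions = 02777;` makes Moodle create world-writable data directories under `${varDir}` on a host shared with other site users; `02770` with the Apache group is the tighter choice. `pkgs` and `webappName` are also unused in the new file.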
diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix deleted file mode 100644 index 71b97dd..0000000 --- a/modules/private/websites/emilia/production.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -{ lib, pkgs, config, ... }: -let - cfg = config.myServices.websites.emilia.production; - env = config.myEnv.websites.emilia; - varDir = "/var/lib/moodle"; - siteDir = ./moodle; - webappName = "emilia_moodle"; - root = "/run/current-system/webapps/${webappName}"; - # php_admin_value[upload_max_filesize] = 50000000 - # php_admin_value[post_max_size] = 50000000 - configFile = '' - dbtype = 'pgsql'; - $CFG->dblibrary = 'native'; - $CFG->dbhost = '${env.postgresql.host}'; - $CFG->dbname = '${env.postgresql.database}'; - $CFG->dbuser = '${env.postgresql.user}'; - $CFG->dbpass = '${env.postgresql.password}'; - $CFG->prefix = 'mdl_'; - $CFG->dboptions = array ( - 'dbpersist' => 0, - 'dbport' => '${env.postgreesql.port}', - 'dbsocket' => '${env.postgresql.password}', - ); - - $CFG->wwwroot = 'https://www.saison-photo.org'; - $CFG->dataroot = '${varDir}'; - $CFG->admin = 'admin'; - - $CFG->directorypermissions = 02777; - - require_once(__DIR__ . '/lib/setup.php'); - - // There is no php closing tag in this file, - // it is intentional because it prevents trailing whitespace problems! - ''; -in { - options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website"; - - config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.emilia_prod = { - rootDir = varDir; - }; - system.activationScripts.emilia = '' - install -m 0755 -o wwwrun -g wwwrun -d ${varDir} - ''; - myServices.websites.webappDirs."${webappName}" = siteDir; - services.websites.env.production.vhostConfs.emilia = { - certName = "emilia"; - certMainHost = "saison-photo.org"; - hosts = [ "saison-photo.org" "www.saison-photo.org" ]; - root = root; - extraConfig = [ - '' - - DirectoryIndex pause.html - Options Indexes FollowSymLinks MultiViews Includes - Require all granted - - '' - ]; - }; - }; -} diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index c65c26f..19a88b0 100644 
--- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix @@ -2,15 +2,19 @@ let adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; secrets = config.myEnv.websites.tellesflorian.integration; - app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/florian_app"; + secretsPath = config.secrets.fullPaths."websites/florian/app"; + }; cfg = config.myServices.websites.florian.app; pcfg = config.services.phpApplication; in { options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.tellesflorian_dev.rootDir = app.varDir; - services.phpApplication.apps.florian_dev = { + services.duplyBackup.profiles.florian_app.rootDir = app.varDir; + services.phpApplication.apps.florian_app = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; httpdGroup = config.services.httpd.Inte.group; @@ -33,16 +37,16 @@ in { "pm.process_idle_timeout" = "60"; }; phpEnv = { - SYMFONY_DEBUG_MODE = "yes"; + SYMFONY_DEBUG_MODE = "\"yes\""; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" + config.secrets.fullPaths."websites/florian/app" ]; }; secrets.keys = [ { - dest = "webapps/${app.environment}-tellesflorian-passwords"; + dest = "websites/florian/app_passwords"; user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; @@ -51,7 +55,7 @@ in { ''; } { - dest = "webapps/${app.environment}-tellesflorian"; + dest = "websites/florian/app"; user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; 
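Review bot: The `SYMFONY_DEBUG_MODE = "\"yes\"";` change in `phpEnv` embeds literal double quotes in the value with no explanation; presumably this is because the generated pool file's ini parser folds a bare `yes` into the boolean `1`, but the next reader will take the quotes for a typo and strip them. A one-line comment above it such as `# quoted on purpose: php-fpm's ini parser turns an unquoted yes into "1"` records the intent, and the identical change in the aten integration module deserves the same comment. Note also that this keeps Symfony debug output enabled on a vhost with a public hostname (`app.tellesflorian.com`); the LDAP-group and `AuthUserFile` `Require` lines in the later hunk are what keep that output from being public, so they are part of the security boundary and not just access convenience.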
@@ -73,15 +77,15 @@ in { ]; services.websites.env.integration.modules = adminer.apache.modules; - services.websites.env.integration.vhostConfs.florian_dev = { - certName = "integration"; + services.websites.env.integration.vhostConfs.florian_app = { + certName = "integration"; addToCerts = true; hosts = [ "app.tellesflorian.com" ]; - root = pcfg.webappDirs.florian_dev; + root = pcfg.webappDirs.florian_app; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.florian_dev}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.florian_app}|fcgi://localhost" @@ -89,13 +93,13 @@ in { Use LDAPConnect Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu - AuthUserFile "${config.secrets.fullPaths."webapps/${app.environment}-tellesflorian-passwords"}" + AuthUserFile "${config.secrets.fullPaths."websites/florian/app_passwords"}" Require user "invite" ErrorDocument 401 "" - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Require all granted diff --git a/pkgs/private/webapps/tellesflorian/default.nix b/modules/private/websites/florian/app/default.nix similarity index 84% rename from pkgs/private/webapps/tellesflorian/default.nix rename to modules/private/websites/florian/app/default.nix index b1ccb98..b31e12d 100644 --- a/pkgs/private/webapps/tellesflorian/default.nix +++ b/modules/private/websites/florian/app/default.nix @@ -1,5 +1,6 @@ { environment ? "prod" , varDir ? "/var/lib/tellesflorian_${environment}" +, secretsPath ? "/var/secrets/webapps/${environment}-tellesflorian" , composerEnv, fetchurl, mylibs }: let app = composerEnv.buildPackage ( @@ -13,7 +14,7 @@ let postInstall = '' cd $out rm app/config/parameters.yml - ln -sf /var/secrets/webapps/${environment}-tellesflorian app/config/parameters.yml + ln -sf ${secretsPath} app/config/parameters.yml rm -rf var/{logs,cache} ln -sf ${varDir}/var/{logs,cache,sessions} var/ ''; 
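Review bot: The new `secretsPath ? "/var/secrets/webapps/${environment}-tellesflorian"` default in app/default.nix still points at the old key location, while the only caller in this commit (app.nix) now declares the key at `websites/florian/app` and passes `config.secrets.fullPaths."websites/florian/app"` explicitly; a caller that omits the argument gets a dangling `app/config/parameters.yml` symlink that only fails at the first request, not at evaluation. Making the parameter required (`, secretsPath` with no default) or defaulting it to the new location removes the trap. The `varDir ? "/var/lib/tellesflorian_${environment}"` default has drifted the same way against the `/var/lib/florian_app` that app.nix now passes, presumably for the same reason. The derivation's `postInstall` block continues outside this hunk.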
diff --git a/pkgs/private/webapps/tellesflorian/php-packages.nix b/modules/private/websites/florian/app/php-packages.nix similarity index 100% rename from pkgs/private/webapps/tellesflorian/php-packages.nix rename to modules/private/websites/florian/app/php-packages.nix diff --git a/pkgs/private/webapps/tellesflorian/tellesflorian.json b/modules/private/websites/florian/app/tellesflorian.json similarity index 100% rename from pkgs/private/webapps/tellesflorian/tellesflorian.json rename to modules/private/websites/florian/app/tellesflorian.json diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index 4ee160a..5ebe531 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix @@ -1,9 +1,9 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; - cfg = config.myServices.websites.florian.integration; - varDir = "/var/lib/ftp/florian"; - env = config.myEnv.websites.florian; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; + cfg = config.myServices.websites.florian.integration; + varDir = "/var/lib/ftp/florian/florian.immae.eu"; + env = config.myEnv.websites.florian; in { options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; 
@@ -11,17 +11,17 @@ in { security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; services.websites.env.integration.modules = adminer.apache.modules; - services.websites.env.integration.vhostConfs.florian = { + services.websites.env.integration.vhostConfs.florian_integration = { certName = "integration"; addToCerts = true; hosts = [ "florian.immae.eu" ]; - root = "${varDir}/florian.immae.eu"; + root = varDir; extraConfig = [ (adminer.apache.vhostConf null) '' ServerAdmin ${env.server_admin} - + DirectoryIndex index.php index.htm index.html Options Indexes FollowSymLinks MultiViews Includes AllowOverride None diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 16c6022..1c5ffa6 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix @@ -1,9 +1,9 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; - cfg = config.myServices.websites.florian.production; - varDir = "/var/lib/ftp/florian"; - env = config.myEnv.websites.florian; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; + cfg = config.myServices.websites.florian.production; + varDir = "/var/lib/ftp/florian/tellesflorian.com"; + env = config.myEnv.websites.florian; in { options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; 
@@ -11,17 +11,17 @@ in { security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; services.websites.env.production.modules = adminer.apache.modules; - services.websites.env.production.vhostConfs.florian = { + services.websites.env.production.vhostConfs.florian_production = { certName = "florian"; certMainHost = "tellesflorian.com"; hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; - root = "${varDir}/tellesflorian.com"; + root = varDir; extraConfig = [ (adminer.apache.vhostConf null) '' ServerAdmin ${env.server_admin} - + DirectoryIndex index.php index.htm index.html Options Indexes FollowSymLinks MultiViews Includes AllowOverride None diff --git a/modules/private/websites/immae/production.nix b/modules/private/websites/immae/production.nix index dff1053..dc89ae3 100644 --- a/modules/private/websites/immae/production.nix +++ b/modules/private/websites/immae/production.nix @@ -12,12 +12,13 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "www.immae.eu"; } ]; - services.websites.env.production.vhostConfs.immae = { - certName = "eldiron"; - addToCerts = true; - hosts = [ "www.immae.eu" "immae.eu" ]; - root = varDir; - extraConfig = [ + services.websites.env.production.vhostConfs.immae_production = { + certName = "immae"; + addToCerts = true; + certMainHost = "www.immae.eu"; + hosts = [ "www.immae.eu" "immae.eu" ]; + root = varDir; + extraConfig = [ '' Use Stats www.immae.eu @@ -68,8 +69,8 @@ in { ]; }; - services.websites.env.production.vhostConfs.immaeFr = { - certName = "eldiron"; + services.websites.env.production.vhostConfs.immae_fr = { + certName = "immae"; addToCerts = true; hosts = [ "www.immae.fr" "immae.fr" ]; root = null; @@ -78,8 +79,8 @@ in { '' ]; }; - services.websites.env.production.vhostConfs.bouya = { - certName = "eldiron"; + services.websites.env.production.vhostConfs.immae_bouya = { + certName = "immae"; addToCerts = true; hosts = [ "bouya.org" "www.bouya.org" ]; root = null; 
diff --git a/modules/private/websites/immae/release.nix b/modules/private/websites/immae/release.nix index a503c90..d06af87 100644 --- a/modules/private/websites/immae/release.nix +++ b/modules/private/websites/immae/release.nix @@ -9,8 +9,8 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "release.immae.eu"; } ]; - services.websites.env.production.vhostConfs.release = { - certName = "eldiron"; + services.websites.env.production.vhostConfs.immae_release = { + certName = "immae"; addToCerts = true; hosts = [ "release.immae.eu" ]; root = varDir; diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix index 899bb3a..c24844e 100644 --- a/modules/private/websites/immae/temp.nix +++ b/modules/private/websites/immae/temp.nix @@ -8,8 +8,8 @@ in { config = lib.mkIf cfg.enable { services.websites.env.production.modules = [ "headers" ]; - services.websites.env.production.vhostConfs.temp = { - certName = "eldiron"; + services.websites.env.production.vhostConfs.immae_temp = { + certName = "immae"; addToCerts = true; hosts = [ "temp.immae.eu" ]; root = varDir; diff --git a/pkgs/private/webapps/aten/aten.json b/modules/private/websites/isabelle/aten_app/aten.json similarity index 100% rename from pkgs/private/webapps/aten/aten.json rename to modules/private/websites/isabelle/aten_app/aten.json diff --git a/pkgs/private/webapps/aten/default.nix b/modules/private/websites/isabelle/aten_app/default.nix similarity index 100% rename from pkgs/private/webapps/aten/default.nix rename to modules/private/websites/isabelle/aten_app/default.nix diff --git a/pkgs/private/webapps/aten/php-packages.nix b/modules/private/websites/isabelle/aten_app/php-packages.nix similarity index 100% rename from pkgs/private/webapps/aten/php-packages.nix rename to modules/private/websites/isabelle/aten_app/php-packages.nix 
diff --git a/pkgs/private/webapps/aten/yarn-packages.nix b/modules/private/websites/isabelle/aten_app/yarn-packages.nix similarity index 100% rename from pkgs/private/webapps/aten/yarn-packages.nix rename to modules/private/websites/isabelle/aten_app/yarn-packages.nix diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix index fb6eda9..61c35cc 100644 --- a/modules/private/websites/isabelle/aten_integration.nix +++ b/modules/private/websites/isabelle/aten_integration.nix @@ -1,20 +1,23 @@ { lib, pkgs, config, ... }: let secrets = config.myEnv.websites.isabelle.aten_integration; - app = pkgs.webapps.aten.override { environment = secrets.environment; }; + app = pkgs.callPackage ./aten_app { + environment = secrets.environment; + varDir = "/var/lib/isabelle_aten_integration"; + }; cfg = config.myServices.websites.isabelle.aten_integration; pcfg = config.services.phpApplication; in { options.myServices.websites.isabelle.aten_integration.enable = lib.mkEnableOption "enable Aten's website in integration"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.aten_dev.rootDir = app.varDir; - services.phpApplication.apps.aten_dev = { + services.duplyBackup.profiles.isabelle_aten_integration.rootDir = app.varDir; + services.phpApplication.apps.isabelle_aten_integration = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; httpdGroup = config.services.httpd.Inte.group; httpdWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-aten" + config.secrets.fullPaths."websites/isabelle/aten_integration" ]; inherit (app) webRoot varDir; inherit app; 
@@ -32,12 +35,12 @@ in { "pm.process_idle_timeout" = "60"; }; phpEnv = { - SYMFONY_DEBUG_MODE = "yes"; + SYMFONY_DEBUG_MODE = "\"yes\""; }; }; secrets.keys = [{ - dest = "webapps/${app.environment}-aten"; + dest = "websites/isabelle/aten_integration"; user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; @@ -52,18 +55,18 @@ in { SetEnv DATABASE_URL "${psql_url}" ''; }]; - services.websites.env.integration.vhostConfs.aten_dev = { + services.websites.env.integration.vhostConfs.isabelle_aten_integration = { certName = "integration"; addToCerts = true; hosts = [ "dev.aten.pro" ]; - root = pcfg.webappDirs.aten_dev; + root = pcfg.webappDirs.isabelle_aten_integration; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_dev}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.isabelle_aten_integration}|fcgi://localhost" - Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"} + Include ${config.secrets.fullPaths."websites/isabelle/aten_integration"} Use LDAPConnect @@ -77,7 +80,7 @@ in { ErrorDocument 401 "" - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride All Require all granted diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index cf7e4a2..e34d659 100644 --- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix 
@@ -1,21 +1,24 @@ { lib, pkgs, config, ... }: let secrets = config.myEnv.websites.isabelle.aten_production; - app = pkgs.webapps.aten.override { environment = secrets.environment; }; + app = pkgs.callPackage ./aten_app { + environment = secrets.environment; + varDir = "/var/lib/isabelle_aten_production"; + }; cfg = config.myServices.websites.isabelle.aten_production; pcfg = config.services.phpApplication; in { options.myServices.websites.isabelle.aten_production.enable = lib.mkEnableOption "enable Aten's website in production"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.aten_prod.rootDir = app.varDir; + services.duplyBackup.profiles.isabelle_aten_production.rootDir = app.varDir; services.webstats.sites = [ { name = "aten.pro"; } ]; - services.phpApplication.apps.aten_prod = { + services.phpApplication.apps.isabelle_aten_production = { websiteEnv = "production"; httpdUser = config.services.httpd.Prod.user; httpdGroup = config.services.httpd.Prod.group; httpdWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-aten" + config.secrets.fullPaths."websites/isabelle/aten_production" ]; inherit (app) webRoot varDir; inherit app; @@ -37,7 +40,7 @@ in { }; secrets.keys = [{ - dest = "webapps/${app.environment}-aten"; + dest = "websites/isabelle/aten_production"; user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; permissions = "0400"; 
@@ -52,18 +55,18 @@ in { SetEnv DATABASE_URL "${psql_url}" ''; }]; - services.websites.env.production.vhostConfs.aten_prod = { - certName = "aten"; + services.websites.env.production.vhostConfs.isabelle_aten_production = { + certName = "isabelle"; certMainHost = "aten.pro"; hosts = [ "aten.pro" "www.aten.pro" ]; - root = pcfg.webappDirs.aten_prod; + root = pcfg.webappDirs.isabelle_aten_production; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_prod}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.isabelle_aten_production}|fcgi://localhost" - Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"} + Include ${config.secrets.fullPaths."websites/isabelle/aten_production"} Use Stats aten.pro @@ -73,7 +76,7 @@ in { ErrorDocument 401 "" - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride All Require all granted diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index ffbf259..560e605 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix 
@@ -1,50 +1,121 @@ { lib, pkgs, config, ... }: let - iridologie = pkgs.callPackage ./spip_builder.nix { - inherit (pkgs.webapps) iridologie; - config = config.myEnv.websites.isabelle.iridologie; - apacheUser = config.services.httpd.Prod.user; - apacheGroup = config.services.httpd.Prod.group; + icfg = config.myEnv.websites.isabelle.iridologie; + cfg = config.myServices.websites.isabelle.iridologie; + app = pkgs.callPackage ./iridologie_app { + inherit (icfg) environment; + inherit (pkgs.webapps) spip; + varDir = "/var/lib/isabelle_iridologie"; }; - cfg = config.myServices.websites.isabelle.iridologie; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + webappdir = config.services.websites.webappDirsPaths.isabelle_iridologie; + secretsPath = config.secrets.fullPaths."websites/isabelle/iridologie"; in { options.myServices.websites.isabelle.iridologie.enable = lib.mkEnableOption "enable Iridologie's website"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.iridologie_prod.rootDir = iridologie.app.varDir; - secrets.keys = iridologie.keys; + services.duplyBackup.profiles.isabelle_iridologie.rootDir = app.varDir; + secrets.keys = [ + { + dest = "websites/isabelle/iridologie"; + user = apacheUser; + group = apacheGroup; + permissions = "0400"; + text = '' + SetEnv SPIP_CONFIG_DIR "${./config}" + SetEnv SPIP_VAR_DIR "${app.varDir}" + SetEnv SPIP_SITE "iridologie-${app.environment}" + SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" + SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" + SetEnv SPIP_LDAP_SEARCH_DN "${icfg.ldap.dn}" + SetEnv SPIP_LDAP_SEARCH_PW "${icfg.ldap.password}" + SetEnv SPIP_LDAP_SEARCH "${icfg.ldap.filter}" + SetEnv SPIP_MYSQL_HOST "${icfg.mysql.host}" + SetEnv SPIP_MYSQL_PORT "${icfg.mysql.port}" + SetEnv SPIP_MYSQL_DB "${icfg.mysql.database}" + SetEnv SPIP_MYSQL_USER "${icfg.mysql.user}" + SetEnv SPIP_MYSQL_PASSWORD "${icfg.mysql.password}" + ''; + } + ]; services.webstats.sites = [ { name = 
"iridologie.icommandeur.org"; } ]; - systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; - systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; - services.phpfpm.pools.iridologie = { + systemd.services.phpfpm-isabelle_iridologie.after = lib.mkAfter [ "mysql.service" ]; + systemd.services.phpfpm-isabelle_iridologie.wants = [ "mysql.service" ]; + services.phpfpm.pools.isabelle_iridologie = { user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; - settings = iridologie.phpFpm.pool; + settings = { + "listen.owner" = "${apacheUser}"; + "listen.group" = "${apacheGroup}"; + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "php_admin_value[open_basedir]" = "${app.spipConfig}:${./config}:${app}:${app.varDir}:/tmp"; + "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; }; - system.activationScripts.iridologie = iridologie.activationScript; - myServices.websites.webappDirs."${iridologie.apache.webappName}" = iridologie.app.webRoot; - services.websites.env.production.modules = iridologie.apache.modules; - services.websites.env.production.vhostConfs.iridologie = { - certName = "aten"; + system.activationScripts.isabelle_iridologie = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; + services.websites.webappDirs.isabelle_iridologie = app.webRoot; + services.websites.env.production.modules = [ "proxy_fcgi" ]; + 
services.websites.env.production.vhostConfs.isabelle_iridologie = { + certName = "isabelle"; addToCerts = true; hosts = [ "iridologie.icommandeur.org" "icommandeur.org" "www.icommandeur.org" ]; - root = iridologie.apache.root; + root = webappdir; extraConfig = [ '' RewriteEngine On RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] + + Include ${secretsPath} + + RewriteEngine On + + + SetHandler "proxy:unix:${config.services.phpfpm.pools.isabelle_iridologie.socket}|fcgi://localhost" + + + + DirectoryIndex index.php index.htm index.html + Options -Indexes +FollowSymLinks +MultiViews +Includes + Include ${webappdir}/htaccess.txt + + AllowOverride AuthConfig FileInfo Limit + Require all granted + + + + Require all denied + + + + Require all denied + + + Use Stats iridologie.icommandeur.org '' - (iridologie.apache.vhostConf config.services.phpfpm.pools.iridologie.socket) ]; }; services.websites.env.production.watchPaths = [ - "/var/secrets/webapps/${iridologie.app.environment}-iridologie" + secretsPath ]; }; } diff --git a/pkgs/private/webapps/iridologie/default.nix b/modules/private/websites/isabelle/iridologie_app/default.nix similarity index 89% rename from pkgs/private/webapps/iridologie/default.nix rename to modules/private/websites/isabelle/iridologie_app/default.nix index 8e05736..604d250 100644 --- a/pkgs/private/webapps/iridologie/default.nix +++ b/modules/private/websites/isabelle/iridologie_app/default.nix @@ -11,5 +11,5 @@ in spip.override { ldap = true; siteName = "iridologie"; - inherit environment siteDir; + inherit environment siteDir varDir; } diff --git a/pkgs/private/webapps/iridologie/iridologie.json b/modules/private/websites/isabelle/iridologie_app/iridologie.json similarity index 100% rename from pkgs/private/webapps/iridologie/iridologie.json rename to modules/private/websites/isabelle/iridologie_app/iridologie.json 
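Review bot: The module now hard-codes the production pool sizing and the public `Use Stats` vhost, whereas the deleted `spip_builder.nix` selected `pm = ondemand` and an LDAP-gated vhost (`Use LDAPConnect` / `Require ldap-group …`) when `app.environment == "dev"`; `SetEnv SPIP_SITE "iridologie-${app.environment}"` still varies with `icfg.environment`, so if that value can still be `dev` the development site would now be served without the LDAP gate. Make the assumption explicit, for example an `assert` on `icfg.environment` after the `let`, so an unexpected value fails at evaluation rather than going live ungated. Two style points in the same hunk: `"listen.owner" = "${apacheUser}";` and `"listen.group" = "${apacheGroup}";` interpolate for no reason where the naturaloutil, leila and richie hunks write `"listen.owner" = apacheUser;`, and the merged `extraConfig` now contains `RewriteEngine On` twice, once from the original module and once from the former builder template.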
diff --git a/modules/private/websites/isabelle/spip_builder.nix b/modules/private/websites/isabelle/spip_builder.nix
deleted file mode 100644
index e1130d1..0000000
--- a/modules/private/websites/isabelle/spip_builder.nix
+++ /dev/null
@@ -1,96 +0,0 @@ -{ apacheUser, apacheGroup, iridologie, config }: -rec { - app = iridologie.override { inherit (config) environment; }; - phpFpm = rec { - serviceDeps = [ "mysql.service" ]; - pool = { - "listen.owner" = "${apacheUser}"; - "listen.group" = "${apacheGroup}"; - "php_admin_value[upload_max_filesize]" = "20M"; - "php_admin_value[post_max_size]" = "20M"; - #"php_admin_flag[log_errors]" = "on"; - "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; - "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; - } // (if app.environment == "dev" then { - "pm" = "ondemand"; - "pm.max_children" = "5"; - "pm.process_idle_timeout" = "60"; - } else { - "pm" = "dynamic"; - "pm.max_children" = "20"; - "pm.start_servers" = "2"; - "pm.min_spare_servers" = "1"; - "pm.max_spare_servers" = "3"; - }); - }; - keys = [{ - dest = "webapps/${app.environment}-iridologie"; - user = apacheUser; - group = apacheGroup; - permissions = "0400"; - text = '' - SetEnv SPIP_CONFIG_DIR "${configDir}" - SetEnv SPIP_VAR_DIR "${app.varDir}" - SetEnv SPIP_SITE "iridologie-${app.environment}" - SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" - SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" - SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}" - SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}" - SetEnv SPIP_LDAP_SEARCH "${config.ldap.filter}" - SetEnv SPIP_MYSQL_HOST "${config.mysql.host}" - SetEnv SPIP_MYSQL_PORT "${config.mysql.port}" - SetEnv SPIP_MYSQL_DB "${config.mysql.database}" - SetEnv SPIP_MYSQL_USER "${config.mysql.user}" - SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}" - ''; - }]; - apache = rec { - modules = [ "proxy_fcgi" ]; - webappName = "iridologie_${app.environment}"; - root = "/run/current-system/webapps/${webappName}"; - vhostConf = socket: '' - Include /var/secrets/webapps/${app.environment}-iridologie - - RewriteEngine On - - - SetHandler "proxy:unix:${socket}|fcgi://localhost" - - - - DirectoryIndex index.php index.htm 
index.html - Options -Indexes +FollowSymLinks +MultiViews +Includes - Include ${root}/htaccess.txt - - AllowOverride AuthConfig FileInfo Limit - Require all granted - - - - Require all denied - - - - Require all denied - - - ${if app.environment == "dev" then '' - - Use LDAPConnect - Require ldap-group cn=isabelle.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu - ErrorDocument 401 "" - - '' else '' - Use Stats iridologie.icommandeur.org - ''} - ''; - }; - activationScript = { - deps = [ "wrappers" ]; - text = '' - install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local - install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions - ''; - }; - configDir = ./config; -} diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/jerome/naturaloutil.nix similarity index 67% rename from modules/private/websites/naturaloutil/production.nix rename to modules/private/websites/jerome/naturaloutil.nix index 1e79141..8bbb49e 100644 --- a/modules/private/websites/naturaloutil/production.nix +++ b/modules/private/websites/jerome/naturaloutil.nix @@ -1,11 +1,14 @@ { lib, pkgs, config, ... }: let adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; - cfg = config.myServices.websites.naturaloutil.production; + cfg = config.myServices.websites.jerome.naturaloutil; varDir = "/var/lib/ftp/jerome"; env = config.myEnv.websites.jerome; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + secretsPath = config.secrets.fullPaths."websites/jerome/naturaloutil"; in { - options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website"; + options.myServices.websites.jerome.naturaloutil.enable = lib.mkEnableOption "enable Jerome Naturaloutil's website"; config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; 
@@ -13,9 +16,9 @@ in { security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; secrets.keys = [{ - dest = "webapps/prod-naturaloutil"; - user = "wwwrun"; - group = "wwwrun"; + dest = "websites/jerome/naturaloutil"; + user = apacheUser; + group = apacheGroup; permissions = "0400"; text = '' ''; }]; - system.activationScripts.naturaloutil = { + system.activationScripts.jerome_naturaloutil = { deps = [ "httpd" ]; text = '' - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/naturaloutil + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/jerome_naturaloutil ''; }; - systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; - systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; - services.phpfpm.pools.jerome = { - user = "wwwrun"; - group = "wwwrun"; + systemd.services.phpfpm-jerome_naturaloutil.after = lib.mkAfter [ "mysql.service" ]; + systemd.services.phpfpm-jerome_naturaloutil.wants = [ "mysql.service" ]; + services.phpfpm.pools.jerome_naturaloutil = { + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; "pm.process_idle_timeout" = "60"; - "php_admin_value[open_basedir]" = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"; - "php_admin_value[session.save_path]" = "/var/lib/php/sessions/naturaloutil"; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/jerome_naturaloutil:${secretsPath}:${varDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/jerome_naturaloutil"; }; phpEnv = { - BDD_CONNECT = "/var/secrets/webapps/prod-naturaloutil"; + BDD_CONNECT = secretsPath; }; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; }; services.websites.env.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" 
]; - services.websites.env.production.vhostConfs.naturaloutil = { - certName = "naturaloutil"; + services.websites.env.production.vhostConfs.jerome_naturaloutil = { + certName = "jerome"; certMainHost = "naturaloutil.immae.eu"; hosts = ["naturaloutil.immae.eu" ]; root = varDir; @@ -77,7 +80,7 @@ in { CustomLog "${varDir}/logs/access_log" combined - SetHandler "proxy:unix:${config.services.phpfpm.pools.jerome.socket}|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.jerome_naturaloutil.socket}|fcgi://localhost" diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix index 3b289cf..b48da6f 100644 --- a/modules/private/websites/leila/production.nix +++ b/modules/private/websites/leila/production.nix @@ -2,16 +2,18 @@ let cfg = config.myServices.websites.leila.production; varDir = "/var/lib/ftp/leila"; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; in { options.myServices.websites.leila.production.enable = lib.mkEnableOption "enable Leila's websites in production"; config = lib.mkIf cfg.enable { services.phpfpm.pools.leila = { - user = "wwwrun"; - group = "wwwrun"; + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; diff --git a/pkgs/private/webapps/ludivinecassal/default.nix b/modules/private/websites/ludivine/app/default.nix similarity index 90% rename from pkgs/private/webapps/ludivinecassal/default.nix rename to modules/private/websites/ludivine/app/default.nix index 3401435..05be0b1 100644 --- a/pkgs/private/webapps/ludivinecassal/default.nix +++ b/modules/private/websites/ludivine/app/default.nix 
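Review bot: `install -m 0755 … -d /var/lib/php/sessions/jerome_naturaloutil` creates the PHP session directory world-readable and listable, and the richie hunk does the same for `/var/lib/php/sessions/richie_production`, while the iridologie hunk in this commit uses `install -m 0750 … -d ${app.varDir}/phpSessions` for the equivalent directory. Session file names embed the session id, so a listable directory lets any local account enumerate live ids even when the files themselves are private; `install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/jerome_naturaloutil` brings the three into line. The `config = lib.mkIf cfg.enable {` block this belongs to opens in the previous hunk.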
@@ -1,5 +1,6 @@ { environment ? "prod" , varDir ? "/var/lib/ludivinecassal_${environment}" +, secretsPath ? "/var/secrets/webapps/${environment}-ludivinecassal" , composerEnv, fetchurl, fetchgit, imagemagick, sass, ruby, mylibs }: let app = composerEnv.buildPackage ( @@ -24,7 +25,7 @@ let postInstall = '' rm -rf var/{logs,cache,data,miniatures,tmp} ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/ - ln -sf /var/secrets/webapps/${environment}-ludivinecassal app/config/parameters.yml + ln -sf ${secretsPath} app/config/parameters.yml ''; buildInputs = [ sass ]; passthru = { diff --git a/pkgs/private/webapps/ludivinecassal/ludivinecassal.json b/modules/private/websites/ludivine/app/ludivinecassal.json similarity index 100% rename from pkgs/private/webapps/ludivinecassal/ludivinecassal.json rename to modules/private/websites/ludivine/app/ludivinecassal.json diff --git a/pkgs/private/webapps/ludivinecassal/php-packages.nix b/modules/private/websites/ludivine/app/php-packages.nix similarity index 100% rename from pkgs/private/webapps/ludivinecassal/php-packages.nix rename to modules/private/websites/ludivine/app/php-packages.nix diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivine/integration.nix similarity index 77% rename from modules/private/websites/ludivinecassal/integration.nix rename to modules/private/websites/ludivine/integration.nix index d304fdf..4e37c0c 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivine/integration.nix 
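Review bot: The new `secretsPath` default, `/var/secrets/webapps/${environment}-ludivinecassal`, points at the location this same commit stops generating (the modules now declare `dest = "websites/ludivine/…"`), so a caller that omits the argument gets `app/config/parameters.yml` symlinked to a file that no longer exists and only finds out at runtime. Both module callers pass `secretsPath` explicitly, so the default can go: `, secretsPath` without `?` turns a missing value into an evaluation error. The piedsjaloux app hunk (`secretsPath ? "/var/secrets/webapps/${environment}-piedsjaloux"`) has the same stale default. That hunk also adds `secretsPath` to `passthru` so its modules can write `phpWatchFiles = [ app.secretsPath ]`; if the ludivine `passthru` in the second hunk does not already expose it, doing the same would let `integration.nix` and `production.nix` drop the repeated literal attribute path.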
@@ -1,15 +1,19 @@ { lib, pkgs, config, ... }: let - secrets = config.myEnv.websites.ludivinecassal.integration; - app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; }; - cfg = config.myServices.websites.ludivinecassal.integration; + secrets = config.myEnv.websites.ludivine.integration; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/ludivine_integration"; + secretsPath = config.secrets.fullPaths."websites/ludivine/integration"; + }; + cfg = config.myServices.websites.ludivine.integration; pcfg = config.services.phpApplication; in { - options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration"; + options.myServices.websites.ludivine.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.ludivinecassal_dev.rootDir = app.varDir; - services.phpApplication.apps.ludivinecassal_dev = { + services.duplyBackup.profiles.ludivine_integration.rootDir = app.varDir; + services.phpApplication.apps.ludivine_integration = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; httpdGroup = config.services.httpd.Inte.group; @@ -32,16 +36,21 @@ in { "pm.process_idle_timeout" = "60"; }; phpEnv = { - SYMFONY_DEBUG_MODE = "yes"; + PATH = lib.makeBinPath [ + # below ones don't need to be in the PATH but they’re used in + # secrets + pkgs.imagemagick pkgs.sass pkgs.ruby + ]; + SYMFONY_DEBUG_MODE = "\"yes\""; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" + config.secrets.fullPaths."websites/ludivine/integration" ]; }; secrets.keys = [ { - dest = "webapps/${app.environment}-ludivinecassal"; + dest = "websites/ludivine/integration"; user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; 
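Review bot: The new `PATH` entry carries the comment "below ones don't need to be in the PATH but they’re used in secrets", which says what but not why; presumably the secret file is rendered outside the Nix store, so store paths referenced from it (such as the `${pkgs.imagemagick}/bin` in the piedsjaloux secret) would otherwise not be part of the system closure, and listing them here keeps them alive. Spelling that out, `# not needed on PATH; referenced so the store paths used inside the secret file stay in the closure`, saves the next reader the guess, and the same comment recurs in the ludivine production and both piedsjaloux module hunks. The change of `SYMFONY_DEBUG_MODE` from `"yes"` to `"\"yes\""` is likewise unexplained; if the reason is that php-fpm's ini parser turns a bare `yes` into `1`, a one-line comment on that assignment keeps someone from reverting it as a typo. `config = lib.mkIf cfg.enable {` opens in the previous hunk and closes after this one.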
@@ -78,15 +87,15 @@ in { } ]; - services.websites.env.integration.vhostConfs.ludivinecassal_dev = { - certName = "integration"; + services.websites.env.integration.vhostConfs.ludivine_integration = { + certName = "integration"; addToCerts = true; hosts = [ "ludivine.immae.eu" ]; - root = pcfg.webappDirs.ludivinecassal_dev; + root = pcfg.webappDirs.ludivine_integration; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivinecassal_dev}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivine_integration}|fcgi://localhost" @@ -95,7 +104,7 @@ in { ErrorDocument 401 "" - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Require all granted diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivine/production.nix similarity index 71% rename from modules/private/websites/ludivinecassal/production.nix rename to modules/private/websites/ludivine/production.nix index 5761be7..47450c5 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivine/production.nix 
@@ -1,16 +1,20 @@ { lib, pkgs, config, ... }: let - secrets = config.myEnv.websites.ludivinecassal.production; - app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; }; + secrets = config.myEnv.websites.ludivine.production; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/ludivine_production"; + secretsPath = config.secrets.fullPaths."websites/ludivine/production"; + }; pcfg = config.services.phpApplication; - cfg = config.myServices.websites.ludivinecassal.production; + cfg = config.myServices.websites.ludivine.production; in { - options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production"; + options.myServices.websites.ludivine.production.enable = lib.mkEnableOption "enable Ludivine's website in production"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.ludivinecassal_prod.rootDir = app.varDir; + services.duplyBackup.profiles.ludivine_production.rootDir = app.varDir; services.webstats.sites = [ { name = "ludivinecassal.com"; } ]; - services.phpApplication.apps.ludivinecassal_prod = { + services.phpApplication.apps.ludivine_production = { websiteEnv = "production"; httpdUser = config.services.httpd.Prod.user; httpdGroup = config.services.httpd.Prod.group; @@ -35,13 +39,20 @@ in { "pm.max_spare_servers" = "3"; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" + config.secrets.fullPaths."websites/ludivine/production" ]; + phpEnv = { + PATH = lib.makeBinPath [ + # below ones don't need to be in the PATH but they’re used in + # secrets + pkgs.imagemagick pkgs.sass pkgs.ruby + ]; + }; }; secrets.keys = [ { - dest = "webapps/${app.environment}-ludivinecassal"; + dest = "websites/ludivine/production"; user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; permissions = "0400"; 
@@ -78,11 +89,11 @@ in { } ]; - services.websites.env.production.vhostConfs.ludivinecassal_prod = { - certName = "ludivinecassal"; + services.websites.env.production.vhostConfs.ludivine_production = { + certName = "ludivine"; certMainHost = "ludivinecassal.com"; hosts = ["ludivinecassal.com" "www.ludivinecassal.com" ]; - root = pcfg.webappDirs.ludivinecassal_prod; + root = pcfg.webappDirs.ludivine_production; extraConfig = [ '' RewriteEngine on @@ -90,12 +101,12 @@ in { RewriteRule ^(.+)$ https://ludivinecassal.com$1 [R=302,L] - SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivinecassal_prod}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivine_production}|fcgi://localhost" Use Stats ludivinecassal.com - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride All Require all granted diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index f9468f9..1179351 100644 --- a/modules/private/websites/nassime/production.nix +++ b/modules/private/websites/nassime/production.nix 
@@ -3,26 +3,27 @@ let cfg = config.myServices.websites.nassime.production; varDir = "/var/lib/ftp/nassime"; env = config.myEnv.websites.nassime; + domain = "nassime.bouya.org"; in { options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website"; config = lib.mkIf cfg.enable { - services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; + services.webstats.sites = [ { name = domain; } ]; - security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; + security.acme.certs."ftp".extraDomains."${domain}" = null; services.websites.env.production.vhostConfs.nassime = { certName = "nassime"; - certMainHost = "nassime.bouya.org"; - hosts = ["nassime.bouya.org" ]; + certMainHost = domain; + hosts = [ domain ]; root = varDir; extraConfig = [ '' - Use Stats nassime.bouya.org + Use Stats ${domain} ServerAdmin ${env.server_admin} - DirectoryIndex index.php index.htm index.html + DirectoryIndex index.htm index.html Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Require all granted diff --git a/modules/private/websites/papa/maison_bbc.nix b/modules/private/websites/papa/maison_bbc.nix index 9576a9e..d94a027 100644 --- a/modules/private/websites/papa/maison_bbc.nix +++ b/modules/private/websites/papa/maison_bbc.nix @@ -2,6 +2,8 @@ let cfg = config.myServices.websites.papa.maison_bbc; varDir = "/var/lib/ftp/papa/site"; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; in { options.myServices.websites.papa.maison_bbc.enable = lib.mkEnableOption "enable Papa Maison bbc website"; 
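Review bot: `security.acme.certs."ftp".extraDomains."${domain}" = null;` quotes an attribute name that is a plain interpolation; Nix accepts `extraDomains.${domain}` directly, which matches how the rest of the hunk reads the new `domain` binding. Dropping `index.php` from `DirectoryIndex` is a sensible narrowing for a vhost that shows no PHP handler in the visible lines, but nothing records the intent; a trailing `# static site, no PHP handler` on that line would tell whoever next adds one. The vhost attribute set closes outside the hunk.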
@@ -9,11 +11,11 @@ in { services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; services.phpfpm.pools.papa_maison_bbc = { - user = "wwwrun"; - group = "wwwrun"; + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix index 1bb6ac8..a8e5149 100644 --- a/modules/private/websites/papa/surveillance.nix +++ b/modules/private/websites/papa/surveillance.nix @@ -2,6 +2,7 @@ let cfg = config.myServices.websites.papa.surveillance; varDir = "/var/lib/ftp/papa"; + apacheUser = config.services.httpd.Prod.user; in { options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; @@ -22,12 +23,12 @@ in { in [ '' - 0 6 * * * wwwrun ${script} + 0 6 * * * ${apacheUser} ${script} '' ]; }; - services.websites.env.production.vhostConfs.papa = { + services.websites.env.production.vhostConfs.papa_surveillance = { certName = "papa"; certMainHost = "surveillance.maison.bbc.bouya.org"; hosts = [ "surveillance.maison.bbc.bouya.org" ]; diff --git a/pkgs/private/webapps/piedsjaloux/default.nix b/modules/private/websites/piedsjaloux/app/default.nix similarity index 82% rename from pkgs/private/webapps/piedsjaloux/default.nix rename to modules/private/websites/piedsjaloux/app/default.nix index f5370db..726d93c 100644 --- a/pkgs/private/webapps/piedsjaloux/default.nix +++ b/modules/private/websites/piedsjaloux/app/default.nix @@ -1,5 +1,6 @@ { environment ? "prod" , varDir ? "/var/lib/piedsjaloux_${environment}" +, secretsPath ? "/var/secrets/webapps/${environment}-piedsjaloux" , composerEnv, fetchurl, fetchgit, mylibs }: let app = composerEnv.buildPackage ( 
@@ -15,12 +16,12 @@ let postInstall = '' cd $out rm app/config/parameters.yml - ln -sf /var/secrets/webapps/${environment}-piedsjaloux app/config/parameters.yml + ln -sf ${secretsPath} app/config/parameters.yml rm -rf var/{logs,cache,data,miniatures,tmp} ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/ ''; passthru = { - inherit varDir environment; + inherit varDir environment secretsPath; webRoot = "${app}/web"; }; }); diff --git a/pkgs/private/webapps/piedsjaloux/php-packages.nix b/modules/private/websites/piedsjaloux/app/php-packages.nix similarity index 100% rename from pkgs/private/webapps/piedsjaloux/php-packages.nix rename to modules/private/websites/piedsjaloux/app/php-packages.nix diff --git a/pkgs/private/webapps/piedsjaloux/piedsjaloux.json b/modules/private/websites/piedsjaloux/app/piedsjaloux.json similarity index 100% rename from pkgs/private/webapps/piedsjaloux/piedsjaloux.json rename to modules/private/websites/piedsjaloux/app/piedsjaloux.json diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 76523ed..d8790cc 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix 
@@ -1,15 +1,20 @@ { lib, pkgs, config, ... }: let secrets = config.myEnv.websites.piedsjaloux.integration; - app = pkgs.webapps.piedsjaloux.override { environment = secrets.environment; }; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/piedsjaloux_integration"; + secretsPath = config.secrets.fullPaths."websites/piedsjaloux/integration"; + }; cfg = config.myServices.websites.piedsjaloux.integration; pcfg = config.services.phpApplication; + texlive = pkgs.texlive.combine { inherit (pkgs.texlive) attachfile preprint scheme-small; }; in { options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.piedsjaloux_dev.rootDir = app.varDir; - services.phpApplication.apps.piedsjaloux_dev = { + services.duplyBackup.profiles.piedsjaloux_integration.rootDir = app.varDir; + services.phpApplication.apps.piedsjaloux_integration = { websiteEnv = "integration"; httpdUser = config.services.httpd.Inte.user; httpdGroup = config.services.httpd.Inte.group; @@ -32,17 +37,22 @@ in { "pm.process_idle_timeout" = "60"; }; phpEnv = { - PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; - SYMFONY_DEBUG_MODE = "yes"; + PATH = lib.makeBinPath [ + pkgs.apg pkgs.unzip + # below ones don't need to be in the PATH but they’re used in + # secrets + pkgs.imagemagick texlive + ]; + SYMFONY_DEBUG_MODE = "\"yes\""; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" + app.secretsPath ]; }; secrets.keys = [ { - dest = "webapps/${app.environment}-piedsjaloux"; + dest = "websites/piedsjaloux/integration"; user = config.services.httpd.Inte.user; group = config.services.httpd.Inte.group; permissions = "0400"; 
@@ -60,22 +70,22 @@ in { mailer_user: null mailer_password: null secret: ${secrets.secret} - pdflatex: "${pkgs.texlive.combine { inherit (pkgs.texlive) attachfile preprint scheme-small; }}/bin/pdflatex" + pdflatex: "${texlive}/bin/pdflatex" leapt_im: binary_path: ${pkgs.imagemagick}/bin ''; } ]; - services.websites.env.integration.vhostConfs.piedsjaloux_dev = { + services.websites.env.integration.vhostConfs.piedsjaloux_integration = { certName = "integration"; addToCerts = true; hosts = [ "piedsjaloux.immae.eu" ]; - root = pcfg.webappDirs.piedsjaloux_dev; + root = pcfg.webappDirs.piedsjaloux_integration; extraConfig = [ '' - SetHandler "proxy:unix:${pcfg.phpListenPaths.piedsjaloux_dev}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.piedsjaloux_integration}|fcgi://localhost" @@ -84,7 +94,7 @@ in { ErrorDocument 401 "" - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride None Require all granted diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index d3e5c2b..4b2c056 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix 
@@ -1,16 +1,21 @@ { lib, pkgs, config, ... }: let secrets = config.myEnv.websites.piedsjaloux.production; - app = pkgs.webapps.piedsjaloux.override { environment = secrets.environment; }; + app = pkgs.callPackage ./app { + environment = secrets.environment; + varDir = "/var/lib/piedsjaloux_production"; + secretsPath = config.secrets.fullPaths."websites/piedsjaloux/production"; + }; cfg = config.myServices.websites.piedsjaloux.production; pcfg = config.services.phpApplication; + texlive = pkgs.texlive.combine { inherit (pkgs.texlive) attachfile preprint scheme-small; }; in { options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production"; config = lib.mkIf cfg.enable { - services.duplyBackup.profiles.piedsjaloux_prod.rootDir = app.varDir; + services.duplyBackup.profiles.piedsjaloux_production.rootDir = app.varDir; services.webstats.sites = [ { name = "piedsjaloux.fr"; } ]; - services.phpApplication.apps.piedsjaloux_prod = { + services.phpApplication.apps.piedsjaloux_production = { websiteEnv = "production"; httpdUser = config.services.httpd.Prod.user; httpdGroup = config.services.httpd.Prod.group; @@ -35,16 +40,21 @@ in { "pm.max_spare_servers" = "3"; }; phpEnv = { - PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; + PATH = lib.makeBinPath [ + pkgs.apg pkgs.unzip + # below ones don't need to be in the PATH but they’re used in + # secrets + pkgs.imagemagick texlive + ]; }; phpWatchFiles = [ - config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" + app.secretsPath ]; }; secrets.keys = [ { - dest = "webapps/${app.environment}-piedsjaloux"; + dest = "websites/piedsjaloux/production"; user = config.services.httpd.Prod.user; group = config.services.httpd.Prod.group; permissions = "0400"; 
@@ -62,18 +72,18 @@ in { mailer_user: null mailer_password: null secret: ${secrets.secret} - pdflatex: "${pkgs.texlive.combine { inherit (pkgs.texlive) attachfile preprint scheme-small; }}/bin/pdflatex" + pdflatex: "${texlive}/bin/pdflatex" leapt_im: binary_path: ${pkgs.imagemagick}/bin ''; } ]; - services.websites.env.production.vhostConfs.piedsjaloux_prod = { + services.websites.env.production.vhostConfs.piedsjaloux_production = { certName = "piedsjaloux"; certMainHost = "piedsjaloux.fr"; hosts = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ]; - root = pcfg.webappDirs.piedsjaloux_prod; + root = pcfg.webappDirs.piedsjaloux_production; extraConfig = [ '' RewriteEngine on @@ -81,12 +91,12 @@ in { RewriteRule ^(.+)$ https://www.piedsjaloux.fr$1 [R=302,L] - SetHandler "proxy:unix:${pcfg.phpListenPaths.piedsjaloux_prod}|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.phpListenPaths.piedsjaloux_production}|fcgi://localhost" Use Stats piedsjaloux.fr - + Options Indexes FollowSymLinks MultiViews Includes AllowOverride All Require all granted diff --git a/modules/private/websites/emilia/richie.nix b/modules/private/websites/richie/production.nix similarity index 73% rename from modules/private/websites/emilia/richie.nix rename to modules/private/websites/richie/production.nix index 98ab1cd..d6d19c8 100644 --- a/modules/private/websites/emilia/richie.nix +++ b/modules/private/websites/richie/production.nix @@ -1,6 +1,6 @@ { lib, config, pkgs, ... }: let - cfg = config.myServices.websites.emilia.richie_production; + cfg = config.myServices.websites.richie.production; vardir = "/var/lib/richie_production"; richieSrc = pkgs.stdenv.mkDerivation (pkgs.mylibs.fetchedGitPrivate ./richie.json // { phases = "installPhase"; 
@@ -13,17 +13,21 @@ let sed -i "s@localedef --list-archive@localedef --list-archive /run/current-system/sw/lib/locale/locale-archive@" $out/admin/parametres.php ''; }); + webappdir = config.services.websites.webappDirsPaths.richie_production; + secretPath = config.secrets.fullPaths."websites/richie/production"; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; in { - options.myServices.websites.emilia.richie_production.enable = lib.mkEnableOption "enable Richie's website"; + options.myServices.websites.richie.production.enable = lib.mkEnableOption "enable Richie's website"; config = lib.mkIf cfg.enable { services.duplyBackup.profiles.richie_production.rootDir = vardir; services.webstats.sites = [ { name = "europe-richie.org"; } ]; secrets.keys = [{ - dest = "webapps/prod-richie"; - user = "wwwrun"; - group = "wwwrun"; + dest = "websites/richie/production"; + user = apacheUser; + group = apacheGroup; permissions = "0400"; text = with config.myEnv.websites.richie; '' ''; }]; - myServices.websites.webappDirs.richie_production = richieSrc; + services.websites.webappDirs.richie_production = richieSrc; system.activationScripts.richie_production = { deps = [ "httpd" ]; text = '' - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/richie_production - install -m 0755 -o wwwrun -g wwwrun -d ${vardir} + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/richie_production + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${vardir} ''; }; services.phpfpm.pools.richie_production = { - user = "wwwrun"; - group = "wwwrun"; + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; "pm.process_idle_timeout" = "60"; - "php_admin_value[open_basedir]" = 
"${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp"; + "php_admin_value[open_basedir]" = "${vardir}:/var/lib/php/sessions/richie_production:${secretPath}:${richieSrc}:/tmp"; "php_admin_value[session.save_path]" = "/var/lib/php/sessions/richie_production"; }; phpEnv = { PATH = "/run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]}"; - BDD_CONNECT = "/var/secrets/webapps/prod-richie"; + BDD_CONNECT = secretPath; }; phpOptions = config.services.phpfpm.phpOptions + '' date.timezone = 'Europe/Paris' @@ -77,7 +81,7 @@ in addToCerts = true; certMainHost = "europe-richie.org"; hosts = [ "europe-richie.org" "www.europe-richie.org" ]; - root = "/run/current-system/webapps/richie_production"; + root = webappdir; extraConfig = [ '' Use Stats europe-richie.org @@ -85,7 +89,7 @@ in Require all denied - + DirectoryIndex index.php index.htm index.html Options Indexes FollowSymLinks MultiViews Includes AllowOverride None diff --git a/modules/private/websites/emilia/richie.json b/modules/private/websites/richie/richie.json similarity index 100% rename from modules/private/websites/emilia/richie.json rename to modules/private/websites/richie/richie.json diff --git a/modules/private/websites/syden/peertube.nix b/modules/private/websites/syden/peertube.nix index 2ad7217..e659875 100644 --- a/modules/private/websites/syden/peertube.nix +++ b/modules/private/websites/syden/peertube.nix @@ -23,7 +23,7 @@ in users.groups.peertube.gid = config.ids.gids.peertube; secrets.keys = [{ - dest = "webapps/syden-peertube"; + dest = "websites/syden/peertube"; user = "peertube"; group = "peertube"; permissions = "0640"; @@ -69,7 +69,7 @@ in services.filesWatcher.syden_peertube = { restart = true; - paths = [ "/var/secrets/webapps/syden-peertube" ]; + paths = [ config.secrets.fullPaths."websites/syden/peertube" ]; }; systemd.services.syden_peertube = { 
@@ -86,7 +86,7 @@ in script = '' install -m 0750 -d ${dataDir}/config - ln -sf /var/secrets/webapps/syden-peertube ${dataDir}/config/production.yaml + ln -sf ${config.secrets.fullPaths."websites/syden/peertube"} ${dataDir}/config/production.yaml ln -sf ${package}/config/default.yaml ${dataDir}/config/default.yaml exec npm run start ''; @@ -109,11 +109,12 @@ in }; services.websites.env.production.vhostConfs.syden_peertube = { - certName = "eldiron"; - addToCerts = true; - hosts = [ "syden.immae.eu" ]; - root = null; - extraConfig = [ '' + certName = "syden"; + addToCerts = true; + certMainHost = "syden.immae.eu"; + hosts = [ "syden.immae.eu" ]; + root = null; + extraConfig = [ '' RewriteEngine On RewriteCond %{REQUEST_URI} ^/socket.io [NC] diff --git a/modules/private/websites/teliotortay/production.nix b/modules/private/websites/telio_tortay/production.nix similarity index 64% rename from modules/private/websites/teliotortay/production.nix rename to modules/private/websites/telio_tortay/production.nix index 62762ec..130f4db 100644 --- a/modules/private/websites/teliotortay/production.nix +++ b/modules/private/websites/telio_tortay/production.nix 
@@ -1,39 +1,41 @@ { lib, pkgs, config, ... }: let adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; - cfg = config.myServices.websites.telioTortay.production; + cfg = config.myServices.websites.telio_tortay.production; varDir = "/var/lib/ftp/telio_tortay"; - env = config.myEnv.websites.telioTortay; + env = config.myEnv.websites.telio_tortay; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; in { - options.myServices.websites.telioTortay.production.enable = lib.mkEnableOption "enable Telio Tortay's website"; + options.myServices.websites.telio_tortay.production.enable = lib.mkEnableOption "enable Telio Tortay's website"; config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; - system.activationScripts.telio-tortay = { + system.activationScripts.telio_tortay = { deps = [ "httpd" ]; text = '' - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/ftp/telio_tortay/logs - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/telio-tortay + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/ftp/telio_tortay/logs + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d /var/lib/php/sessions/telio_tortay ''; }; - systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; - systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; - services.phpfpm.pools.telio-tortay = { - user = "wwwrun"; - group = "wwwrun"; + systemd.services.phpfpm-telio_tortay.after = lib.mkAfter [ "mysql.service" ]; + systemd.services.phpfpm-telio_tortay.wants = [ "mysql.service" ]; + services.phpfpm.pools.telio_tortay = { + user = apacheUser; + group = apacheGroup; settings = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; "pm" = "ondemand"; "pm.max_children" = "5"; "pm.process_idle_timeout" = "60"; - 
"php_admin_value[open_basedir]" = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp"; - "php_admin_value[session.save_path]" = "/var/lib/php/sessions/telio-tortay"; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/telio_tortay:${varDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/telio_tortay"; }; phpOptions = config.services.phpfpm.phpOptions + '' disable_functions = "mail" @@ -41,8 +43,8 @@ in { ''; }; services.websites.env.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ]; - services.websites.env.production.vhostConfs.telio-tortay = { - certName = "telio-tortay"; + services.websites.env.production.vhostConfs.telio_tortay = { + certName = "telio_tortay"; certMainHost = "telio-tortay.immae.eu"; hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; root = varDir; @@ -55,7 +57,7 @@ in { CustomLog "${varDir}/logs/access_log" combined - SetHandler "proxy:unix:${config.services.phpfpm.pools.telio-tortay.socket}|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.telio_tortay.socket}|fcgi://localhost" diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix index 30a562c..14e4069 100644 --- a/modules/private/websites/tools/dav/default.nix +++ b/modules/private/websites/tools/dav/default.nix @@ -50,9 +50,9 @@ in { }; }; - myServices.websites.webappDirs._dav = ./www; - myServices.websites.webappDirs."${davical.apache.webappName}" = davical.webRoot; - myServices.websites.webappDirs."${infcloud.webappName}" = pkgs.webapps.infcloud; + services.websites.webappDirs._dav = ./www; + services.websites.webappDirs."${davical.apache.webappName}" = davical.webRoot; + services.websites.webappDirs."${infcloud.webappName}" = pkgs.webapps.infcloud; }; } diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix index 56e4401..55f9ecb 100644 
--- a/modules/private/websites/tools/git/default.nix +++ b/modules/private/websites/tools/git/default.nix @@ -19,8 +19,8 @@ in { services.websites.env.tools.modules = gitweb.apache.modules ++ mantisbt.apache.modules; - myServices.websites.webappDirs."${gitweb.apache.webappName}" = gitweb.webRoot; - myServices.websites.webappDirs."${mantisbt.apache.webappName}" = mantisbt.webRoot; + services.websites.webappDirs."${gitweb.apache.webappName}" = gitweb.webRoot; + services.websites.webappDirs."${mantisbt.apache.webappName}" = mantisbt.webRoot; system.activationScripts.mantisbt = mantisbt.activationScript; services.websites.env.tools.vhostConfs.git = { diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index 1f7f7bf..dda2d45 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix @@ -72,7 +72,7 @@ in rainloop = rainloop.activationScript; }; - myServices.websites.webappDirs = { + services.websites.webappDirs = { _mail = ./www; "${roundcubemail.apache.webappName}" = roundcubemail.webRoot; "${rainloop.apache.webappName}" = rainloop.webRoot; diff --git a/modules/private/websites/tools/mail/mta-sts.nix b/modules/private/websites/tools/mail/mta-sts.nix index ed3fce8..c5d4306 100644 --- a/modules/private/websites/tools/mail/mta-sts.nix +++ b/modules/private/websites/tools/mail/mta-sts.nix @@ -34,7 +34,7 @@ let in { config = lib.mkIf cfg.enable { - myServices.websites.webappDirs = { + services.websites.webappDirs = { _mta-sts = root; }; diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index d88763c..be2ee75 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix 
@@ -335,7 +335,7 @@ in { ldap = ldap.activationScript; }; - myServices.websites.webappDirs = { + services.websites.webappDirs = { _adminer = adminer.webRoot; "${dokuwiki.apache.webappName}" = dokuwiki.webRoot; "${ldap.apache.webappName}" = "${ldap.webRoot}/htdocs"; diff --git a/modules/private/websites/tools/vpn/default.nix b/modules/private/websites/tools/vpn/default.nix index cfe010c..4398a60 100644 --- a/modules/private/websites/tools/vpn/default.nix +++ b/modules/private/websites/tools/vpn/default.nix @@ -10,6 +10,6 @@ in { root = "/run/current-system/webapps/_vpn"; }; - myServices.websites.webappDirs._vpn = ./www; + services.websites.webappDirs._vpn = ./www; }; } diff --git a/pkgs/default.nix b/pkgs/default.nix index b02c63e..14d3ed6 100644 --- a/pkgs/default.nix +++ b/pkgs/default.nix @@ -45,7 +45,7 @@ rec { bitlbee-mastodon = callPackage ./bitlbee-mastodon {}; composerEnv = callPackage ./composer-env {}; - webapps = callPackage ./webapps { inherit mylibs composerEnv private; }; + webapps = callPackage ./webapps { inherit mylibs composerEnv; }; monitoring-plugins = callPackage ./monitoring-plugins {}; naemon = callPackage ./naemon { inherit mylibs monitoring-plugins; }; @@ -54,10 +54,6 @@ rec { simp_le_0_17 = callPackage ./simp_le {}; certbot = callPackage ./certbot {}; - private = if builtins.pathExists (./. + "/private") - then import ./private { inherit pkgs; } - else { webapps = {}; }; - python3PackagesPlus = callPackage ./python-packages { python = python3; inherit mylibs; diff --git a/pkgs/private/default.nix b/pkgs/private/default.nix deleted file mode 100644 index 1abdd29..0000000 --- a/pkgs/private/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs }: -with pkgs; -let - mylibs = import ../../lib { inherit pkgs; }; -in -rec { - webapps = callPackage ./webapps { - inherit mylibs; - inherit (pkgs) composerEnv; - inherit (pkgs.webapps) spip; - }; -} 
diff --git a/pkgs/private/webapps/apache-default/default.nix b/pkgs/private/webapps/apache-default/default.nix deleted file mode 100644 index 92f558e..0000000 --- a/pkgs/private/webapps/apache-default/default.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ www_root ? null }: -rec { - www = ./www; - apacheConfig = let - www_root' = if isNull www_root then www else www_root; - in '' - ErrorDocument 500 /maintenance_immae.html - ErrorDocument 501 /maintenance_immae.html - ErrorDocument 502 /maintenance_immae.html - ErrorDocument 503 /maintenance_immae.html - ErrorDocument 504 /maintenance_immae.html - Alias /maintenance_immae.html ${www_root'}/maintenance_immae.html - ProxyPass /maintenance_immae.html ! - - AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root'}/googleb6d69446ff4ca3e5.html - - AllowOverride None - Require all granted - - ''; -} diff --git a/pkgs/private/webapps/default.nix b/pkgs/private/webapps/default.nix deleted file mode 100644 index 12b690b..0000000 --- a/pkgs/private/webapps/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ callPackage, mylibs, composerEnv, lib, spip }: -rec { - apache-default = callPackage ./apache-default {}; - - aten = callPackage ./aten { inherit composerEnv mylibs; }; - chloe = callPackage ./chloe { inherit mylibs spip; }; - iridologie = callPackage ./iridologie { inherit mylibs spip; }; - connexionswing = callPackage ./connexionswing { inherit composerEnv mylibs;}; - ludivinecassal = callPackage ./ludivinecassal { inherit composerEnv mylibs; }; - piedsjaloux = callPackage ./piedsjaloux { inherit composerEnv mylibs; }; - tellesflorian = callPackage ./tellesflorian { inherit composerEnv mylibs; }; -} diff --git a/pkgs/webapps/default.nix b/pkgs/webapps/default.nix index 2f4d739..8cc252d 100644 --- a/pkgs/webapps/default.nix +++ b/pkgs/webapps/default.nix 
@@ -1,4 +1,4 @@ -{ callPackage, mylibs, composerEnv, lib, private }: +{ callPackage, mylibs, composerEnv, lib }: rec { adminer = callPackage ./adminer {}; apache-theme = callPackage ./apache-theme {}; @@ -113,4 +113,4 @@ rec { in lib.attrsets.genAttrs names (name: callPackage (./yourls/plugins + "/${name}") { inherit mylibs; }); -} // private.webapps +}