path: root/modules/private/websites/ludivine/integration.nix

{ lib, pkgs, config,  ... }:
let
  secrets = config.myEnv.websites.ludivine.integration;
  cfg = config.myServices.websites.ludivine.integration;
  pcfg = config.services.phpApplication;
  webRoot = "/var/lib/ftp/immae/ludivine/web";
in {
  options.myServices.websites.ludivine.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";

  config = lib.mkIf cfg.enable {
    services.duplyBackup.profiles.ludivine_integration.rootDir = app.varDir;
    services.phpApplication.apps.ludivine_integration = {
      websiteEnv = "integration";
      httpdUser = config.services.httpd.Inte.user;
      httpdGroup = config.services.httpd.Inte.group;
      inherit webRoot;
      varDir = "/var/lib/ftp/immae/ludivine_var";
      app = "/var/lib/ftp/immae/ludivine";
      varDirPaths = {
        "tmp" = "0700";
      };
      serviceDeps = [ "mysql.service" ];
      preStartActions = [
        "./bin/console --env=dev cache:clear --no-warmup"
      ];
      phpOpenbasedir = [ "/tmp" ];
      phpPool = {
        "php_admin_value[upload_max_filesize]" = "20M";
        "php_admin_value[post_max_size]" = "20M";
        #"php_admin_flag[log_errors]" = "on";
        "pm" = "ondemand";
        "pm.max_children" = "5";
        "pm.process_idle_timeout" = "60";
      };
      phpEnv = {
        PATH = lib.makeBinPath [
          # below ones don't need to be in the PATH but they’re used in
          # secrets
          pkgs.imagemagick pkgs.sass pkgs.ruby
        ];
        SYMFONY_DEBUG_MODE = "\"yes\"";
      };
      phpWatchFiles = [
        config.secrets.fullPaths."websites/ludivine/integration"
      ];
      phpPackage = pkgs.php72;
    };

    secrets.keys."websites/ludivine/integration" = {
      user = config.services.httpd.Inte.user;
      group = config.services.httpd.Inte.group;
      permissions = "0400";
      text = ''
        # This file is auto-generated during the composer install
        parameters:
            database_host: ${secrets.mysql.host}
            database_port: ${secrets.mysql.port}
            database_name: ${secrets.mysql.database}
            database_user: ${secrets.mysql.user}
            database_password: ${secrets.mysql.password}
            database_server_version: ${pkgs.mariadb.mysqlVersion}
            mailer_transport: smtp
            mailer_host: 127.0.0.1
            mailer_user: null
            mailer_password: null
            secret: ${secrets.secret}
            ldap_host: ldap.immae.eu
            ldap_port: 636
            ldap_version: 3
            ldap_ssl: true
            ldap_tls: false
            ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
            ldap_base_dn: 'dc=immae,dc=eu'
            ldap_search_dn: '${secrets.ldap.dn}'
            ldap_search_password: '${secrets.ldap.password}'
            ldap_search_filter: '${secrets.ldap.filter}'
        leapt_im:
            binary_path: ${pkgs.imagemagick}/bin
        assetic:
            sass: ${pkgs.sass}/bin/sass
            ruby: ${pkgs.ruby}/bin/ruby
      '';
    };

    services.websites.env.integration.vhostConfs.ludivine_integration = {
      certName    = "integration";
      addToCerts  = true;
      hosts       = [ "ludivine.immae.eu" ];
      root        = webRoot;
      extraConfig = [
        ''
        <FilesMatch "\.php$">
          SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivine_integration}|fcgi://localhost"
        </FilesMatch>

        <Location />
          Use LDAPConnect
          Require ldap-group   cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
        </Location>

        <Directory ${webRoot}>
          Options Indexes FollowSymLinks MultiViews Includes
          AllowOverride None
          Require all granted

          DirectoryIndex app_dev.php

          <IfModule mod_negotiation.c>
          Options -MultiViews
          </IfModule>

          <IfModule mod_rewrite.c>
            RewriteEngine On

            RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
            RewriteRule ^(.*) - [E=BASE:%1]

            # Maintenance script
            RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
            RewriteCond %{SCRIPT_FILENAME} !maintenance.php
            RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
            ErrorDocument 503 /maintenance.php

            # Sets the HTTP_AUTHORIZATION header removed by Apache
            RewriteCond %{HTTP:Authorization} .
            RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

            RewriteCond %{ENV:REDIRECT_STATUS} ^$
            RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]

            # If the requested filename exists, simply serve it.
            # We only want to let Apache serve files and not directories.
            RewriteCond %{REQUEST_FILENAME} -f
            RewriteRule ^ - [L]

            # Rewrite all other queries to the front controller.
            RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
          </IfModule>

        </Directory>
        ''
      ];
    };
  };
}