path: root/nixops/modules/websites/tools/mediagoblin/default.nix
blob: 36329d9fd91653613ef701fbe908efc09a8d4a2d (plain) (tree)
{ lib, pkgs, config, myconfig, mylibs, ... }:
let
  # Package set built by ./mediagoblin.nix. It receives the two fetch helpers
  # from mylibs and this tool's environment settings. The attributes this
  # module reads from the result are keys, varDir, socketsDir and pythonRoot.
  mediagoblin = pkgs.callPackage ./mediagoblin.nix {
    fetchedGit = mylibs.fetchedGit;
    fetchedGithub = mylibs.fetchedGithub;
    env = myconfig.env.tools.mediagoblin;
  };

  # Values of the options declared by this module (only `enable` is declared).
  cfg = config.services.myWebsites.tools.mediagoblin;
in {
  # Single switch for this module; the whole `config` section is wrapped in
  # lib.mkIf on it.
  options.services.myWebsites.tools.mediagoblin.enable =
    lib.mkEnableOption "enable mediagoblin's website";

  config = lib.mkIf cfg.enable {
    # Key entries exported by the package are handed to mySecrets
    # (presumably the deployment's secret-file mechanism; confirm there how
    # ownership and mode of each key are set).
    mySecrets.keys = mediagoblin.keys;

    # Fixed uid/gid for the service account, taken from the environment config
    # so that they stay stable across rebuilds.
    ids = {
      uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
      gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
    };

    # Dedicated account that both systemd units in this module run as.
    users.users.mediagoblin = {
      name = "mediagoblin";
      description = "Mediagoblin user";
      uid = config.ids.uids.mediagoblin;
      group = "mediagoblin";
      # Presumably what lets the service read its deployed secrets; confirm
      # against the mySecrets module. Note that group membership applies to
      # every key readable by "keys", not only mediagoblin's.
      extraGroups = [ "keys" ];
      home = mediagoblin.varDir;
      # NOTE(review): this gives a service account the system default login
      # shell. If nobody logs in or su's to this account, a nologin shell
      # would reduce what a compromised application process can be used for.
      useDefaultShell = true;
    };

    users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;

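    # Web front end: runs `paster serve` from the Python root as the
    # mediagoblin user, after applying pending database migrations.
    systemd.services.mediagoblin-web = {
      description = "Mediagoblin service";
      wantedBy = [ "multi-user.target" ];
      # `wants` only pulls the units in; it does not order them. Without the
      # matching `after` entries the preStart migration below can run before
      # the database is accepting connections.
      after = [ "network.target" "postgresql.service" "redis.service" ];
      wants = [ "postgresql.service" "redis.service" ];

      environment.SCRIPT_NAME = "/mediagoblin/";

      # paster stays in the foreground (Type = "simple") and writes the pid
      # file that preStop uses to stop it.
      script = ''
        exec ./bin/paster serve \
          ${mediagoblin.pythonRoot}/paste_local.ini \
          --pid-file=${mediagoblin.socketsDir}/mediagoblin.pid
      '';

      preStop = ''
        exec ./bin/paster serve \
          --pid-file=${mediagoblin.socketsDir}/mediagoblin.pid \
          ${mediagoblin.pythonRoot}/paste_local.ini stop
      '';

      # Schema migrations run on every start, with the same account and
      # database credentials as the web process itself.
      preStart = ''
        ./bin/gmg dbupdate
      '';

      serviceConfig = {
        User = "mediagoblin";
        # PrivateTmp is the only sandboxing directive set on this unit.
        # NOTE(review): NoNewPrivileges, ProtectSystem and ProtectHome are
        # candidates here once the paths the application writes to (varDir,
        # socketsDir) have been confirmed.
        PrivateTmp = true;
        Restart = "always";
        TimeoutSec = 15;
        Type = "simple";
        WorkingDirectory = mediagoblin.pythonRoot;
        PIDFile = "${mediagoblin.socketsDir}/mediagoblin.pid";
      };

      unitConfig.RequiresMountsFor = mediagoblin.varDir;
    };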

    # Background worker: runs `celery worker` from the Python root as the
    # mediagoblin user, ordered after the web unit.
    # NOTE(review): the description string is the same as the web unit's, so
    # the two are indistinguishable in `systemctl` listings and log headers.
    systemd.services.mediagoblin-celeryd = {
      description = "Mediagoblin service";
      after = [ "network.target" "mediagoblin-web.service" ];
      wantedBy = [ "multi-user.target" ];

      environment = {
        CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
        MEDIAGOBLIN_CONFIG = "${mediagoblin.pythonRoot}/mediagoblin_local.ini";
      };

      # The worker writes its own log file under varDir instead of relying
      # on the journal alone.
      script = ''
        exec ./bin/celery worker \
          --logfile=${mediagoblin.varDir}/celery.log \
          --loglevel=INFO
      '';

      unitConfig.RequiresMountsFor = mediagoblin.varDir;

      serviceConfig = {
        Type = "simple";
        User = "mediagoblin";
        WorkingDirectory = mediagoblin.pythonRoot;
        Restart = "always";
        TimeoutSec = 60;
        # NOTE(review): presumably this worker is what processes uploaded
        # media (confirm). If so it is the unit that parses untrusted files,
        # and PrivateTmp is the only isolation it has.
        PrivateTmp = true;
        # NOTE(review): the command line above passes no pid-file option, so
        # nothing visible here writes this path.
        PIDFile = "${mediagoblin.socketsDir}/mediagoblin-celeryd.pid";
      };
    };

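    # Creates the socket and state directories for the service account and
    # refreshes the basic_auth plugin's static-files link.
    #
    # Changes from the previous version:
    #  - `rm -f`: a plain `rm` reported an error whenever the link was absent;
    #  - `ln -sfn`: never descends into an existing symlink-to-directory at
    #    the destination, so the link is replaced rather than nested;
    #  - paths are quoted.
    #
    # NOTE(review): activation scripts presumably run as root, while varDir
    # (and therefore plugin_static) is owned by the mediagoblin account. That
    # account controls what these rm/ln paths resolve to, so keep the
    # operations confined to the single link name below.
    # NOTE(review): both directories are created 0755. wwwrun is added to the
    # mediagoblin group elsewhere in this module, so 0750 may be enough;
    # confirm that nothing else needs to traverse them.
    system.activationScripts.mediagoblin = {
      deps = [ "users" ];
      text = ''
      install -m 0755 -o mediagoblin -g mediagoblin -d "${mediagoblin.socketsDir}"
      install -m 0755 -o mediagoblin -g mediagoblin -d "${mediagoblin.varDir}"
      if [ -d "${mediagoblin.varDir}/plugin_static/" ]; then
        rm -f "${mediagoblin.varDir}/plugin_static/coreplugin_basic_auth"
        ln -sfn "${mediagoblin.pythonRoot}/mediagoblin/plugins/basic_auth/static" "${mediagoblin.varDir}/plugin_static/coreplugin_basic_auth"
      fi
      '';
    };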

    # Apache modules required by the Proxy* directives of the mgoblin vhost.
    services.myWebsites.tools.modules = [ "proxy" "proxy_http" ];

    # The web server account joins the mediagoblin group, presumably so that
    # it can reach the application's unix socket and static directories.
    # This also grants it every other group-readable file owned by that
    # group.
    users.users.wwwrun.extraGroups = [ "mediagoblin" ];

    # Adds the public host name to the shared "eldiron" certificate.
    security.acme.certs.eldiron.extraDomains."mgoblin.immae.eu" = null;
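    # Apache virtual host for mgoblin.immae.eu. Three directories under varDir
    # are served directly from disk; every other path (except the ACME
    # challenge) is proxied to the application's unix socket.
    #
    # Change from the previous version: `+Includes` is no longer set on
    # media/public. That directory holds user-supplied files, and with
    # Includes enabled the server would interpret SSI directives in a stored
    # file wherever an INCLUDES filter is configured.
    #
    # NOTE(review): theme_static and plugin_static keep `+Includes` as before.
    # Both live under varDir, which the application account can write, so the
    # same reasoning may apply; confirm whether anything relies on SSI there.
    # NOTE(review): `+FollowSymLinks` on directories writable by the
    # application lets a link placed there expose any file the web server
    # account can read. plugin_static needs it for the basic_auth link; the
    # upload directory may not.
    services.myWebsites.tools.vhostConfs.mgoblin = {
      certName    = "eldiron";
      hosts       = ["mgoblin.immae.eu" ];
      root        = null;
      extraConfig = [ ''
        Alias /mgoblin_media ${mediagoblin.varDir}/media/public
        <Directory ${mediagoblin.varDir}/media/public>
          Options -Indexes +FollowSymLinks +MultiViews
          Require all granted
        </Directory>

        Alias /theme_static ${mediagoblin.varDir}/theme_static
        <Directory ${mediagoblin.varDir}/theme_static>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        Alias /plugin_static ${mediagoblin.varDir}/plugin_static
        <Directory ${mediagoblin.varDir}/plugin_static>
          Options -Indexes +FollowSymLinks +MultiViews +Includes
          Require all granted
        </Directory>

        ProxyPreserveHost on
        ProxyVia On
        ProxyRequests Off
        ProxyPass /mgoblin_media !
        ProxyPass /theme_static !
        ProxyPass /plugin_static !
        ProxyPassMatch ^/.well-known/acme-challenge !
        ProxyPass / unix://${mediagoblin.socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
        ProxyPassReverse / unix://${mediagoblin.socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
      '' ];
    };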
  };
}