path: root/virtual/eldiron.nix



{
  network = {
    description = "Immae's network";
    enableRollback = true;
  };

  # Full backup:
  # The star after /var/lib/* avoids deleting all folders in case of problem
  # rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu:
  eldiron = { config, pkgs, mylibs, myconfig, ... }:
    with mylibs;
    let
        mypkgs = pkgs.callPackage ./packages.nix {
          inherit checkEnv fetchedGit fetchedGithub;
        };
    in
  {
    _module.args = {
      mylibs = import ../libs.nix;
      myconfig = {
        ips = {
          main = "176.9.151.89";
          production = "176.9.151.154";
          integration = "176.9.151.155";
        };
      };
    };

    imports = [
      ./modules/certificates.nix
      ./modules/gitolite.nix
      ./modules/gitweb.nix
      ./modules/databases.nix
      ./modules/websites
      ./modules/websites/phpfpm
    ];
    services.myGitolite.enable = true;
    services.myGitweb.enable = true;
    services.myDatabases.enable = true;
    services.myWebsites.production.enable = true;
    services.myWebsites.integration.enable = true;

    networking = {
      firewall = {
        enable = true;
        allowedTCPPorts = [ 22 9418 ];
      };
    };

    deployment = {
      targetEnv = "hetzner";
      hetzner = {
        #robotUser = "defined in HETZNER_ROBOT_USER";
        #robotPass = "defined in HETZNER_ROBOT_PASS";
        mainIPv4 = myconfig.ips.main;
        partitions = ''
          clearpart --all --initlabel --drives=sda,sdb

          part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
          part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

          part raid.1 --grow --ondisk=sda
          part raid.2 --grow --ondisk=sdb

          raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
        '';
      };
    };

    environment.systemPackages = let
      # FIXME: move it to nextcloud
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
        cd ${mypkgs.nextcloud.webRoot}
        NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
          exec \
          ${pkgs.php}/bin/php \
          -c ${pkgs.php}/etc/php.ini \
          occ $*
        '';
    in [
      pkgs.telnet
      pkgs.htop
      pkgs.vim
      occ
    ];

    security.acme.certs."eldiron".extraDomains = {
      "db-1.immae.eu" = null;
      "tools.immae.eu" = null;
      "cloud.immae.eu" = null;
      "dav.immae.eu" = null;
    };

    services.openssh.extraConfig = ''
      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
      '';

    services.ympd = mypkgs.ympd.config // { enable = false; };

    services.myPhpfpm = {
      phpPackage = pkgs.php;
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        session.gc_maxlifetime = 60*60*24*15
        session.cache_expire = 60*24*30
        '';
      extraConfig = ''
        log_level = notice
        '';
      poolPhpConfigs = {
        nextcloud = mypkgs.nextcloud.phpFpm.phpConfig;
      };
      poolConfigs = {
        adminer = mypkgs.adminer.phpFpm.pool;
        nextcloud = mypkgs.nextcloud.phpFpm.pool;
        mantisbt = mypkgs.mantisbt.phpFpm.pool;
        ttrss = mypkgs.ttrss.phpFpm.pool;
        roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
        davical = mypkgs.davical.phpFpm.pool;
      };
    };

    system.activationScripts = {
      nextcloud = mypkgs.nextcloud.activationScript;
      ttrss = mypkgs.ttrss.activationScript;
      roundcubemail = mypkgs.roundcubemail.activationScript;
      httpd = ''
        install -d -m 0755 /var/lib/acme/acme-challenge
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
        '';
    };

    environment.etc."ssh/ldap_authorized_keys" = let
      ldap_authorized_keys =
        assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
        wrap {
          name = "ldap_authorized_keys";
          file = ./ldap_authorized_keys.sh;
          vars = {
            LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
            ECHO = "${pkgs.coreutils}/bin/echo";
          };
          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
        };
    in {
      enable = true;
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };

    services.gitDaemon = {
      enable = true;
      user = "gitolite";
      group = "gitolite";
      basePath = "${mypkgs.git.web.varDir}/repositories";
    };

    # FIXME: logrotate
    services.httpd = let
      withConf = domain: {
        enableSSL = true;
        sslServerCert = "/var/lib/acme/${domain}/cert.pem";
        sslServerKey = "/var/lib/acme/${domain}/key.pem";
        sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
        logFormat = "combinedVhost";
        listen = [
          { ip = "176.9.151.89";  port = 443; }
        ];
      };
      apacheConfig = config.services.myWebsites.apacheConfig;
    in rec {
      enable = true;
      logPerVirtualHost = true;
      multiProcessingModule = "worker";
      adminAddr = "httpd@immae.eu";
      logFormat = "combinedVhost";
      extraModules = pkgs.lib.lists.unique (
        mypkgs.adminer.apache.modules ++
        mypkgs.nextcloud.apache.modules ++
        mypkgs.ympd.apache.modules ++
        mypkgs.git.web.apache.modules ++
        mypkgs.mantisbt.apache.modules ++
        mypkgs.ttrss.apache.modules ++
        mypkgs.roundcubemail.apache.modules ++
        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig));
      extraConfig = builtins.concatStringsSep "\n"
        (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
      virtualHosts = [
        (withConf "eldiron" // {
          hostName = "eldiron.immae.eu";
          documentRoot = ./www;
          extraConfig = ''
            DirectoryIndex index.htm
            '';
        })
        (withConf "eldiron" // {
          hostName = "db-1.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "tools.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
            mypkgs.ympd.apache.vhostConf
            mypkgs.ttrss.apache.vhostConf
            mypkgs.roundcubemail.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "dav.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.infcloud.apache.vhostConf
            mypkgs.davical.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "cloud.immae.eu";
          documentRoot = mypkgs.nextcloud.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.nextcloud.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "git.immae.eu";
          documentRoot = mypkgs.git.web.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.git.web.apache.vhostConf
            mypkgs.mantisbt.apache.vhostConf
          ] + ''
            RewriteEngine on
            RewriteCond %{REQUEST_URI}       ^/releases
            RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
            '';
        })
        { # Should go last, default fallback
          listen = [ { ip = "*"; port = 80; } ];
          hostName = "redirectSSL";
          serverAliases = [ "*" ];
          enableSSL = false;
          logFormat = "combinedVhost";
          documentRoot = "/var/lib/acme/acme-challenge";
          extraConfig = ''
            RewriteEngine on
            RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
            RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
            # To redirect in specific "VirtualHost *:80", do
            #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
            # rather than rewrite
            '';
        }
      ];
    };

    systemd.services.tt-rss = {
      description = "Tiny Tiny RSS feeds update daemon";
      serviceConfig = {
        User = "wwwrun";
        ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
        StandardOutput = "syslog";
        StandardError = "syslog";
        PermissionsStartOnly = true;
      };

      wantedBy = [ "multi-user.target" ];
      requires = ["postgresql.service"];
      after = ["network.target" "postgresql.service"];
    };
  };
}
{
  network = {
    description = "Immae's network";
    enableRollback = true;
  };

  # Full backup:
  # The star after /var/lib/* avoids deleting all folders in case of problem
  # rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu:
  eldiron = { config, pkgs, mylibs, myconfig, ... }:
    with mylibs;
    let
        mypkgs = pkgs.callPackage ./packages.nix {
          inherit checkEnv fetchedGit fetchedGithub;
        };
    in
  {
    _module.args = {
      mylibs = import ../libs.nix;
      myconfig = {
        ips = {
          main = "176.9.151.89";
          production = "176.9.151.154";
          integration = "176.9.151.155";
        };
      };
    };

    imports = [
      ./modules/certificates.nix
      ./modules/gitolite.nix
      ./modules/gitweb.nix
      ./modules/databases.nix
      ./modules/websites
      ./modules/websites/phpfpm
    ];
    services.myGitolite.enable = true;
    services.myGitweb.enable = true;
    services.myDatabases.enable = true;
    services.myWebsites.production.enable = true;
    services.myWebsites.integration.enable = true;

    networking = {
      firewall = {
        enable = true;
        allowedTCPPorts = [ 22 9418 ];
      };
    };

    deployment = {
      targetEnv = "hetzner";
      hetzner = {
        #robotUser = "defined in HETZNER_ROBOT_USER";
        #robotPass = "defined in HETZNER_ROBOT_PASS";
        mainIPv4 = myconfig.ips.main;
        partitions = ''
          clearpart --all --initlabel --drives=sda,sdb

          part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
          part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

          part raid.1 --grow --ondisk=sda
          part raid.2 --grow --ondisk=sdb

          raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
        '';
      };
    };

    environment.systemPackages = let
      # FIXME: move it to nextcloud
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
        cd ${mypkgs.nextcloud.webRoot}
        NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
          exec \
          ${pkgs.php}/bin/php \
          -c ${pkgs.php}/etc/php.ini \
          occ $*
        '';
    in [
      pkgs.telnet
      pkgs.htop
      pkgs.vim
      occ
    ];

    security.acme.certs."eldiron".extraDomains = {
      "db-1.immae.eu" = null;
      "tools.immae.eu" = null;
      "cloud.immae.eu" = null;
      "dav.immae.eu" = null;
    };

    services.openssh.extraConfig = ''
      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
      '';

    services.ympd = mypkgs.ympd.config // { enable = false; };

    services.myPhpfpm = {
      phpPackage = pkgs.php;
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        session.gc_maxlifetime = 60*60*24*15
        session.cache_expire = 60*24*30
        '';
      extraConfig = ''
        log_level = notice
        '';
      poolPhpConfigs = {
        nextcloud = mypkgs.nextcloud.phpFpm.phpConfig;
      };
      poolConfigs = {
        adminer = mypkgs.adminer.phpFpm.pool;
        nextcloud = mypkgs.nextcloud.phpFpm.pool;
        mantisbt = mypkgs.mantisbt.phpFpm.pool;
        ttrss = mypkgs.ttrss.phpFpm.pool;
        roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
        davical = mypkgs.davical.phpFpm.pool;
      };
    };

    system.activationScripts = {
      nextcloud = mypkgs.nextcloud.activationScript;
      ttrss = mypkgs.ttrss.activationScript;
      roundcubemail = mypkgs.roundcubemail.activationScript;
      httpd = ''
        install -d -m 0755 /var/lib/acme/acme-challenge
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
        '';
    };

    environment.etc."ssh/ldap_authorized_keys" = let
      ldap_authorized_keys =
        assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
        wrap {
          name = "ldap_authorized_keys";
          file = ./ldap_authorized_keys.sh;
          vars = {
            LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
            ECHO = "${pkgs.coreutils}/bin/echo";
          };
          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
        };
    in {
      enable = true;
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };

    services.gitDaemon = {
      enable = true;
      user = "gitolite";
      group = "gitolite";
      basePath = "${mypkgs.git.web.varDir}/repositories";
    };

    # FIXME: logrotate
    services.httpd = let
      withConf = domain: {
        enableSSL = true;
        sslServerCert = "/var/lib/acme/${domain}/cert.pem";
        sslServerKey = "/var/lib/acme/${domain}/key.pem";
        sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
        logFormat = "combinedVhost";
        listen = [
          { ip = "176.9.151.89";  port = 443; }
        ];
      };
      apacheConfig = config.services.myWebsites.apacheConfig;
    in rec {
      enable = true;
      logPerVirtualHost = true;
      multiProcessingModule = "worker";
      adminAddr = "httpd@immae.eu";
      logFormat = "combinedVhost";
      extraModules = pkgs.lib.lists.unique (
        mypkgs.adminer.apache.modules ++
        mypkgs.nextcloud.apache.modules ++
        mypkgs.ympd.apache.modules ++
        mypkgs.git.web.apache.modules ++
        mypkgs.mantisbt.apache.modules ++
        mypkgs.ttrss.apache.modules ++
        mypkgs.roundcubemail.apache.modules ++
        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig));
      extraConfig = builtins.concatStringsSep "\n"
        (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
      virtualHosts = [
        (withConf "eldiron" // {
          hostName = "eldiron.immae.eu";
          documentRoot = ./www;
          extraConfig = ''
            DirectoryIndex index.htm
            '';
        })
        (withConf "eldiron" // {
          hostName = "db-1.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "tools.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
            mypkgs.ympd.apache.vhostConf
            mypkgs.ttrss.apache.vhostConf
            mypkgs.roundcubemail.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "dav.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.infcloud.apache.vhostConf
            mypkgs.davical.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "cloud.immae.eu";
          documentRoot = mypkgs.nextcloud.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.nextcloud.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "git.immae.eu";
          documentRoot = mypkgs.git.web.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.git.web.apache.vhostConf
            mypkgs.mantisbt.apache.vhostConf
          ] + ''
            RewriteEngine on
            RewriteCond %{REQUEST_URI}       ^/releases
            RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
            '';
        })
        { # Should go last, default fallback
          listen = [ { ip = "*"; port = 80; } ];
          hostName = "redirectSSL";
          serverAliases = [ "*" ];
          enableSSL = false;
          logFormat = "combinedVhost";
          documentRoot = "/var/lib/acme/acme-challenge";
          extraConfig = ''
            RewriteEngine on
            RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
            RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
            # To redirect in specific "VirtualHost *:80", do
            #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
            # rather than rewrite
            '';
        }
      ];
    };

    systemd.services.tt-rss = {
      description = "Tiny Tiny RSS feeds update daemon";
      serviceConfig = {
        User = "wwwrun";
        ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
        StandardOutput = "syslog";
        StandardError = "syslog";
        PermissionsStartOnly = true;
      };

      wantedBy = [ "multi-user.target" ];
      requires = ["postgresql.service"];
      after = ["network.target" "postgresql.service"];
    };
  };
}