Finish moving aten php configuration to dedicated module

6 files changed, 229 insertions, 167 deletions

diff --git a/modules/private/websites/aten/builder.nix b/modules/private/websites/aten/builder.nix
deleted file mode 100644
index 83a8f70..0000000
--- a/modules/private/websites/aten/builder.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ apacheUser, apacheGroup, aten, lib, mylibs, config }: rec {
-  app = aten.override { inherit (config) environment; };
-  phpFpm = rec {
-    preStart = mylibs.phpFpmPreStart {
-      inherit app;
-      inherit (app) varDir;
-      keyFiles = [
-        "/var/secrets/webapps/${app.environment}-aten"
-      ];
-      actions = [
-        "/run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
-      ];
-    };
-    serviceDeps = [ "postgresql.service" ];
-    socket = "/var/run/phpfpm/aten-${app.environment}.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apacheUser}
-      group = ${apacheGroup}
-      listen.owner = ${apacheUser}
-      listen.group = ${apacheGroup}
-      php_admin_value[upload_max_filesize] = 20M
-      php_admin_value[post_max_size] = 20M
-      ;php_admin_flag[log_errors] = on
-      php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp"
-      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
-      ${if app.environment == "dev" then ''
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      env[SYMFONY_DEBUG_MODE] = "yes"
-      '' else ''
-      pm = dynamic
-      pm.max_children = 20
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      ''}'';
-  };
-  keys = [{
-    dest = "webapps/${app.environment}-aten";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      SetEnv APP_ENV      "${app.environment}"
-      SetEnv APP_SECRET   "${config.secret}"
-      SetEnv DATABASE_URL "${config.psql_url}"
-      '';
-  }];
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "aten_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    <FilesMatch "\.php$">
-      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-    </FilesMatch>
-
-    Include /var/secrets/webapps/${app.environment}-aten
-
-    ${if app.environment == "dev" then ''
-    <Location />
-      Use LDAPConnect
-      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
-    </Location>
-
-    <Location /backend>
-      Use LDAPConnect
-      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
-    </Location>
-    '' else ''
-    Use Stats aten.pro
-
-    <Location /backend>
-      Use LDAPConnect
-      Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
-    </Location>
-    ''}
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride All
-      Require all granted
-      DirectoryIndex index.php
-      FallbackResource /index.php
-    </Directory>
-    '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
-    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-}
diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix
index 0dbc4fa..38068a7 100644
--- a/modules/private/websites/aten/integration.nix
+++ b/modules/private/websites/aten/integration.nix
@@ -1,43 +1,83 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-  aten = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) aten;
-    config = myconfig.env.websites.aten.integration;
-    apacheUser = config.services.httpd.Inte.user;
-    apacheGroup = config.services.httpd.Inte.group;
-  };
-
+  secrets = myconfig.env.websites.aten.integration;
+  app = pkgs.webapps.aten.override { environment = secrets.environment; };
   cfg = config.myServices.websites.aten.integration;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
 
   config = lib.mkIf cfg.enable {
-    services.phpApplication.aten_dev = let
-      app = pkgs.webapps.aten.override { environment = "dev"; };
-    in {
+    services.phpApplication.apps.aten_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
       httpdGroup = config.services.httpd.Inte.group;
+      httpdWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-aten"
+      ];
       inherit (app) webRoot varDir;
       inherit app;
       serviceDeps = [ "postgresql.service" ];
       preStartActions = [
         "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
       ];
-      watchFiles = [
-        "${config.secrets.location}/webapps/${app.environment}-aten"
-      ];
-      webappName = "aten_dev";
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = ondemand
+        pm.max_children = 5
+        pm.process_idle_timeout = 60
+        env[SYMFONY_DEBUG_MODE] = "yes"
+      '';
     };
 
-    secrets.keys = aten.keys;
-    services.phpfpm.poolConfigs.aten_dev = aten.phpFpm.pool;
-    services.websites.env.integration.vhostConfs.aten = {
+    secrets.keys = [{
+      dest = "webapps/${app.environment}-aten";
+      user = config.services.httpd.Inte.user;
+      group = config.services.httpd.Inte.user;
+      permissions = "0400";
+      text = ''
+        SetEnv APP_ENV      "${app.environment}"
+        SetEnv APP_SECRET   "${secrets.secret}"
+        SetEnv DATABASE_URL "${secrets.psql_url}"
+        '';
+    }];
+    services.websites.env.integration.vhostConfs.aten_dev = {
       certName    = "eldiron";
       addToCerts  = true;
       hosts       = [ "dev.aten.pro" ];
-      root        = aten.apache.root;
-      extraConfig = [ aten.apache.vhostConf ];
+      root        = pcfg.webappDirs.aten_dev;
+      extraConfig = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_dev}|fcgi://localhost"
+        </FilesMatch>
+
+        Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"}
+
+        <Location />
+          Use LDAPConnect
+          Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+        </Location>
+
+        <Location /backend>
+          Use LDAPConnect
+          Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+        </Location>
+
+        <Directory ${pcfg.webappDirs.aten_dev}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+          DirectoryIndex index.php
+          FallbackResource /index.php
+        </Directory>
+        ''
+      ];
     };
   };
 }
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix
index 0fab309..21ecdcf 100644
--- a/modules/private/websites/aten/production.nix
+++ b/modules/private/websites/aten/production.nix
@@ -1,36 +1,81 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-  aten = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) aten;
-    config = myconfig.env.websites.aten.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
-  };
-
+  secrets = myconfig.env.websites.aten.production;
+  app = pkgs.webapps.aten.override { environment = secrets.environment; };
   cfg = config.myServices.websites.aten.production;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = aten.keys;
     services.webstats.sites = [ { name = "aten.pro"; } ];
+    services.phpApplication.apps.aten_prod = {
+      websiteEnv = "production";
+      httpdUser = config.services.httpd.Prod.user;
+      httpdGroup = config.services.httpd.Prod.group;
+      httpdWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-aten"
+      ];
+      inherit (app) webRoot varDir;
+      inherit app;
+      serviceDeps = [ "postgresql.service" ];
+      preStartActions = [
+        "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = dynamic
+        pm.max_children = 20
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+      '';
+    };
 
-    systemd.services.phpfpm-aten_prod.preStart = lib.mkAfter aten.phpFpm.preStart;
-    systemd.services.phpfpm-aten_prod.after = lib.mkAfter aten.phpFpm.serviceDeps;
-    systemd.services.phpfpm-aten_prod.wants = aten.phpFpm.serviceDeps;
-    services.phpfpm.poolConfigs.aten_prod = aten.phpFpm.pool;
-    system.activationScripts.aten_prod = aten.activationScript;
-    myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot;
-    services.websites.env.production.modules = aten.apache.modules;
-    services.websites.env.production.vhostConfs.aten = {
+    secrets.keys = [{
+      dest = "webapps/${app.environment}-aten";
+      user = config.services.httpd.Prod.user;
+      group = config.services.httpd.Prod.user;
+      permissions = "0400";
+      text = ''
+        SetEnv APP_ENV      "${app.environment}"
+        SetEnv APP_SECRET   "${secrets.secret}"
+        SetEnv DATABASE_URL "${secrets.psql_url}"
+        '';
+    }];
+    services.websites.env.production.vhostConfs.aten_prod = {
       certName     = "aten";
       certMainHost = "aten.pro";
-      hosts        = [ "aten.pro" "www.aten.pro" ];
-      root         = aten.apache.root;
-      extraConfig  = [ aten.apache.vhostConf ];
+      hosts       = [ "aten.pro" "www.aten.pro" ];
+      root        = pcfg.webappDirs.aten_prod;
+      extraConfig = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_prod}|fcgi://localhost"
+        </FilesMatch>
+
+        Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"}
+
+        Use Stats aten.pro
+
+        <Location /backend>
+          Use LDAPConnect
+          Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+        </Location>
+
+        <Directory ${pcfg.webappDirs.aten_prod}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+          DirectoryIndex index.php
+          FallbackResource /index.php
+        </Directory>
+        ''
+      ];
     };
-    services.websites.env.production.watchPaths = [
-      "/var/secrets/webapps/${aten.app.environment}-aten"
-    ];
   };
 }
diff --git a/modules/secrets.nix b/modules/secrets.nix
index 808b15c..a2424e9 100644
--- a/modules/secrets.nix
+++ b/modules/secrets.nix
@@ -11,7 +11,16 @@
       default = "/var/secrets";
       description = "Location where to put the keys";
     };
+    # Read-only variables
+    fullPaths = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = builtins.listToAttrs
+        (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys);
+      readOnly = true;
+      description = "set of full paths to secrets";
+    };
   };
+
   config = let
     location = config.secrets.location;
     keys = config.secrets.keys;
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index ef79cb3..043fc6e 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -23,14 +23,6 @@ in
         Name of the webapp dir to create in /run/current-system
         '';
     };
-    webappDirsPath = mkOption {
-      type = str;
-      readOnly = true;
-      description = ''
-        Full path of the webapp dir
-        '';
-      default = "/run/current-system/${cfg.webappDirsName}";
-    };
     env = mkOption {
       default = {};
       description = "Each type of website to enable will target a distinct httpd server";
@@ -126,6 +118,17 @@ in
         };
       });
     };
+    # Readonly variables
+    webappDirsPaths = mkOption {
+      type = attrsOf path;
+      readOnly = true;
+      description = ''
+        Full paths of the webapp dir
+        '';
+      default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+        name "/run/current-system/${cfg.webappDirsName}/${name}"
+      ) cfg.webappDirs;
+    };
   };
 
   config.services.httpd = let
diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix
index 765d406..1bc4872 100644
--- a/modules/websites/php-application.nix
+++ b/modules/websites/php-application.nix
@@ -2,11 +2,11 @@
 with lib;
 let
   cfg = config.services.phpApplication;
-  cfgByEnv = lists.groupBy (x: x.websiteEnv) (builtins.attrValues cfg);
+  cfgByEnv = lists.groupBy (x: x.websiteEnv) (builtins.attrValues cfg.apps);
 in
 {
-  options = {
-    services.phpApplication = with types; mkOption {
+  options = with types; {
+    services.phpApplication.apps = mkOption {
       default = {};
       description = ''
         php applications to define
@@ -31,6 +31,35 @@ in
             default = true;
             description = "Handle phpsession files separately in vardir";
           };
+          phpListen = mkOption {
+            type = nullOr str;
+            default = null;
+            description = "Name of the socket to listen to. Defaults to app name if null";
+          };
+          phpPool = mkOption {
+            type = lines;
+            default = "";
+            description = "Pool configuration to append";
+          };
+          phpOptions = mkOption {
+            type = lines;
+            default = "";
+            description = "php configuration to append";
+          };
+          phpOpenbasedir = mkOption {
+            type = listOf path;
+            default = [];
+            description = ''
+              paths to add to php open_basedir configuration in addition to app and vardir
+              '';
+          };
+          phpWatchFiles = mkOption {
+            type = listOf path;
+            default = [];
+            description = ''
+              Path to other files to watch to trigger preStart scripts
+              '';
+          };
           websiteEnv = mkOption {
             type = str;
             description = ''
@@ -51,6 +80,13 @@ in
               httpd group to run the prestart scripts as.
               '';
           };
+          httpdWatchFiles = mkOption {
+            type = listOf path;
+            default = [];
+            description = ''
+              Path to other files to watch to trigger httpd reload
+              '';
+          };
           app = mkOption {
             type = path;
             description = ''
@@ -59,6 +95,7 @@ in
           };
           webappName = mkOption {
             type = nullOr str;
+            default = null;
             description = ''
               Alias name for the app, to be used in services.websites.webappDirs
               '';
@@ -84,29 +121,57 @@ in
               List of systemd services this application depends on
               '';
           };
-          watchFiles = mkOption {
-            type = listOf path;
-            default = [];
-            description = ''
-              Path to other files to watch to trigger preStart scripts
-              '';
-          };
         };
       });
     };
+    # Read-only variables
+    services.phpApplication.phpListenPaths = mkOption {
+      type = attrsOf path;
+      default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+        name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock"
+      ) cfg.apps;
+      readOnly = true;
+      description = ''
+        Full paths to listen for php
+        '';
+    };
+    services.phpApplication.webappDirs = mkOption {
+      type = attrsOf path;
+      default = attrsets.filterAttrs (n: v: builtins.hasAttr n cfg.apps) config.services.websites.webappDirsPaths;
+      readOnly = true;
+      description = ''
+        Stable name webapp dirs for httpd
+        '';
+    };
   };
 
   config = {
     services.websites.env = attrsets.mapAttrs' (name: cfgs: attrsets.nameValuePair
       name {
         modules = [ "proxy_fcgi" ];
-        watchPaths = builtins.concatLists (map (c: c.watchFiles) cfgs);
+        watchPaths = builtins.concatLists (map (c: c.httpdWatchFiles) cfgs);
       }
     ) cfgByEnv;
 
+    services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+      name {
+        listen = cfg.phpListenPaths."${name}";
+        extraConfig = ''
+          user = ${icfg.httpdUser}
+          group = ${icfg.httpdGroup}
+          listen.owner = ${icfg.httpdUser}
+          listen.group = ${icfg.httpdGroup}
+          ${optionalString (icfg.phpSession) ''
+            php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''}
+          php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpOpenbasedir)}"
+          '' + icfg.phpPool;
+        phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions;
+      }
+    ) cfg.apps;
+
     services.websites.webappDirs = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
-      icfg.webappName icfg.webRoot
-    ) (attrsets.filterAttrs (n: v: !isNull v.webappName && !isNull v.webRoot) cfg);
+      (if icfg.webappName == null then name else icfg.webappName) icfg.webRoot
+    ) (attrsets.filterAttrs (n: v: !isNull v.webRoot) cfg.apps);
 
     systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
       "phpfpm-${name}" {
@@ -114,7 +179,7 @@ in
         wants = icfg.serviceDeps;
         preStart = lib.mkAfter (optionalString (!isNull icfg.varDir) ''
           watchFilesChanged() {
-            ${optionalString (builtins.length icfg.watchFiles == 0) "return 0"}
+            ${optionalString (builtins.length icfg.phpWatchFiles == 0) "return 1"}
             [ ! -f "${icfg.varDir}"/watchedFiles ] \
               || ! sha512sum -c --status ${icfg.varDir}/watchedFiles
           }
@@ -123,8 +188,8 @@ in
               "${icfg.app}" != "$(cat ${icfg.varDir}/currentWebappDir 2>/dev/null)" ]
           }
           updateWatchFiles() {
-            ${optionalString (builtins.length icfg.watchFiles == 0) "return 0"}
-            sha512sum ${builtins.concatStringsSep " " icfg.watchFiles} > ${icfg.varDir}/watchedFiles
+            ${optionalString (builtins.length icfg.phpWatchFiles == 0) "return 0"}
+            sha512sum ${builtins.concatStringsSep " " icfg.phpWatchFiles} > ${icfg.varDir}/watchedFiles
           }
 
           if watchFilesChanged || appDirChanged; then
@@ -136,7 +201,7 @@ in
           fi
         '');
       }
-    ) cfg;
+    ) cfg.apps;
 
     system.activationScripts = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
       name {
@@ -147,6 +212,6 @@ in
           install -m 0700 -o ${icfg.httpdUser} -g ${icfg.httpdGroup} -d ${icfg.varDir}/phpSessions
           '';
       }
-    ) cfg;
+    ) cfg.apps;
   };
 }