aboutsummaryrefslogtreecommitdiff
path: root/modules/private/system/quatresaisons
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-10-24 12:30:42 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-10-24 12:30:42 +0200
commit75489e72e379af8aeac64bc4967717d9ae776ff0 (patch)
tree1d028e5a9ab73d096e48e3f177eb60b4f73486bd /modules/private/system/quatresaisons
parente43fdf341072e4a0150324196fc7af8f383860ec (diff)
downloadNix-75489e72e379af8aeac64bc4967717d9ae776ff0.tar.gz
Nix-75489e72e379af8aeac64bc4967717d9ae776ff0.tar.zst
Nix-75489e72e379af8aeac64bc4967717d9ae776ff0.zip
Add quatresaisons server
Diffstat (limited to 'modules/private/system/quatresaisons')
-rw-r--r--modules/private/system/quatresaisons/databases.nix146
-rw-r--r--modules/private/system/quatresaisons/landing.yml32
-rw-r--r--modules/private/system/quatresaisons/landing_4c.yml24
-rw-r--r--modules/private/system/quatresaisons/nextcloud.nix141
4 files changed, 343 insertions, 0 deletions
diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
new file mode 100644
index 0000000..3491ae4
--- /dev/null
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -0,0 +1,146 @@
1{ pkgs, config, lib, ... }:
2{
3 config = let
4 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
5 phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
6 in {
7 services.postgresql.enable = true;
8 services.postgresql.package = pkgs.postgresql_12;
9 secrets.keys = [
10 {
11 dest = "ldap/password";
12 permissions = "0400";
13 user = "openldap";
14 group = "openldap";
15 text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
16 }
17 {
18 dest = "webapps/tools-ldap";
19 user = "wwwrun";
20 group = "wwwrun";
21 permissions = "0400";
22 text = ''
23 <?php
24 $config->custom->appearance['show_clear_password'] = true;
25 $config->custom->appearance['hide_template_warning'] = true;
26 $config->custom->appearance['theme'] = "tango";
27 $config->custom->appearance['minimalMode'] = false;
28 $config->custom->appearance['tree'] = 'AJAXTree';
29
30 $servers = new Datastore();
31
32 $servers->newServer('ldap_pla');
33 $servers->setValue('server','name','LDAP');
34 $servers->setValue('server','host','ldap://localhost');
35 $servers->setValue('login','auth_type','cookie');
36 $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
37 $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
38 $servers->setValue('appearance','pla_password_hash','ssha');
39 $servers->setValue('login','attr','uid');
40 $servers->setValue('login','fallback_dn',true);
41 '';
42 }
43 ];
44
45 users.users.openldap.extraGroups = [ "keys" ];
46 services.openldap = {
47 enable = true;
48 dataDir = "/var/lib/openldap";
49 urlList = [ "ldap://localhost" ];
50 logLevel = "none";
51 extraConfig = ''
52 pidfile /run/slapd/slapd.pid
53 argsfile /run/slapd/slapd.args
54
55 moduleload back_hdb
56 backend hdb
57 '';
58
59 extraDatabaseConfig = ''
60 moduleload memberof
61 overlay memberof
62
63 moduleload syncprov
64 overlay syncprov
65 syncprov-checkpoint 100 10
66
67 index objectClass eq
68 index uid pres,eq
69 #index uidMember pres,eq
70 index mail pres,sub,eq
71 index cn pres,sub,eq
72 index sn pres,sub,eq
73 index dc eq
74 index member eq
75 index memberOf eq
76
77 # No one must access that information except root
78 access to attrs=description
79 by * none
80
81 access to attrs=entry,uid filter="(uid=*)"
82 by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
83 by * break
84
85 access to dn.subtree="ou=users,dc=salle-s,dc=org"
86 by dn.subtree="ou=services,dc=salle-s,dc=org" read
87 by * break
88
89 access to *
90 by self read
91 by anonymous auth
92 by * break
93 '';
94 rootpwFile = "${config.secrets.location}/ldap/password";
95 suffix = "dc=salle-s,dc=org";
96 rootdn = "cn=root,dc=salle-s,dc=org";
97 database = "hdb";
98 };
99
100 services.websites.env.production.modules = [ "proxy_fcgi" ];
101 services.websites.env.production.vhostConfs.tools.extraConfig = [
102 ''
103 Alias /ldap "${phpLdapAdmin}/htdocs"
104 <Directory "${phpLdapAdmin}/htdocs">
105 DirectoryIndex index.php
106 <FilesMatch "\.php$">
107 SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
108 </FilesMatch>
109
110 AllowOverride None
111 Require all granted
112 </Directory>
113 ''
114 ];
115 services.phpfpm.pools.ldap = {
116 user = "wwwrun";
117 group = "wwwrun";
118 settings =
119 let
120 basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
121 in {
122 "listen.owner" = "wwwrun";
123 "listen.group" = "wwwrun";
124 "pm" = "ondemand";
125 "pm.max_children" = "60";
126 "pm.process_idle_timeout" = "60";
127
128 # Needed to avoid clashes in browser cookies (same domain)
129 "php_value[session.name]" = "LdapPHPSESSID";
130 "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
131 "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
132 };
133 phpPackage = pkgs.php72;
134 };
135 system.activationScripts.ldap = {
136 deps = [ "users" ];
137 text = ''
138 install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
139 '';
140 };
141 systemd.services.phpfpm-ldap = {
142 after = lib.mkAfter [ "openldap.service" ];
143 wants = [ "openldap.service" ];
144 };
145 };
146}
diff --git a/modules/private/system/quatresaisons/landing.yml b/modules/private/system/quatresaisons/landing.yml
new file mode 100644
index 0000000..cf4ba87
--- /dev/null
+++ b/modules/private/system/quatresaisons/landing.yml
@@ -0,0 +1,32 @@
1---
2# Homepage configuration
3# See https://fontawesome.com/icons for icons options
4
5title: "Websites dashboard"
6subtitle: "Salle-S"
7footer: false
8#footer: '<p>Created with <span class="has-text-danger">❤️</span> with <a href="https://bulma.io/">bulma</a>, <a href="https://vuejs.org/">vuejs</a> & <a href="https://fontawesome.com/">font awesome</a> // Fork me on <a href="https://github.com/bastienwirtz/homer"><i class="fab fa-github-alt"></i></a></p>' # set false if you want to hide it.
9
10# Optional navbar
11# links: [] # Allows for navbar (dark mode, layout, and search) without any links
12links: []
13
14# Services
15# First level array represent a group.
16# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed).
17services:
18 - name: "Quatramaran"
19 items:
20 - name: "Roundcube"
21 logo: "assets/tools/roundcube.svg"
22 url: "https://quatramaran.salle-s.org/roundcube/"
23 - name: "Les dessous de paillasse"
24 url: "https://dessous-de-paillasse.salle-s.org"
25 - name: "Quatre Saisons"
26 items:
27 - name: "Charte d’utilisation"
28 icon: "fas fa-scroll"
29 url: "https://4c.salle-s.org/charte/"
30 - name: "Nextcloud"
31 logo: "assets/tools/nextcloud.png"
32 url: "https://nextcloud.4c.salle-s.org"
diff --git a/modules/private/system/quatresaisons/landing_4c.yml b/modules/private/system/quatresaisons/landing_4c.yml
new file mode 100644
index 0000000..0b9f6b6
--- /dev/null
+++ b/modules/private/system/quatresaisons/landing_4c.yml
@@ -0,0 +1,24 @@
1---
2# Homepage configuration
3# See https://fontawesome.com/icons for icons options
4
5title: "Websites dashboard"
6subtitle: "Quatre saisons"
7footer: false
8#footer: '<p>Created with <span class="has-text-danger">❤️</span> with <a href="https://bulma.io/">bulma</a>, <a href="https://vuejs.org/">vuejs</a> & <a href="https://fontawesome.com/">font awesome</a> // Fork me on <a href="https://github.com/bastienwirtz/homer"><i class="fab fa-github-alt"></i></a></p>' # set false if you want to hide it.
9
10# Optional navbar
11# links: [] # Allows for navbar (dark mode, layout, and search) without any links
12links: []
13
14# Services
15# First level array represent a group.
16# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed).
17services:
18 - items:
19 - name: "Charte d’utilisation"
20 icon: "fas fa-scroll"
21 url: "https://4c.salle-s.org/charte/"
22 - name: "Nextcloud"
23 logo: "assets/tools/nextcloud.png"
24 url: "https://nextcloud.4c.salle-s.org"
diff --git a/modules/private/system/quatresaisons/nextcloud.nix b/modules/private/system/quatresaisons/nextcloud.nix
new file mode 100644
index 0000000..047d17e
--- /dev/null
+++ b/modules/private/system/quatresaisons/nextcloud.nix
@@ -0,0 +1,141 @@
1{ lib, pkgs, config, ... }:
2let
3 nextcloud = pkgs.webapps.nextcloud.withApps (a: [
4 a.apporder a.audioplayer a.bookmarks a.calendar a.carnet a.circles
5 a.contacts a.cookbook a.deck a.extract a.files_markdown
6 a.files_readmemd a.flowupload a.gpxedit a.gpxpod a.keeweb a.maps
7 a.metadata a.music a.notes a.ocsms a.passman a.polls a.spreed
8 a.social a.tasks
9 ]);
10 varDir = "/var/lib/nextcloud";
11 phpFpm = rec {
12 basedir = builtins.concatStringsSep ":" ([ nextcloud varDir ] ++ nextcloud.apps);
13 pool = {
14 "listen.owner" = "wwwrun";
15 "listen.group" = "wwwrun";
16 "pm" = "ondemand";
17 "pm.max_children" = "60";
18 "pm.process_idle_timeout" = "60";
19
20 "php_admin_value[output_buffering]" = "0";
21 "php_admin_value[max_execution_time]" = "1800";
22 "php_admin_value[zend_extension]" = "opcache";
23 #already enabled by default?
24 #"php_value[opcache.enable]" = "1";
25 "php_value[opcache.enable_cli]" = "1";
26 "php_value[opcache.interned_strings_buffer]" = "8";
27 "php_value[opcache.max_accelerated_files]" = "10000";
28 "php_value[opcache.memory_consumption]" = "128";
29 "php_value[opcache.save_comments]" = "1";
30 "php_value[opcache.revalidate_freq]" = "1";
31 "php_admin_value[memory_limit]" = "512M";
32
33 "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp";
34 "php_admin_value[session.save_path]" = "${varDir}/phpSessions";
35 };
36 };
37in {
38 config = {
39 services.postgresql.ensureDatabases = [ "nextcloud" ];
40 services.postgresql.ensureUsers = [
41 { name = "nextcloud"; ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; }; }
42 ];
43 services.websites.env.production.modules = [ "proxy_fcgi" ];
44
45 services.websites.env.production.vhostConfs.cloud = {
46 certName = "quatresaisons";
47 addToCerts = true;
48 hosts = ["nextcloud.4c.salle-s.org" ];
49 root = nextcloud;
50 extraConfig =
51 [
52 ''
53 SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
54 <Directory ${nextcloud}>
55 AcceptPathInfo On
56 DirectoryIndex index.php
57 Options FollowSymlinks
58 Require all granted
59 AllowOverride all
60
61 <IfModule mod_headers.c>
62 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
63 </IfModule>
64 <FilesMatch "\.php$">
65 CGIPassAuth on
66 SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost"
67 </FilesMatch>
68
69 </Directory>
70 ''
71 ];
72 };
73 services.websites.env.production.vhostConfs.cloud_wait = let
74 content = pkgs.writeText "contenu" ''
75 nextcloud est un service qui a besoin de pérennité du nom
76 "nextcloud.salle-s.org", on va peut-etre y arriver, c'est une
77 question de jours, voir le message informatique.internet:8017
78 '';
79 in {
80 certName = "quatresaisons";
81 addToCerts = true;
82 hosts = ["nextcloud.salle-s.org" ];
83 root = content;
84 extraConfig =
85 [
86 ''
87 Alias / ${content}
88 ''
89 ];
90 };
91
92 users.users.root.packages = let
93 occ = pkgs.writeScriptBin "nextcloud-occ" ''
94 #! ${pkgs.stdenv.shell}
95 cd ${nextcloud}
96 NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
97 exec \
98 sudo -u wwwrun ${pkgs.php74}/bin/php \
99 -c ${pkgs.php74}/etc/php.ini \
100 occ $*
101 '';
102 in [ occ ];
103
104 system.activationScripts.nextcloud = {
105 deps = [ "users" ];
106 text = let
107 confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
108 in
109 ''
110 install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
111 install -m 0755 -o wwwrun -g wwwrun -d ${varDir}/config
112 install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
113 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
114 "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
115 ) confs)}
116 '';
117 };
118 services.phpfpm.pools.nextcloud = {
119 user = "wwwrun";
120 group = "wwwrun";
121 settings = phpFpm.pool;
122 phpPackage = pkgs.php74.withExtensions({ enabled, all }: enabled ++ [ all.redis all.apcu all.opcache all.imagick ]);
123 };
124
125 services.cron = {
126 enable = true;
127 systemCronJobs = let
128 script = pkgs.writeScriptBin "nextcloud-cron" ''
129 #! ${pkgs.stdenv.shell}
130 export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
131 export PATH=/run/wrappers/bin:$PATH
132 ${pkgs.php74}/bin/php -d memory_limit=512M -f ${nextcloud}/cron.php
133 '';
134 in [
135 ''
136 */15 * * * * wwwrun ${script}/bin/nextcloud-cron
137 ''
138 ];
139 };
140 };
141}