author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-10-24 12:30:42 +0200 |
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-10-24 12:30:42 +0200 |
commit | 75489e72e379af8aeac64bc4967717d9ae776ff0 (patch) | |
tree | 1d028e5a9ab73d096e48e3f177eb60b4f73486bd /modules/private/system/quatresaisons | |
parent | e43fdf341072e4a0150324196fc7af8f383860ec (diff) | |
Add quatresaisons server
Diffstat (limited to 'modules/private/system/quatresaisons')
-rw-r--r-- | modules/private/system/quatresaisons/databases.nix | 146 | ||||
-rw-r--r-- | modules/private/system/quatresaisons/landing.yml | 32 | ||||
-rw-r--r-- | modules/private/system/quatresaisons/landing_4c.yml | 24 | ||||
-rw-r--r-- | modules/private/system/quatresaisons/nextcloud.nix | 141 |
4 files changed, 343 insertions, 0 deletions
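diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix
new file mode 100644
index 0000000..3491ae4
--- /dev/null
+++ b/modules/private/system/quatresaisons/databases.nix
@@ -0,0 +1,146 @@
+{ pkgs, config, lib, ... }:
+{
+  config = let
+    serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
+    phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+  in {
+    services.postgresql.enable = true;
+    services.postgresql.package = pkgs.postgresql_12;
+    secrets.keys = [
+      {
+        dest = "ldap/password";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw ${serverSpecificConfig.ldap_root_pw}";
+      }
+      {
+        dest = "webapps/tools-ldap";
+        user = "wwwrun";
+        group = "wwwrun";
+        permissions = "0400";
+        text = ''
+          <?php
+          $config->custom->appearance['show_clear_password'] = true;
+          $config->custom->appearance['hide_template_warning'] = true;
+          $config->custom->appearance['theme'] = "tango";
+          $config->custom->appearance['minimalMode'] = false;
+          $config->custom->appearance['tree'] = 'AJAXTree';
+
+          $servers = new Datastore();
+
+          $servers->newServer('ldap_pla');
+          $servers->setValue('server','name','LDAP');
+          $servers->setValue('server','host','ldap://localhost');
+          $servers->setValue('login','auth_type','cookie');
+          $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}');
+          $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}');
+          $servers->setValue('appearance','pla_password_hash','ssha');
+          $servers->setValue('login','attr','uid');
+          $servers->setValue('login','fallback_dn',true);
+        '';
+      }
+    ];
+
+    users.users.openldap.extraGroups = [ "keys" ];
+    services.openldap = {
+      enable = true;
+      dataDir = "/var/lib/openldap";
+      urlList = [ "ldap://localhost" ];
+      logLevel = "none";
+      extraConfig = ''
+        pidfile /run/slapd/slapd.pid
+        argsfile /run/slapd/slapd.args
+
+        moduleload back_hdb
+        backend hdb
+      '';
+
+      extraDatabaseConfig = ''
+        moduleload memberof
+        overlay memberof
+
+        moduleload syncprov
+        overlay syncprov
+        syncprov-checkpoint 100 10
+
+        index objectClass eq
+        index uid pres,eq
+        #index uidMember pres,eq
+        index mail pres,sub,eq
+        index cn pres,sub,eq
+        index sn pres,sub,eq
+        index dc eq
+        index member eq
+        index memberOf eq
+
+        # No one must access that information except root
+        access to attrs=description
+          by * none
+
+        access to attrs=entry,uid filter="(uid=*)"
+          by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read
+          by * break
+
+        access to dn.subtree="ou=users,dc=salle-s,dc=org"
+          by dn.subtree="ou=services,dc=salle-s,dc=org" read
+          by * break
+
+        access to *
+          by self read
+          by anonymous auth
+          by * break
+      '';
+      rootpwFile = "${config.secrets.location}/ldap/password";
+      suffix = "dc=salle-s,dc=org";
+      rootdn = "cn=root,dc=salle-s,dc=org";
+      database = "hdb";
+    };
+
+    services.websites.env.production.modules = [ "proxy_fcgi" ];
+    services.websites.env.production.vhostConfs.tools.extraConfig = [
+      ''
+        Alias /ldap "${phpLdapAdmin}/htdocs"
+        <Directory "${phpLdapAdmin}/htdocs">
+          DirectoryIndex index.php
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost"
+          </FilesMatch>
+
+          AllowOverride None
+          Require all granted
+        </Directory>
+      ''
+    ];
+    services.phpfpm.pools.ldap = {
+      user = "wwwrun";
+      group = "wwwrun";
+      settings =
+        let
+          basedir = builtins.concatStringsSep ":" [ phpLdapAdmin "/var/secrets/webapps/tools-ldap" ];
+        in {
+          "listen.owner" = "wwwrun";
+          "listen.group" = "wwwrun";
+          "pm" = "ondemand";
+          "pm.max_children" = "60";
+          "pm.process_idle_timeout" = "60";
+
+          # Needed to avoid clashes in browser cookies (same domain)
+          "php_value[session.name]" = "LdapPHPSESSID";
+          "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin";
+          "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin";
+        };
+      phpPackage = pkgs.php72;
+    };
+    system.activationScripts.ldap = {
+      deps = [ "users" ];
+      text = ''
+        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin
+      '';
+    };
+    systemd.services.phpfpm-ldap = {
+      after = lib.mkAfter [ "openldap.service" ];
+      wants = [ "openldap.service" ];
+    };
+  };
+}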
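Review bot: The phpLDAPadmin secret path is hardcoded as `/var/secrets/webapps/tools-ldap` both in the `phpldapadmin.override` argument and in the FPM `open_basedir` list, while the file itself is declared through `secrets.keys` with `dest = "webapps/tools-ldap"` and the LDAP root password is resolved via `${config.secrets.location}/ldap/password`; if `secrets.location` ever moves, the web app reads a stale or missing config and `open_basedir` no longer covers the right directory. Using `"${config.secrets.location}/webapps/tools-ldap"` in both places keeps them in lockstep with the declaration. Separately, `logLevel = "none"` means slapd records essentially nothing about bind attempts, which removes the main audit trail for spotting brute force or credential misuse against an admin UI that is served with `Require all granted` to anyone who can reach the `tools` vhost (its only gate being phpLDAPadmin's cookie login with `fallback_dn` enabled), so consider at least `"stats"`-level logging and an IP or auth restriction on `/ldap`. Finally, the last ACL rule ends with `by * break` rather than an explicit deny, so identities not matched above inherit whatever the frontend/global defaults grant; a trailing `access to * by * none` would make the intended policy explicit rather than implied.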
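diff --git a/modules/private/system/quatresaisons/landing.yml b/modules/private/system/quatresaisons/landing.yml
new file mode 100644
index 0000000..cf4ba87
--- /dev/null
+++ b/modules/private/system/quatresaisons/landing.yml
@@ -0,0 +1,32 @@
+---
+# Homepage configuration
+# See https://fontawesome.com/icons for icons options
+
+title: "Websites dashboard"
+subtitle: "Salle-S"
+footer: false
+#footer: '<p>Created with <span class="has-text-danger">❤️</span> with <a href="https://bulma.io/">bulma</a>, <a href="https://vuejs.org/">vuejs</a> & <a href="https://fontawesome.com/">font awesome</a> // Fork me on <a href="https://github.com/bastienwirtz/homer"><i class="fab fa-github-alt"></i></a></p>' # set false if you want to hide it.
+
+# Optional navbar
+# links: [] # Allows for navbar (dark mode, layout, and search) without any links
+links: []
+
+# Services
+# First level array represent a group.
+# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed).
+services:
+  - name: "Quatramaran"
+    items:
+      - name: "Roundcube"
+        logo: "assets/tools/roundcube.svg"
+        url: "https://quatramaran.salle-s.org/roundcube/"
+      - name: "Les dessous de paillasse"
+        url: "https://dessous-de-paillasse.salle-s.org"
+  - name: "Quatre Saisons"
+    items:
+      - name: "Charte d’utilisation"
+        icon: "fas fa-scroll"
+        url: "https://4c.salle-s.org/charte/"
+      - name: "Nextcloud"
+        logo: "assets/tools/nextcloud.png"
+        url: "https://nextcloud.4c.salle-s.org"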
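diff --git a/modules/private/system/quatresaisons/landing_4c.yml b/modules/private/system/quatresaisons/landing_4c.yml
new file mode 100644
index 0000000..0b9f6b6
--- /dev/null
+++ b/modules/private/system/quatresaisons/landing_4c.yml
@@ -0,0 +1,24 @@
+---
+# Homepage configuration
+# See https://fontawesome.com/icons for icons options
+
+title: "Websites dashboard"
+subtitle: "Quatre saisons"
+footer: false
+#footer: '<p>Created with <span class="has-text-danger">❤️</span> with <a href="https://bulma.io/">bulma</a>, <a href="https://vuejs.org/">vuejs</a> & <a href="https://fontawesome.com/">font awesome</a> // Fork me on <a href="https://github.com/bastienwirtz/homer"><i class="fab fa-github-alt"></i></a></p>' # set false if you want to hide it.
+
+# Optional navbar
+# links: [] # Allows for navbar (dark mode, layout, and search) without any links
+links: []
+
+# Services
+# First level array represent a group.
+# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed).
+services:
+  - items:
+      - name: "Charte d’utilisation"
+        icon: "fas fa-scroll"
+        url: "https://4c.salle-s.org/charte/"
+      - name: "Nextcloud"
+        logo: "assets/tools/nextcloud.png"
+        url: "https://nextcloud.4c.salle-s.org"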
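diff --git a/modules/private/system/quatresaisons/nextcloud.nix b/modules/private/system/quatresaisons/nextcloud.nix
new file mode 100644
index 0000000..047d17e
--- /dev/null
+++ b/modules/private/system/quatresaisons/nextcloud.nix
@@ -0,0 +1,141 @@
+{ lib, pkgs, config, ... }:
+let
+  nextcloud = pkgs.webapps.nextcloud.withApps (a: [
+    a.apporder a.audioplayer a.bookmarks a.calendar a.carnet a.circles
+    a.contacts a.cookbook a.deck a.extract a.files_markdown
+    a.files_readmemd a.flowupload a.gpxedit a.gpxpod a.keeweb a.maps
+    a.metadata a.music a.notes a.ocsms a.passman a.polls a.spreed
+    a.social a.tasks
+  ]);
+  varDir = "/var/lib/nextcloud";
+  phpFpm = rec {
+    basedir = builtins.concatStringsSep ":" ([ nextcloud varDir ] ++ nextcloud.apps);
+    pool = {
+      "listen.owner" = "wwwrun";
+      "listen.group" = "wwwrun";
+      "pm" = "ondemand";
+      "pm.max_children" = "60";
+      "pm.process_idle_timeout" = "60";
+
+      "php_admin_value[output_buffering]" = "0";
+      "php_admin_value[max_execution_time]" = "1800";
+      "php_admin_value[zend_extension]" = "opcache";
+      #already enabled by default?
+      #"php_value[opcache.enable]" = "1";
+      "php_value[opcache.enable_cli]" = "1";
+      "php_value[opcache.interned_strings_buffer]" = "8";
+      "php_value[opcache.max_accelerated_files]" = "10000";
+      "php_value[opcache.memory_consumption]" = "128";
+      "php_value[opcache.save_comments]" = "1";
+      "php_value[opcache.revalidate_freq]" = "1";
+      "php_admin_value[memory_limit]" = "512M";
+
+      "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp";
+      "php_admin_value[session.save_path]" = "${varDir}/phpSessions";
+    };
+  };
+in {
+  config = {
+    services.postgresql.ensureDatabases = [ "nextcloud" ];
+    services.postgresql.ensureUsers = [
+      { name = "nextcloud"; ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; }; }
+    ];
+    services.websites.env.production.modules = [ "proxy_fcgi" ];
+
+    services.websites.env.production.vhostConfs.cloud = {
+      certName = "quatresaisons";
+      addToCerts = true;
+      hosts = ["nextcloud.4c.salle-s.org" ];
+      root = nextcloud;
+      extraConfig =
+        [
+          ''
+            SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+            <Directory ${nextcloud}>
+              AcceptPathInfo On
+              DirectoryIndex index.php
+              Options FollowSymlinks
+              Require all granted
+              AllowOverride all
+
+              <IfModule mod_headers.c>
+                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
+              </IfModule>
+              <FilesMatch "\.php$">
+                CGIPassAuth on
+                SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost"
+              </FilesMatch>
+
+            </Directory>
+          ''
+        ];
+    };
+    services.websites.env.production.vhostConfs.cloud_wait = let
+      content = pkgs.writeText "contenu" ''
+        nextcloud est un service qui a besoin de pérennité du nom
+        "nextcloud.salle-s.org", on va peut-etre y arriver, c'est une
+        question de jours, voir le message informatique.internet:8017
+      '';
+    in {
+      certName = "quatresaisons";
+      addToCerts = true;
+      hosts = ["nextcloud.salle-s.org" ];
+      root = content;
+      extraConfig =
+        [
+          ''
+            Alias / ${content}
+          ''
+        ];
+    };
+
+    users.users.root.packages = let
+      occ = pkgs.writeScriptBin "nextcloud-occ" ''
+        #! ${pkgs.stdenv.shell}
+        cd ${nextcloud}
+        NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
+          exec \
+          sudo -u wwwrun ${pkgs.php74}/bin/php \
+          -c ${pkgs.php74}/etc/php.ini \
+          occ $*
+      '';
+    in [ occ ];
+
+    system.activationScripts.nextcloud = {
+      deps = [ "users" ];
+      text = let
+        confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
+      in
+        ''
+          install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
+          install -m 0755 -o wwwrun -g wwwrun -d ${varDir}/config
+          install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
+          ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
+            "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
+          ) confs)}
+        '';
+    };
+    services.phpfpm.pools.nextcloud = {
+      user = "wwwrun";
+      group = "wwwrun";
+      settings = phpFpm.pool;
+      phpPackage = pkgs.php74.withExtensions({ enabled, all }: enabled ++ [ all.redis all.apcu all.opcache all.imagick ]);
+    };
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        script = pkgs.writeScriptBin "nextcloud-cron" ''
+          #! ${pkgs.stdenv.shell}
+          export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
+          export PATH=/run/wrappers/bin:$PATH
+          ${pkgs.php74}/bin/php -d memory_limit=512M -f ${nextcloud}/cron.php
+        '';
+      in [
+        ''
+          */15 * * * * wwwrun ${script}/bin/nextcloud-cron
+        ''
+      ];
+    };
+  };
+}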
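Review bot: The `nextcloud-occ` wrapper forwards its arguments with an unquoted `$*`, so any argument containing whitespace or glob characters is re-split and expanded by the shell before reaching `occ` (e.g. `nextcloud-occ config:system:set foo --value "a b"`); it should read `occ "$@"`. The wrapper and the cron script also invoke the bare `${pkgs.php74}/bin/php`, whereas the FPM pool runs `pkgs.php74.withExtensions` with redis, apcu, opcache and imagick — if the Nextcloud config relies on any of these (a redis or APCu memcache is the usual case), `occ` and `cron.php` will run without them and fail or behave differently from the web path, so binding all three to one `php` binding defined once in the `let` block avoids the drift. Lastly, `NEXTCLOUD_CONFIG_DIR` points at `${nextcloud}/config` in the store while the activation script writes its JSON configs to `${varDir}/config`; whether the package links one to the other is not visible here, so it is worth confirming that `occ` and the web app read the same config directory.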