Refactor websites

5 files changed, 212 insertions, 136 deletions

diff --git a/modules/private/websites/chloe/app/chloe.json b/modules/private/websites/chloe/app/chloe.json
new file mode 100644
index 0000000..8508c14
--- /dev/null
+++ b/modules/private/websites/chloe/app/chloe.json
@@ -0,0 +1,14 @@
+{
+  "tag": "b971edc-master",
+  "meta": {
+    "name": "chloe",
+    "url": "ssh://gitolite@git.immae.eu/perso/Immae/Sites/Chloe",
+    "branch": "master"
+  },
+  "git": {
+    "url": "ssh://gitolite@git.immae.eu/perso/Immae/Sites/Chloe",
+    "rev": "b971edce80e922e895836ddf7caeb4023a2db973",
+    "sha256": "1igjr0rgp69szrhcl8kz02ng54w8lw6r0c6jibigp8v5a4spp222",
+    "fetchSubmodules": true
+  }
+}
diff --git a/modules/private/websites/chloe/app/default.nix b/modules/private/websites/chloe/app/default.nix
new file mode 100644
index 0000000..92a5e42
--- /dev/null
+++ b/modules/private/websites/chloe/app/default.nix
@@ -0,0 +1,19 @@
+{ environment ? "prod"
+, varDir ? "/var/lib/chloe_${environment}"
+, spip, stdenv, mylibs, sassc }:
+let
+  siteDir = stdenv.mkDerivation (mylibs.fetchedGitPrivate ./chloe.json // rec {
+    buildPhase = ''
+      make
+      '';
+    installPhase = ''
+      cp -a . $out
+      '';
+    buildInputs = [ sassc ];
+  });
+in
+spip.override {
+  ldap = true;
+  siteName = "chloe";
+  inherit environment siteDir varDir;
+}
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix
deleted file mode 100644
index bce2b4d..0000000
--- a/modules/private/websites/chloe/builder.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{ apacheUser, apacheGroup, chloe, config }:
-rec {
-  app = chloe.override { inherit (config) environment; };
-  phpFpm = rec {
-    serviceDeps = [ "mysql.service" ];
-    pool = {
-      "listen.owner" = apacheUser;
-      "listen.group" = apacheGroup;
-      "php_admin_value[upload_max_filesize]" = "20M";
-      "php_admin_value[post_max_size]" = "20M";
-      # "php_admin_flag[log_errors]" = "on";
-      "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp";
-      "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions";
-    } // (if app.environment == "dev" then {
-      "pm" = "ondemand";
-      "pm.max_children" = "5";
-      "pm.process_idle_timeout" = "60";
-    } else {
-      "pm" = "dynamic";
-      "pm.max_children" = "20";
-      "pm.start_servers" = "2";
-      "pm.min_spare_servers" = "1";
-      "pm.max_spare_servers" = "3";
-    });
-  };
-  keys = [{
-    dest = "webapps/${app.environment}-chloe";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      SetEnv SPIP_CONFIG_DIR     "${configDir}"
-      SetEnv SPIP_VAR_DIR        "${app.varDir}"
-      SetEnv SPIP_SITE           "chloe-${app.environment}"
-      SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
-      SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
-      SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
-      SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
-      SetEnv SPIP_LDAP_SEARCH    "${config.ldap.filter}"
-      SetEnv SPIP_MYSQL_HOST     "${config.mysql.host}"
-      SetEnv SPIP_MYSQL_PORT     "${config.mysql.port}"
-      SetEnv SPIP_MYSQL_DB       "${config.mysql.database}"
-      SetEnv SPIP_MYSQL_USER     "${config.mysql.user}"
-      SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
-    '';
-  }];
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "chloe_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = socket: ''
-      Include /var/secrets/webapps/${app.environment}-chloe
-
-      RewriteEngine On
-      ${if app.environment == "prod" then ''
-      RewriteRule ^/news.rss  /spip.php?page=backend&id_rubrique=1
-      '' else ""}
-
-      <FilesMatch "\.php$">
-        SetHandler "proxy:unix:${socket}|fcgi://localhost"
-      </FilesMatch>
-
-      <Directory ${root}>
-        DirectoryIndex index.php index.htm index.html
-        Options -Indexes +FollowSymLinks +MultiViews +Includes
-        Include ${root}/htaccess.txt
-
-        AllowOverride AuthConfig FileInfo Limit
-        Require all granted
-      </Directory>
-
-      <DirectoryMatch "${root}/squelettes">
-        Require all denied
-      </DirectoryMatch>
-
-      <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
-        Require all denied
-      </FilesMatch>
-
-      ${if app.environment == "dev" then ''
-      <Location />
-        Use LDAPConnect
-        Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
-        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
-      </Location>
-      '' else ''
-      Use Stats osteopathe-cc.fr
-      ''}
-      '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-      install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
-      install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-  configDir = ./config;
-}
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix
index caf6548..6d16a86 100644
--- a/modules/private/websites/chloe/integration.nix
+++ b/modules/private/websites/chloe/integration.nix
@@ -1,43 +1,115 @@
 { lib, pkgs, config,  ... }:
 let
-  chloe  = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) chloe;
-    config = config.myEnv.websites.chloe.integration;
-    apacheUser = config.services.httpd.Inte.user;
-    apacheGroup = config.services.httpd.Inte.group;
+  apacheUser = config.services.httpd.Inte.user;
+  apacheGroup = config.services.httpd.Inte.group;
+  ccfg = config.myEnv.websites.chloe.integration;
+  app = pkgs.callPackage ./app {
+    inherit (ccfg) environment;
+    inherit (pkgs.webapps) spip;
+    varDir = "/var/lib/chloe_integration";
   };
-
   cfg = config.myServices.websites.chloe.integration;
+  webappdir = config.services.websites.webappDirsPaths.chloe_integration;
 in {
   options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
 
   config = lib.mkIf cfg.enable {
-    services.duplyBackup.profiles.chloe_dev.rootDir = chloe.app.varDir;
-    secrets.keys = chloe.keys;
-    systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps;
-    systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps;
-    services.phpfpm.pools.chloe_dev = {
+    services.duplyBackup.profiles.chloe_integration.rootDir = app.varDir;
+    secrets.keys = [
+      {
+        dest = "websites/chloe/integration";
+        user = apacheUser;
+        group = apacheGroup;
+        permissions = "0400";
+        text = ''
+          SetEnv SPIP_CONFIG_DIR     "${./config}"
+          SetEnv SPIP_VAR_DIR        "${app.varDir}"
+          SetEnv SPIP_SITE           "chloe-${app.environment}"
+          SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+          SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+          SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
+          SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
+          SetEnv SPIP_LDAP_SEARCH    "${ccfg.ldap.filter}"
+          SetEnv SPIP_MYSQL_HOST     "${ccfg.mysql.host}"
+          SetEnv SPIP_MYSQL_PORT     "${ccfg.mysql.port}"
+          SetEnv SPIP_MYSQL_DB       "${ccfg.mysql.database}"
+          SetEnv SPIP_MYSQL_USER     "${ccfg.mysql.user}"
+          SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
+        '';
+      }
+    ];
+    systemd.services.phpfpm-chloe_integration.after = lib.mkAfter [ "mysql.service" ];
+    systemd.services.phpfpm-chloe_integration.wants = [ "mysql.service" ];
+    services.phpfpm.pools.chloe_integration = {
       user = config.services.httpd.Inte.user;
       group = config.services.httpd.Inte.group;
-      settings = chloe.phpFpm.pool;
+      settings = {
+        "listen.owner" = apacheUser;
+        "listen.group" = apacheGroup;
+        "php_admin_value[upload_max_filesize]" = "20M";
+        "php_admin_value[post_max_size]" = "20M";
+        # "php_admin_flag[log_errors]" = "on";
+        "php_admin_value[open_basedir]" = "${app.spipConfig}:${./config}:${app}:${app.varDir}:/tmp";
+        "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions";
+        "pm" = "ondemand";
+        "pm.max_children" = "5";
+        "pm.process_idle_timeout" = "60";
+      };
       phpOptions = config.services.phpfpm.phpOptions + ''
         extension=${pkgs.php}/lib/php/extensions/mysqli.so
       '';
     };
-    system.activationScripts.chloe_dev = chloe.activationScript;
-    myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
-    services.websites.env.integration.modules = chloe.apache.modules;
-    services.websites.env.integration.vhostConfs.chloe = {
+    system.activationScripts.chloe_integration = {
+      deps = [ "wrappers" ];
+      text = ''
+        install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
+        install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+      '';
+    };
+    services.websites.webappDirs.chloe_integration = app.webRoot;
+    services.websites.env.integration.modules = [ "proxy_fcgi" ];
+    services.websites.env.integration.vhostConfs.chloe_integration = {
       certName    = "integration";
       addToCerts  = true;
       hosts       = ["chloe.immae.eu" ];
-      root        = chloe.apache.root;
+      root        = webappdir;
       extraConfig = [
-        (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_dev.socket)
+      ''
+        Include ${config.secrets.fullPaths."websites/chloe/integration"}
+
+        RewriteEngine On
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${config.services.phpfpm.pools.chloe_integration.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${webappdir}>
+          DirectoryIndex index.php index.htm index.html
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Include ${webappdir}/htaccess.txt
+
+          AllowOverride AuthConfig FileInfo Limit
+          Require all granted
+        </Directory>
+
+        <DirectoryMatch "${webappdir}/squelettes">
+          Require all denied
+        </DirectoryMatch>
+
+        <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
+          Require all denied
+        </FilesMatch>
+
+        <Location />
+          Use LDAPConnect
+          Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
+        </Location>
+        ''
       ];
     };
     services.websites.env.integration.watchPaths = [
-      "/var/secrets/webapps/${chloe.app.environment}-chloe"
+      config.secrets.fullPaths."websites/chloe/integration"
     ];
   };
 }
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
index 83f6c9b..067e8e7 100644
--- a/modules/private/websites/chloe/production.nix
+++ b/modules/private/websites/chloe/production.nix
@@ -1,50 +1,120 @@
 { lib, pkgs, config,  ... }:
 let
-  chloe = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) chloe;
-    config = config.myEnv.websites.chloe.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
+  apacheUser = config.services.httpd.Prod.user;
+  apacheGroup = config.services.httpd.Prod.group;
+  ccfg = config.myEnv.websites.chloe.production;
+  app = pkgs.callPackage ./app {
+    inherit (ccfg) environment;
+    inherit (pkgs.webapps) spip;
+    varDir = "/var/lib/chloe_production";
   };
-
   cfg = config.myServices.websites.chloe.production;
+  webappdir = config.services.websites.webappDirsPaths.chloe_production;
 in {
   options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
 
   config = lib.mkIf cfg.enable {
-    services.duplyBackup.profiles.chloe_prod.rootDir = chloe.app.varDir;
-    secrets.keys = chloe.keys;
+    services.duplyBackup.profiles.chloe_production.rootDir = app.varDir;
+    secrets.keys = [
+      {
+        dest = "websites/chloe/production";
+        user = apacheUser;
+        group = apacheGroup;
+        permissions = "0400";
+        text = ''
+          SetEnv SPIP_CONFIG_DIR     "${./config}"
+          SetEnv SPIP_VAR_DIR        "${app.varDir}"
+          SetEnv SPIP_SITE           "chloe-${app.environment}"
+          SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+          SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+          SetEnv SPIP_LDAP_SEARCH_DN "${ccfg.ldap.dn}"
+          SetEnv SPIP_LDAP_SEARCH_PW "${ccfg.ldap.password}"
+          SetEnv SPIP_LDAP_SEARCH    "${ccfg.ldap.filter}"
+          SetEnv SPIP_MYSQL_HOST     "${ccfg.mysql.host}"
+          SetEnv SPIP_MYSQL_PORT     "${ccfg.mysql.port}"
+          SetEnv SPIP_MYSQL_DB       "${ccfg.mysql.database}"
+          SetEnv SPIP_MYSQL_USER     "${ccfg.mysql.user}"
+          SetEnv SPIP_MYSQL_PASSWORD "${ccfg.mysql.password}"
+        '';
+      }
+    ];
     services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
 
-    systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps;
-    systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps;
-    services.phpfpm.pools.chloe_prod = {
+    systemd.services.phpfpm-chloe_production.after = lib.mkAfter [ "mysql.service" ];
+    systemd.services.phpfpm-chloe_production.wants =  [ "mysql.service" ];
+    services.phpfpm.pools.chloe_production = {
       user = config.services.httpd.Prod.user;
       group = config.services.httpd.Prod.group;
-      settings = chloe.phpFpm.pool;
+      settings = {
+        "listen.owner" = apacheUser;
+        "listen.group" = apacheGroup;
+        "php_admin_value[upload_max_filesize]" = "20M";
+        "php_admin_value[post_max_size]" = "20M";
+        # "php_admin_flag[log_errors]" = "on";
+        "php_admin_value[open_basedir]" = "${app.spipConfig}:${./config}:${app}:${app.varDir}:/tmp";
+        "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions";
+        "pm" = "dynamic";
+        "pm.max_children" = "20";
+        "pm.start_servers" = "2";
+        "pm.min_spare_servers" = "1";
+        "pm.max_spare_servers" = "3";
+      };
       phpOptions = config.services.phpfpm.phpOptions + ''
         extension=${pkgs.php}/lib/php/extensions/mysqli.so
       '';
     };
-    system.activationScripts.chloe_prod = chloe.activationScript;
-    myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
-    services.websites.env.production.modules = chloe.apache.modules;
+    system.activationScripts.chloe_production = {
+      deps = [ "wrappers" ];
+      text = ''
+        install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
+        install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+      '';
+    };
+    services.websites.webappDirs.chloe_production = app.webRoot;
+    services.websites.env.production.modules = [ "proxy_fcgi" ];
     services.websites.env.production.vhostConfs.chloe = {
       certName     = "chloe";
       certMainHost = "osteopathe-cc.fr";
       hosts        = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ];
-      root         = chloe.apache.root;
+      root         = webappdir;
       extraConfig  = [
         ''
+          Use Stats osteopathe-cc.fr
+
           RewriteEngine On
           RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC]
           RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L]
+
+          Include ${config.secrets.fullPaths."websites/chloe/production"}
+
+          RewriteEngine On
+          RewriteRule ^/news.rss  /spip.php?page=backend&id_rubrique=1
+
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${config.services.phpfpm.pools.chloe_production.socket}|fcgi://localhost"
+          </FilesMatch>
+
+          <Directory ${webappdir}>
+            DirectoryIndex index.php index.htm index.html
+            Options -Indexes +FollowSymLinks +MultiViews +Includes
+            Include ${webappdir}/htaccess.txt
+
+            AllowOverride AuthConfig FileInfo Limit
+            Require all granted
+          </Directory>
+
+          <DirectoryMatch "${webappdir}/squelettes">
+            Require all denied
+          </DirectoryMatch>
+
+          <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
+            Require all denied
+          </FilesMatch>
           ''
-        (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_prod.socket)
       ];
     };
     services.websites.env.production.watchPaths = [
-      "/var/secrets/webapps/${chloe.app.environment}-chloe"
+      config.secrets.fullPaths."websites/chloe/production"
     ];
   };
 }