diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-06-02 23:26:23 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-06-02 23:40:37 +0200 |
commit | 8164ed90c7fdd93fd035bce3dc1b3fc6bde9e30e (patch) | |
tree | c8f34a5f7ed6ac78d84c024a6a9e3dc847bbe8e5 /modules/private/websites/connexionswing | |
parent | 9f66adf4372a3b1c859dc053489f727aa360077e (diff) | |
download | Nix-8164ed90c7fdd93fd035bce3dc1b3fc6bde9e30e.tar.gz Nix-8164ed90c7fdd93fd035bce3dc1b3fc6bde9e30e.tar.zst Nix-8164ed90c7fdd93fd035bce3dc1b3fc6bde9e30e.zip |
Move production php application to dedicated module
Diffstat (limited to 'modules/private/websites/connexionswing')
-rw-r--r-- | modules/private/websites/connexionswing/builder.nix | 161 | ||||
-rw-r--r-- | modules/private/websites/connexionswing/production.nix | 119 |
2 files changed, 92 insertions, 188 deletions
diff --git a/modules/private/websites/connexionswing/builder.nix b/modules/private/websites/connexionswing/builder.nix deleted file mode 100644 index 004b979..0000000 --- a/modules/private/websites/connexionswing/builder.nix +++ /dev/null | |||
@@ -1,161 +0,0 @@ | |||
1 | { apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, mylibs, config }: | ||
2 | rec { | ||
3 | app = connexionswing.override { inherit (config) environment; }; | ||
4 | keys = [{ | ||
5 | dest = "webapps/${app.environment}-connexionswing"; | ||
6 | user = apacheUser; | ||
7 | group = apacheGroup; | ||
8 | permissions = "0400"; | ||
9 | text = '' | ||
10 | # This file is auto-generated during the composer install | ||
11 | parameters: | ||
12 | database_host: ${config.mysql.host} | ||
13 | database_port: ${config.mysql.port} | ||
14 | database_name: ${config.mysql.name} | ||
15 | database_user: ${config.mysql.user} | ||
16 | database_password: ${config.mysql.password} | ||
17 | database_server_version: ${pkgs.mariadb.mysqlVersion} | ||
18 | mailer_transport: sendmail | ||
19 | mailer_host: null | ||
20 | mailer_user: null | ||
21 | mailer_password: null | ||
22 | subscription_email: ${config.email} | ||
23 | allow_robots: true | ||
24 | secret: ${config.secret} | ||
25 | ${if app.environment == "prod" then '' | ||
26 | services: | ||
27 | swiftmailer.mailer.default.transport: | ||
28 | class: Swift_SendmailTransport | ||
29 | arguments: ['/run/wrappers/bin/sendmail -bs'] | ||
30 | '' else ""} | ||
31 | ''; | ||
32 | }]; | ||
33 | phpFpm = rec { | ||
34 | preStart = mylibs.phpFpmPreStart { | ||
35 | inherit app; | ||
36 | inherit (app) varDir; | ||
37 | keyFiles = [ | ||
38 | "/var/secrets/webapps/${app.environment}-connexionswing" | ||
39 | ]; | ||
40 | actions = [ | ||
41 | "/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup" | ||
42 | ]; | ||
43 | }; | ||
44 | serviceDeps = [ "mysql.service" ]; | ||
45 | socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock"; | ||
46 | phpConfig = '' | ||
47 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so | ||
48 | ''; | ||
49 | pool = '' | ||
50 | user = ${apacheUser} | ||
51 | group = ${apacheGroup} | ||
52 | listen.owner = ${apacheUser} | ||
53 | listen.group = ${apacheGroup} | ||
54 | php_admin_value[upload_max_filesize] = 20M | ||
55 | php_admin_value[post_max_size] = 20M | ||
56 | ;php_admin_flag[log_errors] = on | ||
57 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp" | ||
58 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | ||
59 | ${if app.environment == "dev" then '' | ||
60 | pm = ondemand | ||
61 | pm.max_children = 5 | ||
62 | pm.process_idle_timeout = 60 | ||
63 | env[SYMFONY_DEBUG_MODE] = "yes" | ||
64 | '' else '' | ||
65 | pm = dynamic | ||
66 | pm.max_children = 20 | ||
67 | pm.start_servers = 2 | ||
68 | pm.min_spare_servers = 1 | ||
69 | pm.max_spare_servers = 3 | ||
70 | ''}''; | ||
71 | }; | ||
72 | apache = rec { | ||
73 | modules = [ "proxy_fcgi" ]; | ||
74 | webappName = "connexionswing_${app.environment}"; | ||
75 | root = "/run/current-system/webapps/${webappName}"; | ||
76 | vhostConf = '' | ||
77 | <FilesMatch "\.php$"> | ||
78 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
79 | </FilesMatch> | ||
80 | |||
81 | <Directory ${app.varDir}/medias> | ||
82 | Options FollowSymLinks | ||
83 | AllowOverride None | ||
84 | Require all granted | ||
85 | </Directory> | ||
86 | |||
87 | <Directory ${app.varDir}/uploads> | ||
88 | Options FollowSymLinks | ||
89 | AllowOverride None | ||
90 | Require all granted | ||
91 | </Directory> | ||
92 | |||
93 | ${if app.environment == "dev" then '' | ||
94 | <Location /> | ||
95 | Use LDAPConnect | ||
96 | Require ldap-group cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu | ||
97 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://connexionswing.com\"></html>" | ||
98 | </Location> | ||
99 | |||
100 | <Directory ${root}> | ||
101 | Options Indexes FollowSymLinks MultiViews Includes | ||
102 | AllowOverride None | ||
103 | Require all granted | ||
104 | |||
105 | DirectoryIndex app_dev.php | ||
106 | |||
107 | <IfModule mod_negotiation.c> | ||
108 | Options -MultiViews | ||
109 | </IfModule> | ||
110 | |||
111 | <IfModule mod_rewrite.c> | ||
112 | RewriteEngine On | ||
113 | |||
114 | RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ | ||
115 | RewriteRule ^(.*) - [E=BASE:%1] | ||
116 | |||
117 | # Maintenance script | ||
118 | RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f | ||
119 | RewriteCond %{SCRIPT_FILENAME} !maintenance.php | ||
120 | RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L] | ||
121 | ErrorDocument 503 /maintenance.php | ||
122 | |||
123 | # Sets the HTTP_AUTHORIZATION header removed by Apache | ||
124 | RewriteCond %{HTTP:Authorization} . | ||
125 | RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | ||
126 | |||
127 | RewriteCond %{ENV:REDIRECT_STATUS} ^$ | ||
128 | RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] | ||
129 | |||
130 | # If the requested filename exists, simply serve it. | ||
131 | # We only want to let Apache serve files and not directories. | ||
132 | RewriteCond %{REQUEST_FILENAME} -f | ||
133 | RewriteRule ^ - [L] | ||
134 | |||
135 | # Rewrite all other queries to the front controller. | ||
136 | RewriteRule ^ %{ENV:BASE}/app_dev.php [L] | ||
137 | </IfModule> | ||
138 | |||
139 | </Directory> | ||
140 | '' else '' | ||
141 | Use Stats connexionswing.com | ||
142 | |||
143 | <Directory ${root}> | ||
144 | Options Indexes FollowSymLinks MultiViews Includes | ||
145 | AllowOverride All | ||
146 | Require all granted | ||
147 | </Directory> | ||
148 | ''} | ||
149 | ''; | ||
150 | }; | ||
151 | activationScript = { | ||
152 | deps = [ "wrappers" ]; | ||
153 | text = '' | ||
154 | install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \ | ||
155 | ${app.varDir}/medias \ | ||
156 | ${app.varDir}/uploads \ | ||
157 | ${app.varDir}/var | ||
158 | install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions | ||
159 | ''; | ||
160 | }; | ||
161 | } | ||
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index 07647da..1427c8d 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix | |||
@@ -1,42 +1,107 @@ | |||
1 | { lib, pkgs, config, myconfig, ... }: | 1 | { lib, pkgs, config, myconfig, ... }: |
2 | let | 2 | let |
3 | connexionswing = pkgs.callPackage ./builder.nix { | 3 | secrets = myconfig.env.websites.connexionswing.production; |
4 | inherit (pkgs.webapps) connexionswing; | 4 | app = pkgs.webapps.connexionswing.override { environment = secrets.environment; }; |
5 | config = myconfig.env.websites.connexionswing.production; | ||
6 | apacheUser = config.services.httpd.Prod.user; | ||
7 | apacheGroup = config.services.httpd.Prod.group; | ||
8 | }; | ||
9 | |||
10 | cfg = config.myServices.websites.connexionswing.production; | 5 | cfg = config.myServices.websites.connexionswing.production; |
6 | pcfg = config.services.phpApplication; | ||
11 | in { | 7 | in { |
12 | options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production"; | 8 | options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production"; |
13 | 9 | ||
14 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
15 | secrets.keys = connexionswing.keys; | ||
16 | services.webstats.sites = [ { name = "connexionswing.com"; } ]; | 11 | services.webstats.sites = [ { name = "connexionswing.com"; } ]; |
17 | 12 | services.phpApplication.apps.connexionswing_prod = { | |
18 | systemd.services.phpfpm-connexionswing_prod.after = lib.mkAfter connexionswing.phpFpm.serviceDeps; | 13 | websiteEnv = "production"; |
19 | systemd.services.phpfpm-connexionswing_prod.wants = connexionswing.phpFpm.serviceDeps; | 14 | httpdUser = config.services.httpd.Prod.user; |
20 | systemd.services.phpfpm-connexionswing_prod.preStart = lib.mkAfter connexionswing.phpFpm.preStart; | 15 | httpdGroup = config.services.httpd.Prod.group; |
21 | services.phpfpm.pools.connexionswing_prod = { | 16 | inherit (app) webRoot varDir; |
22 | listen = connexionswing.phpFpm.socket; | 17 | varDirPaths = { |
23 | extraConfig = connexionswing.phpFpm.pool; | 18 | "medias" = "0700"; |
24 | phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig; | 19 | "uploads" = "0700"; |
20 | "var" = "0700"; | ||
21 | }; | ||
22 | inherit app; | ||
23 | serviceDeps = [ "mysql.service" ]; | ||
24 | preStartActions = [ | ||
25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | ||
26 | ]; | ||
27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | ||
28 | phpPool = '' | ||
29 | php_admin_value[upload_max_filesize] = 20M | ||
30 | php_admin_value[post_max_size] = 20M | ||
31 | ;php_admin_flag[log_errors] = on | ||
32 | pm = dynamic | ||
33 | pm.max_children = 20 | ||
34 | pm.start_servers = 2 | ||
35 | pm.min_spare_servers = 1 | ||
36 | pm.max_spare_servers = 3 | ||
37 | ''; | ||
38 | phpWatchFiles = [ | ||
39 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | ||
40 | ]; | ||
25 | }; | 41 | }; |
26 | system.activationScripts.connexionswing_prod = connexionswing.activationScript; | 42 | |
27 | myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot; | 43 | secrets.keys = [ |
28 | services.websites.env.production.modules = connexionswing.apache.modules; | 44 | { |
29 | services.websites.env.production.vhostConfs.connexionswing = { | 45 | dest = "webapps/${app.environment}-connexionswing"; |
46 | user = config.services.httpd.Prod.user; | ||
47 | group = config.services.httpd.Prod.group; | ||
48 | permissions = "0400"; | ||
49 | text = '' | ||
50 | # This file is auto-generated during the composer install | ||
51 | parameters: | ||
52 | database_host: ${secrets.mysql.host} | ||
53 | database_port: ${secrets.mysql.port} | ||
54 | database_name: ${secrets.mysql.name} | ||
55 | database_user: ${secrets.mysql.user} | ||
56 | database_password: ${secrets.mysql.password} | ||
57 | database_server_version: ${pkgs.mariadb.mysqlVersion} | ||
58 | mailer_transport: sendmail | ||
59 | mailer_host: null | ||
60 | mailer_user: null | ||
61 | mailer_password: null | ||
62 | subscription_email: ${secrets.email} | ||
63 | allow_robots: true | ||
64 | secret: ${secrets.secret} | ||
65 | services: | ||
66 | swiftmailer.mailer.default.transport: | ||
67 | class: Swift_SendmailTransport | ||
68 | arguments: ['/run/wrappers/bin/sendmail -bs'] | ||
69 | ''; | ||
70 | } | ||
71 | ]; | ||
72 | |||
73 | services.websites.env.production.vhostConfs.connexionswing_prod = { | ||
30 | certName = "connexionswing"; | 74 | certName = "connexionswing"; |
31 | certMainHost = "connexionswing.com"; | 75 | certMainHost = "connexionswing.com"; |
32 | hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; | 76 | hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ]; |
33 | root = connexionswing.apache.root; | 77 | root = pcfg.webappDirs.connexionswing_prod; |
34 | extraConfig = [ connexionswing.apache.vhostConf ]; | 78 | extraConfig = [ |
35 | }; | 79 | '' |
36 | services.filesWatcher.phpfpm-connexionswing_prod = { | 80 | <FilesMatch "\.php$"> |
37 | restart = true; | 81 | SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_prod}|fcgi://localhost" |
38 | paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ]; | 82 | </FilesMatch> |
83 | |||
84 | <Directory ${app.varDir}/medias> | ||
85 | Options FollowSymLinks | ||
86 | AllowOverride None | ||
87 | Require all granted | ||
88 | </Directory> | ||
89 | |||
90 | <Directory ${app.varDir}/uploads> | ||
91 | Options FollowSymLinks | ||
92 | AllowOverride None | ||
93 | Require all granted | ||
94 | </Directory> | ||
95 | |||
96 | Use Stats connexionswing.com | ||
97 | |||
98 | <Directory ${pcfg.webappDirs.connexionswing_prod}> | ||
99 | Options Indexes FollowSymLinks MultiViews Includes | ||
100 | AllowOverride All | ||
101 | Require all granted | ||
102 | </Directory> | ||
103 | '' | ||
104 | ]; | ||
39 | }; | 105 | }; |
40 | }; | 106 | }; |
41 | } | 107 | } |
42 | |||