Move production php application to dedicated module

2 files changed, 92 insertions, 188 deletions

diff --git a/modules/private/websites/connexionswing/builder.nix b/modules/private/websites/connexionswing/builder.nix
deleted file mode 100644
index 004b979..0000000
--- a/modules/private/websites/connexionswing/builder.nix
+++ /dev/null
@@ -1,161 +0,0 @@
-{ apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, mylibs, config }:
-rec {
-  app = connexionswing.override { inherit (config) environment; };
-  keys = [{
-    dest = "webapps/${app.environment}-connexionswing";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      # This file is auto-generated during the composer install
-      parameters:
-          database_host: ${config.mysql.host}
-          database_port: ${config.mysql.port}
-          database_name: ${config.mysql.name}
-          database_user: ${config.mysql.user}
-          database_password: ${config.mysql.password}
-          database_server_version: ${pkgs.mariadb.mysqlVersion}
-          mailer_transport: sendmail
-          mailer_host: null
-          mailer_user: null
-          mailer_password: null
-          subscription_email: ${config.email}
-          allow_robots: true
-          secret: ${config.secret}
-      ${if app.environment == "prod" then ''
-      services:
-        swiftmailer.mailer.default.transport:
-            class:     Swift_SendmailTransport
-            arguments: ['/run/wrappers/bin/sendmail -bs']
-      '' else ""}
-    '';
-  }];
-  phpFpm = rec {
-    preStart = mylibs.phpFpmPreStart {
-      inherit app;
-      inherit (app) varDir;
-      keyFiles = [
-        "/var/secrets/webapps/${app.environment}-connexionswing"
-      ];
-      actions = [
-        "/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup"
-      ];
-    };
-    serviceDeps = [ "mysql.service" ];
-    socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock";
-    phpConfig = ''
-      extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
-      '';
-    pool = ''
-      user = ${apacheUser}
-      group = ${apacheGroup}
-      listen.owner = ${apacheUser}
-      listen.group = ${apacheGroup}
-      php_admin_value[upload_max_filesize] = 20M
-      php_admin_value[post_max_size] = 20M
-      ;php_admin_flag[log_errors] = on
-      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp"
-      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
-      ${if app.environment == "dev" then ''
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      env[SYMFONY_DEBUG_MODE] = "yes"
-      '' else ''
-      pm = dynamic
-      pm.max_children = 20
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      ''}'';
-  };
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "connexionswing_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    <FilesMatch "\.php$">
-      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-    </FilesMatch>
-
-    <Directory ${app.varDir}/medias>
-      Options FollowSymLinks
-      AllowOverride None
-      Require all granted
-    </Directory>
-
-    <Directory ${app.varDir}/uploads>
-      Options FollowSymLinks
-      AllowOverride None
-      Require all granted
-    </Directory>
-
-    ${if app.environment == "dev" then ''
-    <Location />
-      Use LDAPConnect
-      Require ldap-group   cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://connexionswing.com\"></html>"
-    </Location>
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride None
-      Require all granted
-
-      DirectoryIndex app_dev.php
-
-      <IfModule mod_negotiation.c>
-      Options -MultiViews
-      </IfModule>
-
-      <IfModule mod_rewrite.c>
-        RewriteEngine On
-
-        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
-        RewriteRule ^(.*) - [E=BASE:%1]
-
-        # Maintenance script
-        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
-        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
-        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
-        ErrorDocument 503 /maintenance.php
-
-        # Sets the HTTP_AUTHORIZATION header removed by Apache
-        RewriteCond %{HTTP:Authorization} .
-        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-
-        RewriteCond %{ENV:REDIRECT_STATUS} ^$
-        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
-
-        # If the requested filename exists, simply serve it.
-        # We only want to let Apache serve files and not directories.
-        RewriteCond %{REQUEST_FILENAME} -f
-        RewriteRule ^ - [L]
-
-        # Rewrite all other queries to the front controller.
-        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
-      </IfModule>
-
-    </Directory>
-    '' else ''
-    Use Stats connexionswing.com
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride All
-      Require all granted
-    </Directory>
-    ''}
-    '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
-      ${app.varDir}/medias \
-      ${app.varDir}/uploads \
-      ${app.varDir}/var
-    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-}
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index 07647da..1427c8d 100644
--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -1,42 +1,107 @@
 { lib, pkgs, config,  myconfig, ... }:
 let
-  connexionswing = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) connexionswing;
-    config = myconfig.env.websites.connexionswing.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
-  };
-
+  secrets = myconfig.env.websites.connexionswing.production;
+  app = pkgs.webapps.connexionswing.override { environment = secrets.environment; };
   cfg = config.myServices.websites.connexionswing.production;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = connexionswing.keys;
     services.webstats.sites = [ { name = "connexionswing.com"; } ];
-
-    systemd.services.phpfpm-connexionswing_prod.after = lib.mkAfter connexionswing.phpFpm.serviceDeps;
-    systemd.services.phpfpm-connexionswing_prod.wants = connexionswing.phpFpm.serviceDeps;
-    systemd.services.phpfpm-connexionswing_prod.preStart = lib.mkAfter connexionswing.phpFpm.preStart;
-    services.phpfpm.pools.connexionswing_prod = {
-      listen = connexionswing.phpFpm.socket;
-      extraConfig = connexionswing.phpFpm.pool;
-      phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig;
+    services.phpApplication.apps.connexionswing_prod = {
+      websiteEnv = "production";
+      httpdUser = config.services.httpd.Prod.user;
+      httpdGroup = config.services.httpd.Prod.group;
+      inherit (app) webRoot varDir;
+      varDirPaths = {
+        "medias" = "0700";
+        "uploads" = "0700";
+        "var" = "0700";
+      };
+      inherit app;
+      serviceDeps = [ "mysql.service" ];
+      preStartActions = [
+        "./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = dynamic
+        pm.max_children = 20
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+      '';
+      phpWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-connexionswing"
+      ];
     };
-    system.activationScripts.connexionswing_prod = connexionswing.activationScript;
-    myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot;
-    services.websites.env.production.modules = connexionswing.apache.modules;
-    services.websites.env.production.vhostConfs.connexionswing = {
+
+    secrets.keys = [
+      {
+        dest = "webapps/${app.environment}-connexionswing";
+        user = config.services.httpd.Prod.user;
+        group = config.services.httpd.Prod.group;
+        permissions = "0400";
+        text = ''
+          # This file is auto-generated during the composer install
+          parameters:
+              database_host: ${secrets.mysql.host}
+              database_port: ${secrets.mysql.port}
+              database_name: ${secrets.mysql.name}
+              database_user: ${secrets.mysql.user}
+              database_password: ${secrets.mysql.password}
+              database_server_version: ${pkgs.mariadb.mysqlVersion}
+              mailer_transport: sendmail
+              mailer_host: null
+              mailer_user: null
+              mailer_password: null
+              subscription_email: ${secrets.email}
+              allow_robots: true
+              secret: ${secrets.secret}
+          services:
+            swiftmailer.mailer.default.transport:
+                class:     Swift_SendmailTransport
+                arguments: ['/run/wrappers/bin/sendmail -bs']
+        '';
+      }
+    ];
+
+    services.websites.env.production.vhostConfs.connexionswing_prod = {
       certName     = "connexionswing";
       certMainHost = "connexionswing.com";
       hosts        = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
-      root         = connexionswing.apache.root;
-      extraConfig  = [ connexionswing.apache.vhostConf ];
-    };
-    services.filesWatcher.phpfpm-connexionswing_prod = {
-      restart = true;
-      paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ];
+      root         = pcfg.webappDirs.connexionswing_prod;
+      extraConfig  = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_prod}|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${app.varDir}/medias>
+          Options FollowSymLinks
+          AllowOverride None
+          Require all granted
+        </Directory>
+
+        <Directory ${app.varDir}/uploads>
+          Options FollowSymLinks
+          AllowOverride None
+          Require all granted
+        </Directory>
+
+        Use Stats connexionswing.com
+
+        <Directory ${pcfg.webappDirs.connexionswing_prod}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+        </Directory>
+        ''
+      ];
     };
   };
 }
-