author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /modules/private/websites/tools/cloud/default.nix | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
Squash changes containing private information
There were a lot of changes since the previous commit, but many of them
contained personal information about users. All those changes were
squashed into a single commit (history is kept in a different place) and
the private information was moved to a separate private repository
Diffstat (limited to 'modules/private/websites/tools/cloud/default.nix')
-rw-r--r-- | modules/private/websites/tools/cloud/default.nix | 184 |
1 files changed, 0 insertions, 184 deletions
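--- a/modules/private/websites/tools/cloud/default.nix
+++ /dev/null
@@ -1,184 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-  nextcloud = pkgs.webapps.nextcloud.withApps (a: [
-    a.apporder a.audioplayer a.bookmarks a.calendar a.carnet a.contacts
-    a.cookbook a.deck a.extract a.files_markdown a.files_readmemd
-    a.flowupload a.gpxedit a.gpxpod a.keeweb a.maps a.metadata a.music
-    a.notes a.ocsms a.passman a.polls a.spreed a.tasks
-  ]);
-  env = config.myEnv.tools.nextcloud;
-  varDir = "/var/lib/nextcloud";
-  cfg = config.myServices.websites.tools.cloud;
-  phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" ([ nextcloud varDir ] ++ nextcloud.apps);
-    pool = {
-      "listen.owner" = "wwwrun";
-      "listen.group" = "wwwrun";
-      "pm" = "ondemand";
-      "pm.max_children" = "60";
-      "pm.process_idle_timeout" = "60";
-
-      "php_admin_value[output_buffering]" = "0";
-      "php_admin_value[max_execution_time]" = "1800";
-      "php_admin_value[zend_extension]" = "opcache";
-      #already enabled by default?
-      #"php_value[opcache.enable]" = "1";
-      "php_value[opcache.enable_cli]" = "1";
-      "php_value[opcache.interned_strings_buffer]" = "8";
-      "php_value[opcache.max_accelerated_files]" = "10000";
-      "php_value[opcache.memory_consumption]" = "128";
-      "php_value[opcache.save_comments]" = "1";
-      "php_value[opcache.revalidate_freq]" = "1";
-      "php_admin_value[memory_limit]" = "512M";
-
-      "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp";
-      "php_admin_value[session.save_path]" = "${varDir}/phpSessions";
-    };
-  };
-in {
-  options.myServices.websites.tools.cloud = {
-    enable = lib.mkEnableOption "enable cloud website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.websites.env.tools.modules = [ "proxy_fcgi" ];
-
-    services.websites.env.tools.vhostConfs.cloud = {
-      certName = "eldiron";
-      addToCerts = true;
-      hosts = ["cloud.immae.eu" ];
-      root = nextcloud;
-      extraConfig = [
-        ''
-        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
-        <Directory ${nextcloud}>
-          AcceptPathInfo On
-          DirectoryIndex index.php
-          Options FollowSymlinks
-          Require all granted
-          AllowOverride all
-
-          <IfModule mod_headers.c>
-            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
-          </IfModule>
-          <FilesMatch "\.php$">
-            CGIPassAuth on
-            SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost"
-          </FilesMatch>
-
-        </Directory>
-        ''
-      ];
-    };
-
-    secrets.keys."webapps/tools-nextcloud" = {
-      user = "wwwrun";
-      group = "wwwrun";
-      permissions = "0600";
-      # This file is not actually included, see activationScript below
-      text = ''
-        <?php
-        include('${nextcloud}/version.php');
-        $CONFIG = array (
-          // FIXME: change this value when nextcloud starts getting slow
-          'instanceid' => '${env.instance_id}',
-          'datadirectory' => '/var/lib/nextcloud/',
-          'passwordsalt' => '${env.password_salt}',
-          'debug' => false,
-          'dbtype' => 'pgsql',
-          'version' => implode($OC_Version, '.'),
-          'dbname' => '${env.postgresql.database}',
-          'dbhost' => '${env.postgresql.socket}',
-          'dbtableprefix' => 'oc_',
-          'dbuser' => '${env.postgresql.user}',
-          'dbpassword' => '${env.postgresql.password}',
-          'installed' => true,
-          'maxZipInputSize' => 0,
-          'allowZipDownload' => true,
-          'forcessl' => true,
-          'theme' => ${"''"},
-          'maintenance' => false,
-          'trusted_domains' =>
-          array (
-            0 => 'cloud.immae.eu',
-          ),
-          'secret' => '${env.secret}',
-          'appstoreenabled' => false,
-          'appstore.experimental.enabled' => true,
-          'loglevel' => 2,
-          'trashbin_retention_obligation' => 'auto',
-          'htaccess.RewriteBase' => '/',
-          'mail_smtpmode' => 'sendmail',
-          'mail_smtphost' => '127.0.0.1',
-          'mail_smtpname' => ''',
-          'mail_smtppassword' => ''',
-          'mail_from_address' => 'nextcloud',
-          'mail_smtpauth' => false,
-          'mail_domain' => 'tools.immae.eu',
-          'memcache.local' => '\\OC\\Memcache\\APCu',
-          'memcache.locking' => '\\OC\\Memcache\\Redis',
-          'filelocking.enabled' => true,
-          'redis' =>
-          array (
-            'host' => '${env.redis.socket}',
-            'port' => 0,
-            'dbindex' => ${env.redis.db},
-          ),
-          'overwrite.cli.url' => 'https://cloud.immae.eu',
-          'ldapIgnoreNamingRules' => false,
-          'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
-          'has_rebuilt_cache' => true,
-        );
-      '';
-    };
-    users.users.root.packages = let
-      occ = pkgs.writeScriptBin "nextcloud-occ" ''
-        #! ${pkgs.stdenv.shell}
-        cd ${nextcloud}
-        NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
-          exec \
-          sudo -E -u wwwrun ${pkgs.php74}/bin/php \
-          -c ${pkgs.php74}/etc/php.ini \
-          occ $*
-      '';
-    in [ occ ];
-
-    system.activationScripts.nextcloud = {
-      deps = [ "secrets" ];
-      text = let
-        confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
-      in
-      ''
-        install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
-        install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
-        ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
-          "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
-        ) confs)}
-        #install -D -m 0600 -o wwwrun -g wwwrun -T ${config.secrets.fullPaths."webapps/tools-nextcloud"} ${varDir}/config/config.php
-      '';
-    };
-
-    services.phpfpm.pools.nextcloud = {
-      user = "wwwrun";
-      group = "wwwrun";
-      settings = phpFpm.pool;
-      phpPackage = pkgs.php74.withExtensions({ enabled, all }: enabled ++ [ all.redis all.apcu all.opcache ]);
-    };
-
-    services.cron = {
-      enable = true;
-      systemCronJobs = let
-        script = pkgs.writeScriptBin "nextcloud-cron" ''
-          #! ${pkgs.stdenv.shell}
-          export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
-          export PATH=/run/wrappers/bin:$PATH
-          ${pkgs.php74}/bin/php -d memory_limit=2048M -f ${nextcloud}/cron.php
-        '';
-      in [
-        ''
-          */15 * * * * wwwrun ${script}/bin/nextcloud-cron
-        ''
-      ];
-    };
-  };
-}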