Finish moving aten php configuration to dedicated module

3 files changed, 126 insertions, 141 deletions

diff --git a/modules/private/websites/aten/builder.nix b/modules/private/websites/aten/builder.nix
deleted file mode 100644
index 83a8f70..0000000
--- a/modules/private/websites/aten/builder.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ apacheUser, apacheGroup, aten, lib, mylibs, config }: rec {
-  app = aten.override { inherit (config) environment; };
-  phpFpm = rec {
-    preStart = mylibs.phpFpmPreStart {
-      inherit app;
-      inherit (app) varDir;
-      keyFiles = [
-        "/var/secrets/webapps/${app.environment}-aten"
-      ];
-      actions = [
-        "/run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
-      ];
-    };
-    serviceDeps = [ "postgresql.service" ];
-    socket = "/var/run/phpfpm/aten-${app.environment}.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apacheUser}
-      group = ${apacheGroup}
-      listen.owner = ${apacheUser}
-      listen.group = ${apacheGroup}
-      php_admin_value[upload_max_filesize] = 20M
-      php_admin_value[post_max_size] = 20M
-      ;php_admin_flag[log_errors] = on
-      php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp"
-      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
-      ${if app.environment == "dev" then ''
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      env[SYMFONY_DEBUG_MODE] = "yes"
-      '' else ''
-      pm = dynamic
-      pm.max_children = 20
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      ''}'';
-  };
-  keys = [{
-    dest = "webapps/${app.environment}-aten";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      SetEnv APP_ENV      "${app.environment}"
-      SetEnv APP_SECRET   "${config.secret}"
-      SetEnv DATABASE_URL "${config.psql_url}"
-      '';
-  }];
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "aten_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    <FilesMatch "\.php$">
-      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-    </FilesMatch>
-
-    Include /var/secrets/webapps/${app.environment}-aten
-
-    ${if app.environment == "dev" then ''
-    <Location />
-      Use LDAPConnect
-      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
-    </Location>
-
-    <Location /backend>
-      Use LDAPConnect
-      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
-    </Location>
-    '' else ''
-    Use Stats aten.pro
-
-    <Location /backend>
-      Use LDAPConnect
-      Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
-    </Location>
-    ''}
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride All
-      Require all granted
-      DirectoryIndex index.php
-      FallbackResource /index.php
-    </Directory>
-    '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
-    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-}
diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix
index 0dbc4fa..38068a7 100644
--- a/modules/private/websites/aten/integration.nix
+++ b/modules/private/websites/aten/integration.nix
@@ -1,43 +1,83 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-  aten = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) aten;
-    config = myconfig.env.websites.aten.integration;
-    apacheUser = config.services.httpd.Inte.user;
-    apacheGroup = config.services.httpd.Inte.group;
-  };
-
+  secrets = myconfig.env.websites.aten.integration;
+  app = pkgs.webapps.aten.override { environment = secrets.environment; };
   cfg = config.myServices.websites.aten.integration;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
 
   config = lib.mkIf cfg.enable {
-    services.phpApplication.aten_dev = let
-      app = pkgs.webapps.aten.override { environment = "dev"; };
-    in {
+    services.phpApplication.apps.aten_dev = {
       websiteEnv = "integration";
       httpdUser = config.services.httpd.Inte.user;
       httpdGroup = config.services.httpd.Inte.group;
+      httpdWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-aten"
+      ];
       inherit (app) webRoot varDir;
       inherit app;
       serviceDeps = [ "postgresql.service" ];
       preStartActions = [
         "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
       ];
-      watchFiles = [
-        "${config.secrets.location}/webapps/${app.environment}-aten"
-      ];
-      webappName = "aten_dev";
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = ondemand
+        pm.max_children = 5
+        pm.process_idle_timeout = 60
+        env[SYMFONY_DEBUG_MODE] = "yes"
+      '';
     };
 
-    secrets.keys = aten.keys;
-    services.phpfpm.poolConfigs.aten_dev = aten.phpFpm.pool;
-    services.websites.env.integration.vhostConfs.aten = {
+    secrets.keys = [{
+      dest = "webapps/${app.environment}-aten";
+      user = config.services.httpd.Inte.user;
+      group = config.services.httpd.Inte.user;
+      permissions = "0400";
+      text = ''
+        SetEnv APP_ENV      "${app.environment}"
+        SetEnv APP_SECRET   "${secrets.secret}"
+        SetEnv DATABASE_URL "${secrets.psql_url}"
+        '';
+    }];
+    services.websites.env.integration.vhostConfs.aten_dev = {
       certName    = "eldiron";
       addToCerts  = true;
       hosts       = [ "dev.aten.pro" ];
-      root        = aten.apache.root;
-      extraConfig = [ aten.apache.vhostConf ];
+      root        = pcfg.webappDirs.aten_dev;
+      extraConfig = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_dev}|fcgi://localhost"
+        </FilesMatch>
+
+        Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"}
+
+        <Location />
+          Use LDAPConnect
+          Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+        </Location>
+
+        <Location /backend>
+          Use LDAPConnect
+          Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+        </Location>
+
+        <Directory ${pcfg.webappDirs.aten_dev}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+          DirectoryIndex index.php
+          FallbackResource /index.php
+        </Directory>
+        ''
+      ];
     };
   };
 }
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix
index 0fab309..21ecdcf 100644
--- a/modules/private/websites/aten/production.nix
+++ b/modules/private/websites/aten/production.nix
@@ -1,36 +1,81 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-  aten = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) aten;
-    config = myconfig.env.websites.aten.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
-  };
-
+  secrets = myconfig.env.websites.aten.production;
+  app = pkgs.webapps.aten.override { environment = secrets.environment; };
   cfg = config.myServices.websites.aten.production;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = aten.keys;
     services.webstats.sites = [ { name = "aten.pro"; } ];
+    services.phpApplication.apps.aten_prod = {
+      websiteEnv = "production";
+      httpdUser = config.services.httpd.Prod.user;
+      httpdGroup = config.services.httpd.Prod.group;
+      httpdWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-aten"
+      ];
+      inherit (app) webRoot varDir;
+      inherit app;
+      serviceDeps = [ "postgresql.service" ];
+      preStartActions = [
+        "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = dynamic
+        pm.max_children = 20
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+      '';
+    };
 
-    systemd.services.phpfpm-aten_prod.preStart = lib.mkAfter aten.phpFpm.preStart;
-    systemd.services.phpfpm-aten_prod.after = lib.mkAfter aten.phpFpm.serviceDeps;
-    systemd.services.phpfpm-aten_prod.wants = aten.phpFpm.serviceDeps;
-    services.phpfpm.poolConfigs.aten_prod = aten.phpFpm.pool;
-    system.activationScripts.aten_prod = aten.activationScript;
-    myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot;
-    services.websites.env.production.modules = aten.apache.modules;
-    services.websites.env.production.vhostConfs.aten = {
+    secrets.keys = [{
+      dest = "webapps/${app.environment}-aten";
+      user = config.services.httpd.Prod.user;
+      group = config.services.httpd.Prod.user;
+      permissions = "0400";
+      text = ''
+        SetEnv APP_ENV      "${app.environment}"
+        SetEnv APP_SECRET   "${secrets.secret}"
+        SetEnv DATABASE_URL "${secrets.psql_url}"
+        '';
+    }];
+    services.websites.env.production.vhostConfs.aten_prod = {
       certName     = "aten";
       certMainHost = "aten.pro";
-      hosts        = [ "aten.pro" "www.aten.pro" ];
-      root         = aten.apache.root;
-      extraConfig  = [ aten.apache.vhostConf ];
+      hosts       = [ "aten.pro" "www.aten.pro" ];
+      root        = pcfg.webappDirs.aten_prod;
+      extraConfig = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_prod}|fcgi://localhost"
+        </FilesMatch>
+
+        Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"}
+
+        Use Stats aten.pro
+
+        <Location /backend>
+          Use LDAPConnect
+          Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+          ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+        </Location>
+
+        <Directory ${pcfg.webappDirs.aten_prod}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+          DirectoryIndex index.php
+          FallbackResource /index.php
+        </Directory>
+        ''
+      ];
     };
-    services.websites.env.production.watchPaths = [
-      "/var/secrets/webapps/${aten.app.environment}-aten"
-    ];
   };
 }