author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-18 10:49:00 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-18 10:49:00 +0200 |
commit | f8026b6e4c869aa108f6361c8ccd50890657994d (patch) | |
tree | 57cb311e520933bd2ab6ccbae05f2913799eb49e /modules/private | |
parent | 4aac110f17f0528d90510eec00c9a8df60bcf04f (diff) | |
download | Nix-f8026b6e4c869aa108f6361c8ccd50890657994d.tar.gz Nix-f8026b6e4c869aa108f6361c8ccd50890657994d.tar.zst Nix-f8026b6e4c869aa108f6361c8ccd50890657994d.zip |
Move personal websites to modules
Diffstat (limited to 'modules/private')
38 files changed, 2011 insertions, 2 deletions
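--- a/modules/private/default.nix
+++ b/modules/private/default.nix
@@ -1,4 +1,5 @@
-{
+let
+set = {
 # adatped from nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
 httpdInte = import ../websites/httpd-service-builder.nix { httpdName = "Inte"; withUsers = false; };
 httpdProd = import ../websites/httpd-service-builder.nix { httpdName = "Prod"; withUsers = false; };
@@ -10,5 +11,32 @@
 postgresql = ./databases/postgresql.nix;
 redis = ./databases/redis.nix;
 
+websites = ./websites;
+atenInte = ./websites/aten/integration.nix;
+atenProd = ./websites/aten/production.nix;
+capitainesProd = ./websites/capitaines/production.nix;
+chloeInte = ./websites/chloe/integration.nix;
+chloeProd = ./websites/chloe/production.nix;
+connexionswingInte = ./websites/connexionswing/integration.nix;
+connexionswingProd = ./websites/connexionswing/production.nix;
+denisejeromeProd = ./websites/denisejerome/production.nix;
+emiliaProd = ./websites/emilia/production.nix;
+florianApp = ./websites/florian/app.nix;
+florianInte = ./websites/florian/integration.nix;
+florianProd = ./websites/florian/production.nix;
+immaeProd = ./websites/immae/production.nix;
+immaeRelease = ./websites/immae/release.nix;
+immaeTemp = ./websites/immae/temp.nix;
+leilaProd = ./websites/leila/production.nix;
+ludivinecassalInte = ./websites/ludivinecassal/integration.nix;
+ludivinecassalProd = ./websites/ludivinecassal/production.nix;
+nassimeProd = ./websites/nassime/production.nix;
+naturaloutilProd = ./websites/naturaloutil/production.nix;
+papaSurveillance = ./websites/papa/surveillance.nix;
+piedsjalouxInte = ./websites/piedsjaloux/integration.nix;
+piedsjalouxProd = ./websites/piedsjaloux/production.nix;
+
 irc = ./irc.nix;
-}
+};
+in
+builtins.listToAttrs (map (attr: { name = "priv${attr}"; value = set.${attr}; }) (builtins.attrNames set))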
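--- /dev/null
+++ b/modules/private/websites/aten/builder.nix
@@ -0,0 +1,102 @@
+{ apacheUser, apacheGroup, aten, lib, config }: rec {
+app = aten.override { inherit (config) environment; };
+phpFpm = rec {
+preStart = ''
+if [ ! -f "${app.varDir}/currentWebappDir" -o \
+! -f "${app.varDir}/currentKey" -o \
+"${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+|| ! sha512sum -c --status ${app.varDir}/currentKey; then
+pushd ${app} > /dev/null
+/run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup
+popd > /dev/null
+echo -n "${app}" > ${app.varDir}/currentWebappDir
+sha512sum /var/secrets/webapps/${app.environment}-aten > ${app.varDir}/currentKey
+fi
+'';
+serviceDeps = [ "postgresql.service" ];
+socket = "/var/run/phpfpm/aten-${app.environment}.sock";
+pool = ''
+listen = ${socket}
+user = ${apacheUser}
+group = ${apacheGroup}
+listen.owner = ${apacheUser}
+listen.group = ${apacheGroup}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp"
+php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+${if app.environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+env[SYMFONY_DEBUG_MODE] = "yes"
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+keys = [{
+dest = "webapps/${app.environment}-aten";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+SetEnv APP_ENV "${app.environment}"
+SetEnv APP_SECRET "${config.secret}"
+SetEnv DATABASE_URL "${config.psql_url}"
+'';
+}];
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "aten_${app.environment}";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+Include /var/secrets/webapps/${app.environment}-aten
+
+${if app.environment == "dev" then ''
+<Location />
+Use LDAPConnect
+Require ldap-group cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+</Location>
+
+<Location /backend>
+Use LDAPConnect
+Require ldap-group cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+</Location>
+'' else ''
+Use Stats aten.pro
+
+<Location /backend>
+Use LDAPConnect
+Require ldap-group cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+</Location>
+''}
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+DirectoryIndex index.php
+FallbackResource /index.php
+</Directory>
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
+install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+'';
+};
+}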
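Review bot: The `<Directory ${root}>` block at line 87 turns on `Indexes` and `Includes` for the Symfony web root in both environments, so a sub-directory without an index file can be listed and the server-side-include option is available on a tree that is only meant to hand everything to `index.php` via `FallbackResource`. Neither is needed for the front-controller pattern, so the line can become `Options -Indexes -Includes +FollowSymLinks +MultiViews`. The same `Options Indexes FollowSymLinks MultiViews Includes` line recurs in both `<Directory ${root}>` blocks of connexionswing/builder.nix and in the `mastodon_static` vhost of capitaines/production.nix, where a two-file static site does not need it either.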
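--- /dev/null
+++ b/modules/private/websites/aten/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+aten = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) aten;
+config = myconfig.env.websites.aten.integration;
+apacheUser = config.services.httpd.Inte.user;
+apacheGroup = config.services.httpd.Inte.group;
+};
+
+cfg = config.myServices.websites.aten.integration;
+in {
+options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = aten.keys;
+services.myPhpfpm.preStart.aten_dev = aten.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.aten_dev = aten.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.aten_dev = aten.phpFpm.pool;
+system.activationScripts.aten_dev = aten.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName}
+'';
+services.websites.integration.modules = aten.apache.modules;
+services.websites.integration.vhostConfs.aten = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "dev.aten.pro" ];
+root = aten.apache.root;
+extraConfig = [ aten.apache.vhostConf ];
+};
+};
+}
+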
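Review bot: In the `callPackage` argument set at lines 3–8, the attribute `config = myconfig.env.websites.aten.integration;` sits directly above `apacheUser = config.services.httpd.Inte.user;`, which reads as if it used the attribute just defined. It does not — the set is not `rec`, so `config` on the right-hand side is still the NixOS module argument — but every reader has to stop and verify that, and a later `rec` added to the set would silently change the meaning. Binding the site settings under their own name in the `let`, e.g. `siteEnv = myconfig.env.websites.aten.integration;`, and passing `config = siteEnv;` removes the ambiguity. The same layout appears in aten/production.nix, chloe/integration.nix, chloe/production.nix and connexionswing/integration.nix.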
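--- /dev/null
+++ b/modules/private/websites/aten/production.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+aten = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) aten;
+config = myconfig.env.websites.aten.production;
+apacheUser = config.services.httpd.Prod.user;
+apacheGroup = config.services.httpd.Prod.group;
+};
+
+cfg = config.myServices.websites.aten.production;
+in {
+options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = aten.keys;
+services.webstats.sites = [ { name = "aten.pro"; } ];
+
+services.myPhpfpm.preStart.aten_prod = aten.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.aten_prod = aten.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.aten_prod = aten.phpFpm.pool;
+system.activationScripts.aten_prod = aten.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName}
+'';
+services.websites.production.modules = aten.apache.modules;
+services.websites.production.vhostConfs.aten = {
+certName = "aten";
+certMainHost = "aten.pro";
+hosts = [ "aten.pro" "www.aten.pro" ];
+root = aten.apache.root;
+extraConfig = [ aten.apache.vhostConf ];
+};
+};
+}
+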
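--- /dev/null
+++ b/modules/private/websites/capitaines/mastodon_static/index.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang='en'>
+<head>
+<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'>
+<title>This instance is now closed - Mastodon</title>
+<style>
+body {
+text-align: center;
+background: #282c37;
+font-family: sans-serif;
+}
+img {
+max-width: 470px;
+width: 100%;
+}
+h1 {
+font-size: 20px;
+font-weight: 400;
+color: #9baec8;
+}
+</style>
+</head>
+<body>
+<div>
+<img alt='Mastodon' src='/oops.png'>
+<h1>Sorry, this instance is closed now.</h1>
+</div>
+</body>
+</html>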
diff --git a/modules/private/websites/capitaines/mastodon_static/oops.png b/modules/private/websites/capitaines/mastodon_static/oops.png new file mode 100644 index 0000000..0abddad --- /dev/null +++ b/modules/private/websites/capitaines/mastodon_static/oops.png | |||
Binary files differ | |||
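--- /dev/null
+++ b/modules/private/websites/capitaines/production.nix
@@ -0,0 +1,47 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.capitaines.production;
+env = myconfig.env.websites.capitaines;
+webappName = "capitaines_mastodon";
+root = "/run/current-system/webapps/${webappName}";
+siteDir = ./mastodon_static;
+in {
+options.myServices.websites.capitaines.production.enable = lib.mkEnableOption "enable Capitaines's website";
+
+config = lib.mkIf cfg.enable {
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${siteDir} $out/webapps/${webappName}
+'';
+
+services.websites.production.vhostConfs.capitaines_mastodon = {
+certName = "capitaines";
+certMainHost = "mastodon.capitaines.fr";
+hosts = [ "mastodon.capitaines.fr" ];
+root = root;
+extraConfig = [
+''
+ErrorDocument 404 /index.html
+<Directory ${root}>
+DirectoryIndex index.html
+Options Indexes FollowSymLinks MultiViews Includes
+Require all granted
+</Directory>
+''
+];
+};
+
+services.websites.production.vhostConfs.capitaines = {
+certName = "capitaines";
+addToCerts = true;
+hosts = [ "capitaines.fr" ];
+root = "/run/current-system/webapps/_www";
+extraConfig = [ ''
+<Directory /run/current-system/webapps/_www>
+DirectoryIndex index.htm
+Require all granted
+</Directory>
+'' ];
+};
+};
+}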
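--- /dev/null
+++ b/modules/private/websites/chloe/builder.nix
@@ -0,0 +1,103 @@
+{ apacheUser, apacheGroup, chloe, config }:
+rec {
+app = chloe.override { inherit (config) environment; };
+phpFpm = rec {
+serviceDeps = [ "mysql.service" ];
+socket = "/var/run/phpfpm/chloe-${app.environment}.sock";
+pool = ''
+listen = ${socket}
+user = ${apacheUser}
+group = ${apacheGroup}
+listen.owner = ${apacheUser}
+listen.group = ${apacheGroup}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"
+php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+${if app.environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+keys = [{
+dest = "webapps/${app.environment}-chloe";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+SetEnv SPIP_CONFIG_DIR "${configDir}"
+SetEnv SPIP_VAR_DIR "${app.varDir}"
+SetEnv SPIP_SITE "chloe-${app.environment}"
+SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
+SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
+SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}"
+SetEnv SPIP_MYSQL_HOST "${config.mysql.host}"
+SetEnv SPIP_MYSQL_PORT "${config.mysql.port}"
+SetEnv SPIP_MYSQL_DB "${config.mysql.name}"
+SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
+SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+'';
+}];
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "chloe_${app.environment}";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+Include /var/secrets/webapps/${app.environment}-chloe
+
+RewriteEngine On
+${if app.environment == "prod" then ''
+RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1
+'' else ""}
+
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+<Directory ${root}>
+DirectoryIndex index.php index.htm index.html
+Options -Indexes +FollowSymLinks +MultiViews +Includes
+Include ${root}/htaccess.txt
+
+AllowOverride AuthConfig FileInfo Limit
+Require all granted
+</Directory>
+
+<DirectoryMatch "${root}/squelettes">
+Require all denied
+</DirectoryMatch>
+
+<FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
+Require all denied
+</FilesMatch>
+
+${if app.environment == "dev" then ''
+<Location />
+Use LDAPConnect
+Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
+</Location>
+'' else ''
+Use Stats osteopathe-cc.fr
+''}
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
+install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+'';
+};
+configDir = ./config;
+}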
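Review bot: `Include ${root}/htaccess.txt` at line 70 pulls a file from the packaged web root (the one `integration.nix`/`production.nix` symlink as `webRoot`) straight into the server configuration, so every directive in it runs with full server-config privilege rather than under the `AllowOverride AuthConfig FileInfo Limit` limit set two lines later; whatever a future package update puts in that file is applied unreviewed. If only the rewrite rules are wanted, copying them into `vhostConf` keeps the surface explicit; if the file is deliberately trusted, a comment saying so would stop the next reader from treating this as an oversight, e.g. `# htaccess.txt comes with the packaged SPIP tree; re-read it on each upgrade since it is Included at server-config level`. Separately, `configDir` is used at lines 16 and 36 but only defined at line 102, which `rec` allows but which reads oddly; moving it next to `app` at the top would help.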
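--- /dev/null
+++ b/modules/private/websites/chloe/config/chmod.php
@@ -0,0 +1,4 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+if (!defined('_SPIP_CHMOD')) define('_SPIP_CHMOD', 0777);
+?>
\ No newline at end of file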
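Review bot: `define('_SPIP_CHMOD', 0777)` at line 3 presumably sets the mode the CMS applies to files and directories it creates, which makes everything under `${app.varDir}` (IMG, tmp, local, created by the activation script in chloe/builder.nix) world-writable on a host with other local accounts. PHP-FPM runs as the same apache user that owns that tree, and the activation script already uses `0755`/`0750` for it, so group access is all that could plausibly be needed: `if (!defined('_SPIP_CHMOD')) define('_SPIP_CHMOD', 0770);`. The trailing `?>` on line 4 is not needed in a pure-PHP file; leaving it out is the usual way to make sure no stray whitespace is ever emitted if someone later adds a newline.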
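--- /dev/null
+++ b/modules/private/websites/chloe/config/connect.php
@@ -0,0 +1,15 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+define('_MYSQL_SET_SQL_MODE',true);
+$GLOBALS['spip_connect_version'] = 0.7;
+spip_connect_db(
+getenv("SPIP_MYSQL_HOST"),
+getenv("SPIP_MYSQL_PORT"),
+getenv("SPIP_MYSQL_USER"),
+getenv("SPIP_MYSQL_PASSWORD"),
+getenv("SPIP_MYSQL_DB"),
+'mysql',
+'spip',
+'ldap.php'
+);
+?>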
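--- /dev/null
+++ b/modules/private/websites/chloe/config/ldap.php
@@ -0,0 +1,9 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+$GLOBALS['ldap_base'] = getenv("SPIP_LDAP_BASE");
+$GLOBALS['ldap_link'] = @ldap_connect(getenv("SPIP_LDAP_HOST"));
+@ldap_set_option($GLOBALS['ldap_link'],LDAP_OPT_PROTOCOL_VERSION,'3');
+@ldap_bind($GLOBALS['ldap_link'],getenv("SPIP_LDAP_SEARCH_DN"), getenv("SPIP_LDAP_SEARCH_PW"));
+$GLOBALS['ldap_champs'] = array('login' => array('sAMAccountName','uid','login','userid','cn','sn'),'nom' => 'cn','email' => 'mail','bio' => 'description',);
+$GLOBALS['ldap_search'] = getenv("SPIP_LDAP_SEARCH");
+?>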
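Review bot: Lines 4–6 discard the results of `ldap_connect`, `ldap_set_option` and `ldap_bind` and silence each with `@`, so a wrong `SPIP_LDAP_SEARCH_PW`, an unreachable `ldaps://` host or a rejected protocol version leaves `$GLOBALS['ldap_link']` unusable with nothing in the error log, and the failure only surfaces later as users who cannot log in. Keeping the suppression is fine if SPIP expects it, but the bind result should at least be recorded: `if (!@ldap_bind($GLOBALS['ldap_link'], getenv("SPIP_LDAP_SEARCH_DN"), getenv("SPIP_LDAP_SEARCH_PW"))) {` / `error_log('spip ldap bind failed: ' . ldap_error($GLOBALS['ldap_link']));` / `}`. `LDAP_OPT_PROTOCOL_VERSION` takes an integer, so `'3'` on line 5 should be `3`.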
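--- /dev/null
+++ b/modules/private/websites/chloe/integration.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+chloe = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) chloe;
+config = myconfig.env.websites.chloe.integration;
+apacheUser = config.services.httpd.Inte.user;
+apacheGroup = config.services.httpd.Inte.group;
+};
+
+cfg = config.myServices.websites.chloe.integration;
+in {
+options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = chloe.keys;
+services.myPhpfpm.serviceDependencies.chloe_dev = chloe.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.chloe_dev = chloe.phpFpm.pool;
+services.myPhpfpm.poolPhpConfigs.chloe_dev = ''
+extension=${pkgs.php}/lib/php/extensions/mysqli.so
+'';
+system.activationScripts.chloe_dev = chloe.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName}
+'';
+services.websites.integration.modules = chloe.apache.modules;
+services.websites.integration.vhostConfs.chloe = {
+certName = "eldiron";
+addToCerts = true;
+hosts = ["chloe.immae.eu" ];
+root = chloe.apache.root;
+extraConfig = [ chloe.apache.vhostConf ];
+};
+};
+}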
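--- /dev/null
+++ b/modules/private/websites/chloe/production.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+chloe = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) chloe;
+config = myconfig.env.websites.chloe.production;
+apacheUser = config.services.httpd.Prod.user;
+apacheGroup = config.services.httpd.Prod.group;
+};
+
+cfg = config.myServices.websites.chloe.production;
+in {
+options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = chloe.keys;
+services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
+
+services.myPhpfpm.serviceDependencies.chloe_prod = chloe.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.chloe_prod = chloe.phpFpm.pool;
+services.myPhpfpm.poolPhpConfigs.chloe_prod = ''
+extension=${pkgs.php}/lib/php/extensions/mysqli.so
+'';
+system.activationScripts.chloe_prod = chloe.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName}
+'';
+services.websites.production.modules = chloe.apache.modules;
+services.websites.production.vhostConfs.chloe = {
+certName = "chloe";
+certMainHost = "osteopathe-cc.fr";
+hosts = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ];
+root = chloe.apache.root;
+extraConfig = [ chloe.apache.vhostConf ];
+};
+};
+}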
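--- /dev/null
+++ b/modules/private/websites/commons/adminer.nix
@@ -0,0 +1,21 @@
+{}:
+rec {
+phpFpm = {
+socket = "/var/run/phpfpm/adminer.sock";
+};
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "_adminer";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+Alias /adminer ${root}
+<Directory ${root}>
+DirectoryIndex index.php
+Require all granted
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+</Directory>
+'';
+};
+}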
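Review bot: The `<Directory ${root}>` block at lines 12–18 grants `Require all granted` to the Adminer database console with no authentication directive of its own, so any vhost that splices in `vhostConf` exposes `/adminer` to everyone who can reach that host unless the caller adds a guard; no caller is visible in this chunk, so that may be the case, but the shared snippet is the safer place for the default. The other vhosts in this commit already gate sensitive paths with the `LDAPConnect` macro, and adding `Use LDAPConnect` and `Require ldap-group cn=<ADMINER_GROUP>,cn=httpd,ou=services,dc=immae,dc=eu` (group to be chosen) inside the block instead of `Require all granted` would give every consumer that protection without changing the interface. The `adminer` PHP-FPM pool behind `adminer.sock` is also referenced but not defined here; a one-line comment naming where it lives would help the next reader.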
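--- /dev/null
+++ b/modules/private/websites/connexionswing/builder.nix
@@ -0,0 +1,164 @@
+{ apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, config }:
+rec {
+app = connexionswing.override { inherit (config) environment; };
+keys = [{
+dest = "webapps/${app.environment}-connexionswing";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+# This file is auto-generated during the composer install
+parameters:
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
+database_name: ${config.mysql.name}
+database_user: ${config.mysql.user}
+database_password: ${config.mysql.password}
+database_server_version: ${pkgs.mariadb.mysqlVersion}
+mailer_transport: sendmail
+mailer_host: null
+mailer_user: null
+mailer_password: null
+subscription_email: ${config.email}
+allow_robots: true
+secret: ${config.secret}
+${if app.environment == "prod" then ''
+services:
+swiftmailer.mailer.default.transport:
+class: Swift_SendmailTransport
+arguments: ['/run/wrappers/bin/sendmail -bs']
+'' else ""}
+'';
+}];
+phpFpm = rec {
+preStart = ''
+if [ ! -f "${app.varDir}/currentWebappDir" -o \
+! -f "${app.varDir}/currentKey" -o \
+"${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+|| ! sha512sum -c --status ${app.varDir}/currentKey; then
+pushd ${app} > /dev/null
+/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+popd > /dev/null
+echo -n "${app}" > ${app.varDir}/currentWebappDir
+sha512sum /var/secrets/webapps/${app.environment}-connexionswing > ${app.varDir}/currentKey
+fi
+'';
+serviceDeps = [ "mysql.service" ];
+socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock";
+phpConfig = ''
+extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
+'';
+pool = ''
+listen = ${socket}
+user = ${apacheUser}
+group = ${apacheGroup}
+listen.owner = ${apacheUser}
+listen.group = ${apacheGroup}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp"
+php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+${if app.environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+env[SYMFONY_DEBUG_MODE] = "yes"
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "connexionswing_${app.environment}";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+<Directory ${app.varDir}/medias>
+Options FollowSymLinks
+AllowOverride None
+Require all granted
+</Directory>
+
+<Directory ${app.varDir}/uploads>
+Options FollowSymLinks
+AllowOverride None
+Require all granted
+</Directory>
+
+${if app.environment == "dev" then ''
+<Location />
+Use LDAPConnect
+Require ldap-group cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://connexionswing.com\"></html>"
+</Location>
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+
+DirectoryIndex app_dev.php
+
+<IfModule mod_negotiation.c>
+Options -MultiViews
+</IfModule>
+
+<IfModule mod_rewrite.c>
+RewriteEngine On
+
+RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+RewriteRule ^(.*) - [E=BASE:%1]
+
+# Maintenance script
+RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ErrorDocument 503 /maintenance.php
+
+# Sets the HTTP_AUTHORIZATION header removed by Apache
+RewriteCond %{HTTP:Authorization} .
+RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+RewriteCond %{ENV:REDIRECT_STATUS} ^$
+RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+# If the requested filename exists, simply serve it.
+# We only want to let Apache serve files and not directories.
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteRule ^ - [L]
+
+# Rewrite all other queries to the front controller.
+RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+</IfModule>
+
+</Directory>
+'' else ''
+Use Stats connexionswing.com
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+''}
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+${app.varDir}/medias \
+${app.varDir}/uploads \
+${app.varDir}/var
+install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+'';
+};
+}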
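Review bot: The parameters file generated at lines 9–31 interpolates the secrets into YAML unquoted — `database_password: ${config.mysql.password}` and `secret: ${config.secret}` — so a value containing `#`, `: `, a leading `*`, `&`, `!` or `'`, or surrounding whitespace is silently truncated or re-typed by the YAML parser and the application fails to connect, or authenticates with a different secret than the one configured. Rendering each scalar with `builtins.toJSON` yields a double-quoted string that is valid YAML whatever the content: `database_password: ${builtins.toJSON config.mysql.password}` and `secret: ${builtins.toJSON config.secret}`. If `mysql.port` is ever set as an integer, `${config.mysql.port}` on line 13 does not evaluate at all (Nix will not coerce an integer inside `${}`), so `database_port: ${toString config.mysql.port}` is the robust form; the same applies to `SPIP_MYSQL_PORT` in chloe/builder.nix. The `Options Indexes FollowSymLinks MultiViews Includes` lines at 104 and 147 carry the same concern raised on aten/builder.nix.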
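--- /dev/null
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+connexionswing = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) connexionswing;
+config = myconfig.env.websites.connexionswing.integration;
+apacheUser = config.services.httpd.Inte.user;
+apacheGroup = config.services.httpd.Inte.group;
+};
+
+cfg = config.myServices.websites.connexionswing.integration;
+in {
+options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = connexionswing.keys;
+services.myPhpfpm.preStart.connexionswing_dev = connexionswing.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.connexionswing_dev = connexionswing.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.connexionswing_dev = connexionswing.phpFpm.pool;
+services.myPhpfpm.poolPhpConfigs.connexionswing_dev = connexionswing.phpFpm.phpConfig;
+system.activationScripts.connexionswing_dev = connexionswing.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName}
+'';
+services.websites.integration.modules = connexionswing.apache.modules;
+services.websites.integration.vhostConfs.connexionswing = {
+certName = "eldiron";
+addToCerts = true;
+hosts = ["connexionswing.immae.eu" "sandetludo.immae.eu" ];
+root = connexionswing.apache.root;
+extraConfig = [ connexionswing.apache.vhostConf ];
+};
+};
+}
+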
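Review bot: The argument set passed to callPackage (lines 3–8) defines an attribute named `config` and, two lines later, reads `config.services.httpd.Inte.user`; because the set is not `rec`, that reference resolves to the module's `config` argument rather than to the sibling `myconfig.env...` value, which is correct but easy to misread. A one-line comment such as `# \`config\` below is the NixOS module config; the builder receives the site env under the same name` or renaming the inner binding (e.g. `siteEnv`) on the builder side would make the shadowing explicit. The same pattern appears in connexionswing/production.nix and florian/app.nix.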
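--- /dev/null
+++ b/modules/private/websites/connexionswing/production.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+connexionswing = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) connexionswing;
+config = myconfig.env.websites.connexionswing.production;
+apacheUser = config.services.httpd.Prod.user;
+apacheGroup = config.services.httpd.Prod.group;
+};
+
+cfg = config.myServices.websites.connexionswing.production;
+in {
+options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = connexionswing.keys;
+services.webstats.sites = [ { name = "connexionswing.com"; } ];
+
+services.myPhpfpm.preStart.connexionswing_prod = connexionswing.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.connexionswing_prod = connexionswing.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.connexionswing_prod = connexionswing.phpFpm.pool;
+services.myPhpfpm.poolPhpConfigs.connexionswing_prod = connexionswing.phpFpm.phpConfig;
+system.activationScripts.connexionswing_prod = connexionswing.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName}
+'';
+services.websites.production.modules = connexionswing.apache.modules;
+services.websites.production.vhostConfs.connexionswing = {
+certName = "connexionswing";
+certMainHost = "connexionswing.com";
+hosts = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
+root = connexionswing.apache.root;
+extraConfig = [ connexionswing.apache.vhostConf ];
+};
+};
+}
+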
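--- /dev/null
+++ b/modules/private/websites/default.nix
@@ -0,0 +1,39 @@
+{ ... }:
+{
+config.myServices.websites.aten.integration.enable = true;
+config.myServices.websites.aten.production.enable = true;
+
+config.myServices.websites.capitaines.production.enable = true;
+
+config.myServices.websites.chloe.integration.enable = true;
+config.myServices.websites.chloe.production.enable = true;
+
+config.myServices.websites.connexionswing.integration.enable = true;
+config.myServices.websites.connexionswing.production.enable = true;
+
+config.myServices.websites.denisejerome.production.enable = true;
+
+config.myServices.websites.emilia.production.enable = true;
+
+config.myServices.websites.florian.app.enable = true;
+config.myServices.websites.florian.integration.enable = true;
+config.myServices.websites.florian.production.enable = true;
+
+config.myServices.websites.immae.production.enable = true;
+config.myServices.websites.immae.release.enable = true;
+config.myServices.websites.immae.temp.enable = true;
+
+config.myServices.websites.leila.production.enable = true;
+
+config.myServices.websites.ludivinecassal.integration.enable = true;
+config.myServices.websites.ludivinecassal.production.enable = true;
+
+config.myServices.websites.nassime.production.enable = true;
+
+config.myServices.websites.naturaloutil.production.enable = true;
+
+config.myServices.websites.papa.surveillance.enable = true;
+
+config.myServices.websites.piedsjaloux.integration.enable = true;
+config.myServices.websites.piedsjaloux.production.enable = true;
+}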
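--- /dev/null
+++ b/modules/private/websites/denisejerome/production.nix
@@ -0,0 +1,31 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.denisejerome.production;
+varDir = "/var/lib/ftp/denisejerome";
+env = myconfig.env.websites.denisejerome;
+in {
+options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website";
+
+config = lib.mkIf cfg.enable {
+services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ];
+
+services.websites.production.vhostConfs.denisejerome = {
+certName = "denisejerome";
+certMainHost = "denisejerome.piedsjaloux.fr";
+hosts = ["denisejerome.piedsjaloux.fr" ];
+root = varDir;
+extraConfig = [
+''
+Use Stats denisejerome.piedsjaloux.fr
+
+<Directory ${varDir}>
+DirectoryIndex index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride AuthConfig
+Require all granted
+</Directory>
+''
+];
+};
+};
+}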
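Review bot: `env` on line 5 is bound but never used anywhere in this module, and the same unused binding appears in immae/production.nix, immae/release.nix and immae/temp.nix; dropping it (together with the `myconfig` argument where nothing else reads it) keeps each module honest about its inputs. Separately, the `<Directory>` block on lines 21–26 enables `Options ... Includes` on a tree that the `/var/lib/ftp` path suggests is FTP-managed; if server-side includes are really needed there, `Options Indexes FollowSymLinks MultiViews IncludesNOEXEC` limits them to file inclusion, and if they are not, dropping `Includes` is simpler.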
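--- /dev/null
+++ b/modules/private/websites/emilia/moodle/pause.html
@@ -0,0 +1,48 @@
+<!doctype html>
+<html>
+<head>
+<title>Pause</title>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<style>
+body {
+padding-left: 5px;
+padding-right: 5px;
+text-align: center;
+margin: auto;
+font: 20px Helvetica, sans-serif;
+color: #333;
+}
+h1 {
+margin: 0px;
+font-size: 40px;
+}
+article {
+display: block;
+max-width: 650px;
+margin: 0 auto;
+padding-top: 30px;
+}
+article + article {
+border-top: 1px solid lightgrey;
+}
+article div {
+text-align: justify;
+}
+a {
+color: #dc8100;
+text-decoration: none;
+}
+a:hover {
+color: #333;
+}
+</style>
+</head>
+<body>
+<article>
+<h1>Site web en pause !</h1>
+<div>
+<p>Le site et les cours de photographie sont actuellement en pause.</p>
+</div>
+</article>
+</body>
+</html>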
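--- /dev/null
+++ b/modules/private/websites/emilia/production.nix
@@ -0,0 +1,69 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.emilia.production;
+env = myconfig.env.websites.emilia;
+varDir = "/var/lib/moodle";
+siteDir = ./moodle;
+webappName = "emilia_moodle";
+root = "/run/current-system/webapps/${webappName}";
+# php_admin_value[upload_max_filesize] = 50000000
+# php_admin_value[post_max_size] = 50000000
+configFile = ''
+<?php // Moodle configuration file
+
+unset($CFG);
+global $CFG;
+$CFG = new stdClass();
+
+$CFG->dbtype = 'pgsql';
+$CFG->dblibrary = 'native';
+$CFG->dbhost = '${env.postgresql.host}';
+$CFG->dbname = '${env.postgresql.database}';
+$CFG->dbuser = '${env.postgresql.user}';
+$CFG->dbpass = '${env.postgresql.password}';
+$CFG->prefix = 'mdl_';
+$CFG->dboptions = array (
+'dbpersist' => 0,
+'dbport' => '${env.postgreesql.port}',
+'dbsocket' => '${env.postgresql.password}',
+);
+
+$CFG->wwwroot = 'https://www.saison-photo.org';
+$CFG->dataroot = '${varDir}';
+$CFG->admin = 'admin';
+
+$CFG->directorypermissions = 02777;
+
+require_once(__DIR__ . '/lib/setup.php');
+
+// There is no php closing tag in this file,
+// it is intentional because it prevents trailing whitespace problems!
+'';
+in {
+options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website";
+
+config = lib.mkIf cfg.enable {
+system.activationScripts.emilia = ''
+install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
+'';
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${siteDir} $out/webapps/${webappName}
+'';
+services.websites.production.vhostConfs.emilia = {
+certName = "emilia";
+certMainHost = "saison-photo.org";
+hosts = [ "saison-photo.org" "www.saison-photo.org" ];
+root = root;
+extraConfig = [
+''
+<Directory ${root}>
+DirectoryIndex pause.html
+Options Indexes FollowSymLinks MultiViews Includes
+Require all granted
+</Directory>
+''
+];
+};
+};
+}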
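Review bot: `configFile` (lines 11–41) is never referenced in the `config` block, so the Moodle config.php it describes is not installed anywhere, and because Nix evaluates lazily the two defects inside it go unnoticed: line 27 reads `env.postgreesql.port` (typo for `postgresql`, which would fail evaluation once used) and line 28 sets `'dbsocket' => '${env.postgresql.password}'`, pasting the database password into the socket field. Either wire the file into the webapp and fix both lines (`'dbport' => '${env.postgresql.port}',` and a real socket path or an empty string for `dbsocket`), or delete it together with the now-unused `env` and the two commented php_admin_value lines, with a comment saying the site is parked on pause.html. Before it goes live, `$CFG->directorypermissions = 02777` also deserves a second look, since it makes every Moodle-created directory world-writable.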
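--- /dev/null
+++ b/modules/private/websites/florian/app.nix
@@ -0,0 +1,38 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+adminer = pkgs.callPackage ../commons/adminer.nix {};
+
+tellesflorian = pkgs.callPackage ./builder_app.nix {
+inherit (pkgs.webapps) tellesflorian;
+config = myconfig.env.websites.tellesflorian.integration;
+apacheUser = config.services.httpd.Inte.user;
+apacheGroup = config.services.httpd.Inte.group;
+};
+
+cfg = config.myServices.websites.florian.app;
+in {
+options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = tellesflorian.keys;
+services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian.phpFpm.pool;
+system.activationScripts.tellesflorian_dev = tellesflorian.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${tellesflorian.app.webRoot} $out/webapps/${tellesflorian.apache.webappName}
+'';
+services.websites.integration.modules = adminer.apache.modules ++ tellesflorian.apache.modules;
+services.websites.integration.vhostConfs.tellesflorian = {
+certName = "eldiron";
+addToCerts = true;
+hosts = ["app.tellesflorian.com" ];
+root = tellesflorian.apache.root;
+extraConfig = [
+tellesflorian.apache.vhostConf
+adminer.apache.vhostConf
+];
+};
+};
+}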
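Review bot: `adminer.apache.vhostConf` is appended to the same vhost as the application (lines 32–35), so whether the Adminer path is covered by the LDAP/invite `<Location />` gate that builder_app.nix emits in its dev branch depends entirely on what adminer.nix declares for its own path, which is not visible here. A comment next to line 34 stating which access rule applies to Adminer on this host (or an explicit `<Location>` with its own `Require` in this file) would make that auditable without reading commons/adminer.nix.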
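--- /dev/null
+++ b/modules/private/websites/florian/builder_app.nix
@@ -0,0 +1,152 @@
+{ apacheUser, apacheGroup, tellesflorian, config }:
+rec {
+app = tellesflorian.override { inherit (config) environment; };
+keys = [
+{
+dest = "webapps/${app.environment}-tellesflorian-passwords";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+invite:${config.invite_passwords}
+'';
+}
+{
+dest = "webapps/${app.environment}-tellesflorian";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+# This file is auto-generated during the composer install
+parameters:
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
+database_name: ${config.mysql.name}
+database_user: ${config.mysql.user}
+database_password: ${config.mysql.password}
+mailer_transport: smtp
+mailer_host: 127.0.0.1
+mailer_user: null
+mailer_password: null
+secret: ${config.secret}
+'';
+}
+];
+phpFpm = rec {
+preStart = ''
+if [ ! -f "${app.varDir}/currentWebappDir" -o \
+! -f "${app.varDir}/currentKey" -o \
+"${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+|| ! sha512sum -c --status ${app.varDir}/currentKey; then
+pushd ${app} > /dev/null
+/run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${app.environment} cache:clear --no-warmup
+popd > /dev/null
+echo -n "${app}" > ${app.varDir}/currentWebappDir
+sha512sum /var/secrets/webapps/${app.environment}-tellesflorian > ${app.varDir}/currentKey
+fi
+'';
+serviceDeps = [ "mysql.service" ];
+socket = "/var/run/phpfpm/floriantelles-${app.environment}.sock";
+pool = ''
+listen = ${socket}
+user = ${apacheUser}
+group = ${apacheGroup}
+listen.owner = ${apacheUser}
+listen.group = ${apacheGroup}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-tellesflorian:${app}:${app.varDir}:/tmp"
+php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+${if app.environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+env[SYMFONY_DEBUG_MODE] = "yes"
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "florian_${app.environment}";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+${if app.environment == "dev" then ''
+<Location />
+AuthBasicProvider file ldap
+Use LDAPConnect
+Require ldap-group cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
+
+AuthUserFile "/var/secrets/webapps/${app.environment}-tellesflorian-passwords"
+Require user "invite"
+
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
+</Location>
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+
+DirectoryIndex app_dev.php
+
+<IfModule mod_negotiation.c>
+Options -MultiViews
+</IfModule>
+
+<IfModule mod_rewrite.c>
+RewriteEngine On
+
+RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+RewriteRule ^(.*) - [E=BASE:%1]
+
+# Maintenance script
+RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ErrorDocument 503 /maintenance.php
+
+# Sets the HTTP_AUTHORIZATION header removed by Apache
+RewriteCond %{HTTP:Authorization} .
+RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+RewriteCond %{ENV:REDIRECT_STATUS} ^$
+RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+# If the requested filename exists, simply serve it.
+# We only want to let Apache serve files and not directories.
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteRule ^ - [L]
+
+# Rewrite all other queries to the front controller.
+RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+</IfModule>
+
+</Directory>
+'' else ''
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+''}
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+${app.varDir}/var
+install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+'';
+};
+}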
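Review bot: Line 42 runs `cache:clear` as the hard-coded user `wwwrun`, while the directories it writes into are created for `${apacheUser}`/`${apacheGroup}` by `activationScript` (lines 147–149) and the pool itself runs as `${apacheUser}`; whenever the integration httpd user is not `wwwrun`, the regenerated cache ends up owned by a different user than the one serving it. `/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup` removes the mismatch and is what ludivinecassal/builder.nix does on its equivalent line. The two `Require` directives in the dev `<Location />` (lines 87 and 90) rely on Apache 2.4's implicit `RequireAny`, so either LDAP group membership or the shared `invite` account grants access; a comment such as `# either an LDAP group member or the shared invite account may enter (implicit RequireAny)` above line 85 would spare the next reader a trip to the docs.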
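--- /dev/null
+++ b/modules/private/websites/florian/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+adminer = pkgs.callPackage ../commons/adminer.nix {};
+cfg = config.myServices.websites.florian.integration;
+varDir = "/var/lib/ftp/florian";
+env = myconfig.env.websites.florian;
+in {
+options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration";
+
+config = lib.mkIf cfg.enable {
+security.acme.certs."ftp".extraDomains."florian.immae.eu" = null;
+
+services.websites.integration.modules = adminer.apache.modules;
+services.websites.integration.vhostConfs.florian = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "florian.immae.eu" ];
+root = "${varDir}/florian.immae.eu";
+extraConfig = [
+adminer.apache.vhostConf
+''
+ServerAdmin ${env.server_admin}
+
+<Directory ${varDir}/florian.immae.eu>
+DirectoryIndex index.php index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+};
+};
+}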
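Review bot: This module and florian/production.nix (next section) are the same text with only the environment (`integration`/`production`), vhost hosts, cert settings and the `${varDir}/<host>` subdirectory substituted, and the connexionswing integration/production pair repeats the same shape; a small helper taking those few values would keep the `<Directory>` blocks from drifting apart, which is already happening elsewhere in this commit. If the duplication is kept on purpose, a comment at the top of each file noting that the two must be edited together is the cheap alternative.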
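--- /dev/null
+++ b/modules/private/websites/florian/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+adminer = pkgs.callPackage ../commons/adminer.nix {};
+cfg = config.myServices.websites.florian.production;
+varDir = "/var/lib/ftp/florian";
+env = myconfig.env.websites.florian;
+in {
+options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production";
+
+config = lib.mkIf cfg.enable {
+security.acme.certs."ftp".extraDomains."tellesflorian.com" = null;
+
+services.websites.production.modules = adminer.apache.modules;
+services.websites.production.vhostConfs.florian = {
+certName = "florian";
+certMainHost = "tellesflorian.com";
+hosts = [ "tellesflorian.com" "www.tellesflorian.com" ];
+root = "${varDir}/tellesflorian.com";
+extraConfig = [
+adminer.apache.vhostConf
+''
+ServerAdmin ${env.server_admin}
+
+<Directory ${varDir}/tellesflorian.com>
+DirectoryIndex index.php index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+};
+};
+}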
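--- /dev/null
+++ b/modules/private/websites/immae/production.nix
@@ -0,0 +1,64 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.immae.production;
+varDir = "/var/lib/ftp/immae";
+env = myconfig.env.websites.immae;
+in {
+options.myServices.websites.immae.production.enable = lib.mkEnableOption "enable Immae's website";
+
+config = lib.mkIf cfg.enable {
+services.webstats.sites = [ { name = "www.immae.eu"; } ];
+
+services.myPhpfpm.poolConfigs.immae = ''
+listen = /run/phpfpm/immae.sock
+user = wwwrun
+group = wwwrun
+listen.owner = wwwrun
+listen.group = wwwrun
+
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+
+php_admin_value[open_basedir] = "${varDir}:/tmp"
+'';
+services.websites.production.modules = [ "proxy_fcgi" ];
+services.websites.production.vhostConfs.immae = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "www.immae.eu" ];
+root = varDir;
+extraConfig = [
+''
+Use Stats www.immae.eu
+
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:/run/phpfpm/immae.sock|fcgi://localhost"
+</FilesMatch>
+
+<Directory ${varDir}>
+DirectoryIndex index.php index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+
+<Location /blog_old/>
+Use LDAPConnect
+Require ldap-group cn=blog,cn=immae.eu,ou=services,dc=immae,dc=eu
+</Location>
+''
+];
+};
+
+services.websites.production.vhostConfs.bouya = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "bouya.org" "www.bouya.org" ];
+root = null;
+extraConfig = [ ''
+RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://www.normalesup.org/~bouya/
+'' ];
+};
+};
+}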
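Review bot: The `immae` pool (lines 12–24) restricts `open_basedir` to `${varDir}:/tmp` but sets no `session.save_path`, so PHP sessions go to PHP's default location rather than a per-site directory, and the shared `/tmp` entry in `open_basedir` makes that location reachable from every other pool configured the same way; leila/production.nix has exactly the same shape. The connexionswing and florian builders already show the pattern to copy: `php_admin_value[session.save_path] = "${varDir}/phpSessions"` in the pool plus an `install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions` in an activation script. `env` on line 5 is never used in this file.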
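--- /dev/null
+++ b/modules/private/websites/immae/release.nix
@@ -0,0 +1,39 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.immae.release;
+varDir = "/var/lib/ftp/release.immae.eu";
+env = myconfig.env.websites.release;
+in {
+options.myServices.websites.immae.release.enable = lib.mkEnableOption "enable Release' website";
+
+config = lib.mkIf cfg.enable {
+services.webstats.sites = [ { name = "release.immae.eu"; } ];
+
+services.websites.production.vhostConfs.release = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "release.immae.eu" ];
+root = varDir;
+extraConfig = [
+''
+Use Stats release.immae.eu
+
+Use Apaxy "${varDir}" "title .duplicity-ignore"
+<Directory "${varDir}">
+Use LDAPConnect
+Options Indexes
+AllowOverride All
+Require all granted
+</Directory>
+
+<Directory "${varDir}/packages">
+Use LDAPConnect
+Options Indexes FollowSymlinks
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+};
+};
+}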
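Review bot: Both `<Directory>` blocks (lines 22–34) call `Use LDAPConnect` and then end with `Require all granted`, so LDAP authentication is wired up but nothing in this file enforces it. If the intent is that `.htaccess` files under `${varDir}` add the `Require ldap-group` lines (possible there because of `AllowOverride All`), a comment saying so would prevent the `packages` subtree, which has `AllowOverride None` and therefore cannot be tightened that way, from being read as accidentally public; if `packages` is meant to be restricted, its `Require all granted` should become the relevant `Require ldap-group ...` line here. `env` on line 5 is unused.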
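--- /dev/null
+++ b/modules/private/websites/immae/temp.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.immae.temp;
+varDir = "/var/lib/ftp/temp.immae.eu";
+env = myconfig.env.websites.temp;
+in {
+options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website";
+
+config = lib.mkIf cfg.enable {
+services.websites.production.modules = [ "headers" ];
+services.websites.production.vhostConfs.temp = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "temp.immae.eu" ];
+root = varDir;
+extraConfig = [
+''
+Use Apaxy "${varDir}" "title .duplicity-ignore"
+<FilesMatch ".+">
+Header set Content-Disposition attachment
+</FilesMatch>
+<Directory "${varDir}">
+Options -Indexes
+AllowOverride None
+Require all granted
+</Directory>
+
+<DirectoryMatch "${varDir}/(.+)">
+Options Indexes
+</DirectoryMatch>
+''
+];
+};
+};
+}
+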
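--- /dev/null
+++ b/modules/private/websites/leila/production.nix
@@ -0,0 +1,82 @@
+{ lib, pkgs, config, ... }:
+let
+cfg = config.myServices.websites.leila.production;
+varDir = "/var/lib/ftp/leila";
+in {
+options.myServices.websites.leila.production.enable = lib.mkEnableOption "enable Leila's website in production";
+
+config = lib.mkIf cfg.enable {
+services.myPhpfpm.poolConfigs.leila = ''
+listen = /run/phpfpm/leila.sock
+user = wwwrun
+group = wwwrun
+listen.owner = wwwrun
+listen.group = wwwrun
+
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+
+php_admin_value[open_basedir] = "${varDir}:/tmp"
+'';
+
+services.webstats.sites = [
+{ name = "leila.bouya.org"; }
+{ name = "chorale.leila.bouya.org"; }
+];
+
+services.websites.production.modules = [ "proxy_fcgi" ];
+services.websites.production.vhostConfs.leila_chorale = {
+certName = "leila";
+addToCerts = true;
+hosts = [ "chorale.leila.bouya.org" "chorale-vocanta.fr.nf" "www.chorale-vocanta.fr.nf" ];
+root = "${varDir}/Chorale";
+extraConfig = [
+''
+Use Stats chorale.leila.bouya.org
+<Directory ${varDir}/Chorale>
+DirectoryIndex index.php index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+
+Use LDAPConnect
+Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost"
+</FilesMatch>
+</Directory>
+''
+];
+};
+services.websites.production.vhostConfs.leila = {
+certName = "leila";
+certMainHost = "leila.bouya.org";
+hosts = [ "leila.bouya.org" ];
+root = varDir;
+extraConfig = [
+''
+Use Stats leila.bouya.org
+<Directory ${varDir}/Chorale>
+DirectoryIndex index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+
+Use LDAPConnect
+Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost"
+</FilesMatch>
+</Directory>
+<Directory ${varDir}>
+DirectoryIndex index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+};
+};
+}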
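Review bot: The `<Directory ${varDir}/Chorale>` block is written twice, once per vhost (lines 37–48 and 60–71), and the two copies already disagree: the chorale vhost lists `DirectoryIndex index.php index.htm index.html` while the leila vhost lists only `index.htm index.html`, so `leila.bouya.org/Chorale/` will not serve an `index.php` that `chorale.leila.bouya.org/` does, even though both route PHP to the same pool. Binding the block once in the `let` (e.g. `choraleDir = ''...'';`) and interpolating it into both `extraConfig` strings keeps them identical; if the difference is intentional, a comment on line 61 should say why.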
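--- /dev/null
+++ b/modules/private/websites/ludivinecassal/builder.nix
@@ -0,0 +1,155 @@
+{ apacheUser, apacheGroup, config, ludivinecassal, pkgs, ruby, sass, imagemagick }:
+rec {
+app = ludivinecassal.override { inherit (config) environment; };
+varDir = "/var/lib/ludivinecassal_${app.environment}";
+keys = [{
+dest = "webapps/${app.environment}-ludivinecassal";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+# This file is auto-generated during the composer install
+parameters:
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
+database_name: ${config.mysql.name}
+database_user: ${config.mysql.user}
+database_password: ${config.mysql.password}
+database_server_version: ${pkgs.mariadb.mysqlVersion}
+mailer_transport: smtp
+mailer_host: 127.0.0.1
+mailer_user: null
+mailer_password: null
+secret: ${config.secret}
+ldap_host: ldap.immae.eu
+ldap_port: 636
+ldap_version: 3
+ldap_ssl: true
+ldap_tls: false
+ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+ldap_base_dn: 'dc=immae,dc=eu'
+ldap_search_dn: '${config.ldap.dn}'
+ldap_search_password: '${config.ldap.password}'
+ldap_search_filter: '${config.ldap.search}'
+leapt_im:
+binary_path: ${imagemagick}/bin
+assetic:
+sass: ${sass}/bin/sass
+ruby: ${ruby}/bin/ruby
+'';
+}];
+phpFpm = rec {
+preStart = ''
+if [ ! -f "${app.varDir}/currentWebappDir" -o \
+! -f "${app.varDir}/currentKey" -o \
+"${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+|| ! sha512sum -c --status ${app.varDir}/currentKey; then
+pushd ${app} > /dev/null
+/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+popd > /dev/null
+echo -n "${app}" > ${app.varDir}/currentWebappDir
+sha512sum /var/secrets/webapps/${app.environment}-ludivinecassal > ${app.varDir}/currentKey
+fi
+'';
+serviceDeps = [ "mysql.service" ];
+socket = "/var/run/phpfpm/ludivinecassal-${app.environment}.sock";
+pool = ''
+listen = ${socket}
+user = ${apacheUser}
+group = ${apacheGroup}
+listen.owner = ${apacheUser}
+listen.group = ${apacheGroup}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-ludivinecassal:${app}:${app.varDir}:/tmp"
+php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+${if app.environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+env[SYMFONY_DEBUG_MODE] = "yes"
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "ludivine_${app.environment}";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+${if app.environment == "dev" then ''
+<Location />
+Use LDAPConnect
+Require ldap-group cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
+</Location>
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+
+DirectoryIndex app_dev.php
+
+<IfModule mod_negotiation.c>
+Options -MultiViews
+</IfModule>
+
+<IfModule mod_rewrite.c>
+RewriteEngine On
+
+RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+RewriteRule ^(.*) - [E=BASE:%1]
+
+# Maintenance script
+RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ErrorDocument 503 /maintenance.php
+
+# Sets the HTTP_AUTHORIZATION header removed by Apache
+RewriteCond %{HTTP:Authorization} .
+RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+RewriteCond %{ENV:REDIRECT_STATUS} ^$
+RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+# If the requested filename exists, simply serve it.
+# We only want to let Apache serve files and not directories.
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteRule ^ - [L]
+
+# Rewrite all other queries to the front controller.
+RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+</IfModule>
+
+</Directory>
+'' else ''
+Use Stats ludivinecassal.com
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+''}
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/tmp
+install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+'';
+};
+}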
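Review bot: The production `<Directory ${root}>` block at line 140 keeps `Options Indexes FollowSymLinks MultiViews Includes`, which turns on directory listing and server-side includes for the public Symfony web root, where neither is needed by a front-controller application; the dev branch carries the same line at 97, but there it sits behind the LDAP `Require` of the `<Location />`. Suggest `Options FollowSymLinks` there, or at minimum dropping `Indexes` and `Includes`; if `AllowOverride All` on line 141 exists so that a shipped `.htaccess` can set its own options, that file is the place to grant them rather than the vhost. The same production block appears in `modules/private/websites/piedsjaloux/builder.nix` at its line 129.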
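--- /dev/null
+++ b/modules/private/websites/ludivinecassal/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+ludivinecassal = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) ludivinecassal;
+config = myconfig.env.websites.ludivinecassal.integration;
+apacheUser = config.services.httpd.Inte.user;
+apacheGroup = config.services.httpd.Inte.group;
+};
+
+cfg = config.myServices.websites.ludivinecassal.integration;
+in {
+options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = ludivinecassal.keys;
+
+services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.ludivinecassal_dev = ludivinecassal.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal.phpFpm.pool;
+system.activationScripts.ludivinecassal_dev = ludivinecassal.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName}
+'';
+services.websites.integration.modules = ludivinecassal.apache.modules;
+services.websites.integration.vhostConfs.ludivine = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "ludivine.immae.eu" ];
+root = ludivinecassal.apache.root;
+extraConfig = [ ludivinecassal.apache.vhostConf ];
+};
+};
+}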
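--- /dev/null
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+ludivinecassal = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) ludivinecassal;
+config = myconfig.env.websites.ludivinecassal.production;
+apacheUser = config.services.httpd.Prod.user;
+apacheGroup = config.services.httpd.Prod.group;
+};
+
+cfg = config.myServices.websites.ludivinecassal.production;
+in {
+options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = ludivinecassal.keys;
+services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
+
+services.myPhpfpm.preStart.ludivinecassal_prod = ludivinecassal.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.ludivinecassal_prod = ludivinecassal.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal.phpFpm.pool;
+system.activationScripts.ludivinecassal_prod = ludivinecassal.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName}
+'';
+services.websites.production.modules = ludivinecassal.apache.modules;
+services.websites.production.vhostConfs.ludivine = {
+certName = "ludivinecassal";
+certMainHost = "ludivinecassal.com";
+hosts = ["ludivinecassal.com" "www.ludivinecassal.com" ];
+root = ludivinecassal.apache.root;
+extraConfig = [ ludivinecassal.apache.vhostConf ];
+};
+};
+}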
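--- /dev/null
+++ b/modules/private/websites/nassime/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.nassime.production;
+varDir = "/var/lib/ftp/nassime";
+env = myconfig.env.websites.nassime;
+in {
+options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website";
+
+config = lib.mkIf cfg.enable {
+services.webstats.sites = [ { name = "nassime.bouya.org"; } ];
+
+security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null;
+
+services.websites.production.vhostConfs.nassime = {
+certName = "nassime";
+certMainHost = "nassime.bouya.org";
+hosts = ["nassime.bouya.org" ];
+root = varDir;
+extraConfig = [
+''
+Use Stats nassime.bouya.org
+ServerAdmin ${env.server_admin}
+
+<Directory ${varDir}>
+DirectoryIndex index.php index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+};
+};
+}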
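Review bot: `Options Indexes FollowSymLinks MultiViews Includes` at line 26 enables server-side includes, including the `exec` element, on `/var/lib/ftp/nassime`, a document root that by its path is populated over FTP rather than from the Nix store, so content the site owner uploads would be evaluated by httpd with that capability. `IncludesNOEXEC` keeps includes while withholding exec: `Options Indexes FollowSymLinks MultiViews IncludesNOEXEC`; whether a server-parsed handler is actually mapped for this vhost depends on the shared httpd configuration outside this module, so confirm that before treating the current line as harmless. The same `Options` line is in `modules/private/websites/naturaloutil/production.nix` at its line 78, on `/var/lib/ftp/jerome`.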
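--- /dev/null
+++ b/modules/private/websites/naturaloutil/production.nix
@@ -0,0 +1,86 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+adminer = pkgs.callPackage ../commons/adminer.nix {};
+cfg = config.myServices.websites.naturaloutil.production;
+varDir = "/var/lib/ftp/jerome";
+env = myconfig.env.websites.jerome;
+in {
+options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website";
+
+config = lib.mkIf cfg.enable {
+services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ];
+
+security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
+
+secrets.keys = [{
+dest = "webapps/prod-naturaloutil";
+user = "wwwrun";
+group = "wwwrun";
+permissions = "0400";
+text = ''
+<?php
+$mysql_user = '${env.mysql.user}' ;
+$mysql_server = '${env.mysql.host}' ;
+$mysql_base = '${env.mysql.name}' ;
+$mysql_password = '${env.mysql.password}' ;
+//connect to db
+$db = mysqli_init();
+${if env.mysql.host != "localhost" then ''
+mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
+$db->ssl_set(NULL, NULL, "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt", NULL, NULL);
+'' else ""}
+$database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
+?>
+'';
+}];
+services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" ];
+services.myPhpfpm.poolConfigs.jerome = ''
+listen = /run/phpfpm/naturaloutil.sock
+user = wwwrun
+group = wwwrun
+listen.owner = wwwrun
+listen.group = wwwrun
+
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+
+env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil"
+php_admin_value[open_basedir] = "/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
+'';
+services.myPhpfpm.poolPhpConfigs.jerome = ''
+extension=${pkgs.php}/lib/php/extensions/mysqli.so
+'';
+services.websites.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ];
+services.websites.production.vhostConfs.naturaloutil = {
+certName = "naturaloutil";
+certMainHost = "naturaloutil.immae.eu";
+hosts = ["naturaloutil.immae.eu" ];
+root = varDir;
+extraConfig = [
+adminer.apache.vhostConf
+''
+Use Stats naturaloutil.immae.eu
+ServerAdmin ${env.server_admin}
+ErrorLog "${varDir}/logs/error_log"
+CustomLog "${varDir}/logs/access_log" combined
+
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost"
+</FilesMatch>
+
+<Directory ${varDir}/logs>
+AllowOverride None
+Require all denied
+</Directory>
+<Directory ${varDir}>
+DirectoryIndex index.php index.htm index.html
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+</Directory>
+''
+];
+};
+};
+}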
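Review bot: The secret entry at lines 17–18 and the pool at lines 39–42 hard-code `wwwrun` as user and group, whereas the other modules in this commit take that identity from `config.services.httpd.Prod.user` and `.group` (for instance `ludivinecassal/production.nix` lines 6–7); because the key is installed with `permissions = "0400"`, a later change of the production httpd user would leave the pool unable to read `/var/secrets/webapps/prod-naturaloutil` without any evaluation-time error. Suggest `user = config.services.httpd.Prod.user;` and `group = config.services.httpd.Prod.group;` in `secrets.keys`, with the same values interpolated into the pool's `user`, `group`, `listen.owner` and `listen.group` lines. Presumably `wwwrun` is the current value of that option, but nothing in this module ties the two together.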
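--- /dev/null
+++ b/modules/private/websites/papa/surveillance.nix
@@ -0,0 +1,49 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+cfg = config.myServices.websites.papa.surveillance;
+varDir = "/var/lib/ftp/papa";
+in {
+options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website";
+
+config = lib.mkIf cfg.enable {
+security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null;
+
+services.cron = {
+systemCronJobs = let
+script = pkgs.writeScript "cleanup-papa" ''
+#!${pkgs.stdenv.shell}
+d=$(date -d "7 days ago" +%Y%m%d)
+for i in /var/lib/ftp/papa/*/20[0-9][0-9][0-9][0-9][0-9][0-9]; do
+if [ "$d" -gt $(basename $i) ]; then
+rm -rf "$i"
+fi
+done
+'';
+in
+[
+''
+0 6 * * * wwwrun ${script}
+''
+];
+};
+
+services.websites.production.vhostConfs.papa = {
+certName = "papa";
+certMainHost = "surveillance.maison.bbc.bouya.org";
+hosts = [ "surveillance.maison.bbc.bouya.org" ];
+root = varDir;
+extraConfig = [
+''
+Use Apaxy "${varDir}" "title .duplicity-ignore"
+<Directory ${varDir}>
+Use LDAPConnect
+Options Indexes
+AllowOverride None
+Require ldap-group cn=surveillance.maison.bbc.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+</Directory>
+''
+];
+};
+};
+}
+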
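Review bot: In the cleanup script at lines 16–17, when the glob `/var/lib/ftp/papa/*/20[0-9][0-9][0-9][0-9][0-9][0-9]` matches nothing the loop body still runs once with the literal pattern, and `[ "$d" -gt $(basename $i) ]` then fails with an integer-expression error on every nightly run; `$i` is also unquoted inside the `basename` substitution. Suggest a guard before the comparison, `[ -d "$i" ] || continue`, and quoting it as `if [ "$d" -gt "$(basename "$i")" ]; then`. The directory is also spelled out instead of reusing `varDir` from line 4, so the two can drift apart; `for i in ${varDir}/*/20[0-9][0-9][0-9][0-9][0-9][0-9]; do` keeps them in step.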
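--- /dev/null
+++ b/modules/private/websites/piedsjaloux/builder.nix
@@ -0,0 +1,144 @@
+{ apacheUser, apacheGroup, piedsjaloux, config, pkgs, lib, texlive, imagemagick }:
+rec {
+app = piedsjaloux.override { inherit (config) environment; };
+varDir = "/var/lib/piedsjaloux_${app.environment}";
+keys = [{
+dest = "webapps/${app.environment}-piedsjaloux";
+user = apacheUser;
+group = apacheGroup;
+permissions = "0400";
+text = ''
+# This file is auto-generated during the composer install
+parameters:
+database_host: ${config.mysql.host}
+database_port: ${config.mysql.port}
+database_name: ${config.mysql.name}
+database_user: ${config.mysql.user}
+database_password: ${config.mysql.password}
+database_server_version: ${pkgs.mariadb.mysqlVersion}
+mailer_transport: smtp
+mailer_host: 127.0.0.1
+mailer_user: null
+mailer_password: null
+secret: ${config.secret}
+pdflatex: "${texlive.combine { inherit (texlive) attachfile preprint scheme-small; }}/bin/pdflatex"
+leapt_im:
+binary_path: ${imagemagick}/bin
+'';
+}];
+phpFpm = rec {
+preStart = ''
+if [ ! -f "${app.varDir}/currentWebappDir" -o \
+! -f "${app.varDir}/currentKey" -o \
+"${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+|| ! sha512sum -c --status ${app.varDir}/currentKey; then
+pushd ${app} > /dev/null
+/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+popd > /dev/null
+echo -n "${app}" > ${app.varDir}/currentWebappDir
+sha512sum /var/secrets/webapps/${app.environment}-piedsjaloux > ${app.varDir}/currentKey
+fi
+'';
+serviceDeps = [ "mysql.service" ];
+socket = "/var/run/phpfpm/piedsjaloux-${app.environment}.sock";
+pool = ''
+listen = ${socket}
+user = ${apacheUser}
+group = ${apacheGroup}
+listen.owner = ${apacheUser}
+listen.group = ${apacheGroup}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-piedsjaloux:${app}:${app.varDir}:/tmp"
+php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
+${if app.environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+env[SYMFONY_DEBUG_MODE] = "yes"
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+apache = rec {
+modules = [ "proxy_fcgi" ];
+webappName = "piedsjaloux_${app.environment}";
+root = "/run/current-system/webapps/${webappName}";
+vhostConf = ''
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+${if app.environment == "dev" then ''
+<Location />
+Use LDAPConnect
+Require ldap-group cn=piedsjaloux.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://piedsjaloux.fr\"></html>"
+</Location>
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+
+DirectoryIndex app_dev.php
+
+<IfModule mod_negotiation.c>
+Options -MultiViews
+</IfModule>
+
+<IfModule mod_rewrite.c>
+RewriteEngine On
+
+RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+RewriteRule ^(.*) - [E=BASE:%1]
+
+# Maintenance script
+RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ErrorDocument 503 /maintenance.php
+
+# Sets the HTTP_AUTHORIZATION header removed by Apache
+RewriteCond %{HTTP:Authorization} .
+RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+RewriteCond %{ENV:REDIRECT_STATUS} ^$
+RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+# If the requested filename exists, simply serve it.
+# We only want to let Apache serve files and not directories.
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteRule ^ - [L]
+
+# Rewrite all other queries to the front controller.
+RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+</IfModule>
+
+</Directory>
+'' else ''
+Use Stats piedsjaloux.fr
+
+<Directory ${root}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+''}
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+${app.varDir}/tmp
+install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+'';
+};
+}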
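--- /dev/null
+++ b/modules/private/websites/piedsjaloux/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+piedsjaloux = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) piedsjaloux;
+config = myconfig.env.websites.piedsjaloux.integration;
+apacheUser = config.services.httpd.Inte.user;
+apacheGroup = config.services.httpd.Inte.group;
+};
+
+cfg = config.myServices.websites.piedsjaloux.integration;
+in {
+options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = piedsjaloux.keys;
+services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux.phpFpm.pool;
+system.activationScripts.piedsjaloux_dev = piedsjaloux.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
+'';
+services.websites.integration.modules = piedsjaloux.apache.modules;
+services.websites.integration.vhostConfs.piedsjaloux = {
+certName = "eldiron";
+addToCerts = true;
+hosts = [ "piedsjaloux.immae.eu" ];
+root = piedsjaloux.apache.root;
+extraConfig = [ piedsjaloux.apache.vhostConf ];
+};
+};
+}
+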
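--- /dev/null
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+piedsjaloux = pkgs.callPackage ./builder.nix {
+inherit (pkgs.webapps) piedsjaloux;
+config = myconfig.env.websites.piedsjaloux.production;
+apacheUser = config.services.httpd.Prod.user;
+apacheGroup = config.services.httpd.Prod.group;
+};
+
+cfg = config.myServices.websites.piedsjaloux.production;
+in {
+options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
+
+config = lib.mkIf cfg.enable {
+secrets.keys = piedsjaloux.keys;
+services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
+
+services.myPhpfpm.preStart.piedsjaloux_prod = piedsjaloux.phpFpm.preStart;
+services.myPhpfpm.serviceDependencies.piedsjaloux_prod = piedsjaloux.phpFpm.serviceDeps;
+services.myPhpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux.phpFpm.pool;
+system.activationScripts.piedsjaloux_prod = piedsjaloux.activationScript;
+system.extraSystemBuilderCmds = ''
+mkdir -p $out/webapps
+ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
+'';
+services.websites.production.modules = piedsjaloux.apache.modules;
+services.websites.production.vhostConfs.piedsjaloux = {
+certName = "piedsjaloux";
+certMainHost = "piedsjaloux.fr";
+hosts = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
+root = piedsjaloux.apache.root;
+extraConfig = [ piedsjaloux.apache.vhostConf ];
+};
+};
+}
+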