diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-11 15:34:31 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-01-11 15:34:31 +0100 |
commit | 423c3f1caefdf5f125a2acf7456b5ca0273cee4b (patch) | |
tree | 079f24a9d16dd83d0779d4f7a4c17e49a0160457 /modules/private | |
parent | 619e4f46adc15e409122c4e0fa0e0a0b811bb32f (diff) | |
download | Nix-423c3f1caefdf5f125a2acf7456b5ca0273cee4b.tar.gz Nix-423c3f1caefdf5f125a2acf7456b5ca0273cee4b.tar.zst Nix-423c3f1caefdf5f125a2acf7456b5ca0273cee4b.zip |
Add iridologie via spip
Diffstat (limited to 'modules/private')
-rw-r--r-- | modules/private/environment.nix | 12 | ||||
-rw-r--r-- | modules/private/websites/isabelle/config/chmod.php | 4 | ||||
-rw-r--r-- | modules/private/websites/isabelle/config/connect.php | 15 | ||||
-rw-r--r-- | modules/private/websites/isabelle/config/ldap.php | 9 | ||||
-rw-r--r-- | modules/private/websites/isabelle/iridologie.nix | 76 | ||||
-rw-r--r-- | modules/private/websites/isabelle/spip_builder.nix | 99 |
6 files changed, 171 insertions, 44 deletions
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index 98d50b1..50f153a 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
@@ -1005,6 +1005,16 @@ in | |||
1005 | options = { | 1005 | options = { |
1006 | aten_production = atenSubmodule; | 1006 | aten_production = atenSubmodule; |
1007 | aten_integration = atenSubmodule; | 1007 | aten_integration = atenSubmodule; |
1008 | iridologie = mkOption { | ||
1009 | description = "environment configuration"; | ||
1010 | type = submodule { | ||
1011 | options = { | ||
1012 | environment = mkOption { type = str; description = "SPIP environment"; }; | ||
1013 | mysql = mkMysqlOptions "Iridologie" {}; | ||
1014 | ldap = mkLdapOptions "Iridologie" {}; | ||
1015 | }; | ||
1016 | }; | ||
1017 | }; | ||
1008 | }; | 1018 | }; |
1009 | }; | 1019 | }; |
1010 | }; | 1020 | }; |
@@ -1016,7 +1026,7 @@ in | |||
1016 | description = "environment configuration"; | 1026 | description = "environment configuration"; |
1017 | type = submodule { | 1027 | type = submodule { |
1018 | options = { | 1028 | options = { |
1019 | environment = mkOption { type = str; description = "Symfony environment"; }; | 1029 | environment = mkOption { type = str; description = "SPIP environment"; }; |
1020 | mysql = mkMysqlOptions "Chloe" {}; | 1030 | mysql = mkMysqlOptions "Chloe" {}; |
1021 | ldap = mkLdapOptions "Chloe" {}; | 1031 | ldap = mkLdapOptions "Chloe" {}; |
1022 | }; | 1032 | }; |
diff --git a/modules/private/websites/isabelle/config/chmod.php b/modules/private/websites/isabelle/config/chmod.php new file mode 100644 index 0000000..aae16cd --- /dev/null +++ b/modules/private/websites/isabelle/config/chmod.php | |||
@@ -0,0 +1,4 @@ | |||
1 | <?php | ||
2 | if (!defined("_ECRIRE_INC_VERSION")) return; | ||
3 | if (!defined('_SPIP_CHMOD')) define('_SPIP_CHMOD', 0777); | ||
4 | ?> \ No newline at end of file | ||
diff --git a/modules/private/websites/isabelle/config/connect.php b/modules/private/websites/isabelle/config/connect.php new file mode 100644 index 0000000..18b0933 --- /dev/null +++ b/modules/private/websites/isabelle/config/connect.php | |||
@@ -0,0 +1,15 @@ | |||
1 | <?php | ||
2 | if (!defined("_ECRIRE_INC_VERSION")) return; | ||
3 | define('_MYSQL_SET_SQL_MODE',true); | ||
4 | $GLOBALS['spip_connect_version'] = 0.7; | ||
5 | spip_connect_db( | ||
6 | getenv("SPIP_MYSQL_HOST"), | ||
7 | getenv("SPIP_MYSQL_PORT"), | ||
8 | getenv("SPIP_MYSQL_USER"), | ||
9 | getenv("SPIP_MYSQL_PASSWORD"), | ||
10 | getenv("SPIP_MYSQL_DB"), | ||
11 | 'mysql', | ||
12 | 'spip', | ||
13 | 'ldap.php' | ||
14 | ); | ||
15 | ?> | ||
diff --git a/modules/private/websites/isabelle/config/ldap.php b/modules/private/websites/isabelle/config/ldap.php new file mode 100644 index 0000000..825b7ed --- /dev/null +++ b/modules/private/websites/isabelle/config/ldap.php | |||
@@ -0,0 +1,9 @@ | |||
1 | <?php | ||
2 | if (!defined("_ECRIRE_INC_VERSION")) return; | ||
3 | $GLOBALS['ldap_base'] = getenv("SPIP_LDAP_BASE"); | ||
4 | $GLOBALS['ldap_link'] = @ldap_connect(getenv("SPIP_LDAP_HOST")); | ||
5 | @ldap_set_option($GLOBALS['ldap_link'],LDAP_OPT_PROTOCOL_VERSION,'3'); | ||
6 | @ldap_bind($GLOBALS['ldap_link'],getenv("SPIP_LDAP_SEARCH_DN"), getenv("SPIP_LDAP_SEARCH_PW")); | ||
7 | $GLOBALS['ldap_champs'] = array('login' => array('sAMAccountName','uid','login','userid','cn','sn'),'nom' => 'cn','email' => 'mail','bio' => 'description',); | ||
8 | $GLOBALS['ldap_search'] = getenv("SPIP_LDAP_SEARCH"); | ||
9 | ?> | ||
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index cb4e300..460bd2a 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix | |||
@@ -1,59 +1,49 @@ | |||
1 | { lib, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | iridologie = pkgs.callPackage ./spip_builder.nix { | ||
4 | inherit (pkgs.webapps) iridologie; | ||
5 | config = config.myEnv.websites.isabelle.iridologie; | ||
6 | apacheUser = config.services.httpd.Prod.user; | ||
7 | apacheGroup = config.services.httpd.Prod.group; | ||
8 | }; | ||
9 | |||
3 | cfg = config.myServices.websites.isabelle.iridologie; | 10 | cfg = config.myServices.websites.isabelle.iridologie; |
4 | varDir = "/var/lib/ftp/isabelle"; | ||
5 | in { | 11 | in { |
6 | options.myServices.websites.isabelle.iridologie.enable = lib.mkEnableOption "enable Iridologie's website"; | 12 | options.myServices.websites.isabelle.iridologie.enable = lib.mkEnableOption "enable Iridologie's website"; |
7 | 13 | ||
8 | config = lib.mkIf cfg.enable { | 14 | config = lib.mkIf cfg.enable { |
15 | services.duplyBackup.profiles.iridologie_prod.rootDir = iridologie.app.varDir; | ||
16 | secrets.keys = iridologie.keys; | ||
9 | services.webstats.sites = [ { name = "iridologie.icommandeur.org"; } ]; | 17 | services.webstats.sites = [ { name = "iridologie.icommandeur.org"; } ]; |
10 | system.activationScripts.iridologie = { | ||
11 | deps = [ "httpd" ]; | ||
12 | text = '' | ||
13 | install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/iridologie | ||
14 | ''; | ||
15 | }; | ||
16 | services.phpfpm.pools.iridologie = { | ||
17 | listen = "/run/phpfpm/iridologie.sock"; | ||
18 | extraConfig = '' | ||
19 | user = wwwrun | ||
20 | group = wwwrun | ||
21 | listen.owner = wwwrun | ||
22 | listen.group = wwwrun | ||
23 | |||
24 | pm = ondemand | ||
25 | pm.max_children = 5 | ||
26 | pm.process_idle_timeout = 60 | ||
27 | 18 | ||
28 | php_admin_value[open_basedir] = "/var/lib/php/sessions/iridologie:${varDir}:/tmp" | 19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; |
29 | php_admin_value[session.save_path] = "/var/lib/php/sessions/iridologie" | 20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; |
30 | ''; | 21 | services.phpfpm.pools.iridologie = { |
22 | listen = iridologie.phpFpm.socket; | ||
23 | extraConfig = iridologie.phpFpm.pool; | ||
24 | phpOptions = config.services.phpfpm.phpOptions + '' | ||
25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | ||
26 | ''; | ||
31 | }; | 27 | }; |
32 | services.websites.env.production.modules = [ "proxy_fcgi" ]; | 28 | system.activationScripts.iridologie = iridologie.activationScript; |
29 | myServices.websites.webappDirs."${iridologie.apache.webappName}" = iridologie.app.webRoot; | ||
30 | services.websites.env.production.modules = iridologie.apache.modules; | ||
33 | services.websites.env.production.vhostConfs.iridologie = { | 31 | services.websites.env.production.vhostConfs.iridologie = { |
34 | certName = "aten"; | 32 | certName = "aten"; |
35 | addToCerts = true; | 33 | addToCerts = true; |
36 | hosts = [ "iridologie.icommandeur.org" "icommandeur.org" "www.icommandeur.org" ]; | 34 | hosts = [ "iridologie.icommandeur.org" "icommandeur.org" "www.icommandeur.org" ]; |
37 | root = varDir; | 35 | root = iridologie.apache.root; |
38 | extraConfig = [ | 36 | extraConfig = [ |
39 | '' | 37 | '' |
40 | Use Stats iridologie.icommandeur.org | 38 | RewriteEngine On |
41 | RewriteEngine On | 39 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] |
42 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] | 40 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] |
43 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] | ||
44 | |||
45 | <FilesMatch "\.php$"> | ||
46 | SetHandler "proxy:unix:/run/phpfpm/iridologie.sock|fcgi://localhost" | ||
47 | </FilesMatch> | ||
48 | |||
49 | <Directory ${varDir}> | ||
50 | DirectoryIndex index.php index.htm index.html | ||
51 | AllowOverride All | ||
52 | Require all granted | ||
53 | </Directory> | ||
54 | '' | 41 | '' |
42 | iridologie.apache.vhostConf | ||
55 | ]; | 43 | ]; |
56 | }; | 44 | }; |
45 | services.websites.env.production.watchPaths = [ | ||
46 | "/var/secrets/webapps/${iridologie.app.environment}-iridologie" | ||
47 | ]; | ||
57 | }; | 48 | }; |
58 | } | 49 | } |
59 | |||
diff --git a/modules/private/websites/isabelle/spip_builder.nix b/modules/private/websites/isabelle/spip_builder.nix new file mode 100644 index 0000000..2ab5394 --- /dev/null +++ b/modules/private/websites/isabelle/spip_builder.nix | |||
@@ -0,0 +1,99 @@ | |||
1 | { apacheUser, apacheGroup, iridologie, config }: | ||
2 | rec { | ||
3 | app = iridologie.override { inherit (config) environment; }; | ||
4 | phpFpm = rec { | ||
5 | serviceDeps = [ "mysql.service" ]; | ||
6 | socket = "/var/run/phpfpm/iridologie-${app.environment}.sock"; | ||
7 | pool = '' | ||
8 | user = ${apacheUser} | ||
9 | group = ${apacheGroup} | ||
10 | listen.owner = ${apacheUser} | ||
11 | listen.group = ${apacheGroup} | ||
12 | php_admin_value[upload_max_filesize] = 20M | ||
13 | php_admin_value[post_max_size] = 20M | ||
14 | ;php_admin_flag[log_errors] = on | ||
15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | ||
16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | ||
17 | ${if app.environment == "dev" then '' | ||
18 | pm = ondemand | ||
19 | pm.max_children = 5 | ||
20 | pm.process_idle_timeout = 60 | ||
21 | '' else '' | ||
22 | pm = dynamic | ||
23 | pm.max_children = 20 | ||
24 | pm.start_servers = 2 | ||
25 | pm.min_spare_servers = 1 | ||
26 | pm.max_spare_servers = 3 | ||
27 | ''}''; | ||
28 | }; | ||
29 | keys = [{ | ||
30 | dest = "webapps/${app.environment}-iridologie"; | ||
31 | user = apacheUser; | ||
32 | group = apacheGroup; | ||
33 | permissions = "0400"; | ||
34 | text = '' | ||
35 | SetEnv SPIP_CONFIG_DIR "${configDir}" | ||
36 | SetEnv SPIP_VAR_DIR "${app.varDir}" | ||
37 | SetEnv SPIP_SITE "iridologie-${app.environment}" | ||
38 | SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu" | ||
39 | SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu" | ||
40 | SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}" | ||
41 | SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}" | ||
42 | SetEnv SPIP_LDAP_SEARCH "${config.ldap.filter}" | ||
43 | SetEnv SPIP_MYSQL_HOST "${config.mysql.host}" | ||
44 | SetEnv SPIP_MYSQL_PORT "${config.mysql.port}" | ||
45 | SetEnv SPIP_MYSQL_DB "${config.mysql.database}" | ||
46 | SetEnv SPIP_MYSQL_USER "${config.mysql.user}" | ||
47 | SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}" | ||
48 | ''; | ||
49 | }]; | ||
50 | apache = rec { | ||
51 | modules = [ "proxy_fcgi" ]; | ||
52 | webappName = "iridologie_${app.environment}"; | ||
53 | root = "/run/current-system/webapps/${webappName}"; | ||
54 | vhostConf = '' | ||
55 | Include /var/secrets/webapps/${app.environment}-iridologie | ||
56 | |||
57 | RewriteEngine On | ||
58 | |||
59 | <FilesMatch "\.php$"> | ||
60 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
61 | </FilesMatch> | ||
62 | |||
63 | <Directory ${root}> | ||
64 | DirectoryIndex index.php index.htm index.html | ||
65 | Options -Indexes +FollowSymLinks +MultiViews +Includes | ||
66 | Include ${root}/htaccess.txt | ||
67 | |||
68 | AllowOverride AuthConfig FileInfo Limit | ||
69 | Require all granted | ||
70 | </Directory> | ||
71 | |||
72 | <DirectoryMatch "${root}/squelettes"> | ||
73 | Require all denied | ||
74 | </DirectoryMatch> | ||
75 | |||
76 | <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$"> | ||
77 | Require all denied | ||
78 | </FilesMatch> | ||
79 | |||
80 | ${if app.environment == "dev" then '' | ||
81 | <Location /> | ||
82 | Use LDAPConnect | ||
83 | Require ldap-group cn=isabelle.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu | ||
84 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://iridologie.icommandeur.org\"></html>" | ||
85 | </Location> | ||
86 | '' else '' | ||
87 | Use Stats iridologie.icommandeur.org | ||
88 | ''} | ||
89 | ''; | ||
90 | }; | ||
91 | activationScript = { | ||
92 | deps = [ "wrappers" ]; | ||
93 | text = '' | ||
94 | install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local | ||
95 | install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions | ||
96 | ''; | ||
97 | }; | ||
98 | configDir = ./config; | ||
99 | } | ||