diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-11 16:09:06 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2019-05-11 16:09:06 +0200 |
| commit | b3c0779fd2c9bfce7af4bfcb8aa601795ffca8c0 (patch) | |
| tree | e6ffaebc409125b92d5a2ab4f9c4cc73f9c1482c /nixops/modules/websites/ludivine/ludivinecassal.nix | |
| parent | 52e8779df7834db6f8308397965d58ffc87f129a (diff) | |
| download | Nix-b3c0779fd2c9bfce7af4bfcb8aa601795ffca8c0.tar.gz Nix-b3c0779fd2c9bfce7af4bfcb8aa601795ffca8c0.tar.zst Nix-b3c0779fd2c9bfce7af4bfcb8aa601795ffca8c0.zip | |
Move Ludivine website to pkgs
Diffstat (limited to 'nixops/modules/websites/ludivine/ludivinecassal.nix')
| -rw-r--r-- | nixops/modules/websites/ludivine/ludivinecassal.nix | 314 |
1 files changed, 142 insertions, 172 deletions
diff --git a/nixops/modules/websites/ludivine/ludivinecassal.nix b/nixops/modules/websites/ludivine/ludivinecassal.nix index c12d89c..39fd088 100644 --- a/nixops/modules/websites/ludivine/ludivinecassal.nix +++ b/nixops/modules/websites/ludivine/ludivinecassal.nix | |||
| @@ -1,187 +1,157 @@ | |||
| 1 | { pkgs, lib, writeText, fetchedGitPrivate, stdenv, composerEnv, fetchurl, fetchgit, ruby, sass, imagemagick }: | 1 | { config, ludivinecassal, pkgs, ruby, sass, imagemagick }: |
| 2 | let | 2 | rec { |
| 3 | ludivinecassal = { config }: rec { | 3 | app = ludivinecassal.override { inherit (config) environment; }; |
| 4 | environment = config.environment; | 4 | varDir = "/var/lib/ludivinecassal_${app.environment}"; |
| 5 | varDir = "/var/lib/ludivinecassal_${environment}"; | 5 | keys = [{ |
| 6 | keys = [{ | 6 | dest = "webapps/${app.environment}-ludivinecassal"; |
| 7 | dest = "webapps/${environment}-ludivinecassal"; | 7 | user = apache.user; |
| 8 | user = apache.user; | 8 | group = apache.group; |
| 9 | group = apache.group; | 9 | permissions = "0400"; |
| 10 | permissions = "0400"; | 10 | text = '' |
| 11 | text = '' | 11 | # This file is auto-generated during the composer install |
| 12 | # This file is auto-generated during the composer install | 12 | parameters: |
| 13 | parameters: | 13 | database_host: ${config.mysql.host} |
| 14 | database_host: ${config.mysql.host} | 14 | database_port: ${config.mysql.port} |
| 15 | database_port: ${config.mysql.port} | 15 | database_name: ${config.mysql.name} |
| 16 | database_name: ${config.mysql.name} | 16 | database_user: ${config.mysql.user} |
| 17 | database_user: ${config.mysql.user} | 17 | database_password: ${config.mysql.password} |
| 18 | database_password: ${config.mysql.password} | 18 | database_server_version: ${pkgs.mariadb.mysqlVersion} |
| 19 | database_server_version: ${pkgs.mariadb.mysqlVersion} | 19 | mailer_transport: smtp |
| 20 | mailer_transport: smtp | 20 | mailer_host: 127.0.0.1 |
| 21 | mailer_host: 127.0.0.1 | 21 | mailer_user: null |
| 22 | mailer_user: null | 22 | mailer_password: null |
| 23 | mailer_password: null | 23 | secret: ${config.secret} |
| 24 | secret: ${config.secret} | 24 | ldap_host: ldap.immae.eu |
| 25 | ldap_host: ldap.immae.eu | 25 | ldap_port: 636 |
| 26 | ldap_port: 636 | 26 | ldap_version: 3 |
| 27 | ldap_version: 3 | 27 | ldap_ssl: true |
| 28 | ldap_ssl: true | 28 | ldap_tls: false |
| 29 | ldap_tls: false | 29 | ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' |
| 30 | ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu' | 30 | ldap_base_dn: 'dc=immae,dc=eu' |
| 31 | ldap_base_dn: 'dc=immae,dc=eu' | 31 | ldap_search_dn: '${config.ldap.dn}' |
| 32 | ldap_search_dn: '${config.ldap.dn}' | 32 | ldap_search_password: '${config.ldap.password}' |
| 33 | ldap_search_password: '${config.ldap.password}' | 33 | ldap_search_filter: '${config.ldap.search}' |
| 34 | ldap_search_filter: '${config.ldap.search}' | 34 | leapt_im: |
| 35 | leapt_im: | 35 | binary_path: ${imagemagick}/bin |
| 36 | binary_path: ${imagemagick}/bin | 36 | assetic: |
| 37 | assetic: | 37 | sass: ${sass}/bin/sass |
| 38 | sass: ${sass}/bin/sass | 38 | ruby: ${ruby}/bin/ruby |
| 39 | ruby: ${ruby}/bin/ruby | 39 | ''; |
| 40 | }]; | ||
| 41 | phpFpm = rec { | ||
| 42 | preStart = '' | ||
| 43 | if [ ! -f "${app.varDir}/currentWebappDir" -o \ | ||
| 44 | ! -f "${app.varDir}/currentKey" -o \ | ||
| 45 | "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \ | ||
| 46 | || ! sha512sum -c --status ${app.varDir}/currentKey; then | ||
| 47 | pushd ${app} > /dev/null | ||
| 48 | /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${app.environment} cache:clear --no-warmup | ||
| 49 | popd > /dev/null | ||
| 50 | echo -n "${app}" > ${app.varDir}/currentWebappDir | ||
| 51 | sha512sum /var/secrets/webapps/${app.environment}-ludivinecassal > ${app.varDir}/currentKey | ||
| 52 | fi | ||
| 40 | ''; | 53 | ''; |
| 41 | }]; | 54 | serviceDeps = [ "mysql.service" ]; |
| 42 | phpFpm = rec { | 55 | socket = "/var/run/phpfpm/ludivinecassal-${app.environment}.sock"; |
| 43 | preStart = '' | 56 | pool = '' |
| 44 | if [ ! -f "${varDir}/currentWebappDir" -o \ | 57 | listen = ${socket} |
| 45 | ! -f "${varDir}/currentKey" -o \ | 58 | user = ${apache.user} |
| 46 | "${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ] \ | 59 | group = ${apache.group} |
| 47 | || ! sha512sum -c --status ${varDir}/currentKey; then | 60 | listen.owner = ${apache.user} |
| 48 | pushd ${webappDir} > /dev/null | 61 | listen.group = ${apache.group} |
| 49 | /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup | 62 | php_admin_value[upload_max_filesize] = 20M |
| 50 | popd > /dev/null | 63 | php_admin_value[post_max_size] = 20M |
| 51 | echo -n "${webappDir}" > ${varDir}/currentWebappDir | 64 | ;php_admin_flag[log_errors] = on |
| 52 | sha512sum /var/secrets/webapps/${environment}-ludivinecassal > ${varDir}/currentKey | 65 | php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-ludivinecassal:${app}:${app.varDir}:/tmp" |
| 53 | fi | 66 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" |
| 54 | ''; | 67 | ${if app.environment == "dev" then '' |
| 55 | serviceDeps = [ "mysql.service" ]; | 68 | pm = ondemand |
| 56 | socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock"; | 69 | pm.max_children = 5 |
| 57 | pool = '' | 70 | pm.process_idle_timeout = 60 |
| 58 | listen = ${socket} | 71 | env[SYMFONY_DEBUG_MODE] = "yes" |
| 59 | user = ${apache.user} | 72 | '' else '' |
| 60 | group = ${apache.group} | 73 | pm = dynamic |
| 61 | listen.owner = ${apache.user} | 74 | pm.max_children = 20 |
| 62 | listen.group = ${apache.group} | 75 | pm.start_servers = 2 |
| 63 | php_admin_value[upload_max_filesize] = 20M | 76 | pm.min_spare_servers = 1 |
| 64 | php_admin_value[post_max_size] = 20M | 77 | pm.max_spare_servers = 3 |
| 65 | ;php_admin_flag[log_errors] = on | 78 | ''}''; |
| 66 | php_admin_value[open_basedir] = "/var/secrets/webapps/${environment}-ludivinecassal:${webappDir}:${varDir}:/tmp" | 79 | }; |
| 67 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 80 | apache = rec { |
| 68 | ${if environment == "dev" then '' | 81 | user = "wwwrun"; |
| 69 | pm = ondemand | 82 | group = "wwwrun"; |
| 70 | pm.max_children = 5 | 83 | modules = [ "proxy_fcgi" ]; |
| 71 | pm.process_idle_timeout = 60 | 84 | webappName = "ludivine_${app.environment}"; |
| 72 | env[SYMFONY_DEBUG_MODE] = "yes" | 85 | root = "/run/current-system/webapps/${webappName}"; |
| 73 | '' else '' | 86 | vhostConf = '' |
| 74 | pm = dynamic | 87 | <FilesMatch "\.php$"> |
| 75 | pm.max_children = 20 | 88 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" |
| 76 | pm.start_servers = 2 | 89 | </FilesMatch> |
| 77 | pm.min_spare_servers = 1 | ||
| 78 | pm.max_spare_servers = 3 | ||
| 79 | ''}''; | ||
| 80 | }; | ||
| 81 | apache = rec { | ||
| 82 | user = "wwwrun"; | ||
| 83 | group = "wwwrun"; | ||
| 84 | modules = [ "proxy_fcgi" ]; | ||
| 85 | webappName = "ludivine_${environment}"; | ||
| 86 | root = "/run/current-system/webapps/${webappName}"; | ||
| 87 | vhostConf = '' | ||
| 88 | <FilesMatch "\.php$"> | ||
| 89 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
| 90 | </FilesMatch> | ||
| 91 | 90 | ||
| 92 | ${if environment == "dev" then '' | 91 | ${if app.environment == "dev" then '' |
| 93 | <Location /> | 92 | <Location /> |
| 94 | Use LDAPConnect | 93 | Use LDAPConnect |
| 95 | Require ldap-group cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu | 94 | Require ldap-group cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu |
| 96 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>" | 95 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>" |
| 97 | </Location> | 96 | </Location> |
| 98 | 97 | ||
| 99 | <Directory ${root}> | 98 | <Directory ${root}> |
| 100 | Options Indexes FollowSymLinks MultiViews Includes | 99 | Options Indexes FollowSymLinks MultiViews Includes |
| 101 | AllowOverride None | 100 | AllowOverride None |
| 102 | Require all granted | 101 | Require all granted |
| 103 | 102 | ||
| 104 | DirectoryIndex app_dev.php | 103 | DirectoryIndex app_dev.php |
| 105 | 104 | ||
| 106 | <IfModule mod_negotiation.c> | 105 | <IfModule mod_negotiation.c> |
| 107 | Options -MultiViews | 106 | Options -MultiViews |
| 108 | </IfModule> | 107 | </IfModule> |
| 109 | 108 | ||
| 110 | <IfModule mod_rewrite.c> | 109 | <IfModule mod_rewrite.c> |
| 111 | RewriteEngine On | 110 | RewriteEngine On |
| 112 | 111 | ||
| 113 | RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ | 112 | RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$ |
| 114 | RewriteRule ^(.*) - [E=BASE:%1] | 113 | RewriteRule ^(.*) - [E=BASE:%1] |
| 115 | 114 | ||
| 116 | # Maintenance script | 115 | # Maintenance script |
| 117 | RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f | 116 | RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f |
| 118 | RewriteCond %{SCRIPT_FILENAME} !maintenance.php | 117 | RewriteCond %{SCRIPT_FILENAME} !maintenance.php |
| 119 | RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L] | 118 | RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L] |
| 120 | ErrorDocument 503 /maintenance.php | 119 | ErrorDocument 503 /maintenance.php |
| 121 | 120 | ||
| 122 | # Sets the HTTP_AUTHORIZATION header removed by Apache | 121 | # Sets the HTTP_AUTHORIZATION header removed by Apache |
| 123 | RewriteCond %{HTTP:Authorization} . | 122 | RewriteCond %{HTTP:Authorization} . |
| 124 | RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] | 123 | RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] |
| 125 | 124 | ||
| 126 | RewriteCond %{ENV:REDIRECT_STATUS} ^$ | 125 | RewriteCond %{ENV:REDIRECT_STATUS} ^$ |
| 127 | RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] | 126 | RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L] |
| 128 | 127 | ||
| 129 | # If the requested filename exists, simply serve it. | 128 | # If the requested filename exists, simply serve it. |
| 130 | # We only want to let Apache serve files and not directories. | 129 | # We only want to let Apache serve files and not directories. |
| 131 | RewriteCond %{REQUEST_FILENAME} -f | 130 | RewriteCond %{REQUEST_FILENAME} -f |
| 132 | RewriteRule ^ - [L] | 131 | RewriteRule ^ - [L] |
| 133 | 132 | ||
| 134 | # Rewrite all other queries to the front controller. | 133 | # Rewrite all other queries to the front controller. |
| 135 | RewriteRule ^ %{ENV:BASE}/app_dev.php [L] | 134 | RewriteRule ^ %{ENV:BASE}/app_dev.php [L] |
| 136 | </IfModule> | 135 | </IfModule> |
| 137 | 136 | ||
| 138 | </Directory> | 137 | </Directory> |
| 139 | '' else '' | 138 | '' else '' |
| 140 | Use Stats ludivinecassal.com | 139 | Use Stats ludivinecassal.com |
| 141 | 140 | ||
| 142 | <Directory ${root}> | 141 | <Directory ${root}> |
| 143 | Options Indexes FollowSymLinks MultiViews Includes | 142 | Options Indexes FollowSymLinks MultiViews Includes |
| 144 | AllowOverride All | 143 | AllowOverride All |
| 145 | Require all granted | 144 | Require all granted |
| 146 | </Directory> | 145 | </Directory> |
| 147 | ''} | 146 | ''} |
| 148 | ''; | 147 | ''; |
| 149 | }; | 148 | }; |
| 150 | activationScript = { | 149 | activationScript = { |
| 151 | deps = [ "wrappers" ]; | 150 | deps = [ "wrappers" ]; |
| 152 | text = '' | 151 | text = '' |
| 153 | install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} | 152 | install -m 0755 -o ${apache.user} -g ${apache.group} -d ${app.varDir} |
| 154 | install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/tmp | 153 | install -m 0755 -o ${apache.user} -g ${apache.group} -d ${app.varDir}/tmp |
| 155 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions | 154 | install -m 0750 -o ${apache.user} -g ${apache.group} -d ${app.varDir}/phpSessions |
| 156 | ''; | 155 | ''; |
| 157 | }; | ||
| 158 | webappDir = composerEnv.buildPackage ( | ||
| 159 | import ./php-packages.nix { inherit composerEnv fetchurl fetchgit; } // | ||
| 160 | fetchedGitPrivate ./ludivinecassal.json // | ||
| 161 | rec { | ||
| 162 | noDev = (environment == "prod"); | ||
| 163 | preInstall = '' | ||
| 164 | export SYMFONY_ENV="${environment}" | ||
| 165 | cp app/config/parameters.yml.dist app/config/parameters.yml | ||
| 166 | cat >> app/config/parameters.yml <<EOF | ||
| 167 | leapt_im: | ||
| 168 | binary_path: ${imagemagick}/bin | ||
| 169 | assetic: | ||
| 170 | sass: ${sass}/bin/sass | ||
| 171 | ruby: ${ruby}/bin/ruby | ||
| 172 | EOF | ||
| 173 | sed -i -e "/Incenteev..ParameterHandler..ScriptHandler::buildParameters/d" composer.json | ||
| 174 | ''; | ||
| 175 | # /!\ miniatures and data need to be in the same physical dir due to a | ||
| 176 | # bug in leapt.im (searches for data/../miniatures) | ||
| 177 | postInstall = '' | ||
| 178 | rm -rf var/{logs,cache,data,miniatures,tmp} | ||
| 179 | ln -sf ${varDir}/{logs,cache,data,miniatures,tmp} var/ | ||
| 180 | ln -sf /var/secrets/webapps/${environment}-ludivinecassal app/config/parameters.yml | ||
| 181 | ''; | ||
| 182 | buildInputs = [ sass ]; | ||
| 183 | }); | ||
| 184 | webRoot = "${webappDir}/web"; | ||
| 185 | }; | 156 | }; |
| 186 | in | 157 | } |
| 187 | ludivinecassal | ||