authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-22 20:01:33 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-05-22 20:01:33 +0200
commit4288c2f2431fb782b0d512b1b3749187f2374b6a (patch)
treeaaf812414f91d6b695a7507265e7572de8dc477c /nixops
parentf40f5b235b890f46770a22f005f8a0f664cf0562 (diff)
downloadNix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.gz
Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.tar.zst
Nix-4288c2f2431fb782b0d512b1b3749187f2374b6a.zip
Move websites/tools to modules
Diffstat (limited to 'nixops')
-rw-r--r--nixops/eldiron.nix1
-rw-r--r--nixops/modules/task/default.nix4
-rw-r--r--nixops/modules/websites/commons/adminer.nix40
-rw-r--r--nixops/modules/websites/default.nix236
-rw-r--r--nixops/modules/websites/tools/cloud.nix188
-rw-r--r--nixops/modules/websites/tools/dav/davical.nix133
-rw-r--r--nixops/modules/websites/tools/dav/default.nix55
-rw-r--r--nixops/modules/websites/tools/db.nix21
-rw-r--r--nixops/modules/websites/tools/diaspora.nix181
-rw-r--r--nixops/modules/websites/tools/ether.nix175
-rw-r--r--nixops/modules/websites/tools/git/default.nix45
-rw-r--r--nixops/modules/websites/tools/git/gitweb.nix64
-rw-r--r--nixops/modules/websites/tools/git/mantisbt.nix90
-rw-r--r--nixops/modules/websites/tools/mastodon.nix128
-rw-r--r--nixops/modules/websites/tools/mediagoblin.nix122
-rw-r--r--nixops/modules/websites/tools/peertube.nix179
-rw-r--r--nixops/modules/websites/tools/tools/default.nix298
-rw-r--r--nixops/modules/websites/tools/tools/dokuwiki.nix61
-rw-r--r--nixops/modules/websites/tools/tools/kanboard.nix86
-rw-r--r--nixops/modules/websites/tools/tools/ldap.nix68
-rw-r--r--nixops/modules/websites/tools/tools/rainloop.nix59
-rw-r--r--nixops/modules/websites/tools/tools/rompr.nix77
-rw-r--r--nixops/modules/websites/tools/tools/roundcubemail.nix121
-rw-r--r--nixops/modules/websites/tools/tools/shaarli.nix65
-rw-r--r--nixops/modules/websites/tools/tools/ttrss.nix131
-rw-r--r--nixops/modules/websites/tools/tools/wallabag.nix148
-rw-r--r--nixops/modules/websites/tools/tools/ympd.nix40
-rw-r--r--nixops/modules/websites/tools/tools/yourls.nix90
28 files changed, 1 insertions, 2905 deletions
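--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -36,7 +36,6 @@
 ./modules/certificates.nix
 ./modules/gitolite
 ./modules/mpd.nix
-./modules/websites
 ./modules/mail.nix
 ./modules/ftp.nix
 ./modules/pub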
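--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -180,9 +180,7 @@ in {
 '';
 };
 
-system.extraSystemBuilderCmds = ''
-ln -s ${./www} $out/webapps/_task
-'';
+myServices.websites.webappDirs._task = ./www;
 
 security.acme.certs."task" = config.services.myCertificates.certConfig // {
 inherit user group;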
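Review bot: The added line assigns `myServices.websites.webappDirs._task`, but no module in this diff declares a `myServices.websites` option set — the diffstat shows this as the commit's only insertion while `./modules/websites` is dropped from the eldiron.nix imports — so unless the declaration lives in a path outside `nixops` (this diffstat is limited to that directory), evaluation will fail with an undefined-option error. It is also worth confirming that whatever consumes `webappDirs` recreates the `$out/webapps/_task` symlink that the removed `system.extraSystemBuilderCmds` used to produce, since the vhost configuration presumably still resolves `/run/current-system/webapps/_task`. A short comment at the assignment, such as `# _task is linked into $out/webapps by the module that declares myServices.websites.webappDirs`, would make that dependency explicit. The enclosing attribute set starts and ends outside the hunk.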
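--- a/nixops/modules/websites/commons/adminer.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ stdenv, fetchurl, webapps }:
-rec {
-webRoot = webapps.adminer;
-phpFpm = rec {
-socket = "/var/run/phpfpm/adminer.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 5
-pm.process_idle_timeout = 60
-;php_admin_flag[log_errors] = on
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = AdminerPHPSESSID
-php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"
-php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer"
-php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer"
-'';
-};
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "_adminer";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /adminer ${root}
-<Directory ${root}>
-DirectoryIndex index.php
-Require all granted
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-'';
-};
-}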
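--- a/nixops/modules/websites/default.nix
+++ /dev/null
@@ -1,236 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-cfg = config.services.myWebsites;
-www_root = "/run/current-system/webapps/_www";
-theme_root = "/run/current-system/webapps/_theme";
-apacheConfig = {
-gzip = {
-modules = [ "deflate" "filter" ];
-extraConfig = ''
-AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
-'';
-};
-macros = {
-modules = [ "macro" ];
-};
-stats = {
-extraConfig = ''
-<Macro Stats %{domain}>
-Alias /webstats ${config.services.webstats.dataDir}/%{domain}
-<Directory ${config.services.webstats.dataDir}/%{domain}>
-DirectoryIndex index.html
-AllowOverride None
-Require all granted
-</Directory>
-<Location /webstats>
-Use LDAPConnect
-Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
-</Location>
-</Macro>
-'';
-};
-ldap = {
-modules = [ "ldap" "authnz_ldap" ];
-extraConfig = ''
-<IfModule ldap_module>
-LDAPSharedCacheSize 500000
-LDAPCacheEntries 1024
-LDAPCacheTTL 600
-LDAPOpCacheEntries 1024
-LDAPOpCacheTTL 600
-</IfModule>
-
-Include /var/secrets/apache-ldap
-'';
-};
-global = {
-extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
-};
-apaxy = {
-extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
-};
-http2 = {
-modules = [ "http2" ];
-extraConfig = ''
-Protocols h2 http/1.1
-'';
-};
-customLog = {
-extraConfig = ''
-LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
-'';
-};
-};
-makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
-makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
-in
-{
-imports = [
-./tools/db.nix
-./tools/tools
-./tools/dav
-./tools/cloud.nix
-./tools/git
-./tools/mastodon.nix
-./tools/mediagoblin.nix
-./tools/diaspora.nix
-./tools/ether.nix
-./tools/peertube.nix
-];
-
-config = {
-users.users.wwwrun.extraGroups = [ "keys" ];
-networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-nixpkgs.overlays = [ (self: super: rec {
-#openssl = self.openssl_1_1;
-php = php72;
-php72 = (super.php72.override {
-mysql.connector-c = self.mariadb;
-config.php.mysqlnd = false;
-config.php.mysqli = false;
-}).overrideAttrs(old: rec {
-# Didn't manage to build with mysqli + mysql_config connector
-configureFlags = old.configureFlags ++ [
-"--with-mysqli=shared,mysqlnd"
-];
-# preConfigure = (old.preConfigure or "") + ''
-# export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
-# sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
-# ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
-# '';
-});
-phpPackages = super.php72Packages.override { inherit php; };
-}) ];
-
-services.myWebsites.tools.databases.enable = true;
-services.myWebsites.tools.tools.enable = true;
-services.myWebsites.tools.dav.enable = true;
-services.myWebsites.tools.cloud.enable = true;
-services.myWebsites.tools.git.enable = true;
-services.myWebsites.tools.mastodon.enable = true;
-services.myWebsites.tools.mediagoblin.enable = true;
-services.myWebsites.tools.diaspora.enable = true;
-services.myWebsites.tools.etherpad-lite.enable = true;
-services.myWebsites.tools.peertube.enable = true;
-
-secrets.keys = [{
-dest = "apache-ldap";
-user = "wwwrun";
-group = "wwwrun";
-permissions = "0400";
-text = ''
-<Macro LDAPConnect>
-<IfModule authnz_ldap_module>
-AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
-AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
-AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
-AuthType Basic
-AuthName "Authentification requise (Acces LDAP)"
-AuthBasicProvider ldap
-</IfModule>
-</Macro>
-'';
-}];
-
-system.activationScripts = {
-httpd = ''
-install -d -m 0755 ${config.security.acme.directory}/acme-challenge
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
-'';
-};
-
-system.extraSystemBuilderCmds = let
-adminer = pkgs.callPackage ./commons/adminer.nix {};
-in ''
-mkdir -p $out/webapps
-ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www
-ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme
-ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
-'';
-
-services.phpfpm = {
-phpPackage = pkgs.php;
-phpOptions = ''
-session.save_path = "/var/lib/php/sessions"
-post_max_size = 20M
-; 15 days (seconds)
-session.gc_maxlifetime = 1296000
-; 30 days (minutes)
-session.cache_expire = 43200
-'';
-extraConfig = ''
-log_level = notice
-'';
-};
-
-services.websites.production = {
-enable = true;
-adminAddr = "httpd@immae.eu";
-httpdName = "Prod";
-ips =
-let ips = myconfig.env.servers.eldiron.ips.production;
-in [ips.ip4] ++ (ips.ip6 or []);
-modules = makeModules;
-extraConfig = makeExtraConfig;
-fallbackVhost = {
-certName = "eldiron";
-hosts = ["eldiron.immae.eu" ];
-root = www_root;
-extraConfig = [ "DirectoryIndex index.htm" ];
-};
-};
-
-services.websites.integration = {
-enable = true;
-adminAddr = "httpd@immae.eu";
-httpdName = "Inte";
-ips =
-let ips = myconfig.env.servers.eldiron.ips.integration;
-in [ips.ip4] ++ (ips.ip6 or []);
-modules = makeModules;
-extraConfig = makeExtraConfig;
-fallbackVhost = {
-certName = "eldiron";
-hosts = ["eldiron.immae.eu" ];
-root = www_root;
-extraConfig = [ "DirectoryIndex index.htm" ];
-};
-};
-
-services.websites.tools = {
-enable = true;
-adminAddr = "httpd@immae.eu";
-httpdName = "Tools";
-ips =
-let ips = myconfig.env.servers.eldiron.ips.main;
-in [ips.ip4] ++ (ips.ip6 or []);
-modules = makeModules;
-extraConfig = makeExtraConfig ++
-[ ''
-RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
-RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
-RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
-RedirectMatch ^/CGU$ https://www.immae.eu/CGU
-''
-];
-nosslVhost = {
-enable = true;
-host = "nossl.immae.eu";
-};
-fallbackVhost = {
-certName = "eldiron";
-hosts = ["eldiron.immae.eu" ];
-root = www_root;
-extraConfig = [ "DirectoryIndex index.htm" ];
-};
-};
-};
-}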
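--- a/nixops/modules/websites/tools/cloud.nix
+++ /dev/null
@@ -1,188 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps);
-env = myconfig.env.tools.nextcloud;
-varDir = "/var/lib/nextcloud";
-webappName = "tools_nextcloud";
-apacheRoot = "/run/current-system/webapps/${webappName}";
-cfg = config.services.myWebsites.tools.cloud;
-phpFpm = rec {
-basedir = builtins.concatStringsSep ":" (
-[ nextcloud varDir ]
-++ builtins.attrValues pkgs.webapps.nextcloud-apps);
-socket = "/var/run/phpfpm/nextcloud.sock";
-phpConfig = ''
-extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
-extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
-'';
-pool = ''
-user = wwwrun
-group = wwwrun
-listen.owner = wwwrun
-listen.group = wwwrun
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-php_admin_value[output_buffering] = 0
-php_admin_value[max_execution_time] = 1800
-php_admin_value[zend_extension] = "opcache"
-;already enabled by default?
-;php_value[opcache.enable] = 1
-php_value[opcache.enable_cli] = 1
-php_value[opcache.interned_strings_buffer] = 8
-php_value[opcache.max_accelerated_files] = 10000
-php_value[opcache.memory_consumption] = 128
-php_value[opcache.save_comments] = 1
-php_value[opcache.revalidate_freq] = 1
-php_admin_value[memory_limit] = 512M
-
-php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-in {
-options.services.myWebsites.tools.cloud = {
-enable = lib.mkEnableOption "enable cloud website";
-};
-
-config = lib.mkIf cfg.enable {
-services.websites.tools.modules = [ "proxy_fcgi" ];
-
-services.websites.tools.vhostConfs.cloud = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["cloud.immae.eu" ];
-root = apacheRoot;
-extraConfig = [
-''
-SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
-<Directory ${apacheRoot}>
-AcceptPathInfo On
-DirectoryIndex index.php
-Options FollowSymlinks
-Require all granted
-AllowOverride all
-
-<IfModule mod_headers.c>
-Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
-</IfModule>
-<FilesMatch "\.php$">
-CGIPassAuth on
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-</Directory>
-''
-];
-};
-
-secrets.keys = [{
-dest = "webapps/tools-nextcloud";
-user = "wwwrun";
-group = "wwwrun";
-permissions = "0600";
-text = ''
-<?php
-$CONFIG = array (
-// FIXME: change this value when nextcloud starts getting slow
-'instanceid' => '${env.instance_id}1',
-'datadirectory' => '/var/lib/nextcloud/',
-'passwordsalt' => '${env.password_salt}',
-'debug' => false,
-'dbtype' => 'pgsql',
-'version' => '16.0.0.9',
-'dbname' => '${env.postgresql.database}',
-'dbhost' => '${env.postgresql.socket}',
-'dbtableprefix' => 'oc_',
-'dbuser' => '${env.postgresql.user}',
-'dbpassword' => '${env.postgresql.password}',
-'installed' => true,
-'maxZipInputSize' => 0,
-'allowZipDownload' => true,
-'forcessl' => true,
-'theme' => ${"''"},
-'maintenance' => false,
-'trusted_domains' =>
-array (
-0 => 'cloud.immae.eu',
-),
-'secret' => '${env.secret}',
-'appstoreenabled' => false,
-'appstore.experimental.enabled' => true,
-'loglevel' => 2,
-'trashbin_retention_obligation' => 'auto',
-'htaccess.RewriteBase' => '/',
-'mail_smtpmode' => 'sendmail',
-'mail_smtphost' => '127.0.0.1',
-'mail_smtpname' => ''',
-'mail_smtppassword' => ''',
-'mail_from_address' => 'nextcloud',
-'mail_smtpauth' => false,
-'mail_domain' => 'tools.immae.eu',
-'memcache.local' => '\\OC\\Memcache\\APCu',
-'memcache.locking' => '\\OC\\Memcache\\Redis',
-'filelocking.enabled' => true,
-'redis' =>
-array (
-'host' => '${env.redis.socket}',
-'port' => 0,
-'dbindex' => ${env.redis.db_index},
-),
-'overwrite.cli.url' => 'https://cloud.immae.eu',
-'ldapIgnoreNamingRules' => false,
-'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
-'has_rebuilt_cache' => true,
-);
-'';
-}];
-users.users.root.packages = let
-occ = pkgs.writeScriptBin "nextcloud-occ" ''
-#! ${pkgs.stdenv.shell}
-cd ${nextcloud}
-NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
-exec \
-sudo -u wwwrun ${pkgs.php}/bin/php \
--c ${pkgs.php}/etc/php.ini \
-occ $*
-'';
-in [ occ ];
-
-system.activationScripts.nextcloud = {
-deps = [ "secrets" ];
-text = let
-confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
-in
-''
-install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
-install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
-${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
-"install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
-) confs)}
-install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
-'';
-};
-# FIXME: add a warning when config.php changes
-system.extraSystemBuilderCmds = ''
-mkdir -p $out/webapps
-ln -s ${nextcloud} $out/webapps/${webappName}
-'';
-
-services.phpfpm.pools.nextcloud = {
-listen = phpFpm.socket;
-extraConfig = phpFpm.pool;
-phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig;
-};
-
-services.cron = {
-enable = true;
-systemCronJobs = [
-''
-LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
-*/15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php
-''
-];
-};
-};
-}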
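--- a/nixops/modules/websites/tools/dav/davical.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
-rec {
-keys = [{
-dest = "webapps/dav-davical";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-$c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
-
-$c->readonly_webdav_collections = false;
-
-$c->admin_email ='davical@tools.immae.eu';
-
-$c->restrict_setup_to_admin = true;
-
-$c->collections_always_exist = false;
-
-$c->external_refresh = 60;
-
-$c->enable_scheduling = true;
-
-$c->iMIP = (object) array("send_email" => true);
-
-$c->authenticate_hook['optional'] = false;
-$c->authenticate_hook['call'] = 'LDAP_check';
-$c->authenticate_hook['config'] = array(
-'host' => 'ldap.immae.eu',
-'port' => '389',
-'startTLS' => 'yes',
-'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu',
-'passDN'=> '${env.ldap.password}',
-'protocolVersion' => '3',
-'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'),
-'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu',
-'baseDNGroups' => 'ou=groups,dc=immae,dc=eu',
-'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu',
-'mapping_field' => array(
-"username" => "uid",
-"fullname" => "cn",
-"email" => "mail",
-"modified" => "modifyTimestamp",
-),
-'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
-/** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
-// 'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
-'group_mapping_field' => array(
-"username" => "cn",
-"updated" => "modifyTimestamp",
-"fullname" => "givenName",
-"displayname" => "givenName",
-"members" => "memberUid",
-"email" => "mail",
-),
-);
-
-$c->do_not_sync_from_ldap = array('admin' => true);
-include('drivers_ldap.php');
-'';
-}];
-webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
-webRoot = "${webapp}/htdocs";
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_davical";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /davical "${root}"
-Alias /caldav.php "${root}/caldav.php"
-<Directory "${root}">
-DirectoryIndex index.php index.html
-AcceptPathInfo On
-AllowOverride None
-Require all granted
-
-<FilesMatch "\.php$">
-CGIPassAuth on
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-RewriteEngine On
-<IfModule mod_headers.c>
-Header unset Access-Control-Allow-Origin
-Header unset Access-Control-Allow-Methods
-Header unset Access-Control-Allow-Headers
-Header unset Access-Control-Allow-Credentials
-Header unset Access-Control-Expose-Headers
-
-Header always set Access-Control-Allow-Origin "*"
-Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
-Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
-Header always set Access-Control-Allow-Credentials false
-Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
-
-RewriteCond %{HTTP:Access-Control-Request-Method} !^$
-RewriteCond %{REQUEST_METHOD} OPTIONS
-RewriteRule ^(.*)$ $1 [R=200,L]
-</IfModule>
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
-socket = "/var/run/phpfpm/davical.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = dynamic
-pm.max_children = 60
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 10
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = DavicalPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical"
-php_admin_value[include_path] = "${awl}/inc:${webapp}/inc"
-php_admin_value[session.save_path] = "/var/lib/php/sessions/davical"
-php_flag[magic_quotes_gpc] = Off
-php_flag[register_globals] = Off
-php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE"
-php_admin_value[default_charset] = "utf-8"
-php_flag[magic_quotes_runtime] = Off
-'';
-};
-}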
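--- a/nixops/modules/websites/tools/dav/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-infcloud = rec {
-webappName = "tools_infcloud";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /carddavmate ${root}
-Alias /caldavzap ${root}
-Alias /infcloud ${root}
-<Directory ${root}>
-AllowOverride All
-Options FollowSymlinks
-Require all granted
-DirectoryIndex index.html
-</Directory>
-'';
-};
-davical = pkgs.callPackage ./davical.nix {
-env = myconfig.env.tools.davical;
-inherit (pkgs.webapps) davical awl;
-};
-
-cfg = config.services.myWebsites.tools.dav;
-in {
-options.services.myWebsites.tools.dav = {
-enable = lib.mkEnableOption "enable dav website";
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = davical.keys;
-services.websites.tools.modules = davical.apache.modules;
-
-services.websites.tools.vhostConfs.dav = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["dav.immae.eu" ];
-root = null;
-extraConfig = [
-infcloud.vhostConf
-davical.apache.vhostConf
-];
-};
-
-services.phpfpm.poolConfigs = {
-davical = davical.phpFpm.pool;
-};
-
-system.extraSystemBuilderCmds = ''
-mkdir -p $out/webapps
-ln -s ${davical.webRoot} $out/webapps/${davical.apache.webappName}
-ln -s ${pkgs.webapps.infcloud} $out/webapps/${infcloud.webappName}
-'';
-};
-}
-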
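--- a/nixops/modules/websites/tools/db.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-adminer = pkgs.callPackage ../commons/adminer.nix {};
-
-cfg = config.services.myWebsites.tools.databases;
-in {
-options.services.myWebsites.tools.databases = {
-enable = lib.mkEnableOption "enable database's website";
-};
-
-config = lib.mkIf cfg.enable {
-services.websites.tools.modules = adminer.apache.modules;
-services.websites.tools.vhostConfs.db-1 = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["db-1.immae.eu" ];
-root = null;
-extraConfig = [ adminer.apache.vhostConf ];
-};
-};
-}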
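--- a/nixops/modules/websites/tools/diaspora.nix
+++ /dev/null
@@ -1,181 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-env = myconfig.env.tools.diaspora;
-root = "/run/current-system/webapps/tools_diaspora";
-cfg = config.services.myWebsites.tools.diaspora;
-dcfg = config.services.diaspora;
-in {
-options.services.myWebsites.tools.diaspora = {
-enable = lib.mkEnableOption "enable diaspora's website";
-};
-
-config = lib.mkIf cfg.enable {
-users.users.diaspora.extraGroups = [ "keys" ];
-
-secrets.keys = [
-{
-dest = "webapps/diaspora/diaspora.yml";
-user = "diaspora";
-group = "diaspora";
-permissions = "0400";
-text = ''
-configuration:
-environment:
-url: "https://diaspora.immae.eu/"
-certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
-redis: '${env.redis_url}'
-sidekiq:
-s3:
-assets:
-logging:
-logrotate:
-debug:
-server:
-listen: '${dcfg.sockets.rails}'
-rails_environment: 'production'
-chat:
-server:
-bosh:
-log:
-map:
-mapbox:
-privacy:
-piwik:
-statistics:
-camo:
-settings:
-enable_registrations: false
-welcome_message:
-invitations:
-open: false
-paypal_donations:
-community_spotlight:
-captcha:
-enable: false
-terms:
-maintenance:
-remove_old_users:
-default_metas:
-csp:
-services:
-twitter:
-tumblr:
-wordpress:
-mail:
-enable: true
-sender_address: 'diaspora@tools.immae.eu'
-method: 'sendmail'
-smtp:
-sendmail:
-location: '/run/wrappers/bin/sendmail'
-admins:
-account: "ismael"
-podmin_email: 'diaspora@tools.immae.eu'
-relay:
-outbound:
-inbound:
-ldap:
-enable: true
-host: ldap.immae.eu
-port: 636
-only_ldap: true
-mail_attribute: mail
-skip_email_confirmation: true
-use_bind_dn: true
-bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
-bind_pw: "${env.ldap.password}"
-search_base: "dc=immae,dc=eu"
-search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
-production:
-environment:
-development:
-environment:
-'';
-}
-{
-dest = "webapps/diaspora/database.yml";
-user = "diaspora";
-group = "diaspora";
-permissions = "0400";
-text = ''
-postgresql: &postgresql
-adapter: postgresql
-host: "${env.postgresql.socket}"
-port: "${env.postgresql.port}"
-username: "${env.postgresql.user}"
-password: "${env.postgresql.password}"
-encoding: unicode
-common: &common
-<<: *postgresql
-combined: &combined
-<<: *common
-development:
-<<: *combined
-database: diaspora_development
-production:
-<<: *combined
-database: ${env.postgresql.database}
-test:
-<<: *combined
-database: "diaspora_test"
-integration1:
-<<: *combined
-database: diaspora_integration1
-integration2:
-<<: *combined
-database: diaspora_integration2
-'';
-}
-{
-dest = "webapps/diaspora/secret_token.rb";
-user = "diaspora";
-group = "diaspora";
-permissions = "0400";
-text = ''
-Diaspora::Application.config.secret_key_base = '${env.secret_token}'
-'';
-}
-];
-
-services.diaspora = {
-enable = true;
-package = pkgs.webapps.diaspora.override { ldap = true; };
-dataDir = "/var/lib/diaspora_immae";
-adminEmail = "diaspora@tools.immae.eu";
-configDir = "/var/secrets/webapps/diaspora";
-};
-
-services.websites.tools.modules = [
-"headers" "proxy" "proxy_http"
-];
-system.extraSystemBuilderCmds = ''
-mkdir -p $out/webapps
-ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora
-'';
-services.websites.tools.vhostConfs.diaspora = {
-certName = "eldiron";
-addToCerts = true;
-hosts = [ "diaspora.immae.eu" ];
-root = root;
-extraConfig = [ ''
-RewriteEngine On
-RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
-RewriteRule ^/(.*)$ unix://${dcfg.sockets.rails}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L]
-
-ProxyRequests Off
-ProxyVia On
-ProxyPreserveHost On
-RequestHeader set X_FORWARDED_PROTO https
-
-<Proxy *>
-Require all granted
-</Proxy>
-
-<Directory ${root}>
-Require all granted
-Options -MultiViews
-</Directory>
-'' ];
-};
-};
-}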
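--- a/nixops/modules/websites/tools/ether.nix
+++ /dev/null
@@ -1,175 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- env = myconfig.env.tools.etherpad-lite;
- cfg = config.services.myWebsites.tools.etherpad-lite;
- # Make sure we’re not rebuilding whole libreoffice just because of a
- # dependency
- libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
- ecfg = config.services.etherpad-lite;
-in {
- options.services.myWebsites.tools.etherpad-lite = {
- enable = lib.mkEnableOption "enable etherpad's website";
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = [
- {
- dest = "webapps/tools-etherpad-apikey";
- permissions = "0400";
- text = env.api_key;
- }
- {
- dest = "webapps/tools-etherpad-sessionkey";
- permissions = "0400";
- text = env.session_key;
- }
- {
- dest = "webapps/tools-etherpad";
- permissions = "0400";
- text = ''
- {
- "title": "Etherpad",
- "favicon": "favicon.ico",
-
- "ip": "",
- "port" : "${ecfg.sockets.node}",
- "showSettingsInAdminPage" : false,
- "dbType" : "postgres",
- "dbSettings" : {
- "user" : "${env.postgresql.user}",
- "host" : "${env.postgresql.socket}",
- "password": "${env.postgresql.password}",
- "database": "${env.postgresql.database}",
- "charset" : "utf8mb4"
- },
-
- "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
- "padOptions": {
- "noColors": false,
- "showControls": true,
- "showChat": true,
- "showLineNumbers": true,
- "useMonospaceFont": false,
- "userName": false,
- "userColor": false,
- "rtl": false,
- "alwaysShowChat": false,
- "chatAndUsers": false,
- "lang": "en-gb"
- },
-
- "suppressErrorsInPadText" : false,
- "requireSession" : false,
- "editOnly" : false,
- "sessionNoPassword" : false,
- "minify" : true,
- "maxAge" : 21600,
- "abiword" : null,
- "soffice" : "${libreoffice}/bin/soffice",
- "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
- "allowUnknownFileEnds" : true,
- "requireAuthentication" : false,
- "requireAuthorization" : false,
- "trustProxy" : false,
- "disableIPlogging" : false,
- "automaticReconnectionTimeout" : 0,
- "scrollWhenFocusLineIsOutOfViewport": {
- "percentage": {
- "editionAboveViewport": 0,
- "editionBelowViewport": 0
- },
- "duration": 0,
- "scrollWhenCaretIsInTheLastLineOfViewport": false,
- "percentageToScrollWhenUserPressesArrowUp": 0
- },
- "users": {
- "ldapauth": {
- "url": "ldaps://${env.ldap.host}",
- "accountBase": "${env.ldap.base}",
- "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
- "displayNameAttribute": "cn",
- "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
- "searchPWD": "${env.ldap.password}",
- "groupSearchBase": "${env.ldap.base}",
- "groupAttribute": "member",
- "groupAttributeIsDN": true,
- "searchScope": "sub",
- "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
- "anonymousReadonly": false
- }
- },
- "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
- "loadTest": false,
- "indentationOnNewLine": false,
- "toolbar": {
- "left": [
- ["bold", "italic", "underline", "strikethrough"],
- ["orderedlist", "unorderedlist", "indent", "outdent"],
- ["undo", "redo"],
- ["clearauthorship"]
- ],
- "right": [
- ["importexport", "timeslider", "savedrevision"],
- ["settings", "embed"],
- ["showusers"]
- ],
- "timeslider": [
- ["timeslider_export", "timeslider_returnToPad"]
- ]
- },
- "loglevel": "INFO",
- "logconfig" : { "appenders": [ { "type": "console" } ] }
- }
- '';
- }
- ];
- services.etherpad-lite = {
- enable = true;
- modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
- sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
- apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
- configFile = "/var/secrets/webapps/tools-etherpad";
- };
-
- systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
-
- services.websites.tools.modules = [
- "headers" "proxy" "proxy_http" "proxy_wstunnel"
- ];
- services.websites.tools.vhostConfs.etherpad-lite = {
- certName = "eldiron";
- addToCerts = true;
- hosts = [ "ether.immae.eu" ];
- root = null;
- extraConfig = [ ''
- Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
- RequestHeader set X-Forwarded-Proto "https"
-
- RewriteEngine On
-
- RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
- RewriteCond %{QUERY_STRING} "!noredirect"
- RewriteCond %{REQUEST_URI} "^(.*)$"
- RewriteCond ''${redirects:$1|Unknown} "!Unknown"
- RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
-
- RewriteCond %{REQUEST_URI} ^/socket.io [NC]
- RewriteCond %{QUERY_STRING} transport=websocket [NC]
- RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
-
- <IfModule mod_proxy.c>
- ProxyVia On
- ProxyRequests Off
- ProxyPreserveHost On
- ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
- ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
- <Proxy *>
- Options FollowSymLinks MultiViews
- AllowOverride None
- Require all granted
- </Proxy>
- </IfModule>
- '' ];
- };
- };
-}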
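--- a/nixops/modules/websites/tools/git/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- mantisbt = pkgs.callPackage ./mantisbt.nix {
- inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
- env = myconfig.env.tools.mantisbt;
- };
- gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
-
- cfg = config.services.myWebsites.tools.git;
-in {
- options.services.myWebsites.tools.git = {
- enable = lib.mkEnableOption "enable git's website";
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = mantisbt.keys;
- services.websites.tools.modules =
- gitweb.apache.modules ++
- mantisbt.apache.modules;
- system.extraSystemBuilderCmds = ''
- mkdir -p $out/webapps
- ln -s ${gitweb.webRoot} $out/webapps/${gitweb.apache.webappName}
- ln -s ${mantisbt.webRoot} $out/webapps/${mantisbt.apache.webappName}
- '';
-
- services.websites.tools.vhostConfs.git = {
- certName = "eldiron";
- addToCerts = true;
- hosts = ["git.immae.eu" ];
- root = gitweb.apache.root;
- extraConfig = [
- gitweb.apache.vhostConf
- mantisbt.apache.vhostConf
- ''
- RewriteEngine on
- RewriteCond %{REQUEST_URI} ^/releases
- RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
- ''
- ];
- };
- services.phpfpm.poolConfigs = {
- mantisbt = mantisbt.phpFpm.pool;
- };
- };
-}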
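--- a/nixops/modules/websites/tools/git/gitweb.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ gitweb, writeText, gitolite, git, gitoliteDir, highlight }:
-rec {
- varDir = gitoliteDir;
- webRoot = gitweb;
- config = writeText "gitweb.conf" ''
- $git_temp = "/tmp";
-
- # The directories where your projects are. Must not end with a
- # slash.
- $projectroot = "${varDir}/repositories";
-
- $projects_list = "${varDir}/projects.list";
- $strict_export = "true";
-
- # Base URLs for links displayed in the web interface.
- our @git_base_url_list = qw(ssh://gitolite@git.immae.eu https://git.immae.eu);
-
- $feature{'blame'}{'default'} = [1];
- $feature{'avatar'}{'default'} = ['gravatar'];
- $feature{'highlight'}{'default'} = [1];
-
- @stylesheets = ("gitweb-theme/gitweb.css");
- $logo = "gitweb-theme/git-logo.png";
- $favicon = "gitweb-theme/git-favicon.png";
- $javascript = "gitweb-theme/gitweb.js";
- $logo_url = "https://git.immae.eu/";
- $projects_list_group_categories = "true";
- $projects_list_description_width = 60;
- $project_list_default_category = "__Others__";
- $highlight_bin = "${highlight}/bin/highlight";
- '';
- apache = rec {
- user = "wwwrun";
- group = "wwwrun";
- modules = [ "cgid" ];
- webappName = "tools_gitweb";
- root = "/run/current-system/webapps/${webappName}";
- vhostConf = ''
- SetEnv GIT_PROJECT_ROOT ${varDir}/repositories/
- ScriptAliasMatch \
- "(?x)^/(.*/(HEAD | \
- info/refs | \
- objects/(info/[^/]+ | \
- [0-9a-f]{2}/[0-9a-f]{38} | \
- pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
- git-(upload|receive)-pack))$" \
- ${git}/libexec/git-core/git-http-backend/$1
-
- <Directory "${git}/libexec/git-core">
- Require all granted
- </Directory>
- <Directory "${root}">
- DirectoryIndex gitweb.cgi
- Require all granted
- AllowOverride None
- Options ExecCGI FollowSymLinks
- <Files gitweb.cgi>
- SetHandler cgi-script
- SetEnv GITWEB_CONFIG "${config}"
- </Files>
- </Directory>
- '';
- };
-}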
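--- a/nixops/modules/websites/tools/git/mantisbt.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ env, mantisbt_2, mantisbt_2-plugins }:
-rec {
- keys = [{
- dest = "webapps/tools-mantisbt";
- user = apache.user;
- group = apache.group;
- permissions = "0400";
- text = ''
- <?php
- $g_hostname = '${env.postgresql.socket}';
- $g_db_username = '${env.postgresql.user}';
- $g_db_password = '${env.postgresql.password}';
- $g_database_name = '${env.postgresql.database}';
- $g_db_type = 'pgsql';
- $g_crypto_master_salt = '${env.master_salt}';
- $g_allow_signup = OFF;
- $g_allow_anonymous_login = ON;
- $g_anonymous_account = 'anonymous';
-
- $g_phpMailer_method = PHPMAILER_METHOD_SENDMAIL;
- $g_smtp_host = 'localhost';
- $g_smtp_username = ''';
- $g_smtp_password = ''';
- $g_webmaster_email = 'mantisbt@tools.immae.eu';
- $g_from_email = 'mantisbt@tools.immae.eu';
- $g_return_path_email = 'mantisbt@tools.immae.eu';
- $g_from_name = 'Mantis Bug Tracker at git.immae.eu';
- $g_email_receive_own = OFF;
- # --- LDAP ---
- $g_login_method = LDAP;
- $g_ldap_protocol_version = 3;
- $g_ldap_server = 'ldaps://ldap.immae.eu:636';
- $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
- $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
- $g_ldap_bind_passwd = '${env.ldap.password}';
- $g_use_ldap_email = ON;
- $g_use_ldap_realname = ON;
- $g_ldap_uid_field = 'uid';
- $g_ldap_realname_field = 'cn';
- $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
- '';
- }];
- webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (builtins.attrValues mantisbt_2-plugins);
- apache = rec {
- user = "wwwrun";
- group = "wwwrun";
- modules = [ "proxy_fcgi" ];
- webappName = "tools_mantisbt";
- root = "/run/current-system/webapps/${webappName}";
- vhostConf = ''
- Alias /mantisbt "${root}"
- <Directory "${root}">
- DirectoryIndex index.php
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
- </FilesMatch>
-
- AllowOverride All
- Options FollowSymlinks
- Require all granted
- </Directory>
- <Directory "${root}/admin">
- #Reenable during upgrade
- Require all denied
- </Directory>
- '';
- };
- phpFpm = rec {
- serviceDeps = [ "postgresql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-mantisbt" ]
- ++ webRoot.plugins);
- socket = "/var/run/phpfpm/mantisbt.sock";
- pool = ''
- listen = ${socket}
- user = ${apache.user}
- group = ${apache.group}
- listen.owner = ${apache.user}
- listen.group = ${apache.group}
- pm = ondemand
- pm.max_children = 60
- pm.process_idle_timeout = 60
-
- php_admin_value[upload_max_filesize] = 5000000
-
- php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"
- php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt"
- '';
- };
-}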
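--- a/nixops/modules/websites/tools/mastodon.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- env = myconfig.env.tools.mastodon;
- root = "/run/current-system/webapps/tools_mastodon";
- cfg = config.services.myWebsites.tools.mastodon;
- mcfg = config.services.mastodon;
-in {
- options.services.myWebsites.tools.mastodon = {
- enable = lib.mkEnableOption "enable mastodon's website";
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = [{
- dest = "webapps/tools-mastodon";
- user = "mastodon";
- group = "mastodon";
- permissions = "0400";
- text = ''
- REDIS_HOST=${env.redis.host}
- REDIS_PORT=${env.redis.port}
- REDIS_DB=${env.redis.db}
- DB_HOST=${env.postgresql.socket}
- DB_USER=${env.postgresql.user}
- DB_NAME=${env.postgresql.database}
- DB_PASS=${env.postgresql.password}
- DB_PORT=${env.postgresql.port}
-
- LOCAL_DOMAIN=mastodon.immae.eu
- LOCAL_HTTPS=true
- ALTERNATE_DOMAINS=immae.eu
-
- PAPERCLIP_SECRET=${env.paperclip_secret}
- SECRET_KEY_BASE=${env.secret_key_base}
- OTP_SECRET=${env.otp_secret}
-
- VAPID_PRIVATE_KEY=${env.vapid.private}
- VAPID_PUBLIC_KEY=${env.vapid.public}
-
- SMTP_DELIVERY_METHOD=sendmail
- SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
- SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
- PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
-
- STREAMING_CLUSTER_NUM=1
-
- RAILS_LOG_LEVEL=warn
-
- # LDAP authentication (optional)
- LDAP_ENABLED=true
- LDAP_HOST=ldap.immae.eu
- LDAP_PORT=636
- LDAP_METHOD=simple_tls
- LDAP_BASE="dc=immae,dc=eu"
- LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
- LDAP_PASSWORD="${env.ldap.password}"
- LDAP_UID="uid"
- LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
- '';
- }];
- services.mastodon = {
- enable = true;
- configFile = "/var/secrets/webapps/tools-mastodon";
- socketsPrefix = "live_immae";
- dataDir = "/var/lib/mastodon_immae";
- };
-
- services.websites.tools.modules = [
- "headers" "proxy" "proxy_wstunnel" "proxy_http"
- ];
- system.extraSystemBuilderCmds = ''
- mkdir -p $out/webapps
- ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
- '';
- services.websites.tools.vhostConfs.mastodon = {
- certName = "eldiron";
- addToCerts = true;
- hosts = ["mastodon.immae.eu" ];
- root = root;
- extraConfig = [ ''
- Header always set Referrer-Policy "strict-origin-when-cross-origin"
- Header always set Strict-Transport-Security "max-age=31536000"
-
- <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
- Header always set Cache-Control "public, max-age=31536000, immutable"
- Require all granted
- </LocationMatch>
-
- ProxyPreserveHost On
- RequestHeader set X-Forwarded-Proto "https"
-
- RewriteEngine On
-
- ProxyPass /500.html !
- ProxyPass /sw.js !
- ProxyPass /embed.js !
- ProxyPass /robots.txt !
- ProxyPass /manifest.json !
- ProxyPass /browserconfig.xml !
- ProxyPass /mask-icon.svg !
- ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
- ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
-
- RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
- RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
- ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
- ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
-
- Alias /system ${mcfg.dataDir}
-
- <Directory ${mcfg.dataDir}>
- Require all granted
- Options -MultiViews
- </Directory>
-
- <Directory ${root}>
- Require all granted
- Options -MultiViews +FollowSymlinks
- </Directory>
-
- ErrorDocument 500 /500.html
- ErrorDocument 501 /500.html
- ErrorDocument 502 /500.html
- ErrorDocument 503 /500.html
- ErrorDocument 504 /500.html
- '' ];
- };
- };
-}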
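--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ /dev/null
@@ -1,122 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- env = myconfig.env.tools.mediagoblin;
- cfg = config.services.myWebsites.tools.mediagoblin;
- mcfg = config.services.mediagoblin;
-in {
- options.services.myWebsites.tools.mediagoblin = {
- enable = lib.mkEnableOption "enable mediagoblin's website";
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys = [{
- dest = "webapps/tools-mediagoblin";
- user = "mediagoblin";
- group = "mediagoblin";
- permissions = "0400";
- text = ''
- [DEFAULT]
- data_basedir = "${mcfg.dataDir}"
-
- [mediagoblin]
- direct_remote_path = /mgoblin_static/
- email_sender_address = "mediagoblin@tools.immae.eu"
-
- #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
- sql_engine = ${env.psql_url}
-
- email_debug_mode = false
- allow_registration = false
- allow_reporting = true
-
- theme = airymodified
-
- user_privilege_scheme = "uploader,commenter,reporter"
-
- # We need to redefine them here since we override data_basedir
- # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
- workbench_path = %(data_basedir)s/media/workbench
- crypto_path = %(data_basedir)s/crypto
- theme_install_dir = %(data_basedir)s/themes/
- theme_linked_assets_dir = %(data_basedir)s/theme_static/
- plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
-
- [storage:queuestore]
- base_dir = %(data_basedir)s/media/queue
-
- [storage:publicstore]
- base_dir = %(data_basedir)s/media/public
- base_url = /mgoblin_media/
-
- [celery]
- CELERY_RESULT_DBURI = ${env.redis_url}
- BROKER_URL = ${env.redis_url}
- CELERYD_CONCURRENCY = 1
-
- [plugins]
- [[mediagoblin.plugins.geolocation]]
- [[mediagoblin.plugins.ldap]]
- [[[immae.eu]]]
- LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
- LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
- LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
- LDAP_BIND_PW = '${env.ldap.password}'
- LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
- EMAIL_SEARCH_FIELD = 'mail'
- [[mediagoblin.plugins.basicsearch]]
- [[mediagoblin.plugins.piwigo]]
- [[mediagoblin.plugins.processing_info]]
- [[mediagoblin.media_types.image]]
- [[mediagoblin.media_types.video]]
- '';
- }];
-
- users.users.mediagoblin.extraGroups = [ "keys" ];
-
- services.mediagoblin = {
- enable = true;
- plugins = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
- configFile = "/var/secrets/webapps/tools-mediagoblin";
- };
-
- services.websites.tools.modules = [
- "proxy" "proxy_http"
- ];
- users.users.wwwrun.extraGroups = [ "mediagoblin" ];
- services.websites.tools.vhostConfs.mgoblin = {
- certName = "eldiron";
- addToCerts = true;
- hosts = ["mgoblin.immae.eu" ];
- root = null;
- extraConfig = [ ''
- Alias /mgoblin_media ${mcfg.dataDir}/media/public
- <Directory ${mcfg.dataDir}/media/public>
- Options -Indexes +FollowSymLinks +MultiViews +Includes
- Require all granted
- </Directory>
-
- Alias /theme_static ${mcfg.dataDir}/theme_static
- <Directory ${mcfg.dataDir}/theme_static>
- Options -Indexes +FollowSymLinks +MultiViews +Includes
- Require all granted
- </Directory>
-
- Alias /plugin_static ${mcfg.dataDir}/plugin_static
- <Directory ${mcfg.dataDir}/plugin_static>
- Options -Indexes +FollowSymLinks +MultiViews +Includes
- Require all granted
- </Directory>
-
- ProxyPreserveHost on
- ProxyVia On
- ProxyRequests Off
- ProxyPass /mgoblin_media !
- ProxyPass /theme_static !
- ProxyPass /plugin_static !
- ProxyPassMatch ^/.well-known/acme-challenge !
- ProxyPass / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
- ProxyPassReverse / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
- '' ];
- };
- };
-}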
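--- a/nixops/modules/websites/tools/peertube.nix
+++ /dev/null
@@ -1,179 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- env = myconfig.env.tools.peertube;
- cfg = config.services.myWebsites.tools.peertube;
- pcfg = config.services.peertube;
-in {
- options.services.myWebsites.tools.peertube = {
- enable = lib.mkEnableOption "enable Peertube's website";
- };
-
- config = lib.mkIf cfg.enable {
- services.peertube = {
- enable = true;
- configFile = "/var/secrets/webapps/tools-peertube";
- package = pkgs.webapps.peertube.override { ldap = true; };
- };
- users.users.peertube.extraGroups = [ "keys" ];
-
- secrets.keys = [{
- dest = "webapps/tools-peertube";
- user = "peertube";
- group = "peertube";
- permissions = "0640";
- text = ''
- listen:
- hostname: 'localhost'
- port: ${env.listenPort}
- webserver:
- https: true
- hostname: 'peertube.immae.eu'
- port: 443
- trust_proxy:
- - 'loopback'
- database:
- hostname: '${env.postgresql.socket}'
- port: 5432
- suffix: '_prod'
- username: '${env.postgresql.user}'
- password: '${env.postgresql.password}'
- pool:
- max: 5
- redis:
- socket: '${env.redis.socket}'
- auth: null
- db: ${env.redis.db_index}
- ldap:
- enable: true
- ldap_only: false
- url: ldaps://${env.ldap.host}/${env.ldap.base}
- bind_dn: ${env.ldap.dn}
- bind_password: ${env.ldap.password}
- base: ${env.ldap.base}
- mail_entry: "mail"
- user_filter: "${env.ldap.filter}"
- smtp:
- transport: sendmail
- sendmail: '/run/wrappers/bin/sendmail'
- hostname: null
- port: 465 # If you use StartTLS: 587
- username: null
- password: null
- tls: true # If you use StartTLS: false
- disable_starttls: false
- ca_file: null # Used for self signed certificates
- from_address: 'peertube@tools.immae.eu'
- storage:
- tmp: '${pcfg.dataDir}/storage/tmp/'
- avatars: '${pcfg.dataDir}/storage/avatars/'
- videos: '${pcfg.dataDir}/storage/videos/'
- redundancy: '${pcfg.dataDir}/storage/videos/'
- logs: '${pcfg.dataDir}/storage/logs/'
- previews: '${pcfg.dataDir}/storage/previews/'
- thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
- torrents: '${pcfg.dataDir}/storage/torrents/'
- captions: '${pcfg.dataDir}/storage/captions/'
- cache: '${pcfg.dataDir}/storage/cache/'
- log:
- level: 'info'
- search:
- remote_uri:
- users: true
- anonymous: false
- trending:
- videos:
- interval_days: 7
- redundancy:
- videos:
- check_interval: '1 hour' # How often you want to check new videos to cache
- strategies: # Just uncomment strategies you want
- # Following are saved in local-production.json
- cache:
- previews:
- size: 500 # Max number of previews you want to cache
- captions:
- size: 500 # Max number of video captions/subtitles you want to cache
- admin:
- email: 'peertube@tools.immae.eu'
- contact_form:
- enabled: true
- signup:
- enabled: false
- limit: 10
- requires_email_verification: false
- filters:
- cidr:
- whitelist: []
- blacklist: []
- user:
- video_quota: -1
- video_quota_daily: -1
- transcoding:
- enabled: false
- allow_additional_extensions: true
- threads: 1
- resolutions:
- 240p: false
- 360p: false
- 480p: true
- 720p: true
- 1080p: true
- hls:
- enabled: false
- import:
- videos:
- http:
- enabled: true
- torrent:
- enabled: false
- instance:
- name: 'Immae&#x2019;s PeerTube'
- short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
- description: '''
- terms: '''
- default_client_route: '/videos/trending'
- default_nsfw_policy: 'blur'
- customizations:
- javascript: '''
- css: '''
- robots: |
- User-agent: *
- Disallow:
- securitytxt:
- "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
- services:
- # You can provide a reporting endpoint for Content Security Policy violations
- csp-logger:
- twitter:
- username: '@_immae'
- whitelisted: false
- '';
- }];
-
- services.websites.tools.modules = [
- "headers" "proxy" "proxy_http" "proxy_wstunnel"
- ];
- services.websites.tools.vhostConfs.peertube = {
- certName = "eldiron";
- addToCerts = true;
- hosts = [ "peertube.immae.eu" ];
- root = null;
- extraConfig = [ ''
- RewriteEngine On
-
- RewriteCond %{REQUEST_URI} ^/socket.io [NC]
- RewriteCond %{QUERY_STRING} transport=websocket [NC]
- RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
-
- RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
- RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
-
- ProxyPass / http://localhost:${env.listenPort}/
- ProxyPassReverse / http://localhost:${env.listenPort}/
-
- ProxyPreserveHost On
- RequestHeader set X-Real-IP %{REMOTE_ADDR}s
- '' ];
- };
- };
-}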
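--- a/nixops/modules/websites/tools/tools/default.nix
+++ /dev/null
@@ -1,298 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
- adminer = pkgs.callPackage ../../commons/adminer.nix {};
- ympd = pkgs.callPackage ./ympd.nix {
- env = myconfig.env.tools.ympd;
- };
- ttrss = pkgs.callPackage ./ttrss.nix {
- inherit (pkgs.webapps) ttrss ttrss-plugins;
- env = myconfig.env.tools.ttrss;
- };
- roundcubemail = pkgs.callPackage ./roundcubemail.nix {
- inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
- env = myconfig.env.tools.roundcubemail;
- };
- rainloop = pkgs.callPackage ./rainloop.nix {};
- kanboard = pkgs.callPackage ./kanboard.nix {
- env = myconfig.env.tools.kanboard;
- };
- wallabag = pkgs.callPackage ./wallabag.nix {
- inherit (pkgs.webapps) wallabag;
- env = myconfig.env.tools.wallabag;
- };
- yourls = pkgs.callPackage ./yourls.nix {
- inherit (pkgs.webapps) yourls yourls-plugins;
- env = myconfig.env.tools.yourls;
- };
- rompr = pkgs.callPackage ./rompr.nix {
- inherit (pkgs.webapps) rompr;
- env = myconfig.env.tools.rompr;
- };
- shaarli = pkgs.callPackage ./shaarli.nix {
- env = myconfig.env.tools.shaarli;
- };
- dokuwiki = pkgs.callPackage ./dokuwiki.nix {
- inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
- };
- ldap = pkgs.callPackage ./ldap.nix {
- inherit (pkgs.webapps) phpldapadmin;
- env = myconfig.env.tools.phpldapadmin;
- };
-
- cfg = config.services.myWebsites.tools.tools;
-in {
- options.services.myWebsites.tools.tools = {
- enable = lib.mkEnableOption "enable tools website";
- };
-
- config = lib.mkIf cfg.enable {
- secrets.keys =
- kanboard.keys
- ++ ldap.keys
- ++ roundcubemail.keys
- ++ shaarli.keys
- ++ ttrss.keys
- ++ wallabag.keys
- ++ yourls.keys;
-
- services.websites.integration.modules =
- rainloop.apache.modules;
-
- services.websites.tools.modules =
- [ "proxy_fcgi" ]
- ++ adminer.apache.modules
- ++ ympd.apache.modules
- ++ ttrss.apache.modules
- ++ roundcubemail.apache.modules
- ++ wallabag.apache.modules
- ++ yourls.apache.modules
- ++ rompr.apache.modules
- ++ shaarli.apache.modules
- ++ dokuwiki.apache.modules
- ++ ldap.apache.modules
- ++ kanboard.apache.modules;
-
- services.websites.integration.vhostConfs.devtools = {
- certName = "eldiron";
- addToCerts = true;
- hosts = ["devtools.immae.eu" ];
- root = "/var/lib/ftp/devtools.immae.eu";
- extraConfig = [
- ''
- <Directory "/var/lib/ftp/devtools.immae.eu">
- DirectoryIndex index.php index.htm index.html
- AllowOverride all
- Require all granted
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost"
- </FilesMatch>
- </Directory>
- ''
- rainloop.apache.vhostConf
- ];
- };
-
- services.websites.tools.vhostConfs.tools = {
- certName = "eldiron";
- addToCerts = true;
- hosts = ["tools.immae.eu" ];
- root = "/var/lib/ftp/tools.immae.eu";
- extraConfig = [
- ''
- <Directory "/var/lib/ftp/tools.immae.eu">
- DirectoryIndex index.php index.htm index.html
- AllowOverride all
- Require all granted
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost"
- </FilesMatch>
- </Directory>
- ''
- adminer.apache.vhostConf
- ympd.apache.vhostConf
- ttrss.apache.vhostConf
- roundcubemail.apache.vhostConf
- wallabag.apache.vhostConf
- yourls.apache.vhostConf
- rompr.apache.vhostConf
- shaarli.apache.vhostConf
- dokuwiki.apache.vhostConf
- ldap.apache.vhostConf
- kanboard.apache.vhostConf
- ];
- };
-
- services.websites.tools.vhostConfs.outils = {
- certName = "eldiron";
- addToCerts = true;
- hosts = [ "outils.immae.eu" ];
- root = null;
- extraConfig = [
- ''
- RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1
-
- RedirectMatch 301 ^/ether(.*)$ https://ether.immae.eu$1
-
- RedirectMatch 301 ^/nextcloud(.*)$ https://cloud.immae.eu$1
- RedirectMatch 301 ^/owncloud(.*)$ https://cloud.immae.eu$1
-
- RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
- RedirectMatch 301 ^/caldavzap(.*)$ https://dav.immae.eu/infcloud$1
- RedirectMatch 301 ^/caldav.php(.*)$ https://dav.immae.eu/caldav.php$1
- RedirectMatch 301 ^/davical(.*)$ https://dav.immae.eu/davical$1
-
- RedirectMatch 301 ^/taskweb(.*)$ https://task.immae.eu/taskweb$1
-
- RedirectMatch 301 ^/(.*)$ https://tools.immae.eu/$1
- ''
- ];
- };
-
- systemd.services = {
- phpfpm-dokuwiki = {
- after = lib.mkAfter dokuwiki.phpFpm.serviceDeps;
- wants = dokuwiki.phpFpm.serviceDeps;
- };
- phpfpm-kanboard = {
- after = lib.mkAfter kanboard.phpFpm.serviceDeps;
- wants = kanboard.phpFpm.serviceDeps;
- };
- phpfpm-ldap = {
- after = lib.mkAfter ldap.phpFpm.serviceDeps;
- wants = ldap.phpFpm.serviceDeps;
- };
- phpfpm-rainloop = {
- after = lib.mkAfter rainloop.phpFpm.serviceDeps;
- wants = rainloop.phpFpm.serviceDeps;
- };
- phpfpm-roundcubemail = {
- after = lib.mkAfter roundcubemail.phpFpm.serviceDeps;
- wants = roundcubemail.phpFpm.serviceDeps;
- };
- phpfpm-shaarli = {
- after = lib.mkAfter shaarli.phpFpm.serviceDeps;
- wants = shaarli.phpFpm.serviceDeps;
- };
- phpfpm-ttrss = {
- after = lib.mkAfter ttrss.phpFpm.serviceDeps;
- wants = ttrss.phpFpm.serviceDeps;
- };
- phpfpm-wallabag = {
- after = lib.mkAfter wallabag.phpFpm.serviceDeps;
- wants = wallabag.phpFpm.serviceDeps;
- preStart = lib.mkAfter wallabag.phpFpm.preStart;
- };
- phpfpm-yourls = {
- after = lib.mkAfter yourls.phpFpm.serviceDeps;
- wants = yourls.phpFpm.serviceDeps;
- };
- ympd = {
- description = "Standalone MPD Web GUI written in C";
- wantedBy = [ "multi-user.target" ];
- script = ''
- export MPD_PASSWORD=$(cat /var/secrets/mpd)
- ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
- '';
- };
- tt-rss = {
- description = "Tiny Tiny RSS feeds update daemon";
- serviceConfig = {
- User = "wwwrun";
- ExecStart = "${pkgs.php}/bin/php ${ttrss.webRoot}/update.php --daemon";
- StandardOutput = "syslog";
- StandardError = "syslog";
- PermissionsStartOnly = true;
- };
-
- wantedBy = [ "multi-user.target" ];
- requires = ["postgresql.service"];
- after = ["network.target" "postgresql.service"];
- };
- };
-
- services.phpfpm.pools.roundcubemail = {
- listen = roundcubemail.phpFpm.socket;
- extraConfig = roundcubemail.phpFpm.pool;
- phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig;
- };
-
- services.phpfpm.pools.devtools = {
- listen = "/var/run/phpfpm/devtools.sock";
- extraConfig = ''
- user = wwwrun
- group = wwwrun
- listen.owner = wwwrun
- listen.group = wwwrun
- pm = dynamic
- pm.max_children = 60
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 10
-
- php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"
- '';
- phpOptions = config.services.phpfpm.phpOptions + ''
- extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
- extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
- zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
- '';
- };
-
- services.phpfpm.poolConfigs = {
- adminer = adminer.phpFpm.pool;
- ttrss = ttrss.phpFpm.pool;
- wallabag = wallabag.phpFpm.pool;
- yourls = yourls.phpFpm.pool;
- rompr = rompr.phpFpm.pool;
- shaarli = shaarli.phpFpm.pool;
- dokuwiki = dokuwiki.phpFpm.pool;
- ldap = ldap.phpFpm.pool;
- rainloop = rainloop.phpFpm.pool;
- kanboard = kanboard.phpFpm.pool;
- tools = ''
- listen = /var/run/phpfpm/tools.sock
- user = wwwrun
- group = wwwrun
- listen.owner = wwwrun
- listen.group = wwwrun
- pm = dynamic
- pm.max_children = 60
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 10
-
- ; Needed to avoid clashes in browser cookies (same domain)
- php_value[session.name] = ToolsPHPSESSID
- php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"
- '';
- };
-
- system.activationScripts = {
- ttrss = ttrss.activationScript;
- roundcubemail = roundcubemail.activationScript;
- wallabag = wallabag.activationScript;
- yourls = yourls.activationScript;
- rompr = rompr.activationScript;
- shaarli = shaarli.activationScript;
- dokuwiki = dokuwiki.activationScript;
- rainloop = rainloop.activationScript;
- kanboard = kanboard.activationScript;
- };
-
- system.extraSystemBuilderCmds = ''
- mkdir -p $out/webapps
- ln -s ${dokuwiki.webRoot} $out/webapps/${dokuwiki.apache.webappName}
- ln -s ${ldap.webRoot}/htdocs $out/webapps/${ldap.apache.webappName}
- ln -s ${rompr.webRoot} $out/webapps/${rompr.apache.webappName}
- ln -s ${roundcubemail.webRoot} $out/webapps/${roundcubemail.apache.webappName}
- ln -s ${shaarli.webRoot} $out/webapps/${shaarli.apache.webappName}
- ln -s ${ttrss.webRoot} $out/webapps/${ttrss.apache.webappName}
- ln -s ${wallabag.webRoot} $out/webapps/${wallabag.apache.webappName}
- ln -s ${yourls.webRoot} $out/webapps/${yourls.apache.webappName}
- ln -s ${rainloop.webRoot} $out/webapps/${rainloop.apache.webappName}
- ln -s ${kanboard.webRoot} $out/webapps/${kanboard.apache.webappName}
- '';
-
- };
-}
-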
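--- a/nixops/modules/websites/tools/tools/dokuwiki.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ lib, stdenv, dokuwiki, dokuwiki-plugins }:
-rec {
- varDir = "/var/lib/dokuwiki";
- activationScript = {
- deps = [ "wrappers" ];
- text = ''
- if [ ! -d ${varDir} ]; then
- install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
- ${varDir}/animals
- cp -a ${webRoot}/conf.dist ${varDir}/conf
- cp -a ${webRoot}/data.dist ${varDir}/data
- cp -a ${webRoot}/
- chown -R ${apache.user}:${apache.user} ${varDir}/config ${varDir}/data
- chmod -R 755 ${varDir}/config ${varDir}/data
- fi
- install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
- '';
- };
- webRoot = dokuwiki.withPlugins (builtins.attrValues dokuwiki-plugins);
- apache = rec {
- user = "wwwrun";
- group = "wwwrun";
- modules = [ "proxy_fcgi" ];
- webappName = "tools_dokuwiki";
- root = "/run/current-system/webapps/${webappName}";
- vhostConf = ''
- Alias /dokuwiki "${root}"
- <Directory "${root}">
- DirectoryIndex index.php
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
- </FilesMatch>
-
- AllowOverride All
- Options +FollowSymlinks
- Require all granted
- </Directory>
- '';
- };
- phpFpm = rec {
- serviceDeps = [ "openldap.service" ];
- basedir = builtins.concatStringsSep ":" (
- [ webRoot varDir ] ++ webRoot.plugins);
- socket = "/var/run/phpfpm/dokuwiki.sock";
- pool = ''
- listen = ${socket}
- user = ${apache.user}
- group = ${apache.group}
- listen.owner = ${apache.user}
- listen.group = ${apache.group}
- pm = ondemand
- pm.max_children = 60
- pm.process_idle_timeout = 60
-
- ; Needed to avoid clashes in browser cookies (same domain)
- php_value[session.name] = DokuwikiPHPSESSID
- php_admin_value[open_basedir] = "${basedir}:/tmp"
- php_admin_value[session.save_path] = "${varDir}/phpSessions"
- '';
- };
-}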
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix
deleted file mode 100644
index 68f92b8..0000000
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ /dev/null
@@ -1,86 +0,0 @@
1{ env, kanboard }:
2rec {
3 varDir = "/var/lib/kanboard";
4 activationScript = {
5 deps = [ "wrappers" ];
6 text = ''
7 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
8 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
9 install -TDm644 ${webRoot}/dataold/.htaccess ${varDir}/data/.htaccess
10 install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
11 '';
12 };
13 keys = [{
14 dest = "webapps/tools-kanboard";
15 user = apache.user;
16 group = apache.group;
17 permissions = "0400";
18 text = ''
19 <?php
20 define('MAIL_FROM', 'kanboard@tools.immae.eu');
21
22 define('DB_DRIVER', 'postgres');
23 define('DB_USERNAME', '${env.postgresql.user}');
24 define('DB_PASSWORD', '${env.postgresql.password}');
25 define('DB_HOSTNAME', '${env.postgresql.socket}');
26 define('DB_NAME', '${env.postgresql.database}');
27
28 define('DATA_DIR', '${varDir}');
29 define('LDAP_AUTH', true);
30 define('LDAP_SERVER', '${env.ldap.host}');
31 define('LDAP_START_TLS', true);
32
33 define('LDAP_BIND_TYPE', 'proxy');
34 define('LDAP_USERNAME', '${env.ldap.dn}');
35 define('LDAP_PASSWORD', '${env.ldap.password}');
36 define('LDAP_USER_BASE_DN', '${env.ldap.base}');
37 define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
38 define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
39 ?>
40 '';
41 }];
42 webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
43 apache = rec {
44 user = "wwwrun";
45 group = "wwwrun";
46 modules = [ "proxy_fcgi" ];
47 webappName = "tools_kanboard";
48 root = "/run/current-system/webapps/${webappName}";
49 vhostConf = ''
50 Alias /kanboard "${root}"
51 <Directory "${root}">
52 DirectoryIndex index.php
53 AllowOverride All
54 Options FollowSymlinks
55 Require all granted
56
57 <FilesMatch "\.php$">
58 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
59 </FilesMatch>
60 </Directory>
61 <DirectoryMatch "${root}/data">
62 Require all denied
63 </DirectoryMatch>
64 '';
65 };
66 phpFpm = rec {
67 serviceDeps = [ "postgresql.service" "openldap.service" ];
68 basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
69 socket = "/var/run/phpfpm/kanboard.sock";
70 pool = ''
71 listen = ${socket}
72 user = ${apache.user}
73 group = ${apache.group}
74 listen.owner = ${apache.user}
75 listen.group = ${apache.group}
76 pm = ondemand
77 pm.max_children = 60
78 pm.process_idle_timeout = 60
79
80 ; Needed to avoid clashes in browser cookies (same domain)
81 php_value[session.name] = KanboardPHPSESSID
82 php_admin_value[open_basedir] = "${basedir}:/tmp"
83 php_admin_value[session.save_path] = "${varDir}/phpSessions"
84 '';
85 };
86}
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix
deleted file mode 100644
index 8ee39f6..0000000
--- a/nixops/modules/websites/tools/tools/ldap.nix
+++ /dev/null
@@ -1,68 +0,0 @@
1{ lib, php, env, writeText, phpldapadmin }:
2rec {
3 keys = [{
4 dest = "webapps/tools-ldap";
5 user = apache.user;
6 group = apache.group;
7 permissions = "0400";
8 text = ''
9 <?php
10 $config->custom->appearance['show_clear_password'] = true;
11 $config->custom->appearance['hide_template_warning'] = true;
12 $config->custom->appearance['theme'] = "tango";
13 $config->custom->appearance['minimalMode'] = true;
14
15 $servers = new Datastore();
16
17 $servers->newServer('ldap_pla');
18 $servers->setValue('server','name','Immae&#x2019;s LDAP');
19 $servers->setValue('server','host','ldaps://${env.ldap.host}');
20 $servers->setValue('login','auth_type','cookie');
21 $servers->setValue('login','bind_id','${env.ldap.dn}');
22 $servers->setValue('login','bind_pass','${env.ldap.password}');
23 $servers->setValue('appearance','password_hash','ssha');
24 $servers->setValue('login','attr','uid');
25 $servers->setValue('login','fallback_dn',true);
26 '';
27 }];
28 webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
29 apache = rec {
30 user = "wwwrun";
31 group = "wwwrun";
32 modules = [ "proxy_fcgi" ];
33 webappName = "tools_ldap";
34 root = "/run/current-system/webapps/${webappName}";
35 vhostConf = ''
36 Alias /ldap "${root}"
37 <Directory "${root}">
38 DirectoryIndex index.php
39 <FilesMatch "\.php$">
40 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
41 </FilesMatch>
42
43 AllowOverride None
44 Require all granted
45 </Directory>
46 '';
47 };
48 phpFpm = rec {
49 serviceDeps = [ "openldap.service" ];
50 basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
51 socket = "/var/run/phpfpm/ldap.sock";
52 pool = ''
53 listen = ${socket}
54 user = ${apache.user}
55 group = ${apache.group}
56 listen.owner = ${apache.user}
57 listen.group = ${apache.group}
58 pm = ondemand
59 pm.max_children = 60
60 pm.process_idle_timeout = 60
61
62 ; Needed to avoid clashes in browser cookies (same domain)
63 php_value[session.name] = LdapPHPSESSID
64 php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
65 php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
66 '';
67 };
68}
diff --git a/nixops/modules/websites/tools/tools/rainloop.nix b/nixops/modules/websites/tools/tools/rainloop.nix
deleted file mode 100644
index dbf0f24..0000000
--- a/nixops/modules/websites/tools/tools/rainloop.nix
+++ /dev/null
@@ -1,59 +0,0 @@
1{ lib, pkgs, writeText, stdenv, fetchurl }:
2rec {
3 varDir = "/var/lib/rainloop";
4 activationScript = {
5 deps = [ "wrappers" ];
6 text = ''
7 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
8 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
9 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
10 '';
11 };
12 webRoot = pkgs.rainloop-community.override { dataPath = "${varDir}/data"; };
13 apache = rec {
14 user = "wwwrun";
15 group = "wwwrun";
16 modules = [ "proxy_fcgi" ];
17 webappName = "tools_rainloop";
18 root = "/run/current-system/webapps/${webappName}";
19 vhostConf = ''
20 Alias /rainloop "${root}"
21 <Directory "${root}">
22 DirectoryIndex index.php
23 AllowOverride All
24 Options -FollowSymlinks
25 Require all granted
26
27 <FilesMatch "\.php$">
28 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
29 </FilesMatch>
30 </Directory>
31
32 <DirectoryMatch "${root}/data">
33 Require all denied
34 </DirectoryMatch>
35 '';
36 };
37 phpFpm = rec {
38 serviceDeps = [ "postgresql.service" ];
39 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
40 socket = "/var/run/phpfpm/rainloop.sock";
41 pool = ''
42 listen = ${socket}
43 user = ${apache.user}
44 group = ${apache.group}
45 listen.owner = ${apache.user}
46 listen.group = ${apache.group}
47 pm = ondemand
48 pm.max_children = 60
49 pm.process_idle_timeout = 60
50
51 ; Needed to avoid clashes in browser cookies (same domain)
52 php_value[session.name] = RainloopPHPSESSID
53 php_admin_value[upload_max_filesize] = 200M
54 php_admin_value[post_max_size] = 200M
55 php_admin_value[open_basedir] = "${basedir}:/tmp"
56 php_admin_value[session.save_path] = "${varDir}/phpSessions"
57 '';
58 };
59}
diff --git a/nixops/modules/websites/tools/tools/rompr.nix b/nixops/modules/websites/tools/tools/rompr.nix
deleted file mode 100644
index fea59fc..0000000
--- a/nixops/modules/websites/tools/tools/rompr.nix
+++ /dev/null
@@ -1,77 +0,0 @@
1{ lib, env, rompr }:
2rec {
3 varDir = "/var/lib/rompr";
4 activationScript = ''
5 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
6 ${varDir}/prefs ${varDir}/albumart ${varDir}/phpSessions
7 '';
8 webRoot = rompr;
9 apache = rec {
10 user = "wwwrun";
11 group = "wwwrun";
12 modules = [ "headers" "mime" "proxy_fcgi" ];
13 webappName = "tools_rompr";
14 root = "/run/current-system/webapps/${webappName}";
15 vhostConf = ''
16 Alias /rompr ${root}
17
18 <Directory ${root}>
19 Options Indexes FollowSymLinks
20 DirectoryIndex index.php
21 AllowOverride all
22 Require all granted
23 Order allow,deny
24 Allow from all
25 ErrorDocument 404 /rompr/404.php
26 AddType image/x-icon .ico
27
28 <FilesMatch "\.php$">
29 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
30 </FilesMatch>
31 </Directory>
32
33 <Directory ${root}/albumart/small>
34 Header Set Cache-Control "max-age=0, no-store"
35 Header Set Cache-Control "no-cache, must-revalidate"
36 </Directory>
37
38 <Directory ${root}/albumart/asdownloaded>
39 Header Set Cache-Control "max-age=0, no-store"
40 Header Set Cache-Control "no-cache, must-revalidate"
41 </Directory>
42
43 <LocationMatch "^/rompr">
44 Use LDAPConnect
45 Require ldap-group cn=users,cn=mpd,ou=services,dc=immae,dc=eu
46 </LocationMatch>
47 '';
48 };
49 phpFpm = rec {
50 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
51 socket = "/var/run/phpfpm/rompr.sock";
52 pool = ''
53 listen = ${socket}
54 user = ${apache.user}
55 group = ${apache.group}
56 listen.owner = ${apache.user}
57 listen.group = ${apache.group}
58 pm = ondemand
59 pm.max_children = 60
60 pm.process_idle_timeout = 60
61
62 ; Needed to avoid clashes in browser cookies (same domain)
63 php_value[session.name] = RomprPHPSESSID
64 php_admin_value[open_basedir] = "${basedir}:/tmp"
65 php_admin_value[session.save_path] = "${varDir}/phpSessions"
66 php_flag[magic_quotes_gpc] = Off
67 php_flag[track_vars] = On
68 php_flag[register_globals] = Off
69 php_admin_flag[allow_url_fopen] = On
70 php_value[include_path] = ${webRoot}
71 php_admin_value[upload_tmp_dir] = "${varDir}/prefs"
72 php_admin_value[post_max_size] = 32M
73 php_admin_value[upload_max_filesize] = 32M
74 php_admin_value[memory_limit] = 256M
75 '';
76 };
77}
diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix
deleted file mode 100644
index 8974d1b..0000000
--- a/nixops/modules/websites/tools/tools/roundcubemail.nix
+++ /dev/null
@@ -1,121 +0,0 @@
1{ env, roundcubemail, roundcubemail-plugins, roundcubemail-skins, phpPackages, apacheHttpd }:
2rec {
3 varDir = "/var/lib/roundcubemail";
4 activationScript = {
5 deps = [ "wrappers" ];
6 text = ''
7 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
8 ${varDir}/cache ${varDir}/logs
9 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
10 '';
11 };
12 keys = [{
13 dest = "webapps/tools-roundcube";
14 user = apache.user;
15 group = apache.group;
16 permissions = "0400";
17 text = ''
18 <?php
19 $config['db_dsnw'] = '${env.psql_url}';
20 $config['default_host'] = 'ssl://mail.immae.eu';
21 $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
22 $config['smtp_server'] = 'tls://mail.immae.eu';
23 $config['smtp_port'] = '25';
24 $config['managesieve_host'] = 'mail.immae.eu';
25 $config['managesieve_port'] = '4190';
26 $config['managesieve_usetls'] = true;
27 $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
28
29 $config['imap_cache'] = 'db';
30 $config['messages_cache'] = 'db';
31
32 $config['support_url'] = ''';
33
34 $config['des_key'] = '${env.secret}';
35
36 $config['skin'] = 'elastic';
37 $config['plugins'] = array(
38 'attachment_reminder',
39 'emoticons',
40 'filesystem_attachments',
41 'hide_blockquote',
42 'identicon',
43 'identity_select',
44 'jqueryui',
45 'managesieve',
46 'newmail_notifier',
47 'vcard_attachments',
48 'zipdownload',
49
50 'automatic_addressbook',
51 'message_highlight',
52 'carddav',
53 // Ne marche pas ?: 'ident_switch',
54 // Ne marche pas ?: 'thunderbird_labels',
55 );
56
57 $config['language'] = 'fr_FR';
58
59 $config['drafts_mbox'] = 'Mail/Drafts';
60 $config['junk_mbox'] = 'Mail/Spam';
61 $config['sent_mbox'] = 'Mail/sent';
62 $config['trash_mbox'] = ''';
63 $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
64 $config['draft_autosave'] = 60;
65 $config['enable_installer'] = false;
66 $config['log_driver'] = 'file';
67 $config['temp_dir'] = '${varDir}/cache';
68 $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
69 '';
70 }];
71 webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins
72 (builtins.attrValues roundcubemail-plugins) (builtins.attrValues roundcubemail-skins);
73 apache = rec {
74 user = "wwwrun";
75 group = "wwwrun";
76 modules = [ "proxy_fcgi" ];
77 webappName = "tools_roundcubemail";
78 root = "/run/current-system/webapps/${webappName}";
79 vhostConf = ''
80 Alias /roundcube "${root}"
81 <Directory "${root}">
82 DirectoryIndex index.php
83 AllowOverride All
84 Options FollowSymlinks
85 Require all granted
86
87 <FilesMatch "\.php$">
88 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
89 </FilesMatch>
90 </Directory>
91 '';
92 };
93 phpFpm = rec {
94 serviceDeps = [ "postgresql.service" ];
95 basedir = builtins.concatStringsSep ":" (
96 [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
97 ++ webRoot.plugins
98 ++ webRoot.skins);
99 phpConfig = ''
100 date.timezone = 'CET'
101 extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
102 '';
103 socket = "/var/run/phpfpm/roundcubemail.sock";
104 pool = ''
105 user = ${apache.user}
106 group = ${apache.group}
107 listen.owner = ${apache.user}
108 listen.group = ${apache.group}
109 pm = ondemand
110 pm.max_children = 60
111 pm.process_idle_timeout = 60
112
113 ; Needed to avoid clashes in browser cookies (same domain)
114 php_value[session.name] = RoundcubemailPHPSESSID
115 php_admin_value[upload_max_filesize] = 200M
116 php_admin_value[post_max_size] = 200M
117 php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"
118 php_admin_value[session.save_path] = "${varDir}/phpSessions"
119 '';
120 };
121}
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
deleted file mode 100644
index 2e89a47..0000000
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ /dev/null
@@ -1,65 +0,0 @@
1{ lib, env, stdenv, fetchurl, shaarli }:
2let
3 varDir = "/var/lib/shaarli";
4in rec {
5 activationScript = ''
6 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
7 ${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
8 ${varDir}/phpSessions
9 '';
10 webRoot = shaarli varDir;
11 apache = rec {
12 user = "wwwrun";
13 group = "wwwrun";
14 modules = [ "proxy_fcgi" "rewrite" "env" ];
15 webappName = "tools_shaarli";
16 root = "/run/current-system/webapps/${webappName}";
17 vhostConf = ''
18 Alias /Shaarli "${root}"
19
20 Include /var/secrets/webapps/tools-shaarli
21 <Directory "${root}">
22 DirectoryIndex index.php index.htm index.html
23 Options Indexes FollowSymLinks MultiViews Includes
24 AllowOverride All
25 Require all granted
26 <FilesMatch "\.php$">
27 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
28 </FilesMatch>
29 </Directory>
30 '';
31 };
32 keys = [{
33 dest = "webapps/tools-shaarli";
34 user = apache.user;
35 group = apache.group;
36 permissions = "0400";
37 text = ''
38 SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
39 SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
40 SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
41 SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
42 SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
43 '';
44 }];
45 phpFpm = rec {
46 serviceDeps = [ "openldap.service" ];
47 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
48 socket = "/var/run/phpfpm/shaarli.sock";
49 pool = ''
50 listen = ${socket}
51 user = ${apache.user}
52 group = ${apache.group}
53 listen.owner = ${apache.user}
54 listen.group = ${apache.group}
55 pm = ondemand
56 pm.max_children = 60
57 pm.process_idle_timeout = 60
58
59 ; Needed to avoid clashes in browser cookies (same domain)
60 php_value[session.name] = ShaarliPHPSESSID
61 php_admin_value[open_basedir] = "${basedir}:/tmp"
62 php_admin_value[session.save_path] = "${varDir}/phpSessions"
63 '';
64 };
65}
diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix
deleted file mode 100644
index 05c8cab..0000000
--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ /dev/null
@@ -1,131 +0,0 @@
1{ php, env, ttrss, ttrss-plugins }:
2rec {
3 varDir = "/var/lib/ttrss";
4 activationScript = {
5 deps = [ "wrappers" ];
6 text = ''
7 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
8 ${varDir}/lock ${varDir}/cache ${varDir}/feed-icons
9 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/cache/export/ \
10 ${varDir}/cache/feeds/ \
11 ${varDir}/cache/images/ \
12 ${varDir}/cache/js/ \
13 ${varDir}/cache/simplepie/ \
14 ${varDir}/cache/upload/
15 touch ${varDir}/feed-icons/index.html
16 install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
17 '';
18 };
19 keys = [{
20 dest = "webapps/tools-ttrss";
21 user = apache.user;
22 group = apache.group;
23 permissions = "0400";
24 text = ''
25 <?php
26
27 define('PHP_EXECUTABLE', '${php}/bin/php');
28
29 define('LOCK_DIRECTORY', 'lock');
30 define('CACHE_DIR', 'cache');
31 define('ICONS_DIR', 'feed-icons');
32 define('ICONS_URL', 'feed-icons');
33 define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
34
35 define('MYSQL_CHARSET', 'UTF8');
36
37 define('DB_TYPE', 'pgsql');
38 define('DB_HOST', '${env.postgresql.socket}');
39 define('DB_USER', '${env.postgresql.user}');
40 define('DB_NAME', '${env.postgresql.database}');
41 define('DB_PASS', '${env.postgresql.password}');
42 define('DB_PORT', '${env.postgresql.port}');
43
44 define('AUTH_AUTO_CREATE', true);
45 define('AUTH_AUTO_LOGIN', true);
46
47 define('SINGLE_USER_MODE', false);
48
49 define('SIMPLE_UPDATE_MODE', false);
50 define('CHECK_FOR_UPDATES', true);
51
52 define('FORCE_ARTICLE_PURGE', 0);
53 define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
54 define('ENABLE_GZIP_OUTPUT', false);
55
56 define('PLUGINS', 'auth_ldap, note, instances');
57
58 define('LOG_DESTINATION', ''');
59 define('CONFIG_VERSION', 26);
60
61
62 define('SPHINX_SERVER', 'localhost:9312');
63 define('SPHINX_INDEX', 'ttrss, delta');
64
65 define('ENABLE_REGISTRATION', false);
66 define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu');
67 define('REG_MAX_USERS', 10);
68
69 define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
70 define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
71 define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
72
73 define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
74 define('LDAP_AUTH_USETLS', TRUE);
75 define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
76 define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
77 define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
78 define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
79
80 define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
81 define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
82 define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
83
84 define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
85 define('LDAP_AUTH_DEBUG', FALSE);
86 '';
87 }];
88 webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (builtins.attrValues ttrss-plugins);
89 apache = rec {
90 user = "wwwrun";
91 group = "wwwrun";
92 modules = [ "proxy_fcgi" ];
93 webappName = "tools_ttrss";
94 root = "/run/current-system/webapps/${webappName}";
95 vhostConf = ''
96 Alias /ttrss "${root}"
97 <Directory "${root}">
98 DirectoryIndex index.php
99 <FilesMatch "\.php$">
100 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
101 </FilesMatch>
102
103 AllowOverride All
104 Options FollowSymlinks
105 Require all granted
106 </Directory>
107 '';
108 };
109 phpFpm = rec {
110 serviceDeps = [ "postgresql.service" "openldap.service" ];
111 basedir = builtins.concatStringsSep ":" (
112 [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
113 ++ webRoot.plugins);
114 socket = "/var/run/phpfpm/ttrss.sock";
115 pool = ''
116 listen = ${socket}
117 user = ${apache.user}
118 group = ${apache.group}
119 listen.owner = ${apache.user}
120 listen.group = ${apache.group}
121 pm = ondemand
122 pm.max_children = 60
123 pm.process_idle_timeout = 60
124
125 ; Needed to avoid clashes in browser cookies (same domain)
126 php_value[session.name] = TtrssPHPSESSID
127 php_admin_value[open_basedir] = "${basedir}:/tmp"
128 php_admin_value[session.save_path] = "${varDir}/phpSessions"
129 '';
130 };
131}
diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/nixops/modules/websites/tools/tools/wallabag.nix
deleted file mode 100644
index d6e5882..0000000
--- a/nixops/modules/websites/tools/tools/wallabag.nix
+++ /dev/null
@@ -1,148 +0,0 @@
1{ env, wallabag }:
2rec {
3 varDir = "/var/lib/wallabag";
4 keys = [{
5 dest = "webapps/tools-wallabag";
6 user = apache.user;
7 group = apache.group;
8 permissions = "0400";
9 text = ''
10 # This file is auto-generated during the composer install
11 parameters:
12 database_driver: pdo_pgsql
13 database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
14 database_host: ${env.postgresql.socket}
15 database_port: ${env.postgresql.port}
16 database_name: ${env.postgresql.database}
17 database_user: ${env.postgresql.user}
18 database_password: ${env.postgresql.password}
19 database_path: null
20 database_table_prefix: wallabag_
21 database_socket: null
22 database_charset: utf8
23 domain_name: https://tools.immae.eu/wallabag
24 mailer_transport: sendmail
25 mailer_host: 127.0.0.1
26 mailer_user: null
27 mailer_password: null
28 locale: fr
29 secret: ${env.secret}
30 twofactor_auth: true
31 twofactor_sender: wallabag@tools.immae.eu
32 fosuser_registration: false
33 fosuser_confirmation: true
34 from_email: wallabag@tools.immae.eu
35 rss_limit: 50
36 rabbitmq_host: localhost
37 rabbitmq_port: 5672
38 rabbitmq_user: guest
39 rabbitmq_password: guest
40 rabbitmq_prefetch_count: 10
41 redis_scheme: unix
42 redis_host: null
43 redis_port: null
44 redis_path: ${env.redis.socket}
45 redis_password: null
46 sites_credentials: { }
47 ldap_enabled: true
48 ldap_host: ldap.immae.eu
49 ldap_port: 636
50 ldap_tls: false
51 ldap_ssl: true
52 ldap_bind_requires_dn: true
53 ldap_base: 'dc=immae,dc=eu'
54 ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
55 ldap_manager_pw: ${env.ldap.password}
56 ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
57 ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
58 ldap_username_attribute: uid
59 ldap_email_attribute: mail
60 ldap_name_attribute: cn
61 ldap_enabled_attribute: null
62 services:
63 swiftmailer.mailer.default.transport:
64 class: Swift_SendmailTransport
65 arguments: ['/run/wrappers/bin/sendmail -bs']
66 '';
67 }];
68 webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
69 activationScript = ''
70 install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
71 ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
72 '';
73 webRoot = "${webappDir}/web";
74 # Domain migration: Table wallabag_entry contains whole
75 # https://tools.immae.eu/wallabag domain name in preview_picture
76 apache = rec {
77 user = "wwwrun";
78 group = "wwwrun";
79 modules = [ "proxy_fcgi" ];
80 webappName = "tools_wallabag";
81 root = "/run/current-system/webapps/${webappName}";
82 vhostConf = ''
83 Alias /wallabag "${root}"
84 <Directory "${root}">
85 AllowOverride None
86 Require all granted
87 # For OAuth (apps)
88 CGIPassAuth On
89
90 <FilesMatch "\.php$">
91 SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
92 </FilesMatch>
93
94 <IfModule mod_rewrite.c>
95 Options -MultiViews
96 RewriteEngine On
97 RewriteCond %{REQUEST_FILENAME} !-f
98 RewriteRule ^(.*)$ app.php [QSA,L]
99 </IfModule>
100 </Directory>
101 <Directory "${root}/bundles">
102 <IfModule mod_rewrite.c>
103 RewriteEngine Off
104 </IfModule>
105 </Directory>
106 <Directory "${varDir}/assets">
107 AllowOverride None
108 Require all granted
109 </Directory>
110 '';
111 };
112 phpFpm = rec {
113 preStart = ''
114 if [ ! -f "${varDir}/currentWebappDir" -o \
115 ! -f "${varDir}/currentKey" -o \
116 "${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ] \
117 || ! sha512sum -c --status ${varDir}/currentKey; then
118 pushd ${webappDir} > /dev/null
119 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod cache:clear
120 rm -rf /var/lib/wallabag/var/cache/pro_
121 /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
122 popd > /dev/null
123 echo -n "${webappDir}" > ${varDir}/currentWebappDir
124 sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
125 fi
126 '';
127 serviceDeps = [ "postgresql.service" "openldap.service" ];
128 basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
129 socket = "/var/run/phpfpm/wallabag.sock";
130 pool = ''
131 listen = ${socket}
132 user = ${apache.user}
133 group = ${apache.group}
134 listen.owner = ${apache.user}
135 listen.group = ${apache.group}
136 pm = dynamic
137 pm.max_children = 60
138 pm.start_servers = 2
139 pm.min_spare_servers = 1
140 pm.max_spare_servers = 10
141
142 ; Needed to avoid clashes in browser cookies (same domain)
143 php_value[session.name] = WallabagPHPSESSID
144 php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp"
145 php_value[max_execution_time] = 300
146 '';
147 };
148}
diff --git a/nixops/modules/websites/tools/tools/ympd.nix b/nixops/modules/websites/tools/tools/ympd.nix
deleted file mode 100644
index b54c486..0000000
--- a/nixops/modules/websites/tools/tools/ympd.nix
+++ /dev/null
@@ -1,40 +0,0 @@
1{ env }:
2let
3 ympd = rec {
4 config = {
5 webPort = "localhost:${env.listenPort}";
6 host = env.mpd.host;
7 port = env.mpd.port;
8 };
9 apache = {
10 modules = [
11 "proxy_wstunnel"
12 ];
13 vhostConf = ''
14 <LocationMatch "^/mpd(?!/music.(mp3|ogg))">
15 Use LDAPConnect
16 Require ldap-group cn=users,cn=mpd,ou=services,dc=immae,dc=eu
17 </LocationMatch>
18
19 RedirectMatch permanent "^/mpd$" "/mpd/"
20 <Location "/mpd/">
21 ProxyPass http://${config.webPort}/
22 ProxyPassReverse http://${config.webPort}/
23 ProxyPreserveHost on
24 </Location>
25 <Location "/mpd/ws">
26 ProxyPass ws://${config.webPort}/ws
27 </Location>
28 <Location "/mpd/music.mp3">
29 ProxyPass unix:///run/mpd/mp3.sock|http://tools.immae.eu/
30 ProxyPassReverse unix:///run/mpd/mp3.sock|http://tools.immae.eu/
31 </Location>
32 <Location "/mpd/music.ogg">
33 ProxyPass unix:///run/mpd/ogg.sock|http://tools.immae.eu/
34 ProxyPassReverse unix:///run/mpd/ogg.sock|http://tools.immae.eu/
35 </Location>
36 '';
37 };
38 };
39in
40 ympd
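diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix
deleted file mode 100644
index df1b3a2..0000000
--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ env, yourls, yourls-plugins }:
-rec {
- activationScript = ''
- install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
- '';
- keys = [{
- dest = "webapps/tools-yourls";
- user = apache.user;
- group = apache.group;
- permissions = "0400";
- text = ''
- <?php
- define( 'YOURLS_DB_USER', '${env.mysql.user}' );
- define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
- define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
- define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
- define( 'YOURLS_DB_PREFIX', 'yourls_' );
- define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
- define( 'YOURLS_HOURS_OFFSET', 0 );
- define( 'YOURLS_LANG', ''' );
- define( 'YOURLS_UNIQUE_URLS', true );
- define( 'YOURLS_PRIVATE', true );
- define( 'YOURLS_COOKIEKEY', '${env.cookieKey}' );
- $yourls_user_passwords = array();
- define( 'YOURLS_DEBUG', false );
- define( 'YOURLS_URL_CONVERT', 36 );
- $yourls_reserved_URL = array();
- define( 'LDAPAUTH_HOST', 'ldaps://ldap.immae.eu' );
- define( 'LDAPAUTH_PORT', '636' );
- define( 'LDAPAUTH_BASE', 'dc=immae,dc=eu' );
- define( 'LDAPAUTH_SEARCH_USER', 'cn=yourls,ou=services,dc=immae,dc=eu' );
- define( 'LDAPAUTH_SEARCH_PASS', '${env.ldap.password}' );
-
- define( 'LDAPAUTH_GROUP_ATTR', 'memberof' );
- define( 'LDAPAUTH_GROUP_REQ', 'cn=admin,cn=yourls,ou=services,dc=immae,dc=eu');
-
- define( 'LDAPAUTH_USERCACHE_TYPE', 0);
- '';
- }];
- webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins
- (builtins.attrValues yourls-plugins);
- apache = rec {
- user = "wwwrun";
- group = "wwwrun";
- modules = [ "proxy_fcgi" ];
- webappName = "tools_yourls";
- root = "/run/current-system/webapps/${webappName}";
- vhostConf = ''
- Alias /url "${root}"
- <Directory "${root}">
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
- </FilesMatch>
-
- AllowOverride None
- Require all granted
- <IfModule mod_rewrite.c>
- RewriteEngine On
- RewriteBase /url/
- RewriteCond %{REQUEST_FILENAME} !-f
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteRule ^.*$ /url/yourls-loader.php [L]
- </IfModule>
- DirectoryIndex index.php
- </Directory>
- '';
- };
- phpFpm = rec {
- serviceDeps = [ "mysql.service" "openldap.service" ];
- basedir = builtins.concatStringsSep ":" (
- [ webRoot "/var/secrets/webapps/tools-yourls" ]
- ++ webRoot.plugins);
- socket = "/var/run/phpfpm/yourls.sock";
- pool = ''
- listen = ${socket}
- user = ${apache.user}
- group = ${apache.group}
- listen.owner = ${apache.user}
- listen.group = ${apache.group}
- pm = ondemand
- pm.max_children = 60
- pm.process_idle_timeout = 60
-
- ; Needed to avoid clashes in browser cookies (same domain)
- php_value[session.name] = YourlsPHPSESSID
- php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls"
- php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls"
- '';
- };
-}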