Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
author: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 01:35:06 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2023-10-04 02:11:48 +0200
commit: 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree: 1b9df4838f894577a09b9b260151756272efeb53 /systems/eldiron/websites/mgoblin
parent: fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download: Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst
Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip
1 files changed, 173 insertions, 0 deletions
diff --git a/systems/eldiron/websites/mgoblin/default.nix b/systems/eldiron/websites/mgoblin/default.nix
new file mode 100644
index 0000000..f276c62
--- /dev/null
+++ b/systems/eldiron/websites/mgoblin/default.nix
@@ -0,0 +1,173 @@
+{ lib, pkgs, config, mediagoblin, ... }:
+let
+  env = config.myEnv.tools.mediagoblin;
+  cfg = config.myServices.websites.tools.mediagoblin;
+  mcfg = config.services.mediagoblin;
+in {
+  options.myServices.websites.tools.mediagoblin = {
+    enable = lib.mkEnableOption "enable mediagoblin's website";
+  };
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.eu".subdomains.mgoblin =
+      with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
+    myServices.chatonsProperties.services.mediagoblin = {
+      file.datetime = "2022-08-21T20:00:00";
+      service = {
+        name = "Mediagoblin";
+        description = "MediaGoblin is a free software media publishing platform that anyone can run";
+        website = "https://mgoblin.immae.eu/";
+        logo = "https://mgoblin.immae.eu/mgoblin_static/images/goblin.ico";
+        status.level = "OK";
+        status.description = "OK";
+        registration."" = ["MEMBER" "CLIENT"];
+        registration.load = "OPEN";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "Mediagoblin";
+        website = "https://mediagoblin.org/";
+        license.url = "http://www.gnu.org/licenses/agpl.html";
+        license.name = "GNU Affero General Public License";
+        version = mcfg.package.version;
+        source.url = "https://git.savannah.gnu.org/git/mediagoblin.git";
+        modules = map (a: a.pluginName) mcfg.package.plugins;
+      };
+    };
+    secrets.keys."webapps/tools-mediagoblin" = {
+      user = "mediagoblin";
+      group = "mediagoblin";
+      permissions = "0400";
+      text =
+        let
+          psql_url = with env.postgresql; "postgresql://${user}:${password}@:${port}/${database}?host=${socket}";
+          redis_url = with env.redis; "redis+socket://${socket}?virtual_host=${db}";
+        in
+      ''
+        [DEFAULT]
+        data_basedir = "${mcfg.dataDir}"
+        [mediagoblin]
+        direct_remote_path = /mgoblin_static/
+        email_sender_address = "mediagoblin@tools.immae.eu"
+        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
+        sql_engine = ${psql_url}
+        email_debug_mode = false
+        allow_registration = false
+        allow_reporting = true
+        theme = airymodified
+        user_privilege_scheme = "uploader,commenter,reporter"
+        # We need to redefine them here since we override data_basedir
+        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
+        workbench_path = %(data_basedir)s/media/workbench
+        crypto_path = %(data_basedir)s/crypto
+        theme_install_dir = %(data_basedir)s/themes/
+        theme_linked_assets_dir = %(data_basedir)s/theme_static/
+        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
+        [storage:queuestore]
+        base_dir = %(data_basedir)s/media/queue
+        [storage:publicstore]
+        base_dir = %(data_basedir)s/media/public
+        base_url = /mgoblin_media/
+        [celery]
+        CELERY_RESULT_DBURI = ${redis_url}
+        BROKER_URL = ${redis_url}
+        CELERYD_CONCURRENCY = 1
+        [plugins]
+          [[mediagoblin.plugins.geolocation]]
+          [[mediagoblin.plugins.ldap]]
+            [[[immae.eu]]]
+              LDAP_SERVER_URI = 'ldaps://${env.ldap.host}:636'
+              LDAP_SEARCH_BASE = '${env.ldap.base}'
+              LDAP_BIND_DN = '${env.ldap.dn}'
+              LDAP_BIND_PW = '${env.ldap.password}'
+              LDAP_SEARCH_FILTER = '${env.ldap.filter}'
+              EMAIL_SEARCH_FIELD = 'mail'
+          [[mediagoblin.plugins.basicsearch]]
+          [[mediagoblin.plugins.piwigo]]
+          [[mediagoblin.plugins.processing_info]]
+          [[mediagoblin.media_types.image]]
+          [[mediagoblin.media_types.video]]
+        '';
+    };
+    users.users.mediagoblin.extraGroups = [ "keys" ];
+    services.mediagoblin = {
+      enable     = true;
+      package    = mediagoblin.withPlugins (p: [p.basicsearch]);
+      configFile = config.secrets.fullPaths."webapps/tools-mediagoblin";
+    };
+    services.filesWatcher.mediagoblin-web = {
+      restart = true;
+      paths = [ mcfg.configFile ];
+    };
+    services.filesWatcher.mediagoblin-celeryd = {
+      restart = true;
+      paths = [ mcfg.configFile ];
+    };
+    services.websites.env.tools.modules = [
+      "proxy" "proxy_http"
+    ];
+    users.users.wwwrun.extraGroups = [ "mediagoblin" ];
+    security.acme.certs.eldiron.extraDomainNames = [ "mgoblin.immae.eu" ];
+    services.websites.env.tools.vhostConfs.mgoblin = {
+      certName    = "eldiron";
+      hosts       = ["mgoblin.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+        Alias /mgoblin_media ${mcfg.dataDir}/media/public
+        <Directory ${mcfg.dataDir}/media/public>
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Require all granted
+        </Directory>
+        Alias /theme_static ${mcfg.dataDir}/theme_static
+        <Directory ${mcfg.dataDir}/theme_static>
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Require all granted
+        </Directory>
+        Alias /plugin_static ${mcfg.dataDir}/plugin_static
+        <Directory ${mcfg.dataDir}/plugin_static>
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Require all granted
+        </Directory>
+        ProxyPreserveHost on
+        ProxyVia On
+        ProxyRequests Off
+        ProxyPass /mgoblin_media !
+        ProxyPass /theme_static !
+        ProxyPass /plugin_static !
+        ProxyPassMatch ^/.well-known/acme-challenge !
+        ProxyPass / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
+        ProxyPassReverse / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
+      '' ];
+    };
+    myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
+    myServices.monitoring.fromMasterObjects.service = [
+      {
+        service_description = "mediagoblin website is running on mgoblin.immae.eu";
+        host_name = config.hostEnv.fqdn;
+        use = "external-web-service";
+        check_command = ["check_https" "mgoblin.immae.eu" "/" "<title>GNU MediaGoblin"];
+        servicegroups = "webstatus-webapps";
+        _webstatus_name = "Mediagoblin";
+        _webstatus_url = "https://mgoblin.immae.eu/";
+      }
+    ];
+  };
+}
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 01:35:06 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2023-10-04 02:11:48 +0200
commit	1a64deeb894dc95e2645a75771732c6cc53a79ad (patch)
tree	1b9df4838f894577a09b9b260151756272efeb53 /systems/eldiron/websites/mgoblin
parent	fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff)
download	Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip

diff --git a/systems/eldiron/websites/mgoblin/default.nix b/systems/eldiron/websites/mgoblin/default.nix new file mode 100644 index 0000000..f276c62 --- /dev/null +++ b/systems/eldiron/websites/mgoblin/default.nix
@@ -0,0 +1,173 @@
	1	{ lib, pkgs, config, mediagoblin, ... }:
	2	let
	3	env = config.myEnv.tools.mediagoblin;
	4	cfg = config.myServices.websites.tools.mediagoblin;
	5	mcfg = config.services.mediagoblin;
	6	in {
	7	options.myServices.websites.tools.mediagoblin = {
	8	enable = lib.mkEnableOption "enable mediagoblin's website";
	9	};
	10
	11	config = lib.mkIf cfg.enable {
	12	myServices.dns.zones."immae.eu".subdomains.mgoblin =
	13	with config.myServices.dns.helpers; ips servers.eldiron.ips.main;
	14
	15	myServices.chatonsProperties.services.mediagoblin = {
	16	file.datetime = "2022-08-21T20:00:00";
	17	service = {
	18	name = "Mediagoblin";
	19	description = "MediaGoblin is a free software media publishing platform that anyone can run";
	20	website = "https://mgoblin.immae.eu/";
	21	logo = "https://mgoblin.immae.eu/mgoblin_static/images/goblin.ico";
	22	status.level = "OK";
	23	status.description = "OK";
	24	registration."" = ["MEMBER" "CLIENT"];
	25	registration.load = "OPEN";
	26	install.type = "PACKAGE";
	27	};
	28	software = {
	29	name = "Mediagoblin";
	30	website = "https://mediagoblin.org/";
	31	license.url = "http://www.gnu.org/licenses/agpl.html";
	32	license.name = "GNU Affero General Public License";
	33	version = mcfg.package.version;
	34	source.url = "https://git.savannah.gnu.org/git/mediagoblin.git";
	35	modules = map (a: a.pluginName) mcfg.package.plugins;
	36	};
	37	};
	38	secrets.keys."webapps/tools-mediagoblin" = {
	39	user = "mediagoblin";
	40	group = "mediagoblin";
	41	permissions = "0400";
	42	text =
	43	let
	44	psql_url = with env.postgresql; "postgresql://${user}:${password}@:${port}/${database}?host=${socket}";
	45	redis_url = with env.redis; "redis+socket://${socket}?virtual_host=${db}";
	46	in
	47	''
	48	[DEFAULT]
	49	data_basedir = "${mcfg.dataDir}"
	50
	51	[mediagoblin]
	52	direct_remote_path = /mgoblin_static/
	53	email_sender_address = "mediagoblin@tools.immae.eu"
	54
	55	#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
	56	sql_engine = ${psql_url}
	57
	58	email_debug_mode = false
	59	allow_registration = false
	60	allow_reporting = true
	61
	62	theme = airymodified
	63
	64	user_privilege_scheme = "uploader,commenter,reporter"
	65
	66	# We need to redefine them here since we override data_basedir
	67	# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
	68	workbench_path = %(data_basedir)s/media/workbench
	69	crypto_path = %(data_basedir)s/crypto
	70	theme_install_dir = %(data_basedir)s/themes/
	71	theme_linked_assets_dir = %(data_basedir)s/theme_static/
	72	plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
	73
	74	[storage:queuestore]
	75	base_dir = %(data_basedir)s/media/queue
	76
	77	[storage:publicstore]
	78	base_dir = %(data_basedir)s/media/public
	79	base_url = /mgoblin_media/
	80
	81	[celery]
	82	CELERY_RESULT_DBURI = ${redis_url}
	83	BROKER_URL = ${redis_url}
	84	CELERYD_CONCURRENCY = 1
	85
	86	[plugins]
	87	[[mediagoblin.plugins.geolocation]]
	88	[[mediagoblin.plugins.ldap]]
	89	[[[immae.eu]]]
	90	LDAP_SERVER_URI = 'ldaps://${env.ldap.host}:636'
	91	LDAP_SEARCH_BASE = '${env.ldap.base}'
	92	LDAP_BIND_DN = '${env.ldap.dn}'
	93	LDAP_BIND_PW = '${env.ldap.password}'
	94	LDAP_SEARCH_FILTER = '${env.ldap.filter}'
	95	EMAIL_SEARCH_FIELD = 'mail'
	96	[[mediagoblin.plugins.basicsearch]]
	97	[[mediagoblin.plugins.piwigo]]
	98	[[mediagoblin.plugins.processing_info]]
	99	[[mediagoblin.media_types.image]]
	100	[[mediagoblin.media_types.video]]
	101	'';
	102	};
	103
	104	users.users.mediagoblin.extraGroups = [ "keys" ];
	105
	106	services.mediagoblin = {
	107	enable = true;
	108	package = mediagoblin.withPlugins (p: [p.basicsearch]);
	109	configFile = config.secrets.fullPaths."webapps/tools-mediagoblin";
	110	};
	111	services.filesWatcher.mediagoblin-web = {
	112	restart = true;
	113	paths = [ mcfg.configFile ];
	114	};
	115	services.filesWatcher.mediagoblin-celeryd = {
	116	restart = true;
	117	paths = [ mcfg.configFile ];
	118	};
	119
	120	services.websites.env.tools.modules = [
	121	"proxy" "proxy_http"
	122	];
	123	users.users.wwwrun.extraGroups = [ "mediagoblin" ];
	124	security.acme.certs.eldiron.extraDomainNames = [ "mgoblin.immae.eu" ];
	125	services.websites.env.tools.vhostConfs.mgoblin = {
	126	certName = "eldiron";
	127	hosts = ["mgoblin.immae.eu" ];
	128	root = null;
	129	extraConfig = [ ''
	130	Alias /mgoblin_media ${mcfg.dataDir}/media/public
	131	<Directory ${mcfg.dataDir}/media/public>
	132	Options -Indexes +FollowSymLinks +MultiViews +Includes
	133	Require all granted
	134	</Directory>
	135
	136	Alias /theme_static ${mcfg.dataDir}/theme_static
	137	<Directory ${mcfg.dataDir}/theme_static>
	138	Options -Indexes +FollowSymLinks +MultiViews +Includes
	139	Require all granted
	140	</Directory>
	141
	142	Alias /plugin_static ${mcfg.dataDir}/plugin_static
	143	<Directory ${mcfg.dataDir}/plugin_static>
	144	Options -Indexes +FollowSymLinks +MultiViews +Includes
	145	Require all granted
	146	</Directory>
	147
	148	ProxyPreserveHost on
	149	ProxyVia On
	150	ProxyRequests Off
	151	ProxyPass /mgoblin_media !
	152	ProxyPass /theme_static !
	153	ProxyPass /plugin_static !
	154	ProxyPassMatch ^/.well-known/acme-challenge !
	155	ProxyPass / unix://${mcfg.sockets.paster}\|http://mgoblin.immae.eu/
	156	ProxyPassReverse / unix://${mcfg.sockets.paster}\|http://mgoblin.immae.eu/
	157	'' ];
	158	};
	159	myServices.monitoring.fromMasterActivatedPlugins = [ "http" ];
	160	myServices.monitoring.fromMasterObjects.service = [
	161	{
	162	service_description = "mediagoblin website is running on mgoblin.immae.eu";
	163	host_name = config.hostEnv.fqdn;
	164	use = "external-web-service";
	165	check_command = ["check_https" "mgoblin.immae.eu" "/" "<title>GNU MediaGoblin"];
	166
	167	servicegroups = "webstatus-webapps";
	168	_webstatus_name = "Mediagoblin";
	169	_webstatus_url = "https://mgoblin.immae.eu/";
	170	}
	171	];
	172	};
	173	}