aboutsummaryrefslogtreecommitdiff
path: root/virtual
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2019-01-09 23:35:11 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2019-01-09 23:35:11 +0100
commit4d4f13f4a8e7df6480da895d80d487c891441745 (patch)
treeed559d3b3155bf79c0b2fa789948a3434dad3df4 /virtual
parent43b726ed3ba5e9a5ce91f7b39ffbe895d3ada18b (diff)
downloadNix-4d4f13f4a8e7df6480da895d80d487c891441745.tar.gz
Nix-4d4f13f4a8e7df6480da895d80d487c891441745.tar.zst
Nix-4d4f13f4a8e7df6480da895d80d487c891441745.zip
Move some elements to separate modules
Diffstat (limited to 'virtual')
-rw-r--r--virtual/eldiron.nix176
-rw-r--r--virtual/modules/databases.nix133
-rw-r--r--virtual/modules/gitolite.nix73
-rwxr-xr-xvirtual/modules/gitolite/gitolite_ldap_groups.sh (renamed from virtual/packages/gitolite_ldap_groups.sh)0
-rw-r--r--virtual/modules/gitweb.nix21
-rw-r--r--virtual/modules/gitweb/theme/git-favicon.png (renamed from virtual/packages/gitweb/git-favicon.png)bin1125 -> 1125 bytes
-rw-r--r--virtual/modules/gitweb/theme/git-logo.png (renamed from virtual/packages/gitweb/git-logo.png)bin2412 -> 2412 bytes
-rw-r--r--virtual/modules/gitweb/theme/gitweb.css (renamed from virtual/packages/gitweb/gitweb.css)0
-rw-r--r--virtual/modules/gitweb/theme/gitweb.js (renamed from virtual/packages/gitweb/gitweb.js)0
9 files changed, 243 insertions, 160 deletions
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 7dbca92..acd2cbd 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -4,44 +4,28 @@
4 enableRollback = true; 4 enableRollback = true;
5 }; 5 };
6 6
7 eldiron = { config, pkgs, ... }: 7 eldiron = { config, pkgs, mylibs, ... }:
8 with import ../libs.nix; 8 with mylibs;
9 let 9 let
10 mypkgs = pkgs.callPackage ./packages.nix { 10 mypkgs = pkgs.callPackage ./packages.nix {
11 inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub; 11 inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
12 }; 12 };
13 in 13 in
14 { 14 {
15 _module.args = {
16 mylibs = import ../libs.nix;
17 };
18
19 imports = [
20 ./modules/gitolite.nix
21 ./modules/gitweb.nix
22 ./modules/databases.nix
23 ];
24 services.myGitolite.enable = true;
25 services.myGitweb.enable = true;
26 services.myDatabases.enable = true;
27
15 nixpkgs.config.packageOverrides = oldpkgs: rec { 28 nixpkgs.config.packageOverrides = oldpkgs: rec {
16 gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
17 name = "gitolite-${version}";
18 version = "3.6.10";
19 src = pkgs.fetchFromGitHub {
20 owner = "sitaramc";
21 repo = "gitolite";
22 rev = "v${version}";
23 sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
24 };
25 });
26 gitweb = oldpkgs.gitweb.overrideAttrs(old: {
27 installPhase = old.installPhase + ''
28 cp -r ${./packages/gitweb} $out/gitweb-theme;
29 '';
30 });
31 postgresql = postgresql111;
32 postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
33 passthru = old.passthru // { psqlSchema = "11.0"; };
34 name = "postgresql-11.1";
35 src = pkgs.fetchurl {
36 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
37 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
38 };
39 });
40 mariadb = mariadbPAM;
41 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
42 cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
43 buildInputs = old.buildInputs ++ [ pkgs.pam ];
44 });
45 goaccess = oldpkgs.goaccess.overrideAttrs(old: rec { 29 goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
46 name = "goaccess-${version}"; 30 name = "goaccess-${version}";
47 version = "1.3"; 31 version = "1.3";
@@ -57,7 +41,7 @@
57 networking = { 41 networking = {
58 firewall = { 42 firewall = {
59 enable = true; 43 enable = true;
60 allowedTCPPorts = [ 22 80 443 3306 5432 9418 ]; 44 allowedTCPPorts = [ 22 80 443 9418 ];
61 }; 45 };
62 }; 46 };
63 47
@@ -116,7 +100,6 @@
116 allowKeysForGroup = true; 100 allowKeysForGroup = true;
117 extraDomains = { 101 extraDomains = {
118 "db-1.immae.eu" = null; 102 "db-1.immae.eu" = null;
119 "git.immae.eu" = null;
120 "tools.immae.eu" = null; 103 "tools.immae.eu" = null;
121 "connexionswing.immae.eu" = null; 104 "connexionswing.immae.eu" = null;
122 "sandetludo.immae.eu" = null; 105 "sandetludo.immae.eu" = null;
@@ -197,32 +180,6 @@
197 AuthorizedKeysCommandUser nobody 180 AuthorizedKeysCommandUser nobody
198 ''; 181 '';
199 182
200 users.users.wwwrun.extraGroups = [ "gitolite" ];
201
202 users.users.gitolite.packages = let
203 python-packages = python-packages: with python-packages; [
204 simplejson
205 urllib3
206 ];
207 in
208 [
209 (pkgs.python3.withPackages python-packages)
210 ];
211 # FIXME: after initial install, need to
212 # (1) copy rc file (adjust gitolite_ldap_groups.sh)
213 # (2) (mark old readonly and) sync repos except gitolite-admin
214 # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
215 # chown -R gitolite:gitolite /var/lib/gitolite
216 # (3) push force the gitolite-admin to new location (from external point)
217 # Don't use an existing key, it will take precedence over
218 # gitolite-admin
219 # (4) su -u gitolite gitolite setup
220 services.gitolite = {
221 enable = true;
222 # FIXME: key from ./ssh
223 adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
224 };
225
226 services.ympd = mypkgs.ympd.config // { enable = false; }; 183 services.ympd = mypkgs.ympd.config // { enable = false; };
227 184
228 services.phpfpm = { 185 services.phpfpm = {
@@ -288,29 +245,6 @@
288 mkdir -p /run/redis 245 mkdir -p /run/redis
289 chown redis /run/redis 246 chown redis /run/redis
290 ''; 247 '';
291 gitolite =
292 assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
293 let
294 gitolite_ldap_groups = wrap {
295 name = "gitolite_ldap_groups.sh";
296 file = ./packages/gitolite_ldap_groups.sh;
297 vars = {
298 LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
299 };
300 paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
301 };
302 in {
303 deps = [ "users" ];
304 text = ''
305 if [ -d /var/lib/gitolite ]; then
306 ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
307 chmod g+rx /var/lib/gitolite
308 fi
309 if [ -f /var/lib/gitolite/projects.list ]; then
310 chmod g+r /var/lib/gitolite/projects.list
311 fi
312 '';
313 };
314 # FIXME: initial sync 248 # FIXME: initial sync
315 goaccess = '' 249 goaccess = ''
316 mkdir -p /var/lib/goaccess 250 mkdir -p /var/lib/goaccess
@@ -590,84 +524,6 @@
590 ]; 524 ];
591 }; 525 };
592 526
593 security.pam.services = let
594 pam_ldap = pkgs.pam_ldap;
595 pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
596 pkgs.writeText "mysql.conf" ''
597 host ldap.immae.eu
598 base dc=immae,dc=eu
599 binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
600 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
601 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
602 '';
603 in [
604 {
605 name = "mysql";
606 text = ''
607 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
608 auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
609 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
610 '';
611 }
612 ];
613
614 # FIXME: backup
615 # Nextcloud: 14
616 services.redis = rec {
617 enable = true;
618 bind = "127.0.0.1";
619 unixSocket = "/run/redis/redis.sock";
620 extraConfig = ''
621 unixsocketperm 777
622 maxclients 1024
623 '';
624 };
625
626 # FIXME: initial sync
627 # FIXME: backup
628 # FIXME: restart after pam
629 # FIXME: pam access doesn’t work (because of php module)
630 # FIXME: ssl
631 services.mysql = rec {
632 enable = true;
633 package = pkgs.mariadb;
634 };
635
636 # FIXME: initial sync
637 # FIXME: backup
638 # FIXME: ssl
639 services.postgresql = rec {
640 enable = true;
641 package = pkgs.postgresql;
642 enableTCPIP = true;
643 extraConfig = ''
644 max_connections = 100
645 wal_level = logical
646 shared_buffers = 128MB
647 max_wal_size = 1GB
648 min_wal_size = 80MB
649 log_timezone = 'Europe/Paris'
650 datestyle = 'iso, mdy'
651 timezone = 'Europe/Paris'
652 lc_messages = 'en_US.UTF-8'
653 lc_monetary = 'en_US.UTF-8'
654 lc_numeric = 'en_US.UTF-8'
655 lc_time = 'en_US.UTF-8'
656 default_text_search_config = 'pg_catalog.english'
657 # ssl = on
658 # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
659 # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
660 '';
661 authentication = ''
662 local all postgres ident
663 local all all md5
664 host all all samehost md5
665 host all all 178.33.252.96/32 md5
666 host all all 188.165.209.148/32 md5
667 #host all all all pam
668 '';
669 };
670
671 services.cron = { 527 services.cron = {
672 enable = true; 528 enable = true;
673 systemCronJobs = let 529 systemCronJobs = let
diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix
new file mode 100644
index 0000000..25bd645
--- /dev/null
+++ b/virtual/modules/databases.nix
@@ -0,0 +1,133 @@
1{ lib, pkgs, config, mylibs, ... }:
2let
3 cfg = config.services.myDatabases;
4in {
5 options.services.myDatabases = {
6 enable = lib.mkEnableOption "my databases service";
7 postgresql = {
8 enable = lib.mkOption {
9 default = cfg.enable;
10 example = true;
11 description = "Whether to enable postgresql database";
12 type = lib.types.bool;
13 };
14 };
15
16 mariadb = {
17 enable = lib.mkOption {
18 default = cfg.enable;
19 example = true;
20 description = "Whether to enable mariadb database";
21 type = lib.types.bool;
22 };
23 };
24
25 redis = {
26 enable = lib.mkOption {
27 default = cfg.enable;
28 example = true;
29 description = "Whether to enable redis database";
30 type = lib.types.bool;
31 };
32 };
33 };
34
35 config = lib.mkIf cfg.enable {
36 nixpkgs.config.packageOverrides = oldpkgs: rec {
37 postgresql = postgresql111;
38 postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
39 passthru = old.passthru // { psqlSchema = "11.0"; };
40 name = "postgresql-11.1";
41 src = pkgs.fetchurl {
42 url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
43 sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
44 };
45 });
46 mariadb = mariadbPAM;
47 mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
48 cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
49 buildInputs = old.buildInputs ++ [ pkgs.pam ];
50 });
51 };
52
53 networking.firewall.allowedTCPPorts = [ 3306 5432 ];
54
55 # FIXME: initial sync
56 # FIXME: backup
57 # FIXME: restart after pam
58 # FIXME: pam access doesn’t work (because of php module)
59 # FIXME: ssl
60 services.mysql = rec {
61 enable = cfg.mariadb.enable;
62 package = pkgs.mariadb;
63 };
64
65 # FIXME: initial sync
66 # FIXME: backup
67 # FIXME: ssl
68 services.postgresql = rec {
69 enable = cfg.postgresql.enable;
70 package = pkgs.postgresql;
71 enableTCPIP = true;
72 extraConfig = ''
73 max_connections = 100
74 wal_level = logical
75 shared_buffers = 128MB
76 max_wal_size = 1GB
77 min_wal_size = 80MB
78 log_timezone = 'Europe/Paris'
79 datestyle = 'iso, mdy'
80 timezone = 'Europe/Paris'
81 lc_messages = 'en_US.UTF-8'
82 lc_monetary = 'en_US.UTF-8'
83 lc_numeric = 'en_US.UTF-8'
84 lc_time = 'en_US.UTF-8'
85 default_text_search_config = 'pg_catalog.english'
86 # ssl = on
87 # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
88 # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
89 '';
90 authentication = ''
91 local all postgres ident
92 local all all md5
93 host all all samehost md5
94 host all all 178.33.252.96/32 md5
95 host all all 188.165.209.148/32 md5
96 #host all all all pam
97 '';
98 };
99
100 security.pam.services = let
101 pam_ldap = pkgs.pam_ldap;
102 pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
103 pkgs.writeText "mysql.conf" ''
104 host ldap.immae.eu
105 base dc=immae,dc=eu
106 binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
107 bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
108 pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
109 '';
110 in [
111 {
112 name = "mysql";
113 text = ''
114 # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
115 auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
116 account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
117 '';
118 }
119 ];
120
121 # FIXME: backup
122 # Nextcloud: 14
123 services.redis = rec {
124 enable = config.services.myDatabases.redis.enable;
125 bind = "127.0.0.1";
126 unixSocket = "/run/redis/redis.sock";
127 extraConfig = ''
128 unixsocketperm 777
129 maxclients 1024
130 '';
131 };
132 };
133}
diff --git a/virtual/modules/gitolite.nix b/virtual/modules/gitolite.nix
new file mode 100644
index 0000000..85c7be1
--- /dev/null
+++ b/virtual/modules/gitolite.nix
@@ -0,0 +1,73 @@
1{ lib, pkgs, config, mylibs, ... }:
2let
3 cfg = config.services.myGitolite;
4in {
5 options.services.myGitolite = {
6 enable = lib.mkEnableOption "my gitolite service";
7 };
8
9 config = lib.mkIf cfg.enable {
10 nixpkgs.config.packageOverrides = oldpkgs: rec {
11 gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
12 name = "gitolite-${version}";
13 version = "3.6.10";
14 src = pkgs.fetchFromGitHub {
15 owner = "sitaramc";
16 repo = "gitolite";
17 rev = "v${version}";
18 sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
19 };
20 });
21 };
22
23 system.activationScripts.gitolite =
24 assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
25 let
26 gitolite_ldap_groups = mylibs.wrap {
27 name = "gitolite_ldap_groups.sh";
28 file = ./gitolite/gitolite_ldap_groups.sh;
29 vars = {
30 LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
31 };
32 paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
33 };
34 in {
35 deps = [ "users" ];
36 text = ''
37 if [ -d /var/lib/gitolite ]; then
38 ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
39 chmod g+rx /var/lib/gitolite
40 fi
41 if [ -f /var/lib/gitolite/projects.list ]; then
42 chmod g+r /var/lib/gitolite/projects.list
43 fi
44 '';
45 };
46
47 users.users.wwwrun.extraGroups = [ "gitolite" ];
48
49 users.users.gitolite.packages = let
50 python-packages = python-packages: with python-packages; [
51 simplejson
52 urllib3
53 ];
54 in
55 [
56 (pkgs.python3.withPackages python-packages)
57 ];
58 # FIXME: after initial install, need to
59 # (1) copy rc file (adjust gitolite_ldap_groups.sh)
60 # (2) (mark old readonly and) sync repos except gitolite-admin
61 # rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
62 # chown -R gitolite:gitolite /var/lib/gitolite
63 # (3) push force the gitolite-admin to new location (from external point)
64 # Don't use an existing key, it will take precedence over
65 # gitolite-admin
66 # (4) su -u gitolite gitolite setup
67 services.gitolite = {
68 enable = true;
69 # FIXME: key from ./ssh
70 adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
71 };
72 };
73}
diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/modules/gitolite/gitolite_ldap_groups.sh
index 5f7ef6d..5f7ef6d 100755
--- a/virtual/packages/gitolite_ldap_groups.sh
+++ b/virtual/modules/gitolite/gitolite_ldap_groups.sh
diff --git a/virtual/modules/gitweb.nix b/virtual/modules/gitweb.nix
new file mode 100644
index 0000000..f3ef1bd
--- /dev/null
+++ b/virtual/modules/gitweb.nix
@@ -0,0 +1,21 @@
1{ lib, pkgs, config, mylibs, ... }:
2let
3 cfg = config.services.myGitweb;
4in {
5 options.services.myGitweb = {
6 enable = lib.mkEnableOption "my gitweb service";
7 };
8
9 config = lib.mkIf cfg.enable {
10 security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
11
12 nixpkgs.config.packageOverrides = oldpkgs: rec {
13 gitweb = oldpkgs.gitweb.overrideAttrs(old: {
14 installPhase = old.installPhase + ''
15 cp -r ${./gitweb/theme} $out/gitweb-theme;
16 '';
17 });
18 };
19
20 };
21}
diff --git a/virtual/packages/gitweb/git-favicon.png b/virtual/modules/gitweb/theme/git-favicon.png
index 4fa44bb..4fa44bb 100644
--- a/virtual/packages/gitweb/git-favicon.png
+++ b/virtual/modules/gitweb/theme/git-favicon.png
Binary files differ
diff --git a/virtual/packages/gitweb/git-logo.png b/virtual/modules/gitweb/theme/git-logo.png
index fdaf7b7..fdaf7b7 100644
--- a/virtual/packages/gitweb/git-logo.png
+++ b/virtual/modules/gitweb/theme/git-logo.png
Binary files differ
diff --git a/virtual/packages/gitweb/gitweb.css b/virtual/modules/gitweb/theme/gitweb.css
index 83e0742..83e0742 100644
--- a/virtual/packages/gitweb/gitweb.css
+++ b/virtual/modules/gitweb/theme/gitweb.css
diff --git a/virtual/packages/gitweb/gitweb.js b/virtual/modules/gitweb/theme/gitweb.js
index 72f3cfa..72f3cfa 100644
--- a/virtual/packages/gitweb/gitweb.js
+++ b/virtual/modules/gitweb/theme/gitweb.js