Move some elements to separate modules

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-01-09 23:35:11 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-01-09 23:35:11 +0100
commit: 4d4f13f4a8e7df6480da895d80d487c891441745 (patch)
tree: ed559d3b3155bf79c0b2fa789948a3434dad3df4 /virtual
parent: 43b726ed3ba5e9a5ce91f7b39ffbe895d3ada18b (diff)
download: Nix-4d4f13f4a8e7df6480da895d80d487c891441745.tar.gz
Nix-4d4f13f4a8e7df6480da895d80d487c891441745.tar.zst
Nix-4d4f13f4a8e7df6480da895d80d487c891441745.zip
9 files changed, 243 insertions, 160 deletions
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 7dbca92..acd2cbd 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -4,44 +4,28 @@
    enableRollback = true;
  };
-  eldiron = { config, pkgs, ... }:
+  eldiron = { config, pkgs, mylibs, ... }:
-    with import ../libs.nix;
+    with mylibs;
    let
        mypkgs = pkgs.callPackage ./packages.nix {
          inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
        };
    in
  {
+    _module.args = {
+      mylibs = import ../libs.nix;
+    };
+    imports = [
+      ./modules/gitolite.nix
+      ./modules/gitweb.nix
+      ./modules/databases.nix
+    ];
+    services.myGitolite.enable = true;
+    services.myGitweb.enable = true;
+    services.myDatabases.enable = true;
    nixpkgs.config.packageOverrides = oldpkgs: rec {
-      gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
-        name = "gitolite-${version}";
-        version = "3.6.10";
-        src = pkgs.fetchFromGitHub {
-          owner = "sitaramc";
-          repo = "gitolite";
-          rev = "v${version}";
-          sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
-        };
-      });
-      gitweb = oldpkgs.gitweb.overrideAttrs(old: {
-        installPhase = old.installPhase + ''
-          cp -r ${./packages/gitweb} $out/gitweb-theme;
-          '';
-      });
-      postgresql = postgresql111;
-      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
-        passthru = old.passthru // { psqlSchema = "11.0"; };
-        name = "postgresql-11.1";
-        src = pkgs.fetchurl {
-          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-        };
-      });
-      mariadb = mariadbPAM;
-      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
-        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
-        buildInputs = old.buildInputs ++ [ pkgs.pam ];
-      });
      goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
        name = "goaccess-${version}";
        version = "1.3";
@@ -57,7 +41,7 @@
    networking = {
      firewall = {
        enable = true;
-        allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
+        allowedTCPPorts = [ 22 80 443 9418 ];
      };
    };
@@ -116,7 +100,6 @@
        allowKeysForGroup = true;
        extraDomains = {
          "db-1.immae.eu" = null;
-          "git.immae.eu" = null;
          "tools.immae.eu" = null;
          "connexionswing.immae.eu" = null;
          "sandetludo.immae.eu" = null;
@@ -197,32 +180,6 @@
      AuthorizedKeysCommandUser nobody
      '';
-    users.users.wwwrun.extraGroups = [ "gitolite" ];
-    users.users.gitolite.packages = let
-      python-packages = python-packages: with python-packages; [
-        simplejson
-        urllib3
-      ];
-    in
-      [
-        (pkgs.python3.withPackages python-packages)
-      ];
-    # FIXME: after initial install, need to
-    # (1) copy rc file (adjust gitolite_ldap_groups.sh)
-    # (2) (mark old readonly and) sync repos except gitolite-admin
-    #     rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
-    #     chown -R gitolite:gitolite /var/lib/gitolite
-    # (3) push force the gitolite-admin to new location (from external point)
-    #     Don't use an existing key, it will take precedence over
-    #     gitolite-admin
-    # (4) su -u gitolite gitolite setup
-    services.gitolite = {
-      enable = true;
-      # FIXME: key from ./ssh
-      adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
-    };
    services.ympd = mypkgs.ympd.config // { enable = false; };
    services.phpfpm = {
@@ -288,29 +245,6 @@
        mkdir -p /run/redis
        chown redis /run/redis
        '';
-      gitolite =
-        assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
-        let
-        gitolite_ldap_groups = wrap {
-          name = "gitolite_ldap_groups.sh";
-          file = ./packages/gitolite_ldap_groups.sh;
-          vars = {
-            LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
-          };
-          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
-        };
-      in {
-        deps = [ "users" ];
-        text = ''
-          if [ -d /var/lib/gitolite ]; then
-            ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
-            chmod g+rx /var/lib/gitolite
-          fi
-          if [ -f /var/lib/gitolite/projects.list ]; then
-            chmod g+r /var/lib/gitolite/projects.list
-          fi
-        '';
-      };
      # FIXME: initial sync
      goaccess = ''
        mkdir -p /var/lib/goaccess
@@ -590,84 +524,6 @@
      ];
    };
-    security.pam.services = let
-      pam_ldap = pkgs.pam_ldap;
-      pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
-              pkgs.writeText "mysql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
-        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
-        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        '';
-    in [
-      {
-        name = "mysql";
-        text = ''
-          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          '';
-      }
-    ];
-    # FIXME: backup
-    # Nextcloud: 14
-    services.redis = rec {
-      enable = true;
-      bind = "127.0.0.1";
-      unixSocket = "/run/redis/redis.sock";
-      extraConfig = ''
-        unixsocketperm 777
-        maxclients 1024
-        '';
-    };
-    # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: restart after pam
-    # FIXME: pam access doesn’t work (because of php module)
-    # FIXME: ssl
-    services.mysql = rec {
-      enable = true;
-      package = pkgs.mariadb;
-    };
-    # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: ssl
-    services.postgresql = rec {
-      enable = true;
-      package = pkgs.postgresql;
-      enableTCPIP = true;
-      extraConfig = ''
-        max_connections = 100
-        wal_level = logical
-        shared_buffers = 128MB
-        max_wal_size = 1GB
-        min_wal_size = 80MB
-        log_timezone = 'Europe/Paris'
-        datestyle = 'iso, mdy'
-        timezone = 'Europe/Paris'
-        lc_messages = 'en_US.UTF-8'
-        lc_monetary = 'en_US.UTF-8'
-        lc_numeric = 'en_US.UTF-8'
-        lc_time = 'en_US.UTF-8'
-        default_text_search_config = 'pg_catalog.english'
-        # ssl = on
-        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
-        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
-        '';
-      authentication = ''
-        local   all     postgres                                ident
-        local   all     all                                     md5
-        host    all     all             samehost                md5
-        host    all     all             178.33.252.96/32        md5
-        host    all     all             188.165.209.148/32      md5
-        #host   all     all             all                     pam
-      '';
-    };
    services.cron = {
      enable = true;
      systemCronJobs = let
diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix
new file mode 100644
index 0000000..25bd645
--- /dev/null
+++ b/virtual/modules/databases.nix
@@ -0,0 +1,133 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    cfg = config.services.myDatabases;
+in {
+  options.services.myDatabases = {
+    enable = lib.mkEnableOption "my databases service";
+    postgresql = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable postgresql database";
+        type = lib.types.bool;
+      };
+    };
+    mariadb = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable mariadb database";
+        type = lib.types.bool;
+      };
+    };
+    redis = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable redis database";
+        type = lib.types.bool;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      postgresql = postgresql111;
+      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
+        passthru = old.passthru // { psqlSchema = "11.0"; };
+        name = "postgresql-11.1";
+        src = pkgs.fetchurl {
+          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
+          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
+        };
+      });
+      mariadb = mariadbPAM;
+      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
+        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
+        buildInputs = old.buildInputs ++ [ pkgs.pam ];
+      });
+    };
+    networking.firewall.allowedTCPPorts = [ 3306 5432 ];
+    # FIXME: initial sync
+    # FIXME: backup
+    # FIXME: restart after pam
+    # FIXME: pam access doesn’t work (because of php module)
+    # FIXME: ssl
+    services.mysql = rec {
+      enable = cfg.mariadb.enable;
+      package = pkgs.mariadb;
+    };
+    # FIXME: initial sync
+    # FIXME: backup
+    # FIXME: ssl
+    services.postgresql = rec {
+      enable = cfg.postgresql.enable;
+      package = pkgs.postgresql;
+      enableTCPIP = true;
+      extraConfig = ''
+        max_connections = 100
+        wal_level = logical
+        shared_buffers = 128MB
+        max_wal_size = 1GB
+        min_wal_size = 80MB
+        log_timezone = 'Europe/Paris'
+        datestyle = 'iso, mdy'
+        timezone = 'Europe/Paris'
+        lc_messages = 'en_US.UTF-8'
+        lc_monetary = 'en_US.UTF-8'
+        lc_numeric = 'en_US.UTF-8'
+        lc_time = 'en_US.UTF-8'
+        default_text_search_config = 'pg_catalog.english'
+        # ssl = on
+        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
+        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
+        '';
+      authentication = ''
+        local   all     postgres                                ident
+        local   all     all                                     md5
+        host    all     all             samehost                md5
+        host    all     all             178.33.252.96/32        md5
+        host    all     all             188.165.209.148/32      md5
+        #host   all     all             all                     pam
+      '';
+    };
+    security.pam.services = let
+      pam_ldap = pkgs.pam_ldap;
+      pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
+              pkgs.writeText "mysql.conf" ''
+        host ldap.immae.eu
+        base dc=immae,dc=eu
+        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+        bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
+        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
+        '';
+    in [
+      {
+        name = "mysql";
+        text = ''
+          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
+          '';
+      }
+    ];
+    # FIXME: backup
+    # Nextcloud: 14
+    services.redis = rec {
+      enable = config.services.myDatabases.redis.enable;
+      bind = "127.0.0.1";
+      unixSocket = "/run/redis/redis.sock";
+      extraConfig = ''
+        unixsocketperm 777
+        maxclients 1024
+        '';
+    };
+  };
+}
diff --git a/virtual/modules/gitolite.nix b/virtual/modules/gitolite.nix
new file mode 100644
index 0000000..85c7be1
--- /dev/null
+++ b/virtual/modules/gitolite.nix
@@ -0,0 +1,73 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    cfg = config.services.myGitolite;
+in {
+  options.services.myGitolite = {
+    enable = lib.mkEnableOption "my gitolite service";
+  };
+  config = lib.mkIf cfg.enable {
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
+        name = "gitolite-${version}";
+        version = "3.6.10";
+        src = pkgs.fetchFromGitHub {
+          owner = "sitaramc";
+          repo = "gitolite";
+          rev = "v${version}";
+          sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
+        };
+      });
+    };
+    system.activationScripts.gitolite =
+      assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+      let
+      gitolite_ldap_groups = mylibs.wrap {
+        name = "gitolite_ldap_groups.sh";
+        file = ./gitolite/gitolite_ldap_groups.sh;
+        vars = {
+          LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
+        };
+        paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+      };
+    in {
+      deps = [ "users" ];
+      text = ''
+        if [ -d /var/lib/gitolite ]; then
+          ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
+          chmod g+rx /var/lib/gitolite
+        fi
+        if [ -f /var/lib/gitolite/projects.list ]; then
+          chmod g+r /var/lib/gitolite/projects.list
+        fi
+      '';
+    };
+    users.users.wwwrun.extraGroups = [ "gitolite" ];
+    users.users.gitolite.packages = let
+      python-packages = python-packages: with python-packages; [
+        simplejson
+        urllib3
+      ];
+    in
+      [
+        (pkgs.python3.withPackages python-packages)
+      ];
+    # FIXME: after initial install, need to
+    # (1) copy rc file (adjust gitolite_ldap_groups.sh)
+    # (2) (mark old readonly and) sync repos except gitolite-admin
+    #     rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
+    #     chown -R gitolite:gitolite /var/lib/gitolite
+    # (3) push force the gitolite-admin to new location (from external point)
+    #     Don't use an existing key, it will take precedence over
+    #     gitolite-admin
+    # (4) su -u gitolite gitolite setup
+    services.gitolite = {
+      enable = true;
+      # FIXME: key from ./ssh
+      adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+    };
+  };
+}
diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/modules/gitolite/gitolite_ldap_groups.sh
index 5f7ef6d..5f7ef6d 100755
--- a/virtual/packages/gitolite_ldap_groups.sh
+++ b/virtual/modules/gitolite/gitolite_ldap_groups.sh
diff --git a/virtual/modules/gitweb.nix b/virtual/modules/gitweb.nix
new file mode 100644
index 0000000..f3ef1bd
--- /dev/null
+++ b/virtual/modules/gitweb.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    cfg = config.services.myGitweb;
+in {
+  options.services.myGitweb = {
+    enable = lib.mkEnableOption "my gitweb service";
+  };
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      gitweb = oldpkgs.gitweb.overrideAttrs(old: {
+        installPhase = old.installPhase + ''
+          cp -r ${./gitweb/theme} $out/gitweb-theme;
+          '';
+      });
+    };
+  };
+}
diff --git a/virtual/packages/gitweb/git-favicon.png b/virtual/modules/gitweb/theme/git-favicon.png
index 4fa44bb..4fa44bb 100644
--- a/virtual/packages/gitweb/git-favicon.png
+++ b/virtual/modules/gitweb/theme/git-favicon.png
Binary files differ
diff --git a/virtual/packages/gitweb/git-logo.png b/virtual/modules/gitweb/theme/git-logo.png
index fdaf7b7..fdaf7b7 100644
--- a/virtual/packages/gitweb/git-logo.png
+++ b/virtual/modules/gitweb/theme/git-logo.png
Binary files differ
diff --git a/virtual/packages/gitweb/gitweb.css b/virtual/modules/gitweb/theme/gitweb.css
index 83e0742..83e0742 100644
--- a/virtual/packages/gitweb/gitweb.css
+++ b/virtual/modules/gitweb/theme/gitweb.css
diff --git a/virtual/packages/gitweb/gitweb.js b/virtual/modules/gitweb/theme/gitweb.js
index 72f3cfa..72f3cfa 100644
--- a/virtual/packages/gitweb/gitweb.js
+++ b/virtual/modules/gitweb/theme/gitweb.js
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-01-09 23:35:11 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-01-09 23:35:11 +0100
commit	4d4f13f4a8e7df6480da895d80d487c891441745 (patch)
tree	ed559d3b3155bf79c0b2fa789948a3434dad3df4 /virtual
parent	43b726ed3ba5e9a5ce91f7b39ffbe895d3ada18b (diff)
download	Nix-4d4f13f4a8e7df6480da895d80d487c891441745.tar.gz Nix-4d4f13f4a8e7df6480da895d80d487c891441745.tar.zst Nix-4d4f13f4a8e7df6480da895d80d487c891441745.zip

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 7dbca92..acd2cbd 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix
@@ -4,44 +4,28 @@
4	enableRollback = true;	4	enableRollback = true;
5	};	5	};
6		6
7	eldiron = { config, pkgs, ... }:	7	eldiron = { config, pkgs, mylibs, ... }:
8	with import ../libs.nix;	8	with mylibs;
9	let	9	let
10	mypkgs = pkgs.callPackage ./packages.nix {	10	mypkgs = pkgs.callPackage ./packages.nix {
11	inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;	11	inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
12	};	12	};
13	in	13	in
14	{	14	{
		15	_module.args = {
		16	mylibs = import ../libs.nix;
		17	};
		18
		19	imports = [
		20	./modules/gitolite.nix
		21	./modules/gitweb.nix
		22	./modules/databases.nix
		23	];
		24	services.myGitolite.enable = true;
		25	services.myGitweb.enable = true;
		26	services.myDatabases.enable = true;
		27
15	nixpkgs.config.packageOverrides = oldpkgs: rec {	28	nixpkgs.config.packageOverrides = oldpkgs: rec {
16	gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
17	name = "gitolite-${version}";
18	version = "3.6.10";
19	src = pkgs.fetchFromGitHub {
20	owner = "sitaramc";
21	repo = "gitolite";
22	rev = "v${version}";
23	sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
24	};
25	});
26	gitweb = oldpkgs.gitweb.overrideAttrs(old: {
27	installPhase = old.installPhase + ''
28	cp -r ${./packages/gitweb} $out/gitweb-theme;
29	'';
30	});
31	postgresql = postgresql111;
32	postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
33	passthru = old.passthru // { psqlSchema = "11.0"; };
34	name = "postgresql-11.1";
35	src = pkgs.fetchurl {
36	url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
37	sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
38	};
39	});
40	mariadb = mariadbPAM;
41	mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
42	cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
43	buildInputs = old.buildInputs ++ [ pkgs.pam ];
44	});
45	goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {	29	goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
46	name = "goaccess-${version}";	30	name = "goaccess-${version}";
47	version = "1.3";	31	version = "1.3";
@@ -57,7 +41,7 @@
57	networking = {	41	networking = {
58	firewall = {	42	firewall = {
59	enable = true;	43	enable = true;
60	allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];	44	allowedTCPPorts = [ 22 80 443 9418 ];
61	};	45	};
62	};	46	};
63		47
@@ -116,7 +100,6 @@
116	allowKeysForGroup = true;	100	allowKeysForGroup = true;
117	extraDomains = {	101	extraDomains = {
118	"db-1.immae.eu" = null;	102	"db-1.immae.eu" = null;
119	"git.immae.eu" = null;
120	"tools.immae.eu" = null;	103	"tools.immae.eu" = null;
121	"connexionswing.immae.eu" = null;	104	"connexionswing.immae.eu" = null;
122	"sandetludo.immae.eu" = null;	105	"sandetludo.immae.eu" = null;
@@ -197,32 +180,6 @@
197	AuthorizedKeysCommandUser nobody	180	AuthorizedKeysCommandUser nobody
198	'';	181	'';
199		182
200	users.users.wwwrun.extraGroups = [ "gitolite" ];
201
202	users.users.gitolite.packages = let
203	python-packages = python-packages: with python-packages; [
204	simplejson
205	urllib3
206	];
207	in
208	[
209	(pkgs.python3.withPackages python-packages)
210	];
211	# FIXME: after initial install, need to
212	# (1) copy rc file (adjust gitolite_ldap_groups.sh)
213	# (2) (mark old readonly and) sync repos except gitolite-admin
214	# rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
215	# chown -R gitolite:gitolite /var/lib/gitolite
216	# (3) push force the gitolite-admin to new location (from external point)
217	# Don't use an existing key, it will take precedence over
218	# gitolite-admin
219	# (4) su -u gitolite gitolite setup
220	services.gitolite = {
221	enable = true;
222	# FIXME: key from ./ssh
223	adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
224	};
225
226	services.ympd = mypkgs.ympd.config // { enable = false; };	183	services.ympd = mypkgs.ympd.config // { enable = false; };
227		184
228	services.phpfpm = {	185	services.phpfpm = {
@@ -288,29 +245,6 @@
288	mkdir -p /run/redis	245	mkdir -p /run/redis
289	chown redis /run/redis	246	chown redis /run/redis
290	'';	247	'';
291	gitolite =
292	assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
293	let
294	gitolite_ldap_groups = wrap {
295	name = "gitolite_ldap_groups.sh";
296	file = ./packages/gitolite_ldap_groups.sh;
297	vars = {
298	LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
299	};
300	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
301	};
302	in {
303	deps = [ "users" ];
304	text = ''
305	if [ -d /var/lib/gitolite ]; then
306	ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
307	chmod g+rx /var/lib/gitolite
308	fi
309	if [ -f /var/lib/gitolite/projects.list ]; then
310	chmod g+r /var/lib/gitolite/projects.list
311	fi
312	'';
313	};
314	# FIXME: initial sync	248	# FIXME: initial sync
315	goaccess = ''	249	goaccess = ''
316	mkdir -p /var/lib/goaccess	250	mkdir -p /var/lib/goaccess
@@ -590,84 +524,6 @@
590	];	524	];
591	};	525	};
592		526
593	security.pam.services = let
594	pam_ldap = pkgs.pam_ldap;
595	pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
596	pkgs.writeText "mysql.conf" ''
597	host ldap.immae.eu
598	base dc=immae,dc=eu
599	binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
600	bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
601	pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
602	'';
603	in [
604	{
605	name = "mysql";
606	text = ''
607	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
608	auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
609	account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
610	'';
611	}
612	];
613
614	# FIXME: backup
615	# Nextcloud: 14
616	services.redis = rec {
617	enable = true;
618	bind = "127.0.0.1";
619	unixSocket = "/run/redis/redis.sock";
620	extraConfig = ''
621	unixsocketperm 777
622	maxclients 1024
623	'';
624	};
625
626	# FIXME: initial sync
627	# FIXME: backup
628	# FIXME: restart after pam
629	# FIXME: pam access doesn’t work (because of php module)
630	# FIXME: ssl
631	services.mysql = rec {
632	enable = true;
633	package = pkgs.mariadb;
634	};
635
636	# FIXME: initial sync
637	# FIXME: backup
638	# FIXME: ssl
639	services.postgresql = rec {
640	enable = true;
641	package = pkgs.postgresql;
642	enableTCPIP = true;
643	extraConfig = ''
644	max_connections = 100
645	wal_level = logical
646	shared_buffers = 128MB
647	max_wal_size = 1GB
648	min_wal_size = 80MB
649	log_timezone = 'Europe/Paris'
650	datestyle = 'iso, mdy'
651	timezone = 'Europe/Paris'
652	lc_messages = 'en_US.UTF-8'
653	lc_monetary = 'en_US.UTF-8'
654	lc_numeric = 'en_US.UTF-8'
655	lc_time = 'en_US.UTF-8'
656	default_text_search_config = 'pg_catalog.english'
657	# ssl = on
658	# ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
659	# ssl_key_file = '/var/lib/acme/eldiron/key.pem'
660	'';
661	authentication = ''
662	local all postgres ident
663	local all all md5
664	host all all samehost md5
665	host all all 178.33.252.96/32 md5
666	host all all 188.165.209.148/32 md5
667	#host all all all pam
668	'';
669	};
670
671	services.cron = {	527	services.cron = {
672	enable = true;	528	enable = true;
673	systemCronJobs = let	529	systemCronJobs = let


diff --git a/virtual/modules/databases.nix b/virtual/modules/databases.nix new file mode 100644 index 0000000..25bd645 --- /dev/null +++ b/virtual/modules/databases.nix
@@ -0,0 +1,133 @@
		1	{ lib, pkgs, config, mylibs, ... }:
		2	let
		3	cfg = config.services.myDatabases;
		4	in {
		5	options.services.myDatabases = {
		6	enable = lib.mkEnableOption "my databases service";
		7	postgresql = {
		8	enable = lib.mkOption {
		9	default = cfg.enable;
		10	example = true;
		11	description = "Whether to enable postgresql database";
		12	type = lib.types.bool;
		13	};
		14	};
		15
		16	mariadb = {
		17	enable = lib.mkOption {
		18	default = cfg.enable;
		19	example = true;
		20	description = "Whether to enable mariadb database";
		21	type = lib.types.bool;
		22	};
		23	};
		24
		25	redis = {
		26	enable = lib.mkOption {
		27	default = cfg.enable;
		28	example = true;
		29	description = "Whether to enable redis database";
		30	type = lib.types.bool;
		31	};
		32	};
		33	};
		34
		35	config = lib.mkIf cfg.enable {
		36	nixpkgs.config.packageOverrides = oldpkgs: rec {
		37	postgresql = postgresql111;
		38	postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
		39	passthru = old.passthru // { psqlSchema = "11.0"; };
		40	name = "postgresql-11.1";
		41	src = pkgs.fetchurl {
		42	url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
		43	sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
		44	};
		45	});
		46	mariadb = mariadbPAM;
		47	mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
		48	cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
		49	buildInputs = old.buildInputs ++ [ pkgs.pam ];
		50	});
		51	};
		52
		53	networking.firewall.allowedTCPPorts = [ 3306 5432 ];
		54
		55	# FIXME: initial sync
		56	# FIXME: backup
		57	# FIXME: restart after pam
		58	# FIXME: pam access doesn’t work (because of php module)
		59	# FIXME: ssl
		60	services.mysql = rec {
		61	enable = cfg.mariadb.enable;
		62	package = pkgs.mariadb;
		63	};
		64
		65	# FIXME: initial sync
		66	# FIXME: backup
		67	# FIXME: ssl
		68	services.postgresql = rec {
		69	enable = cfg.postgresql.enable;
		70	package = pkgs.postgresql;
		71	enableTCPIP = true;
		72	extraConfig = ''
		73	max_connections = 100
		74	wal_level = logical
		75	shared_buffers = 128MB
		76	max_wal_size = 1GB
		77	min_wal_size = 80MB
		78	log_timezone = 'Europe/Paris'
		79	datestyle = 'iso, mdy'
		80	timezone = 'Europe/Paris'
		81	lc_messages = 'en_US.UTF-8'
		82	lc_monetary = 'en_US.UTF-8'
		83	lc_numeric = 'en_US.UTF-8'
		84	lc_time = 'en_US.UTF-8'
		85	default_text_search_config = 'pg_catalog.english'
		86	# ssl = on
		87	# ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
		88	# ssl_key_file = '/var/lib/acme/eldiron/key.pem'
		89	'';
		90	authentication = ''
		91	local all postgres ident
		92	local all all md5
		93	host all all samehost md5
		94	host all all 178.33.252.96/32 md5
		95	host all all 188.165.209.148/32 md5
		96	#host all all all pam
		97	'';
		98	};
		99
		100	security.pam.services = let
		101	pam_ldap = pkgs.pam_ldap;
		102	pam_ldap_mysql = assert mylibs.checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
		103	pkgs.writeText "mysql.conf" ''
		104	host ldap.immae.eu
		105	base dc=immae,dc=eu
		106	binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
		107	bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
		108	pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
		109	'';
		110	in [
		111	{
		112	name = "mysql";
		113	text = ''
		114	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
		115	auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
		116	account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
		117	'';
		118	}
		119	];
		120
		121	# FIXME: backup
		122	# Nextcloud: 14
		123	services.redis = rec {
		124	enable = config.services.myDatabases.redis.enable;
		125	bind = "127.0.0.1";
		126	unixSocket = "/run/redis/redis.sock";
		127	extraConfig = ''
		128	unixsocketperm 777
		129	maxclients 1024
		130	'';
		131	};
		132	};
		133	}


diff --git a/virtual/modules/gitolite.nix b/virtual/modules/gitolite.nix new file mode 100644 index 0000000..85c7be1 --- /dev/null +++ b/virtual/modules/gitolite.nix
@@ -0,0 +1,73 @@
		1	{ lib, pkgs, config, mylibs, ... }:
		2	let
		3	cfg = config.services.myGitolite;
		4	in {
		5	options.services.myGitolite = {
		6	enable = lib.mkEnableOption "my gitolite service";
		7	};
		8
		9	config = lib.mkIf cfg.enable {
		10	nixpkgs.config.packageOverrides = oldpkgs: rec {
		11	gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
		12	name = "gitolite-${version}";
		13	version = "3.6.10";
		14	src = pkgs.fetchFromGitHub {
		15	owner = "sitaramc";
		16	repo = "gitolite";
		17	rev = "v${version}";
		18	sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
		19	};
		20	});
		21	};
		22
		23	system.activationScripts.gitolite =
		24	assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
		25	let
		26	gitolite_ldap_groups = mylibs.wrap {
		27	name = "gitolite_ldap_groups.sh";
		28	file = ./gitolite/gitolite_ldap_groups.sh;
		29	vars = {
		30	LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
		31	};
		32	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
		33	};
		34	in {
		35	deps = [ "users" ];
		36	text = ''
		37	if [ -d /var/lib/gitolite ]; then
		38	ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
		39	chmod g+rx /var/lib/gitolite
		40	fi
		41	if [ -f /var/lib/gitolite/projects.list ]; then
		42	chmod g+r /var/lib/gitolite/projects.list
		43	fi
		44	'';
		45	};
		46
		47	users.users.wwwrun.extraGroups = [ "gitolite" ];
		48
		49	users.users.gitolite.packages = let
		50	python-packages = python-packages: with python-packages; [
		51	simplejson
		52	urllib3
		53	];
		54	in
		55	[
		56	(pkgs.python3.withPackages python-packages)
		57	];
		58	# FIXME: after initial install, need to
		59	# (1) copy rc file (adjust gitolite_ldap_groups.sh)
		60	# (2) (mark old readonly and) sync repos except gitolite-admin
		61	# rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
		62	# chown -R gitolite:gitolite /var/lib/gitolite
		63	# (3) push force the gitolite-admin to new location (from external point)
		64	# Don't use an existing key, it will take precedence over
		65	# gitolite-admin
		66	# (4) su -u gitolite gitolite setup
		67	services.gitolite = {
		68	enable = true;
		69	# FIXME: key from ./ssh
		70	adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
		71	};
		72	};
		73	}


diff --git a/virtual/packages/gitolite_ldap_groups.sh b/virtual/modules/gitolite/gitolite_ldap_groups.sh index 5f7ef6d..5f7ef6d 100755 --- a/virtual/packages/gitolite_ldap_groups.sh +++ b/virtual/modules/gitolite/gitolite_ldap_groups.sh


diff --git a/virtual/modules/gitweb.nix b/virtual/modules/gitweb.nix new file mode 100644 index 0000000..f3ef1bd --- /dev/null +++ b/virtual/modules/gitweb.nix
@@ -0,0 +1,21 @@
		1	{ lib, pkgs, config, mylibs, ... }:
		2	let
		3	cfg = config.services.myGitweb;
		4	in {
		5	options.services.myGitweb = {
		6	enable = lib.mkEnableOption "my gitweb service";
		7	};
		8
		9	config = lib.mkIf cfg.enable {
		10	security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
		11
		12	nixpkgs.config.packageOverrides = oldpkgs: rec {
		13	gitweb = oldpkgs.gitweb.overrideAttrs(old: {
		14	installPhase = old.installPhase + ''
		15	cp -r ${./gitweb/theme} $out/gitweb-theme;
		16	'';
		17	});
		18	};
		19
		20	};
		21	}


diff --git a/virtual/packages/gitweb/git-favicon.png b/virtual/modules/gitweb/theme/git-favicon.png index 4fa44bb..4fa44bb 100644 --- a/virtual/packages/gitweb/git-favicon.png +++ b/virtual/modules/gitweb/theme/git-favicon.png
Binary files differ


diff --git a/virtual/packages/gitweb/git-logo.png b/virtual/modules/gitweb/theme/git-logo.png index fdaf7b7..fdaf7b7 100644 --- a/virtual/packages/gitweb/git-logo.png +++ b/virtual/modules/gitweb/theme/git-logo.png
Binary files differ


diff --git a/virtual/packages/gitweb/gitweb.css b/virtual/modules/gitweb/theme/gitweb.css index 83e0742..83e0742 100644 --- a/virtual/packages/gitweb/gitweb.css +++ b/virtual/modules/gitweb/theme/gitweb.css


diff --git a/virtual/packages/gitweb/gitweb.js b/virtual/modules/gitweb/theme/gitweb.js index 72f3cfa..72f3cfa 100644 --- a/virtual/packages/gitweb/gitweb.js +++ b/virtual/modules/gitweb/theme/gitweb.js