-rw-r--r-- | virtual/eldiron.nix | 37 | ||||
-rw-r--r-- | virtual/packages.nix | 3 | ||||
-rw-r--r-- | virtual/packages/connexionswing.nix | 8 | ||||
-rw-r--r-- | virtual/packages/ludivinecassal.nix | 177 | ||||
-rw-r--r-- | virtual/packages/ludivinecassal_master.json | 14 |
5 files changed, 238 insertions, 1 deletions
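--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -89,6 +89,8 @@
 ];
 
 security.acme.certs = {
+# /!\ To create a new certificate, add first the domain to an
+# existing certificate, deploy, and then use it in httpd.
 "eldiron" = {
 webroot = "/var/lib/acme/acme-challenge";
 email = "ismael@bouya.org";
@@ -104,6 +106,20 @@
 "connexionswing.immae.eu" = null;
 "sandetludo.immae.eu" = null;
 "cloud.immae.eu" = null;
+"ludivine.immae.eu" = null;
+"ludivinecassal.com" = null;
+};
+};
+"ludivinecassal" = {
+webroot = "/var/lib/acme/acme-challenge";
+email = "ismael@bouya.org";
+domain = "ludivinecassal.com";
+plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+postRun = ''
+systemctl reload httpd.service
+'';
+extraDomains = {
+"www.ludivinecassal.com" = null;
 };
 };
 # "connexionswing" = {
@@ -172,6 +188,8 @@
 adminer = mypkgs.adminer.phpFpm.pool;
 connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
 connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
+ludivinecassal_dev = mypkgs.ludivinecassal_dev.phpFpm.pool;
+ludivinecassal_prod = mypkgs.ludivinecassal_prod.phpFpm.pool;
 nextcloud = mypkgs.nextcloud.phpFpm.pool;
 mantisbt = mypkgs.mantisbt.phpFpm.pool;
 };
@@ -180,6 +198,8 @@
 system.activationScripts = {
 connexionswing_dev = mypkgs.connexionswing_dev.activationScript;
 connexionswing_prod = mypkgs.connexionswing_prod.activationScript;
+ludivinecassal_dev = mypkgs.ludivinecassal_dev.activationScript;
+ludivinecassal_prod = mypkgs.ludivinecassal_prod.activationScript;
 nextcloud = mypkgs.nextcloud.activationScript;
 httpd = ''
 install -d -m 0755 /var/lib/acme/acme-challenge
@@ -303,6 +323,8 @@
 mypkgs.nextcloud.apache.modules ++
 mypkgs.connexionswing_dev.apache.modules ++
 mypkgs.connexionswing_prod.apache.modules ++
+mypkgs.ludivinecassal_dev.apache.modules ++
+mypkgs.ludivinecassal_prod.apache.modules ++
 mypkgs.ympd.apache.modules ++
 mypkgs.git.web.apache.modules ++
 mypkgs.mantisbt.apache.modules ++
@@ -342,6 +364,21 @@
 ];
 })
 (withConf "eldiron" // {
+hostName = "ludivine.immae.eu";
+documentRoot = mypkgs.ludivinecassal_dev.webRoot;
+extraConfig = builtins.concatStringsSep "\n" [
+mypkgs.ludivinecassal_dev.apache.vhostConf
+];
+})
+(withConf "ludivinecassal" // {
+hostName = "ludivinecassal.com";
+serverAliases = [ "www.ludivinecassal.com" ];
+documentRoot = mypkgs.ludivinecassal_prod.webRoot;
+extraConfig = builtins.concatStringsSep "\n" [
+mypkgs.ludivinecassal_prod.apache.vhostConf
+];
+})
+(withConf "eldiron" // {
 hostName = "cloud.immae.eu";
 documentRoot = mypkgs.nextcloud.webRoot;
 extraConfig = builtins.concatStringsSep "\n" [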
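Review bot: `ludivinecassal.com` is now listed twice, as an `extraDomains` entry of the `eldiron` certificate (new line 110) and as the `domain` of the new `ludivinecassal` certificate (line 116), while its vhost is switched to `withConf "ludivinecassal"` (line 373). Given the bootstrap procedure described in the comment added at lines 92–93 this looks deliberate for the first deploy, but nothing records that the `eldiron` entry becomes dead weight afterwards and keeps that certificate re-validating a name it no longer serves. A `# TODO: remove once the "ludivinecassal" cert has been issued` next to line 110 would make the follow-up visible (`ludivine.immae.eu` on line 109 stays, since that vhost still uses `withConf "eldiron"`). The `security.acme.certs` set starts and ends outside the hunk.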
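--- a/virtual/packages.nix
+++ b/virtual/packages.nix
@@ -1,6 +1,7 @@
 { callPackage, checkEnv, fetchedGitPrivate, fetchedGithub }:
 let
 connexionswing = callPackage ./packages/connexionswing.nix { inherit checkEnv fetchedGitPrivate; };
+ludivinecassal = callPackage ./packages/ludivinecassal.nix { inherit checkEnv fetchedGitPrivate; };
 nextcloud = callPackage ./packages/nextcloud.nix { inherit checkEnv; };
 adminer = callPackage ./packages/adminer.nix {};
 ympd = callPackage ./packages/ympd.nix {};
@@ -12,6 +13,8 @@ in
 inherit ympd;
 connexionswing_dev = connexionswing { environment = "dev"; };
 connexionswing_prod = connexionswing { environment = "prod"; };
+ludivinecassal_dev = ludivinecassal { environment = "dev"; };
+ludivinecassal_prod = ludivinecassal { environment = "prod"; };
 inherit nextcloud;
 inherit mantisbt;
 # FIXME: add buildbot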
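--- a/virtual/packages/connexionswing.nix
+++ b/virtual/packages/connexionswing.nix
@@ -119,7 +119,13 @@ let
 </IfModule>
 
 </Directory>
-'' else ""}
+'' else ''
+<Directory ${webRoot}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+''}
 '';
 };
 activationScript = {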
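Review bot: The production `<Directory ${webRoot}>` block added at lines 123–127 enables `Options Indexes FollowSymLinks MultiViews Includes` on the public document root, so any directory the app's `.htaccess` does not cover gets a directory listing and server-side includes are processed. Unless listings and SSI are actually relied on, `Options FollowSymLinks` (or at least `-Indexes -Includes`) is the safer production default; `AllowOverride All` can stay, since the app's `.htaccess` rewrite rules are presumably what it is there for. The identical block is introduced in the new `virtual/packages/ludivinecassal.nix` (its lines 126–130), so the same change applies there. The `vhostConf` string this sits in starts before the hunk.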
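--- /dev/null
+++ b/virtual/packages/ludivinecassal.nix
@@ -0,0 +1,177 @@
+{ lib, checkEnv, writeText, fetchedGitPrivate, stdenv, php, git, cacert, phpPackages, ruby, sass, imagemagick }:
+let
+ludivinecassal = { environment ? "dev" }: rec {
+varPrefix = "LUDIVINECASSAL";
+varDir = "/var/lib/ludivinecassal_${environment}";
+envName= lib.strings.toUpper environment;
+configRoot =
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_PASSWORD";
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_USER";
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_NAME";
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_SECRET";
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_LDAP_PASSWORD";
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_LDAP_SEARCH_DN";
+assert checkEnv "NIXOPS_${varPrefix}_${envName}_LDAP_SEARCH_FILTER";
+writeText "parameters.yml" ''
+# This file is auto-generated during the composer install
+parameters:
+database_host: db-1.immae.eu
+database_port: null
+database_name: ${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_NAME"}
+database_user: ${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_USER"}
+database_password: ${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_MYSQL_PASSWORD"}
+mailer_transport: smtp
+mailer_host: mail.immae.eu
+mailer_user: null
+mailer_password: null
+secret: ${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_SECRET"}
+ldap_host: ldap.immae.eu
+ldap_port: 636
+ldap_version: 3
+ldap_ssl: true
+ldap_tls: false
+ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+ldap_base_dn: 'dc=immae,dc=eu'
+ldap_search_dn: '${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_LDAP_SEARCH_DN"}'
+ldap_search_password: '${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_LDAP_PASSWORD"}'
+ldap_search_filter: '${builtins.getEnv "NIXOPS_${varPrefix}_${envName}_LDAP_SEARCH_FILTER"}'
+leapt_im:
+binary_path: ${imagemagick}/bin
+assetic:
+sass: ${sass}/bin/sass
+ruby: ${ruby}/bin/ruby
+'';
+phpFpm = rec {
+socket = "/var/run/phpfpm/ludivinecassal-${environment}.sock";
+pool = ''
+listen = ${socket}
+user = ${apache.user}
+group = ${apache.group}
+listen.owner = ${apache.user}
+listen.group = ${apache.group}
+php_admin_value[upload_max_filesize] = 20M
+php_admin_value[post_max_size] = 20M
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "${configRoot}:${webappDir}:${varDir}:/tmp"
+${if environment == "dev" then ''
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+env[SYMFONY_DEBUG_MODE] = "yes"
+'' else ''
+pm = dynamic
+pm.max_children = 20
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+''}'';
+};
+apache = {
+user = "wwwrun";
+group = "wwwrun";
+modules = [ "proxy_fcgi" ];
+vhostConf = ''
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+</FilesMatch>
+
+${if environment == "dev" then ''
+<Location />
+Use LDAPConnect
+Require ldap-group cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
+</Location>
+
+<Directory ${webRoot}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride None
+Require all granted
+
+DirectoryIndex app_dev.php
+
+<IfModule mod_negotiation.c>
+Options -MultiViews
+</IfModule>
+
+<IfModule mod_rewrite.c>
+RewriteEngine On
+
+RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+RewriteRule ^(.*) - [E=BASE:%1]
+
+# Maintenance script
+RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+ErrorDocument 503 /maintenance.php
+
+# Sets the HTTP_AUTHORIZATION header removed by Apache
+RewriteCond %{HTTP:Authorization} .
+RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+RewriteCond %{ENV:REDIRECT_STATUS} ^$
+RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+# If the requested filename exists, simply serve it.
+# We only want to let Apache serve files and not directories.
+RewriteCond %{REQUEST_FILENAME} -f
+RewriteRule ^ - [L]
+
+# Rewrite all other queries to the front controller.
+RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+</IfModule>
+
+</Directory>
+'' else ''
+<Directory ${webRoot}>
+Options Indexes FollowSymLinks MultiViews Includes
+AllowOverride All
+Require all granted
+</Directory>
+''}
+'';
+};
+activationScript = {
+deps = [ "wrappers" ];
+text = ''
+install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
+if [ ! -f "${varDir}/currentWebappDir" -o \
+"${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ]; then
+pushd ${webappDir} > /dev/null
+$wrapperDir/sudo -u wwwrun ./bin/console --env=${environment} cache:clear --no-warmup
+popd > /dev/null
+echo -n "${webappDir}" > ${varDir}/currentWebappDir
+fi
+'';
+};
+webappDir = stdenv.mkDerivation (fetchedGitPrivate ./ludivinecassal_master.json // rec {
+# FIXME: can we do better than symlink?
+# FIXME: initial sync
+# FIXME: backup
+# FIXME: miniatures and data need to be in the same dir due to a
+# bug in leapt.im (searches for data/../miniatures)
+buildPhase = ''
+export GIT_SSL_CAINFO=${cacert}/etc/ssl/certs/ca-bundle.crt
+export SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt
+
+ln -sf ${configRoot} app/config/parameters.yml
+sed -i -e "/Incenteev..ParameterHandler..ScriptHandler::buildParameters/d" composer.json
+${if environment == "dev" then ''
+composer install
+'' else ''
+SYMFONY_ENV=prod composer install --no-dev
+''}
+rm -rf var
+ln -sf ../../../../../${varDir} var
+'';
+installPhase = ''
+cp -a . $out
+'';
+buildInputs = [
+php git cacert phpPackages.composer sass
+];
+});
+webRoot = "${webappDir}/web";
+};
+in
+ludivinecassal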
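Review bot: `configRoot` (lines 7–43) renders the MySQL password, the Symfony `secret` and the LDAP bind password into a `writeText` derivation, so the finished `parameters.yml` lives in `/nix/store`, which is readable by every local user on the build host and on the deployment target, and `ln -sf ${configRoot} app/config/parameters.yml` at line 157 bakes that path into `webappDir`, another store path. The `checkEnv` asserts only prove the variables are set at evaluation time; they do not keep the values out of the store or out of the closure that is copied on deploy. Keeping `configRoot` as the interface, the secret-bearing file could instead be written by `activationScript` into `${varDir}` with mode 0640 and owner `${apache.user}` (or shipped as a NixOps deployment key) and the symlink pointed there, leaving only the non-secret parameters in the store. Until then a `# NOTE: this file, secrets included, ends up world-readable in /nix/store` on `configRoot` would at least make the trade-off explicit.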
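--- /dev/null
+++ b/virtual/packages/ludivinecassal_master.json
@@ -0,0 +1,14 @@
+{
+"tag": "4327b82-master",
+"meta": {
+"name": "ludivinecassal_master",
+"url": "gitolite@git.immae.eu:perso/Immae/Sites/Ludivine",
+"branch": "master"
+},
+"git": {
+"url": "gitolite@git.immae.eu:perso/Immae/Sites/Ludivine",
+"rev": "4327b82ec00cc514bfce5aa7155bcdbcc871c065",
+"sha256": "1c5hnzvyvj45j61v2v5mh1l405ih74f58isr9dq21428kcfc2gyd",
+"fetchSubmodules": true
+}
+}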