diff options
Diffstat (limited to 'modules/private/websites/aten/production.nix')
-rw-r--r-- | modules/private/websites/aten/production.nix | 89 |
1 files changed, 67 insertions, 22 deletions
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix index 0fab309..21ecdcf 100644 --- a/modules/private/websites/aten/production.nix +++ b/modules/private/websites/aten/production.nix | |||
@@ -1,36 +1,81 @@ | |||
1 | { lib, pkgs, config, myconfig, ... }: | 1 | { lib, pkgs, config, myconfig, ... }: |
2 | let | 2 | let |
3 | aten = pkgs.callPackage ./builder.nix { | 3 | secrets = myconfig.env.websites.aten.production; |
4 | inherit (pkgs.webapps) aten; | 4 | app = pkgs.webapps.aten.override { environment = secrets.environment; }; |
5 | config = myconfig.env.websites.aten.production; | ||
6 | apacheUser = config.services.httpd.Prod.user; | ||
7 | apacheGroup = config.services.httpd.Prod.group; | ||
8 | }; | ||
9 | |||
10 | cfg = config.myServices.websites.aten.production; | 5 | cfg = config.myServices.websites.aten.production; |
6 | pcfg = config.services.phpApplication; | ||
11 | in { | 7 | in { |
12 | options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production"; | 8 | options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production"; |
13 | 9 | ||
14 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
15 | secrets.keys = aten.keys; | ||
16 | services.webstats.sites = [ { name = "aten.pro"; } ]; | 11 | services.webstats.sites = [ { name = "aten.pro"; } ]; |
12 | services.phpApplication.apps.aten_prod = { | ||
13 | websiteEnv = "production"; | ||
14 | httpdUser = config.services.httpd.Prod.user; | ||
15 | httpdGroup = config.services.httpd.Prod.group; | ||
16 | httpdWatchFiles = [ | ||
17 | config.secrets.fullPaths."webapps/${app.environment}-aten" | ||
18 | ]; | ||
19 | inherit (app) webRoot varDir; | ||
20 | inherit app; | ||
21 | serviceDeps = [ "postgresql.service" ]; | ||
22 | preStartActions = [ | ||
23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | ||
24 | ]; | ||
25 | phpOpenbasedir = [ "/tmp" ]; | ||
26 | phpPool = '' | ||
27 | php_admin_value[upload_max_filesize] = 20M | ||
28 | php_admin_value[post_max_size] = 20M | ||
29 | ;php_admin_flag[log_errors] = on | ||
30 | pm = dynamic | ||
31 | pm.max_children = 20 | ||
32 | pm.start_servers = 2 | ||
33 | pm.min_spare_servers = 1 | ||
34 | pm.max_spare_servers = 3 | ||
35 | ''; | ||
36 | }; | ||
17 | 37 | ||
18 | systemd.services.phpfpm-aten_prod.preStart = lib.mkAfter aten.phpFpm.preStart; | 38 | secrets.keys = [{ |
19 | systemd.services.phpfpm-aten_prod.after = lib.mkAfter aten.phpFpm.serviceDeps; | 39 | dest = "webapps/${app.environment}-aten"; |
20 | systemd.services.phpfpm-aten_prod.wants = aten.phpFpm.serviceDeps; | 40 | user = config.services.httpd.Prod.user; |
21 | services.phpfpm.poolConfigs.aten_prod = aten.phpFpm.pool; | 41 | group = config.services.httpd.Prod.user; |
22 | system.activationScripts.aten_prod = aten.activationScript; | 42 | permissions = "0400"; |
23 | myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot; | 43 | text = '' |
24 | services.websites.env.production.modules = aten.apache.modules; | 44 | SetEnv APP_ENV "${app.environment}" |
25 | services.websites.env.production.vhostConfs.aten = { | 45 | SetEnv APP_SECRET "${secrets.secret}" |
46 | SetEnv DATABASE_URL "${secrets.psql_url}" | ||
47 | ''; | ||
48 | }]; | ||
49 | services.websites.env.production.vhostConfs.aten_prod = { | ||
26 | certName = "aten"; | 50 | certName = "aten"; |
27 | certMainHost = "aten.pro"; | 51 | certMainHost = "aten.pro"; |
28 | hosts = [ "aten.pro" "www.aten.pro" ]; | 52 | hosts = [ "aten.pro" "www.aten.pro" ]; |
29 | root = aten.apache.root; | 53 | root = pcfg.webappDirs.aten_prod; |
30 | extraConfig = [ aten.apache.vhostConf ]; | 54 | extraConfig = [ |
55 | '' | ||
56 | <FilesMatch "\.php$"> | ||
57 | SetHandler "proxy:unix:${pcfg.phpListenPaths.aten_prod}|fcgi://localhost" | ||
58 | </FilesMatch> | ||
59 | |||
60 | Include ${config.secrets.fullPaths."webapps/${app.environment}-aten"} | ||
61 | |||
62 | Use Stats aten.pro | ||
63 | |||
64 | <Location /backend> | ||
65 | Use LDAPConnect | ||
66 | Require ldap-group cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu | ||
67 | ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>" | ||
68 | </Location> | ||
69 | |||
70 | <Directory ${pcfg.webappDirs.aten_prod}> | ||
71 | Options Indexes FollowSymLinks MultiViews Includes | ||
72 | AllowOverride All | ||
73 | Require all granted | ||
74 | DirectoryIndex index.php | ||
75 | FallbackResource /index.php | ||
76 | </Directory> | ||
77 | '' | ||
78 | ]; | ||
31 | }; | 79 | }; |
32 | services.websites.env.production.watchPaths = [ | ||
33 | "/var/secrets/webapps/${aten.app.environment}-aten" | ||
34 | ]; | ||
35 | }; | 80 | }; |
36 | } | 81 | } |