Diffstat (limited to 'nixops/modules/websites/tools/mediagoblin.nix')
-rw-r--r-- | nixops/modules/websites/tools/mediagoblin.nix | 251 |
1 files changed, 251 insertions, 0 deletions
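--- /dev/null
+++ b/nixops/modules/websites/tools/mediagoblin.nix
@@ -0,0 +1,251 @@
+{ lib, pkgs, config, myconfig, mylibs, ... }:
+let
+env = myconfig.env.tools.mediagoblin;
+socketsDir = "/run/mediagoblin";
+varDir = "/var/lib/mediagoblin";
+cfg = config.services.myWebsites.tools.mediagoblin;
+mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin";
+paste_local = pkgs.writeText "paste_local.ini" ''
+[DEFAULT]
+debug = false
+
+[pipeline:main]
+pipeline = mediagoblin
+
+[app:mediagoblin]
+use = egg:mediagoblin#app
+config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini
+/mgoblin_static = ${pythonRoot}/mediagoblin/static
+
+[loggers]
+keys = root
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = INFO
+handlers = console
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-7.7s [%(name)s] %(message)s
+
+[filter:errors]
+use = egg:mediagoblin#errors
+debug = false
+
+[server:main]
+use = egg:waitress#main
+unix_socket = ${socketsDir}/mediagoblin.sock
+unix_socket_perms = 777
+url_scheme = https
+'';
+pythonRoot = pkgs.webapps.mediagoblin-with-plugins;
+in {
+options.services.myWebsites.tools.mediagoblin = {
+enable = lib.mkEnableOption "enable mediagoblin's website";
+};
+
+config = lib.mkIf cfg.enable {
+mySecrets.keys = [{
+dest = "webapps/tools-mediagoblin";
+user = "mediagoblin";
+group = "mediagoblin";
+permissions = "0400";
+text = ''
+[DEFAULT]
+data_basedir = "${varDir}"
+
+[mediagoblin]
+direct_remote_path = /mgoblin_static/
+email_sender_address = "mediagoblin@tools.immae.eu"
+
+#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
+sql_engine = ${env.psql_url}
+
+email_debug_mode = false
+allow_registration = false
+allow_reporting = true
+
+theme = airymodified
+
+user_privilege_scheme = "uploader,commenter,reporter"
+
+# We need to redefine them here since we override data_basedir
+# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
+workbench_path = %(data_basedir)s/media/workbench
+crypto_path = %(data_basedir)s/crypto
+theme_install_dir = %(data_basedir)s/themes/
+theme_linked_assets_dir = %(data_basedir)s/theme_static/
+plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
+
+[storage:queuestore]
+base_dir = %(data_basedir)s/media/queue
+
+[storage:publicstore]
+base_dir = %(data_basedir)s/media/public
+base_url = /mgoblin_media/
+
+[celery]
+CELERY_RESULT_DBURI = ${env.redis_url}
+BROKER_URL = ${env.redis_url}
+CELERYD_CONCURRENCY = 1
+
+[plugins]
+[[mediagoblin.plugins.geolocation]]
+[[mediagoblin.plugins.ldap]]
+[[[immae.eu]]]
+LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
+LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
+LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
+LDAP_BIND_PW = '${env.ldap.password}'
+LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
+EMAIL_SEARCH_FIELD = 'mail'
+[[mediagoblin.plugins.basicsearch]]
+[[mediagoblin.plugins.piwigo]]
+[[mediagoblin.plugins.processing_info]]
+[[mediagoblin.media_types.image]]
+[[mediagoblin.media_types.video]]
+'';
+}];
+
+ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
+ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
+
+users.users.mediagoblin = {
+name = "mediagoblin";
+uid = config.ids.uids.mediagoblin;
+group = "mediagoblin";
+description = "Mediagoblin user";
+home = varDir;
+useDefaultShell = true;
+extraGroups = [ "keys" ];
+};
+
+users.groups.mediagoblin.gid = config.ids.gids.mediagoblin;
+
+systemd.services.mediagoblin-web = {
+description = "Mediagoblin service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+wants = [ "postgresql.service" "redis.service" ];
+
+environment.SCRIPT_NAME = "/mediagoblin/";
+
+script = ''
+exec ./bin/paster serve \
+${paste_local} \
+--pid-file=${socketsDir}/mediagoblin.pid
+'';
+
+preStop = ''
+exec ./bin/paster serve \
+--pid-file=${socketsDir}/mediagoblin.pid \
+${paste_local} stop
+'';
+preStart = ''
+./bin/gmg -cf ${mediagoblin_init} dbupdate
+'';
+
+serviceConfig = {
+User = "mediagoblin";
+PrivateTmp = true;
+Restart = "always";
+TimeoutSec = 15;
+Type = "simple";
+WorkingDirectory = pythonRoot;
+PIDFile = "${socketsDir}/mediagoblin.pid";
+};
+
+unitConfig.RequiresMountsFor = varDir;
+};
+
+systemd.services.mediagoblin-celeryd = {
+description = "Mediagoblin service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" "mediagoblin-web.service" ];
+
+environment.MEDIAGOBLIN_CONFIG = "${pythonRoot}/mediagoblin_local.ini";
+environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
+
+script = ''
+exec ./bin/celery worker \
+--logfile=${varDir}/celery.log \
+--loglevel=INFO
+'';
+
+serviceConfig = {
+User = "mediagoblin";
+PrivateTmp = true;
+Restart = "always";
+TimeoutSec = 60;
+Type = "simple";
+WorkingDirectory = pythonRoot;
+PIDFile = "${socketsDir}/mediagoblin-celeryd.pid";
+};
+
+unitConfig.RequiresMountsFor = varDir;
+};
+
+system.activationScripts.mediagoblin = {
+deps = [ "users" ];
+text = ''
+install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir}
+install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir}
+if [ -d ${varDir}/plugin_static/ ]; then
+rm ${varDir}/plugin_static/coreplugin_basic_auth
+ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth
+fi
+'';
+};
+
+services.myWebsites.tools.modules = [
+"proxy" "proxy_http"
+];
+users.users.wwwrun.extraGroups = [ "mediagoblin" ];
+security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null;
+services.myWebsites.tools.vhostConfs.mgoblin = {
+certName = "eldiron";
+hosts = ["mgoblin.immae.eu" ];
+root = null;
+extraConfig = [ ''
+Alias /mgoblin_media ${varDir}/media/public
+<Directory ${varDir}/media/public>
+Options -Indexes +FollowSymLinks +MultiViews +Includes
+Require all granted
+</Directory>
+
+Alias /theme_static ${varDir}/theme_static
+<Directory ${varDir}/theme_static>
+Options -Indexes +FollowSymLinks +MultiViews +Includes
+Require all granted
+</Directory>
+
+Alias /plugin_static ${varDir}/plugin_static
+<Directory ${varDir}/plugin_static>
+Options -Indexes +FollowSymLinks +MultiViews +Includes
+Require all granted
+</Directory>
+
+ProxyPreserveHost on
+ProxyVia On
+ProxyRequests Off
+ProxyPass /mgoblin_media !
+ProxyPass /theme_static !
+ProxyPass /plugin_static !
+ProxyPassMatch ^/.well-known/acme-challenge !
+ProxyPass / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
+ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
+'' ];
+};
+};
+}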
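Review bot: `unix_socket_perms = 777` in the `[server:main]` section of `paste_local` makes the waitress socket world-writable, so any local account can talk to the application directly and bypass the Apache front end; since `wwwrun` is added to the `mediagoblin` group further down, `unix_socket_perms = 660` is enough for the proxy and keeps every other user out. The `<Directory ${varDir}/media/public>` block enables `+Includes` on what `[storage:publicstore]` declares as the user-upload store, and server-side-include processing is not needed to serve media, so that option (and `+MultiViews`) is safer dropped from the three static `<Directory>` blocks, or at least reduced to `+IncludesNOEXEC`. In the activation script, `rm ${varDir}/plugin_static/coreplugin_basic_auth` has no `-f`, so it reports an error on a host where the link has not been created yet; `rm -f` keeps the intended remove-then-relink sequence without the spurious failure. The celery worker's `MEDIAGOBLIN_CONFIG` points at `${pythonRoot}/mediagoblin_local.ini` while the web service reads `${mediagoblin_init}`, which looks like it leaves the worker without the `sql_engine`/`BROKER_URL` values written into the secret — worth confirming that file exists in the package, or pointing the variable at `mediagoblin_init` as well.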