1 files changed, 138 insertions, 33 deletions

diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix
index 36329d9..a02af38 100644
--- a/nixops/modules/websites/tools/mediagoblin/default.nix
+++ b/nixops/modules/websites/tools/mediagoblin/default.nix
@@ -1,18 +1,123 @@
 { lib, pkgs, config, myconfig, mylibs, ... }:
 let
-  mediagoblin = pkgs.callPackage ./mediagoblin.nix {
-    inherit (mylibs) fetchedGit fetchedGithub;
-    env = myconfig.env.tools.mediagoblin;
-  };
-
+  env = myconfig.env.tools.mediagoblin;
+  socketsDir = "/run/mediagoblin";
+  varDir = "/var/lib/mediagoblin";
   cfg = config.services.myWebsites.tools.mediagoblin;
+  mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin";
+  paste_local = pkgs.writeText "paste_local.ini" ''
+    [DEFAULT]
+    debug = false
+
+    [pipeline:main]
+    pipeline = mediagoblin
+
+    [app:mediagoblin]
+    use = egg:mediagoblin#app
+    config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini
+    /mgoblin_static = ${pythonRoot}/mediagoblin/static
+
+    [loggers]
+    keys = root
+
+    [handlers]
+    keys = console
+
+    [formatters]
+    keys = generic
+
+    [logger_root]
+    level = INFO
+    handlers = console
+
+    [handler_console]
+    class = StreamHandler
+    args = (sys.stderr,)
+    level = NOTSET
+    formatter = generic
+
+    [formatter_generic]
+    format = %(levelname)-7.7s [%(name)s] %(message)s
+
+    [filter:errors]
+    use = egg:mediagoblin#errors
+    debug = false
+
+    [server:main]
+    use = egg:waitress#main
+    unix_socket = ${socketsDir}/mediagoblin.sock
+    unix_socket_perms = 777
+    url_scheme = https
+    '';
+  pythonRoot = pkgs.webapps.mediagoblin-with-plugins;
 in {
   options.services.myWebsites.tools.mediagoblin = {
     enable = lib.mkEnableOption "enable mediagoblin's website";
   };
 
   config = lib.mkIf cfg.enable {
-    mySecrets.keys = mediagoblin.keys;
+    mySecrets.keys = [{
+      dest = "webapps/tools-mediagoblin";
+      user = "mediagoblin";
+      group = "mediagoblin";
+      permissions = "0400";
+      text = ''
+        [DEFAULT]
+        data_basedir = "${varDir}"
+
+        [mediagoblin]
+        direct_remote_path = /mgoblin_static/
+        email_sender_address = "mediagoblin@tools.immae.eu"
+
+        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
+        sql_engine = ${env.psql_url}
+
+        email_debug_mode = false
+        allow_registration = false
+        allow_reporting = true
+
+        theme = airymodified
+
+        user_privilege_scheme = "uploader,commenter,reporter"
+
+        # We need to redefine them here since we override data_basedir
+        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
+        workbench_path = %(data_basedir)s/media/workbench
+        crypto_path = %(data_basedir)s/crypto
+        theme_install_dir = %(data_basedir)s/themes/
+        theme_linked_assets_dir = %(data_basedir)s/theme_static/
+        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
+
+        [storage:queuestore]
+        base_dir = %(data_basedir)s/media/queue
+
+        [storage:publicstore]
+        base_dir = %(data_basedir)s/media/public
+        base_url = /mgoblin_media/
+
+        [celery]
+        CELERY_RESULT_DBURI = ${env.redis_url}
+        BROKER_URL = ${env.redis_url}
+        CELERYD_CONCURRENCY = 1
+
+        [plugins]
+          [[mediagoblin.plugins.geolocation]]
+          [[mediagoblin.plugins.ldap]]
+            [[[immae.eu]]]
+              LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
+              LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
+              LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
+              LDAP_BIND_PW = '${env.ldap.password}'
+              LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
+              EMAIL_SEARCH_FIELD = 'mail'
+          [[mediagoblin.plugins.basicsearch]]
+          [[mediagoblin.plugins.piwigo]]
+          [[mediagoblin.plugins.processing_info]]
+          [[mediagoblin.media_types.image]]
+          [[mediagoblin.media_types.video]]
+        '';
+    }];
+
     ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid;
     ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid;
 
@@ -21,7 +126,7 @@ in {
       uid = config.ids.uids.mediagoblin;
       group = "mediagoblin";
       description = "Mediagoblin user";
-      home = mediagoblin.varDir;
+      home = varDir;
       useDefaultShell = true;
       extraGroups = [ "keys" ];
     };
@@ -38,17 +143,17 @@ in {
 
       script = ''
         exec ./bin/paster serve \
-          ${mediagoblin.pythonRoot}/paste_local.ini \
-          --pid-file=${mediagoblin.socketsDir}/mediagoblin.pid
+          ${paste_local} \
+          --pid-file=${socketsDir}/mediagoblin.pid
       '';
 
       preStop = ''
         exec ./bin/paster serve \
-          --pid-file=${mediagoblin.socketsDir}/mediagoblin.pid \
-          ${mediagoblin.pythonRoot}/paste_local.ini stop
+          --pid-file=${socketsDir}/mediagoblin.pid \
+          ${paste_local} stop
         '';
       preStart = ''
-        ./bin/gmg dbupdate
+        ./bin/gmg -cf ${mediagoblin_init} dbupdate
       '';
 
       serviceConfig = {
@@ -57,11 +162,11 @@ in {
         Restart = "always";
         TimeoutSec = 15;
         Type = "simple";
-        WorkingDirectory = mediagoblin.pythonRoot;
-        PIDFile = "${mediagoblin.socketsDir}/mediagoblin.pid";
+        WorkingDirectory = pythonRoot;
+        PIDFile = "${socketsDir}/mediagoblin.pid";
       };
 
-      unitConfig.RequiresMountsFor = mediagoblin.varDir;
+      unitConfig.RequiresMountsFor = varDir;
     };
 
     systemd.services.mediagoblin-celeryd = {
@@ -69,12 +174,12 @@ in {
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" "mediagoblin-web.service" ];
 
-      environment.MEDIAGOBLIN_CONFIG = "${mediagoblin.pythonRoot}/mediagoblin_local.ini";
+      environment.MEDIAGOBLIN_CONFIG = "${pythonRoot}/mediagoblin_local.ini";
       environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
 
       script = ''
         exec ./bin/celery worker \
-          --logfile=${mediagoblin.varDir}/celery.log \
+          --logfile=${varDir}/celery.log \
           --loglevel=INFO
       '';
 
@@ -84,21 +189,21 @@ in {
         Restart = "always";
         TimeoutSec = 60;
         Type = "simple";
-        WorkingDirectory = mediagoblin.pythonRoot;
-        PIDFile = "${mediagoblin.socketsDir}/mediagoblin-celeryd.pid";
+        WorkingDirectory = pythonRoot;
+        PIDFile = "${socketsDir}/mediagoblin-celeryd.pid";
       };
 
-      unitConfig.RequiresMountsFor = mediagoblin.varDir;
+      unitConfig.RequiresMountsFor = varDir;
     };
 
     system.activationScripts.mediagoblin = {
       deps = [ "users" ];
       text = ''
-      install -m 0755 -o mediagoblin -g mediagoblin -d ${mediagoblin.socketsDir}
-      install -m 0755 -o mediagoblin -g mediagoblin -d ${mediagoblin.varDir}
-      if [ -d ${mediagoblin.varDir}/plugin_static/ ]; then
-        rm ${mediagoblin.varDir}/plugin_static/coreplugin_basic_auth
-        ln -sf ${mediagoblin.pythonRoot}/mediagoblin/plugins/basic_auth/static ${mediagoblin.varDir}/plugin_static/coreplugin_basic_auth
+      install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir}
+      install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir}
+      if [ -d ${varDir}/plugin_static/ ]; then
+        rm ${varDir}/plugin_static/coreplugin_basic_auth
+        ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth
       fi
       '';
     };
@@ -113,20 +218,20 @@ in {
       hosts       = ["mgoblin.immae.eu" ];
       root        = null;
       extraConfig = [ ''
-        Alias /mgoblin_media ${mediagoblin.varDir}/media/public
-        <Directory ${mediagoblin.varDir}/media/public>
+        Alias /mgoblin_media ${varDir}/media/public
+        <Directory ${varDir}/media/public>
           Options -Indexes +FollowSymLinks +MultiViews +Includes
           Require all granted
         </Directory>
 
-        Alias /theme_static ${mediagoblin.varDir}/theme_static
-        <Directory ${mediagoblin.varDir}/theme_static>
+        Alias /theme_static ${varDir}/theme_static
+        <Directory ${varDir}/theme_static>
           Options -Indexes +FollowSymLinks +MultiViews +Includes
           Require all granted
         </Directory>
 
-        Alias /plugin_static ${mediagoblin.varDir}/plugin_static
-        <Directory ${mediagoblin.varDir}/plugin_static>
+        Alias /plugin_static ${varDir}/plugin_static
+        <Directory ${varDir}/plugin_static>
           Options -Indexes +FollowSymLinks +MultiViews +Includes
           Require all granted
         </Directory>
@@ -138,8 +243,8 @@ in {
         ProxyPass /theme_static !
         ProxyPass /plugin_static !
         ProxyPassMatch ^/.well-known/acme-challenge !
-        ProxyPass / unix://${mediagoblin.socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
-        ProxyPassReverse / unix://${mediagoblin.socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
+        ProxyPass / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
+        ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/
       '' ];
     };
   };