Diffstat (limited to 'nixops/modules')
27 files changed, 1 insertions, 2904 deletions
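--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -180,9 +180,7 @@ in {
 '';
 };
 
-system.extraSystemBuilderCmds = ''
-ln -s ${./www} $out/webapps/_task
-'';
+myServices.websites.webappDirs._task = ./www;
 
 security.acme.certs."task" = config.services.myCertificates.certConfig // {
 inherit user group;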
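Review bot: The new `myServices.websites.webappDirs._task = ./www;` is undocumented at the point where the whole `./www` tree is handed to the web server, and if `webappDirs` is a path-typed option it is copied into the Nix store exactly as the removed `${./www}` interpolation was, so every file under it becomes world-readable in `/nix/store` and part of the system closure. A one-line caveat would help the next maintainer, e.g. `# ./www is published into the world-readable store; keep credentials and drafts out of it`. The `webappDirs` option is defined outside this hunk, so I cannot confirm from here that it exposes the directory read-only the way the old `$out/webapps/_task` symlink did; presumably it performs the same symlinking centrally. The enclosing module attribute set starts and ends outside the hunk.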
diff --git a/nixops/modules/websites/commons/adminer.nix b/nixops/modules/websites/commons/adminer.nix deleted file mode 100644 index e911347..0000000 --- a/nixops/modules/websites/commons/adminer.nix +++ /dev/null | |||
@@ -1,40 +0,0 @@ | |||
1 | { stdenv, fetchurl, webapps }: | ||
2 | rec { | ||
3 | webRoot = webapps.adminer; | ||
4 | phpFpm = rec { | ||
5 | socket = "/var/run/phpfpm/adminer.sock"; | ||
6 | pool = '' | ||
7 | listen = ${socket} | ||
8 | user = ${apache.user} | ||
9 | group = ${apache.group} | ||
10 | listen.owner = ${apache.user} | ||
11 | listen.group = ${apache.group} | ||
12 | pm = ondemand | ||
13 | pm.max_children = 5 | ||
14 | pm.process_idle_timeout = 60 | ||
15 | ;php_admin_flag[log_errors] = on | ||
16 | ; Needed to avoid clashes in browser cookies (same domain) | ||
17 | php_value[session.name] = AdminerPHPSESSID | ||
18 | php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer" | ||
19 | php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer" | ||
20 | php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer" | ||
21 | ''; | ||
22 | }; | ||
23 | apache = rec { | ||
24 | user = "wwwrun"; | ||
25 | group = "wwwrun"; | ||
26 | modules = [ "proxy_fcgi" ]; | ||
27 | webappName = "_adminer"; | ||
28 | root = "/run/current-system/webapps/${webappName}"; | ||
29 | vhostConf = '' | ||
30 | Alias /adminer ${root} | ||
31 | <Directory ${root}> | ||
32 | DirectoryIndex index.php | ||
33 | Require all granted | ||
34 | <FilesMatch "\.php$"> | ||
35 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
36 | </FilesMatch> | ||
37 | </Directory> | ||
38 | ''; | ||
39 | }; | ||
40 | } | ||
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix deleted file mode 100644 index 1948fe9..0000000 --- a/nixops/modules/websites/default.nix +++ /dev/null | |||
@@ -1,236 +0,0 @@ | |||
1 | { lib, pkgs, config, myconfig, ... }: | ||
2 | let | ||
3 | cfg = config.services.myWebsites; | ||
4 | www_root = "/run/current-system/webapps/_www"; | ||
5 | theme_root = "/run/current-system/webapps/_theme"; | ||
6 | apacheConfig = { | ||
7 | gzip = { | ||
8 | modules = [ "deflate" "filter" ]; | ||
9 | extraConfig = '' | ||
10 | AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript | ||
11 | ''; | ||
12 | }; | ||
13 | macros = { | ||
14 | modules = [ "macro" ]; | ||
15 | }; | ||
16 | stats = { | ||
17 | extraConfig = '' | ||
18 | <Macro Stats %{domain}> | ||
19 | Alias /webstats ${config.services.webstats.dataDir}/%{domain} | ||
20 | <Directory ${config.services.webstats.dataDir}/%{domain}> | ||
21 | DirectoryIndex index.html | ||
22 | AllowOverride None | ||
23 | Require all granted | ||
24 | </Directory> | ||
25 | <Location /webstats> | ||
26 | Use LDAPConnect | ||
27 | Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu | ||
28 | </Location> | ||
29 | </Macro> | ||
30 | ''; | ||
31 | }; | ||
32 | ldap = { | ||
33 | modules = [ "ldap" "authnz_ldap" ]; | ||
34 | extraConfig = '' | ||
35 | <IfModule ldap_module> | ||
36 | LDAPSharedCacheSize 500000 | ||
37 | LDAPCacheEntries 1024 | ||
38 | LDAPCacheTTL 600 | ||
39 | LDAPOpCacheEntries 1024 | ||
40 | LDAPOpCacheTTL 600 | ||
41 | </IfModule> | ||
42 | |||
43 | Include /var/secrets/apache-ldap | ||
44 | ''; | ||
45 | }; | ||
46 | global = { | ||
47 | extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig; | ||
48 | }; | ||
49 | apaxy = { | ||
50 | extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig; | ||
51 | }; | ||
52 | http2 = { | ||
53 | modules = [ "http2" ]; | ||
54 | extraConfig = '' | ||
55 | Protocols h2 http/1.1 | ||
56 | ''; | ||
57 | }; | ||
58 | customLog = { | ||
59 | extraConfig = '' | ||
60 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost | ||
61 | ''; | ||
62 | }; | ||
63 | }; | ||
64 | makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig); | ||
65 | makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig)); | ||
66 | in | ||
67 | { | ||
68 | imports = [ | ||
69 | ./tools/db.nix | ||
70 | ./tools/tools | ||
71 | ./tools/dav | ||
72 | ./tools/cloud.nix | ||
73 | ./tools/git | ||
74 | ./tools/mastodon.nix | ||
75 | ./tools/mediagoblin.nix | ||
76 | ./tools/diaspora.nix | ||
77 | ./tools/ether.nix | ||
78 | ./tools/peertube.nix | ||
79 | ]; | ||
80 | |||
81 | config = { | ||
82 | users.users.wwwrun.extraGroups = [ "keys" ]; | ||
83 | networking.firewall.allowedTCPPorts = [ 80 443 ]; | ||
84 | |||
85 | nixpkgs.overlays = [ (self: super: rec { | ||
86 | #openssl = self.openssl_1_1; | ||
87 | php = php72; | ||
88 | php72 = (super.php72.override { | ||
89 | mysql.connector-c = self.mariadb; | ||
90 | config.php.mysqlnd = false; | ||
91 | config.php.mysqli = false; | ||
92 | }).overrideAttrs(old: rec { | ||
93 | # Didn't manage to build with mysqli + mysql_config connector | ||
94 | configureFlags = old.configureFlags ++ [ | ||
95 | "--with-mysqli=shared,mysqlnd" | ||
96 | ]; | ||
97 | # preConfigure = (old.preConfigure or "") + '' | ||
98 | # export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server"; | ||
99 | # sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \ | ||
100 | # ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c | ||
101 | # ''; | ||
102 | }); | ||
103 | phpPackages = super.php72Packages.override { inherit php; }; | ||
104 | }) ]; | ||
105 | |||
106 | services.myWebsites.tools.databases.enable = true; | ||
107 | services.myWebsites.tools.tools.enable = true; | ||
108 | services.myWebsites.tools.dav.enable = true; | ||
109 | services.myWebsites.tools.cloud.enable = true; | ||
110 | services.myWebsites.tools.git.enable = true; | ||
111 | services.myWebsites.tools.mastodon.enable = true; | ||
112 | services.myWebsites.tools.mediagoblin.enable = true; | ||
113 | services.myWebsites.tools.diaspora.enable = true; | ||
114 | services.myWebsites.tools.etherpad-lite.enable = true; | ||
115 | services.myWebsites.tools.peertube.enable = true; | ||
116 | |||
117 | secrets.keys = [{ | ||
118 | dest = "apache-ldap"; | ||
119 | user = "wwwrun"; | ||
120 | group = "wwwrun"; | ||
121 | permissions = "0400"; | ||
122 | text = '' | ||
123 | <Macro LDAPConnect> | ||
124 | <IfModule authnz_ldap_module> | ||
125 | AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS | ||
126 | AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu | ||
127 | AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}" | ||
128 | AuthType Basic | ||
129 | AuthName "Authentification requise (Acces LDAP)" | ||
130 | AuthBasicProvider ldap | ||
131 | </IfModule> | ||
132 | </Macro> | ||
133 | ''; | ||
134 | }]; | ||
135 | |||
136 | system.activationScripts = { | ||
137 | httpd = '' | ||
138 | install -d -m 0755 ${config.security.acme.directory}/acme-challenge | ||
139 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions | ||
140 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer | ||
141 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer | ||
142 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt | ||
143 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical | ||
144 | install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin | ||
145 | ''; | ||
146 | }; | ||
147 | |||
148 | system.extraSystemBuilderCmds = let | ||
149 | adminer = pkgs.callPackage ./commons/adminer.nix {}; | ||
150 | in '' | ||
151 | mkdir -p $out/webapps | ||
152 | ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www | ||
153 | ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme | ||
154 | ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName} | ||
155 | ''; | ||
156 | |||
157 | services.phpfpm = { | ||
158 | phpPackage = pkgs.php; | ||
159 | phpOptions = '' | ||
160 | session.save_path = "/var/lib/php/sessions" | ||
161 | post_max_size = 20M | ||
162 | ; 15 days (seconds) | ||
163 | session.gc_maxlifetime = 1296000 | ||
164 | ; 30 days (minutes) | ||
165 | session.cache_expire = 43200 | ||
166 | ''; | ||
167 | extraConfig = '' | ||
168 | log_level = notice | ||
169 | ''; | ||
170 | }; | ||
171 | |||
172 | services.websites.production = { | ||
173 | enable = true; | ||
174 | adminAddr = "httpd@immae.eu"; | ||
175 | httpdName = "Prod"; | ||
176 | ips = | ||
177 | let ips = myconfig.env.servers.eldiron.ips.production; | ||
178 | in [ips.ip4] ++ (ips.ip6 or []); | ||
179 | modules = makeModules; | ||
180 | extraConfig = makeExtraConfig; | ||
181 | fallbackVhost = { | ||
182 | certName = "eldiron"; | ||
183 | hosts = ["eldiron.immae.eu" ]; | ||
184 | root = www_root; | ||
185 | extraConfig = [ "DirectoryIndex index.htm" ]; | ||
186 | }; | ||
187 | }; | ||
188 | |||
189 | services.websites.integration = { | ||
190 | enable = true; | ||
191 | adminAddr = "httpd@immae.eu"; | ||
192 | httpdName = "Inte"; | ||
193 | ips = | ||
194 | let ips = myconfig.env.servers.eldiron.ips.integration; | ||
195 | in [ips.ip4] ++ (ips.ip6 or []); | ||
196 | modules = makeModules; | ||
197 | extraConfig = makeExtraConfig; | ||
198 | fallbackVhost = { | ||
199 | certName = "eldiron"; | ||
200 | hosts = ["eldiron.immae.eu" ]; | ||
201 | root = www_root; | ||
202 | extraConfig = [ "DirectoryIndex index.htm" ]; | ||
203 | }; | ||
204 | }; | ||
205 | |||
206 | services.websites.tools = { | ||
207 | enable = true; | ||
208 | adminAddr = "httpd@immae.eu"; | ||
209 | httpdName = "Tools"; | ||
210 | ips = | ||
211 | let ips = myconfig.env.servers.eldiron.ips.main; | ||
212 | in [ips.ip4] ++ (ips.ip6 or []); | ||
213 | modules = makeModules; | ||
214 | extraConfig = makeExtraConfig ++ | ||
215 | [ '' | ||
216 | RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html | ||
217 | RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html | ||
218 | RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html | ||
219 | RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html | ||
220 | RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html | ||
221 | RedirectMatch ^/CGU$ https://www.immae.eu/CGU | ||
222 | '' | ||
223 | ]; | ||
224 | nosslVhost = { | ||
225 | enable = true; | ||
226 | host = "nossl.immae.eu"; | ||
227 | }; | ||
228 | fallbackVhost = { | ||
229 | certName = "eldiron"; | ||
230 | hosts = ["eldiron.immae.eu" ]; | ||
231 | root = www_root; | ||
232 | extraConfig = [ "DirectoryIndex index.htm" ]; | ||
233 | }; | ||
234 | }; | ||
235 | }; | ||
236 | } | ||
diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix deleted file mode 100644 index 5d2ca40..0000000 --- a/nixops/modules/websites/tools/cloud.nix +++ /dev/null | |||
@@ -1,188 +0,0 @@ | |||
1 | { lib, pkgs, config, myconfig, ... }: | ||
2 | let | ||
3 | nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps); | ||
4 | env = myconfig.env.tools.nextcloud; | ||
5 | varDir = "/var/lib/nextcloud"; | ||
6 | webappName = "tools_nextcloud"; | ||
7 | apacheRoot = "/run/current-system/webapps/${webappName}"; | ||
8 | cfg = config.services.myWebsites.tools.cloud; | ||
9 | phpFpm = rec { | ||
10 | basedir = builtins.concatStringsSep ":" ( | ||
11 | [ nextcloud varDir ] | ||
12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); | ||
13 | socket = "/var/run/phpfpm/nextcloud.sock"; | ||
14 | phpConfig = '' | ||
15 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | ||
16 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so | ||
17 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | ||
18 | ''; | ||
19 | pool = '' | ||
20 | user = wwwrun | ||
21 | group = wwwrun | ||
22 | listen.owner = wwwrun | ||
23 | listen.group = wwwrun | ||
24 | pm = ondemand | ||
25 | pm.max_children = 60 | ||
26 | pm.process_idle_timeout = 60 | ||
27 | |||
28 | php_admin_value[output_buffering] = 0 | ||
29 | php_admin_value[max_execution_time] = 1800 | ||
30 | php_admin_value[zend_extension] = "opcache" | ||
31 | ;already enabled by default? | ||
32 | ;php_value[opcache.enable] = 1 | ||
33 | php_value[opcache.enable_cli] = 1 | ||
34 | php_value[opcache.interned_strings_buffer] = 8 | ||
35 | php_value[opcache.max_accelerated_files] = 10000 | ||
36 | php_value[opcache.memory_consumption] = 128 | ||
37 | php_value[opcache.save_comments] = 1 | ||
38 | php_value[opcache.revalidate_freq] = 1 | ||
39 | php_admin_value[memory_limit] = 512M | ||
40 | |||
41 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" | ||
42 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | ||
43 | ''; | ||
44 | }; | ||
45 | in { | ||
46 | options.services.myWebsites.tools.cloud = { | ||
47 | enable = lib.mkEnableOption "enable cloud website"; | ||
48 | }; | ||
49 | |||
50 | config = lib.mkIf cfg.enable { | ||
51 | services.websites.tools.modules = [ "proxy_fcgi" ]; | ||
52 | |||
53 | services.websites.tools.vhostConfs.cloud = { | ||
54 | certName = "eldiron"; | ||
55 | addToCerts = true; | ||
56 | hosts = ["cloud.immae.eu" ]; | ||
57 | root = apacheRoot; | ||
58 | extraConfig = [ | ||
59 | '' | ||
60 | SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 | ||
61 | <Directory ${apacheRoot}> | ||
62 | AcceptPathInfo On | ||
63 | DirectoryIndex index.php | ||
64 | Options FollowSymlinks | ||
65 | Require all granted | ||
66 | AllowOverride all | ||
67 | |||
68 | <IfModule mod_headers.c> | ||
69 | Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" | ||
70 | </IfModule> | ||
71 | <FilesMatch "\.php$"> | ||
72 | CGIPassAuth on | ||
73 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
74 | </FilesMatch> | ||
75 | |||
76 | </Directory> | ||
77 | '' | ||
78 | ]; | ||
79 | }; | ||
80 | |||
81 | secrets.keys = [{ | ||
82 | dest = "webapps/tools-nextcloud"; | ||
83 | user = "wwwrun"; | ||
84 | group = "wwwrun"; | ||
85 | permissions = "0600"; | ||
86 | text = '' | ||
87 | <?php | ||
88 | $CONFIG = array ( | ||
89 | // FIXME: change this value when nextcloud starts getting slow | ||
90 | 'instanceid' => '${env.instance_id}1', | ||
91 | 'datadirectory' => '/var/lib/nextcloud/', | ||
92 | 'passwordsalt' => '${env.password_salt}', | ||
93 | 'debug' => false, | ||
94 | 'dbtype' => 'pgsql', | ||
95 | 'version' => '16.0.0.9', | ||
96 | 'dbname' => '${env.postgresql.database}', | ||
97 | 'dbhost' => '${env.postgresql.socket}', | ||
98 | 'dbtableprefix' => 'oc_', | ||
99 | 'dbuser' => '${env.postgresql.user}', | ||
100 | 'dbpassword' => '${env.postgresql.password}', | ||
101 | 'installed' => true, | ||
102 | 'maxZipInputSize' => 0, | ||
103 | 'allowZipDownload' => true, | ||
104 | 'forcessl' => true, | ||
105 | 'theme' => ${"''"}, | ||
106 | 'maintenance' => false, | ||
107 | 'trusted_domains' => | ||
108 | array ( | ||
109 | 0 => 'cloud.immae.eu', | ||
110 | ), | ||
111 | 'secret' => '${env.secret}', | ||
112 | 'appstoreenabled' => false, | ||
113 | 'appstore.experimental.enabled' => true, | ||
114 | 'loglevel' => 2, | ||
115 | 'trashbin_retention_obligation' => 'auto', | ||
116 | 'htaccess.RewriteBase' => '/', | ||
117 | 'mail_smtpmode' => 'sendmail', | ||
118 | 'mail_smtphost' => '127.0.0.1', | ||
119 | 'mail_smtpname' => ''', | ||
120 | 'mail_smtppassword' => ''', | ||
121 | 'mail_from_address' => 'nextcloud', | ||
122 | 'mail_smtpauth' => false, | ||
123 | 'mail_domain' => 'tools.immae.eu', | ||
124 | 'memcache.local' => '\\OC\\Memcache\\APCu', | ||
125 | 'memcache.locking' => '\\OC\\Memcache\\Redis', | ||
126 | 'filelocking.enabled' => true, | ||
127 | 'redis' => | ||
128 | array ( | ||
129 | 'host' => '${env.redis.socket}', | ||
130 | 'port' => 0, | ||
131 | 'dbindex' => ${env.redis.db_index}, | ||
132 | ), | ||
133 | 'overwrite.cli.url' => 'https://cloud.immae.eu', | ||
134 | 'ldapIgnoreNamingRules' => false, | ||
135 | 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', | ||
136 | 'has_rebuilt_cache' => true, | ||
137 | ); | ||
138 | ''; | ||
139 | }]; | ||
140 | users.users.root.packages = let | ||
141 | occ = pkgs.writeScriptBin "nextcloud-occ" '' | ||
142 | #! ${pkgs.stdenv.shell} | ||
143 | cd ${nextcloud} | ||
144 | NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \ | ||
145 | exec \ | ||
146 | sudo -u wwwrun ${pkgs.php}/bin/php \ | ||
147 | -c ${pkgs.php}/etc/php.ini \ | ||
148 | occ $* | ||
149 | ''; | ||
150 | in [ occ ]; | ||
151 | |||
152 | system.activationScripts.nextcloud = { | ||
153 | deps = [ "secrets" ]; | ||
154 | text = let | ||
155 | confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig; | ||
156 | in | ||
157 | '' | ||
158 | install -m 0755 -o wwwrun -g wwwrun -d ${varDir} | ||
159 | install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions | ||
160 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: | ||
161 | "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json" | ||
162 | ) confs)} | ||
163 | install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php | ||
164 | ''; | ||
165 | }; | ||
166 | # FIXME: add a warning when config.php changes | ||
167 | system.extraSystemBuilderCmds = '' | ||
168 | mkdir -p $out/webapps | ||
169 | ln -s ${nextcloud} $out/webapps/${webappName} | ||
170 | ''; | ||
171 | |||
172 | services.phpfpm.pools.nextcloud = { | ||
173 | listen = phpFpm.socket; | ||
174 | extraConfig = phpFpm.pool; | ||
175 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; | ||
176 | }; | ||
177 | |||
178 | services.cron = { | ||
179 | enable = true; | ||
180 | systemCronJobs = [ | ||
181 | '' | ||
182 | LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive | ||
183 | */15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php | ||
184 | '' | ||
185 | ]; | ||
186 | }; | ||
187 | }; | ||
188 | } | ||
diff --git a/nixops/modules/websites/tools/dav/davical.nix b/nixops/modules/websites/tools/dav/davical.nix deleted file mode 100644 index 634359d..0000000 --- a/nixops/modules/websites/tools/dav/davical.nix +++ /dev/null | |||
@@ -1,133 +0,0 @@ | |||
1 | { stdenv, fetchurl, gettext, writeText, env, awl, davical }: | ||
2 | rec { | ||
3 | keys = [{ | ||
4 | dest = "webapps/dav-davical"; | ||
5 | user = apache.user; | ||
6 | group = apache.group; | ||
7 | permissions = "0400"; | ||
8 | text = '' | ||
9 | <?php | ||
10 | $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}"; | ||
11 | |||
12 | $c->readonly_webdav_collections = false; | ||
13 | |||
14 | $c->admin_email ='davical@tools.immae.eu'; | ||
15 | |||
16 | $c->restrict_setup_to_admin = true; | ||
17 | |||
18 | $c->collections_always_exist = false; | ||
19 | |||
20 | $c->external_refresh = 60; | ||
21 | |||
22 | $c->enable_scheduling = true; | ||
23 | |||
24 | $c->iMIP = (object) array("send_email" => true); | ||
25 | |||
26 | $c->authenticate_hook['optional'] = false; | ||
27 | $c->authenticate_hook['call'] = 'LDAP_check'; | ||
28 | $c->authenticate_hook['config'] = array( | ||
29 | 'host' => 'ldap.immae.eu', | ||
30 | 'port' => '389', | ||
31 | 'startTLS' => 'yes', | ||
32 | 'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu', | ||
33 | 'passDN'=> '${env.ldap.password}', | ||
34 | 'protocolVersion' => '3', | ||
35 | 'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'), | ||
36 | 'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu', | ||
37 | 'baseDNGroups' => 'ou=groups,dc=immae,dc=eu', | ||
38 | 'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu', | ||
39 | 'mapping_field' => array( | ||
40 | "username" => "uid", | ||
41 | "fullname" => "cn", | ||
42 | "email" => "mail", | ||
43 | "modified" => "modifyTimestamp", | ||
44 | ), | ||
45 | 'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)), | ||
46 | /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/ | ||
47 | // 'default_value' => array("date_format_type" => "E","locale" => "fr_FR"), | ||
48 | 'group_mapping_field' => array( | ||
49 | "username" => "cn", | ||
50 | "updated" => "modifyTimestamp", | ||
51 | "fullname" => "givenName", | ||
52 | "displayname" => "givenName", | ||
53 | "members" => "memberUid", | ||
54 | "email" => "mail", | ||
55 | ), | ||
56 | ); | ||
57 | |||
58 | $c->do_not_sync_from_ldap = array('admin' => true); | ||
59 | include('drivers_ldap.php'); | ||
60 | ''; | ||
61 | }]; | ||
62 | webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; }; | ||
63 | webRoot = "${webapp}/htdocs"; | ||
64 | apache = rec { | ||
65 | user = "wwwrun"; | ||
66 | group = "wwwrun"; | ||
67 | modules = [ "proxy_fcgi" ]; | ||
68 | webappName = "tools_davical"; | ||
69 | root = "/run/current-system/webapps/${webappName}"; | ||
70 | vhostConf = '' | ||
71 | Alias /davical "${root}" | ||
72 | Alias /caldav.php "${root}/caldav.php" | ||
73 | <Directory "${root}"> | ||
74 | DirectoryIndex index.php index.html | ||
75 | AcceptPathInfo On | ||
76 | AllowOverride None | ||
77 | Require all granted | ||
78 | |||
79 | <FilesMatch "\.php$"> | ||
80 | CGIPassAuth on | ||
81 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
82 | </FilesMatch> | ||
83 | |||
84 | RewriteEngine On | ||
85 | <IfModule mod_headers.c> | ||
86 | Header unset Access-Control-Allow-Origin | ||
87 | Header unset Access-Control-Allow-Methods | ||
88 | Header unset Access-Control-Allow-Headers | ||
89 | Header unset Access-Control-Allow-Credentials | ||
90 | Header unset Access-Control-Expose-Headers | ||
91 | |||
92 | Header always set Access-Control-Allow-Origin "*" | ||
93 | Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK" | ||
94 | Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With" | ||
95 | Header always set Access-Control-Allow-Credentials false | ||
96 | Header always set Access-Control-Expose-Headers "Etag,Preference-Applied" | ||
97 | |||
98 | RewriteCond %{HTTP:Access-Control-Request-Method} !^$ | ||
99 | RewriteCond %{REQUEST_METHOD} OPTIONS | ||
100 | RewriteRule ^(.*)$ $1 [R=200,L] | ||
101 | </IfModule> | ||
102 | </Directory> | ||
103 | ''; | ||
104 | }; | ||
105 | phpFpm = rec { | ||
106 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | ||
107 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; | ||
108 | socket = "/var/run/phpfpm/davical.sock"; | ||
109 | pool = '' | ||
110 | listen = ${socket} | ||
111 | user = ${apache.user} | ||
112 | group = ${apache.group} | ||
113 | listen.owner = ${apache.user} | ||
114 | listen.group = ${apache.group} | ||
115 | pm = dynamic | ||
116 | pm.max_children = 60 | ||
117 | pm.start_servers = 2 | ||
118 | pm.min_spare_servers = 1 | ||
119 | pm.max_spare_servers = 10 | ||
120 | |||
121 | ; Needed to avoid clashes in browser cookies (same domain) | ||
122 | php_value[session.name] = DavicalPHPSESSID | ||
123 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical" | ||
124 | php_admin_value[include_path] = "${awl}/inc:${webapp}/inc" | ||
125 | php_admin_value[session.save_path] = "/var/lib/php/sessions/davical" | ||
126 | php_flag[magic_quotes_gpc] = Off | ||
127 | php_flag[register_globals] = Off | ||
128 | php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE" | ||
129 | php_admin_value[default_charset] = "utf-8" | ||
130 | php_flag[magic_quotes_runtime] = Off | ||
131 | ''; | ||
132 | }; | ||
133 | } | ||
diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix deleted file mode 100644 index 78e0ba3..0000000 --- a/nixops/modules/websites/tools/dav/default.nix +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | { lib, pkgs, config, myconfig, ... }: | ||
2 | let | ||
3 | infcloud = rec { | ||
4 | webappName = "tools_infcloud"; | ||
5 | root = "/run/current-system/webapps/${webappName}"; | ||
6 | vhostConf = '' | ||
7 | Alias /carddavmate ${root} | ||
8 | Alias /caldavzap ${root} | ||
9 | Alias /infcloud ${root} | ||
10 | <Directory ${root}> | ||
11 | AllowOverride All | ||
12 | Options FollowSymlinks | ||
13 | Require all granted | ||
14 | DirectoryIndex index.html | ||
15 | </Directory> | ||
16 | ''; | ||
17 | }; | ||
18 | davical = pkgs.callPackage ./davical.nix { | ||
19 | env = myconfig.env.tools.davical; | ||
20 | inherit (pkgs.webapps) davical awl; | ||
21 | }; | ||
22 | |||
23 | cfg = config.services.myWebsites.tools.dav; | ||
24 | in { | ||
25 | options.services.myWebsites.tools.dav = { | ||
26 | enable = lib.mkEnableOption "enable dav website"; | ||
27 | }; | ||
28 | |||
29 | config = lib.mkIf cfg.enable { | ||
30 | secrets.keys = davical.keys; | ||
31 | services.websites.tools.modules = davical.apache.modules; | ||
32 | |||
33 | services.websites.tools.vhostConfs.dav = { | ||
34 | certName = "eldiron"; | ||
35 | addToCerts = true; | ||
36 | hosts = ["dav.immae.eu" ]; | ||
37 | root = null; | ||
38 | extraConfig = [ | ||
39 | infcloud.vhostConf | ||
40 | davical.apache.vhostConf | ||
41 | ]; | ||
42 | }; | ||
43 | |||
44 | services.phpfpm.poolConfigs = { | ||
45 | davical = davical.phpFpm.pool; | ||
46 | }; | ||
47 | |||
48 | system.extraSystemBuilderCmds = '' | ||
49 | mkdir -p $out/webapps | ||
50 | ln -s ${davical.webRoot} $out/webapps/${davical.apache.webappName} | ||
51 | ln -s ${pkgs.webapps.infcloud} $out/webapps/${infcloud.webappName} | ||
52 | ''; | ||
53 | }; | ||
54 | } | ||
55 | |||
diff --git a/nixops/modules/websites/tools/db.nix b/nixops/modules/websites/tools/db.nix deleted file mode 100644 index 7c15c23..0000000 --- a/nixops/modules/websites/tools/db.nix +++ /dev/null | |||
@@ -1,21 +0,0 @@ | |||
1 | { lib, pkgs, config, ... }: | ||
2 | let | ||
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | ||
4 | |||
5 | cfg = config.services.myWebsites.tools.databases; | ||
6 | in { | ||
7 | options.services.myWebsites.tools.databases = { | ||
8 | enable = lib.mkEnableOption "enable database's website"; | ||
9 | }; | ||
10 | |||
11 | config = lib.mkIf cfg.enable { | ||
12 | services.websites.tools.modules = adminer.apache.modules; | ||
13 | services.websites.tools.vhostConfs.db-1 = { | ||
14 | certName = "eldiron"; | ||
15 | addToCerts = true; | ||
16 | hosts = ["db-1.immae.eu" ]; | ||
17 | root = null; | ||
18 | extraConfig = [ adminer.apache.vhostConf ]; | ||
19 | }; | ||
20 | }; | ||
21 | } | ||
diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix deleted file mode 100644 index ee5507d..0000000 --- a/nixops/modules/websites/tools/diaspora.nix +++ /dev/null | |||
@@ -1,181 +0,0 @@ | |||
1 | { lib, pkgs, config, myconfig, ... }: | ||
2 | let | ||
3 | env = myconfig.env.tools.diaspora; | ||
4 | root = "/run/current-system/webapps/tools_diaspora"; | ||
5 | cfg = config.services.myWebsites.tools.diaspora; | ||
6 | dcfg = config.services.diaspora; | ||
7 | in { | ||
8 | options.services.myWebsites.tools.diaspora = { | ||
9 | enable = lib.mkEnableOption "enable diaspora's website"; | ||
10 | }; | ||
11 | |||
12 | config = lib.mkIf cfg.enable { | ||
13 | users.users.diaspora.extraGroups = [ "keys" ]; | ||
14 | |||
15 | secrets.keys = [ | ||
16 | { | ||
17 | dest = "webapps/diaspora/diaspora.yml"; | ||
18 | user = "diaspora"; | ||
19 | group = "diaspora"; | ||
20 | permissions = "0400"; | ||
21 | text = '' | ||
22 | configuration: | ||
23 | environment: | ||
24 | url: "https://diaspora.immae.eu/" | ||
25 | certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt' | ||
26 | redis: '${env.redis_url}' | ||
27 | sidekiq: | ||
28 | s3: | ||
29 | assets: | ||
30 | logging: | ||
31 | logrotate: | ||
32 | debug: | ||
33 | server: | ||
34 | listen: '${dcfg.sockets.rails}' | ||
35 | rails_environment: 'production' | ||
36 | chat: | ||
37 | server: | ||
38 | bosh: | ||
39 | log: | ||
40 | map: | ||
41 | mapbox: | ||
42 | privacy: | ||
43 | piwik: | ||
44 | statistics: | ||
45 | camo: | ||
46 | settings: | ||
47 | enable_registrations: false | ||
48 | welcome_message: | ||
49 | invitations: | ||
50 | open: false | ||
51 | paypal_donations: | ||
52 | community_spotlight: | ||
53 | captcha: | ||
54 | enable: false | ||
55 | terms: | ||
56 | maintenance: | ||
57 | remove_old_users: | ||
58 | default_metas: | ||
59 | csp: | ||
60 | services: | ||
61 | twitter: | ||
62 | tumblr: | ||
63 | wordpress: | ||
64 | mail: | ||
65 | enable: true | ||
66 | sender_address: 'diaspora@tools.immae.eu' | ||
67 | method: 'sendmail' | ||
68 | smtp: | ||
69 | sendmail: | ||
70 | location: '/run/wrappers/bin/sendmail' | ||
71 | admins: | ||
72 | account: "ismael" | ||
73 | podmin_email: 'diaspora@tools.immae.eu' | ||
74 | relay: | ||
75 | outbound: | ||
76 | inbound: | ||
77 | ldap: | ||
78 | enable: true | ||
79 | host: ldap.immae.eu | ||
80 | port: 636 | ||
81 | only_ldap: true | ||
82 | mail_attribute: mail | ||
83 | skip_email_confirmation: true | ||
84 | use_bind_dn: true | ||
85 | bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu" | ||
86 | bind_pw: "${env.ldap.password}" | ||
87 | search_base: "dc=immae,dc=eu" | ||
88 | search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))" | ||
89 | production: | ||
90 | environment: | ||
91 | development: | ||
92 | environment: | ||
93 | ''; | ||
94 | } | ||
95 | { | ||
96 | dest = "webapps/diaspora/database.yml"; | ||
97 | user = "diaspora"; | ||
98 | group = "diaspora"; | ||
99 | permissions = "0400"; | ||
100 | text = '' | ||
101 | postgresql: &postgresql | ||
102 | adapter: postgresql | ||
103 | host: "${env.postgresql.socket}" | ||
104 | port: "${env.postgresql.port}" | ||
105 | username: "${env.postgresql.user}" | ||
106 | password: "${env.postgresql.password}" | ||
107 | encoding: unicode | ||
108 | common: &common | ||
109 | <<: *postgresql | ||
110 | combined: &combined | ||
111 | <<: *common | ||
112 | development: | ||
113 | <<: *combined | ||
114 | database: diaspora_development | ||
115 | production: | ||
116 | <<: *combined | ||
117 | database: ${env.postgresql.database} | ||
118 | test: | ||
119 | <<: *combined | ||
120 | database: "diaspora_test" | ||
121 | integration1: | ||
122 | <<: *combined | ||
123 | database: diaspora_integration1 | ||
124 | integration2: | ||
125 | <<: *combined | ||
126 | database: diaspora_integration2 | ||
127 | ''; | ||
128 | } | ||
129 | { | ||
130 | dest = "webapps/diaspora/secret_token.rb"; | ||
131 | user = "diaspora"; | ||
132 | group = "diaspora"; | ||
133 | permissions = "0400"; | ||
134 | text = '' | ||
135 | Diaspora::Application.config.secret_key_base = '${env.secret_token}' | ||
136 | ''; | ||
137 | } | ||
138 | ]; | ||
139 | |||
140 | services.diaspora = { | ||
141 | enable = true; | ||
142 | package = pkgs.webapps.diaspora.override { ldap = true; }; | ||
143 | dataDir = "/var/lib/diaspora_immae"; | ||
144 | adminEmail = "diaspora@tools.immae.eu"; | ||
145 | configDir = "/var/secrets/webapps/diaspora"; | ||
146 | }; | ||
147 | |||
148 | services.websites.tools.modules = [ | ||
149 | "headers" "proxy" "proxy_http" | ||
150 | ]; | ||
151 | system.extraSystemBuilderCmds = '' | ||
152 | mkdir -p $out/webapps | ||
153 | ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora | ||
154 | ''; | ||
155 | services.websites.tools.vhostConfs.diaspora = { | ||
156 | certName = "eldiron"; | ||
157 | addToCerts = true; | ||
158 | hosts = [ "diaspora.immae.eu" ]; | ||
159 | root = root; | ||
160 | extraConfig = [ '' | ||
161 | RewriteEngine On | ||
162 | RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f | ||
163 | RewriteRule ^/(.*)$ unix://${dcfg.sockets.rails}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L] | ||
164 | |||
165 | ProxyRequests Off | ||
166 | ProxyVia On | ||
167 | ProxyPreserveHost On | ||
168 | RequestHeader set X_FORWARDED_PROTO https | ||
169 | |||
170 | <Proxy *> | ||
171 | Require all granted | ||
172 | </Proxy> | ||
173 | |||
174 | <Directory ${root}> | ||
175 | Require all granted | ||
176 | Options -MultiViews | ||
177 | </Directory> | ||
178 | '' ]; | ||
179 | }; | ||
180 | }; | ||
181 | } | ||
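--- a/nixops/modules/websites/tools/ether.nix
+++ /dev/null
@@ -1,175 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-env = myconfig.env.tools.etherpad-lite;
-cfg = config.services.myWebsites.tools.etherpad-lite;
-# Make sure we’re not rebuilding whole libreoffice just because of a
-# dependency
-libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
-ecfg = config.services.etherpad-lite;
-in {
-options.services.myWebsites.tools.etherpad-lite = {
-enable = lib.mkEnableOption "enable etherpad's website";
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = [
-{
-dest = "webapps/tools-etherpad-apikey";
-permissions = "0400";
-text = env.api_key;
-}
-{
-dest = "webapps/tools-etherpad-sessionkey";
-permissions = "0400";
-text = env.session_key;
-}
-{
-dest = "webapps/tools-etherpad";
-permissions = "0400";
-text = ''
-{
-"title": "Etherpad",
-"favicon": "favicon.ico",
-
-"ip": "",
-"port" : "${ecfg.sockets.node}",
-"showSettingsInAdminPage" : false,
-"dbType" : "postgres",
-"dbSettings" : {
-"user" : "${env.postgresql.user}",
-"host" : "${env.postgresql.socket}",
-"password": "${env.postgresql.password}",
-"database": "${env.postgresql.database}",
-"charset" : "utf8mb4"
-},
-
-"defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
-"padOptions": {
-"noColors": false,
-"showControls": true,
-"showChat": true,
-"showLineNumbers": true,
-"useMonospaceFont": false,
-"userName": false,
-"userColor": false,
-"rtl": false,
-"alwaysShowChat": false,
-"chatAndUsers": false,
-"lang": "en-gb"
-},
-
-"suppressErrorsInPadText" : false,
-"requireSession" : false,
-"editOnly" : false,
-"sessionNoPassword" : false,
-"minify" : true,
-"maxAge" : 21600,
-"abiword" : null,
-"soffice" : "${libreoffice}/bin/soffice",
-"tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
-"allowUnknownFileEnds" : true,
-"requireAuthentication" : false,
-"requireAuthorization" : false,
-"trustProxy" : false,
-"disableIPlogging" : false,
-"automaticReconnectionTimeout" : 0,
-"scrollWhenFocusLineIsOutOfViewport": {
-"percentage": {
-"editionAboveViewport": 0,
-"editionBelowViewport": 0
-},
-"duration": 0,
-"scrollWhenCaretIsInTheLastLineOfViewport": false,
-"percentageToScrollWhenUserPressesArrowUp": 0
-},
-"users": {
-"ldapauth": {
-"url": "ldaps://${env.ldap.host}",
-"accountBase": "${env.ldap.base}",
-"accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
-"displayNameAttribute": "cn",
-"searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
-"searchPWD": "${env.ldap.password}",
-"groupSearchBase": "${env.ldap.base}",
-"groupAttribute": "member",
-"groupAttributeIsDN": true,
-"searchScope": "sub",
-"groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
-"anonymousReadonly": false
-}
-},
-"socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
-"loadTest": false,
-"indentationOnNewLine": false,
-"toolbar": {
-"left": [
-["bold", "italic", "underline", "strikethrough"],
-["orderedlist", "unorderedlist", "indent", "outdent"],
-["undo", "redo"],
-["clearauthorship"]
-],
-"right": [
-["importexport", "timeslider", "savedrevision"],
-["settings", "embed"],
-["showusers"]
-],
-"timeslider": [
-["timeslider_export", "timeslider_returnToPad"]
-]
-},
-"loglevel": "INFO",
-"logconfig" : { "appenders": [ { "type": "console" } ] }
-}
-'';
-}
-];
-services.etherpad-lite = {
-enable = true;
-modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
-sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
-apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
-configFile = "/var/secrets/webapps/tools-etherpad";
-};
-
-systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
-
-services.websites.tools.modules = [
-"headers" "proxy" "proxy_http" "proxy_wstunnel"
-];
-services.websites.tools.vhostConfs.etherpad-lite = {
-certName = "eldiron";
-addToCerts = true;
-hosts = [ "ether.immae.eu" ];
-root = null;
-extraConfig = [ ''
-Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
-RequestHeader set X-Forwarded-Proto "https"
-
-RewriteEngine On
-
-RewriteMap redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
-RewriteCond %{QUERY_STRING} "!noredirect"
-RewriteCond %{REQUEST_URI} "^(.*)$"
-RewriteCond ''${redirects:$1|Unknown} "!Unknown"
-RewriteRule "^(.*)$" ''${redirects:$1} [L,NE,R=301,QSD]
-
-RewriteCond %{REQUEST_URI} ^/socket.io [NC]
-RewriteCond %{QUERY_STRING} transport=websocket [NC]
-RewriteRule /(.*) unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
-
-<IfModule mod_proxy.c>
-ProxyVia On
-ProxyRequests Off
-ProxyPreserveHost On
-ProxyPass / unix://${ecfg.sockets.node}|http://ether.immae.eu/
-ProxyPassReverse / unix://${ecfg.sockets.node}|http://ether.immae.eu/
-<Proxy *>
-Options FollowSymLinks MultiViews
-AllowOverride None
-Require all granted
-</Proxy>
-</IfModule>
-'' ];
-};
-};
-}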
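--- a/nixops/modules/websites/tools/git/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-mantisbt = pkgs.callPackage ./mantisbt.nix {
-inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
-env = myconfig.env.tools.mantisbt;
-};
-gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
-
-cfg = config.services.myWebsites.tools.git;
-in {
-options.services.myWebsites.tools.git = {
-enable = lib.mkEnableOption "enable git's website";
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = mantisbt.keys;
-services.websites.tools.modules =
-gitweb.apache.modules ++
-mantisbt.apache.modules;
-system.extraSystemBuilderCmds = ''
-mkdir -p $out/webapps
-ln -s ${gitweb.webRoot} $out/webapps/${gitweb.apache.webappName}
-ln -s ${mantisbt.webRoot} $out/webapps/${mantisbt.apache.webappName}
-'';
-
-services.websites.tools.vhostConfs.git = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["git.immae.eu" ];
-root = gitweb.apache.root;
-extraConfig = [
-gitweb.apache.vhostConf
-mantisbt.apache.vhostConf
-''
-RewriteEngine on
-RewriteCond %{REQUEST_URI} ^/releases
-RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
-''
-];
-};
-services.phpfpm.poolConfigs = {
-mantisbt = mantisbt.phpFpm.pool;
-};
-};
-}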
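--- a/nixops/modules/websites/tools/git/gitweb.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ gitweb, writeText, gitolite, git, gitoliteDir, highlight }:
-rec {
-varDir = gitoliteDir;
-webRoot = gitweb;
-config = writeText "gitweb.conf" ''
-$git_temp = "/tmp";
-
-# The directories where your projects are. Must not end with a
-# slash.
-$projectroot = "${varDir}/repositories";
-
-$projects_list = "${varDir}/projects.list";
-$strict_export = "true";
-
-# Base URLs for links displayed in the web interface.
-our @git_base_url_list = qw(ssh://gitolite@git.immae.eu https://git.immae.eu);
-
-$feature{'blame'}{'default'} = [1];
-$feature{'avatar'}{'default'} = ['gravatar'];
-$feature{'highlight'}{'default'} = [1];
-
-@stylesheets = ("gitweb-theme/gitweb.css");
-$logo = "gitweb-theme/git-logo.png";
-$favicon = "gitweb-theme/git-favicon.png";
-$javascript = "gitweb-theme/gitweb.js";
-$logo_url = "https://git.immae.eu/";
-$projects_list_group_categories = "true";
-$projects_list_description_width = 60;
-$project_list_default_category = "__Others__";
-$highlight_bin = "${highlight}/bin/highlight";
-'';
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "cgid" ];
-webappName = "tools_gitweb";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-SetEnv GIT_PROJECT_ROOT ${varDir}/repositories/
-ScriptAliasMatch \
-"(?x)^/(.*/(HEAD | \
-info/refs | \
-objects/(info/[^/]+ | \
-[0-9a-f]{2}/[0-9a-f]{38} | \
-pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
-git-(upload|receive)-pack))$" \
-${git}/libexec/git-core/git-http-backend/$1
-
-<Directory "${git}/libexec/git-core">
-Require all granted
-</Directory>
-<Directory "${root}">
-DirectoryIndex gitweb.cgi
-Require all granted
-AllowOverride None
-Options ExecCGI FollowSymLinks
-<Files gitweb.cgi>
-SetHandler cgi-script
-SetEnv GITWEB_CONFIG "${config}"
-</Files>
-</Directory>
-'';
-};
-}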
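--- a/nixops/modules/websites/tools/git/mantisbt.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ env, mantisbt_2, mantisbt_2-plugins }:
-rec {
-keys = [{
-dest = "webapps/tools-mantisbt";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-$g_hostname = '${env.postgresql.socket}';
-$g_db_username = '${env.postgresql.user}';
-$g_db_password = '${env.postgresql.password}';
-$g_database_name = '${env.postgresql.database}';
-$g_db_type = 'pgsql';
-$g_crypto_master_salt = '${env.master_salt}';
-$g_allow_signup = OFF;
-$g_allow_anonymous_login = ON;
-$g_anonymous_account = 'anonymous';
-
-$g_phpMailer_method = PHPMAILER_METHOD_SENDMAIL;
-$g_smtp_host = 'localhost';
-$g_smtp_username = ''';
-$g_smtp_password = ''';
-$g_webmaster_email = 'mantisbt@tools.immae.eu';
-$g_from_email = 'mantisbt@tools.immae.eu';
-$g_return_path_email = 'mantisbt@tools.immae.eu';
-$g_from_name = 'Mantis Bug Tracker at git.immae.eu';
-$g_email_receive_own = OFF;
-# --- LDAP ---
-$g_login_method = LDAP;
-$g_ldap_protocol_version = 3;
-$g_ldap_server = 'ldaps://ldap.immae.eu:636';
-$g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
-$g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
-$g_ldap_bind_passwd = '${env.ldap.password}';
-$g_use_ldap_email = ON;
-$g_use_ldap_realname = ON;
-$g_ldap_uid_field = 'uid';
-$g_ldap_realname_field = 'cn';
-$g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
-'';
-}];
-webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (builtins.attrValues mantisbt_2-plugins);
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_mantisbt";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /mantisbt "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-AllowOverride All
-Options FollowSymlinks
-Require all granted
-</Directory>
-<Directory "${root}/admin">
-#Reenable during upgrade
-Require all denied
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-mantisbt" ]
-++ webRoot.plugins);
-socket = "/var/run/phpfpm/mantisbt.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-php_admin_value[upload_max_filesize] = 5000000
-
-php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"
-php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt"
-'';
-};
-}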
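--- a/nixops/modules/websites/tools/mastodon.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-env = myconfig.env.tools.mastodon;
-root = "/run/current-system/webapps/tools_mastodon";
-cfg = config.services.myWebsites.tools.mastodon;
-mcfg = config.services.mastodon;
-in {
-options.services.myWebsites.tools.mastodon = {
-enable = lib.mkEnableOption "enable mastodon's website";
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = [{
-dest = "webapps/tools-mastodon";
-user = "mastodon";
-group = "mastodon";
-permissions = "0400";
-text = ''
-REDIS_HOST=${env.redis.host}
-REDIS_PORT=${env.redis.port}
-REDIS_DB=${env.redis.db}
-DB_HOST=${env.postgresql.socket}
-DB_USER=${env.postgresql.user}
-DB_NAME=${env.postgresql.database}
-DB_PASS=${env.postgresql.password}
-DB_PORT=${env.postgresql.port}
-
-LOCAL_DOMAIN=mastodon.immae.eu
-LOCAL_HTTPS=true
-ALTERNATE_DOMAINS=immae.eu
-
-PAPERCLIP_SECRET=${env.paperclip_secret}
-SECRET_KEY_BASE=${env.secret_key_base}
-OTP_SECRET=${env.otp_secret}
-
-VAPID_PRIVATE_KEY=${env.vapid.private}
-VAPID_PUBLIC_KEY=${env.vapid.public}
-
-SMTP_DELIVERY_METHOD=sendmail
-SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
-SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
-PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
-
-STREAMING_CLUSTER_NUM=1
-
-RAILS_LOG_LEVEL=warn
-
-# LDAP authentication (optional)
-LDAP_ENABLED=true
-LDAP_HOST=ldap.immae.eu
-LDAP_PORT=636
-LDAP_METHOD=simple_tls
-LDAP_BASE="dc=immae,dc=eu"
-LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
-LDAP_PASSWORD="${env.ldap.password}"
-LDAP_UID="uid"
-LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
-'';
-}];
-services.mastodon = {
-enable = true;
-configFile = "/var/secrets/webapps/tools-mastodon";
-socketsPrefix = "live_immae";
-dataDir = "/var/lib/mastodon_immae";
-};
-
-services.websites.tools.modules = [
-"headers" "proxy" "proxy_wstunnel" "proxy_http"
-];
-system.extraSystemBuilderCmds = ''
-mkdir -p $out/webapps
-ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
-'';
-services.websites.tools.vhostConfs.mastodon = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["mastodon.immae.eu" ];
-root = root;
-extraConfig = [ ''
-Header always set Referrer-Policy "strict-origin-when-cross-origin"
-Header always set Strict-Transport-Security "max-age=31536000"
-
-<LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
-Header always set Cache-Control "public, max-age=31536000, immutable"
-Require all granted
-</LocationMatch>
-
-ProxyPreserveHost On
-RequestHeader set X-Forwarded-Proto "https"
-
-RewriteEngine On
-
-ProxyPass /500.html !
-ProxyPass /sw.js !
-ProxyPass /embed.js !
-ProxyPass /robots.txt !
-ProxyPass /manifest.json !
-ProxyPass /browserconfig.xml !
-ProxyPass /mask-icon.svg !
-ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
-ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
-
-RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
-RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
-ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
-ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
-
-Alias /system ${mcfg.dataDir}
-
-<Directory ${mcfg.dataDir}>
-Require all granted
-Options -MultiViews
-</Directory>
-
-<Directory ${root}>
-Require all granted
-Options -MultiViews +FollowSymlinks
-</Directory>
-
-ErrorDocument 500 /500.html
-ErrorDocument 501 /500.html
-ErrorDocument 502 /500.html
-ErrorDocument 503 /500.html
-ErrorDocument 504 /500.html
-'' ];
-};
-};
-}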
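--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ /dev/null
@@ -1,122 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-env = myconfig.env.tools.mediagoblin;
-cfg = config.services.myWebsites.tools.mediagoblin;
-mcfg = config.services.mediagoblin;
-in {
-options.services.myWebsites.tools.mediagoblin = {
-enable = lib.mkEnableOption "enable mediagoblin's website";
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys = [{
-dest = "webapps/tools-mediagoblin";
-user = "mediagoblin";
-group = "mediagoblin";
-permissions = "0400";
-text = ''
-[DEFAULT]
-data_basedir = "${mcfg.dataDir}"
-
-[mediagoblin]
-direct_remote_path = /mgoblin_static/
-email_sender_address = "mediagoblin@tools.immae.eu"
-
-#sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
-sql_engine = ${env.psql_url}
-
-email_debug_mode = false
-allow_registration = false
-allow_reporting = true
-
-theme = airymodified
-
-user_privilege_scheme = "uploader,commenter,reporter"
-
-# We need to redefine them here since we override data_basedir
-# cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
-workbench_path = %(data_basedir)s/media/workbench
-crypto_path = %(data_basedir)s/crypto
-theme_install_dir = %(data_basedir)s/themes/
-theme_linked_assets_dir = %(data_basedir)s/theme_static/
-plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
-
-[storage:queuestore]
-base_dir = %(data_basedir)s/media/queue
-
-[storage:publicstore]
-base_dir = %(data_basedir)s/media/public
-base_url = /mgoblin_media/
-
-[celery]
-CELERY_RESULT_DBURI = ${env.redis_url}
-BROKER_URL = ${env.redis_url}
-CELERYD_CONCURRENCY = 1
-
-[plugins]
-[[mediagoblin.plugins.geolocation]]
-[[mediagoblin.plugins.ldap]]
-[[[immae.eu]]]
-LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
-LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
-LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
-LDAP_BIND_PW = '${env.ldap.password}'
-LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
-EMAIL_SEARCH_FIELD = 'mail'
-[[mediagoblin.plugins.basicsearch]]
-[[mediagoblin.plugins.piwigo]]
-[[mediagoblin.plugins.processing_info]]
-[[mediagoblin.media_types.image]]
-[[mediagoblin.media_types.video]]
-'';
-}];
-
-users.users.mediagoblin.extraGroups = [ "keys" ];
-
-services.mediagoblin = {
-enable = true;
-plugins = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
-configFile = "/var/secrets/webapps/tools-mediagoblin";
-};
-
-services.websites.tools.modules = [
-"proxy" "proxy_http"
-];
-users.users.wwwrun.extraGroups = [ "mediagoblin" ];
-services.websites.tools.vhostConfs.mgoblin = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["mgoblin.immae.eu" ];
-root = null;
-extraConfig = [ ''
-Alias /mgoblin_media ${mcfg.dataDir}/media/public
-<Directory ${mcfg.dataDir}/media/public>
-Options -Indexes +FollowSymLinks +MultiViews +Includes
-Require all granted
-</Directory>
-
-Alias /theme_static ${mcfg.dataDir}/theme_static
-<Directory ${mcfg.dataDir}/theme_static>
-Options -Indexes +FollowSymLinks +MultiViews +Includes
-Require all granted
-</Directory>
-
-Alias /plugin_static ${mcfg.dataDir}/plugin_static
-<Directory ${mcfg.dataDir}/plugin_static>
-Options -Indexes +FollowSymLinks +MultiViews +Includes
-Require all granted
-</Directory>
-
-ProxyPreserveHost on
-ProxyVia On
-ProxyRequests Off
-ProxyPass /mgoblin_media !
-ProxyPass /theme_static !
-ProxyPass /plugin_static !
-ProxyPassMatch ^/.well-known/acme-challenge !
-ProxyPass / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
-ProxyPassReverse / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
-'' ];
-};
-};
-}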
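--- a/nixops/modules/websites/tools/peertube.nix
+++ /dev/null
@@ -1,179 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-env = myconfig.env.tools.peertube;
-cfg = config.services.myWebsites.tools.peertube;
-pcfg = config.services.peertube;
-in {
-options.services.myWebsites.tools.peertube = {
-enable = lib.mkEnableOption "enable Peertube's website";
-};
-
-config = lib.mkIf cfg.enable {
-services.peertube = {
-enable = true;
-configFile = "/var/secrets/webapps/tools-peertube";
-package = pkgs.webapps.peertube.override { ldap = true; };
-};
-users.users.peertube.extraGroups = [ "keys" ];
-
-secrets.keys = [{
-dest = "webapps/tools-peertube";
-user = "peertube";
-group = "peertube";
-permissions = "0640";
-text = ''
-listen:
-hostname: 'localhost'
-port: ${env.listenPort}
-webserver:
-https: true
-hostname: 'peertube.immae.eu'
-port: 443
-trust_proxy:
-- 'loopback'
-database:
-hostname: '${env.postgresql.socket}'
-port: 5432
-suffix: '_prod'
-username: '${env.postgresql.user}'
-password: '${env.postgresql.password}'
-pool:
-max: 5
-redis:
-socket: '${env.redis.socket}'
-auth: null
-db: ${env.redis.db_index}
-ldap:
-enable: true
-ldap_only: false
-url: ldaps://${env.ldap.host}/${env.ldap.base}
-bind_dn: ${env.ldap.dn}
-bind_password: ${env.ldap.password}
-base: ${env.ldap.base}
-mail_entry: "mail"
-user_filter: "${env.ldap.filter}"
-smtp:
-transport: sendmail
-sendmail: '/run/wrappers/bin/sendmail'
-hostname: null
-port: 465 # If you use StartTLS: 587
-username: null
-password: null
-tls: true # If you use StartTLS: false
-disable_starttls: false
-ca_file: null # Used for self signed certificates
-from_address: 'peertube@tools.immae.eu'
-storage:
-tmp: '${pcfg.dataDir}/storage/tmp/'
-avatars: '${pcfg.dataDir}/storage/avatars/'
-videos: '${pcfg.dataDir}/storage/videos/'
-redundancy: '${pcfg.dataDir}/storage/videos/'
-logs: '${pcfg.dataDir}/storage/logs/'
-previews: '${pcfg.dataDir}/storage/previews/'
-thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
-torrents: '${pcfg.dataDir}/storage/torrents/'
-captions: '${pcfg.dataDir}/storage/captions/'
-cache: '${pcfg.dataDir}/storage/cache/'
-log:
-level: 'info'
-search:
-remote_uri:
-users: true
-anonymous: false
-trending:
-videos:
-interval_days: 7
-redundancy:
-videos:
-check_interval: '1 hour' # How often you want to check new videos to cache
-strategies: # Just uncomment strategies you want
-# Following are saved in local-production.json
-cache:
-previews:
-size: 500 # Max number of previews you want to cache
-captions:
-size: 500 # Max number of video captions/subtitles you want to cache
-admin:
-email: 'peertube@tools.immae.eu'
-contact_form:
-enabled: true
-signup:
-enabled: false
-limit: 10
-requires_email_verification: false
-filters:
-cidr:
-whitelist: []
-blacklist: []
-user:
-video_quota: -1
-video_quota_daily: -1
-transcoding:
-enabled: false
-allow_additional_extensions: true
-threads: 1
-resolutions:
-240p: false
-360p: false
-480p: true
-720p: true
-1080p: true
-hls:
-enabled: false
-import:
-videos:
-http:
-enabled: true
-torrent:
-enabled: false
-instance:
-name: 'Immae’s PeerTube'
-short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
-description: '''
-terms: '''
-default_client_route: '/videos/trending'
-default_nsfw_policy: 'blur'
-customizations:
-javascript: '''
-css: '''
-robots: |
-User-agent: *
-Disallow:
-securitytxt:
-"# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
-services:
-# You can provide a reporting endpoint for Content Security Policy violations
-csp-logger:
-twitter:
-username: '@_immae'
-whitelisted: false
-'';
-}];
-
-services.websites.tools.modules = [
-"headers" "proxy" "proxy_http" "proxy_wstunnel"
-];
-services.websites.tools.vhostConfs.peertube = {
-certName = "eldiron";
-addToCerts = true;
-hosts = [ "peertube.immae.eu" ];
-root = null;
-extraConfig = [ ''
-RewriteEngine On
-
-RewriteCond %{REQUEST_URI} ^/socket.io [NC]
-RewriteCond %{QUERY_STRING} transport=websocket [NC]
-RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
-
-RewriteCond %{REQUEST_URI} ^/tracker/socket [NC]
-RewriteRule /(.*) ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
-
-ProxyPass / http://localhost:${env.listenPort}/
-ProxyPassReverse / http://localhost:${env.listenPort}/
-
-ProxyPreserveHost On
-RequestHeader set X-Real-IP %{REMOTE_ADDR}s
-'' ];
-};
-};
-}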
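--- a/nixops/modules/websites/tools/tools/default.nix
+++ /dev/null
@@ -1,298 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-adminer = pkgs.callPackage ../../commons/adminer.nix {};
-ympd = pkgs.callPackage ./ympd.nix {
-env = myconfig.env.tools.ympd;
-};
-ttrss = pkgs.callPackage ./ttrss.nix {
-inherit (pkgs.webapps) ttrss ttrss-plugins;
-env = myconfig.env.tools.ttrss;
-};
-roundcubemail = pkgs.callPackage ./roundcubemail.nix {
-inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
-env = myconfig.env.tools.roundcubemail;
-};
-rainloop = pkgs.callPackage ./rainloop.nix {};
-kanboard = pkgs.callPackage ./kanboard.nix {
-env = myconfig.env.tools.kanboard;
-};
-wallabag = pkgs.callPackage ./wallabag.nix {
-inherit (pkgs.webapps) wallabag;
-env = myconfig.env.tools.wallabag;
-};
-yourls = pkgs.callPackage ./yourls.nix {
-inherit (pkgs.webapps) yourls yourls-plugins;
-env = myconfig.env.tools.yourls;
-};
-rompr = pkgs.callPackage ./rompr.nix {
-inherit (pkgs.webapps) rompr;
-env = myconfig.env.tools.rompr;
-};
-shaarli = pkgs.callPackage ./shaarli.nix {
-env = myconfig.env.tools.shaarli;
-};
-dokuwiki = pkgs.callPackage ./dokuwiki.nix {
-inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
-};
-ldap = pkgs.callPackage ./ldap.nix {
-inherit (pkgs.webapps) phpldapadmin;
-env = myconfig.env.tools.phpldapadmin;
-};
-
-cfg = config.services.myWebsites.tools.tools;
-in {
-options.services.myWebsites.tools.tools = {
-enable = lib.mkEnableOption "enable tools website";
-};
-
-config = lib.mkIf cfg.enable {
-secrets.keys =
-kanboard.keys
-++ ldap.keys
-++ roundcubemail.keys
-++ shaarli.keys
-++ ttrss.keys
-++ wallabag.keys
-++ yourls.keys;
-
-services.websites.integration.modules =
-rainloop.apache.modules;
-
-services.websites.tools.modules =
-[ "proxy_fcgi" ]
-++ adminer.apache.modules
-++ ympd.apache.modules
-++ ttrss.apache.modules
-++ roundcubemail.apache.modules
-++ wallabag.apache.modules
-++ yourls.apache.modules
-++ rompr.apache.modules
-++ shaarli.apache.modules
-++ dokuwiki.apache.modules
-++ ldap.apache.modules
-++ kanboard.apache.modules;
-
-services.websites.integration.vhostConfs.devtools = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["devtools.immae.eu" ];
-root = "/var/lib/ftp/devtools.immae.eu";
-extraConfig = [
-''
-<Directory "/var/lib/ftp/devtools.immae.eu">
-DirectoryIndex index.php index.htm index.html
-AllowOverride all
-Require all granted
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost"
-</FilesMatch>
-</Directory>
-''
-rainloop.apache.vhostConf
-];
-};
-
-services.websites.tools.vhostConfs.tools = {
-certName = "eldiron";
-addToCerts = true;
-hosts = ["tools.immae.eu" ];
-root = "/var/lib/ftp/tools.immae.eu";
-extraConfig = [
-''
-<Directory "/var/lib/ftp/tools.immae.eu">
-DirectoryIndex index.php index.htm index.html
-AllowOverride all
-Require all granted
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost"
-</FilesMatch>
-</Directory>
-''
-adminer.apache.vhostConf
-ympd.apache.vhostConf
-ttrss.apache.vhostConf
-roundcubemail.apache.vhostConf
-wallabag.apache.vhostConf
-yourls.apache.vhostConf
-rompr.apache.vhostConf
-shaarli.apache.vhostConf
-dokuwiki.apache.vhostConf
-ldap.apache.vhostConf
-kanboard.apache.vhostConf
-];
-};
-
-services.websites.tools.vhostConfs.outils = {
-certName = "eldiron";
-addToCerts = true;
-hosts = [ "outils.immae.eu" ];
-root = null;
-extraConfig = [
-''
-RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1
-
-RedirectMatch 301 ^/ether(.*)$ https://ether.immae.eu$1
-
-RedirectMatch 301 ^/nextcloud(.*)$ https://cloud.immae.eu$1
-RedirectMatch 301 ^/owncloud(.*)$ https://cloud.immae.eu$1
-
-RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
-RedirectMatch 301 ^/caldavzap(.*)$ https://dav.immae.eu/infcloud$1
-RedirectMatch 301 ^/caldav.php(.*)$ https://dav.immae.eu/caldav.php$1
-RedirectMatch 301 ^/davical(.*)$ https://dav.immae.eu/davical$1
-
-RedirectMatch 301 ^/taskweb(.*)$ https://task.immae.eu/taskweb$1
-
-RedirectMatch 301 ^/(.*)$ https://tools.immae.eu/$1
-''
-];
-};
-
-systemd.services = {
-phpfpm-dokuwiki = {
-after = lib.mkAfter dokuwiki.phpFpm.serviceDeps;
-wants = dokuwiki.phpFpm.serviceDeps;
-};
-phpfpm-kanboard = {
-after = lib.mkAfter kanboard.phpFpm.serviceDeps;
-wants = kanboard.phpFpm.serviceDeps;
-};
-phpfpm-ldap = {
-after = lib.mkAfter ldap.phpFpm.serviceDeps;
-wants = ldap.phpFpm.serviceDeps;
-};
-phpfpm-rainloop = {
-after = lib.mkAfter rainloop.phpFpm.serviceDeps;
-wants = rainloop.phpFpm.serviceDeps;
-};
-phpfpm-roundcubemail = {
-after = lib.mkAfter roundcubemail.phpFpm.serviceDeps;
-wants = roundcubemail.phpFpm.serviceDeps;
-};
-phpfpm-shaarli = {
-after = lib.mkAfter shaarli.phpFpm.serviceDeps;
-wants = shaarli.phpFpm.serviceDeps;
-};
-phpfpm-ttrss = {
-after = lib.mkAfter ttrss.phpFpm.serviceDeps;
-wants = ttrss.phpFpm.serviceDeps;
-};
-phpfpm-wallabag = {
-after = lib.mkAfter wallabag.phpFpm.serviceDeps;
-wants = wallabag.phpFpm.serviceDeps;
-preStart = lib.mkAfter wallabag.phpFpm.preStart;
-};
-phpfpm-yourls = {
-after = lib.mkAfter yourls.phpFpm.serviceDeps;
-wants = yourls.phpFpm.serviceDeps;
-};
-ympd = {
-description = "Standalone MPD Web GUI written in C";
-wantedBy = [ "multi-user.target" ];
-script = ''
-export MPD_PASSWORD=$(cat /var/secrets/mpd)
-${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
-'';
-};
-tt-rss = {
-description = "Tiny Tiny RSS feeds update daemon";
-serviceConfig = {
-User = "wwwrun";
-ExecStart = "${pkgs.php}/bin/php ${ttrss.webRoot}/update.php --daemon";
-StandardOutput = "syslog";
-StandardError = "syslog";
-PermissionsStartOnly = true;
-};
-
-wantedBy = [ "multi-user.target" ];
-requires = ["postgresql.service"];
-after = ["network.target" "postgresql.service"];
-};
-};
-
-services.phpfpm.pools.roundcubemail = {
-listen = roundcubemail.phpFpm.socket;
-extraConfig = roundcubemail.phpFpm.pool;
-phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig;
-};
-
-services.phpfpm.pools.devtools = {
-listen = "/var/run/phpfpm/devtools.sock";
-extraConfig = ''
-user = wwwrun
-group = wwwrun
-listen.owner = wwwrun
-listen.group = wwwrun
-pm = dynamic
-pm.max_children = 60
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 10
-
-php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"
-'';
-phpOptions = config.services.phpfpm.phpOptions + ''
-extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
-extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
-'';
-};
-
-services.phpfpm.poolConfigs = {
-adminer = adminer.phpFpm.pool;
-ttrss = ttrss.phpFpm.pool;
-wallabag = wallabag.phpFpm.pool;
-yourls = yourls.phpFpm.pool;
-rompr = rompr.phpFpm.pool;
-shaarli = shaarli.phpFpm.pool;
-dokuwiki = dokuwiki.phpFpm.pool;
-ldap = ldap.phpFpm.pool;
-rainloop = rainloop.phpFpm.pool;
-kanboard = kanboard.phpFpm.pool;
-tools = ''
-listen = /var/run/phpfpm/tools.sock
-user = wwwrun
-group = wwwrun
-listen.owner = wwwrun
-listen.group = wwwrun
-pm = dynamic
-pm.max_children = 60
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 10
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = ToolsPHPSESSID
-php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"
-'';
-};
-
-system.activationScripts = {
-ttrss = ttrss.activationScript;
-roundcubemail = roundcubemail.activationScript;
-wallabag = wallabag.activationScript;
-yourls = yourls.activationScript;
-rompr = rompr.activationScript;
-shaarli = shaarli.activationScript;
-dokuwiki = dokuwiki.activationScript;
-rainloop = rainloop.activationScript;
-kanboard = kanboard.activationScript;
-};
-
-system.extraSystemBuilderCmds = ''
-mkdir -p $out/webapps
-ln -s ${dokuwiki.webRoot} $out/webapps/${dokuwiki.apache.webappName}
-ln -s ${ldap.webRoot}/htdocs $out/webapps/${ldap.apache.webappName}
-ln -s ${rompr.webRoot} $out/webapps/${rompr.apache.webappName}
-ln -s ${roundcubemail.webRoot} $out/webapps/${roundcubemail.apache.webappName}
-ln -s ${shaarli.webRoot} $out/webapps/${shaarli.apache.webappName}
-ln -s ${ttrss.webRoot} $out/webapps/${ttrss.apache.webappName}
-ln -s ${wallabag.webRoot} $out/webapps/${wallabag.apache.webappName}
-ln -s ${yourls.webRoot} $out/webapps/${yourls.apache.webappName}
-ln -s ${rainloop.webRoot} $out/webapps/${rainloop.apache.webappName}
-ln -s ${kanboard.webRoot} $out/webapps/${kanboard.apache.webappName}
-'';
-
-};
-}
-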
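--- a/nixops/modules/websites/tools/tools/dokuwiki.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ lib, stdenv, dokuwiki, dokuwiki-plugins }:
-rec {
-varDir = "/var/lib/dokuwiki";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-if [ ! -d ${varDir} ]; then
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/animals
-cp -a ${webRoot}/conf.dist ${varDir}/conf
-cp -a ${webRoot}/data.dist ${varDir}/data
-cp -a ${webRoot}/
-chown -R ${apache.user}:${apache.user} ${varDir}/config ${varDir}/data
-chmod -R 755 ${varDir}/config ${varDir}/data
-fi
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-'';
-};
-webRoot = dokuwiki.withPlugins (builtins.attrValues dokuwiki-plugins);
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_dokuwiki";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /dokuwiki "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-AllowOverride All
-Options +FollowSymlinks
-Require all granted
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "openldap.service" ];
-basedir = builtins.concatStringsSep ":" (
-[ webRoot varDir ] ++ webRoot.plugins);
-socket = "/var/run/phpfpm/dokuwiki.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = DokuwikiPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-}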
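--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{ env, kanboard }:
-rec {
-varDir = "/var/lib/kanboard";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-install -TDm644 ${webRoot}/dataold/.htaccess ${varDir}/data/.htaccess
-install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
-'';
-};
-keys = [{
-dest = "webapps/tools-kanboard";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-define('MAIL_FROM', 'kanboard@tools.immae.eu');
-
-define('DB_DRIVER', 'postgres');
-define('DB_USERNAME', '${env.postgresql.user}');
-define('DB_PASSWORD', '${env.postgresql.password}');
-define('DB_HOSTNAME', '${env.postgresql.socket}');
-define('DB_NAME', '${env.postgresql.database}');
-
-define('DATA_DIR', '${varDir}');
-define('LDAP_AUTH', true);
-define('LDAP_SERVER', '${env.ldap.host}');
-define('LDAP_START_TLS', true);
-
-define('LDAP_BIND_TYPE', 'proxy');
-define('LDAP_USERNAME', '${env.ldap.dn}');
-define('LDAP_PASSWORD', '${env.ldap.password}');
-define('LDAP_USER_BASE_DN', '${env.ldap.base}');
-define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
-define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
-?>
-'';
-}];
-webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_kanboard";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /kanboard "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-AllowOverride All
-Options FollowSymlinks
-Require all granted
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-<DirectoryMatch "${root}/data">
-Require all denied
-</DirectoryMatch>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
-socket = "/var/run/phpfpm/kanboard.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = KanboardPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-}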
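--- a/nixops/modules/websites/tools/tools/ldap.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{ lib, php, env, writeText, phpldapadmin }:
-rec {
-keys = [{
-dest = "webapps/tools-ldap";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-$config->custom->appearance['show_clear_password'] = true;
-$config->custom->appearance['hide_template_warning'] = true;
-$config->custom->appearance['theme'] = "tango";
-$config->custom->appearance['minimalMode'] = true;
-
-$servers = new Datastore();
-
-$servers->newServer('ldap_pla');
-$servers->setValue('server','name','Immae’s LDAP');
-$servers->setValue('server','host','ldaps://${env.ldap.host}');
-$servers->setValue('login','auth_type','cookie');
-$servers->setValue('login','bind_id','${env.ldap.dn}');
-$servers->setValue('login','bind_pass','${env.ldap.password}');
-$servers->setValue('appearance','password_hash','ssha');
-$servers->setValue('login','attr','uid');
-$servers->setValue('login','fallback_dn',true);
-'';
-}];
-webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_ldap";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /ldap "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-AllowOverride None
-Require all granted
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
-socket = "/var/run/phpfpm/ldap.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = LdapPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
-php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
-'';
-};
-}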
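--- a/nixops/modules/websites/tools/tools/rainloop.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ lib, pkgs, writeText, stdenv, fetchurl }:
-rec {
-varDir = "/var/lib/rainloop";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
-'';
-};
-webRoot = pkgs.rainloop-community.override { dataPath = "${varDir}/data"; };
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_rainloop";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /rainloop "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-AllowOverride All
-Options -FollowSymlinks
-Require all granted
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-
-<DirectoryMatch "${root}/data">
-Require all denied
-</DirectoryMatch>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-socket = "/var/run/phpfpm/rainloop.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = RainloopPHPSESSID
-php_admin_value[upload_max_filesize] = 200M
-php_admin_value[post_max_size] = 200M
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-}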
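--- a/nixops/modules/websites/tools/tools/rompr.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, env, rompr }:
-rec {
-varDir = "/var/lib/rompr";
-activationScript = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/prefs ${varDir}/albumart ${varDir}/phpSessions
-'';
-webRoot = rompr;
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "headers" "mime" "proxy_fcgi" ];
-webappName = "tools_rompr";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /rompr ${root}
-
-<Directory ${root}>
-Options Indexes FollowSymLinks
-DirectoryIndex index.php
-AllowOverride all
-Require all granted
-Order allow,deny
-Allow from all
-ErrorDocument 404 /rompr/404.php
-AddType image/x-icon .ico
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-
-<Directory ${root}/albumart/small>
-Header Set Cache-Control "max-age=0, no-store"
-Header Set Cache-Control "no-cache, must-revalidate"
-</Directory>
-
-<Directory ${root}/albumart/asdownloaded>
-Header Set Cache-Control "max-age=0, no-store"
-Header Set Cache-Control "no-cache, must-revalidate"
-</Directory>
-
-<LocationMatch "^/rompr">
-Use LDAPConnect
-Require ldap-group cn=users,cn=mpd,ou=services,dc=immae,dc=eu
-</LocationMatch>
-'';
-};
-phpFpm = rec {
-basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-socket = "/var/run/phpfpm/rompr.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = RomprPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-php_flag[magic_quotes_gpc] = Off
-php_flag[track_vars] = On
-php_flag[register_globals] = Off
-php_admin_flag[allow_url_fopen] = On
-php_value[include_path] = ${webRoot}
-php_admin_value[upload_tmp_dir] = "${varDir}/prefs"
-php_admin_value[post_max_size] = 32M
-php_admin_value[upload_max_filesize] = 32M
-php_admin_value[memory_limit] = 256M
-'';
-};
-}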
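--- a/nixops/modules/websites/tools/tools/roundcubemail.nix
+++ /dev/null
@@ -1,121 +0,0 @@
-{ env, roundcubemail, roundcubemail-plugins, roundcubemail-skins, phpPackages, apacheHttpd }:
-rec {
-varDir = "/var/lib/roundcubemail";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/cache ${varDir}/logs
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-'';
-};
-keys = [{
-dest = "webapps/tools-roundcube";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-$config['db_dsnw'] = '${env.psql_url}';
-$config['default_host'] = 'ssl://mail.immae.eu';
-$config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
-$config['smtp_server'] = 'tls://mail.immae.eu';
-$config['smtp_port'] = '25';
-$config['managesieve_host'] = 'mail.immae.eu';
-$config['managesieve_port'] = '4190';
-$config['managesieve_usetls'] = true;
-$config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
-
-$config['imap_cache'] = 'db';
-$config['messages_cache'] = 'db';
-
-$config['support_url'] = ''';
-
-$config['des_key'] = '${env.secret}';
-
-$config['skin'] = 'elastic';
-$config['plugins'] = array(
-'attachment_reminder',
-'emoticons',
-'filesystem_attachments',
-'hide_blockquote',
-'identicon',
-'identity_select',
-'jqueryui',
-'managesieve',
-'newmail_notifier',
-'vcard_attachments',
-'zipdownload',
-
-'automatic_addressbook',
-'message_highlight',
-'carddav',
-// Ne marche pas ?: 'ident_switch',
-// Ne marche pas ?: 'thunderbird_labels',
-);
-
-$config['language'] = 'fr_FR';
-
-$config['drafts_mbox'] = 'Mail/Drafts';
-$config['junk_mbox'] = 'Mail/Spam';
-$config['sent_mbox'] = 'Mail/sent';
-$config['trash_mbox'] = ''';
-$config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
-$config['draft_autosave'] = 60;
-$config['enable_installer'] = false;
-$config['log_driver'] = 'file';
-$config['temp_dir'] = '${varDir}/cache';
-$config['mime_types'] = '${apacheHttpd}/conf/mime.types';
-'';
-}];
-webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins
-(builtins.attrValues roundcubemail-plugins) (builtins.attrValues roundcubemail-skins);
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_roundcubemail";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /roundcube "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-AllowOverride All
-Options FollowSymlinks
-Require all granted
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" ];
-basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
-++ webRoot.plugins
-++ webRoot.skins);
-phpConfig = ''
-date.timezone = 'CET'
-extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
-'';
-socket = "/var/run/phpfpm/roundcubemail.sock";
-pool = ''
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = RoundcubemailPHPSESSID
-php_admin_value[upload_max_filesize] = 200M
-php_admin_value[post_max_size] = 200M
-php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-}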
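--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ lib, env, stdenv, fetchurl, shaarli }:
-let
-varDir = "/var/lib/shaarli";
-in rec {
-activationScript = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
-${varDir}/phpSessions
-'';
-webRoot = shaarli varDir;
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" "rewrite" "env" ];
-webappName = "tools_shaarli";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /Shaarli "${root}"
-
-Include /var/secrets/webapps/tools-shaarli
-<Directory "${root}">
-DirectoryIndex index.php index.htm index.html
-Options Indexes FollowSymLinks MultiViews Includes
-AllowOverride All
-Require all granted
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-</Directory>
-'';
-};
-keys = [{
-dest = "webapps/tools-shaarli";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-SetEnv SHAARLI_LDAP_DN "${env.ldap.dn}"
-SetEnv SHAARLI_LDAP_HOST "ldaps://${env.ldap.host}"
-SetEnv SHAARLI_LDAP_BASE "${env.ldap.base}"
-SetEnv SHAARLI_LDAP_FILTER "${env.ldap.search}"
-'';
-}];
-phpFpm = rec {
-serviceDeps = [ "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-socket = "/var/run/phpfpm/shaarli.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = ShaarliPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-}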
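--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ /dev/null
@@ -1,131 +0,0 @@
-{ php, env, ttrss, ttrss-plugins }:
-rec {
-varDir = "/var/lib/ttrss";
-activationScript = {
-deps = [ "wrappers" ];
-text = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/lock ${varDir}/cache ${varDir}/feed-icons
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/cache/export/ \
-${varDir}/cache/feeds/ \
-${varDir}/cache/images/ \
-${varDir}/cache/js/ \
-${varDir}/cache/simplepie/ \
-${varDir}/cache/upload/
-touch ${varDir}/feed-icons/index.html
-install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-'';
-};
-keys = [{
-dest = "webapps/tools-ttrss";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-
-define('PHP_EXECUTABLE', '${php}/bin/php');
-
-define('LOCK_DIRECTORY', 'lock');
-define('CACHE_DIR', 'cache');
-define('ICONS_DIR', 'feed-icons');
-define('ICONS_URL', 'feed-icons');
-define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
-
-define('MYSQL_CHARSET', 'UTF8');
-
-define('DB_TYPE', 'pgsql');
-define('DB_HOST', '${env.postgresql.socket}');
-define('DB_USER', '${env.postgresql.user}');
-define('DB_NAME', '${env.postgresql.database}');
-define('DB_PASS', '${env.postgresql.password}');
-define('DB_PORT', '${env.postgresql.port}');
-
-define('AUTH_AUTO_CREATE', true);
-define('AUTH_AUTO_LOGIN', true);
-
-define('SINGLE_USER_MODE', false);
-
-define('SIMPLE_UPDATE_MODE', false);
-define('CHECK_FOR_UPDATES', true);
-
-define('FORCE_ARTICLE_PURGE', 0);
-define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
-define('ENABLE_GZIP_OUTPUT', false);
-
-define('PLUGINS', 'auth_ldap, note, instances');
-
-define('LOG_DESTINATION', ''');
-define('CONFIG_VERSION', 26);
-
-
-define('SPHINX_SERVER', 'localhost:9312');
-define('SPHINX_INDEX', 'ttrss, delta');
-
-define('ENABLE_REGISTRATION', false);
-define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu');
-define('REG_MAX_USERS', 10);
-
-define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
-define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
-define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
-
-define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
-define('LDAP_AUTH_USETLS', TRUE);
-define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
-define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
-define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
-define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
-
-define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
-define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
-define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
-
-define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
-define('LDAP_AUTH_DEBUG', FALSE);
-'';
-}];
-webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (builtins.attrValues ttrss-plugins);
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_ttrss";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /ttrss "${root}"
-<Directory "${root}">
-DirectoryIndex index.php
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-AllowOverride All
-Options FollowSymlinks
-Require all granted
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
-++ webRoot.plugins);
-socket = "/var/run/phpfpm/ttrss.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = TtrssPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
-};
-}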
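--- a/nixops/modules/websites/tools/tools/wallabag.nix
+++ /dev/null
@@ -1,148 +0,0 @@
-{ env, wallabag }:
-rec {
-varDir = "/var/lib/wallabag";
-keys = [{
-dest = "webapps/tools-wallabag";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-# This file is auto-generated during the composer install
-parameters:
-database_driver: pdo_pgsql
-database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
-database_host: ${env.postgresql.socket}
-database_port: ${env.postgresql.port}
-database_name: ${env.postgresql.database}
-database_user: ${env.postgresql.user}
-database_password: ${env.postgresql.password}
-database_path: null
-database_table_prefix: wallabag_
-database_socket: null
-database_charset: utf8
-domain_name: https://tools.immae.eu/wallabag
-mailer_transport: sendmail
-mailer_host: 127.0.0.1
-mailer_user: null
-mailer_password: null
-locale: fr
-secret: ${env.secret}
-twofactor_auth: true
-twofactor_sender: wallabag@tools.immae.eu
-fosuser_registration: false
-fosuser_confirmation: true
-from_email: wallabag@tools.immae.eu
-rss_limit: 50
-rabbitmq_host: localhost
-rabbitmq_port: 5672
-rabbitmq_user: guest
-rabbitmq_password: guest
-rabbitmq_prefetch_count: 10
-redis_scheme: unix
-redis_host: null
-redis_port: null
-redis_path: ${env.redis.socket}
-redis_password: null
-sites_credentials: { }
-ldap_enabled: true
-ldap_host: ldap.immae.eu
-ldap_port: 636
-ldap_tls: false
-ldap_ssl: true
-ldap_bind_requires_dn: true
-ldap_base: 'dc=immae,dc=eu'
-ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
-ldap_manager_pw: ${env.ldap.password}
-ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
-ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
-ldap_username_attribute: uid
-ldap_email_attribute: mail
-ldap_name_attribute: cn
-ldap_enabled_attribute: null
-services:
-swiftmailer.mailer.default.transport:
-class: Swift_SendmailTransport
-arguments: ['/run/wrappers/bin/sendmail -bs']
-'';
-}];
-webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
-activationScript = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-${varDir}/var ${varDir}/data/db ${varDir}/assets/images
-'';
-webRoot = "${webappDir}/web";
-# Domain migration: Table wallabag_entry contains whole
-# https://tools.immae.eu/wallabag domain name in preview_picture
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_wallabag";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /wallabag "${root}"
-<Directory "${root}">
-AllowOverride None
-Require all granted
-# For OAuth (apps)
-CGIPassAuth On
-
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-<IfModule mod_rewrite.c>
-Options -MultiViews
-RewriteEngine On
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteRule ^(.*)$ app.php [QSA,L]
-</IfModule>
-</Directory>
-<Directory "${root}/bundles">
-<IfModule mod_rewrite.c>
-RewriteEngine Off
-</IfModule>
-</Directory>
-<Directory "${varDir}/assets">
-AllowOverride None
-Require all granted
-</Directory>
-'';
-};
-phpFpm = rec {
-preStart = ''
-if [ ! -f "${varDir}/currentWebappDir" -o \
-! -f "${varDir}/currentKey" -o \
-"${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ] \
-|| ! sha512sum -c --status ${varDir}/currentKey; then
-pushd ${webappDir} > /dev/null
-/run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod cache:clear
-rm -rf /var/lib/wallabag/var/cache/pro_
-/run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
-popd > /dev/null
-echo -n "${webappDir}" > ${varDir}/currentWebappDir
-sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
-fi
-'';
-serviceDeps = [ "postgresql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
-socket = "/var/run/phpfpm/wallabag.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = dynamic
-pm.max_children = 60
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 10
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = WallabagPHPSESSID
-php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp"
-php_value[max_execution_time] = 300
-'';
-};
-}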
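--- a/nixops/modules/websites/tools/tools/ympd.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ env }:
-let
-ympd = rec {
-config = {
-webPort = "localhost:${env.listenPort}";
-host = env.mpd.host;
-port = env.mpd.port;
-};
-apache = {
-modules = [
-"proxy_wstunnel"
-];
-vhostConf = ''
-<LocationMatch "^/mpd(?!/music.(mp3|ogg))">
-Use LDAPConnect
-Require ldap-group cn=users,cn=mpd,ou=services,dc=immae,dc=eu
-</LocationMatch>
-
-RedirectMatch permanent "^/mpd$" "/mpd/"
-<Location "/mpd/">
-ProxyPass http://${config.webPort}/
-ProxyPassReverse http://${config.webPort}/
-ProxyPreserveHost on
-</Location>
-<Location "/mpd/ws">
-ProxyPass ws://${config.webPort}/ws
-</Location>
-<Location "/mpd/music.mp3">
-ProxyPass unix:///run/mpd/mp3.sock|http://tools.immae.eu/
-ProxyPassReverse unix:///run/mpd/mp3.sock|http://tools.immae.eu/
-</Location>
-<Location "/mpd/music.ogg">
-ProxyPass unix:///run/mpd/ogg.sock|http://tools.immae.eu/
-ProxyPassReverse unix:///run/mpd/ogg.sock|http://tools.immae.eu/
-</Location>
-'';
-};
-};
-in
-ympd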
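--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ env, yourls, yourls-plugins }:
-rec {
-activationScript = ''
-install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
-'';
-keys = [{
-dest = "webapps/tools-yourls";
-user = apache.user;
-group = apache.group;
-permissions = "0400";
-text = ''
-<?php
-define( 'YOURLS_DB_USER', '${env.mysql.user}' );
-define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
-define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
-define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
-define( 'YOURLS_DB_PREFIX', 'yourls_' );
-define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
-define( 'YOURLS_HOURS_OFFSET', 0 );
-define( 'YOURLS_LANG', ''' );
-define( 'YOURLS_UNIQUE_URLS', true );
-define( 'YOURLS_PRIVATE', true );
-define( 'YOURLS_COOKIEKEY', '${env.cookieKey}' );
-$yourls_user_passwords = array();
-define( 'YOURLS_DEBUG', false );
-define( 'YOURLS_URL_CONVERT', 36 );
-$yourls_reserved_URL = array();
-define( 'LDAPAUTH_HOST', 'ldaps://ldap.immae.eu' );
-define( 'LDAPAUTH_PORT', '636' );
-define( 'LDAPAUTH_BASE', 'dc=immae,dc=eu' );
-define( 'LDAPAUTH_SEARCH_USER', 'cn=yourls,ou=services,dc=immae,dc=eu' );
-define( 'LDAPAUTH_SEARCH_PASS', '${env.ldap.password}' );
-
-define( 'LDAPAUTH_GROUP_ATTR', 'memberof' );
-define( 'LDAPAUTH_GROUP_REQ', 'cn=admin,cn=yourls,ou=services,dc=immae,dc=eu');
-
-define( 'LDAPAUTH_USERCACHE_TYPE', 0);
-'';
-}];
-webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins
-(builtins.attrValues yourls-plugins);
-apache = rec {
-user = "wwwrun";
-group = "wwwrun";
-modules = [ "proxy_fcgi" ];
-webappName = "tools_yourls";
-root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
-Alias /url "${root}"
-<Directory "${root}">
-<FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-</FilesMatch>
-
-AllowOverride None
-Require all granted
-<IfModule mod_rewrite.c>
-RewriteEngine On
-RewriteBase /url/
-RewriteCond %{REQUEST_FILENAME} !-f
-RewriteCond %{REQUEST_FILENAME} !-d
-RewriteRule ^.*$ /url/yourls-loader.php [L]
-</IfModule>
-DirectoryIndex index.php
-</Directory>
-'';
-};
-phpFpm = rec {
-serviceDeps = [ "mysql.service" "openldap.service" ];
-basedir = builtins.concatStringsSep ":" (
-[ webRoot "/var/secrets/webapps/tools-yourls" ]
-++ webRoot.plugins);
-socket = "/var/run/phpfpm/yourls.sock";
-pool = ''
-listen = ${socket}
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = YourlsPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls"
-php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls"
-'';
-};
-}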