1 files changed, 16 insertions, 160 deletions
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 7dbca92..acd2cbd 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -4,44 +4,28 @@
    enableRollback = true;
  };
-  eldiron = { config, pkgs, ... }:
+  eldiron = { config, pkgs, mylibs, ... }:
-    with import ../libs.nix;
+    with mylibs;
    let
        mypkgs = pkgs.callPackage ./packages.nix {
          inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
        };
    in
  {
+    _module.args = {
+      mylibs = import ../libs.nix;
+    };
+    imports = [
+      ./modules/gitolite.nix
+      ./modules/gitweb.nix
+      ./modules/databases.nix
+    ];
+    services.myGitolite.enable = true;
+    services.myGitweb.enable = true;
+    services.myDatabases.enable = true;
    nixpkgs.config.packageOverrides = oldpkgs: rec {
-      gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
-        name = "gitolite-${version}";
-        version = "3.6.10";
-        src = pkgs.fetchFromGitHub {
-          owner = "sitaramc";
-          repo = "gitolite";
-          rev = "v${version}";
-          sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
-        };
-      });
-      gitweb = oldpkgs.gitweb.overrideAttrs(old: {
-        installPhase = old.installPhase + ''
-          cp -r ${./packages/gitweb} $out/gitweb-theme;
-          '';
-      });
-      postgresql = postgresql111;
-      postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
-        passthru = old.passthru // { psqlSchema = "11.0"; };
-        name = "postgresql-11.1";
-        src = pkgs.fetchurl {
-          url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
-          sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
-        };
-      });
-      mariadb = mariadbPAM;
-      mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
-        cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
-        buildInputs = old.buildInputs ++ [ pkgs.pam ];
-      });
      goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
        name = "goaccess-${version}";
        version = "1.3";
@@ -57,7 +41,7 @@
    networking = {
      firewall = {
        enable = true;
-        allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];
+        allowedTCPPorts = [ 22 80 443 9418 ];
      };
    };
@@ -116,7 +100,6 @@
        allowKeysForGroup = true;
        extraDomains = {
          "db-1.immae.eu" = null;
-          "git.immae.eu" = null;
          "tools.immae.eu" = null;
          "connexionswing.immae.eu" = null;
          "sandetludo.immae.eu" = null;
@@ -197,32 +180,6 @@
      AuthorizedKeysCommandUser nobody
      '';
-    users.users.wwwrun.extraGroups = [ "gitolite" ];
-    users.users.gitolite.packages = let
-      python-packages = python-packages: with python-packages; [
-        simplejson
-        urllib3
-      ];
-    in
-      [
-        (pkgs.python3.withPackages python-packages)
-      ];
-    # FIXME: after initial install, need to
-    # (1) copy rc file (adjust gitolite_ldap_groups.sh)
-    # (2) (mark old readonly and) sync repos except gitolite-admin
-    #     rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
-    #     chown -R gitolite:gitolite /var/lib/gitolite
-    # (3) push force the gitolite-admin to new location (from external point)
-    #     Don't use an existing key, it will take precedence over
-    #     gitolite-admin
-    # (4) su -u gitolite gitolite setup
-    services.gitolite = {
-      enable = true;
-      # FIXME: key from ./ssh
-      adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
-    };
    services.ympd = mypkgs.ympd.config // { enable = false; };
    services.phpfpm = {
@@ -288,29 +245,6 @@
        mkdir -p /run/redis
        chown redis /run/redis
        '';
-      gitolite =
-        assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
-        let
-        gitolite_ldap_groups = wrap {
-          name = "gitolite_ldap_groups.sh";
-          file = ./packages/gitolite_ldap_groups.sh;
-          vars = {
-            LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
-          };
-          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
-        };
-      in {
-        deps = [ "users" ];
-        text = ''
-          if [ -d /var/lib/gitolite ]; then
-            ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
-            chmod g+rx /var/lib/gitolite
-          fi
-          if [ -f /var/lib/gitolite/projects.list ]; then
-            chmod g+r /var/lib/gitolite/projects.list
-          fi
-        '';
-      };
      # FIXME: initial sync
      goaccess = ''
        mkdir -p /var/lib/goaccess
@@ -590,84 +524,6 @@
      ];
    };
-    security.pam.services = let
-      pam_ldap = pkgs.pam_ldap;
-      pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
-              pkgs.writeText "mysql.conf" ''
-        host ldap.immae.eu
-        base dc=immae,dc=eu
-        binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
-        pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
-        '';
-    in [
-      {
-        name = "mysql";
-        text = ''
-          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
-          auth    required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
-          '';
-      }
-    ];
-    # FIXME: backup
-    # Nextcloud: 14
-    services.redis = rec {
-      enable = true;
-      bind = "127.0.0.1";
-      unixSocket = "/run/redis/redis.sock";
-      extraConfig = ''
-        unixsocketperm 777
-        maxclients 1024
-        '';
-    };
-    # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: restart after pam
-    # FIXME: pam access doesn’t work (because of php module)
-    # FIXME: ssl
-    services.mysql = rec {
-      enable = true;
-      package = pkgs.mariadb;
-    };
-    # FIXME: initial sync
-    # FIXME: backup
-    # FIXME: ssl
-    services.postgresql = rec {
-      enable = true;
-      package = pkgs.postgresql;
-      enableTCPIP = true;
-      extraConfig = ''
-        max_connections = 100
-        wal_level = logical
-        shared_buffers = 128MB
-        max_wal_size = 1GB
-        min_wal_size = 80MB
-        log_timezone = 'Europe/Paris'
-        datestyle = 'iso, mdy'
-        timezone = 'Europe/Paris'
-        lc_messages = 'en_US.UTF-8'
-        lc_monetary = 'en_US.UTF-8'
-        lc_numeric = 'en_US.UTF-8'
-        lc_time = 'en_US.UTF-8'
-        default_text_search_config = 'pg_catalog.english'
-        # ssl = on
-        # ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
-        # ssl_key_file = '/var/lib/acme/eldiron/key.pem'
-        '';
-      authentication = ''
-        local   all     postgres                                ident
-        local   all     all                                     md5
-        host    all     all             samehost                md5
-        host    all     all             178.33.252.96/32        md5
-        host    all     all             188.165.209.148/32      md5
-        #host   all     all             all                     pam
-      '';
-    };
    services.cron = {
      enable = true;
      systemCronJobs = let

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix index 7dbca92..acd2cbd 100644 --- a/virtual/eldiron.nix +++ b/virtual/eldiron.nix
@@ -4,44 +4,28 @@
4	enableRollback = true;	4	enableRollback = true;
5	};	5	};
6		6
7	eldiron = { config, pkgs, ... }:	7	eldiron = { config, pkgs, mylibs, ... }:
8	with import ../libs.nix;	8	with mylibs;
9	let	9	let
10	mypkgs = pkgs.callPackage ./packages.nix {	10	mypkgs = pkgs.callPackage ./packages.nix {
11	inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;	11	inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
12	};	12	};
13	in	13	in
14	{	14	{
		15	_module.args = {
		16	mylibs = import ../libs.nix;
		17	};
		18
		19	imports = [
		20	./modules/gitolite.nix
		21	./modules/gitweb.nix
		22	./modules/databases.nix
		23	];
		24	services.myGitolite.enable = true;
		25	services.myGitweb.enable = true;
		26	services.myDatabases.enable = true;
		27
15	nixpkgs.config.packageOverrides = oldpkgs: rec {	28	nixpkgs.config.packageOverrides = oldpkgs: rec {
16	gitolite = oldpkgs.gitolite.overrideAttrs(old: rec {
17	name = "gitolite-${version}";
18	version = "3.6.10";
19	src = pkgs.fetchFromGitHub {
20	owner = "sitaramc";
21	repo = "gitolite";
22	rev = "v${version}";
23	sha256 = "0p2697mn6rwm03ndlv7q137zczai82n41aplq1g006ii7f12xy8h";
24	};
25	});
26	gitweb = oldpkgs.gitweb.overrideAttrs(old: {
27	installPhase = old.installPhase + ''
28	cp -r ${./packages/gitweb} $out/gitweb-theme;
29	'';
30	});
31	postgresql = postgresql111;
32	postgresql111 = oldpkgs.postgresql100.overrideAttrs(old: rec {
33	passthru = old.passthru // { psqlSchema = "11.0"; };
34	name = "postgresql-11.1";
35	src = pkgs.fetchurl {
36	url = "mirror://postgresql/source/v11.1/${name}.tar.bz2";
37	sha256 = "026v0sicsh7avzi45waf8shcbhivyxmi7qgn9fd1x0vl520mx0ch";
38	};
39	});
40	mariadb = mariadbPAM;
41	mariadbPAM = oldpkgs.mariadb.overrideAttrs(old: rec {
42	cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
43	buildInputs = old.buildInputs ++ [ pkgs.pam ];
44	});
45	goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {	29	goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
46	name = "goaccess-${version}";	30	name = "goaccess-${version}";
47	version = "1.3";	31	version = "1.3";
@@ -57,7 +41,7 @@
57	networking = {	41	networking = {
58	firewall = {	42	firewall = {
59	enable = true;	43	enable = true;
60	allowedTCPPorts = [ 22 80 443 3306 5432 9418 ];	44	allowedTCPPorts = [ 22 80 443 9418 ];
61	};	45	};
62	};	46	};
63		47
@@ -116,7 +100,6 @@
116	allowKeysForGroup = true;	100	allowKeysForGroup = true;
117	extraDomains = {	101	extraDomains = {
118	"db-1.immae.eu" = null;	102	"db-1.immae.eu" = null;
119	"git.immae.eu" = null;
120	"tools.immae.eu" = null;	103	"tools.immae.eu" = null;
121	"connexionswing.immae.eu" = null;	104	"connexionswing.immae.eu" = null;
122	"sandetludo.immae.eu" = null;	105	"sandetludo.immae.eu" = null;
@@ -197,32 +180,6 @@
197	AuthorizedKeysCommandUser nobody	180	AuthorizedKeysCommandUser nobody
198	'';	181	'';
199		182
200	users.users.wwwrun.extraGroups = [ "gitolite" ];
201
202	users.users.gitolite.packages = let
203	python-packages = python-packages: with python-packages; [
204	simplejson
205	urllib3
206	];
207	in
208	[
209	(pkgs.python3.withPackages python-packages)
210	];
211	# FIXME: after initial install, need to
212	# (1) copy rc file (adjust gitolite_ldap_groups.sh)
213	# (2) (mark old readonly and) sync repos except gitolite-admin
214	# rsync -av --exclude=gitolite-admin.git old:/var/lib/gitolite/repositories /var/lib/gitolite/
215	# chown -R gitolite:gitolite /var/lib/gitolite
216	# (3) push force the gitolite-admin to new location (from external point)
217	# Don't use an existing key, it will take precedence over
218	# gitolite-admin
219	# (4) su -u gitolite gitolite setup
220	services.gitolite = {
221	enable = true;
222	# FIXME: key from ./ssh
223	adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
224	};
225
226	services.ympd = mypkgs.ympd.config // { enable = false; };	183	services.ympd = mypkgs.ympd.config // { enable = false; };
227		184
228	services.phpfpm = {	185	services.phpfpm = {
@@ -288,29 +245,6 @@
288	mkdir -p /run/redis	245	mkdir -p /run/redis
289	chown redis /run/redis	246	chown redis /run/redis
290	'';	247	'';
291	gitolite =
292	assert checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
293	let
294	gitolite_ldap_groups = wrap {
295	name = "gitolite_ldap_groups.sh";
296	file = ./packages/gitolite_ldap_groups.sh;
297	vars = {
298	LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
299	};
300	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
301	};
302	in {
303	deps = [ "users" ];
304	text = ''
305	if [ -d /var/lib/gitolite ]; then
306	ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
307	chmod g+rx /var/lib/gitolite
308	fi
309	if [ -f /var/lib/gitolite/projects.list ]; then
310	chmod g+r /var/lib/gitolite/projects.list
311	fi
312	'';
313	};
314	# FIXME: initial sync	248	# FIXME: initial sync
315	goaccess = ''	249	goaccess = ''
316	mkdir -p /var/lib/goaccess	250	mkdir -p /var/lib/goaccess
@@ -590,84 +524,6 @@
590	];	524	];
591	};	525	};
592		526
593	security.pam.services = let
594	pam_ldap = pkgs.pam_ldap;
595	pam_ldap_mysql = assert checkEnv "NIXOPS_MYSQL_PAM_PASSWORD";
596	pkgs.writeText "mysql.conf" ''
597	host ldap.immae.eu
598	base dc=immae,dc=eu
599	binddn cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
600	bindpw ${builtins.getEnv "NIXOPS_MYSQL_PAM_PASSWORD"}
601	pam_filter memberOf=cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu
602	'';
603	in [
604	{
605	name = "mysql";
606	text = ''
607	# https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
608	auth required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
609	account required ${pam_ldap}/lib/security/pam_ldap.so config=${pam_ldap_mysql}
610	'';
611	}
612	];
613
614	# FIXME: backup
615	# Nextcloud: 14
616	services.redis = rec {
617	enable = true;
618	bind = "127.0.0.1";
619	unixSocket = "/run/redis/redis.sock";
620	extraConfig = ''
621	unixsocketperm 777
622	maxclients 1024
623	'';
624	};
625
626	# FIXME: initial sync
627	# FIXME: backup
628	# FIXME: restart after pam
629	# FIXME: pam access doesn’t work (because of php module)
630	# FIXME: ssl
631	services.mysql = rec {
632	enable = true;
633	package = pkgs.mariadb;
634	};
635
636	# FIXME: initial sync
637	# FIXME: backup
638	# FIXME: ssl
639	services.postgresql = rec {
640	enable = true;
641	package = pkgs.postgresql;
642	enableTCPIP = true;
643	extraConfig = ''
644	max_connections = 100
645	wal_level = logical
646	shared_buffers = 128MB
647	max_wal_size = 1GB
648	min_wal_size = 80MB
649	log_timezone = 'Europe/Paris'
650	datestyle = 'iso, mdy'
651	timezone = 'Europe/Paris'
652	lc_messages = 'en_US.UTF-8'
653	lc_monetary = 'en_US.UTF-8'
654	lc_numeric = 'en_US.UTF-8'
655	lc_time = 'en_US.UTF-8'
656	default_text_search_config = 'pg_catalog.english'
657	# ssl = on
658	# ssl_cert_file = '/var/lib/acme/eldiron/fullchain.pem'
659	# ssl_key_file = '/var/lib/acme/eldiron/key.pem'
660	'';
661	authentication = ''
662	local all postgres ident
663	local all all md5
664	host all all samehost md5
665	host all all 178.33.252.96/32 md5
666	host all all 188.165.209.148/32 md5
667	#host all all all pam
668	'';
669	};
670
671	services.cron = {	527	services.cron = {
672	enable = true;	528	enable = true;
673	systemCronJobs = let	529	systemCronJobs = let