From 79d2de8b83d765721b2cb720b2bc59673df54a4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Tue, 7 May 2019 15:07:00 +0200 Subject: Move directories with only default.nix to standalone file --- nixops/modules/websites/tools/cloud.nix | 189 ++++++++++++++++ nixops/modules/websites/tools/cloud/default.nix | 189 ---------------- nixops/modules/websites/tools/db.nix | 22 ++ nixops/modules/websites/tools/db/default.nix | 22 -- nixops/modules/websites/tools/diaspora.nix | 249 ++++++++++++++++++++ nixops/modules/websites/tools/diaspora/default.nix | 249 -------------------- nixops/modules/websites/tools/mastodon.nix | 249 ++++++++++++++++++++ nixops/modules/websites/tools/mastodon/default.nix | 249 -------------------- nixops/modules/websites/tools/mediagoblin.nix | 251 +++++++++++++++++++++ .../modules/websites/tools/mediagoblin/default.nix | 251 --------------------- 10 files changed, 960 insertions(+), 960 deletions(-) create mode 100644 nixops/modules/websites/tools/cloud.nix delete mode 100644 nixops/modules/websites/tools/cloud/default.nix create mode 100644 nixops/modules/websites/tools/db.nix delete mode 100644 nixops/modules/websites/tools/db/default.nix create mode 100644 nixops/modules/websites/tools/diaspora.nix delete mode 100644 nixops/modules/websites/tools/diaspora/default.nix create mode 100644 nixops/modules/websites/tools/mastodon.nix delete mode 100644 nixops/modules/websites/tools/mastodon/default.nix create mode 100644 nixops/modules/websites/tools/mediagoblin.nix delete mode 100644 nixops/modules/websites/tools/mediagoblin/default.nix (limited to 'nixops/modules/websites/tools') diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix new file mode 100644 index 0000000..a7fcd61 --- /dev/null +++ b/nixops/modules/websites/tools/cloud.nix 
@@ -0,0 +1,189 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps); + env = myconfig.env.tools.nextcloud; + varDir = "/var/lib/nextcloud"; + webappName = "tools_nextcloud"; + apacheRoot = "/run/current-system/webapps/${webappName}"; + cfg = config.services.myWebsites.tools.cloud; + phpFpm = rec { + basedir = builtins.concatStringsSep ":" ( + [ nextcloud varDir ] + ++ builtins.attrValues pkgs.webapps.nextcloud-apps); + socket = "/var/run/phpfpm/nextcloud.sock"; + phpConfig = '' + extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + zend_extension=${pkgs.php}/lib/php/extensions/opcache.so + ''; + pool = '' + listen = ${socket} + user = wwwrun + group = wwwrun + listen.owner = wwwrun + listen.group = wwwrun + pm = ondemand + pm.max_children = 60 + pm.process_idle_timeout = 60 + + php_admin_value[output_buffering] = 0 + php_admin_value[max_execution_time] = 1800 + php_admin_value[zend_extension] = "opcache" + ;already enabled by default? 
+ ;php_value[opcache.enable] = 1 + php_value[opcache.enable_cli] = 1 + php_value[opcache.interned_strings_buffer] = 8 + php_value[opcache.max_accelerated_files] = 10000 + php_value[opcache.memory_consumption] = 128 + php_value[opcache.save_comments] = 1 + php_value[opcache.revalidate_freq] = 1 + php_admin_value[memory_limit] = 512M + + php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" + php_admin_value[session.save_path] = "${varDir}/phpSessions" + ''; + }; +in { + options.services.myWebsites.tools.cloud = { + enable = lib.mkEnableOption "enable cloud website"; + }; + + config = lib.mkIf cfg.enable { + security.acme.certs."eldiron".extraDomains."cloud.immae.eu" = null; + + services.myWebsites.tools.modules = [ "proxy_fcgi" ]; + + services.myWebsites.tools.vhostConfs.cloud = { + certName = "eldiron"; + hosts = ["cloud.immae.eu" ]; + root = apacheRoot; + extraConfig = [ + '' + SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 + + AcceptPathInfo On + DirectoryIndex index.php + Options FollowSymlinks + Require all granted + AllowOverride all + + + Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" + + + CGIPassAuth on + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + + '' + ]; + }; + + mySecrets.keys = [{ + dest = "webapps/tools-nextcloud"; + user = "wwwrun"; + group = "wwwrun"; + permissions = "0600"; + text = '' + '${env.instance_id}1', + 'datadirectory' => '/var/lib/nextcloud/', + 'passwordsalt' => '${env.password_salt}', + 'debug' => false, + 'dbtype' => 'pgsql', + 'version' => '16.0.0.9', + 'dbname' => '${env.postgresql.database}', + 'dbhost' => '${env.postgresql.socket}', + 'dbtableprefix' => 'oc_', + 'dbuser' => '${env.postgresql.user}', + 'dbpassword' => '${env.postgresql.password}', + 'installed' => true, + 'maxZipInputSize' => 0, + 'allowZipDownload' => true, + 'forcessl' => true, + 'theme' => ${"''"}, + 'maintenance' => false, + 
'trusted_domains' => + array ( + 0 => 'cloud.immae.eu', + ), + 'secret' => '${env.secret}', + 'appstoreenabled' => false, + 'appstore.experimental.enabled' => true, + 'loglevel' => 2, + 'trashbin_retention_obligation' => 'auto', + 'htaccess.RewriteBase' => '/', + 'mail_smtpmode' => 'sendmail', + 'mail_smtphost' => '127.0.0.1', + 'mail_smtpname' => ''', + 'mail_smtppassword' => ''', + 'mail_from_address' => 'nextcloud', + 'mail_smtpauth' => false, + 'mail_domain' => 'tools.immae.eu', + 'memcache.local' => '\\OC\\Memcache\\APCu', + 'memcache.locking' => '\\OC\\Memcache\\Redis', + 'filelocking.enabled' => true, + 'redis' => + array ( + 'host' => '${env.redis.socket}', + 'port' => 0, + 'dbindex' => ${env.redis.db_index}, + ), + 'overwrite.cli.url' => 'https://cloud.immae.eu', + 'ldapIgnoreNamingRules' => false, + 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', + 'has_rebuilt_cache' => true, + ); + ''; + }]; + users.users.root.packages = let + occ = pkgs.writeScriptBin "nextcloud-occ" '' + #! 
${pkgs.stdenv.shell} + cd ${nextcloud} + NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \ + exec \ + sudo -u wwwrun ${pkgs.php}/bin/php \ + -c ${pkgs.php}/etc/php.ini \ + occ $* + ''; + in [ occ ]; + + system.activationScripts.nextcloud = { + deps = [ "secrets" ]; + text = let + confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig; + in + '' + install -m 0755 -o wwwrun -g wwwrun -d ${varDir} + install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions + ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: + "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json" + ) confs)} + install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php + ''; + }; + # FIXME: add a warning when config.php changes + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${nextcloud} $out/webapps/${webappName} + ''; + + services.myPhpfpm = { + poolPhpConfigs.nextcloud = phpFpm.phpConfig; + poolConfigs.nextcloud = phpFpm.pool; + }; + + services.cron = { + enable = true; + systemCronJobs = [ + '' + LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive + */15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php + '' + ]; + }; + }; +} diff --git a/nixops/modules/websites/tools/cloud/default.nix b/nixops/modules/websites/tools/cloud/default.nix deleted file mode 100644 index a7fcd61..0000000 --- a/nixops/modules/websites/tools/cloud/default.nix +++ /dev/null 
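Review bot: The `nextcloud-occ` wrapper forwards its arguments with `occ $*`, which re-splits any argument containing whitespace or glob characters before it reaches `sudo -u wwwrun ... php`; the line should read `occ "$@"`. This wrapper is installed into `users.users.root.packages`, so it is the administrative entry point for the instance and the one place where argument integrity matters most. On the same hunk, `open_basedir` grants `/tmp` to the pool; if the upload and session paths are already covered by `${varDir}`, a dedicated per-pool temp directory would keep PHP from reading other users' files in `/tmp`, but that depends on what the Nextcloud apps need and should be confirmed first.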
@@ -1,189 +0,0 @@ -{ lib, pkgs, config, myconfig, mylibs, ... }: -let - nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps); - env = myconfig.env.tools.nextcloud; - varDir = "/var/lib/nextcloud"; - webappName = "tools_nextcloud"; - apacheRoot = "/run/current-system/webapps/${webappName}"; - cfg = config.services.myWebsites.tools.cloud; - phpFpm = rec { - basedir = builtins.concatStringsSep ":" ( - [ nextcloud varDir ] - ++ builtins.attrValues pkgs.webapps.nextcloud-apps); - socket = "/var/run/phpfpm/nextcloud.sock"; - phpConfig = '' - extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so - extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so - zend_extension=${pkgs.php}/lib/php/extensions/opcache.so - ''; - pool = '' - listen = ${socket} - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 - - php_admin_value[output_buffering] = 0 - php_admin_value[max_execution_time] = 1800 - php_admin_value[zend_extension] = "opcache" - ;already enabled by default? 
- ;php_value[opcache.enable] = 1 - php_value[opcache.enable_cli] = 1 - php_value[opcache.interned_strings_buffer] = 8 - php_value[opcache.max_accelerated_files] = 10000 - php_value[opcache.memory_consumption] = 128 - php_value[opcache.save_comments] = 1 - php_value[opcache.revalidate_freq] = 1 - php_admin_value[memory_limit] = 512M - - php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; - }; -in { - options.services.myWebsites.tools.cloud = { - enable = lib.mkEnableOption "enable cloud website"; - }; - - config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."cloud.immae.eu" = null; - - services.myWebsites.tools.modules = [ "proxy_fcgi" ]; - - services.myWebsites.tools.vhostConfs.cloud = { - certName = "eldiron"; - hosts = ["cloud.immae.eu" ]; - root = apacheRoot; - extraConfig = [ - '' - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - - AcceptPathInfo On - DirectoryIndex index.php - Options FollowSymlinks - Require all granted - AllowOverride all - - - Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" - - - CGIPassAuth on - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" - - - - '' - ]; - }; - - mySecrets.keys = [{ - dest = "webapps/tools-nextcloud"; - user = "wwwrun"; - group = "wwwrun"; - permissions = "0600"; - text = '' - '${env.instance_id}1', - 'datadirectory' => '/var/lib/nextcloud/', - 'passwordsalt' => '${env.password_salt}', - 'debug' => false, - 'dbtype' => 'pgsql', - 'version' => '16.0.0.9', - 'dbname' => '${env.postgresql.database}', - 'dbhost' => '${env.postgresql.socket}', - 'dbtableprefix' => 'oc_', - 'dbuser' => '${env.postgresql.user}', - 'dbpassword' => '${env.postgresql.password}', - 'installed' => true, - 'maxZipInputSize' => 0, - 'allowZipDownload' => true, - 'forcessl' => true, - 'theme' => ${"''"}, - 'maintenance' => false, - 
'trusted_domains' => - array ( - 0 => 'cloud.immae.eu', - ), - 'secret' => '${env.secret}', - 'appstoreenabled' => false, - 'appstore.experimental.enabled' => true, - 'loglevel' => 2, - 'trashbin_retention_obligation' => 'auto', - 'htaccess.RewriteBase' => '/', - 'mail_smtpmode' => 'sendmail', - 'mail_smtphost' => '127.0.0.1', - 'mail_smtpname' => ''', - 'mail_smtppassword' => ''', - 'mail_from_address' => 'nextcloud', - 'mail_smtpauth' => false, - 'mail_domain' => 'tools.immae.eu', - 'memcache.local' => '\\OC\\Memcache\\APCu', - 'memcache.locking' => '\\OC\\Memcache\\Redis', - 'filelocking.enabled' => true, - 'redis' => - array ( - 'host' => '${env.redis.socket}', - 'port' => 0, - 'dbindex' => ${env.redis.db_index}, - ), - 'overwrite.cli.url' => 'https://cloud.immae.eu', - 'ldapIgnoreNamingRules' => false, - 'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory', - 'has_rebuilt_cache' => true, - ); - ''; - }]; - users.users.root.packages = let - occ = pkgs.writeScriptBin "nextcloud-occ" '' - #! 
${pkgs.stdenv.shell} - cd ${nextcloud} - NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \ - exec \ - sudo -u wwwrun ${pkgs.php}/bin/php \ - -c ${pkgs.php}/etc/php.ini \ - occ $* - ''; - in [ occ ]; - - system.activationScripts.nextcloud = { - deps = [ "secrets" ]; - text = let - confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig; - in - '' - install -m 0755 -o wwwrun -g wwwrun -d ${varDir} - install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions - ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: - "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json" - ) confs)} - install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php - ''; - }; - # FIXME: add a warning when config.php changes - system.extraSystemBuilderCmds = '' - mkdir -p $out/webapps - ln -s ${nextcloud} $out/webapps/${webappName} - ''; - - services.myPhpfpm = { - poolPhpConfigs.nextcloud = phpFpm.phpConfig; - poolConfigs.nextcloud = phpFpm.pool; - }; - - services.cron = { - enable = true; - systemCronJobs = [ - '' - LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive - */15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php - '' - ]; - }; - }; -} diff --git a/nixops/modules/websites/tools/db.nix b/nixops/modules/websites/tools/db.nix new file mode 100644 index 0000000..6957e30 --- /dev/null +++ b/nixops/modules/websites/tools/db.nix 
@@ -0,0 +1,22 @@ +{ lib, pkgs, config, mylibs, ... }: +let + adminer = pkgs.callPackage ../commons/adminer.nix {}; + + cfg = config.services.myWebsites.tools.databases; +in { + options.services.myWebsites.tools.databases = { + enable = lib.mkEnableOption "enable database's website"; + }; + + config = lib.mkIf cfg.enable { + security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null; + + services.myWebsites.tools.modules = adminer.apache.modules; + services.myWebsites.tools.vhostConfs.db-1 = { + certName = "eldiron"; + hosts = ["db-1.immae.eu" ]; + root = null; + extraConfig = [ adminer.apache.vhostConf ]; + }; + }; +} diff --git a/nixops/modules/websites/tools/db/default.nix b/nixops/modules/websites/tools/db/default.nix deleted file mode 100644 index 2a82bd6..0000000 --- a/nixops/modules/websites/tools/db/default.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ lib, pkgs, config, mylibs, ... }: -let - adminer = pkgs.callPackage ../../commons/adminer.nix {}; - - cfg = config.services.myWebsites.tools.databases; -in { - options.services.myWebsites.tools.databases = { - enable = lib.mkEnableOption "enable database's website"; - }; - - config = lib.mkIf cfg.enable { - security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null; - - services.myWebsites.tools.modules = adminer.apache.modules; - services.myWebsites.tools.vhostConfs.db-1 = { - certName = "eldiron"; - hosts = ["db-1.immae.eu" ]; - root = null; - extraConfig = [ adminer.apache.vhostConf ]; - }; - }; -} diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix new file mode 100644 index 0000000..53989b7 --- /dev/null +++ b/nixops/modules/websites/tools/diaspora.nix 
@@ -0,0 +1,249 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + varDir = "/var/lib/diaspora_immae"; + + diaspora = pkgs.webapps.diaspora.override { + ldap = true; + inherit varDir; + podmin_email = "diaspora@tools.immae.eu"; + config_dir = "/var/secrets/webapps/diaspora"; + }; + + railsSocket = "${socketsDir}/diaspora.sock"; + socketsDir = "/run/diaspora"; + env = myconfig.env.tools.diaspora; + root = "/run/current-system/webapps/tools_diaspora"; + cfg = config.services.myWebsites.tools.diaspora; +in { + options.services.myWebsites.tools.diaspora = { + enable = lib.mkEnableOption "enable diaspora's website"; + }; + + config = lib.mkIf cfg.enable { + ids.uids.diaspora = env.user.uid; + ids.gids.diaspora = env.user.gid; + + users.users.diaspora = { + name = "diaspora"; + uid = config.ids.uids.diaspora; + group = "diaspora"; + description = "Diaspora user"; + home = varDir; + useDefaultShell = true; + packages = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby ]; + extraGroups = [ "keys" ]; + }; + + users.groups.diaspora.gid = config.ids.gids.diaspora; + mySecrets.keys = [ + { + dest = "webapps/diaspora/diaspora.yml"; + user = "diaspora"; + group = "diaspora"; + permissions = "0400"; + text = '' + configuration: + environment: + url: "https://diaspora.immae.eu/" + certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt' + redis: '${env.redis_url}' + sidekiq: + s3: + assets: + logging: + logrotate: + debug: + server: + listen: '${socketsDir}/diaspora.sock' + rails_environment: 'production' + chat: + server: + bosh: + log: + map: + mapbox: + privacy: + piwik: + statistics: + camo: + settings: + enable_registrations: false + welcome_message: + invitations: + open: false + paypal_donations: + community_spotlight: + captcha: + enable: false + terms: + maintenance: + remove_old_users: + default_metas: + csp: + services: + twitter: + tumblr: + wordpress: + mail: + enable: true + sender_address: 'diaspora@tools.immae.eu' + method: 'sendmail' + smtp: + 
sendmail: + location: '/run/wrappers/bin/sendmail' + admins: + account: "ismael" + podmin_email: 'diaspora@tools.immae.eu' + relay: + outbound: + inbound: + ldap: + enable: true + host: ldap.immae.eu + port: 636 + only_ldap: true + mail_attribute: mail + skip_email_confirmation: true + use_bind_dn: true + bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu" + bind_pw: "${env.ldap.password}" + search_base: "dc=immae,dc=eu" + search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))" + production: + environment: + development: + environment: + ''; + } + { + dest = "webapps/diaspora/database.yml"; + user = "diaspora"; + group = "diaspora"; + permissions = "0400"; + text = '' + postgresql: &postgresql + adapter: postgresql + host: "${env.postgresql.socket}" + port: "${env.postgresql.port}" + username: "${env.postgresql.user}" + password: "${env.postgresql.password}" + encoding: unicode + common: &common + <<: *postgresql + combined: &combined + <<: *common + development: + <<: *combined + database: diaspora_development + production: + <<: *combined + database: ${env.postgresql.database} + test: + <<: *combined + database: "diaspora_test" + integration1: + <<: *combined + database: diaspora_integration1 + integration2: + <<: *combined + database: diaspora_integration2 + ''; + } + { + dest = "webapps/diaspora/secret_token.rb"; + user = "diaspora"; + group = "diaspora"; + permissions = "0400"; + text = '' + Diaspora::Application.config.secret_key_base = '${env.secret_token}' + ''; + } + ]; + + systemd.services.diaspora = { + description = "Diaspora"; + wantedBy = [ "multi-user.target" ]; + after = [ + "network.target" "redis.service" "postgresql.service" + ]; + wants = [ + "redis.service" "postgresql.service" + ]; + + environment.RAILS_ENV = "production"; + environment.BUNDLE_PATH = "${diaspora.gems}/${diaspora.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${diaspora.gems.confFiles}/Gemfile"; + environment.EYE_SOCK = 
"${socketsDir}/eye.sock"; + environment.EYE_PID = "${socketsDir}/eye.pid"; + + path = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby pkgs.curl pkgs.which pkgs.gawk ]; + + preStart = '' + ./bin/bundle exec rails db:migrate + ''; + + script = '' + exec ${diaspora}/script/server + ''; + + serviceConfig = { + User = "diaspora"; + PrivateTmp = true; + Restart = "always"; + Type = "simple"; + WorkingDirectory = diaspora; + StandardInput = "null"; + KillMode = "control-group"; + }; + + unitConfig.RequiresMountsFor = varDir; + }; + + system.activationScripts.diaspora = { + deps = [ "users" ]; + text = '' + install -m 0755 -o diaspora -g diaspora -d ${socketsDir} + install -m 0755 -o diaspora -g diaspora -d ${varDir} \ + ${varDir}/uploads ${varDir}/tmp \ + ${varDir}/log + install -m 0700 -o diaspora -g diaspora -d ${varDir}/tmp/pids + if [ ! -f ${varDir}/schedule.yml ]; then + echo "{}" | $wrapperDir/sudo -u diaspora tee ${varDir}/schedule.yml + fi + ''; + }; + + services.myWebsites.tools.modules = [ + "headers" "proxy" "proxy_http" + ]; + security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${diaspora}/public/ $out/webapps/tools_diaspora + ''; + services.myWebsites.tools.vhostConfs.diaspora = { + certName = "eldiron"; + hosts = [ "diaspora.immae.eu" ]; + root = root; + extraConfig = [ '' + RewriteEngine On + RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f + RewriteRule ^/(.*)$ unix://${railsSocket}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L] + + ProxyRequests Off + ProxyVia On + ProxyPreserveHost On + RequestHeader set X_FORWARDED_PROTO https + + + Require all granted + + + + Require all granted + Options -MultiViews + + '' ]; + }; + }; +} diff --git a/nixops/modules/websites/tools/diaspora/default.nix b/nixops/modules/websites/tools/diaspora/default.nix deleted file mode 100644 index 53989b7..0000000 --- a/nixops/modules/websites/tools/diaspora/default.nix +++ /dev/null 
@@ -1,249 +0,0 @@ -{ lib, pkgs, config, myconfig, mylibs, ... }: -let - varDir = "/var/lib/diaspora_immae"; - - diaspora = pkgs.webapps.diaspora.override { - ldap = true; - inherit varDir; - podmin_email = "diaspora@tools.immae.eu"; - config_dir = "/var/secrets/webapps/diaspora"; - }; - - railsSocket = "${socketsDir}/diaspora.sock"; - socketsDir = "/run/diaspora"; - env = myconfig.env.tools.diaspora; - root = "/run/current-system/webapps/tools_diaspora"; - cfg = config.services.myWebsites.tools.diaspora; -in { - options.services.myWebsites.tools.diaspora = { - enable = lib.mkEnableOption "enable diaspora's website"; - }; - - config = lib.mkIf cfg.enable { - ids.uids.diaspora = env.user.uid; - ids.gids.diaspora = env.user.gid; - - users.users.diaspora = { - name = "diaspora"; - uid = config.ids.uids.diaspora; - group = "diaspora"; - description = "Diaspora user"; - home = varDir; - useDefaultShell = true; - packages = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby ]; - extraGroups = [ "keys" ]; - }; - - users.groups.diaspora.gid = config.ids.gids.diaspora; - mySecrets.keys = [ - { - dest = "webapps/diaspora/diaspora.yml"; - user = "diaspora"; - group = "diaspora"; - permissions = "0400"; - text = '' - configuration: - environment: - url: "https://diaspora.immae.eu/" - certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt' - redis: '${env.redis_url}' - sidekiq: - s3: - assets: - logging: - logrotate: - debug: - server: - listen: '${socketsDir}/diaspora.sock' - rails_environment: 'production' - chat: - server: - bosh: - log: - map: - mapbox: - privacy: - piwik: - statistics: - camo: - settings: - enable_registrations: false - welcome_message: - invitations: - open: false - paypal_donations: - community_spotlight: - captcha: - enable: false - terms: - maintenance: - remove_old_users: - default_metas: - csp: - services: - twitter: - tumblr: - wordpress: - mail: - enable: true - sender_address: 'diaspora@tools.immae.eu' - method: 'sendmail' - smtp: - 
sendmail: - location: '/run/wrappers/bin/sendmail' - admins: - account: "ismael" - podmin_email: 'diaspora@tools.immae.eu' - relay: - outbound: - inbound: - ldap: - enable: true - host: ldap.immae.eu - port: 636 - only_ldap: true - mail_attribute: mail - skip_email_confirmation: true - use_bind_dn: true - bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu" - bind_pw: "${env.ldap.password}" - search_base: "dc=immae,dc=eu" - search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))" - production: - environment: - development: - environment: - ''; - } - { - dest = "webapps/diaspora/database.yml"; - user = "diaspora"; - group = "diaspora"; - permissions = "0400"; - text = '' - postgresql: &postgresql - adapter: postgresql - host: "${env.postgresql.socket}" - port: "${env.postgresql.port}" - username: "${env.postgresql.user}" - password: "${env.postgresql.password}" - encoding: unicode - common: &common - <<: *postgresql - combined: &combined - <<: *common - development: - <<: *combined - database: diaspora_development - production: - <<: *combined - database: ${env.postgresql.database} - test: - <<: *combined - database: "diaspora_test" - integration1: - <<: *combined - database: diaspora_integration1 - integration2: - <<: *combined - database: diaspora_integration2 - ''; - } - { - dest = "webapps/diaspora/secret_token.rb"; - user = "diaspora"; - group = "diaspora"; - permissions = "0400"; - text = '' - Diaspora::Application.config.secret_key_base = '${env.secret_token}' - ''; - } - ]; - - systemd.services.diaspora = { - description = "Diaspora"; - wantedBy = [ "multi-user.target" ]; - after = [ - "network.target" "redis.service" "postgresql.service" - ]; - wants = [ - "redis.service" "postgresql.service" - ]; - - environment.RAILS_ENV = "production"; - environment.BUNDLE_PATH = "${diaspora.gems}/${diaspora.gems.ruby.gemPath}"; - environment.BUNDLE_GEMFILE = "${diaspora.gems.confFiles}/Gemfile"; - environment.EYE_SOCK = 
"${socketsDir}/eye.sock"; - environment.EYE_PID = "${socketsDir}/eye.pid"; - - path = [ diaspora.gems pkgs.nodejs diaspora.gems.ruby pkgs.curl pkgs.which pkgs.gawk ]; - - preStart = '' - ./bin/bundle exec rails db:migrate - ''; - - script = '' - exec ${diaspora}/script/server - ''; - - serviceConfig = { - User = "diaspora"; - PrivateTmp = true; - Restart = "always"; - Type = "simple"; - WorkingDirectory = diaspora; - StandardInput = "null"; - KillMode = "control-group"; - }; - - unitConfig.RequiresMountsFor = varDir; - }; - - system.activationScripts.diaspora = { - deps = [ "users" ]; - text = '' - install -m 0755 -o diaspora -g diaspora -d ${socketsDir} - install -m 0755 -o diaspora -g diaspora -d ${varDir} \ - ${varDir}/uploads ${varDir}/tmp \ - ${varDir}/log - install -m 0700 -o diaspora -g diaspora -d ${varDir}/tmp/pids - if [ ! -f ${varDir}/schedule.yml ]; then - echo "{}" | $wrapperDir/sudo -u diaspora tee ${varDir}/schedule.yml - fi - ''; - }; - - services.myWebsites.tools.modules = [ - "headers" "proxy" "proxy_http" - ]; - security.acme.certs."eldiron".extraDomains."diaspora.immae.eu" = null; - system.extraSystemBuilderCmds = '' - mkdir -p $out/webapps - ln -s ${diaspora}/public/ $out/webapps/tools_diaspora - ''; - services.myWebsites.tools.vhostConfs.diaspora = { - certName = "eldiron"; - hosts = [ "diaspora.immae.eu" ]; - root = root; - extraConfig = [ '' - RewriteEngine On - RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f - RewriteRule ^/(.*)$ unix://${railsSocket}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L] - - ProxyRequests Off - ProxyVia On - ProxyPreserveHost On - RequestHeader set X_FORWARDED_PROTO https - - - Require all granted - - - - Require all granted - Options -MultiViews - - '' ]; - }; - }; -} diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix new file mode 100644 index 0000000..3279cf8 --- /dev/null +++ b/nixops/modules/websites/tools/mastodon.nix 
@@ -0,0 +1,249 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + varDir = "/var/lib/mastodon_immae"; + socketsDir = "/run/mastodon"; + nodeSocket = "${socketsDir}/live_immae_node.sock"; + railsSocket = "${socketsDir}/live_immae_puma.sock"; + + mastodon = pkgs.webapps.mastodon.override { inherit varDir; }; + + env = myconfig.env.tools.mastodon; + root = "/run/current-system/webapps/tools_mastodon"; + cfg = config.services.myWebsites.tools.mastodon; +in { + options.services.myWebsites.tools.mastodon = { + enable = lib.mkEnableOption "enable mastodon's website"; + }; + + config = lib.mkIf cfg.enable { + mySecrets.keys = [{ + dest = "webapps/tools-mastodon"; + user = "mastodon"; + group = "mastodon"; + permissions = "0400"; + text = '' + REDIS_HOST=${env.redis.host} + REDIS_PORT=${env.redis.port} + REDIS_DB=${env.redis.db} + DB_HOST=${env.postgresql.socket} + DB_USER=${env.postgresql.user} + DB_NAME=${env.postgresql.database} + DB_PASS=${env.postgresql.password} + DB_PORT=${env.postgresql.port} + + LOCAL_DOMAIN=mastodon.immae.eu + LOCAL_HTTPS=true + ALTERNATE_DOMAINS=immae.eu + + PAPERCLIP_SECRET=${env.paperclip_secret} + SECRET_KEY_BASE=${env.secret_key_base} + OTP_SECRET=${env.otp_secret} + + VAPID_PRIVATE_KEY=${env.vapid.private} + VAPID_PUBLIC_KEY=${env.vapid.public} + + SMTP_DELIVERY_METHOD=sendmail + SMTP_FROM_ADDRESS=mastodon@tools.immae.eu + SENDMAIL_LOCATION="/run/wrappers/bin/sendmail" + PAPERCLIP_ROOT_PATH=${varDir} + + STREAMING_CLUSTER_NUM=1 + + RAILS_LOG_LEVEL=warn + + # LDAP authentication (optional) + LDAP_ENABLED=true + LDAP_HOST=ldap.immae.eu + LDAP_PORT=636 + LDAP_METHOD=simple_tls + LDAP_BASE="dc=immae,dc=eu" + LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" + LDAP_PASSWORD="${env.ldap.password}" + LDAP_UID="uid" + LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" + ''; + }]; + ids.uids.mastodon = env.user.uid; + ids.gids.mastodon = env.user.gid; + + users.users.mastodon = { + name = 
"mastodon"; + uid = config.ids.uids.mastodon; + group = "mastodon"; + description = "Mastodon user"; + home = varDir; + useDefaultShell = true; + }; + + users.groups.mastodon.gid = config.ids.gids.mastodon; + + systemd.services.mastodon-streaming = { + description = "Mastodon Streaming"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mastodon-web.service" ]; + + environment.NODE_ENV = "production"; + environment.SOCKET = nodeSocket; + + path = [ pkgs.nodejs pkgs.bashInteractive ]; + + script = '' + exec npm run start + ''; + + postStart = '' + while [ ! -S $SOCKET ]; do + sleep 0.5 + done + chmod a+w $SOCKET + ''; + + postStop = '' + rm $SOCKET + ''; + + serviceConfig = { + User = "mastodon"; + EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 15; + Type = "simple"; + WorkingDirectory = mastodon; + }; + + unitConfig.RequiresMountsFor = varDir; + }; + + systemd.services.mastodon-web = { + description = "Mastodon Web app"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment.RAILS_ENV = "production"; + environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile"; + environment.SOCKET = railsSocket; + + path = [ mastodon.gems mastodon.gems.ruby pkgs.file ]; + + preStart = '' + ./bin/bundle exec rails db:migrate + ''; + + script = '' + exec ./bin/bundle exec puma -C config/puma.rb + ''; + + serviceConfig = { + User = "mastodon"; + EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 60; + Type = "simple"; + WorkingDirectory = mastodon; + }; + + unitConfig.RequiresMountsFor = varDir; + }; + + systemd.services.mastodon-sidekiq = { + description = "Mastodon Sidekiq"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mastodon-web.service" ]; + + environment.RAILS_ENV="production"; + 
environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}"; + environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile"; + environment.DB_POOL="5"; + + path = [ mastodon.gems mastodon.gems.ruby pkgs.imagemagick pkgs.ffmpeg pkgs.file ]; + + script = '' + exec ./bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push + ''; + + serviceConfig = { + User = "mastodon"; + EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 15; + Type = "simple"; + WorkingDirectory = mastodon; + }; + + unitConfig.RequiresMountsFor = varDir; + }; + + system.activationScripts.mastodon = { + deps = [ "users" ]; + text = '' + install -m 0755 -o mastodon -g mastodon -d ${socketsDir} + install -m 0755 -o mastodon -g mastodon -d ${varDir} ${varDir}/tmp/cache + ''; + }; + + services.myWebsites.tools.modules = [ + "headers" "proxy" "proxy_wstunnel" "proxy_http" + ]; + security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null; + system.extraSystemBuilderCmds = '' + mkdir -p $out/webapps + ln -s ${mastodon}/public/ $out/webapps/tools_mastodon + ''; + services.myWebsites.tools.vhostConfs.mastodon = { + certName = "eldiron"; + hosts = ["mastodon.immae.eu" ]; + root = root; + extraConfig = [ '' + Header always set Referrer-Policy "strict-origin-when-cross-origin" + Header always set Strict-Transport-Security "max-age=31536000" + + + Header always set Cache-Control "public, max-age=31536000, immutable" + Require all granted + + + ProxyPreserveHost On + RequestHeader set X-Forwarded-Proto "https" + + RewriteEngine On + + ProxyPass /500.html ! + ProxyPass /sw.js ! + ProxyPass /embed.js ! + ProxyPass /robots.txt ! + ProxyPass /manifest.json ! + ProxyPass /browserconfig.xml ! + ProxyPass /mask-icon.svg ! + ProxyPassMatch ^(/.*\.(png|ico|gif)$) ! + ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) ! 
+ + RewriteRule ^/api/v1/streaming/(.+)$ unix://${nodeSocket}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L] + RewriteRule ^/api/v1/streaming/$ unix://${nodeSocket}|ws://mastodon.immae.eu/ [P,NE,QSA,L] + ProxyPass / unix://${railsSocket}|http://mastodon.immae.eu/ + ProxyPassReverse / unix://${railsSocket}|http://mastodon.immae.eu/ + + Alias /system ${varDir} + + + Require all granted + Options -MultiViews + + + + Require all granted + Options -MultiViews +FollowSymlinks + + + ErrorDocument 500 /500.html + ErrorDocument 501 /500.html + ErrorDocument 502 /500.html + ErrorDocument 503 /500.html + ErrorDocument 504 /500.html + '' ]; + }; + }; +} diff --git a/nixops/modules/websites/tools/mastodon/default.nix b/nixops/modules/websites/tools/mastodon/default.nix deleted file mode 100644 index 3279cf8..0000000 --- a/nixops/modules/websites/tools/mastodon/default.nix +++ /dev/null 
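Review bot: `postStart` of `mastodon-streaming` runs `chmod a+w $SOCKET`, making the streaming socket connectable by every local account, while the only intended client is the web server that proxies `/api/v1/streaming/` to `${nodeSocket}` further down in this file. A least-privilege alternative is to add the web server user (`wwwrun` elsewhere in this commit, presumably) to the `mastodon` group and use `chmod g+w $SOCKET`, with `${socketsDir}` created `0750` instead of `0755` in `system.activationScripts.mastodon`. The `postStop` `rm $SOCKET` is unconditional and will fail the stop job if the socket was never created (for example when `npm run start` exits before binding); `rm -f $SOCKET` avoids that. The same `0755` socket directory pattern appears in the diaspora hunk above.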
@@ -1,249 +0,0 @@ -{ lib, pkgs, config, myconfig, mylibs, ... }: -let - varDir = "/var/lib/mastodon_immae"; - socketsDir = "/run/mastodon"; - nodeSocket = "${socketsDir}/live_immae_node.sock"; - railsSocket = "${socketsDir}/live_immae_puma.sock"; - - mastodon = pkgs.webapps.mastodon.override { inherit varDir; }; - - env = myconfig.env.tools.mastodon; - root = "/run/current-system/webapps/tools_mastodon"; - cfg = config.services.myWebsites.tools.mastodon; -in { - options.services.myWebsites.tools.mastodon = { - enable = lib.mkEnableOption "enable mastodon's website"; - }; - - config = lib.mkIf cfg.enable { - mySecrets.keys = [{ - dest = "webapps/tools-mastodon"; - user = "mastodon"; - group = "mastodon"; - permissions = "0400"; - text = '' - REDIS_HOST=${env.redis.host} - REDIS_PORT=${env.redis.port} - REDIS_DB=${env.redis.db} - DB_HOST=${env.postgresql.socket} - DB_USER=${env.postgresql.user} - DB_NAME=${env.postgresql.database} - DB_PASS=${env.postgresql.password} - DB_PORT=${env.postgresql.port} - - LOCAL_DOMAIN=mastodon.immae.eu - LOCAL_HTTPS=true - ALTERNATE_DOMAINS=immae.eu - - PAPERCLIP_SECRET=${env.paperclip_secret} - SECRET_KEY_BASE=${env.secret_key_base} - OTP_SECRET=${env.otp_secret} - - VAPID_PRIVATE_KEY=${env.vapid.private} - VAPID_PUBLIC_KEY=${env.vapid.public} - - SMTP_DELIVERY_METHOD=sendmail - SMTP_FROM_ADDRESS=mastodon@tools.immae.eu - SENDMAIL_LOCATION="/run/wrappers/bin/sendmail" - PAPERCLIP_ROOT_PATH=${varDir} - - STREAMING_CLUSTER_NUM=1 - - RAILS_LOG_LEVEL=warn - - # LDAP authentication (optional) - LDAP_ENABLED=true - LDAP_HOST=ldap.immae.eu - LDAP_PORT=636 - LDAP_METHOD=simple_tls - LDAP_BASE="dc=immae,dc=eu" - LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu" - LDAP_PASSWORD="${env.ldap.password}" - LDAP_UID="uid" - LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))" - ''; - }]; - ids.uids.mastodon = env.user.uid; - ids.gids.mastodon = env.user.gid; - - users.users.mastodon = { - name = 
"mastodon"; - uid = config.ids.uids.mastodon; - group = "mastodon"; - description = "Mastodon user"; - home = varDir; - useDefaultShell = true; - }; - - users.groups.mastodon.gid = config.ids.gids.mastodon; - - systemd.services.mastodon-streaming = { - description = "Mastodon Streaming"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "mastodon-web.service" ]; - - environment.NODE_ENV = "production"; - environment.SOCKET = nodeSocket; - - path = [ pkgs.nodejs pkgs.bashInteractive ]; - - script = '' - exec npm run start - ''; - - postStart = '' - while [ ! -S $SOCKET ]; do - sleep 0.5 - done - chmod a+w $SOCKET - ''; - - postStop = '' - rm $SOCKET - ''; - - serviceConfig = { - User = "mastodon"; - EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; - PrivateTmp = true; - Restart = "always"; - TimeoutSec = 15; - Type = "simple"; - WorkingDirectory = mastodon; - }; - - unitConfig.RequiresMountsFor = varDir; - }; - - systemd.services.mastodon-web = { - description = "Mastodon Web app"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - environment.RAILS_ENV = "production"; - environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}"; - environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile"; - environment.SOCKET = railsSocket; - - path = [ mastodon.gems mastodon.gems.ruby pkgs.file ]; - - preStart = '' - ./bin/bundle exec rails db:migrate - ''; - - script = '' - exec ./bin/bundle exec puma -C config/puma.rb - ''; - - serviceConfig = { - User = "mastodon"; - EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; - PrivateTmp = true; - Restart = "always"; - TimeoutSec = 60; - Type = "simple"; - WorkingDirectory = mastodon; - }; - - unitConfig.RequiresMountsFor = varDir; - }; - - systemd.services.mastodon-sidekiq = { - description = "Mastodon Sidekiq"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "mastodon-web.service" ]; - - environment.RAILS_ENV="production"; - 
environment.BUNDLE_PATH = "${mastodon.gems}/${mastodon.gems.ruby.gemPath}"; - environment.BUNDLE_GEMFILE = "${mastodon.gems.confFiles}/Gemfile"; - environment.DB_POOL="5"; - - path = [ mastodon.gems mastodon.gems.ruby pkgs.imagemagick pkgs.ffmpeg pkgs.file ]; - - script = '' - exec ./bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push - ''; - - serviceConfig = { - User = "mastodon"; - EnvironmentFile = "/var/secrets/webapps/tools-mastodon"; - PrivateTmp = true; - Restart = "always"; - TimeoutSec = 15; - Type = "simple"; - WorkingDirectory = mastodon; - }; - - unitConfig.RequiresMountsFor = varDir; - }; - - system.activationScripts.mastodon = { - deps = [ "users" ]; - text = '' - install -m 0755 -o mastodon -g mastodon -d ${socketsDir} - install -m 0755 -o mastodon -g mastodon -d ${varDir} ${varDir}/tmp/cache - ''; - }; - - services.myWebsites.tools.modules = [ - "headers" "proxy" "proxy_wstunnel" "proxy_http" - ]; - security.acme.certs."eldiron".extraDomains."mastodon.immae.eu" = null; - system.extraSystemBuilderCmds = '' - mkdir -p $out/webapps - ln -s ${mastodon}/public/ $out/webapps/tools_mastodon - ''; - services.myWebsites.tools.vhostConfs.mastodon = { - certName = "eldiron"; - hosts = ["mastodon.immae.eu" ]; - root = root; - extraConfig = [ '' - Header always set Referrer-Policy "strict-origin-when-cross-origin" - Header always set Strict-Transport-Security "max-age=31536000" - - - Header always set Cache-Control "public, max-age=31536000, immutable" - Require all granted - - - ProxyPreserveHost On - RequestHeader set X-Forwarded-Proto "https" - - RewriteEngine On - - ProxyPass /500.html ! - ProxyPass /sw.js ! - ProxyPass /embed.js ! - ProxyPass /robots.txt ! - ProxyPass /manifest.json ! - ProxyPass /browserconfig.xml ! - ProxyPass /mask-icon.svg ! - ProxyPassMatch ^(/.*\.(png|ico|gif)$) ! - ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) ! 
- - RewriteRule ^/api/v1/streaming/(.+)$ unix://${nodeSocket}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L] - RewriteRule ^/api/v1/streaming/$ unix://${nodeSocket}|ws://mastodon.immae.eu/ [P,NE,QSA,L] - ProxyPass / unix://${railsSocket}|http://mastodon.immae.eu/ - ProxyPassReverse / unix://${railsSocket}|http://mastodon.immae.eu/ - - Alias /system ${varDir} - - - Require all granted - Options -MultiViews - - - - Require all granted - Options -MultiViews +FollowSymlinks - - - ErrorDocument 500 /500.html - ErrorDocument 501 /500.html - ErrorDocument 502 /500.html - ErrorDocument 503 /500.html - ErrorDocument 504 /500.html - '' ]; - }; - }; -} diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix new file mode 100644 index 0000000..a02af38 --- /dev/null +++ b/nixops/modules/websites/tools/mediagoblin.nix 
@@ -0,0 +1,251 @@ +{ lib, pkgs, config, myconfig, mylibs, ... }: +let + env = myconfig.env.tools.mediagoblin; + socketsDir = "/run/mediagoblin"; + varDir = "/var/lib/mediagoblin"; + cfg = config.services.myWebsites.tools.mediagoblin; + mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin"; + paste_local = pkgs.writeText "paste_local.ini" '' + [DEFAULT] + debug = false + + [pipeline:main] + pipeline = mediagoblin + + [app:mediagoblin] + use = egg:mediagoblin#app + config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini + /mgoblin_static = ${pythonRoot}/mediagoblin/static + + [loggers] + keys = root + + [handlers] + keys = console + + [formatters] + keys = generic + + [logger_root] + level = INFO + handlers = console + + [handler_console] + class = StreamHandler + args = (sys.stderr,) + level = NOTSET + formatter = generic + + [formatter_generic] + format = %(levelname)-7.7s [%(name)s] %(message)s + + [filter:errors] + use = egg:mediagoblin#errors + debug = false + + [server:main] + use = egg:waitress#main + unix_socket = ${socketsDir}/mediagoblin.sock + unix_socket_perms = 777 + url_scheme = https + ''; + pythonRoot = pkgs.webapps.mediagoblin-with-plugins; +in { + options.services.myWebsites.tools.mediagoblin = { + enable = lib.mkEnableOption "enable mediagoblin's website"; + }; + + config = lib.mkIf cfg.enable { + mySecrets.keys = [{ + dest = "webapps/tools-mediagoblin"; + user = "mediagoblin"; + group = "mediagoblin"; + permissions = "0400"; + text = '' + [DEFAULT] + data_basedir = "${varDir}" + + [mediagoblin] + direct_remote_path = /mgoblin_static/ + email_sender_address = "mediagoblin@tools.immae.eu" + + #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db + sql_engine = ${env.psql_url} + + email_debug_mode = false + allow_registration = false + allow_reporting = true + + theme = airymodified + + user_privilege_scheme = "uploader,commenter,reporter" + + # We need to redefine them here since we override data_basedir + # cf 
/usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini + workbench_path = %(data_basedir)s/media/workbench + crypto_path = %(data_basedir)s/crypto + theme_install_dir = %(data_basedir)s/themes/ + theme_linked_assets_dir = %(data_basedir)s/theme_static/ + plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ + + [storage:queuestore] + base_dir = %(data_basedir)s/media/queue + + [storage:publicstore] + base_dir = %(data_basedir)s/media/public + base_url = /mgoblin_media/ + + [celery] + CELERY_RESULT_DBURI = ${env.redis_url} + BROKER_URL = ${env.redis_url} + CELERYD_CONCURRENCY = 1 + + [plugins] + [[mediagoblin.plugins.geolocation]] + [[mediagoblin.plugins.ldap]] + [[[immae.eu]]] + LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' + LDAP_SEARCH_BASE = 'dc=immae,dc=eu' + LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' + LDAP_BIND_PW = '${env.ldap.password}' + LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' + EMAIL_SEARCH_FIELD = 'mail' + [[mediagoblin.plugins.basicsearch]] + [[mediagoblin.plugins.piwigo]] + [[mediagoblin.plugins.processing_info]] + [[mediagoblin.media_types.image]] + [[mediagoblin.media_types.video]] + ''; + }]; + + ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; + ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; + + users.users.mediagoblin = { + name = "mediagoblin"; + uid = config.ids.uids.mediagoblin; + group = "mediagoblin"; + description = "Mediagoblin user"; + home = varDir; + useDefaultShell = true; + extraGroups = [ "keys" ]; + }; + + users.groups.mediagoblin.gid = config.ids.gids.mediagoblin; + + systemd.services.mediagoblin-web = { + description = "Mediagoblin service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + wants = [ "postgresql.service" "redis.service" ]; + + environment.SCRIPT_NAME = "/mediagoblin/"; + + script = '' + exec ./bin/paster serve \ + ${paste_local} \ + --pid-file=${socketsDir}/mediagoblin.pid + 
''; + + preStop = '' + exec ./bin/paster serve \ + --pid-file=${socketsDir}/mediagoblin.pid \ + ${paste_local} stop + ''; + preStart = '' + ./bin/gmg -cf ${mediagoblin_init} dbupdate + ''; + + serviceConfig = { + User = "mediagoblin"; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 15; + Type = "simple"; + WorkingDirectory = pythonRoot; + PIDFile = "${socketsDir}/mediagoblin.pid"; + }; + + unitConfig.RequiresMountsFor = varDir; + }; + + systemd.services.mediagoblin-celeryd = { + description = "Mediagoblin service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" "mediagoblin-web.service" ]; + + environment.MEDIAGOBLIN_CONFIG = "${pythonRoot}/mediagoblin_local.ini"; + environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery"; + + script = '' + exec ./bin/celery worker \ + --logfile=${varDir}/celery.log \ + --loglevel=INFO + ''; + + serviceConfig = { + User = "mediagoblin"; + PrivateTmp = true; + Restart = "always"; + TimeoutSec = 60; + Type = "simple"; + WorkingDirectory = pythonRoot; + PIDFile = "${socketsDir}/mediagoblin-celeryd.pid"; + }; + + unitConfig.RequiresMountsFor = varDir; + }; + + system.activationScripts.mediagoblin = { + deps = [ "users" ]; + text = '' + install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir} + install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir} + if [ -d ${varDir}/plugin_static/ ]; then + rm ${varDir}/plugin_static/coreplugin_basic_auth + ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth + fi + ''; + }; + + services.myWebsites.tools.modules = [ + "proxy" "proxy_http" + ]; + users.users.wwwrun.extraGroups = [ "mediagoblin" ]; + security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null; + services.myWebsites.tools.vhostConfs.mgoblin = { + certName = "eldiron"; + hosts = ["mgoblin.immae.eu" ]; + root = null; + extraConfig = [ '' + Alias /mgoblin_media ${varDir}/media/public + + Options -Indexes +FollowSymLinks 
+MultiViews +Includes + Require all granted + + + Alias /theme_static ${varDir}/theme_static + + Options -Indexes +FollowSymLinks +MultiViews +Includes + Require all granted + + + Alias /plugin_static ${varDir}/plugin_static + + Options -Indexes +FollowSymLinks +MultiViews +Includes + Require all granted + + + ProxyPreserveHost on + ProxyVia On + ProxyRequests Off + ProxyPass /mgoblin_media ! + ProxyPass /theme_static ! + ProxyPass /plugin_static ! + ProxyPassMatch ^/.well-known/acme-challenge ! + ProxyPass / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/ + ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/ + '' ]; + }; + }; +} diff --git a/nixops/modules/websites/tools/mediagoblin/default.nix b/nixops/modules/websites/tools/mediagoblin/default.nix deleted file mode 100644 index a02af38..0000000 --- a/nixops/modules/websites/tools/mediagoblin/default.nix +++ /dev/null 
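Review bot: The waitress backend socket is created world-writable (`unix_socket_perms = 777` in the generated paste_local.ini), so any local account can talk to the application directly and bypass Apache, which is the layer the config trusts (the server section already assumes `url_scheme = https`). Since `wwwrun` is added to the `mediagoblin` group further down and `/run/mediagoblin` is created 0755 mediagoblin:mediagoblin by the activation script, group access is sufficient: `unix_socket_perms = 660`. Separately, the directory options for the `/mgoblin_media` alias (user uploads under `${varDir}/media/public`) enable `+Includes`; whether mod_include is actually loaded is not visible in this module, but server-side includes on an upload directory are not needed and I would reduce that block to `Options -Indexes +FollowSymLinks +MultiViews`. I also note the celeryd unit points `MEDIAGOBLIN_CONFIG` at `${pythonRoot}/mediagoblin_local.ini` while the web unit reads `${mediagoblin_init}`; if the worker is expected to see the same database/LDAP settings, that looks like it should be the secrets path too, but I cannot confirm from the hunk what `mediagoblin_local.ini` contains.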
@@ -1,251 +0,0 @@ -{ lib, pkgs, config, myconfig, mylibs, ... }: -let - env = myconfig.env.tools.mediagoblin; - socketsDir = "/run/mediagoblin"; - varDir = "/var/lib/mediagoblin"; - cfg = config.services.myWebsites.tools.mediagoblin; - mediagoblin_init = "/var/secrets/webapps/tools-mediagoblin"; - paste_local = pkgs.writeText "paste_local.ini" '' - [DEFAULT] - debug = false - - [pipeline:main] - pipeline = mediagoblin - - [app:mediagoblin] - use = egg:mediagoblin#app - config = ${mediagoblin_init} ${pythonRoot}/mediagoblin.ini - /mgoblin_static = ${pythonRoot}/mediagoblin/static - - [loggers] - keys = root - - [handlers] - keys = console - - [formatters] - keys = generic - - [logger_root] - level = INFO - handlers = console - - [handler_console] - class = StreamHandler - args = (sys.stderr,) - level = NOTSET - formatter = generic - - [formatter_generic] - format = %(levelname)-7.7s [%(name)s] %(message)s - - [filter:errors] - use = egg:mediagoblin#errors - debug = false - - [server:main] - use = egg:waitress#main - unix_socket = ${socketsDir}/mediagoblin.sock - unix_socket_perms = 777 - url_scheme = https - ''; - pythonRoot = pkgs.webapps.mediagoblin-with-plugins; -in { - options.services.myWebsites.tools.mediagoblin = { - enable = lib.mkEnableOption "enable mediagoblin's website"; - }; - - config = lib.mkIf cfg.enable { - mySecrets.keys = [{ - dest = "webapps/tools-mediagoblin"; - user = "mediagoblin"; - group = "mediagoblin"; - permissions = "0400"; - text = '' - [DEFAULT] - data_basedir = "${varDir}" - - [mediagoblin] - direct_remote_path = /mgoblin_static/ - email_sender_address = "mediagoblin@tools.immae.eu" - - #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db - sql_engine = ${env.psql_url} - - email_debug_mode = false - allow_registration = false - allow_reporting = true - - theme = airymodified - - user_privilege_scheme = "uploader,commenter,reporter" - - # We need to redefine them here since we override data_basedir - # cf 
/usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini - workbench_path = %(data_basedir)s/media/workbench - crypto_path = %(data_basedir)s/crypto - theme_install_dir = %(data_basedir)s/themes/ - theme_linked_assets_dir = %(data_basedir)s/theme_static/ - plugin_linked_assets_dir = %(data_basedir)s/plugin_static/ - - [storage:queuestore] - base_dir = %(data_basedir)s/media/queue - - [storage:publicstore] - base_dir = %(data_basedir)s/media/public - base_url = /mgoblin_media/ - - [celery] - CELERY_RESULT_DBURI = ${env.redis_url} - BROKER_URL = ${env.redis_url} - CELERYD_CONCURRENCY = 1 - - [plugins] - [[mediagoblin.plugins.geolocation]] - [[mediagoblin.plugins.ldap]] - [[[immae.eu]]] - LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636' - LDAP_SEARCH_BASE = 'dc=immae,dc=eu' - LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu' - LDAP_BIND_PW = '${env.ldap.password}' - LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))' - EMAIL_SEARCH_FIELD = 'mail' - [[mediagoblin.plugins.basicsearch]] - [[mediagoblin.plugins.piwigo]] - [[mediagoblin.plugins.processing_info]] - [[mediagoblin.media_types.image]] - [[mediagoblin.media_types.video]] - ''; - }]; - - ids.uids.mediagoblin = myconfig.env.tools.mediagoblin.user.uid; - ids.gids.mediagoblin = myconfig.env.tools.mediagoblin.user.gid; - - users.users.mediagoblin = { - name = "mediagoblin"; - uid = config.ids.uids.mediagoblin; - group = "mediagoblin"; - description = "Mediagoblin user"; - home = varDir; - useDefaultShell = true; - extraGroups = [ "keys" ]; - }; - - users.groups.mediagoblin.gid = config.ids.gids.mediagoblin; - - systemd.services.mediagoblin-web = { - description = "Mediagoblin service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - wants = [ "postgresql.service" "redis.service" ]; - - environment.SCRIPT_NAME = "/mediagoblin/"; - - script = '' - exec ./bin/paster serve \ - ${paste_local} \ - --pid-file=${socketsDir}/mediagoblin.pid - 
''; - - preStop = '' - exec ./bin/paster serve \ - --pid-file=${socketsDir}/mediagoblin.pid \ - ${paste_local} stop - ''; - preStart = '' - ./bin/gmg -cf ${mediagoblin_init} dbupdate - ''; - - serviceConfig = { - User = "mediagoblin"; - PrivateTmp = true; - Restart = "always"; - TimeoutSec = 15; - Type = "simple"; - WorkingDirectory = pythonRoot; - PIDFile = "${socketsDir}/mediagoblin.pid"; - }; - - unitConfig.RequiresMountsFor = varDir; - }; - - systemd.services.mediagoblin-celeryd = { - description = "Mediagoblin service"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" "mediagoblin-web.service" ]; - - environment.MEDIAGOBLIN_CONFIG = "${pythonRoot}/mediagoblin_local.ini"; - environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery"; - - script = '' - exec ./bin/celery worker \ - --logfile=${varDir}/celery.log \ - --loglevel=INFO - ''; - - serviceConfig = { - User = "mediagoblin"; - PrivateTmp = true; - Restart = "always"; - TimeoutSec = 60; - Type = "simple"; - WorkingDirectory = pythonRoot; - PIDFile = "${socketsDir}/mediagoblin-celeryd.pid"; - }; - - unitConfig.RequiresMountsFor = varDir; - }; - - system.activationScripts.mediagoblin = { - deps = [ "users" ]; - text = '' - install -m 0755 -o mediagoblin -g mediagoblin -d ${socketsDir} - install -m 0755 -o mediagoblin -g mediagoblin -d ${varDir} - if [ -d ${varDir}/plugin_static/ ]; then - rm ${varDir}/plugin_static/coreplugin_basic_auth - ln -sf ${pythonRoot}/mediagoblin/plugins/basic_auth/static ${varDir}/plugin_static/coreplugin_basic_auth - fi - ''; - }; - - services.myWebsites.tools.modules = [ - "proxy" "proxy_http" - ]; - users.users.wwwrun.extraGroups = [ "mediagoblin" ]; - security.acme.certs."eldiron".extraDomains."mgoblin.immae.eu" = null; - services.myWebsites.tools.vhostConfs.mgoblin = { - certName = "eldiron"; - hosts = ["mgoblin.immae.eu" ]; - root = null; - extraConfig = [ '' - Alias /mgoblin_media ${varDir}/media/public - - Options -Indexes +FollowSymLinks 
+MultiViews +Includes - Require all granted - - - Alias /theme_static ${varDir}/theme_static - - Options -Indexes +FollowSymLinks +MultiViews +Includes - Require all granted - - - Alias /plugin_static ${varDir}/plugin_static - - Options -Indexes +FollowSymLinks +MultiViews +Includes - Require all granted - - - ProxyPreserveHost on - ProxyVia On - ProxyRequests Off - ProxyPass /mgoblin_media ! - ProxyPass /theme_static ! - ProxyPass /plugin_static ! - ProxyPassMatch ^/.well-known/acme-challenge ! - ProxyPass / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/ - ProxyPassReverse / unix://${socketsDir}/mediagoblin.sock|http://mgoblin.immae.eu/ - '' ]; - }; - }; -} -- cgit v1.2.3