{ lib, pkgs, config, ... }:
let
secrets = config.myEnv.websites.ludivine.integration;
app = pkgs.callPackage ./app {
composerEnv = pkgs.composerEnv.override { php = pkgs.php72; };
environment = secrets.environment;
varDir = "/var/lib/ludivine_integration";
secretsPath = config.secrets.fullPaths."websites/ludivine/integration";
};
cfg = config.myServices.websites.ludivine.integration;
pcfg = config.services.phpApplication;
in {
options.myServices.websites.ludivine.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
config = lib.mkIf cfg.enable {
services.duplyBackup.profiles.ludivine_integration.rootDir = app.varDir;
services.phpApplication.apps.ludivine_integration = {
websiteEnv = "integration";
httpdUser = config.services.httpd.Inte.user;
httpdGroup = config.services.httpd.Inte.group;
inherit (app) webRoot varDir;
varDirPaths = {
"tmp" = "0700";
};
inherit app;
serviceDeps = [ "mysql.service" ];
preStartActions = [
"./bin/console --env=${app.environment} cache:clear --no-warmup"
];
phpOpenbasedir = [ "/tmp" ];
phpPool = {
"php_admin_value[upload_max_filesize]" = "20M";
"php_admin_value[post_max_size]" = "20M";
#"php_admin_flag[log_errors]" = "on";
"pm" = "ondemand";
"pm.max_children" = "5";
"pm.process_idle_timeout" = "60";
};
phpEnv = {
PATH = lib.makeBinPath [
# below ones don't need to be in the PATH but they’re used in
# secrets
pkgs.imagemagick pkgs.sass pkgs.ruby
];
SYMFONY_DEBUG_MODE = "\"yes\"";
};
phpWatchFiles = [
config.secrets.fullPaths."websites/ludivine/integration"
];
phpPackage = pkgs.php72;
};
secrets.keys = [
{
dest = "websites/ludivine/integration";
user = config.services.httpd.Inte.user;
group = config.services.httpd.Inte.group;
permissions = "0400";
text = ''
# This file is auto-generated during the composer install
parameters:
database_host: ${secrets.mysql.host}
database_port: ${secrets.mysql.port}
database_name: ${secrets.mysql.database}
database_user: ${secrets.mysql.user}
database_password: ${secrets.mysql.password}
database_server_version: ${pkgs.mariadb.mysqlVersion}
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
mailer_password: null
secret: ${secrets.secret}
ldap_host: ldap.immae.eu
ldap_port: 636
ldap_version: 3
ldap_ssl: true
ldap_tls: false
ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
ldap_base_dn: 'dc=immae,dc=eu'
ldap_search_dn: '${secrets.ldap.dn}'
ldap_search_password: '${secrets.ldap.password}'
ldap_search_filter: '${secrets.ldap.filter}'
leapt_im:
binary_path: ${pkgs.imagemagick}/bin
assetic:
sass: ${pkgs.sass}/bin/sass
ruby: ${pkgs.ruby}/bin/ruby
'';
}
];
services.websites.env.integration.vhostConfs.ludivine_integration = {
certName = "integration";
addToCerts = true;
hosts = [ "ludivine.immae.eu" ];
root = pcfg.webappDirs.ludivine_integration;
extraConfig = [
''
SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivine_integration}|fcgi://localhost"
Use LDAPConnect
Require ldap-group cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
ErrorDocument 401 ""
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride None
Require all granted
DirectoryIndex app_dev.php
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
# Maintenance script
RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.php
RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
ErrorDocument 503 /maintenance.php
# Sets the HTTP_AUTHORIZATION header removed by Apache
RewriteCond %{HTTP:Authorization} .
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
# Rewrite all other queries to the front controller.
RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
''
];
};
};
}