path: root/nixops/modules/websites/tools/tools/wallabag.nix
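# Wallabag deployment description.
#
# Returns a single attribute set with the state directory (varDir), the
# secret file to deploy (keys), the built web application (webappDir), an
# activation script, the Apache vhost fragment (apache) and the PHP-FPM pool
# definition (phpFpm).
#
# NOTE(review): only fetchurl, env and composerEnv are referenced below; the
# remaining arguments look unused in this expression.
{ stdenv, fetchurl, writeText, env, composerEnv, phpPackages, php, which }:
let
  wallabag = rec {
    # Writable state (cache, logs, sessions, data, assets) lives here; the
    # built package only holds symlinks into it (see postInstall).
    varDir = "/var/lib/wallabag";
    # Symfony parameters.yml carrying the database, LDAP and application
    # secrets. It is declared readable by the web server user only (0400).
    #
    # NOTE(review): the env.* values are interpolated into the YAML
    # unquoted. A value containing " #", ": ", a leading quote or "%" would
    # be truncated or reinterpreted by the YAML/Symfony parser (for `secret`
    # that would silently shorten the application secret). Confirm the
    # secrets are restricted to a safe alphabet, or quote/escape them.
    #
    # NOTE(review): rabbitmq_user/rabbitmq_password are guest/guest. This
    # presumably mirrors the upstream defaults for an unused backend;
    # confirm no RabbitMQ instance is actually reachable with them.
    keys = [{
      dest = "webapps/tools-wallabag";
      user = apache.user;
      group = apache.group;
      permissions = "0400";
      text = ''
        # This file is auto-generated during the composer install
        parameters:
            database_driver: pdo_pgsql
            database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
            database_host: ${env.postgresql.socket}
            database_port: ${env.postgresql.port}
            database_name: ${env.postgresql.database}
            database_user: ${env.postgresql.user}
            database_password: ${env.postgresql.password}
            database_path: null
            database_table_prefix: wallabag_
            database_socket: null
            database_charset: utf8
            domain_name: https://tools.immae.eu/wallabag
            mailer_transport: sendmail
            mailer_host: 127.0.0.1
            mailer_user: null
            mailer_password: null
            locale: fr
            secret: ${env.secret}
            twofactor_auth: true
            twofactor_sender: wallabag@tools.immae.eu
            fosuser_registration: false
            fosuser_confirmation: true
            from_email: wallabag@tools.immae.eu
            rss_limit: 50
            rabbitmq_host: localhost
            rabbitmq_port: 5672
            rabbitmq_user: guest
            rabbitmq_password: guest
            rabbitmq_prefetch_count: 10
            redis_scheme: unix
            redis_host: null
            redis_port: null
            redis_path: ${env.redis.socket}
            redis_password: null
            sites_credentials: {  }
            ldap_enabled: true
            ldap_host: ldap.immae.eu
            ldap_port: 636
            ldap_tls: false
            ldap_ssl: true
            ldap_bind_requires_dn: true
            ldap_base: 'dc=immae,dc=eu'
            ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
            ldap_manager_pw: ${env.ldap.password}
            ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
            ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
            ldap_username_attribute: uid
            ldap_email_attribute: mail
            ldap_name_attribute: cn
            ldap_enabled_attribute: null
        services:
            swiftmailer.mailer.default.transport:
                class:     Swift_SendmailTransport
                arguments: ['/run/wrappers/bin/sendmail -bs']
        '';
    }];
    # The application itself: the upstream release tarball plus two extra
    # composer packages for LDAP support. Every download is pinned by
    # sha256, and the two extra packages are additionally pinned to a commit
    # id in their URL.
    webappDir = composerEnv.buildPackage rec {
      packages = {
        "fr3d/ldap-bundle" = {
          targetDir = "";
          src = composerEnv.buildZipPackage {
            name = "fr3d-ldap-bundle-5a8927c11af45fa06331b97221c6da1a4a237475";
            src = fetchurl {
              # Quoted string instead of the deprecated bare URL literal.
              url = "https://api.github.com/repos/Maks3w/FR3DLdapBundle/zipball/5a8927c11af45fa06331b97221c6da1a4a237475";
              sha256 = "168zkd82j200wd6h0a3lq81g5s2pifg889rv27q2g429nppsbfxc";
            };
          };
        };
        "zendframework/zend-ldap" = {
          targetDir = "";
          src = composerEnv.buildZipPackage {
            name = "zendframework-zend-ldap-b63c7884a08d3a6bda60ebcf7d6238cf8ad89f49";
            src = fetchurl {
              # Quoted string instead of the deprecated bare URL literal.
              url = "https://api.github.com/repos/zendframework/zend-ldap/zipball/b63c7884a08d3a6bda60ebcf7d6238cf8ad89f49";
              sha256 = "0mn4yqnb5prqhrbbybmw1i2rx7xf4s4wagbdq9qi55fa0vk3jgw9";
            };
          };
        };
      };
      noDev = true;
      doRemoveVendor = false;
      # Beware when upgrading, I probably messed up with the migrations table
      # (due to a psql bug in wallabag)
      version = "2.3.6";
      name = "wallabag-${version}";
      src = fetchurl {
        url = "https://static.wallabag.org/releases/wallabag-release-${version}.tar.gz";
        sha256 = "0m0dy3r94ks5pfxyb9vbgrsm0vrwdl3jd5wqwg4f5vd107lq90q1";
      };
      unpackPhase = ''
        unpackFile "$src"
        sourceRoot=${version}
        src=$PWD/${version}
        '';
      patches = [ ./wallabag_ldap.patch ];
      preInstall = ''
        export SYMFONY_ENV="prod"
      '';
      # Replace everything that must be writable or secret with symlinks:
      # parameters.yml points at the deployed secret file, and cache, logs,
      # sessions, data and assets point into varDir, so the built package
      # itself contains neither secrets nor mutable state.
      postInstall = ''
        rm -rf web/assets var/{cache,logs,sessions} app/config/parameters.yml data
        ln -sf /var/secrets/webapps/tools-wallabag app/config/parameters.yml
        ln -sf ${varDir}/var/{cache,logs,sessions} var
        ln -sf ${varDir}/data data
        ln -sf ${varDir}/assets web/assets
      '';
    };
    # Creates the state directories owned by the web server user.
    # NOTE(review): mode 0755 leaves the state directories (parent of the
    # cache, logs and sessions symlink targets) listable and traversable by
    # every local user; consider 0750 if nothing outside the web server
    # user/group needs to read them.
    activationScript = ''
      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
        ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
      '';
    webRoot = "${webappDir}/web";
    # Domain migration: Table wallabag_entry contains whole
    # https://tools.immae.eu/wallabag domain name in preview_picture
    apache = rec {
      user = "wwwrun";
      group = "wwwrun";
      modules = [ "proxy_fcgi" ];
      webappName = "tools_wallabag";
      root = "/run/current-system/webapps/${webappName}";
      # .htaccess files are disabled (AllowOverride None); *.php is handed
      # to the PHP-FPM socket and every request that is not an existing file
      # is rewritten to app.php. CGIPassAuth forwards the Authorization
      # header to PHP.
      vhostConf = ''
        Alias /wallabag "${root}"
        <Directory "${root}">
          AllowOverride None
          Require all granted
          # For OAuth (apps)
          CGIPassAuth On

          <FilesMatch "\.php$">
            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
          </FilesMatch>

          <IfModule mod_rewrite.c>
            Options -MultiViews
            RewriteEngine On
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^(.*)$ app.php [QSA,L]
          </IfModule>
        </Directory>
        <Directory "${root}/bundles">
          <IfModule mod_rewrite.c>
            RewriteEngine Off
          </IfModule>
        </Directory>
        <Directory "${varDir}/assets">
          AllowOverride None
          Require all granted
        </Directory>
        '';
    };
    phpFpm = rec {
      # Clears the cache and runs the database migrations when the deployed
      # webappDir differs from the one recorded in varDir, or when the
      # recorded sha512 of the secret file no longer verifies; both markers
      # are rewritten afterwards.
      # The console commands run as the web server user through sudo, using
      # apache.user and varDir rather than repeating their literal values.
      preStart = ''
        if [ ! -f "${varDir}/currentWebappDir" -o \
            ! -f "${varDir}/currentKey" -o \
            "${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ] \
            || ! sha512sum -c --status ${varDir}/currentKey; then
          pushd ${webappDir} > /dev/null
          /run/wrappers/bin/sudo -u ${apache.user} ./bin/console --env=prod cache:clear
          rm -rf ${varDir}/var/cache/pro_
          /run/wrappers/bin/sudo -u ${apache.user} ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
          popd > /dev/null
          echo -n "${webappDir}" > ${varDir}/currentWebappDir
          sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
        fi
        '';
      serviceDeps = [ "postgresql.service" "openldap.service" ];
      # Paths PHP may open: the application, its secret file and its state.
      basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
      socket = "/var/run/phpfpm/wallabag.sock";
      # NOTE(review): open_basedir below also allows /tmp. If /tmp is shared
      # with other services on this host, a dedicated or private temporary
      # directory would narrow what this pool can read and write.
      pool = ''
        listen = ${socket}
        user = ${apache.user}
        group = ${apache.group}
        listen.owner = ${apache.user}
        listen.group = ${apache.group}
        pm = dynamic
        pm.max_children = 60
        pm.start_servers = 2
        pm.min_spare_servers = 1
        pm.max_spare_servers = 10

        ; Needed to avoid clashes in browser cookies (same domain)
        php_value[session.name] = WallabagPHPSESSID
        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp"
        php_value[max_execution_time] = 300
        '';
    };
  };
in
  wallabag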