From 252dd7d899b7a0deea1537cc5d2d48b825afffb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Thu, 13 Dec 2018 21:25:24 +0100
Subject: Initial commit published for NUR

---
 modules/private/websites/chloe/builder.nix | 102 ++++++++++++++++++++++
 modules/private/websites/chloe/config/chmod.php | 4 +
 modules/private/websites/chloe/config/connect.php | 15 ++++
 modules/private/websites/chloe/config/ldap.php | 9 ++
 modules/private/websites/chloe/integration.nix | 36 ++++++++
 modules/private/websites/chloe/production.nix | 38 ++++++++
 6 files changed, 204 insertions(+)
 create mode 100644 modules/private/websites/chloe/builder.nix
 create mode 100644 modules/private/websites/chloe/config/chmod.php
 create mode 100644 modules/private/websites/chloe/config/connect.php
 create mode 100644 modules/private/websites/chloe/config/ldap.php
 create mode 100644 modules/private/websites/chloe/integration.nix
 create mode 100644 modules/private/websites/chloe/production.nix
(limited to 'modules/private/websites/chloe')

diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix
new file mode 100644
index 00000000..f65e9a95
--- /dev/null
+++ b/modules/private/websites/chloe/builder.nix
@@ -0,0 +1,102 @@
+{ apacheUser, apacheGroup, chloe, config }:
+rec {
+ app = chloe.override { inherit (config) environment; };
+ phpFpm = rec {
+ serviceDeps = [ "mysql.service" ];
+ socket = "/var/run/phpfpm/chloe-${app.environment}.sock";
+ pool = ''
+ user = ${apacheUser}
+ group = ${apacheGroup}
+ listen.owner = ${apacheUser}
+ listen.group = ${apacheGroup}
+ php_admin_value[upload_max_filesize] = 20M
+ php_admin_value[post_max_size] = 20M
+ ;php_admin_flag[log_errors] = on
+ php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"
+ php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+ ${if app.environment == "dev" then ''
+ pm = ondemand
+ pm.max_children = 5
+ pm.process_idle_timeout = 60
+ '' else ''
+ pm = dynamic
+ pm.max_children = 20
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ ''}'';
+ };
+ keys = [{
+ dest = "webapps/${app.environment}-chloe";
+ user = apacheUser;
+ group = apacheGroup;
+ permissions = "0400";
+ text = ''
+ SetEnv SPIP_CONFIG_DIR "${configDir}"
+ SetEnv SPIP_VAR_DIR "${app.varDir}"
+ SetEnv SPIP_SITE "chloe-${app.environment}"
+ SetEnv SPIP_LDAP_BASE "dc=immae,dc=eu"
+ SetEnv SPIP_LDAP_HOST "ldaps://ldap.immae.eu"
+ SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+ SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+ SetEnv SPIP_LDAP_SEARCH "${config.ldap.search}"
+ SetEnv SPIP_MYSQL_HOST "${config.mysql.host}"
+ SetEnv SPIP_MYSQL_PORT "${config.mysql.port}"
+ SetEnv SPIP_MYSQL_DB "${config.mysql.name}"
+ SetEnv SPIP_MYSQL_USER "${config.mysql.user}"
+ SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+ '';
+ }];
+ apache = rec {
+ modules = [ "proxy_fcgi" ];
+ webappName = "chloe_${app.environment}";
+ root = "/run/current-system/webapps/${webappName}";
+ vhostConf = ''
+ Include /var/secrets/webapps/${app.environment}-chloe
+
+ RewriteEngine On
+ ${if app.environment == "prod" then ''
+ RewriteRule ^/news.rss /spip.php?page=backend&id_rubrique=1
+
'' else ""} + + + SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + + + + DirectoryIndex index.php index.htm index.html + Options -Indexes +FollowSymLinks +MultiViews +Includes + Include ${root}/htaccess.txt + + AllowOverride AuthConfig FileInfo Limit + Require all granted + + + + Require all denied + + + + Require all denied + + + ${if app.environment == "dev" then '' + + Use LDAPConnect + Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu + ErrorDocument 401 "" + + '' else '' + Use Stats osteopathe-cc.fr + ''} + ''; + }; + activationScript = { + deps = [ "wrappers" ]; + text = '' + install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local + install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions + ''; + }; + configDir = ./config; +} diff --git a/modules/private/websites/chloe/config/chmod.php b/modules/private/websites/chloe/config/chmod.php new file mode 100644 index 00000000..aae16cdf --- /dev/null +++ b/modules/private/websites/chloe/config/chmod.php @@ -0,0 +1,4 @@ + \ No newline at end of file diff --git a/modules/private/websites/chloe/config/connect.php b/modules/private/websites/chloe/config/connect.php new file mode 100644 index 00000000..18b09330 --- /dev/null +++ b/modules/private/websites/chloe/config/connect.php @@ -0,0 +1,15 @@ + diff --git a/modules/private/websites/chloe/config/ldap.php b/modules/private/websites/chloe/config/ldap.php new file mode 100644 index 00000000..825b7edb --- /dev/null +++ b/modules/private/websites/chloe/config/ldap.php @@ -0,0 +1,9 @@ + array('sAMAccountName','uid','login','userid','cn','sn'),'nom' => 'cn','email' => 'mail','bio' => 'description',); +$GLOBALS['ldap_search'] = getenv("SPIP_LDAP_SEARCH"); +?> diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix new file mode 100644 index 00000000..c42a4282 --- /dev/null 
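Review bot: The `SetEnv SPIP_LDAP_SEARCH_PW` and `SetEnv SPIP_MYSQL_PASSWORD` lines in the `keys` text hand both credentials to every FastCGI request, so they are present in `$_SERVER`/`getenv()` of every script served by this pool; a stray `phpinfo()`, a debug dump of `$_SERVER` or any file-read bug in the SPIP tree discloses the LDAP bind password and the database password regardless of the `0400` mode on the key file. The pool's `user = ${apacheUser}` additionally runs PHP as the owner of that 0400 file, so `open_basedir` is the only thing keeping SPIP code away from `/var/secrets/webapps/…`; a dedicated pool user, keeping `listen.owner`/`listen.group` as the httpd user and adjusting the `install -o` lines in `activationScript` to match, would restore that separation. Separately, `Options -Indexes +FollowSymLinks +MultiViews +Includes` grants full SSI including `#exec` while `AllowOverride AuthConfig FileInfo Limit` lets an `.htaccess` turn the INCLUDES filter on; unless `exec` is actually needed, `+IncludesNOEXEC` is the safer spelling. The surrounding Apache container directives appear to have been lost in this rendering, so the exact scope of those `Options`/`AllowOverride` lines could not be confirmed.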
+++ b/modules/private/websites/chloe/integration.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+ chloe = pkgs.callPackage ./builder.nix {
+ inherit (pkgs.webapps) chloe;
+ config = myconfig.env.websites.chloe.integration;
+ apacheUser = config.services.httpd.Inte.user;
+ apacheGroup = config.services.httpd.Inte.group;
+ };
+
+ cfg = config.myServices.websites.chloe.integration;
+in {
+ options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
+
+ config = lib.mkIf cfg.enable {
+ secrets.keys = chloe.keys;
+ systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps;
+ systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps;
+ services.phpfpm.pools.chloe_dev = {
+ listen = chloe.phpFpm.socket;
+ extraConfig = chloe.phpFpm.pool;
+ phpOptions = config.services.phpfpm.phpOptions + ''
+ extension=${pkgs.php}/lib/php/extensions/mysqli.so
+ '';
+ };
+ system.activationScripts.chloe_dev = chloe.activationScript;
+ myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
+ services.websites.integration.modules = chloe.apache.modules;
+ services.websites.integration.vhostConfs.chloe = {
+ certName = "eldiron";
+ addToCerts = true;
+ hosts = ["chloe.immae.eu" ];
+ root = chloe.apache.root;
+ extraConfig = [ chloe.apache.vhostConf ];
+ };
+ };
+}
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
new file mode 100644
index 00000000..0bf2d8fd
--- /dev/null
@@ -0,0 +1,38 @@ +{ lib, pkgs, config, myconfig, ... }: +let + chloe = pkgs.callPackage ./builder.nix { + inherit (pkgs.webapps) chloe; + config = myconfig.env.websites.chloe.production; + apacheUser = config.services.httpd.Prod.user; + apacheGroup = config.services.httpd.Prod.group; + }; + + cfg = config.myServices.websites.chloe.production; +in { + options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production"; + + config = lib.mkIf cfg.enable { + secrets.keys = chloe.keys; + services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ]; + + systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; + systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; + services.phpfpm.pools.chloe_prod = { + listen = chloe.phpFpm.socket; + extraConfig = chloe.phpFpm.pool; + phpOptions = config.services.phpfpm.phpOptions + '' + extension=${pkgs.php}/lib/php/extensions/mysqli.so + ''; + }; + system.activationScripts.chloe_prod = chloe.activationScript; + myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot; + services.websites.production.modules = chloe.apache.modules; + services.websites.production.vhostConfs.chloe = { + certName = "chloe"; + certMainHost = "osteopathe-cc.fr"; + hosts = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ]; + root = chloe.apache.root; + extraConfig = [ chloe.apache.vhostConf ]; + }; + }; +} -- cgit v1.2.3