1{
# nixops network-level metadata (applies to the whole deployment, not to a host).
network.description = "Immae's network";
# Needed for `nixops rollback` to be able to return to an earlier deployment.
network.enableRollback = true;
f8bde3d6 7 eldiron = { config, pkgs, mylibs, myconfig, ... }:
4d4f13f4 8 with mylibs;
5c101474 9 let
# Site-local packages; the fetch/check helpers come from `with mylibs;` above.
mypkgs = pkgs.callPackage ./packages.nix {
  checkEnv = checkEnv;
  fetchedGit = fetchedGit;
  fetchedGitPrivate = fetchedGitPrivate;
  fetchedGithub = fetchedGithub;
};
13 in
14 {
# Extra arguments handed to every module of this configuration; `mylibs` and
# `myconfig` are the names eldiron's argument list above receives.
_module.args.mylibs = import ../libs.nix;
_module.args.myconfig.ips = {
  # Primary address of the host (also used as deployment.hetzner.mainIPv4).
  main = "176.9.151.89";
  # Additional addresses bound on eth0 below, one per website environment.
  production = "176.9.151.154";
  integration = "176.9.151.155";
};
# Local service modules; each `services.my*` option used below is declared by one of them.
imports = map (m: ./modules + "/${m}.nix") [
  "certificates"
  "gitolite"
  "gitweb"
  "databases"
  "websites"
];
# Switch on the local modules imported above.
services.myGitolite.enable = true;
services.myGitweb.enable = true;
services.myDatabases.enable = true;
# Both website environments live on this host; their addresses are the
# production/integration entries of myconfig.ips bound on eth0 below.
services.myWebsites = {
  production.enable = true;
  integration.enable = true;
};
4d4f13f4 38
# Pin goaccess to 1.3 built with the Tokyo Cabinet backend; the source tarball
# is fixed by its sha256, so a changed upstream archive fails the build.
nixpkgs.config.packageOverrides = oldpkgs: {
  goaccess = oldpkgs.goaccess.overrideAttrs (old:
    let
      version = "1.3";
      name = "goaccess-${version}";
    in {
      inherit name version;
      src = pkgs.fetchurl {
        url = "https://tar.goaccess.io/${name}.tar.gz";
        sha256 = "16vv3pj7pbraq173wlxa89jjsd279004j4kgzlrsk1dz4if5qxwc";
      };
      # --enable-tcb=btree selects the on-disk Tokyo Cabinet B+tree storage.
      configureFlags = old.configureFlags ++ [ "--enable-tcb=btree" ];
      buildInputs = old.buildInputs ++ [ pkgs.tokyocabinet pkgs.bzip2 ];
    });
};
networking.firewall = {
  enable = true;
  # 22 ssh, 80/443 httpd, 9418 git-daemon (services.gitDaemon below).
  allowedTCPPorts = [ 22 80 443 9418 ];
};
# Secondary addresses for the website environments; the main address is not
# listed here.
networking.interfaces.eth0.ipv4.addresses = [
  # 176.9.151.89 declared in nixops -> infra / tools
  { address = myconfig.ips.production; prefixLength = 32; }
  { address = myconfig.ips.integration; prefixLength = 32; }
];
# nixops target: a Hetzner dedicated server.
deployment.targetEnv = "hetzner";
deployment.hetzner = {
  # Robot credentials are deliberately not kept in this file; the commented
  # lines record the environment variable names they come from.
  #robotUser = "defined in HETZNER_ROBOT_USER";
  #robotPass = "defined in HETZNER_ROBOT_PASS";
  mainIPv4 = myconfig.ips.main;
  # Kickstart-style layout: one swap partition per disk, root on a RAID-1
  # mirror of the remaining space of sda and sdb.
  partitions = ''
    clearpart --all --initlabel --drives=sda,sdb

    part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
    part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

    part raid.1 --grow --ondisk=sda
    part raid.2 --grow --ondisk=sdb

    raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
  '';
};
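environment.systemPackages = let
  # FIXME: move it to nextcloud
  # Wrapper running Nextcloud's `occ` from the Nextcloud web root with the php
  # package configured for php-fpm and that package's own php.ini.
  # NOTE(review): `-c <package>/etc/php.ini` is the package's stock ini, so the
  # phpOptions set on services.phpfpm below presumably do not apply to occ
  # runs — confirm.
  # Arguments are forwarded with "$@" so that quoted/space-containing
  # arguments reach occ intact ($* would re-split them).
  occ = pkgs.writeScriptBin "nextcloud-occ" ''
    #! ${pkgs.stdenv.shell}
    set -e
    cd ${mypkgs.nextcloud.webRoot}
    NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
      exec \
      ${config.services.phpfpm.phpPackage}/bin/php \
      -c ${config.services.phpfpm.phpPackage}/etc/php.ini \
      occ "$@"
  '';
in [
  pkgs.telnet
  pkgs.htop
  pkgs.vim
  pkgs.goaccess
  occ
];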
# Extra names on the "eldiron" certificate (the certificate itself is presumably
# declared in modules/certificates.nix); each name has a vhost in services.httpd below.
# NOTE(review): eldiron.immae.eu and git.immae.eu are served under the same
# certificate below but are not listed here — confirm they are covered by the
# certificate's main domain or by the module's defaults.
security.acme.certs."eldiron".extraDomains = pkgs.lib.genAttrs [
  "db-1.immae.eu"
  "tools.immae.eu"
  "cloud.immae.eu"
  "dav.immae.eu"
] (_: null);
# Public keys are resolved by the LDAP helper installed as
# environment.etc."ssh/ldap_authorized_keys" below. sshd runs it as `nobody`,
# so the helper must work without any privilege beyond reading its own file,
# and sshd requires the file to be root-owned and not group/world-writable.
services.openssh.extraConfig =
  "AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys\n"
  + "AuthorizedKeysCommandUser nobody\n";
beeed847 115 services.ympd = mypkgs.ympd.config // { enable = false; };
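services.phpfpm = {
  # FIXME: move session files to separate dirs
  # /!\ phppackage is used in nextcloud configuration
  # phpOptions is appended to php.ini. php.ini expressions only support the
  # bitwise operators (| & ^ ~ !), not "*", so the lifetimes are spelled out as
  # plain integers: gc_maxlifetime in seconds (15 days = 60*60*24*15),
  # cache_expire in minutes (30 days = 60*24*30).
  phpOptions = ''
    session.save_path = "/var/lib/php/sessions"
    session.gc_maxlifetime = 1296000
    session.cache_expire = 43200
    ; For nextcloud
    extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
    ; For nextcloud
    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
    ; For nextcloud
    zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
  '';
  extraConfig = ''
    log_level = notice
  '';
  # One pool per PHP application; each pool definition lives next to its package.
  poolConfigs = {
    adminer = mypkgs.adminer.phpFpm.pool;
    nextcloud = mypkgs.nextcloud.phpFpm.pool;
    mantisbt = mypkgs.mantisbt.phpFpm.pool;
    ttrss = mypkgs.ttrss.phpFpm.pool;
    roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
    davical = mypkgs.davical.phpFpm.pool;
  };
};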
system.activationScripts = {
  nextcloud = mypkgs.nextcloud.activationScript;
  ttrss = mypkgs.ttrss.activationScript;
  roundcubemail = mypkgs.roundcubemail.activationScript;
  # State directories for httpd and php-fpm: the ACME webroot served by the
  # port-80 vhost in services.httpd, and the PHP session stores (see
  # session.save_path in services.phpfpm), readable by wwwrun only.
  httpd = ''
    install -d -m 0755 /var/lib/acme/acme-challenge
    install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
    install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
    install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
    install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
  '';
  # FIXME: initial sync
  # Output directories for the per-site goaccess reports produced by the cron
  # jobs in services.cron below.
  goaccess = "mkdir -p /var/lib/goaccess\n"
    + pkgs.lib.concatMapStrings (site: "mkdir -p /var/lib/goaccess/${site}\n") [
        "aten.pro"
        "ludivinecassal.com"
        "piedsjaloux.fr"
        "osteopathe-cc.fr"
        "connexionswing.com"
      ];
};
# The AuthorizedKeysCommand referenced from services.openssh above: a wrapped
# copy of ./ldap_authorized_keys.sh with its tool paths pinned to the store.
# Root ownership and a non-writable mode are what sshd demands of this file.
# NOTE(review): LDAP_PASS is read from the deployer's environment and passed to
# `wrap` as a variable, so it presumably ends up inside the generated script,
# i.e. in the world-readable Nix store on the host — confirm how `wrap` embeds
# vars and that the bind account is read-only.
environment.etc."ssh/ldap_authorized_keys" = {
  enable = true;
  mode = "0755";
  user = "root";
  source =
    assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
    wrap {
      name = "ldap_authorized_keys";
      file = ./ldap_authorized_keys.sh;
      vars = {
        LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
        GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
        ECHO = "${pkgs.coreutils}/bin/echo";
      };
      paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
    };
};
# Unauthenticated git:// service (port 9418 is opened in the firewall above),
# serving the repositories under the git web varDir as the gitolite account.
services.gitDaemon = {
  enable = true;
  basePath = "${mypkgs.git.web.varDir}/repositories";
  user = "gitolite";
  group = "gitolite";
};
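# FIXME: logrotate
services.httpd = let
  # Common settings of an HTTPS vhost backed by the ACME certificate named
  # `domain` (material under /var/lib/acme/<domain>). HTTPS listens on the
  # main address only; the production/integration addresses are presumably
  # consumed by services.myWebsites.
  withConf = domain: {
    enableSSL = true;
    sslServerCert = "/var/lib/acme/${domain}/cert.pem";
    sslServerKey = "/var/lib/acme/${domain}/key.pem";
    sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
    logFormat = "combinedVhost";
    listen = [
      { ip = myconfig.ips.main; port = 443; }
    ];
  };
  # Per-site apache fragments (modules / extraConfig) contributed by the websites module.
  apacheConfig = config.services.myWebsites.apacheConfig;
in rec {
  enable = true;
  logPerVirtualHost = true;
  multiProcessingModule = "worker";
  adminAddr = "httpd@immae.eu";
  logFormat = "combinedVhost";
  # Deduplicated union of every application's module requirements.
  # NOTE(review): davical and infcloud contribute a vhostConf below but no
  # `.apache.modules` entry here — confirm they need none.
  extraModules = pkgs.lib.lists.unique (
    mypkgs.adminer.apache.modules ++
    mypkgs.nextcloud.apache.modules ++
    mypkgs.ympd.apache.modules ++
    mypkgs.git.web.apache.modules ++
    mypkgs.mantisbt.apache.modules ++
    mypkgs.ttrss.apache.modules ++
    mypkgs.roundcubemail.apache.modules ++
    pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig));
  # Global fragments from the websites module, skipping sites that define none.
  extraConfig = builtins.concatStringsSep "\n"
    (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
  virtualHosts = [
    (withConf "eldiron" // {
      hostName = "eldiron.immae.eu";
      documentRoot = ./www;
      extraConfig = ''
        DirectoryIndex index.htm
      '';
    })
    (withConf "eldiron" // {
      hostName = "db-1.immae.eu";
      documentRoot = null;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.adminer.apache.vhostConf
      ];
    })
    (withConf "eldiron" // {
      hostName = "tools.immae.eu";
      documentRoot = null;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.adminer.apache.vhostConf
        mypkgs.ympd.apache.vhostConf
        mypkgs.ttrss.apache.vhostConf
        mypkgs.roundcubemail.apache.vhostConf
      ];
    })
    (withConf "eldiron" // {
      hostName = "dav.immae.eu";
      documentRoot = null;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.infcloud.apache.vhostConf
        mypkgs.davical.apache.vhostConf
      ];
    })
    (withConf "connexionswing" // {
      hostName = "connexionswing.com";
      serverAliases = [ "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
      documentRoot = mypkgs.connexionswing_prod.webRoot;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.connexionswing_prod.apache.vhostConf
      ];
    })
    (withConf "ludivinecassal" // {
      hostName = "ludivinecassal.com";
      serverAliases = [ "www.ludivinecassal.com" ];
      documentRoot = mypkgs.ludivinecassal_prod.webRoot;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.ludivinecassal_prod.apache.vhostConf
      ];
    })
    (withConf "piedsjaloux" // {
      hostName = "piedsjaloux.fr";
      serverAliases = [ "www.piedsjaloux.fr" ];
      documentRoot = mypkgs.piedsjaloux_prod.webRoot;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.piedsjaloux_prod.apache.vhostConf
      ];
    })
    (withConf "chloe" // {
      hostName = "osteopathe-cc.fr";
      serverAliases = [ "www.osteopathe-cc.fr" ];
      documentRoot = mypkgs.chloe_prod.webRoot;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.chloe_prod.apache.vhostConf
      ];
    })
    (withConf "aten" // {
      hostName = "aten.pro";
      serverAliases = [ "www.aten.pro" ];
      documentRoot = mypkgs.aten_prod.webRoot;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.aten_prod.apache.vhostConf
      ];
    })
    (withConf "eldiron" // {
      hostName = "cloud.immae.eu";
      documentRoot = mypkgs.nextcloud.webRoot;
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.nextcloud.apache.vhostConf
      ];
    })
    (withConf "eldiron" // {
      hostName = "git.immae.eu";
      documentRoot = mypkgs.git.web.webRoot;
      # /releases is reverse-proxied ([P]) to release.immae.eu; the RewriteCond
      # restricts the rule to request URIs starting with that prefix.
      extraConfig = builtins.concatStringsSep "\n" [
        mypkgs.git.web.apache.vhostConf
        mypkgs.mantisbt.apache.vhostConf
      ] + ''
        RewriteEngine on
        RewriteCond %{REQUEST_URI} ^/releases
        RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
      '';
    })
    { # Should go last, default fallback
      listen = [ { ip = "*"; port = 80; } ];
      hostName = "redirectSSL";
      serverAliases = [ "*" ];
      enableSSL = false;
      logFormat = "combinedVhost";
      # Plain-HTTP catch-all: serves ACME http-01 challenges from the webroot
      # created in system.activationScripts.httpd and redirects everything
      # else to HTTPS.
      # NOTE(review): the redirect target is built from the client-supplied
      # Host header (%{HTTP_HOST}), so arbitrary host values are echoed back
      # in the Location header; a fixed server name would avoid that — decide
      # whether it matters for this catch-all.
      documentRoot = "/var/lib/acme/acme-challenge";
      extraConfig = ''
        RewriteEngine on
        RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
        RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
        # To redirect in specific "VirtualHost *:80", do
        # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
        # rather than rewrite
      '';
    }
  ];
};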
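services.cron = {
  enable = true;
  systemCronJobs = let
    # Daily goaccess report for one site: yesterday's lines from the current and
    # rotated access logs are gathered into a temporary file, then rendered to
    # /var/lib/goaccess/<domain>/index.html with the given goaccess config
    # (the config file is copied into the store through ${conf}).
    stats = domain: conf: let
      d = pkgs.writeScriptBin "stats-${domain}" ''
        #!${pkgs.stdenv.shell}
        set -e
        shopt -s nullglob
        date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
        TMPFILE=$(mktemp)
        trap 'rm -f "$TMPFILE"' EXIT

        # An absent live log (fresh host, or just rotated) contributes nothing
        # rather than aborting the run; rotated logs are matched by glob.
        log=/var/log/httpd/access_log-${domain}
        if [ -r "$log" ]; then
          sed -n "/\\[$date_regex/ p" "$log" > "$TMPFILE"
        else
          : > "$TMPFILE"
        fi
        for i in "$log"*.gz; do
          zcat "$i" | sed -n "/\\[$date_regex/ p" >> "$TMPFILE"
        done
        goaccess "$TMPFILE" --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf}
      '';
    in "${d}/bin/stats-${domain}";
    # FIXME: running several goaccess simultaneously seems to be
    # bugged?
  in [
    "5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}"
    "6 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}"
    "7 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}"
    "8 0 * * * root ${stats "osteopathe-cc.fr" ./packages/chloe_goaccess.conf}"
    "9 0 * * * root ${stats "connexionswing.com" ./packages/connexionswing_goaccess.conf}"
  ];
};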
# tt-rss feed updater, run as wwwrun (the same account that owns the PHP
# session directories above) once PostgreSQL is up.
# NOTE(review): this uses pkgs.php while the occ wrapper above uses
# config.services.phpfpm.phpPackage — confirm both resolve to the same php.
# PermissionsStartOnly only affects ExecStartPre/Post, and none are defined
# here, so it appears to have no effect.
systemd.services.tt-rss = {
  description = "Tiny Tiny RSS feeds update daemon";
  wantedBy = [ "multi-user.target" ];
  requires = [ "postgresql.service" ];
  after = [ "network.target" "postgresql.service" ];
  serviceConfig = {
    User = "wwwrun";
    ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
    StandardOutput = "syslog";
    StandardError = "syslog";
    PermissionsStartOnly = true;
  };
};
378 };
379}