+++ /dev/null
-{ lib, pkgs, config, myconfig, ... }:
-let
- cfg = config.services.myWebsites;
- www_root = "/run/current-system/webapps/_www";
- theme_root = "/run/current-system/webapps/_theme";
- apacheConfig = {
- gzip = {
- modules = [ "deflate" "filter" ];
- extraConfig = ''
- AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
- '';
- };
- macros = {
- modules = [ "macro" ];
- };
- stats = {
- extraConfig = ''
- <Macro Stats %{domain}>
- Alias /webstats ${config.services.webstats.dataDir}/%{domain}
- <Directory ${config.services.webstats.dataDir}/%{domain}>
- DirectoryIndex index.html
- AllowOverride None
- Require all granted
- </Directory>
- <Location /webstats>
- Use LDAPConnect
- Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
- </Location>
- </Macro>
- '';
- };
- ldap = {
- modules = [ "ldap" "authnz_ldap" ];
- extraConfig = ''
- <IfModule ldap_module>
- LDAPSharedCacheSize 500000
- LDAPCacheEntries 1024
- LDAPCacheTTL 600
- LDAPOpCacheEntries 1024
- LDAPOpCacheTTL 600
- </IfModule>
-
- Include /var/secrets/apache-ldap
- '';
- };
- global = {
- extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
- };
- apaxy = {
- extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
- };
- http2 = {
- modules = [ "http2" ];
- extraConfig = ''
- Protocols h2 http/1.1
- '';
- };
- customLog = {
- extraConfig = ''
- LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
- '';
- };
- };
- makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
- makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
-in
-{
- imports = [
- ./tools/db.nix
- ./tools/tools
- ./tools/dav
- ./tools/cloud.nix
- ./tools/git
- ./tools/mastodon.nix
- ./tools/mediagoblin.nix
- ./tools/diaspora.nix
- ./tools/ether.nix
- ./tools/peertube.nix
- ];
-
- config = {
- users.users.wwwrun.extraGroups = [ "keys" ];
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- nixpkgs.overlays = [ (self: super: rec {
- #openssl = self.openssl_1_1;
- php = php72;
- php72 = (super.php72.override {
- mysql.connector-c = self.mariadb;
- config.php.mysqlnd = false;
- config.php.mysqli = false;
- }).overrideAttrs(old: rec {
- # Didn't manage to build with mysqli + mysql_config connector
- configureFlags = old.configureFlags ++ [
- "--with-mysqli=shared,mysqlnd"
- ];
- # preConfigure = (old.preConfigure or "") + ''
- # export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
- # sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
- # ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
- # '';
- });
- phpPackages = super.php72Packages.override { inherit php; };
- }) ];
-
- services.myWebsites.tools.databases.enable = true;
- services.myWebsites.tools.tools.enable = true;
- services.myWebsites.tools.dav.enable = true;
- services.myWebsites.tools.cloud.enable = true;
- services.myWebsites.tools.git.enable = true;
- services.myWebsites.tools.mastodon.enable = true;
- services.myWebsites.tools.mediagoblin.enable = true;
- services.myWebsites.tools.diaspora.enable = true;
- services.myWebsites.tools.etherpad-lite.enable = true;
- services.myWebsites.tools.peertube.enable = true;
-
- secrets.keys = [{
- dest = "apache-ldap";
- user = "wwwrun";
- group = "wwwrun";
- permissions = "0400";
- text = ''
- <Macro LDAPConnect>
- <IfModule authnz_ldap_module>
- AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
- AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
- AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
- AuthType Basic
- AuthName "Authentification requise (Acces LDAP)"
- AuthBasicProvider ldap
- </IfModule>
- </Macro>
- '';
- }];
-
- system.activationScripts = {
- httpd = ''
- install -d -m 0755 ${config.security.acme.directory}/acme-challenge
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
- '';
- };
-
- system.extraSystemBuilderCmds = let
- adminer = pkgs.callPackage ./commons/adminer.nix {};
- in ''
- mkdir -p $out/webapps
- ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www
- ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme
- ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
- '';
-
- services.phpfpm = {
- phpPackage = pkgs.php;
- phpOptions = ''
- session.save_path = "/var/lib/php/sessions"
- post_max_size = 20M
- ; 15 days (seconds)
- session.gc_maxlifetime = 1296000
- ; 30 days (minutes)
- session.cache_expire = 43200
- '';
- extraConfig = ''
- log_level = notice
- '';
- };
-
- services.websites.production = {
- enable = true;
- adminAddr = "httpd@immae.eu";
- httpdName = "Prod";
- ips =
- let ips = myconfig.env.servers.eldiron.ips.production;
- in [ips.ip4] ++ (ips.ip6 or []);
- modules = makeModules;
- extraConfig = makeExtraConfig;
- fallbackVhost = {
- certName = "eldiron";
- hosts = ["eldiron.immae.eu" ];
- root = www_root;
- extraConfig = [ "DirectoryIndex index.htm" ];
- };
- };
-
- services.websites.integration = {
- enable = true;
- adminAddr = "httpd@immae.eu";
- httpdName = "Inte";
- ips =
- let ips = myconfig.env.servers.eldiron.ips.integration;
- in [ips.ip4] ++ (ips.ip6 or []);
- modules = makeModules;
- extraConfig = makeExtraConfig;
- fallbackVhost = {
- certName = "eldiron";
- hosts = ["eldiron.immae.eu" ];
- root = www_root;
- extraConfig = [ "DirectoryIndex index.htm" ];
- };
- };
-
- services.websites.tools = {
- enable = true;
- adminAddr = "httpd@immae.eu";
- httpdName = "Tools";
- ips =
- let ips = myconfig.env.servers.eldiron.ips.main;
- in [ips.ip4] ++ (ips.ip6 or []);
- modules = makeModules;
- extraConfig = makeExtraConfig ++
- [ ''
- RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
- RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
- RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
- RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
- RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
- RedirectMatch ^/CGU$ https://www.immae.eu/CGU
- ''
- ];
- nosslVhost = {
- enable = true;
- host = "nossl.immae.eu";
- };
- fallbackVhost = {
- certName = "eldiron";
- hosts = ["eldiron.immae.eu" ];
- root = www_root;
- extraConfig = [ "DirectoryIndex index.htm" ];
- };
- };
- };
-}
projects / perso / Immae / Config / Nix.git / blobdiff