-{ lib, pkgs, config, mylibs, myconfig, ... }:
+{ lib, pkgs, config, myconfig, ... }:
let
cfg = config.services.myWebsites;
+ www_root = "/run/current-system/webapps/_www";
+ theme_root = "/run/current-system/webapps/_theme";
makeService = name: cfg: let
toVhost = vhostConf: {
enableSSL = true;
sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
- sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
+ sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
logFormat = "combinedVhost";
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
+ listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
hostName = builtins.head vhostConf.hosts;
serverAliases = builtins.tail vhostConf.hosts or [];
documentRoot = vhostConf.root;
extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
};
+ nosslVhost = {
+ listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
+ hostName = "nossl.immae.eu";
+ enableSSL = false;
+ logFormat = "combinedVhost";
+ documentRoot = www_root;
+ extraConfig = ''
+ <Directory ${www_root}>
+ DirectoryIndex nossl.html
+ AllowOverride None
+ Require all granted
+
+ RewriteEngine on
+ RewriteRule ^/(.+) / [L]
+ </Directory>
+ '';
+ };
redirectVhost = { # Should go last, catchall http -> https redirect
- listen = [ { ip = cfg.ip; port = 80; } ];
+ listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
hostName = "redirectSSL";
serverAliases = [ "*" ];
enableSSL = false;
fallbackVhost = toVhost { # Should go first, default choice
certName = "eldiron";
hosts = ["eldiron.immae.eu" ];
- root = ../../www;
+ root = www_root;
extraConfig = [ "DirectoryIndex index.htm" ];
};
in rec {
enable = true;
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
+ listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
stateDir = "/run/httpd_${name}";
logPerVirtualHost = true;
multiProcessingModule = "worker";
extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
virtualHosts = [ fallbackVhost ]
+ ++ lib.optionals (name == "tools") [ nosslVhost ]
++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
++ [ redirectVhost ];
};
- makeServiceOptions = name: ip: {
+ makeServiceOptions = name: {
enable = lib.mkEnableOption "enable websites in ${name}";
- ip = lib.mkOption {
- type = lib.types.string;
- default = ip;
- description = "${name} ip to listen to";
+ ips = lib.mkOption {
+ type = lib.types.listOf lib.types.string;
+ default = let
+ ips = myconfig.env.servers.eldiron.ips.${name};
+ in
+ [ips.ip4] ++ (ips.ip6 or []);
+ description = "${name} ips to listen to";
};
modules = lib.mkOption {
type = lib.types.listOf (lib.types.str);
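Review bot: The `RewriteRule ^/(.+) / [L]` inside `<Directory ${www_root}>` of `nosslVhost` can never match: in per-directory context mod_rewrite strips the directory prefix before matching, so the compared path has no leading slash (this is documented for per-directory rules), and every request other than `/` will 404 instead of landing on the nossl page. If the intent is "anything that is not `/` shows nossl.html", the simplest subrequest-safe form is to replace the two rewrite lines with `FallbackResource /nossl.html` (mod_dir, which DirectoryIndex already needs); otherwise drop the leading slash and guard the index subrequest, e.g. `RewriteCond %{IS_SUBREQ} false` followed by `RewriteRule ^(.+)$ / [L]`. Whether `rewrite` is in this vhost's module list is not visible in the hunk. `makeServiceOptions` at the end of the hunk continues past it.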
./piedsjaloux
./connexionswing
./tellesflorian
+ ./emilia
+ ./capitaines
./ftp/jerome.nix
./ftp/nassime.nix
./ftp/florian.nix
- ./tools/db
+ ./ftp/denisejerome.nix
+ ./ftp/leila.nix
+ ./ftp/papa.nix
+ ./ftp/immae.nix
+ ./ftp/release.nix
+ ./ftp/temp.nix
+ ./tools/db.nix
./tools/tools
./tools/dav
- ./tools/cloud
+ ./tools/cloud.nix
./tools/git
- ./tools/mastodon
- ./tools/mediagoblin
- ./tools/diaspora
- ./tools/ether
- # built using:
- # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
- # Removed allGranted
- # And removed users / groups
- ./apache/httpd_prod.nix
- ./apache/httpd_inte.nix
- # except for this one for users/groups
- ./apache/httpd_tools.nix
+ ./tools/mastodon.nix
+ ./tools/mediagoblin.nix
+ ./tools/diaspora.nix
+ ./tools/ether.nix
+ ./tools/peertube.nix
# Adapted from base phpfpm
./phpfpm
];
options.services.myWebsites = {
- production = makeServiceOptions "production" myconfig.ips.production;
- integration = makeServiceOptions "integration" myconfig.ips.integration;
- tools = makeServiceOptions "tools" myconfig.ips.main;
+ production = makeServiceOptions "production";
+ integration = makeServiceOptions "integration";
+ tools = makeServiceOptions "main";
apacheConfig = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
};
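Review bot: `tools = makeServiceOptions "main"` now passes the IP-lookup key where the old call passed the service name, so the generated option description reads "enable websites in main" while the attribute is `tools` and `makeService` still tests `name == "tools"`. A one-line comment would stop the next reader from "correcting" it back: `# "main" is the key under myconfig.env.servers.eldiron.ips, not the service name`. If the two meanings keep diverging, giving `makeServiceOptions` a separate `ipKey` argument would be cleaner than overloading `name`. The enclosing `options.services.myWebsites` set continues past the hunk.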
config = {
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- interfaces."eth0".ipv4.addresses = [
- # 176.9.151.89 declared in nixops -> infra / tools
- { address = myconfig.ips.production; prefixLength = 32; }
- { address = myconfig.ips.integration; prefixLength = 32; }
- ];
- };
+ users.users.wwwrun.extraGroups = [ "keys" ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
- nixpkgs.config.packageOverrides = oldpkgs: rec {
+ nixpkgs.overlays = [ (self: super: rec {
+ #openssl = self.openssl_1_1;
php = php72;
- php72 = (oldpkgs.php72.override {
- mysql.connector-c = pkgs.mariadb;
+ php72 = (super.php72.override {
+ mysql.connector-c = self.mariadb;
config.php.mysqlnd = false;
config.php.mysqli = false;
}).overrideAttrs(old: rec {
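Review bot: `users.users.wwwrun.extraGroups = [ "keys" ]` widens what the web-server account can read to every key file delivered group-readable to `keys`, while the only secret declared for it in this file (`apache-ldap`) is already owned `wwwrun:wwwrun` with mode 0400 and needs no group membership to be read. If the `secrets.keys` module (not visible here) only needs the group to traverse its directory, say so on the line, e.g. `# needed only to traverse the secrets directory; apache-ldap itself is wwwrun:wwwrun 0400`; otherwise drop it. Dropping `firewall.enable = true` is fine only because NixOS enables the firewall by default — if another module ever sets it off, ports 80/443 will no longer be the only ones exposed, which may deserve an explicit `enable = true` retained here. The overlay's php72 `overrideAttrs` body continues past the hunk.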
# ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
# '';
});
- phpPackages = oldpkgs.php72Packages.override { inherit php; };
- composerEnv = import ./commons/composer-env.nix {
- inherit (pkgs) stdenv writeTextFile fetchurl php unzip;
- };
- };
+ phpPackages = super.php72Packages.override { inherit php; };
+ }) ];
services.myWebsites.tools.databases.enable = true;
services.myWebsites.tools.tools.enable = true;
services.myWebsites.tools.mediagoblin.enable = true;
services.myWebsites.tools.diaspora.enable = true;
services.myWebsites.tools.etherpad-lite.enable = true;
+ services.myWebsites.tools.peertube.enable = true;
services.myWebsites.Chloe.production.enable = cfg.production.enable;
services.myWebsites.Ludivine.production.enable = cfg.production.enable;
services.myWebsites.Jerome.production.enable = cfg.production.enable;
services.myWebsites.Nassime.production.enable = cfg.production.enable;
services.myWebsites.Florian.production.enable = cfg.production.enable;
+ services.myWebsites.Leila.production.enable = cfg.production.enable;
+ services.myWebsites.Papa.production.enable = cfg.production.enable;
+ services.myWebsites.DeniseJerome.production.enable = cfg.production.enable;
+ services.myWebsites.Emilia.production.enable = cfg.production.enable;
+ services.myWebsites.Capitaines.production.enable = cfg.production.enable;
+ services.myWebsites.Immae.production.enable = cfg.production.enable;
+ services.myWebsites.Release.production.enable = cfg.production.enable;
+ services.myWebsites.Temp.production.enable = cfg.production.enable;
services.myWebsites.Chloe.integration.enable = cfg.integration.enable;
services.myWebsites.Ludivine.integration.enable = cfg.integration.enable;
services.myWebsites.TellesFlorian.integration.enable = true;
services.myWebsites.Florian.integration.enable = true;
+ secrets.keys = [{
+ dest = "apache-ldap";
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = ''
+ <Macro LDAPConnect>
+ <IfModule authnz_ldap_module>
+ AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+ AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
+ AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+ AuthType Basic
+ AuthName "Authentification requise (Acces LDAP)"
+ AuthBasicProvider ldap
+ </IfModule>
+ </Macro>
+ '';
+ }];
+
services.myWebsites.apacheConfig = {
gzip = {
modules = [ "deflate" "filter" ];
macros = {
modules = [ "macro" ];
};
- ldap = {
- modules = [ "ldap" "authnz_ldap" ];
+ stats = {
extraConfig = ''
- <IfModule ldap_module>
- LDAPSharedCacheSize 500000
- LDAPCacheEntries 1024
- LDAPCacheTTL 600
- LDAPOpCacheEntries 1024
- LDAPOpCacheTTL 600
- </IfModule>
-
- <Macro LDAPConnect>
- <IfModule authnz_ldap_module>
- AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
- AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
- AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
- AuthType Basic
- AuthName "Authentification requise (Acces LDAP)"
- AuthBasicProvider ldap
- </IfModule>
- </Macro>
-
<Macro Stats %{domain}>
- Alias /awstats /var/lib/goaccess/%{domain}
- <Directory /var/lib/goaccess/%{domain}>
+ Alias /webstats ${config.services.webstats.dataDir}/%{domain}
+ <Directory ${config.services.webstats.dataDir}/%{domain}>
DirectoryIndex index.html
AllowOverride None
Require all granted
</Directory>
- <Location /awstats>
+ <Location /webstats>
Use LDAPConnect
Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
</Location>
</Macro>
+ '';
+ };
+ ldap = {
+ modules = [ "ldap" "authnz_ldap" ];
+ extraConfig = ''
+ <IfModule ldap_module>
+ LDAPSharedCacheSize 500000
+ LDAPCacheEntries 1024
+ LDAPCacheTTL 600
+ LDAPOpCacheEntries 1024
+ LDAPOpCacheTTL 600
+ </IfModule>
- ErrorDocument 500 /maintenance_immae.html
- ErrorDocument 501 /maintenance_immae.html
- ErrorDocument 502 /maintenance_immae.html
- ErrorDocument 503 /maintenance_immae.html
- ErrorDocument 504 /maintenance_immae.html
- Alias /maintenance_immae.html ${../../www}/maintenance_immae.html
- ProxyPass /maintenance_immae.html !
-
- AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${../../www}/googleb6d69446ff4ca3e5.html
+ Include /var/secrets/apache-ldap
'';
};
+ global = {
+ extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
+ };
+ apaxy = {
+ extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
+ };
http2 = {
modules = [ "http2" ];
extraConfig = ''
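Review bot: Moving `AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"` out of `apacheConfig.ldap.extraConfig` into a `secrets.keys` entry only keeps the bind password out of the world-readable Nix store if that module writes `text` out-of-band at activation; the value is still interpolated at evaluation time, so if the implementation uses `writeText`/`toFile` it lands in a store path anyway, and the previous httpd.conf also survives in older system generations until they are garbage-collected. A comment on the entry would make the expectation reviewable: `# text must never be copied into the Nix store: delivered to /var/secrets/apache-ldap at activation and read by httpd (as root) at startup via the Include in apacheConfig.ldap`. Independently, the Stats macro keeps `Require all granted` on `<Directory …/%{domain}>` and relies on the later `<Location /webstats>` merge to impose `Require ldap-group`; placing the ldap-group requirement directly in the `<Directory>` would keep the stats protected even if another alias or vhost ever maps that directory. The `ldap` and `stats` attribute sets are complete here, but the surrounding `apacheConfig` set continues past the hunk.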
install -d -m 0755 /var/lib/acme/acme-challenge
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
'';
};
+ system.extraSystemBuilderCmds = let
+ adminer = pkgs.callPackage ./commons/adminer.nix {};
+ in ''
+ mkdir -p $out/webapps
+ ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www
+ ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme
+ ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
+ '';
+
services.myPhpfpm = {
phpPackage = pkgs.php;
phpOptions = ''
session.save_path = "/var/lib/php/sessions"
- session.gc_maxlifetime = 60*60*24*15
- session.cache_expire = 60*24*30
+ post_max_size = 20M
+ ; 15 days (seconds)
+ session.gc_maxlifetime = 1296000
+ ; 30 days (minutes)
+ session.cache_expire = 43200
'';
extraConfig = ''
log_level = notice
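Review bot: `post_max_size = 20M` raises the request-body limit, but PHP's `upload_max_filesize` still defaults to 2M, so if larger uploads are the reason for the change add `upload_max_filesize = 20M` beside it; if they are not, the larger body limit is only extra buffering for every endpoint. The converted constants are correct (15 days = 1296000 s, 30 days = 43200 min), but a 15-day server-side session lifetime is a long hijack window for the admin tools whose session directories are created in this same hunk (adminer, phpldapadmin, mantisbt, davical) and which appear to share these global options; a one-line justification such as `; 15-day sessions are deliberate for this shared pool; tighten per app where sensitive` would help the next reader. The `services.myPhpfpm` set continues past the hunk.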