enableSSL = true;
sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
- sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
+ sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
logFormat = "combinedVhost";
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
+ listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
hostName = builtins.head vhostConf.hosts;
serverAliases = builtins.tail vhostConf.hosts or [];
documentRoot = vhostConf.root;
extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
};
nosslVhost = {
- listen = [ { ip = cfg.ip; port = 80; } ];
+ listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
hostName = "nossl.immae.eu";
enableSSL = false;
logFormat = "combinedVhost";
'';
};
redirectVhost = { # Should go last, catchall http -> https redirect
- listen = [ { ip = cfg.ip; port = 80; } ];
+ listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
hostName = "redirectSSL";
serverAliases = [ "*" ];
enableSSL = false;
};
in rec {
enable = true;
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
+ listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
stateDir = "/run/httpd_${name}";
logPerVirtualHost = true;
multiProcessingModule = "worker";
++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
++ [ redirectVhost ];
};
- makeServiceOptions = name: ip: {
+ makeServiceOptions = name: {
enable = lib.mkEnableOption "enable websites in ${name}";
- ip = lib.mkOption {
- type = lib.types.string;
- default = ip;
- description = "${name} ip to listen to";
+ ips = lib.mkOption {
+ type = lib.types.listOf lib.types.string;
+ default = let
+ ips = myconfig.env.servers.eldiron.ips.${name};
+ in
+ [ips.ip4] ++ (ips.ip6 or []);
+ description = "${name} ips to listen to";
};
modules = lib.mkOption {
type = lib.types.listOf (lib.types.str);
./ftp/nassime.nix
./ftp/florian.nix
./ftp/denisejerome.nix
+ ./ftp/leila.nix
./ftp/immae.nix
./ftp/release.nix
./ftp/temp.nix
];
options.services.myWebsites = {
- production = makeServiceOptions "production" myconfig.ips.production;
- integration = makeServiceOptions "integration" myconfig.ips.integration;
- tools = makeServiceOptions "tools" myconfig.ips.main;
+ production = makeServiceOptions "production";
+ integration = makeServiceOptions "integration";
+ tools = makeServiceOptions "main";
apacheConfig = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
};
config = {
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- interfaces."eth0".ipv4.addresses = [
- # 176.9.151.89 declared in nixops -> infra / tools
- { address = myconfig.ips.production; prefixLength = 32; }
- { address = myconfig.ips.integration; prefixLength = 32; }
- ];
- };
+ users.users.wwwrun.extraGroups = [ "keys" ];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
nixpkgs.overlays = [ (self: super: rec {
+ #openssl = self.openssl_1_1;
php = php72;
php72 = (super.php72.override {
mysql.connector-c = self.mariadb;
services.myWebsites.Jerome.production.enable = cfg.production.enable;
services.myWebsites.Nassime.production.enable = cfg.production.enable;
services.myWebsites.Florian.production.enable = cfg.production.enable;
+ services.myWebsites.Leila.production.enable = cfg.production.enable;
services.myWebsites.DeniseJerome.production.enable = cfg.production.enable;
services.myWebsites.Emilia.production.enable = cfg.production.enable;
services.myWebsites.Capitaines.production.enable = cfg.production.enable;
services.myWebsites.TellesFlorian.integration.enable = true;
services.myWebsites.Florian.integration.enable = true;
+ mySecrets.keys = [{
+ dest = "apache-ldap";
+ user = "wwwrun";
+ group = "wwwrun";
+ permissions = "0400";
+ text = ''
+ <Macro LDAPConnect>
+ <IfModule authnz_ldap_module>
+ AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+ AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
+ AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+ AuthType Basic
+ AuthName "Authentification requise (Acces LDAP)"
+ AuthBasicProvider ldap
+ </IfModule>
+ </Macro>
+ '';
+ }];
+
services.myWebsites.apacheConfig = {
gzip = {
modules = [ "deflate" "filter" ];
LDAPOpCacheTTL 600
</IfModule>
- <Macro LDAPConnect>
- <IfModule authnz_ldap_module>
- AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
- AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
- AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
- AuthType Basic
- AuthName "Authentification requise (Acces LDAP)"
- AuthBasicProvider ldap
- </IfModule>
- </Macro>
+ Include /var/secrets/apache-ldap
'';
};
global = {
install -d -m 0755 /var/lib/acme/acme-challenge
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
'';
};
phpOptions = ''
session.save_path = "/var/lib/php/sessions"
post_max_size = 20M
- session.gc_maxlifetime = 60*60*24*15
- session.cache_expire = 60*24*30
+ ; 15 days (seconds)
+ session.gc_maxlifetime = 1296000
+ ; 30 days (minutes)
+ session.cache_expire = 43200
'';
extraConfig = ''
log_level = notice