+++ /dev/null
-{ lib, pkgs, config, mylibs, myconfig, ... }:
-let
- cfg = config.services.myWebsites;
- makeService = name: cfg: let
- toVhost = vhostConf: {
- enableSSL = true;
- sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
- sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
- sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
- logFormat = "combinedVhost";
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
- hostName = builtins.head vhostConf.hosts;
- serverAliases = builtins.tail vhostConf.hosts or [];
- documentRoot = vhostConf.root;
- extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
- };
- redirectVhost = { # Should go last, catchall http -> https redirect
- listen = [ { ip = cfg.ip; port = 80; } ];
- hostName = "redirectSSL";
- serverAliases = [ "*" ];
- enableSSL = false;
- logFormat = "combinedVhost";
- documentRoot = "/var/lib/acme/acme-challenge";
- extraConfig = ''
- RewriteEngine on
- RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
- RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
- # To redirect in specific "VirtualHost *:80", do
- # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
- # rather than rewrite
- '';
- };
- fallbackVhost = toVhost { # Should go first, default choice
- certName = "eldiron";
- hosts = ["eldiron.immae.eu" ];
- root = ../../www;
- extraConfig = [ "DirectoryIndex index.htm" ];
- };
- in rec {
- enable = true;
- listen = [
- { ip = cfg.ip; port = 443; }
- ];
- stateDir = "/run/httpd_${name}";
- logPerVirtualHost = true;
- multiProcessingModule = "worker";
- adminAddr = "httpd@immae.eu";
- logFormat = "combinedVhost";
- extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
- extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
- virtualHosts = [ fallbackVhost ]
- ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
- ++ [ redirectVhost ];
- };
- makeServiceOptions = name: ip: {
- enable = lib.mkEnableOption "enable websites in ${name}";
- ip = lib.mkOption {
- type = lib.types.string;
- default = ip;
- description = "${name} ip to listen to";
- };
- modules = lib.mkOption {
- type = lib.types.listOf (lib.types.str);
- default = [];
- };
- extraConfig = lib.mkOption {
- type = lib.types.listOf (lib.types.lines);
- default = [];
- };
- vhostConfs = lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule {
- options = {
- certName = lib.mkOption { type = lib.types.string; };
- hosts = lib.mkOption { type = lib.types.listOf lib.types.string; };
- root = lib.mkOption { type = lib.types.nullOr lib.types.path; };
- extraConfig = lib.mkOption { type = lib.types.listOf lib.types.lines; default = []; };
- };
- });
- };
- };
- makeModules = cfg: pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
- makeExtraConfig = cfg: (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
-in
-{
- imports = [
- ./chloe
- ./ludivine
- ./aten
- ./piedsjaloux
- ./connexionswing
- ./tellesflorian
- ./tools/db
- ./tools/tools
- ./tools/dav
- ./tools/cloud
- ./tools/git
- ./tools/mastodon
- ./tools/mediagoblin
- ./tools/diaspora
- ./tools/ether
- # built using:
- # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
- # Removed allGranted
- # And removed users / groups
- ./apache/httpd_prod.nix
- ./apache/httpd_inte.nix
- # except for this one for users/groups
- ./apache/httpd_tools.nix
- # Adapted from base phpfpm
- ./phpfpm
- ];
-
- options.services.myWebsites = {
- production = makeServiceOptions "production" myconfig.ips.production;
- integration = makeServiceOptions "integration" myconfig.ips.integration;
- tools = makeServiceOptions "tools" myconfig.ips.main;
-
- apacheConfig = lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule {
- options = {
- modules = lib.mkOption {
- type = lib.types.listOf (lib.types.str);
- default = [];
- };
- extraConfig = lib.mkOption {
- type = lib.types.nullOr lib.types.lines;
- default = null;
- };
- };
- });
- default = {};
- description = "Extra global config";
- };
-
- };
-
- config = {
- networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 80 443 ];
- };
- interfaces."eth0".ipv4.addresses = [
- # 176.9.151.89 declared in nixops -> infra / tools
- { address = myconfig.ips.production; prefixLength = 32; }
- { address = myconfig.ips.integration; prefixLength = 32; }
- ];
- };
-
- nixpkgs.config.packageOverrides = oldpkgs: rec {
- php = php72;
- php72 = (oldpkgs.php72.override {
- mysql.connector-c = pkgs.mariadb;
- config.php.mysqlnd = false;
- config.php.mysqli = false;
- }).overrideAttrs(old: rec {
- # Didn't manage to build with mysqli + mysql_config connector
- configureFlags = old.configureFlags ++ [
- "--with-mysqli=shared,mysqlnd"
- ];
- # preConfigure = (old.preConfigure or "") + ''
- # export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
- # sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
- # ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
- # '';
- });
- phpPackages = oldpkgs.php72Packages.override { inherit php; };
- composerEnv = import ./commons/composer-env.nix {
- inherit (pkgs) stdenv writeTextFile fetchurl php unzip;
- };
- };
-
- services.myWebsites.tools.databases.enable = true;
- services.myWebsites.tools.tools.enable = true;
- services.myWebsites.tools.dav.enable = true;
- services.myWebsites.tools.cloud.enable = true;
- services.myWebsites.tools.git.enable = true;
- services.myWebsites.tools.mastodon.enable = true;
- services.myWebsites.tools.mediagoblin.enable = true;
- services.myWebsites.tools.diaspora.enable = true;
- services.myWebsites.tools.etherpad-lite.enable = true;
-
- services.myWebsites.Chloe.production.enable = cfg.production.enable;
- services.myWebsites.Ludivine.production.enable = cfg.production.enable;
- services.myWebsites.Aten.production.enable = cfg.production.enable;
- services.myWebsites.PiedsJaloux.production.enable = cfg.production.enable;
- services.myWebsites.Connexionswing.production.enable = cfg.production.enable;
-
- services.myWebsites.Chloe.integration.enable = cfg.integration.enable;
- services.myWebsites.Ludivine.integration.enable = cfg.integration.enable;
- services.myWebsites.Aten.integration.enable = cfg.integration.enable;
- services.myWebsites.PiedsJaloux.integration.enable = cfg.integration.enable;
- services.myWebsites.Connexionswing.integration.enable = cfg.integration.enable;
- services.myWebsites.TellesFlorian.integration.enable = true;
-
- services.myWebsites.apacheConfig = {
- gzip = {
- modules = [ "deflate" "filter" ];
- extraConfig = ''
- AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
- '';
- };
- macros = {
- modules = [ "macro" ];
- };
- ldap = {
- modules = [ "ldap" "authnz_ldap" ];
- extraConfig = ''
- <IfModule ldap_module>
- LDAPSharedCacheSize 500000
- LDAPCacheEntries 1024
- LDAPCacheTTL 600
- LDAPOpCacheEntries 1024
- LDAPOpCacheTTL 600
- </IfModule>
-
- <Macro LDAPConnect>
- <IfModule authnz_ldap_module>
- AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
- AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
- AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
- AuthType Basic
- AuthName "Authentification requise (Acces LDAP)"
- AuthBasicProvider ldap
- </IfModule>
- </Macro>
-
- <Macro Stats %{domain}>
- Alias /awstats /var/lib/goaccess/%{domain}
- <Directory /var/lib/goaccess/%{domain}>
- DirectoryIndex index.html
- AllowOverride None
- Require all granted
- </Directory>
- <Location /awstats>
- Use LDAPConnect
- Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
- </Location>
- </Macro>
-
- ErrorDocument 500 /maintenance_immae.html
- ErrorDocument 501 /maintenance_immae.html
- ErrorDocument 502 /maintenance_immae.html
- ErrorDocument 503 /maintenance_immae.html
- ErrorDocument 504 /maintenance_immae.html
- Alias /maintenance_immae.html ${../../www}/maintenance_immae.html
- ProxyPass /maintenance_immae.html !
-
- AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${../../www}/googleb6d69446ff4ca3e5.html
- '';
- };
- http2 = {
- modules = [ "http2" ];
- extraConfig = ''
- Protocols h2 http/1.1
- '';
- };
- customLog = {
- extraConfig = ''
- LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
- '';
- };
- };
-
- system.activationScripts = {
- httpd = ''
- install -d -m 0755 /var/lib/acme/acme-challenge
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
- install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
- '';
- };
-
- services.myPhpfpm = {
- phpPackage = pkgs.php;
- phpOptions = ''
- session.save_path = "/var/lib/php/sessions"
- session.gc_maxlifetime = 60*60*24*15
- session.cache_expire = 60*24*30
- '';
- extraConfig = ''
- log_level = notice
- '';
- };
-
- services.httpdProd = makeService "production" config.services.myWebsites.production;
- services.myWebsites.production.modules = makeModules cfg;
- services.myWebsites.production.extraConfig = makeExtraConfig cfg;
-
- services.httpdInte = makeService "integration" config.services.myWebsites.integration;
- services.myWebsites.integration.modules = makeModules cfg;
- services.myWebsites.integration.extraConfig = makeExtraConfig cfg;
-
- services.httpdTools = makeService "tools" config.services.myWebsites.tools;
- services.myWebsites.tools.modules = makeModules cfg;
- services.myWebsites.tools.extraConfig = makeExtraConfig cfg ++
- [ ''
- RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
- RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
- RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
- RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
- RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
- RedirectMatch ^/CGU$ https://www.immae.eu/CGU
- ''
- ]
- ;
- };
-}