documentRoot = vhostConf.root;
extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
};
+ redirectVhost = { # Should go last, catchall http -> https redirect
+ listen = [ { ip = cfg.ip; port = 80; } ];
+ hostName = "redirectSSL";
+ serverAliases = [ "*" ];
+ enableSSL = false;
+ logFormat = "combinedVhost";
+ documentRoot = "/var/lib/acme/acme-challenge";
+ extraConfig = ''
+ RewriteEngine on
+ RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
+ RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
+ # To redirect in specific "VirtualHost *:80", do
+ # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+ # rather than rewrite
+ '';
+ };
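Review bot: The catch-all rule `RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]` reflects the client-supplied Host header into the Location header, and because the vhost has `serverAliases = [ "*" ]` any Host value a client sends becomes a cacheable 301 to `https://<that host>/…` — the classic Host-header open redirect, low impact but routinely flagged by scanners. If the set of names served on this IP is known, add a `RewriteCond %{HTTP_HOST} ^…$ [NC]` that whitelists them before the rule (the concrete list is not visible here), and consider `[R=301,L]` so no later rewrite rule keeps processing the redirected request. Since `documentRoot` is `/var/lib/acme/acme-challenge`, only `/.well-known/...` paths are ever served from it; a short comment stating that the root exists solely for ACME HTTP-01 validation would help the next reader, e.g. `# Only /.well-known/ is served from this root (ACME challenges); everything else is redirected.`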
+ fallbackVhost = toVhost { # Should go first, default choice
+ certName = "eldiron";
+ hosts = ["eldiron.immae.eu" ];
+ root = ../../www;
+ extraConfig = [ "DirectoryIndex index.htm" ];
+ };
in rec {
enable = true;
listen = [
logFormat = "combinedVhost";
extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
- virtualHosts = pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs;
+ virtualHosts = [ fallbackVhost ]
+ ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
+ ++ [ redirectVhost ];
};
makeServiceOptions = name: ip: {
enable = lib.mkEnableOption "enable websites in ${name}";
});
};
};
+ makeModules = cfg: pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
+ makeExtraConfig = cfg: (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
in
{
imports = [
./aten
./piedsjaloux
./connexionswing
+ ./tellesflorian
+ ./tools/db
+ ./tools/tools
+ ./tools/dav
+ ./tools/cloud
+ ./tools/git
+ ./tools/mastodon
+ ./tools/mediagoblin
+ ./tools/diaspora
# built using:
# sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
+ # Removed allGranted
# And removed users / groups
./apache/httpd_prod.nix
./apache/httpd_inte.nix
+ # except for this one for users/groups
+ ./apache/httpd_tools.nix
+ # Adapted from base phpfpm
+ ./phpfpm
];
options.services.myWebsites = {
production = makeServiceOptions "production" myconfig.ips.production;
integration = makeServiceOptions "integration" myconfig.ips.integration;
+ tools = makeServiceOptions "tools" myconfig.ips.main;
apacheConfig = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
];
};
+ nixpkgs.config.packageOverrides = oldpkgs: rec {
+ php = php72;
+ php72 = (oldpkgs.php72.override {
+ mysql.connector-c = pkgs.mariadb;
+ config.php.mysqlnd = false;
+ config.php.mysqli = false;
+ }).overrideAttrs(old: rec {
+ # Didn't manage to build with mysqli + mysql_config connector
+ configureFlags = old.configureFlags ++ [
+ "--with-mysqli=shared,mysqlnd"
+ ];
+ # preConfigure = (old.preConfigure or "") + ''
+ # export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
+ # sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
+ # ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
+ # '';
+ });
+ phpPackages = oldpkgs.php72Packages.override { inherit php; };
+ composerEnv = import ./commons/composer-env.nix {
+ inherit (pkgs) stdenv writeTextFile fetchurl php unzip;
+ };
+ };
+
+ services.myWebsites.tools.databases.enable = true;
+ services.myWebsites.tools.tools.enable = true;
+ services.myWebsites.tools.dav.enable = true;
+ services.myWebsites.tools.cloud.enable = true;
+ services.myWebsites.tools.git.enable = true;
+ services.myWebsites.tools.mastodon.enable = true;
+ services.myWebsites.tools.mediagoblin.enable = true;
+ services.myWebsites.tools.diaspora.enable = true;
+
services.myWebsites.Chloe.production.enable = cfg.production.enable;
services.myWebsites.Ludivine.production.enable = cfg.production.enable;
services.myWebsites.Aten.production.enable = cfg.production.enable;
services.myWebsites.Aten.integration.enable = cfg.integration.enable;
services.myWebsites.PiedsJaloux.integration.enable = cfg.integration.enable;
services.myWebsites.Connexionswing.integration.enable = cfg.integration.enable;
+ services.myWebsites.TellesFlorian.integration.enable = true;
services.myWebsites.apacheConfig = {
gzip = {
};
ldap = {
modules = [ "ldap" "authnz_ldap" ];
- # FIXME: starttls
- extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
+ extraConfig = ''
<IfModule ldap_module>
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
<IfModule authnz_ldap_module>
AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
- AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
+ AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
AuthType Basic
AuthName "Authentification requise (Acces LDAP)"
AuthBasicProvider ldap
Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
</Location>
</Macro>
+
+ ErrorDocument 500 /maintenance_immae.html
+ ErrorDocument 501 /maintenance_immae.html
+ ErrorDocument 502 /maintenance_immae.html
+ ErrorDocument 503 /maintenance_immae.html
+ ErrorDocument 504 /maintenance_immae.html
+ Alias /maintenance_immae.html ${../../www}/maintenance_immae.html
+ ProxyPass /maintenance_immae.html !
+
+ AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${../../www}/googleb6d69446ff4ca3e5.html
'';
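Review bot: `AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"` interpolates the bind password into the Apache configuration at Nix evaluation time, so it lands in the generated httpd.conf in `/nix/store`, which is world-readable on the host — the replaced `builtins.getEnv` form had the same exposure, and the module this is derived from (see the sed note near `httpd_prod.nix`) renders its config into the store. Apache 2.4.5+ accepts `AuthLDAPBindPassword exec:/run/keys/httpd-ldap-bind` so the secret can be read at runtime from a root-only file (or a NixOps/agenix-style deployed key) instead; any `Include` of a file outside the store works too. The `FIXME: starttls` was dropped and `AuthLDAPURL … STARTTLS` is present, but nothing in this hunk configures `LDAPTrustedGlobalCert`/`LDAPVerifyServerCert`; please confirm the CA trust is set elsewhere, otherwise the STARTTLS upgrade is not authenticated.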
};
http2 = {
};
};
- # FIXME: logrotate
- # FIXME: ipv6
+ system.activationScripts = {
+ httpd = ''
+ install -d -m 0755 /var/lib/acme/acme-challenge
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
+ install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
+ '';
+ };
+
+ services.myPhpfpm = {
+ phpPackage = pkgs.php;
+ phpOptions = ''
+ session.save_path = "/var/lib/php/sessions"
+ session.gc_maxlifetime = 60*60*24*15
+ session.cache_expire = 60*24*30
+ '';
+ extraConfig = ''
+ log_level = notice
+ '';
+ };
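Review bot: `session.gc_maxlifetime = 60*60*24*15` is most likely not evaluated as arithmetic: php.ini expressions support only bitwise operators and parentheses, so the value is kept as the string `60*60*24*15` and converted to its leading integer, giving a 60-second idle timeout instead of 15 days (the same applies to `session.cache_expire = 60*24*30`, which is in minutes). Write the precomputed values instead: `session.gc_maxlifetime = 1296000` and `session.cache_expire = 43200`, and verify on the host with `php -i | grep -E 'gc_maxlifetime|cache_expire'`. Note also that `session.save_path` points at the shared parent `/var/lib/php/sessions` while the activation script creates per-app `adminer`/`mantisbt`/`davical` subdirectories; unless each app overrides `save_path` in its own pool (not visible here), all applications share one session directory and session IDs are interchangeable between them.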
+
services.httpdProd = makeService "production" config.services.myWebsites.production;
- services.myWebsites.production.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
- services.myWebsites.production.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
+ services.myWebsites.production.modules = makeModules cfg;
+ services.myWebsites.production.extraConfig = makeExtraConfig cfg;
services.httpdInte = makeService "integration" config.services.myWebsites.integration;
- services.myWebsites.integration.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
- services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
+ services.myWebsites.integration.modules = makeModules cfg;
+ services.myWebsites.integration.extraConfig = makeExtraConfig cfg;
+
+ services.httpdTools = makeService "tools" config.services.myWebsites.tools;
+ services.myWebsites.tools.modules = makeModules cfg;
+ services.myWebsites.tools.extraConfig = makeExtraConfig cfg ++
+ [ ''
+ RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
+ RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+ RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
+ RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+ RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
+ RedirectMatch ^/CGU$ https://www.immae.eu/CGU
+ ''
+ ]
+ ;
};
}