Move some elements to separate modules
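{
  # NixOps network metadata.
  network = {
    description = "Immae's network";
    enableRollback = true;
  };

  # NixOps machine definition for the "eldiron" host: httpd with several
  # PHP web applications, gitolite/gitweb/git-daemon, LDAP-backed SSH keys
  # and nightly goaccess statistics.
  eldiron = { config, pkgs, mylibs, ... }:
  with mylibs;
  let
    mypkgs = pkgs.callPackage ./packages.nix {
      inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
    };

    # Every ACME certificate below shares the same webroot, contact address,
    # plugin list and post-renewal hook; only the primary domain and the
    # extra (SAN) domains differ. Per-cert extras are added with `//`.
    mkCert = domain: extraDomains: {
      webroot = "/var/lib/acme/acme-challenge";
      email = "ismael@bouya.org";
      inherit domain extraDomains;
      plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
      postRun = ''
        systemctl reload httpd.service
      '';
    };
  in
  {
    _module.args = {
      mylibs = import ../libs.nix;
    };

    imports = [
      ./modules/gitolite.nix
      ./modules/gitweb.nix
      ./modules/databases.nix
    ];
    services.myGitolite.enable = true;
    services.myGitweb.enable = true;
    services.myDatabases.enable = true;

    # Pin goaccess to a fixed release (hash-checked tarball) and build it
    # with the Tokyo Cabinet B+tree storage backend.
    nixpkgs.config.packageOverrides = oldpkgs: {
      goaccess = oldpkgs.goaccess.overrideAttrs (old: rec {
        name = "goaccess-${version}";
        version = "1.3";
        # Dependencies come from `oldpkgs`, not the final `pkgs`, so the
        # override does not reach back into the package set it is part of.
        src = oldpkgs.fetchurl {
          url = "https://tar.goaccess.io/${name}.tar.gz";
          sha256 = "16vv3pj7pbraq173wlxa89jjsd279004j4kgzlrsk1dz4if5qxwc";
        };
        configureFlags = old.configureFlags ++ [ "--enable-tcb=btree" ];
        buildInputs = old.buildInputs ++ [ oldpkgs.tokyocabinet oldpkgs.bzip2 ];
      });
    };

    networking.firewall = {
      enable = true;
      # 22: sshd, 80/443: httpd, 9418: git-daemon (services.gitDaemon below).
      allowedTCPPorts = [ 22 80 443 9418 ];
    };

    deployment = {
      targetEnv = "hetzner";
      hetzner = {
        #robotUser = "defined in HETZNER_ROBOT_USER";
        #robotPass = "defined in HETZNER_ROBOT_PASS";
        mainIPv4 = "176.9.151.89";
        # Kickstart-style layout for the installer: one swap partition per
        # disk, the remaining space mirrored (RAID1, md0) as the ext4 root.
        partitions = ''
          clearpart --all --initlabel --drives=sda,sdb

          part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
          part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

          part raid.1 --grow --ondisk=sda
          part raid.2 --grow --ondisk=sdb

          raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
        '';
      };
    };

    environment.systemPackages = let
      # FIXME: move it to nextcloud
      # CLI wrapper around Nextcloud's `occ`, run from the web root with the
      # php-fpm php package's binary and its php.ini. Arguments are passed
      # through with "$@" so quoting is preserved (the previous `$*`
      # re-split arguments containing spaces).
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
        cd ${mypkgs.nextcloud.webRoot} || exit 1
        NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
          exec \
          ${config.services.phpfpm.phpPackage}/bin/php \
            -c ${config.services.phpfpm.phpPackage}/etc/php.ini \
            occ "$@"
      '';
    in [
      pkgs.telnet
      pkgs.htop
      pkgs.vim
      pkgs.goaccess
      occ
    ];

    # FIXME: doesn't work with httpd?
    security.acme.preliminarySelfsigned = true;
    # FIXME: /!\ To create a new certificate, create it before using
    # it in httpd
    security.acme.certs = {
      # Host certificate, also covering every *.immae.eu dev/tools vhost.
      "eldiron" = mkCert "eldiron.immae.eu" {
        "db-1.immae.eu" = null;
        "tools.immae.eu" = null;
        "connexionswing.immae.eu" = null;
        "sandetludo.immae.eu" = null;
        "cloud.immae.eu" = null;
        "ludivine.immae.eu" = null;
        "dev.aten.pro" = null;
        "piedsjaloux.immae.eu" = null;
        "chloe.immae.eu" = null;
        "dav.immae.eu" = null;
      } // {
        # Only this key is made readable by the cert's group; the other
        # certificates keep the default.
        allowKeysForGroup = true;
      };
      "ludivinecassal" = mkCert "ludivinecassal.com" {
        "www.ludivinecassal.com" = null;
      };
      "aten" = mkCert "aten.pro" {
        "www.aten.pro" = null;
      };
      "piedsjaloux" = mkCert "piedsjaloux.fr" {
        "www.piedsjaloux.fr" = null;
      };
      "chloe" = mkCert "osteopathe-cc.fr" {
        "www.osteopathe-cc.fr" = null;
      };
      "connexionswing" = mkCert "connexionswing.com" {
        "www.connexionswing.com" = null;
        "sandetludo.com" = null;
        "www.sandetludo.com" = null;
      };
    };

    # sshd asks the wrapper in environment.etc."ssh/ldap_authorized_keys"
    # for public keys, running it as the unprivileged `nobody` user.
    services.openssh.extraConfig = ''
      AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
    '';

    services.ympd = mypkgs.ympd.config // { enable = false; };

    services.phpfpm = {
      # FIXME: move session files to separate dirs
      # /!\ phpPackage is used in the nextcloud configuration
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        session.gc_maxlifetime = 60*60*24*15
        session.cache_expire = 60*24*30
        ; For nextcloud
        extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
        ; For nextcloud
        extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
        ; For nextcloud
        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
      '';
      extraConfig = ''
        log_level = notice
      '';
      # One php-fpm pool per application; the pool definitions live with
      # each package in ./packages.nix.
      poolConfigs = {
        adminer = mypkgs.adminer.phpFpm.pool;
        connexionswing_dev = mypkgs.connexionswing_dev.phpFpm.pool;
        connexionswing_prod = mypkgs.connexionswing_prod.phpFpm.pool;
        ludivinecassal_dev = mypkgs.ludivinecassal_dev.phpFpm.pool;
        ludivinecassal_prod = mypkgs.ludivinecassal_prod.phpFpm.pool;
        piedsjaloux_dev = mypkgs.piedsjaloux_dev.phpFpm.pool;
        piedsjaloux_prod = mypkgs.piedsjaloux_prod.phpFpm.pool;
        chloe_dev = mypkgs.chloe_dev.phpFpm.pool;
        chloe_prod = mypkgs.chloe_prod.phpFpm.pool;
        aten_dev = mypkgs.aten_dev.phpFpm.pool;
        aten_prod = mypkgs.aten_prod.phpFpm.pool;
        nextcloud = mypkgs.nextcloud.phpFpm.pool;
        mantisbt = mypkgs.mantisbt.phpFpm.pool;
        ttrss = mypkgs.ttrss.phpFpm.pool;
        roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
        davical = mypkgs.davical.phpFpm.pool;
      };
    };

    system.activationScripts = {
      connexionswing_dev = mypkgs.connexionswing_dev.activationScript;
      connexionswing_prod = mypkgs.connexionswing_prod.activationScript;
      ludivinecassal_dev = mypkgs.ludivinecassal_dev.activationScript;
      ludivinecassal_prod = mypkgs.ludivinecassal_prod.activationScript;
      piedsjaloux_dev = mypkgs.piedsjaloux_dev.activationScript;
      piedsjaloux_prod = mypkgs.piedsjaloux_prod.activationScript;
      chloe_dev = mypkgs.chloe_dev.activationScript;
      chloe_prod = mypkgs.chloe_prod.activationScript;
      aten_dev = mypkgs.aten_dev.activationScript;
      aten_prod = mypkgs.aten_prod.activationScript;
      nextcloud = mypkgs.nextcloud.activationScript;
      ttrss = mypkgs.ttrss.activationScript;
      roundcubemail = mypkgs.roundcubemail.activationScript;
      # ACME challenge directory (served by the port-80 fallback vhost) and
      # per-application PHP session directories, private to wwwrun.
      httpd = ''
        install -d -m 0755 /var/lib/acme/acme-challenge
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/ttrss
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
      '';
      redis = ''
        mkdir -p /run/redis
        chown redis /run/redis
      '';
      # FIXME: initial sync
      # Output directories for the goaccess reports produced by the cron
      # jobs below and served under /awstats by the Stats macro.
      goaccess = ''
        mkdir -p /var/lib/goaccess
        mkdir -p /var/lib/goaccess/aten.pro
        mkdir -p /var/lib/goaccess/ludivinecassal.com
        mkdir -p /var/lib/goaccess/piedsjaloux.fr
        mkdir -p /var/lib/goaccess/osteopathe-cc.fr
        mkdir -p /var/lib/goaccess/connexionswing.com
      '';
    };

    # Script used by sshd's AuthorizedKeysCommand (see services.openssh).
    environment.etc."ssh/ldap_authorized_keys" = let
      ldap_authorized_keys =
        assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
        wrap {
          name = "ldap_authorized_keys";
          file = ./ldap_authorized_keys.sh;
          vars = {
            # NOTE(review): the bind password is read at evaluation time and
            # handed to `wrap` (libs.nix, not shown here). If `wrap` bakes
            # vars into the generated script, the secret ends up in the
            # world-readable Nix store and in this 0755 file — confirm.
            LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
            ECHO = "${pkgs.coreutils}/bin/echo";
          };
          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
        };
    in {
      enable = true;
      # Must stay executable by AuthorizedKeysCommandUser (nobody).
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };

    # Anonymous git:// access (port 9418) to the repositories, running as
    # the gitolite user.
    services.gitDaemon = {
      enable = true;
      user = "gitolite";
      group = "gitolite";
      basePath = "${mypkgs.git.web.varDir}/repositories";
    };

    # FIXME: logrotate
    services.httpd = let
      # Common TLS settings for a vhost using the ACME certificate named
      # `domain` (one of the keys of security.acme.certs above).
      withConf = domain: {
        enableSSL = true;
        sslServerCert = "/var/lib/acme/${domain}/cert.pem";
        sslServerKey = "/var/lib/acme/${domain}/key.pem";
        sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
        logFormat = "combinedVhost";
        listen = [ { ip = "*"; port = 443; } ];
      };
      # Global httpd snippets; each entry contributes its `modules` to
      # extraModules and its `extraConfig` to the server-wide config.
      apacheConfig = {
        gzip = {
          modules = [ "deflate" "filter" ];
          extraConfig = ''
            AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
          '';
        };
        ldap = {
          modules = [ "ldap" "authnz_ldap" ];
          # NOTE(review): the rendered httpd configuration is a store path,
          # so the bind password interpolated below is world-readable on the
          # host. The `Use LDAPConnect` macro is what every LDAP-protected
          # Location relies on.
          extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
            <IfModule ldap_module>
              LDAPSharedCacheSize 500000
              LDAPCacheEntries 1024
              LDAPCacheTTL 600
              LDAPOpCacheEntries 1024
              LDAPOpCacheTTL 600
            </IfModule>

            <Macro LDAPConnect>
              <IfModule authnz_ldap_module>
                AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu
                AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
                AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
                AuthType Basic
                AuthName "Authentification requise (Acces LDAP)"
                AuthBasicProvider ldap
              </IfModule>
            </Macro>

            <Macro Stats %{domain}>
              Alias /awstats /var/lib/goaccess/%{domain}
              <Directory /var/lib/goaccess/%{domain}>
                DirectoryIndex index.html
                AllowOverride None
                Require all granted
              </Directory>
              <Location /awstats>
                Use LDAPConnect
                Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
              </Location>
            </Macro>
          '';
        };
        http2 = {
          modules = [ "http2" ];
          extraConfig = ''
            Protocols h2 http/1.1
          '';
        };
        customLog = {
          modules = [];
          extraConfig = ''
            LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
          '';
        };
      };
    in rec {
      enable = true;
      logPerVirtualHost = true;
      multiProcessingModule = "worker";
      adminAddr = "httpd@immae.eu";
      logFormat = "combinedVhost";
      # Union of the modules every application asks for, plus those of the
      # global snippets and mod_macro (needed for LDAPConnect / Stats).
      extraModules = pkgs.lib.lists.unique (
        mypkgs.adminer.apache.modules ++
        mypkgs.nextcloud.apache.modules ++
        mypkgs.connexionswing_dev.apache.modules ++
        mypkgs.connexionswing_prod.apache.modules ++
        mypkgs.ludivinecassal_dev.apache.modules ++
        mypkgs.ludivinecassal_prod.apache.modules ++
        mypkgs.piedsjaloux_dev.apache.modules ++
        mypkgs.piedsjaloux_prod.apache.modules ++
        mypkgs.chloe_dev.apache.modules ++
        mypkgs.chloe_prod.apache.modules ++
        mypkgs.aten_dev.apache.modules ++
        mypkgs.aten_prod.apache.modules ++
        mypkgs.ympd.apache.modules ++
        mypkgs.git.web.apache.modules ++
        mypkgs.mantisbt.apache.modules ++
        mypkgs.ttrss.apache.modules ++
        mypkgs.roundcubemail.apache.modules ++
        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
        [ "macro" ]);
      extraConfig = builtins.concatStringsSep "\n"
        (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig) apacheConfig);
      virtualHosts = [
        (withConf "eldiron" // {
          hostName = "eldiron.immae.eu";
          documentRoot = ./www;
          extraConfig = ''
            DirectoryIndex index.htm
          '';
        })
        (withConf "eldiron" // {
          hostName = "db-1.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "tools.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
            mypkgs.ympd.apache.vhostConf
            mypkgs.ttrss.apache.vhostConf
            mypkgs.roundcubemail.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "dav.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.infcloud.apache.vhostConf
            mypkgs.davical.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "connexionswing.immae.eu";
          serverAliases = [ "sandetludo.immae.eu" ];
          documentRoot = mypkgs.connexionswing_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.connexionswing_dev.apache.vhostConf
          ];
        })
        (withConf "connexionswing" // {
          hostName = "connexionswing.com";
          serverAliases = [ "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
          documentRoot = mypkgs.connexionswing_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.connexionswing_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "ludivine.immae.eu";
          documentRoot = mypkgs.ludivinecassal_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.ludivinecassal_dev.apache.vhostConf
          ];
        })
        (withConf "ludivinecassal" // {
          hostName = "ludivinecassal.com";
          serverAliases = [ "www.ludivinecassal.com" ];
          documentRoot = mypkgs.ludivinecassal_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.ludivinecassal_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "piedsjaloux.immae.eu";
          documentRoot = mypkgs.piedsjaloux_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.piedsjaloux_dev.apache.vhostConf
          ];
        })
        (withConf "piedsjaloux" // {
          hostName = "piedsjaloux.fr";
          serverAliases = [ "www.piedsjaloux.fr" ];
          documentRoot = mypkgs.piedsjaloux_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.piedsjaloux_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "chloe.immae.eu";
          documentRoot = mypkgs.chloe_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.chloe_dev.apache.vhostConf
          ];
        })
        (withConf "chloe" // {
          hostName = "osteopathe-cc.fr";
          serverAliases = [ "www.osteopathe-cc.fr" ];
          documentRoot = mypkgs.chloe_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.chloe_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "dev.aten.pro";
          documentRoot = mypkgs.aten_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.aten_dev.apache.vhostConf
          ];
        })
        (withConf "aten" // {
          hostName = "aten.pro";
          serverAliases = [ "www.aten.pro" ];
          documentRoot = mypkgs.aten_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.aten_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "cloud.immae.eu";
          documentRoot = mypkgs.nextcloud.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.nextcloud.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "git.immae.eu";
          documentRoot = mypkgs.git.web.webRoot;
          # NOTE(review): the [P] flag makes this a reverse proxy, which
          # needs mod_proxy loaded; nothing in this file adds it explicitly,
          # so it must come from one of the mypkgs.*.apache.modules lists —
          # confirm.
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.git.web.apache.vhostConf
            mypkgs.mantisbt.apache.vhostConf
          ] + ''
            RewriteEngine on
            RewriteCond %{REQUEST_URI} ^/releases
            RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
          '';
        })
        { # Should go last, default fallback
          # Catch-all plain-HTTP vhost: serves the ACME http-01 challenges
          # from the webroot and bounces everything else to HTTPS on the
          # host the client asked for.
          listen = [ { ip = "*"; port = 80; } ];
          hostName = "redirectSSL";
          serverAliases = [ "*" ];
          enableSSL = false;
          logFormat = "combinedVhost";
          documentRoot = "/var/lib/acme/acme-challenge";
          extraConfig = ''
            RewriteEngine on
            RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
            RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
            # To redirect in specific "VirtualHost *:80", do
            # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
            # rather than rewrite
          '';
        }
      ];
    };

    services.cron = {
      enable = true;
      systemCronJobs = let
        # Nightly goaccess report for `domain`: collect yesterday's lines
        # from the current and rotated access logs into a temp file (removed
        # on exit), then render to /var/lib/goaccess/<domain>/index.html.
        stats = domain: conf: let
          d = pkgs.writeScriptBin "stats-${domain}" ''
            #!${pkgs.stdenv.shell}
            set -e
            shopt -s nullglob
            date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
            TMPFILE=$(mktemp)
            trap "rm -f $TMPFILE" EXIT

            cat /var/log/httpd/access_log-${domain} | sed -n "/\\[$date_regex/ p" > "$TMPFILE"
            for i in /var/log/httpd/access_log-${domain}*.gz; do
              zcat "$i" | sed -n "/\\[$date_regex/ p" >> "$TMPFILE"
            done
            goaccess "$TMPFILE" --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf}
          '';
        in "${d}/bin/stats-${domain}";
        # FIXME: running several goaccess simultaneously seems to be
        # bugged?
        # Hence the jobs are staggered one minute apart.
      in [
        "5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}"
        "6 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}"
        "7 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}"
        "8 0 * * * root ${stats "osteopathe-cc.fr" ./packages/chloe_goaccess.conf}"
        "9 0 * * * root ${stats "connexionswing.com" ./packages/connexionswing_goaccess.conf}"
      ];
    };

    systemd.services.tt-rss = {
      description = "Tiny Tiny RSS feeds update daemon";
      serviceConfig = {
        User = "wwwrun";
        ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
        StandardOutput = "syslog";
        StandardError = "syslog";
        # Only affects ExecStartPre/Post, none of which is defined here.
        PermissionsStartOnly = true;
      };

      wantedBy = [ "multi-user.target" ];
      requires = ["postgresql.service"];
      after = ["network.target" "postgresql.service"];
    };
  };
}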