[perso/Immae/Config/Nix.git] / virtual / eldiron.nix

{
  network = {
    description = "Immae's network";
    enableRollback = true;
  };

  eldiron = { config, pkgs, mylibs, ... }:
    with mylibs;
    let
        mypkgs = pkgs.callPackage ./packages.nix {
          inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
        };
    in
  {
    _module.args = {
      mylibs = import ../libs.nix;
    };

    imports = [
      ./modules/certificates.nix
      ./modules/gitolite.nix
      ./modules/gitweb.nix
      ./modules/databases.nix
      ./modules/websites/chloe.nix
      ./modules/websites/ludivine.nix
      ./modules/websites/aten.nix
      ./modules/websites/piedsjaloux.nix
      ./modules/websites/connexionswing.nix
    ];
    services.myGitolite.enable = true;
    services.myGitweb.enable = true;
    services.myDatabases.enable = true;
    services.myWebsites.Chloe.production.enable = true;
    services.myWebsites.Chloe.integration.enable = true;
    services.myWebsites.Ludivine.production.enable = true;
    services.myWebsites.Ludivine.integration.enable = true;
    services.myWebsites.Aten.production.enable = true;
    services.myWebsites.Aten.integration.enable = true;
    services.myWebsites.PiedsJaloux.production.enable = true;
    services.myWebsites.PiedsJaloux.integration.enable = true;
    services.myWebsites.Connexionswing.production.enable = true;
    services.myWebsites.Connexionswing.integration.enable = true;

    nixpkgs.config.packageOverrides = oldpkgs: rec {
      goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
        name = "goaccess-${version}";
        version = "1.3";
        src = pkgs.fetchurl {
          url = "https://tar.goaccess.io/${name}.tar.gz";
          sha256 = "16vv3pj7pbraq173wlxa89jjsd279004j4kgzlrsk1dz4if5qxwc";
        };
        configureFlags = old.configureFlags ++ [ "--enable-tcb=btree" ];
        buildInputs = old.buildInputs ++ [ pkgs.tokyocabinet pkgs.bzip2 ];
      });
    };

    networking = {
      firewall = {
        enable = true;
        allowedTCPPorts = [ 22 80 443 9418 ];
      };
    };

    deployment = {
      targetEnv = "hetzner";
      hetzner = {
        #robotUser = "defined in HETZNER_ROBOT_USER";
        #robotPass = "defined in HETZNER_ROBOT_PASS";
        mainIPv4 = "176.9.151.89";
        partitions = ''
          clearpart --all --initlabel --drives=sda,sdb

          part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
          part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb

          part raid.1 --grow --ondisk=sda
          part raid.2 --grow --ondisk=sdb

          raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
        '';
      };
    };

    environment.systemPackages = let
      # FIXME: move it to nextcloud
      occ = pkgs.writeScriptBin "nextcloud-occ" ''
        #! ${pkgs.stdenv.shell}
        cd ${mypkgs.nextcloud.webRoot}
        NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
          exec \
          ${config.services.phpfpm.phpPackage}/bin/php \
          -c ${config.services.phpfpm.phpPackage}/etc/php.ini \
          occ $*
        '';
    in [
      pkgs.telnet
      pkgs.htop
      pkgs.vim
      pkgs.goaccess
      occ
    ];

    security.acme.certs."eldiron".extraDomains = {
      "db-1.immae.eu" = null;
      "tools.immae.eu" = null;
      "cloud.immae.eu" = null;
      "dav.immae.eu" = null;
    };

    services.openssh.extraConfig = ''
      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
      AuthorizedKeysCommandUser nobody
      '';

    services.ympd = mypkgs.ympd.config // { enable = false; };

    services.phpfpm = {
      # FIXME: move session files to separate dirs
      # /!\ phppackage is used in nextcloud configuation
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        session.gc_maxlifetime = 60*60*24*15
        session.cache_expire = 60*24*30
        ; For nextcloud
        extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
        ; For nextcloud
        extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
        ; For nextcloud
        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
        '';
      extraConfig = ''
        log_level = notice
        '';
      poolConfigs = {
        adminer = mypkgs.adminer.phpFpm.pool;
        nextcloud = mypkgs.nextcloud.phpFpm.pool;
        mantisbt = mypkgs.mantisbt.phpFpm.pool;
        ttrss = mypkgs.ttrss.phpFpm.pool;
        roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
        davical = mypkgs.davical.phpFpm.pool;
      };
    };

    system.activationScripts = {
      nextcloud = mypkgs.nextcloud.activationScript;
      ttrss = mypkgs.ttrss.activationScript;
      roundcubemail = mypkgs.roundcubemail.activationScript;
      httpd = ''
        install -d -m 0755 /var/lib/acme/acme-challenge
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/ttrss
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
        '';
      redis = ''
        mkdir -p /run/redis
        chown redis /run/redis
        '';
      # FIXME: initial sync
      goaccess = ''
        mkdir -p /var/lib/goaccess
        mkdir -p /var/lib/goaccess/aten.pro
        mkdir -p /var/lib/goaccess/ludivinecassal.com
        mkdir -p /var/lib/goaccess/piedsjaloux.fr
        mkdir -p /var/lib/goaccess/osteopathe-cc.fr
        mkdir -p /var/lib/goaccess/connexionswing.com
        '';
    };

    environment.etc."ssh/ldap_authorized_keys" = let
      ldap_authorized_keys =
        assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
        wrap {
          name = "ldap_authorized_keys";
          file = ./ldap_authorized_keys.sh;
          vars = {
            LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
            GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
            ECHO = "${pkgs.coreutils}/bin/echo";
          };
          paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
        };
    in {
      enable = true;
      mode = "0755";
      user = "root";
      source = ldap_authorized_keys;
    };

    services.gitDaemon = {
      enable = true;
      user = "gitolite";
      group = "gitolite";
      basePath = "${mypkgs.git.web.varDir}/repositories";
    };

    # FIXME: logrotate
    services.httpd = let
      withConf = domain: {
        enableSSL = true;
        sslServerCert = "/var/lib/acme/${domain}/cert.pem";
        sslServerKey = "/var/lib/acme/${domain}/key.pem";
        sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
        logFormat = "combinedVhost";
        listen = [ { ip = "*"; port = 443; } ];
      };
      apacheConfig = {
        gzip = {
          modules = [ "deflate" "filter" ];
          extraConfig = ''
            AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
          '';
        };
        ldap = {
          modules = [ "ldap" "authnz_ldap" ];
          extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
            <IfModule ldap_module>
              LDAPSharedCacheSize 500000
              LDAPCacheEntries 1024
              LDAPCacheTTL 600
              LDAPOpCacheEntries 1024
              LDAPOpCacheTTL 600
            </IfModule>

            <Macro LDAPConnect>
              <IfModule authnz_ldap_module>
                AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu
                AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
                AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
                AuthType             Basic
                AuthName             "Authentification requise (Acces LDAP)"
                AuthBasicProvider    ldap
              </IfModule>
            </Macro>

            <Macro Stats %{domain}>
              Alias /awstats /var/lib/goaccess/%{domain}
              <Directory /var/lib/goaccess/%{domain}>
                DirectoryIndex index.html
                AllowOverride None
                Require all granted
              </Directory>
              <Location /awstats>
                Use LDAPConnect
                Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
              </Location>
            </Macro>
          '';
        };
        http2 = {
          modules = [ "http2" ];
          extraConfig = ''
            Protocols h2 http/1.1
          '';
        };
        customLog = {
          modules = [];
          extraConfig = ''
            LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
          '';
        };
      };
    in rec {
      enable = true;
      logPerVirtualHost = true;
      multiProcessingModule = "worker";
      adminAddr = "httpd@immae.eu";
      logFormat = "combinedVhost";
      extraModules = pkgs.lib.lists.unique (
        mypkgs.adminer.apache.modules ++
        mypkgs.nextcloud.apache.modules ++
        mypkgs.connexionswing_dev.apache.modules ++
        mypkgs.connexionswing_prod.apache.modules ++
        mypkgs.ludivinecassal_dev.apache.modules ++
        mypkgs.ludivinecassal_prod.apache.modules ++
        mypkgs.piedsjaloux_dev.apache.modules ++
        mypkgs.piedsjaloux_prod.apache.modules ++
        mypkgs.chloe_dev.apache.modules ++
        mypkgs.chloe_prod.apache.modules ++
        mypkgs.aten_dev.apache.modules ++
        mypkgs.aten_prod.apache.modules ++
        mypkgs.ympd.apache.modules ++
        mypkgs.git.web.apache.modules ++
        mypkgs.mantisbt.apache.modules ++
        mypkgs.ttrss.apache.modules ++
        mypkgs.roundcubemail.apache.modules ++
        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
        [ "macro" ]);
      extraConfig = builtins.concatStringsSep "\n"
        (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig) apacheConfig);
      virtualHosts = [
        (withConf "eldiron" // {
          hostName = "eldiron.immae.eu";
          documentRoot = ./www;
          extraConfig = ''
            DirectoryIndex index.htm
            '';
        })
        (withConf "eldiron" // {
          hostName = "db-1.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "tools.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.adminer.apache.vhostConf
            mypkgs.ympd.apache.vhostConf
            mypkgs.ttrss.apache.vhostConf
            mypkgs.roundcubemail.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "dav.immae.eu";
          documentRoot = null;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.infcloud.apache.vhostConf
            mypkgs.davical.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "connexionswing.immae.eu";
          serverAliases = [ "sandetludo.immae.eu" ];
          documentRoot = mypkgs.connexionswing_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.connexionswing_dev.apache.vhostConf
          ];
        })
        (withConf "connexionswing" // {
          hostName = "connexionswing.com";
          serverAliases = [ "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
          documentRoot = mypkgs.connexionswing_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.connexionswing_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "ludivine.immae.eu";
          documentRoot = mypkgs.ludivinecassal_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.ludivinecassal_dev.apache.vhostConf
          ];
        })
        (withConf "ludivinecassal" // {
          hostName = "ludivinecassal.com";
          serverAliases = [ "www.ludivinecassal.com" ];
          documentRoot = mypkgs.ludivinecassal_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.ludivinecassal_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "piedsjaloux.immae.eu";
          documentRoot = mypkgs.piedsjaloux_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.piedsjaloux_dev.apache.vhostConf
          ];
        })
        (withConf "piedsjaloux" // {
          hostName = "piedsjaloux.fr";
          serverAliases = [ "www.piedsjaloux.fr" ];
          documentRoot = mypkgs.piedsjaloux_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.piedsjaloux_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "chloe.immae.eu";
          documentRoot = mypkgs.chloe_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.chloe_dev.apache.vhostConf
          ];
        })
        (withConf "chloe" // {
          hostName = "osteopathe-cc.fr";
          serverAliases = [ "www.osteopathe-cc.fr" ];
          documentRoot = mypkgs.chloe_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.chloe_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "dev.aten.pro";
          documentRoot = mypkgs.aten_dev.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.aten_dev.apache.vhostConf
          ];
        })
        (withConf "aten" // {
          hostName = "aten.pro";
          serverAliases = [ "www.aten.pro" ];
          documentRoot = mypkgs.aten_prod.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.aten_prod.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "cloud.immae.eu";
          documentRoot = mypkgs.nextcloud.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.nextcloud.apache.vhostConf
          ];
        })
        (withConf "eldiron" // {
          hostName = "git.immae.eu";
          documentRoot = mypkgs.git.web.webRoot;
          extraConfig = builtins.concatStringsSep "\n" [
            mypkgs.git.web.apache.vhostConf
            mypkgs.mantisbt.apache.vhostConf
          ] + ''
            RewriteEngine on
            RewriteCond %{REQUEST_URI}       ^/releases
            RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
            '';
        })
        { # Should go last, default fallback
          listen = [ { ip = "*"; port = 80; } ];
          hostName = "redirectSSL";
          serverAliases = [ "*" ];
          enableSSL = false;
          logFormat = "combinedVhost";
          documentRoot = "/var/lib/acme/acme-challenge";
          extraConfig = ''
            RewriteEngine on
            RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
            RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
            # To redirect in specific "VirtualHost *:80", do
            #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
            # rather than rewrite
            '';
        }
      ];
    };

    services.cron = {
      enable = true;
      systemCronJobs = let
        stats = domain: conf: let
          d = pkgs.writeScriptBin "stats-${domain}" ''
            #!${pkgs.stdenv.shell}
            set -e
            shopt -s nullglob
            date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
            TMPFILE=$(mktemp)
            trap "rm -f $TMPFILE" EXIT

            cat /var/log/httpd/access_log-${domain} | sed -n "/\\[$date_regex/ p" > $TMPFILE
            for i in /var/log/httpd/access_log-${domain}*.gz; do
              zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE
            done
            goaccess $TMPFILE --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf}
            '';
          in "${d}/bin/stats-${domain}";
      # FIXME: running several goaccess simultaneously seems to be
      # bugged?
      in [
        "5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}"
        "6 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}"
        "7 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}"
        "8 0 * * * root ${stats "osteopathe-cc.fr" ./packages/chloe_goaccess.conf}"
        "9 0 * * * root ${stats "connexionswing.com" ./packages/connexionswing_goaccess.conf}"
        ];
    };

    systemd.services.tt-rss = {
      description = "Tiny Tiny RSS feeds update daemon";
      serviceConfig = {
        User = "wwwrun";
        ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
        StandardOutput = "syslog";
        StandardError = "syslog";
        PermissionsStartOnly = true;
      };

      wantedBy = [ "multi-user.target" ];
      requires = ["postgresql.service"];
      after = ["network.target" "postgresql.service"];
    };
  };
}
Commit	Line	Data
a1bb33c4 IB	1	{
	2	network = {
	3	description = "Immae's network";
	4	enableRollback = true;
	5	};
	6
4d4f13f4 IB	7	eldiron = { config, pkgs, mylibs, ... }:
4d4f13f4 IB	8	with mylibs;
5c101474	9	let
712ccefd	10	mypkgs = pkgs.callPackage ./packages.nix {
eb770e14	11	inherit checkEnv fetchedGit fetchedGitPrivate fetchedGithub;
5c101474	12	};
ab5d04b8 IB	13	in
ab5d04b8 IB	14	{
4d4f13f4 IB	15	_module.args = {
	16	mylibs = import ../libs.nix;
	17	};
	18
	19	imports = [
3013caf1	20	./modules/certificates.nix
4d4f13f4 IB	21	./modules/gitolite.nix
	22	./modules/gitweb.nix
	23	./modules/databases.nix
3013caf1 IB	24	./modules/websites/chloe.nix
	25	./modules/websites/ludivine.nix
	26	./modules/websites/aten.nix
	27	./modules/websites/piedsjaloux.nix
	28	./modules/websites/connexionswing.nix
4d4f13f4 IB	29	];
	30	services.myGitolite.enable = true;
	31	services.myGitweb.enable = true;
	32	services.myDatabases.enable = true;
3013caf1 IB	33	services.myWebsites.Chloe.production.enable = true;
	34	services.myWebsites.Chloe.integration.enable = true;
	35	services.myWebsites.Ludivine.production.enable = true;
	36	services.myWebsites.Ludivine.integration.enable = true;
	37	services.myWebsites.Aten.production.enable = true;
	38	services.myWebsites.Aten.integration.enable = true;
	39	services.myWebsites.PiedsJaloux.production.enable = true;
	40	services.myWebsites.PiedsJaloux.integration.enable = true;
	41	services.myWebsites.Connexionswing.production.enable = true;
	42	services.myWebsites.Connexionswing.integration.enable = true;
4d4f13f4	43
91493dc0	44	nixpkgs.config.packageOverrides = oldpkgs: rec {
6f0d92b4 IB	45	goaccess = oldpkgs.goaccess.overrideAttrs(old: rec {
	46	name = "goaccess-${version}";
	47	version = "1.3";
	48	src = pkgs.fetchurl {
	49	url = "https://tar.goaccess.io/${name}.tar.gz";
	50	sha256 = "16vv3pj7pbraq173wlxa89jjsd279004j4kgzlrsk1dz4if5qxwc";
	51	};
	52	configureFlags = old.configureFlags ++ [ "--enable-tcb=btree" ];
	53	buildInputs = old.buildInputs ++ [ pkgs.tokyocabinet pkgs.bzip2 ];
	54	});
91493dc0 IB	55	};
91493dc0 IB	56
a1bb33c4 IB	57	networking = {
	58	firewall = {
	59	enable = true;
4d4f13f4	60	allowedTCPPorts = [ 22 80 443 9418 ];
a1bb33c4 IB	61	};
	62	};
	63
	64	deployment = {
	65	targetEnv = "hetzner";
	66	hetzner = {
	67	#robotUser = "defined in HETZNER_ROBOT_USER";
	68	#robotPass = "defined in HETZNER_ROBOT_PASS";
	69	mainIPv4 = "176.9.151.89";
	70	partitions = ''
	71	clearpart --all --initlabel --drives=sda,sdb
	72
	73	part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
	74	part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
	75
	76	part raid.1 --grow --ondisk=sda
	77	part raid.2 --grow --ondisk=sdb
	78
	79	raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
	80	'';
	81	};
	82	};
	83
66b5bbf6 IB	84	environment.systemPackages = let
	85	# FIXME: move it to nextcloud
	86	occ = pkgs.writeScriptBin "nextcloud-occ" ''
	87	#! ${pkgs.stdenv.shell}
	88	cd ${mypkgs.nextcloud.webRoot}
	89	NEXTCLOUD_CONFIG_DIR="${mypkgs.nextcloud.webRoot}/config" \
	90	exec \
	91	${config.services.phpfpm.phpPackage}/bin/php \
	92	-c ${config.services.phpfpm.phpPackage}/etc/php.ini \
	93	occ $*
	94	'';
	95	in [
ce6ee3b8	96	pkgs.telnet
beeed847	97	pkgs.htop
ce6ee3b8	98	pkgs.vim
6f0d92b4	99	pkgs.goaccess
66b5bbf6	100	occ
ce6ee3b8 IB	101	];
ce6ee3b8 IB	102
3013caf1 IB	103	security.acme.certs."eldiron".extraDomains = {
	104	"db-1.immae.eu" = null;
	105	"tools.immae.eu" = null;
	106	"cloud.immae.eu" = null;
	107	"dav.immae.eu" = null;
a1bb33c4 IB	108	};
a1bb33c4 IB	109
5566d26d IB	110	services.openssh.extraConfig = ''
	111	AuthorizedKeysCommand /etc/ssh/ldap_authorized_keys
	112	AuthorizedKeysCommandUser nobody
	113	'';
	114
beeed847	115	services.ympd = mypkgs.ympd.config // { enable = false; };
a05f8abe	116
58d1a782	117	services.phpfpm = {
beeed847	118	# FIXME: move session files to separate dirs
66b5bbf6 IB	119	# /!\ phppackage is used in nextcloud configuation
66b5bbf6 IB	120	phpOptions = ''
c8e019b6 IB	121	session.save_path = "/var/lib/php/sessions"
	122	session.gc_maxlifetime = 606024*15
	123	session.cache_expire = 602430
66b5bbf6 IB	124	; For nextcloud
	125	extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
	126	; For nextcloud
	127	extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
ec9ff2b8 IB	128	; For nextcloud
ec9ff2b8 IB	129	zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
66b5bbf6	130	'';
58d1a782 IB	131	extraConfig = ''
	132	log_level = notice
	133	'';
	134	poolConfigs = {
27e22b76	135	adminer = mypkgs.adminer.phpFpm.pool;
66b5bbf6	136	nextcloud = mypkgs.nextcloud.phpFpm.pool;
50d8fa14	137	mantisbt = mypkgs.mantisbt.phpFpm.pool;
eb770e14	138	ttrss = mypkgs.ttrss.phpFpm.pool;
d252d718	139	roundcubemail = mypkgs.roundcubemail.phpFpm.pool;
d9998b44	140	davical = mypkgs.davical.phpFpm.pool;
58d1a782 IB	141	};
	142	};
	143
65fe7543	144	system.activationScripts = {
66b5bbf6	145	nextcloud = mypkgs.nextcloud.activationScript;
eb770e14	146	ttrss = mypkgs.ttrss.activationScript;
d252d718	147	roundcubemail = mypkgs.roundcubemail.activationScript;
5dd28b43 IB	148	httpd = ''
5dd28b43 IB	149	install -d -m 0755 /var/lib/acme/acme-challenge
c8e019b6 IB	150	install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
	151	install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
	152	install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
eb770e14	153	install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/ttrss
1635a4ae	154	install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
5dd28b43	155	'';
60f67ae3 IB	156	redis = ''
	157	mkdir -p /run/redis
	158	chown redis /run/redis
	159	'';
6bd6d033	160	# FIXME: initial sync
6f0d92b4 IB	161	goaccess = ''
	162	mkdir -p /var/lib/goaccess
	163	mkdir -p /var/lib/goaccess/aten.pro
34e2fd14 IB	164	mkdir -p /var/lib/goaccess/ludivinecassal.com
34e2fd14 IB	165	mkdir -p /var/lib/goaccess/piedsjaloux.fr
6bd6d033	166	mkdir -p /var/lib/goaccess/osteopathe-cc.fr
527e32ad	167	mkdir -p /var/lib/goaccess/connexionswing.com
6f0d92b4	168	'';
5566d26d IB	169	};
	170
	171	environment.etc."ssh/ldap_authorized_keys" = let
	172	ldap_authorized_keys =
5c101474 IB	173	assert checkEnv "NIXOPS_SSHD_LDAP_PASSWORD";
5c101474 IB	174	wrap {
5566d26d IB	175	name = "ldap_authorized_keys";
	176	file = ./ldap_authorized_keys.sh;
	177	vars = {
	178	LDAP_PASS = builtins.getEnv "NIXOPS_SSHD_LDAP_PASSWORD";
	179	GITOLITE_SHELL = "${pkgs.gitolite}/bin/gitolite-shell";
	180	ECHO = "${pkgs.coreutils}/bin/echo";
	181	};
	182	paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
	183	};
	184	in {
	185	enable = true;
	186	mode = "0755";
	187	user = "root";
	188	source = ldap_authorized_keys;
65fe7543 IB	189	};
65fe7543 IB	190
7611e4e2 IB	191	services.gitDaemon = {
	192	enable = true;
	193	user = "gitolite";
	194	group = "gitolite";
	195	basePath = "${mypkgs.git.web.varDir}/repositories";
	196	};
	197
beeed847	198	# FIXME: logrotate
58d1a782	199	services.httpd = let
b7cd7e4b	200	withConf = domain: {
58d1a782	201	enableSSL = true;
5dd28b43	202	sslServerCert = "/var/lib/acme/${domain}/cert.pem";
58d1a782 IB	203	sslServerKey = "/var/lib/acme/${domain}/key.pem";
58d1a782 IB	204	sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
b7cd7e4b IB	205	logFormat = "combinedVhost";
b7cd7e4b IB	206	listen = [ { ip = "*"; port = 443; } ];
58d1a782	207	};
94818b75 IB	208	apacheConfig = {
	209	gzip = {
	210	modules = [ "deflate" "filter" ];
	211	extraConfig = ''
	212	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
	213	'';
	214	};
	215	ldap = {
	216	modules = [ "ldap" "authnz_ldap" ];
5c101474	217	extraConfig = assert checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
94818b75 IB	218	<IfModule ldap_module>
	219	LDAPSharedCacheSize 500000
	220	LDAPCacheEntries 1024
	221	LDAPCacheTTL 600
	222	LDAPOpCacheEntries 1024
	223	LDAPOpCacheTTL 600
	224	</IfModule>
	225
	226	<Macro LDAPConnect>
	227	<IfModule authnz_ldap_module>
	228	AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu
	229	AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
	230	AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
	231	AuthType Basic
	232	AuthName "Authentification requise (Acces LDAP)"
	233	AuthBasicProvider ldap
	234	</IfModule>
	235	</Macro>
6f0d92b4 IB	236
	237	<Macro Stats %{domain}>
	238	Alias /awstats /var/lib/goaccess/%{domain}
	239	<Directory /var/lib/goaccess/%{domain}>
	240	DirectoryIndex index.html
	241	AllowOverride None
	242	Require all granted
	243	</Directory>
	244	<Location /awstats>
	245	Use LDAPConnect
	246	Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
	247	</Location>
	248	</Macro>
94818b75 IB	249	'';
94818b75 IB	250	};
b7cd7e4b IB	251	http2 = {
	252	modules = [ "http2" ];
	253	extraConfig = ''
	254	Protocols h2 http/1.1
	255	'';
	256	};
	257	customLog = {
	258	modules = [];
	259	extraConfig = ''
6f0d92b4	260	LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
b7cd7e4b IB	261	'';
b7cd7e4b IB	262	};
94818b75	263	};
58d1a782	264	in rec {
a1bb33c4	265	enable = true;
58d1a782 IB	266	logPerVirtualHost = true;
	267	multiProcessingModule = "worker";
	268	adminAddr = "httpd@immae.eu";
b7cd7e4b	269	logFormat = "combinedVhost";
25fd1d16 IB	270	extraModules = pkgs.lib.lists.unique (
25fd1d16 IB	271	mypkgs.adminer.apache.modules ++
66b5bbf6	272	mypkgs.nextcloud.apache.modules ++
65fe7543	273	mypkgs.connexionswing_dev.apache.modules ++
e273ef92	274	mypkgs.connexionswing_prod.apache.modules ++
e42ba74f IB	275	mypkgs.ludivinecassal_dev.apache.modules ++
e42ba74f IB	276	mypkgs.ludivinecassal_prod.apache.modules ++
34e2fd14 IB	277	mypkgs.piedsjaloux_dev.apache.modules ++
34e2fd14 IB	278	mypkgs.piedsjaloux_prod.apache.modules ++
7d8b50d3 IB	279	mypkgs.chloe_dev.apache.modules ++
7d8b50d3 IB	280	mypkgs.chloe_prod.apache.modules ++
6c672f34 IB	281	mypkgs.aten_dev.apache.modules ++
6c672f34 IB	282	mypkgs.aten_prod.apache.modules ++
5f3e023d	283	mypkgs.ympd.apache.modules ++
cf80b4f2	284	mypkgs.git.web.apache.modules ++
50d8fa14	285	mypkgs.mantisbt.apache.modules ++
eb770e14	286	mypkgs.ttrss.apache.modules ++
d252d718	287	mypkgs.roundcubemail.apache.modules ++
94818b75 IB	288	pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules) apacheConfig) ++
	289	[ "macro" ]);
	290	extraConfig = builtins.concatStringsSep "\n"
	291	(pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig) apacheConfig);
58d1a782	292	virtualHosts = [
b7cd7e4b	293	(withConf "eldiron" // {
58d1a782	294	hostName = "eldiron.immae.eu";
1d4ccb2c IB	295	documentRoot = ./www;
	296	extraConfig = ''
	297	DirectoryIndex index.htm
	298	'';
58d1a782	299	})
b7cd7e4b	300	(withConf "eldiron" // {
58d1a782 IB	301	hostName = "db-1.immae.eu";
58d1a782 IB	302	documentRoot = null;
27e22b76	303	extraConfig = builtins.concatStringsSep "\n" [
1bb2ff2c	304	mypkgs.adminer.apache.vhostConf
27e22b76	305	];
58d1a782	306	})
b7cd7e4b	307	(withConf "eldiron" // {
e379fd29 IB	308	hostName = "tools.immae.eu";
	309	documentRoot = null;
	310	extraConfig = builtins.concatStringsSep "\n" [
1bb2ff2c	311	mypkgs.adminer.apache.vhostConf
a05f8abe	312	mypkgs.ympd.apache.vhostConf
eb770e14	313	mypkgs.ttrss.apache.vhostConf
d252d718	314	mypkgs.roundcubemail.apache.vhostConf
43b726ed IB	315	];
	316	})
	317	(withConf "eldiron" // {
	318	hostName = "dav.immae.eu";
	319	documentRoot = null;
	320	extraConfig = builtins.concatStringsSep "\n" [
1635a4ae	321	mypkgs.infcloud.apache.vhostConf
d9998b44	322	mypkgs.davical.apache.vhostConf
e379fd29 IB	323	];
e379fd29 IB	324	})
b7cd7e4b	325	(withConf "eldiron" // {
65fe7543 IB	326	hostName = "connexionswing.immae.eu";
	327	serverAliases = [ "sandetludo.immae.eu" ];
	328	documentRoot = mypkgs.connexionswing_dev.webRoot;
	329	extraConfig = builtins.concatStringsSep "\n" [
	330	mypkgs.connexionswing_dev.apache.vhostConf
	331	];
	332	})
527e32ad IB	333	(withConf "connexionswing" // {
	334	hostName = "connexionswing.com";
	335	serverAliases = [ "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
	336	documentRoot = mypkgs.connexionswing_prod.webRoot;
	337	extraConfig = builtins.concatStringsSep "\n" [
	338	mypkgs.connexionswing_prod.apache.vhostConf
	339	];
	340	})
e42ba74f IB	341	(withConf "eldiron" // {
	342	hostName = "ludivine.immae.eu";
	343	documentRoot = mypkgs.ludivinecassal_dev.webRoot;
	344	extraConfig = builtins.concatStringsSep "\n" [
	345	mypkgs.ludivinecassal_dev.apache.vhostConf
	346	];
	347	})
	348	(withConf "ludivinecassal" // {
	349	hostName = "ludivinecassal.com";
	350	serverAliases = [ "www.ludivinecassal.com" ];
	351	documentRoot = mypkgs.ludivinecassal_prod.webRoot;
	352	extraConfig = builtins.concatStringsSep "\n" [
	353	mypkgs.ludivinecassal_prod.apache.vhostConf
	354	];
	355	})
34e2fd14 IB	356	(withConf "eldiron" // {
	357	hostName = "piedsjaloux.immae.eu";
	358	documentRoot = mypkgs.piedsjaloux_dev.webRoot;
	359	extraConfig = builtins.concatStringsSep "\n" [
	360	mypkgs.piedsjaloux_dev.apache.vhostConf
	361	];
	362	})
	363	(withConf "piedsjaloux" // {
	364	hostName = "piedsjaloux.fr";
	365	serverAliases = [ "www.piedsjaloux.fr" ];
	366	documentRoot = mypkgs.piedsjaloux_prod.webRoot;
	367	extraConfig = builtins.concatStringsSep "\n" [
	368	mypkgs.piedsjaloux_prod.apache.vhostConf
	369	];
	370	})
7d8b50d3 IB	371	(withConf "eldiron" // {
	372	hostName = "chloe.immae.eu";
	373	documentRoot = mypkgs.chloe_dev.webRoot;
	374	extraConfig = builtins.concatStringsSep "\n" [
	375	mypkgs.chloe_dev.apache.vhostConf
	376	];
	377	})
6bd6d033	378	(withConf "chloe" // {
7d8b50d3 IB	379	hostName = "osteopathe-cc.fr";
	380	serverAliases = [ "www.osteopathe-cc.fr" ];
	381	documentRoot = mypkgs.chloe_prod.webRoot;
	382	extraConfig = builtins.concatStringsSep "\n" [
	383	mypkgs.chloe_prod.apache.vhostConf
	384	];
	385	})
6c672f34 IB	386	(withConf "eldiron" // {
	387	hostName = "dev.aten.pro";
	388	documentRoot = mypkgs.aten_dev.webRoot;
	389	extraConfig = builtins.concatStringsSep "\n" [
	390	mypkgs.aten_dev.apache.vhostConf
	391	];
	392	})
	393	(withConf "aten" // {
	394	hostName = "aten.pro";
	395	serverAliases = [ "www.aten.pro" ];
	396	documentRoot = mypkgs.aten_prod.webRoot;
	397	extraConfig = builtins.concatStringsSep "\n" [
	398	mypkgs.aten_prod.apache.vhostConf
	399	];
	400	})
b7cd7e4b	401	(withConf "eldiron" // {
66b5bbf6 IB	402	hostName = "cloud.immae.eu";
	403	documentRoot = mypkgs.nextcloud.webRoot;
	404	extraConfig = builtins.concatStringsSep "\n" [
	405	mypkgs.nextcloud.apache.vhostConf
	406	];
	407	})
b7cd7e4b	408	(withConf "eldiron" // {
cf80b4f2 IB	409	hostName = "git.immae.eu";
	410	documentRoot = mypkgs.git.web.webRoot;
	411	extraConfig = builtins.concatStringsSep "\n" [
	412	mypkgs.git.web.apache.vhostConf
50d8fa14	413	mypkgs.mantisbt.apache.vhostConf
cf80b4f2 IB	414	] + ''
	415	RewriteEngine on
	416	RewriteCond %{REQUEST_URI} ^/releases
	417	RewriteRule /releases(.*) https://release.immae.eu$1 [P,L]
	418	'';
	419	})
58d1a782 IB	420	{ # Should go last, default fallback
	421	listen = [ { ip = "*"; port = 80; } ];
	422	hostName = "redirectSSL";
	423	serverAliases = [ "*" ];
	424	enableSSL = false;
b7cd7e4b	425	logFormat = "combinedVhost";
58d1a782 IB	426	documentRoot = "/var/lib/acme/acme-challenge";
	427	extraConfig = ''
	428	RewriteEngine on
	429	RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
	430	RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
	431	# To redirect in specific "VirtualHost *:80", do
	432	# RedirectMatch 301 ^/((?!\.well-known.$).)$ https://host/$1
	433	# rather than rewrite
	434	'';
	435	}
43b726ed	436	];
58d1a782 IB	437	};
58d1a782 IB	438
6f0d92b4 IB	439	services.cron = {
	440	enable = true;
	441	systemCronJobs = let
6bd6d033	442	stats = domain: conf: let
0facadb8 IB	443	d = pkgs.writeScriptBin "stats-${domain}" ''
	444	#!${pkgs.stdenv.shell}
	445	set -e
	446	shopt -s nullglob
	447	date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
	448	TMPFILE=$(mktemp)
	449	trap "rm -f $TMPFILE" EXIT
	450
	451	cat /var/log/httpd/access_log-${domain} \| sed -n "/\\[$date_regex/ p" > $TMPFILE
	452	for i in /var/log/httpd/access_log-${domain}*.gz; do
	453	zcat "$i" \| sed -n "/\\[$date_regex/ p" >> $TMPFILE
	454	done
	455	goaccess $TMPFILE --no-progress -o /var/lib/goaccess/${domain}/index.html -p ${conf}
	456	'';
6bd6d033	457	in "${d}/bin/stats-${domain}";
56991aa7 IB	458	# FIXME: running several goaccess simultaneously seems to be
56991aa7 IB	459	# bugged?
6f0d92b4 IB	460	in [
6f0d92b4 IB	461	"5 0 * * * root ${stats "aten.pro" ./packages/aten_goaccess.conf}"
56991aa7 IB	462	"6 0 * * * root ${stats "ludivinecassal.com" ./packages/ludivinecassal_goaccess.conf}"
	463	"7 0 * * * root ${stats "piedsjaloux.fr" ./packages/piedsjaloux_goaccess.conf}"
	464	"8 0 * * * root ${stats "osteopathe-cc.fr" ./packages/chloe_goaccess.conf}"
	465	"9 0 * * * root ${stats "connexionswing.com" ./packages/connexionswing_goaccess.conf}"
6f0d92b4 IB	466	];
6f0d92b4 IB	467	};
eb770e14 IB	468
	469	systemd.services.tt-rss = {
	470	description = "Tiny Tiny RSS feeds update daemon";
	471	serviceConfig = {
	472	User = "wwwrun";
	473	ExecStart = "${pkgs.php}/bin/php ${mypkgs.ttrss.webRoot}/update.php --daemon";
	474	StandardOutput = "syslog";
	475	StandardError = "syslog";
	476	PermissionsStartOnly = true;
	477	};
	478
	479	wantedBy = [ "multi-user.target" ];
	480	requires = ["postgresql.service"];
	481	after = ["network.target" "postgresql.service"];
	482	};
a1bb33c4 IB	483	};
a1bb33c4 IB	484	}