[perso/Immae/Config/Nix.git] / virtual / modules / websites / default.nix

{ lib, pkgs, config, mylibs, myconfig, ... }:
let
  cfg = config.services.myWebsites;
  makeService = name: cfg: let
    toVhost = vhostConf: {
      enableSSL = true;
      sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
      sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
      sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
      logFormat = "combinedVhost";
      listen = [
        { ip = cfg.ip;  port = 443; }
      ];
      hostName = builtins.head vhostConf.hosts;
      serverAliases = builtins.tail vhostConf.hosts or [];
      documentRoot = vhostConf.root;
      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
    };
  in rec {
    enable = true;
    listen = [
      { ip = cfg.ip;  port = 443; }
    ];
    stateDir = "/run/httpd_${name}";
    logPerVirtualHost = true;
    multiProcessingModule = "worker";
    adminAddr = "httpd@immae.eu";
    logFormat = "combinedVhost";
    extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
    extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
    virtualHosts = pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs;
  };
  makeServiceOptions = name: ip: {
    enable = lib.mkEnableOption "enable websites in ${name}";
    ip = lib.mkOption {
      type = lib.types.string;
      default = ip;
      description = "${name} ip to listen to";
    };
    modules = lib.mkOption {
      type = lib.types.listOf (lib.types.str);
      default = [];
    };
    extraConfig = lib.mkOption {
      type = lib.types.listOf (lib.types.lines);
      default = [];
    };
    vhostConfs = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          certName = lib.mkOption { type = lib.types.string; };
          hosts    = lib.mkOption { type = lib.types.listOf lib.types.string; };
          root     = lib.mkOption { type = lib.types.nullOr lib.types.path; };
          extraConfig = lib.mkOption { type = lib.types.listOf lib.types.lines; default = []; };
        };
      });
    };
  };
in
{
  imports = [
    ./chloe
    ./ludivine
    ./aten
    ./piedsjaloux
    ./connexionswing
    # built using:
    # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
    # And removed users / groups
    ./apache/httpd_prod.nix
    ./apache/httpd_inte.nix
  ];

  options.services.myWebsites = {
    production = makeServiceOptions "production" myconfig.ips.production;
    integration = makeServiceOptions "integration" myconfig.ips.integration;

    apacheConfig = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          modules = lib.mkOption {
            type = lib.types.listOf (lib.types.str);
            default = [];
          };
          extraConfig = lib.mkOption {
            type = lib.types.nullOr lib.types.lines;
            default = null;
          };
        };
      });
      default = {};
      description = "Extra global config";
    };

  };

  config = {
    networking = {
      firewall = {
        enable = true;
        allowedTCPPorts = [ 80 443 ];
      };
      interfaces."eth0".ipv4.addresses = [
        # 176.9.151.89 declared in nixops -> infra / tools
        { address = myconfig.ips.production; prefixLength = 32; }
        { address = myconfig.ips.integration; prefixLength = 32; }
      ];
    };

    nixpkgs.config.packageOverrides = oldpkgs: rec {
      php = php72;
      php72 = (oldpkgs.php72.override {
        mysql.connector-c = pkgs.mariadb;
        config.php.mysqlnd = false;
        config.php.mysqli = false;
      }).overrideAttrs(old: rec {
        # Didn't manage to build with mysqli + mysql_config connector
        configureFlags = old.configureFlags ++ [
          "--with-mysqli=shared,mysqlnd"
          ];
        # preConfigure = (old.preConfigure or "") + ''
        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
        #   '';
      });
      phpPackages = oldpkgs.php72Packages.override { inherit php; };
    };

    services.myWebsites.Chloe.production.enable = cfg.production.enable;
    services.myWebsites.Ludivine.production.enable = cfg.production.enable;
    services.myWebsites.Aten.production.enable = cfg.production.enable;
    services.myWebsites.PiedsJaloux.production.enable = cfg.production.enable;
    services.myWebsites.Connexionswing.production.enable = cfg.production.enable;

    services.myWebsites.Chloe.integration.enable = cfg.integration.enable;
    services.myWebsites.Ludivine.integration.enable = cfg.integration.enable;
    services.myWebsites.Aten.integration.enable = cfg.integration.enable;
    services.myWebsites.PiedsJaloux.integration.enable = cfg.integration.enable;
    services.myWebsites.Connexionswing.integration.enable = cfg.integration.enable;

    services.myWebsites.apacheConfig = {
      gzip = {
        modules = [ "deflate" "filter" ];
        extraConfig = ''
          AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
        '';
      };
      macros = {
        modules = [ "macro" ];
      };
      ldap = {
        modules = [ "ldap" "authnz_ldap" ];
        # FIXME: starttls
        extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
          <IfModule ldap_module>
            LDAPSharedCacheSize 500000
            LDAPCacheEntries 1024
            LDAPCacheTTL 600
            LDAPOpCacheEntries 1024
            LDAPOpCacheTTL 600
          </IfModule>

          <Macro LDAPConnect>
            <IfModule authnz_ldap_module>
              AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
              AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
              AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
              AuthType             Basic
              AuthName             "Authentification requise (Acces LDAP)"
              AuthBasicProvider    ldap
            </IfModule>
          </Macro>

          <Macro Stats %{domain}>
            Alias /awstats /var/lib/goaccess/%{domain}
            <Directory /var/lib/goaccess/%{domain}>
              DirectoryIndex index.html
              AllowOverride None
              Require all granted
            </Directory>
            <Location /awstats>
              Use LDAPConnect
              Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
            </Location>
          </Macro>
        '';
      };
      http2 = {
        modules = [ "http2" ];
        extraConfig = ''
          Protocols h2 http/1.1
        '';
      };
      customLog = {
        extraConfig = ''
          LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
        '';
      };
    };

    # FIXME: logrotate
    # FIXME: ipv6
    services.httpdProd = makeService "production" config.services.myWebsites.production;
    services.myWebsites.production.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
    services.myWebsites.production.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));

    services.httpdInte = makeService "integration" config.services.myWebsites.integration;
    services.myWebsites.integration.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
    services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
  };
}
Commit	Line	Data
f8bde3d6	1	{ lib, pkgs, config, mylibs, myconfig, ... }:
42429ef0 IB	2	let
42429ef0 IB	3	cfg = config.services.myWebsites;
f8bde3d6 IB	4	makeService = name: cfg: let
	5	toVhost = vhostConf: {
	6	enableSSL = true;
	7	sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
	8	sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
	9	sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
	10	logFormat = "combinedVhost";
	11	listen = [
	12	{ ip = cfg.ip; port = 443; }
	13	];
	14	hostName = builtins.head vhostConf.hosts;
	15	serverAliases = builtins.tail vhostConf.hosts or [];
	16	documentRoot = vhostConf.root;
	17	extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
	18	};
	19	in rec {
	20	enable = true;
	21	listen = [
	22	{ ip = cfg.ip; port = 443; }
	23	];
	24	stateDir = "/run/httpd_${name}";
	25	logPerVirtualHost = true;
	26	multiProcessingModule = "worker";
	27	adminAddr = "httpd@immae.eu";
	28	logFormat = "combinedVhost";
	29	extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
	30	extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
	31	virtualHosts = pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs;
	32	};
	33	makeServiceOptions = name: ip: {
	34	enable = lib.mkEnableOption "enable websites in ${name}";
	35	ip = lib.mkOption {
	36	type = lib.types.string;
	37	default = ip;
	38	description = "${name} ip to listen to";
	39	};
	40	modules = lib.mkOption {
	41	type = lib.types.listOf (lib.types.str);
	42	default = [];
	43	};
	44	extraConfig = lib.mkOption {
	45	type = lib.types.listOf (lib.types.lines);
	46	default = [];
	47	};
	48	vhostConfs = lib.mkOption {
	49	type = lib.types.attrsOf (lib.types.submodule {
	50	options = {
	51	certName = lib.mkOption { type = lib.types.string; };
	52	hosts = lib.mkOption { type = lib.types.listOf lib.types.string; };
	53	root = lib.mkOption { type = lib.types.nullOr lib.types.path; };
	54	extraConfig = lib.mkOption { type = lib.types.listOf lib.types.lines; default = []; };
	55	};
	56	});
	57	};
	58	};
42429ef0 IB	59	in
	60	{
	61	imports = [
54307da4 IB	62	./chloe
	63	./ludivine
	64	./aten
	65	./piedsjaloux
	66	./connexionswing
f8bde3d6 IB	67	# built using:
	68	# sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
	69	# And removed users / groups
54307da4 IB	70	./apache/httpd_prod.nix
54307da4 IB	71	./apache/httpd_inte.nix
42429ef0 IB	72	];
	73
	74	options.services.myWebsites = {
f8bde3d6 IB	75	production = makeServiceOptions "production" myconfig.ips.production;
f8bde3d6 IB	76	integration = makeServiceOptions "integration" myconfig.ips.integration;
42429ef0 IB	77
	78	apacheConfig = lib.mkOption {
	79	type = lib.types.attrsOf (lib.types.submodule {
	80	options = {
	81	modules = lib.mkOption {
	82	type = lib.types.listOf (lib.types.str);
	83	default = [];
	84	};
	85	extraConfig = lib.mkOption {
	86	type = lib.types.nullOr lib.types.lines;
	87	default = null;
	88	};
	89	};
	90	});
	91	default = {};
	92	description = "Extra global config";
	93	};
	94
	95	};
	96
	97	config = {
54307da4 IB	98	networking = {
	99	firewall = {
	100	enable = true;
	101	allowedTCPPorts = [ 80 443 ];
	102	};
	103	interfaces."eth0".ipv4.addresses = [
	104	# 176.9.151.89 declared in nixops -> infra / tools
	105	{ address = myconfig.ips.production; prefixLength = 32; }
	106	{ address = myconfig.ips.integration; prefixLength = 32; }
	107	];
	108	};
	109
98584540 IB	110	nixpkgs.config.packageOverrides = oldpkgs: rec {
	111	php = php72;
	112	php72 = (oldpkgs.php72.override {
	113	mysql.connector-c = pkgs.mariadb;
	114	config.php.mysqlnd = false;
	115	config.php.mysqli = false;
	116	}).overrideAttrs(old: rec {
	117	# Didn't manage to build with mysqli + mysql_config connector
	118	configureFlags = old.configureFlags ++ [
912921a7	119	"--with-mysqli=shared,mysqlnd"
98584540 IB	120	];
	121	# preConfigure = (old.preConfigure or "") + ''
	122	# export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
	123	# sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
	124	# ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
	125	# '';
	126	});
	127	phpPackages = oldpkgs.php72Packages.override { inherit php; };
	128	};
	129
42429ef0 IB	130	services.myWebsites.Chloe.production.enable = cfg.production.enable;
	131	services.myWebsites.Ludivine.production.enable = cfg.production.enable;
	132	services.myWebsites.Aten.production.enable = cfg.production.enable;
	133	services.myWebsites.PiedsJaloux.production.enable = cfg.production.enable;
	134	services.myWebsites.Connexionswing.production.enable = cfg.production.enable;
	135
	136	services.myWebsites.Chloe.integration.enable = cfg.integration.enable;
	137	services.myWebsites.Ludivine.integration.enable = cfg.integration.enable;
	138	services.myWebsites.Aten.integration.enable = cfg.integration.enable;
	139	services.myWebsites.PiedsJaloux.integration.enable = cfg.integration.enable;
	140	services.myWebsites.Connexionswing.integration.enable = cfg.integration.enable;
	141
	142	services.myWebsites.apacheConfig = {
	143	gzip = {
	144	modules = [ "deflate" "filter" ];
	145	extraConfig = ''
	146	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
	147	'';
	148	};
	149	macros = {
	150	modules = [ "macro" ];
	151	};
	152	ldap = {
	153	modules = [ "ldap" "authnz_ldap" ];
	154	# FIXME: starttls
	155	extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; ''
	156	<IfModule ldap_module>
	157	LDAPSharedCacheSize 500000
	158	LDAPCacheEntries 1024
	159	LDAPCacheTTL 600
	160	LDAPOpCacheEntries 1024
	161	LDAPOpCacheTTL 600
	162	</IfModule>
	163
	164	<Macro LDAPConnect>
	165	<IfModule authnz_ldap_module>
	166	AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
	167	AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
	168	AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}"
	169	AuthType Basic
	170	AuthName "Authentification requise (Acces LDAP)"
	171	AuthBasicProvider ldap
	172	</IfModule>
	173	</Macro>
	174
	175	<Macro Stats %{domain}>
	176	Alias /awstats /var/lib/goaccess/%{domain}
	177	<Directory /var/lib/goaccess/%{domain}>
	178	DirectoryIndex index.html
	179	AllowOverride None
	180	Require all granted
	181	</Directory>
	182	<Location /awstats>
	183	Use LDAPConnect
	184	Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
	185	</Location>
	186	</Macro>
	187	'';
	188	};
	189	http2 = {
	190	modules = [ "http2" ];
	191	extraConfig = ''
	192	Protocols h2 http/1.1
	193	'';
194	};
195	customLog = {
196	extraConfig = ''
197	LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
198	'';
199	};
200	};
f8bde3d6 IB	201
	202	# FIXME: logrotate
	203	# FIXME: ipv6
	204	services.httpdProd = makeService "production" config.services.myWebsites.production;
	205	services.myWebsites.production.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
	206	services.myWebsites.production.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
	207
	208	services.httpdInte = makeService "integration" config.services.myWebsites.integration;
	209	services.myWebsites.integration.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
	210	services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
42429ef0 IB	211	};
42429ef0 IB	212	}