]>
Commit | Line | Data |
---|---|---|
f8bde3d6 | 1 | { lib, pkgs, config, mylibs, myconfig, ... }: |
42429ef0 IB |
2 | let |
3 | cfg = config.services.myWebsites; | |
f8bde3d6 IB |
4 | makeService = name: cfg: let |
5 | toVhost = vhostConf: { | |
6 | enableSSL = true; | |
7 | sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem"; | |
8 | sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem"; | |
9 | sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem"; | |
10 | logFormat = "combinedVhost"; | |
11 | listen = [ | |
12 | { ip = cfg.ip; port = 443; } | |
13 | ]; | |
14 | hostName = builtins.head vhostConf.hosts; | |
15 | serverAliases = builtins.tail vhostConf.hosts or []; | |
16 | documentRoot = vhostConf.root; | |
17 | extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig; | |
18 | }; | |
19 | in rec { | |
20 | enable = true; | |
21 | listen = [ | |
22 | { ip = cfg.ip; port = 443; } | |
23 | ]; | |
24 | stateDir = "/run/httpd_${name}"; | |
25 | logPerVirtualHost = true; | |
26 | multiProcessingModule = "worker"; | |
27 | adminAddr = "httpd@immae.eu"; | |
28 | logFormat = "combinedVhost"; | |
29 | extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules); | |
30 | extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig; | |
31 | virtualHosts = pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs; | |
32 | }; | |
33 | makeServiceOptions = name: ip: { | |
34 | enable = lib.mkEnableOption "enable websites in ${name}"; | |
35 | ip = lib.mkOption { | |
36 | type = lib.types.string; | |
37 | default = ip; | |
38 | description = "${name} ip to listen to"; | |
39 | }; | |
40 | modules = lib.mkOption { | |
41 | type = lib.types.listOf (lib.types.str); | |
42 | default = []; | |
43 | }; | |
44 | extraConfig = lib.mkOption { | |
45 | type = lib.types.listOf (lib.types.lines); | |
46 | default = []; | |
47 | }; | |
48 | vhostConfs = lib.mkOption { | |
49 | type = lib.types.attrsOf (lib.types.submodule { | |
50 | options = { | |
51 | certName = lib.mkOption { type = lib.types.string; }; | |
52 | hosts = lib.mkOption { type = lib.types.listOf lib.types.string; }; | |
53 | root = lib.mkOption { type = lib.types.nullOr lib.types.path; }; | |
54 | extraConfig = lib.mkOption { type = lib.types.listOf lib.types.lines; default = []; }; | |
55 | }; | |
56 | }); | |
57 | }; | |
58 | }; | |
42429ef0 IB |
59 | in |
60 | { | |
61 | imports = [ | |
54307da4 IB |
62 | ./chloe |
63 | ./ludivine | |
64 | ./aten | |
65 | ./piedsjaloux | |
66 | ./connexionswing | |
f8bde3d6 IB |
67 | # built using: |
68 | # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix | |
69 | # And removed users / groups | |
54307da4 IB |
70 | ./apache/httpd_prod.nix |
71 | ./apache/httpd_inte.nix | |
42429ef0 IB |
72 | ]; |
73 | ||
74 | options.services.myWebsites = { | |
f8bde3d6 IB |
75 | production = makeServiceOptions "production" myconfig.ips.production; |
76 | integration = makeServiceOptions "integration" myconfig.ips.integration; | |
42429ef0 IB |
77 | |
78 | apacheConfig = lib.mkOption { | |
79 | type = lib.types.attrsOf (lib.types.submodule { | |
80 | options = { | |
81 | modules = lib.mkOption { | |
82 | type = lib.types.listOf (lib.types.str); | |
83 | default = []; | |
84 | }; | |
85 | extraConfig = lib.mkOption { | |
86 | type = lib.types.nullOr lib.types.lines; | |
87 | default = null; | |
88 | }; | |
89 | }; | |
90 | }); | |
91 | default = {}; | |
92 | description = "Extra global config"; | |
93 | }; | |
94 | ||
95 | }; | |
96 | ||
97 | config = { | |
54307da4 IB |
98 | networking = { |
99 | firewall = { | |
100 | enable = true; | |
101 | allowedTCPPorts = [ 80 443 ]; | |
102 | }; | |
103 | interfaces."eth0".ipv4.addresses = [ | |
104 | # 176.9.151.89 declared in nixops -> infra / tools | |
105 | { address = myconfig.ips.production; prefixLength = 32; } | |
106 | { address = myconfig.ips.integration; prefixLength = 32; } | |
107 | ]; | |
108 | }; | |
109 | ||
98584540 IB |
110 | nixpkgs.config.packageOverrides = oldpkgs: rec { |
111 | php = php72; | |
112 | php72 = (oldpkgs.php72.override { | |
113 | mysql.connector-c = pkgs.mariadb; | |
114 | config.php.mysqlnd = false; | |
115 | config.php.mysqli = false; | |
116 | }).overrideAttrs(old: rec { | |
117 | # Didn't manage to build with mysqli + mysql_config connector | |
118 | configureFlags = old.configureFlags ++ [ | |
912921a7 | 119 | "--with-mysqli=shared,mysqlnd" |
98584540 IB |
120 | ]; |
121 | # preConfigure = (old.preConfigure or "") + '' | |
122 | # export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server"; | |
123 | # sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \ | |
124 | # ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c | |
125 | # ''; | |
126 | }); | |
127 | phpPackages = oldpkgs.php72Packages.override { inherit php; }; | |
128 | }; | |
129 | ||
42429ef0 IB |
130 | services.myWebsites.Chloe.production.enable = cfg.production.enable; |
131 | services.myWebsites.Ludivine.production.enable = cfg.production.enable; | |
132 | services.myWebsites.Aten.production.enable = cfg.production.enable; | |
133 | services.myWebsites.PiedsJaloux.production.enable = cfg.production.enable; | |
134 | services.myWebsites.Connexionswing.production.enable = cfg.production.enable; | |
135 | ||
136 | services.myWebsites.Chloe.integration.enable = cfg.integration.enable; | |
137 | services.myWebsites.Ludivine.integration.enable = cfg.integration.enable; | |
138 | services.myWebsites.Aten.integration.enable = cfg.integration.enable; | |
139 | services.myWebsites.PiedsJaloux.integration.enable = cfg.integration.enable; | |
140 | services.myWebsites.Connexionswing.integration.enable = cfg.integration.enable; | |
141 | ||
142 | services.myWebsites.apacheConfig = { | |
143 | gzip = { | |
144 | modules = [ "deflate" "filter" ]; | |
145 | extraConfig = '' | |
146 | AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript | |
147 | ''; | |
148 | }; | |
149 | macros = { | |
150 | modules = [ "macro" ]; | |
151 | }; | |
152 | ldap = { | |
153 | modules = [ "ldap" "authnz_ldap" ]; | |
154 | # FIXME: starttls | |
155 | extraConfig = assert mylibs.checkEnv "NIXOPS_HTTP_LDAP_PASSWORD"; '' | |
156 | <IfModule ldap_module> | |
157 | LDAPSharedCacheSize 500000 | |
158 | LDAPCacheEntries 1024 | |
159 | LDAPCacheTTL 600 | |
160 | LDAPOpCacheEntries 1024 | |
161 | LDAPOpCacheTTL 600 | |
162 | </IfModule> | |
163 | ||
164 | <Macro LDAPConnect> | |
165 | <IfModule authnz_ldap_module> | |
166 | AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS | |
167 | AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu | |
168 | AuthLDAPBindPassword "${builtins.getEnv "NIXOPS_HTTP_LDAP_PASSWORD"}" | |
169 | AuthType Basic | |
170 | AuthName "Authentification requise (Acces LDAP)" | |
171 | AuthBasicProvider ldap | |
172 | </IfModule> | |
173 | </Macro> | |
174 | ||
175 | <Macro Stats %{domain}> | |
176 | Alias /awstats /var/lib/goaccess/%{domain} | |
177 | <Directory /var/lib/goaccess/%{domain}> | |
178 | DirectoryIndex index.html | |
179 | AllowOverride None | |
180 | Require all granted | |
181 | </Directory> | |
182 | <Location /awstats> | |
183 | Use LDAPConnect | |
184 | Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu | |
185 | </Location> | |
186 | </Macro> | |
187 | ''; | |
188 | }; | |
189 | http2 = { | |
190 | modules = [ "http2" ]; | |
191 | extraConfig = '' | |
192 | Protocols h2 http/1.1 | |
193 | ''; | |
194 | }; | |
195 | customLog = { | |
196 | extraConfig = '' | |
197 | LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost | |
198 | ''; | |
199 | }; | |
200 | }; | |
f8bde3d6 IB |
201 | |
202 | # FIXME: logrotate | |
203 | # FIXME: ipv6 | |
204 | services.httpdProd = makeService "production" config.services.myWebsites.production; | |
205 | services.myWebsites.production.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig); | |
206 | services.myWebsites.production.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig)); | |
207 | ||
208 | services.httpdInte = makeService "integration" config.services.myWebsites.integration; | |
209 | services.myWebsites.integration.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig); | |
210 | services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig)); | |
42429ef0 IB |
211 | }; |
212 | } |