Cleanup php session directories
index 8c4380c84f0b4412077e7895a849ea2cb4e8b23e..927243b2e31cb31da62d594528db42690ff3db67 100644 (file)
@@ -1,23 +1,40 @@
 { lib, pkgs, config, mylibs, myconfig, ... }:
 let
   cfg = config.services.myWebsites;
+  www_root = "/run/current-system/webapps/_www";
+  theme_root = "/run/current-system/webapps/_theme";
   makeService = name: cfg: let
     toVhost = vhostConf: {
       enableSSL = true;
       sslServerCert = "/var/lib/acme/${vhostConf.certName}/cert.pem";
       sslServerKey = "/var/lib/acme/${vhostConf.certName}/key.pem";
-      sslServerChain = "/var/lib/acme/${vhostConf.certName}/fullchain.pem";
+      sslServerChain = "/var/lib/acme/${vhostConf.certName}/chain.pem";
       logFormat = "combinedVhost";
-      listen = [
-        { ip = cfg.ip;  port = 443; }
-      ];
+      listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
       hostName = builtins.head vhostConf.hosts;
       serverAliases = builtins.tail vhostConf.hosts or [];
       documentRoot = vhostConf.root;
       extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
     };
+    nosslVhost = {
+      listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
+      hostName = "nossl.immae.eu";
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = www_root;
+      extraConfig = ''
+        <Directory ${www_root}>
+          DirectoryIndex nossl.html
+          AllowOverride None
+          Require all granted
+
+          RewriteEngine on
+          RewriteRule ^/(.+)   /   [L]
+        </Directory>
+        '';
+    };
     redirectVhost = { # Should go last, catchall http -> https redirect
-      listen = [ { ip = cfg.ip; port = 80; } ];
+      listen = map (ip: { inherit ip; port = 80; }) cfg.ips;
       hostName = "redirectSSL";
       serverAliases = [ "*" ];
       enableSSL = false;
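Review bot: `RewriteRule ^/(.+) / [L]` in the new nosslVhost is placed inside a `<Directory>` section, and in per-directory context mod_rewrite matches the pattern against the filesystem path with the directory prefix stripped, i.e. without a leading slash, so this pattern does not match and every request other than `/` is served as an ordinary file instead of being folded to `/`. Either write it for per-directory context, `RewriteRule ^.+$ / [L]`, or move the rule out of the `<Directory>` block into vhost context where the leading-slash form is the correct one. Note also that per-directory rewriting needs `FollowSymLinks` (or `SymLinksIfOwnerMatch`) on that directory, which this block does not set and so presumably inherits from the server-wide defaults; a one-line comment saying so would save the next reader a 403 hunt.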
@@ -35,14 +52,12 @@ let
     fallbackVhost = toVhost { # Should go first, default choice
       certName    = "eldiron";
       hosts       = ["eldiron.immae.eu" ];
-      root        = ../../www;
+      root        = www_root;
       extraConfig = [ "DirectoryIndex index.htm" ];
     };
   in rec {
     enable = true;
-    listen = [
-      { ip = cfg.ip;  port = 443; }
-    ];
+    listen = map (ip: { inherit ip; port = 443; }) cfg.ips;
     stateDir = "/run/httpd_${name}";
     logPerVirtualHost = true;
     multiProcessingModule = "worker";
@@ -51,15 +66,19 @@ let
     extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
     extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
     virtualHosts = [ fallbackVhost ]
+      ++ lib.optionals (name == "tools") [ nosslVhost ]
       ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
       ++ [ redirectVhost ];
   };
-  makeServiceOptions = name: ip: {
+  makeServiceOptions = name: {
     enable = lib.mkEnableOption "enable websites in ${name}";
-    ip = lib.mkOption {
-      type = lib.types.string;
-      default = ip;
-      description = "${name} ip to listen to";
+    ips = lib.mkOption {
+      type = lib.types.listOf lib.types.string;
+      default = let
+        ips = myconfig.env.servers.eldiron.ips.${name};
+      in
+        [ips.ip4] ++ (ips.ip6 or []);
+      description = "${name} ips to listen to";
     };
     modules = lib.mkOption {
       type = lib.types.listOf (lib.types.str);
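Review bot: `ips` is declared as `lib.types.listOf lib.types.string` while `modules` two lines below uses `lib.types.str`; `types.string` is the deprecated spelling that nixpkgs warns about, so use `type = lib.types.listOf lib.types.str;` for consistency with the rest of this option set. The default also hard-codes a single host in `myconfig.env.servers.eldiron.ips.${name}`; if that coupling is intentional, a short comment such as `# listening addresses are tied to the eldiron host; override ips when deploying elsewhere` would make it explicit.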
@@ -97,6 +116,7 @@ in
     ./ftp/nassime.nix
     ./ftp/florian.nix
     ./ftp/denisejerome.nix
+    ./ftp/leila.nix
     ./ftp/immae.nix
     ./ftp/release.nix
     ./ftp/temp.nix
@@ -109,6 +129,7 @@ in
     ./tools/mediagoblin
     ./tools/diaspora
     ./tools/ether
+    ./tools/peertube
     # built using:
     # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
     # Removed allGranted
@@ -122,9 +143,9 @@ in
   ];
 
   options.services.myWebsites = {
-    production = makeServiceOptions "production" myconfig.ips.production;
-    integration = makeServiceOptions "integration" myconfig.ips.integration;
-    tools = makeServiceOptions "tools" myconfig.ips.main;
+    production = makeServiceOptions "production";
+    integration = makeServiceOptions "integration";
+    tools = makeServiceOptions "main";
 
     apacheConfig = lib.mkOption {
       type = lib.types.attrsOf (lib.types.submodule {
@@ -146,22 +167,14 @@ in
   };
 
   config = {
-    networking = {
-      firewall = {
-        enable = true;
-        allowedTCPPorts = [ 80 443 ];
-      };
-      interfaces."eth0".ipv4.addresses = [
-        # 176.9.151.89 declared in nixops -> infra / tools
-        { address = myconfig.ips.production; prefixLength = 32; }
-        { address = myconfig.ips.integration; prefixLength = 32; }
-      ];
-    };
+    users.users.wwwrun.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
 
-    nixpkgs.config.packageOverrides = oldpkgs: rec {
+    nixpkgs.overlays = [ (self: super: rec {
+      #openssl = self.openssl_1_1;
       php = php72;
-      php72 = (oldpkgs.php72.override {
-        mysql.connector-c = pkgs.mariadb;
+      php72 = (super.php72.override {
+        mysql.connector-c = self.mariadb;
         config.php.mysqlnd = false;
         config.php.mysqli = false;
       }).overrideAttrs(old: rec {
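Review bot: the explicit `networking.firewall.enable = true;` is dropped together with the interface addresses, leaving only `allowedTCPPorts`; NixOS enables the firewall by default, but the old line guaranteed it regardless of what other modules (or the nixops deployment that presumably now owns the addresses) do, whereas now a single `enable = false` elsewhere would silently expose every listening service, not just 80/443. Keeping `networking.firewall.enable = true;` costs nothing and preserves that guarantee. The commented-out `#openssl = self.openssl_1_1;` in the overlay is dead text; either remove it or add a comment saying why it is kept.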
@@ -175,11 +188,11 @@ in
         #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
         #   '';
       });
-      phpPackages = oldpkgs.php72Packages.override { inherit php; };
+      phpPackages = super.php72Packages.override { inherit php; };
       composerEnv = import ./commons/composer-env.nix {
-        inherit (pkgs) stdenv writeTextFile fetchurl php unzip;
+        inherit (self) stdenv writeTextFile fetchurl php unzip;
       };
-    };
+    }) ];
 
     services.myWebsites.tools.databases.enable = true;
     services.myWebsites.tools.tools.enable = true;
@@ -190,6 +203,7 @@ in
     services.myWebsites.tools.mediagoblin.enable = true;
     services.myWebsites.tools.diaspora.enable = true;
     services.myWebsites.tools.etherpad-lite.enable = true;
+    services.myWebsites.tools.peertube.enable = true;
 
     services.myWebsites.Chloe.production.enable = cfg.production.enable;
     services.myWebsites.Ludivine.production.enable = cfg.production.enable;
@@ -199,6 +213,7 @@ in
     services.myWebsites.Jerome.production.enable = cfg.production.enable;
     services.myWebsites.Nassime.production.enable = cfg.production.enable;
     services.myWebsites.Florian.production.enable = cfg.production.enable;
+    services.myWebsites.Leila.production.enable = cfg.production.enable;
     services.myWebsites.DeniseJerome.production.enable = cfg.production.enable;
     services.myWebsites.Emilia.production.enable = cfg.production.enable;
     services.myWebsites.Capitaines.production.enable = cfg.production.enable;
@@ -214,6 +229,24 @@ in
     services.myWebsites.TellesFlorian.integration.enable = true;
     services.myWebsites.Florian.integration.enable = true;
 
+    deployment.keys.apache-ldap = {
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+        <Macro LDAPConnect>
+          <IfModule authnz_ldap_module>
+            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
+            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+            AuthType             Basic
+            AuthName             "Authentification requise (Acces LDAP)"
+            AuthBasicProvider    ldap
+          </IfModule>
+        </Macro>
+        '';
+    };
+
     services.myWebsites.apacheConfig = {
       gzip = {
         modules = [ "deflate" "filter" ];
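Review bot: the macro body in the new `apache-ldap` key wraps every Auth* directive in `<IfModule authnz_ldap_module>`, so if that module is ever missing from `extraModules`, `Use LDAPConnect` expands to nothing and whatever `Require` the call sites pair it with runs with no `AuthType`; depending on the call site that is a request-time 500 or, in the worst case, a location that is no longer protected, and either way it is only discovered after deployment. Since the macro is meaningless without the module, drop the `<IfModule>` guard so a missing module becomes a hard configuration error at httpd startup. Also, `AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"` embeds the secret inside double quotes; a password containing `"` or `\` would break the directive, so either escape it when interpolating or document that constraint where the secret is defined.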
@@ -251,16 +284,7 @@ in
             LDAPOpCacheTTL 600
           </IfModule>
 
-          <Macro LDAPConnect>
-            <IfModule authnz_ldap_module>
-              AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
-              AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
-              AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
-              AuthType             Basic
-              AuthName             "Authentification requise (Acces LDAP)"
-              AuthBasicProvider    ldap
-            </IfModule>
-          </Macro>
+          Include /run/keys/apache-ldap
         '';
       };
       global = {
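Review bot: `Include /run/keys/apache-ldap` makes the httpd configuration depend on a file that nixops uploads out of band and that lives in a tmpfs, so after a reboot it is absent until the key is re-sent; with a hard `Include`, every httpd instance then fails its config check and stays down. nixops exposes a per-key unit (presumably `apache-ldap-key.service`, and `keys.target`) that blocks until the file exists, so the systemd units for these httpd instances (defined outside this hunk) should declare `after = [ "apache-ldap-key.service" ]; wants = [ "apache-ldap-key.service" ];` or the equivalent on `keys.target`. Switching to `IncludeOptional` is not a substitute, because a later `Use LDAPConnect` would then fail on an undefined macro instead.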
@@ -270,17 +294,21 @@ in
           ErrorDocument 502 /maintenance_immae.html
           ErrorDocument 503 /maintenance_immae.html
           ErrorDocument 504 /maintenance_immae.html
-          Alias /maintenance_immae.html ${../../www}/maintenance_immae.html
+          Alias /maintenance_immae.html ${www_root}/maintenance_immae.html
           ProxyPass /maintenance_immae.html !
 
-          AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${../../www}/googleb6d69446ff4ca3e5.html
+          AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html
+          <Directory ${www_root}>
+            AllowOverride None
+            Require all granted
+          </Directory>
         '';
       };
       apaxy = {
         extraConfig = ''
           <Macro Apaxy %{folder} %{ignored}>
-            Alias /theme ${./apache/theme}
-            <Directory ${./apache/theme}>
+            Alias /theme ${theme_root}
+            <Directory ${theme_root}>
               Options -Indexes
               AllowOverride None
               Require all granted
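Review bot: the new global `<Directory ${www_root}>` block grants access but sets no `Options`, unlike the theme block a few lines below which adds `Options -Indexes`; since this grant applies to every vhost, any URL that resolves into `www_root` without hitting a `DirectoryIndex` (only the fallback vhost sets `index.htm`) would return a directory listing if `Indexes` is inherited from the server defaults. Add `Options -Indexes` to this block for consistency with the theme block. `www_root` is also reached through the `/run/current-system` symlink, so serving it depends on `FollowSymLinks` being inherited; a comment such as `# served through /run/current-system, needs FollowSymLinks` would keep a later tightening of the global Options from silently breaking the maintenance pages.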
@@ -378,17 +406,31 @@ in
         install -d -m 0755 /var/lib/acme/acme-challenge
         install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
         install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
         install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
         install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
         '';
     };
 
+    system.extraSystemBuilderCmds = let
+      adminer = pkgs.callPackage ./commons/adminer.nix {};
+    in ''
+      mkdir -p $out/webapps
+      ln -s ${../../www} $out/webapps/_www
+      ln -s ${./apache/theme} $out/webapps/_theme
+      ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
+      '';
+
     services.myPhpfpm = {
       phpPackage = pkgs.php;
       phpOptions = ''
         session.save_path = "/var/lib/php/sessions"
-        session.gc_maxlifetime = 60*60*24*15
-        session.cache_expire = 60*24*30
+        post_max_size = 20M
+        ; 15 days (seconds)
+        session.gc_maxlifetime = 1296000
+        ; 30 days (minutes)
+        session.cache_expire = 43200
         '';
       extraConfig = ''
         log_level = notice
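Review bot: `install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer` applies the mode and owner to the leaf only, while the intermediate `/var/lib/php/tmp` is created implicitly with the umask-derived default (root-owned, typically 0755), unlike `/var/lib/php/sessions`, which this script creates explicitly before its per-app subdirectories. Add `install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp` before the adminer line so the tmp tree is as restricted as the session tree. Separately, `post_max_size = 20M` is set without a matching `upload_max_filesize`, which PHP defaults to 2M; if 20M uploads are the intent, both need to be set, and a comment stating the intended limit would help.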