aboutsummaryrefslogblamecommitdiff
path: root/modules/private/environment.nix
blob: f0af57203145b472cf0929cace8205740045e842 (plain) (tree)
1
                           























                                                                                                                            
                                                                                             
















                                                                                                        
                                         





                                                                                                
                


























































                                                                                                        












                                                                                               





                                  







                                                                      










                                                                           

                                                                                                  




















                                                                                               
                         




                                       
                                









                                         







                                                                                       
                             
































                                                                    
                                                                                          










































                                                                                                                



                                                  






























                                                         
                                                                                                           




                                              







                                                                           































































                                                                                                 









                                                                                








                                                                           




                                                                







                                                                           
                                                                                                     







































                                                                                                                                    

















                                                                                                 


          















                                                                                              





                                                       













                                                                                              
                                                                                                                                          







































                                                                                                         
                                                                                                                        
                                                                         



                                                                                    
                                                                                                              











                                                                                                      



                                                         
                                                                      



                                                                              


                                                                                                              

                                                                                                                      
                                                                                                                    







                                                                                                                 

                                                                                                                                        


                





















                                                                                                       









                                                                                            










































                                                                                                                                                                                                                                                            


                                                                                                                         













































                                                                                                                       
                                                                                                                     



























                                                                                                                   
                                                                                                  


















                                                                                               





















                                                                          






                                             
                                                                                              


















































                                                                                                                                           
                                                                                            










































                                                                                               
                                                                                     









                                                                                   



















                                                                                      




                                                        
                                                                                                


                







                                                                                             
                                                                                                            

























































































                                                                                                      









                                                                                          








































                                                                                                








                                                         











































                                                                                              



                                                                      









                                                                                                       









                                                                                          









                                                                                                     

















                                                                                                       









                                                                                          



                                                 
                                                   







                                                                                 
                                                                                                             



                                              
















                                                                                                  

                                                                   














                                                                                                  

                                                     









                                                                                                   










                                                                
                                                                                               
                                                        




















                                                                                                  
                                                                 
















                                                                                                   
                                                         



                                                                                             
                                   






                                                                                             
                               







                                                                                                  
                                                                 













































                                                                                                  
                                                              











                                                                                            



                                                                        
                                                   











                                                                                    














                                                                                                                








                                                                                                  
                                                                






















                                                                                                       




                                             

    
{ config, lib, name, ... }:
with lib;
with types;
with lists;
let
  ldapOptions = {
    base = mkOption { description = "Base of the LDAP tree"; type = str; };
    host = mkOption { description = "Host to access LDAP"; type = str; };
    root_dn = mkOption { description = "DN of the root user"; type = str; };
    root_pw = mkOption { description = "Hashed password of the root user"; type = str; };
    replication_dn = mkOption { description = "DN of the user allowed to replicate the LDAP directory"; type = str; };
    replication_pw = mkOption { description = "Password of the user allowed to replicate the LDAP directory"; type = str; };
  };
  mkLdapOptions = name: more: mkOption {
    description = "${name} LDAP configuration";
    type = submodule {
      options = ldapOptions // {
        dn = mkOption { description = "DN of the ${name} user"; type = str; };
        password = mkOption { description = "password of the ${name} user"; type = str; };
        filter = mkOption { description = "Filter for ${name} users"; type = str; default = ""; };
      } // more;
    };
  };
  mysqlOptions = {
    host = mkOption { description = "Host to access Mysql"; type = str; };
    remoteHost = mkOption { description = "Host to access Mysql from outside"; type = str; };
    port = mkOption { description = "Port to access Mysql"; type = str; };
    socket = mkOption { description = "Socket to access Mysql"; type = path; };
    systemUsers = mkOption {
      description = "Attrs of user-passwords allowed to access mysql";
      type = attrsOf str;
    };
    pam = mkOption {
      description = "PAM configuration for mysql";
      type = submodule {
        options = {
          dn = mkOption { description = "DN to connect as to check users"; type = str; };
          password = mkOption { description = "DN password to connect as to check users"; type = str; };
          filter = mkOption { description = "filter to match users"; type = str; };
        };
      };
    };
  };
  mkMysqlOptions = name: more: mkOption {
    description = "${name} mysql configuration";
    type = submodule {
      options = mysqlOptions // {
        database = mkOption { description = "${name} database"; type = str; };
        user = mkOption { description = "${name} user"; type = str; };
        password = mkOption { description = "mysql password of the ${name} user"; type = str; };
      } // more;
    };
  };
  psqlOptions = {
    host = mkOption { description = "Host to access Postgresql"; type = str; };
    port = mkOption { description = "Port to access Postgresql"; type = str; };
    socket = mkOption { description = "Socket to access Postgresql"; type = path; };
    pam = mkOption {
      description = "PAM configuration for psql";
      type = submodule {
        options = {
          dn = mkOption { description = "DN to connect as to check users"; type = str; };
          password = mkOption { description = "DN password to connect as to check users"; type = str; };
          filter = mkOption { description = "filter to match users"; type = str; };
        };
      };
    };
  };
  mkPsqlOptions = name: mkOption {
    description = "${name} psql configuration";
    type = submodule {
      options = psqlOptions // {
        database = mkOption { description = "${name} database"; type = str; };
        schema = mkOption { description = "${name} schema"; type = nullOr str; default = null; };
        user = mkOption { description = "${name} user"; type = str; };
        password = mkOption { description = "psql password of the ${name} user"; type = str; };
      };
    };
  };
  redisOptions = {
    host = mkOption { description = "Host to access Redis"; type = str; };
    port = mkOption { description = "Port to access Redis"; type = str; };
    socket = mkOption { description = "Socket to access Redis"; type = path; };
    dbs = mkOption {
      description = "Attrs of db number. Each number should be unique to avoid collision!";
      type = attrsOf str;
    };
    spiped_key = mkOption {
      type = str;
      description = ''
        Key to use with spiped to make a secure channel to replication
        '';
    };
    predixy = mkOption {
      description = "Predixy configuration. Unused yet";
      type = submodule {
        options = {
          read = mkOption { type = str; description = "Read password"; };
        };
      };
    };
  };
  mkRedisOptions = name: mkOption {
    description = "${name} redis configuration";
    type = submodule {
      options = redisOptions // {
        db = mkOption { description = "${name} database"; type = str; };
      };
    };
  };
  smtpOptions = {
    host = mkOption { description = "Host to access SMTP"; type = str; };
    port = mkOption { description = "Port to access SMTP"; type = str; };
  };
  mkSmtpOptions = name: mkOption {
    description = "${name} smtp configuration";
    type = submodule {
      options = smtpOptions // {
        email = mkOption { description = "${name} email"; type = str; };
        password = mkOption { description = "SMTP password of the ${name} user"; type = str; };
      };
    };
  };
  hostEnv = submodule {
    options = {
      fqdn = mkOption {
        description = "Host FQDN";
        type = str;
      };
      users = mkOption {
        type = unspecified;
        default = pkgs: [];
        description = ''
          Sublist of users from realUsers. Function that takes pkgs as
          argument and gives an array as a result
        '';
      };
      emails = mkOption {
        default = [];
        description = "List of e-mails that the server can be a sender of";
        type = listOf str;
      };
      ldap = mkOption {
        description = ''
          LDAP credentials for the host
        '';
        type = submodule {
          options = {
            password = mkOption { type = str; description = "Password for the LDAP connection"; };
            dn = mkOption { type = str; description = "DN for the LDAP connection"; };
          };
        };
      };
      mx = mkOption {
        description = "subdomain and priority for MX server";
        default = { enable = false; };
        type = submodule {
          options = {
            enable = mkEnableOption "Enable MX";
            subdomain = mkOption { type = nullOr str; description = "Subdomain name (mx-*)"; };
            priority = mkOption { type = nullOr str; description = "Priority"; };
          };
        };
      };
      ips = mkOption {
        description = ''
          attrs of ip4/ip6 grouped by section
        '';
        type = attrsOf (submodule {
          options = {
            ip4 = mkOption {
              type = str;
              description = ''
                ip4 address of the host
              '';
            };
            ip6 = mkOption {
              type = listOf str;
              default = [];
              description = ''
                ip6 addresses of the host
              '';
            };
          };
        });
      };
    };
  };
in
{
  options.myEnv = {
    servers = mkOption {
      description = ''
        Attrs of servers information in the cluster (not necessarily handled by nixops)
      '';
      default = {};
      type = attrsOf hostEnv;
    };
    hetznerCloud = mkOption {
      description = ''
        Hetzner Cloud credential information
      '';
      type = submodule {
        options = {
          authToken = mkOption {
            type = str;
            description = ''
              The API auth token.
            '';
          };
        };
      };
    };
    hetzner = mkOption {
      description = ''
        Hetzner credential information
      '';
      type = submodule {
        options = {
          user = mkOption { type = str; description = "User"; };
          pass = mkOption { type = str; description = "Password"; };
        };
      };
    };
    sshd = mkOption {
      description = ''
        sshd service credential information
      '';
      type = submodule {
        options = {
          rootKeys = mkOption { type = attrsOf str; description = "Keys of root users"; };
          ldap = mkOption {
            description = ''
              LDAP credentials for cn=ssh,ou=services,dc=immae,dc=eu dn
            '';
            type = submodule {
              options = {
                password = mkOption { description = "Password"; type = str; };
              };
            };
          };
        };
      };
    };
    ports = mkOption {
      description = ''
        non-standard reserved ports. Must be unique!
      '';
      type = attrsOf port;
      default = {};
      apply = let
        noDupl = x: builtins.length (builtins.attrValues x) == builtins.length (unique (builtins.attrValues x));
      in
        x: if isAttrs x && noDupl x then x else throw "Non unique values for ports";
    };
    httpd = mkOption {
      description = ''
        httpd service credential information
      '';
      type = submodule {
        options = {
          ldap = mkOption {
            description = ''
              LDAP credentials for cn=httpd,ou=services,dc=immae,dc=eu dn
            '';
            type = submodule {
              options = {
                password = mkOption { description = "Password"; type = str; };
              };
            };
          };
        };
      };
    };
    smtp = mkOption {
      type = submodule { options = smtpOptions; };
      description = "SMTP configuration";
    };
    ldap = mkOption {
      description = ''
        LDAP server configuration
        '';
      type = submodule {
        options = ldapOptions;
      };
    };
    databases = mkOption {
      description = "Databases configuration";
      type = submodule {
        options = {
          mysql = mkOption {
            type = submodule { options = mysqlOptions; };
            description = "Mysql configuration";
          };
          redis = mkOption {
            type = submodule { options = redisOptions; };
            description = "Redis configuration";
          };
          postgresql = mkOption {
            type = submodule { options = psqlOptions; };
            description = "Postgresql configuration";
          };
        };
      };
    };
    jabber = mkOption {
      description = "Jabber configuration";
      type = submodule {
        options = {
          postfix_user_filter = mkOption { type = str; description = "Postfix filter to get xmpp users"; };
          ldap = mkLdapOptions "Jabber" {};
          postgresql = mkPsqlOptions "Jabber";
        };
      };
    };
    realUsers = mkOption {
      description = ''
        Attrset of function taking pkgs as argument.
        Real users settings, should provide a subattr of users.users.<name>
        with at least: name, (hashed)Password, shell
      '';
      type = attrsOf unspecified;
    };
    users = mkOption {
      description = "System and regular users uid/gid";
      type = attrsOf (submodule {
        options = {
          uid = mkOption {
            description = "user uid";
            type = int;
          };
          gid = mkOption {
            description = "user gid";
            type = int;
          };
        };
      });
    };
    dns = mkOption {
      description = "DNS configuration";
      type = submodule {
        options = {
          soa = mkOption {
            description = "SOA information";
            type = submodule {
              options = {
                serial = mkOption {
                  description = "Serial number. Should be incremented at each change and unique";
                  type = str;
                };
                refresh = mkOption {
                  description = "Refresh time";
                  type = str;
                };
                retry = mkOption {
                  description = "Retry time";
                  type = str;
                };
                expire = mkOption {
                  description = "Expire time";
                  type = str;
                };
                ttl = mkOption {
                  description = "Default TTL time";
                  type = str;
                };
                email = mkOption {
                  description = "hostmaster e-mail";
                  type = str;
                };
                primary = mkOption {
                  description = "Primary NS";
                  type = str;
                };
              };
            };
          };
          ns = mkOption {
            description = "Attrs of NS servers group";
            example = {
              foo = {
                "ns1.foo.com" = [ "198.51.100.10" "2001:db8:abcd::1" ];
                "ns2.foo.com" = [ "198.51.100.15" "2001:db8:1234::1" ];
              };
            };
            type = attrsOf (attrsOf (listOf str));
          };
          keys = mkOption {
            default = {};
            description = "DNS keys";
            type = attrsOf (submodule {
              options = {
                algorithm = mkOption { type = str; description = "Algorithm"; };
                secret    = mkOption { type = str; description = "Secret"; };
              };
            });
          };
          slaveZones = mkOption {
            description = "List of slave zones";
            type = listOf (submodule {
              options = {
                name = mkOption { type = str; description = "zone name"; };
                masters = mkOption {
                  description = "NS master groups of this zone";
                  type = listOf str;
                };
                keys = mkOption {
                  default = [];
                  description = "Keys associated to the server";
                  type = listOf str;
                };
              };
            });
          };
          masterZones = mkOption {
            description = "List of master zones";
            type = listOf (submodule {
              options = {
                name = mkOption { type = str; description = "zone name"; };
                withCAA = mkOption { type = nullOr str; description = "CAA entry"; default = null; };
                slaves = mkOption {
                  description = "NS slave groups of this zone";
                  type = listOf str;
                };
                ns = mkOption {
                  description = "groups names that should have their NS entries listed here";
                  type = listOf str;
                };
                extra = mkOption {
                  description = "Extra zone configuration for bind";
                  example = ''
                    notify yes;
                    '';
                  type = lines;
                };
                entries = mkOption { type = lines; description = "Regular entries of the NS zone"; };
                withEmail = mkOption {
                  description = "List of domains that should have mail entries (MX, dkim, SPF, ...)";
                  default = [];
                  type = listOf (submodule {
                    options = {
                      domain = mkOption { type = str; description = "Which subdomain is concerned"; };
                      send = mkOption { type = bool; description = "Whether there can be e-mails originating from the subdomain"; };
                      receive = mkOption { type = bool; description = "Whether there can be e-mails arriving to the subdomain"; };
                    };
                  });
                };
              };
            });
          };
        };
      };
    };
    backup = mkOption {
      description = ''
        Remote backup with duplicity
        '';
      type = submodule {
        options = {
          password = mkOption { type = str; description = "Password for encrypting files"; };
          remotes = mkOption {
            type = attrsOf (submodule {
              options = {
                remote = mkOption {
                  type = unspecified;
                  example = literalExample ''
                    bucket: "s3://some_host/${bucket}";
                    '';
                  description = ''
                    Function.
                    Takes a bucket name as argument and returns a url
                    '';
                };
                accessKeyId = mkOption { type = str; description = "Remote access-key"; };
                secretAccessKey = mkOption { type = str; description = "Remote access secret"; };
              };
            });
          };
        };
      };
    };
    zrepl_backup = mkOption {
      type = submodule {
        options = {
          ssh_key = mkOption {
            description = "SSH key information";
            type = submodule {
              options = {
                public = mkOption { type = str; description = "Public part of the key"; };
                private = mkOption { type = lines; description = "Private part of the key"; };
              };
            };
          };
          mysql = mkMysqlOptions "Zrepl" {};
        };
      };
    };
    rsync_backup = mkOption {
      description  =''
        Rsync backup configuration from controlled host
        '';
      type = submodule {
        options = {
          ssh_key = mkOption {
            description = "SSH key information";
            type = submodule {
              options = {
                public = mkOption { type = str; description = "Public part of the key"; };
                private = mkOption { type = lines; description = "Private part of the key"; };
              };
            };
          };
          profiles = mkOption {
            description = "Attrs of profiles to backup";
            type = attrsOf (submodule {
              options = {
                keep = mkOption { type = int; description = "Number of backups to keep"; };
                check_command = mkOption { type = str; description = "command to check if backup needs to be done"; default = "backup"; };
                login = mkOption { type = str; description = "Login to connect to host"; };
                port = mkOption { type = str; default = "22"; description = "Port to connect to host"; };
                host = mkOption { type = str; description = "Host to connect to"; };
                host_key = mkOption { type = str; description = "Host key"; };
                host_key_type = mkOption { type = str; description = "Host key type"; };
                parts = mkOption {
                  description = "Parts to backup for this host";
                  type = attrsOf (submodule {
                    options = {
                      remote_folder = mkOption { type = path; description = "Remote folder to backup";};
                      exclude_from = mkOption {
                        type = listOf path;
                        default = [];
                        description = "List of folders/files to exclude from the backup";
                      };
                      files_from = mkOption {
                        type = listOf path;
                        default = [];
                        description = "List of folders/files to backup in the base folder";
                      };
                      args = mkOption {
                        type = nullOr str;
                        default = null;
                        description = "Extra arguments to pass to rsync";
                      };
                    };
                  });
                };
              };
            });
          };
        };
      };
    };
    monitoring = mkOption {
      description = "Monitoring configuration";
      type = submodule {
        options = {
          status_url = mkOption { type = str; description = "URL to push status to"; };
          status_token = mkOption { type = str; description = "Token for the status url"; };
          http_user_password = mkOption { type = str; description = "HTTP credentials to check services behind wall"; };
          email = mkOption { type = str; description = "Admin E-mail"; };
          ssh_public_key = mkOption { type = str; description = "SSH public key"; };
          ssh_secret_key = mkOption { type = str; description = "SSH secret key"; };
          imap_login = mkOption { type = str; description = "IMAP login"; };
          imap_password = mkOption { type = str; description = "IMAP password"; };
          eriomem_keys = mkOption { type = listOf (listOf str); description = "Eriomem keys"; default = []; };
          ovh_sms = mkOption {
            description = "OVH credentials for sms script";
            type = submodule {
              options = {
                endpoint = mkOption { type = str; default = "ovh-eu"; description = "OVH endpoint"; };
                application_key = mkOption { type = str; description = "Application key"; };
                application_secret = mkOption { type = str; description = "Application secret"; };
                consumer_key = mkOption { type = str; description = "Consumer key"; };
                account = mkOption { type = str; description = "Account"; };
              };
            };
          };
          eban = mkOption {
            description = "Eban credentials for webhook";
            type = submodule {
              options = {
                user = mkOption { type = str; description = "User"; };
                password = mkOption { type = str; description = "Password"; };
              };
            };
          };
          nrdp_tokens = mkOption { type = listOf str; description = "Tokens allowed to push status update"; };
          slack_url = mkOption { type = str; description = "Slack webhook url to push status update"; };
          slack_channel = mkOption { type = str; description = "Slack channel to push status update"; };
          netdata_aggregator = mkOption { type = str; description = "Url where netdata information should be sent"; };
          netdata_keys = mkOption { type = attrsOf str; description = "netdata host keys"; };
          contacts = mkOption { type = attrsOf unspecified; description = "Contact dicts to fill naemon objects"; };
          email_check = mkOption {
            description = "Emails services to check";
            type = attrsOf (submodule {
              options = {
                local = mkOption { type = bool; default = false; description = "Use local configuration"; };
                port = mkOption { type = nullOr str; default = null; description = "Port to connect to ssh"; };
                login = mkOption { type = nullOr str; default = null; description = "Login to connect to ssh"; };
                targets = mkOption { type = listOf str; description = "Hosts to send E-mails to"; };
                mail_address = mkOption { type = nullOr str; default = null; description = "E-mail recipient part to send e-mail to"; };
                mail_domain = mkOption { type = nullOr str; default = null; description = "E-mail domain part to send e-mail to"; };
              };
            });
          };
        };
      };
    };
    mpd = mkOption {
      description = "MPD configuration";
      type = submodule {
        options = {
          folder = mkOption { type = str; description = "Folder to serve from the MPD instance"; };
          password = mkOption { type = str; description = "Password to connect to the MPD instance"; };
          host = mkOption { type = str; description = "Host to connect to the MPD instance"; };
          port = mkOption { type = str; description = "Port to connect to the MPD instance"; };
        };
      };
    };
    ftp = mkOption {
      description = "FTP configuration";
      type = submodule {
        options = {
          ldap = mkLdapOptions "FTP" {};
        };
      };
    };
    vpn = mkOption {
      description = "VPN configuration";
      type = attrsOf (submodule {
        options = {
          prefix = mkOption { type = str; description = "ipv6 prefix for the vpn subnet"; };
          privateKey = mkOption { type = str; description = "Private key for the host"; };
          publicKey = mkOption { type = str; description = "Public key for the host"; };
        };
      });
    };
    mail = mkOption {
      description = "Mail configuration";
      type = submodule {
        options = {
          dmarc = mkOption {
            description = "DMARC configuration";
            type = submodule {
              options = {
                ignore_hosts = mkOption {
                  type = lines;
                  description = ''
                    Hosts to ignore when checking for dmarc
                    '';
                };
              };
            };
          };
          dkim = mkOption {
            description = "DKIM configuration";
            type = attrsOf (submodule {
              options = {
                public = mkOption {
                  type = str;
                  example = ''
                    ( "v=DKIM1; k=rsa; "
                              "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3w1a2aMxWw9+hdcmbqX4UevcVqr204y0K73Wdc7MPZiOOlUJQYsMNSYR1Y/SC7jmPKeitpcJCpQgn/cveJZbuikjjPLsDReHyFEYmC278ZLRTELHx6f1IXM8WE08JIRT69CfZiMi1rVcOh9qRT4F93PyjCauU8Y5hJjtg9ThsWwIDAQAB" )
                    '';
                  description = "Public entry to put in DNS TXT field";
                };
                private = mkOption { type = str; description = "Private key"; };
              };
            });
          };
          postfix = mkOption {
            description = "Postfix configuration";
            type = submodule {
              options = {
                additional_mailbox_domains = mkOption {
                  description = ''
                    List of domains that are used as mailbox final destination, in addition to those defined in the DNS records
                  '';
                  type = listOf str;
                };
                mysql = mkMysqlOptions "Postfix" {
                  password_encrypt = mkOption { type = str; description = "Key to encrypt relay password in database"; };
                };
                backup_domains = mkOption {
                  description = ''
                    Domains that are accepted for relay as backup domain
                  '';
                  type = attrsOf (submodule {
                    options = {
                      domains = mkOption { type = listOf str; description = "Domains list"; };
                      relay_restrictions = mkOption {
                        type = lines;
                        description = ''
                          Restrictions for relaying the e-mails from the domains
                          '';
                      };
                      recipient_maps = mkOption {
                        description = ''
                          Recipient map to accept relay for.
                          Must be specified for domain, the rules apply to everyone!
                        '';
                        type = listOf (submodule {
                          options = {
                            type = mkOption {
                              type = enum [ "hash" ];
                              description = "Map type";
                            };
                            content = mkOption {
                              type = str;
                              description = "Map content";
                            };
                          };
                        });
                      };
                    };
                  });
                };
              };
            };
          };
          dovecot = mkOption {
            description = "Dovecot configuration";
            type = submodule {
              options = {
                ldap = mkLdapOptions "Dovecot" {
                  pass_attrs = mkOption { type = str; description = "Password attribute in LDAP"; };
                  user_attrs = mkOption { type = str; description = "User attribute mapping in LDAP"; };
                  iterate_attrs = mkOption { type = str; description = "User attribute mapping for listing in LDAP"; };
                  iterate_filter = mkOption { type = str; description = "User attribute filter for listing in LDAP"; };
                  postfix_mailbox_filter = mkOption { type = str; description = "Postfix filter to get mailboxes"; };
                };
              };
            };
          };
          rspamd = mkOption {
            description = "rspamd configuration";
            type = submodule {
              options = {
                redis = mkRedisOptions "Redis";
                read_password_hashed = mkOption { type = str; description = "Hashed read password for rspamd"; };
                write_password_hashed = mkOption { type = str; description = "Hashed write password for rspamd"; };
                read_password = mkOption {
                  type = str;
                  description = "Read password for rspamd. Unused";
                  apply = x: "";
                };
                write_password = mkOption {
                  type = str;
                  description = "Write password for rspamd. Unused";
                  apply = x: "";
                };
              };
            };
          };
          scripts = mkOption {
            description = "Mail script recipients";
            type = attrsOf (submodule {
              options = {
                external = mkEnableOption "Create a script_<name>@mail.immae.eu external address";
                src = mkOption {
                  description = ''
                    git source to fetch the script from.
                    It must have a default.nix file as its root accepting a scriptEnv parameter
                  '';
                  type = submodule {
                    options = {
                      url = mkOption { type = str; description = "git url to fetch"; };
                      rev = mkOption { type = str; description = "git reference to fetch"; };
                    };
                  };
                };
                env = mkOption {
                  description = "Variables to pass to the script";
                  type = unspecified;
                };
              };
            });
          };
          sympa = mkOption {
            description = "Sympa configuration";
            type = submodule {
              options = {
                listmasters = mkOption {
                  type = listOf str;
                  description = "Listmasters";
                };
                postgresql = mkPsqlOptions "Sympa";
                data_sources = mkOption {
                  type = attrsOf str;
                  default = {};
                  description = "Data sources to make available to sympa";
                };
                scenari = mkOption {
                  type = attrsOf str;
                  default = {};
                  description = "Scenari to make available to sympa";
                };
              };
            };
          };
        };
      };
    };
    buildbot = mkOption {
      description = "Buildbot configuration";
      type = submodule {
        options = {
          workerPassword = mkOption { description = "Buildbot worker password"; type = str; };
          user = mkOption {
            description = "Buildbot user";
            type = submodule {
              options = {
                uid = mkOption {
                  description = "user uid";
                  type = int;
                };
                gid = mkOption {
                  description = "user gid";
                  type = int;
                };
              };
            };
          };
          ldap = mkOption {
            description = "Ldap configuration for buildbot";
            type = submodule {
              options = {
                password = mkOption { type = str; description = "Buildbot password"; };
              };
            };
          };
          projects = mkOption {
            description = "Projects to make a buildbot for";
            type = attrsOf (submodule {
              options = {
                name = mkOption { type = str; description = "Project name"; };
                packages = mkOption {
                  type = unspecified;
                  example = literalExample ''
                    pkgs: [ pkgs.bash pkgs.git pkgs.gzip pkgs.openssh ];
                    '';
                  description = ''
                    Function.
                    Builds packages list to make available to buildbot project.
                    Takes pkgs as argument.
                  '';
                };
                pythonPackages = mkOption {
                  type = unspecified;
                  example = literalExample ''
                    p: pkgs: [ pkgs.python3Packages.pip ];
                    '';
                  description = ''
                    Function.
                    Builds python packages list to make available to buildbot project.
                    Takes buildbot python module as first argument and pkgs as second argument in order to augment the python modules list.
                    '';
                };
                pythonPathHome = mkOption { type = bool; description = "Whether to add project’s python home to python path"; };
                workerPort = mkOption { type = port; description = "Port for the worker"; };
                secrets = mkOption {
                  type = attrsOf str;
                  description = "Secrets for the project to dump as files";
                };
                environment = mkOption {
                  type = attrsOf str;
                  description = ''
                    Environment variables for the project.
                    BUILDBOT_ is prefixed to the variable names
                  '';
                };
                activationScript = mkOption {
                  type = lines;
                  description = ''
                    Activation script to run during deployment
                  '';
                };
                builderPaths = mkOption {
                  type = attrsOf unspecified;
                  default = {};
                  description = ''
                    Attrs of functions to make accessible specifically per builder.
                    Takes pkgs as argument and should return a single path containing binaries.
                    This path will be accessible as BUILDBOT_PATH_<attrskey>
                    '';
                };
                webhookTokens = mkOption {
                  type = nullOr (listOf str);
                  default = null;
                  description = ''
                    List of tokens allowed to push to project’s change_hook/base endpoint
                  '';
                };
              };
            });
          };
        };
      };
    };
    tools = mkOption {
      description = "Tools configurations";
      type = submodule {
        options = {
          contact = mkOption { type = str; description = "Contact e-mail address"; };
          assets = mkOption {
            default = {};
            type = attrsOf (submodule {
              options = {
                url = mkOption { type = str; description = "URL to fetch"; };
                sha256 = mkOption { type = str; description = "Hash of the url"; };
              };
            });
            description = "Assets to provide on assets.immae.eu";
          };
          davical = mkOption {
            description = "Davical configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Davical";
                ldap = mkLdapOptions "Davical" {};
              };
            };
          };
          diaspora = mkOption {
            description = "Diaspora configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Diaspora";
                redis = mkRedisOptions "Diaspora";
                ldap = mkLdapOptions "Diaspora" {};
                secret_token = mkOption { type = str; description = "Secret token"; };
              };
            };
          };
          dmarc_reports = mkOption {
            description = "DMARC reports configuration";
            type = submodule {
              options = {
                mysql = mkMysqlOptions "DMARC" {};
                anonymous_key = mkOption { type = str; description = "Anonymous hashing key"; };
              };
            };
          };
          etherpad-lite = mkOption {
            description = "Etherpad configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Etherpad";
                ldap = mkLdapOptions "Etherpad" {
                  group_filter = mkOption { type = str; description = "Filter for groups"; };
                };
                adminPassword = mkOption { type = str; description = "Admin password for mypads / admin"; };
                session_key = mkOption { type = str; description = "Session key"; };
                api_key = mkOption { type = str; description = "API key"; };
                redirects = mkOption { type = str; description = "Redirects for apache"; };
              };
            };
          };
          gitolite = mkOption {
            description = "Gitolite configuration";
            type = submodule {
              options = {
                ldap = mkLdapOptions "Gitolite" {};
              };
            };
          };
          kanboard = mkOption {
            description = "Kanboard configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Kanboard";
                ldap = mkLdapOptions "Kanboard" {
                  admin_dn = mkOption { type = str; description = "Admin DN"; };
                };
              };
            };
          };
          mantisbt = mkOption {
            description = "Mantisbt configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Mantisbt";
                ldap = mkLdapOptions "Mantisbt" {};
                master_salt = mkOption { type = str; description = "Master salt for password hash"; };
              };
            };
          };
          mastodon = mkOption {
            description = "Mastodon configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Mastodon";
                redis = mkRedisOptions "Mastodon";
                ldap = mkLdapOptions "Mastodon" {};
                paperclip_secret = mkOption { type = str; description = "Paperclip secret"; };
                otp_secret = mkOption { type = str; description = "OTP secret"; };
                secret_key_base = mkOption { type = str; description = "Secret key base"; };
                vapid = mkOption {
                  description = "vapid key";
                  type = submodule {
                    options = {
                      private = mkOption { type = str; description = "Private key"; };
                      public = mkOption { type = str; description = "Public key"; };
                    };
                  };
                };
              };
            };
          };
          mediagoblin = mkOption {
            description = "Mediagoblin configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Mediagoblin";
                redis = mkRedisOptions "Mediagoblin";
                ldap = mkLdapOptions "Mediagoblin" {};
              };
            };
          };
          nextcloud = mkOption {
            description = "Nextcloud configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Peertube";
                redis = mkRedisOptions "Peertube";
                password_salt = mkOption { type = str; description = "Password salt"; };
                instance_id = mkOption { type = str; description = "Instance ID"; };
                secret = mkOption { type = str; description = "App secret"; };
              };
            };
          };
          peertube = mkOption {
            description = "Peertube configuration";
            type = submodule {
              options = {
                listenPort = mkOption { type = port; description = "Port to listen to"; };
                postgresql = mkPsqlOptions "Peertube";
                redis = mkRedisOptions "Peertube";
                ldap = mkLdapOptions "Peertube" {};
              };
            };
          };
          syden_peertube = mkOption {
            description = "Peertube Syden configuration";
            type = submodule {
              options = {
                listenPort = mkOption { type = port; description = "Port to listen to"; };
                postgresql = mkPsqlOptions "Peertube";
                redis = mkRedisOptions "Peertube";
              };
            };
          };
          phpldapadmin = mkOption {
            description = "phpLdapAdmin configuration";
            type = submodule {
              options = {
                ldap = mkLdapOptions "phpldapadmin" {};
              };
            };
          };
          rompr = mkOption {
            description = "Rompr configuration";
            type = submodule {
              options = {
                mpd = mkOption {
                  description = "MPD configuration";
                  type = submodule {
                    options = {
                      host = mkOption { type = str; description = "Host for MPD"; };
                      port = mkOption { type = port; description = "Port to access MPD host"; };
                    };
                  };
                };
              };
            };
          };
          roundcubemail = mkOption {
            description = "Roundcubemail configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "TT-RSS";
                secret = mkOption { type = str; description = "Secret"; };
              };
            };
          };
          shaarli = mkOption {
            description = "Shaarli configuration";
            type = submodule {
              options = {
                ldap = mkLdapOptions "Shaarli" {};
              };
            };
          };
          status_engine = mkOption {
            description = "Status Engine configuration";
            type = submodule {
              options = {
                mysql = mkMysqlOptions "StatusEngine" {};
                ldap = mkLdapOptions "StatusEngine" {};
              };
            };
          };
          task = mkOption {
            description = "Taskwarrior configuration";
            type = submodule {
              options = {
                ldap = mkLdapOptions "Taskwarrior" {};
                taskwarrior-web = mkOption {
                  description = "taskwarrior-web profiles";
                  type = attrsOf (submodule {
                    options = {
                      uid = mkOption {
                        type = listOf str;
                        description = "List of ldap uids having access to this profile";
                      };
                      org = mkOption { type = str; description = "Taskd organisation"; };
                      key = mkOption { type = str; description = "Taskd key"; };
                      date = mkOption { type = str; description = "Preferred date format"; };
                    };
                  });
                };
              };
            };
          };
          ttrss = mkOption {
            description = "TT-RSS configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "TT-RSS";
                ldap = mkLdapOptions "TT-RSS" {};
              };
            };
          };
          wallabag = mkOption {
            description = "Wallabag configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Wallabag";
                ldap = mkLdapOptions "Wallabag" {
                  admin_filter = mkOption { type = str; description = "Admin users filter"; };
                };
                redis = mkRedisOptions "Wallabag";
                secret = mkOption { type = str; description = "App secret"; };
              };
            };
          };
          webhooks = mkOption {
            type = attrsOf str;
            description = "Mapping 'name'.php => script for webhooks";
          };
          csp_reports = mkOption {
            description = "CSP report configuration";
            type = submodule {
              options = {
                report_uri = mkOption { type = str; description = "URI to report CSP violations to"; };
                policies = mkOption { type = attrsOf str; description = "CSP policies to apply"; };
                postgresql = mkPsqlOptions "CSP reports";
              };
            };
          };
          commento = mkOption {
            description = "Commento configuration";
            type = submodule {
              options = {
                listenPort = mkOption { type = port; description = "Port to listen to"; };
                postgresql = mkPsqlOptions "Commento";
                smtp = mkSmtpOptions "Commento";
              };
            };
          };
          cryptpad = mkOption {
            description = "Cryptpad configuration";
            type = attrsOf (submodule {
              options = {
                email = mkOption { type = str; description = "Admin e-mail"; };
                admins = mkOption { type = listOf str; description = "Instance admin public keys"; };
                port = mkOption { type = port; description = "Port to listen to"; };
              };
            });
          };
          ympd = mkOption {
            description = "Ympd configuration";
            type = submodule {
              options = {
                listenPort = mkOption { type = port; description = "Port to listen to"; };
                mpd = mkOption {
                  description = "MPD configuration";
                  type = submodule {
                    options = {
                      password = mkOption { type = str; description = "Password to access MPD host"; };
                      host = mkOption { type = str; description = "Host for MPD"; };
                      port = mkOption { type = port; description = "Port to access MPD host"; };
                    };
                  };
                };
              };
            };
          };
          umami = mkOption {
            description = "Umami configuration";
            type = submodule {
              options = {
                listenPort = mkOption { type = port; description = "Port to listen to"; };
                postgresql = mkPsqlOptions "Umami";
                hashSalt = mkOption { type = str; description = "Hash salt"; };
              };
            };
          };
          yourls = mkOption {
            description = "Yourls configuration";
            type = submodule {
              options = {
                mysql = mkMysqlOptions "Yourls" {};
                ldap = mkLdapOptions "Yourls" {};
                cookieKey = mkOption { type = str; description = "Cookie key"; };
              };
            };
          };
        };
      };
    };
    serverSpecific = mkOption { type = attrsOf unspecified; description = "Server specific configuration"; };
    websites = mkOption {
      description = "Websites configurations";
      type = submodule {
        options = {
          immae = mkOption {
            description = "Immae configuration by environment";
            type = submodule {
              options = {
                temp = mkOption {
                  description = "Temp configuration";
                  type = submodule {
                    options = {
                      ldap = mkLdapOptions "Immae temp" {
                        filter = mkOption { type = str; description = "Filter for user access"; };
                      };
                    };
                  };
                };
              };
            };
          };
          isabelle = mkOption {
            description = "Isabelle configurations by environment";
            type =
              let
                atenSubmodule = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      environment = mkOption { type = str; description = "Symfony environment"; };
                      secret = mkOption { type = str; description = "Symfony App secret"; };
                      postgresql = mkPsqlOptions "Aten";
                    };
                  };
                };
              in
                submodule {
                  options = {
                    aten_production = atenSubmodule;
                    aten_integration = atenSubmodule;
                    iridologie = mkOption {
                      description = "environment configuration";
                      type = submodule {
                        options = {
                          environment = mkOption { type = str; description = "SPIP environment"; };
                          mysql = mkMysqlOptions "Iridologie" {};
                          ldap = mkLdapOptions "Iridologie" {};
                        };
                      };
                    };
                  };
                };
          };
          chloe = mkOption {
            description = "Chloe configurations by environment";
            type =
              let
                chloeSubmodule = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      environment = mkOption { type = str; description = "SPIP environment"; };
                      mysql = mkMysqlOptions "Chloe" {};
                      ldap = mkLdapOptions "Chloe" {};
                    };
                  };
                };
              in
                submodule {
                  options = {
                    production = chloeSubmodule;
                    integration = chloeSubmodule;
                  };
                };
          };
          connexionswing = mkOption {
            description = "Connexionswing configurations by environment";
            type =
              let
                csSubmodule = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      environment = mkOption { type = str; description = "Symfony environment"; };
                      mysql = mkMysqlOptions "Connexionswing" {};
                      secret = mkOption { type = str; description = "Symfony App secret"; };
                      email = mkOption { type = str; description = "Symfony email notification"; };
                    };
                  };
                };
              in
                submodule {
                  options = {
                    production = csSubmodule;
                    integration = csSubmodule;
                  };
                };
          };
          jerome = mkOption {
            description = "Naturaloutil configuration";
            type = submodule {
              options = {
                mysql = mkMysqlOptions "Naturaloutil" {};
                server_admin = mkOption { type = str; description = "Server admin e-mail"; };
              };
            };
          };
          telio_tortay = mkOption {
            description = "Telio Tortay configuration";
            type = submodule {
              options = {
                server_admin = mkOption { type = str; description = "Server admin e-mail"; };
              };
            };
          };
          ludivine = mkOption {
            description = "Ludivinecassal configurations by environment";
            type =
              let
                lcSubmodule = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      environment = mkOption { type = str; description = "Symfony environment"; };
                      mysql = mkMysqlOptions "LudivineCassal" {};
                      ldap = mkLdapOptions "LudivineCassal" {};
                      secret = mkOption { type = str; description = "Symfony App secret"; };
                    };
                  };
                };
              in
                submodule {
                  options = {
                    production = lcSubmodule;
                    integration = lcSubmodule;
                  };
                };
          };
          emilia = mkOption {
            description = "Emilia configuration";
            type = submodule {
              options = {
                postgresql = mkPsqlOptions "Emilia";
              };
            };
          };
          florian = mkOption {
            description = "Florian configuration";
            type = submodule {
              options = {
                server_admin = mkOption { type = str; description = "Server admin e-mail"; };
              };
            };
          };
          nassime = mkOption {
            description = "Nassime configuration";
            type = submodule {
              options = {
                server_admin = mkOption { type = str; description = "Server admin e-mail"; };
              };
            };
          };
          piedsjaloux = mkOption {
            description = "Piedsjaloux configurations by environment";
            type =
              let
                pjSubmodule = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      environment = mkOption { type = str; description = "Symfony environment"; };
                      mysql = mkMysqlOptions "Piedsjaloux" {};
                      secret = mkOption { type = str; description = "Symfony App secret"; };
                    };
                  };
                };
              in
                submodule {
                  options = {
                    production = pjSubmodule;
                    integration = pjSubmodule;
                  };
                };
          };
          richie = mkOption {
            description = "Europe Richie configurations by environment";
            type = submodule {
              options = {
                mysql = mkMysqlOptions "Richie" {};
                smtp_mailer = mkOption {
                  description = "SMTP mailer configuration";
                  type = submodule {
                    options = {
                      user = mkOption { type = str; description = "Username"; };
                      password = mkOption { type = str; description = "Password"; };
                    };
                  };
                };
              };
            };
          };
          caldance = mkOption {
            description = "Caldance configurations by environment";
            type = submodule {
              options = {
                integration = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      password = mkOption { type = str; description = "Password file content for basic auth"; };
                    };
                  };
                };
              };
            };
          };
          tellesflorian = mkOption {
            description = "Tellesflorian configurations by environment";
            type =
              let
                tfSubmodule = mkOption {
                  description = "environment configuration";
                  type = submodule {
                    options = {
                      environment = mkOption { type = str; description = "Symfony environment"; };
                      mysql = mkMysqlOptions "Tellesflorian" {};
                      secret = mkOption { type = str; description = "Symfony App secret"; };
                      invite_passwords = mkOption { type = str; description = "Password basic auth"; };
                    };
                  };
                };
              in
                submodule {
                  options = {
                    integration = tfSubmodule;
                  };
                };
          };
        };
      };
    };

    privateFiles = mkOption {
      type = path;
      description = ''
        Path to secret files to make available during build
        '';
    };
  };
  options.hostEnv = mkOption {
    readOnly = true;
    type = hostEnv;
    default = config.myEnv.servers."${name}";
    description = "Host environment";
  };
}