aboutsummaryrefslogblamecommitdiff
path: root/modules/private/websites/default.nix
blob: 5c0e65540e639039e4f8eed3ac7a2277a2966ea3 (plain) (tree)
1
                           
























































                                                                                                                   
                                                                                                          





                                                                                                                              
 









                                                             

    
                                                       
                                         

                               

































                                                                                                          
                                                                      









                                                                        
                                                       


















                                                                    



                                                                            
                                        



                                   
                                                              










                                                     
                                         



                                   
                                                               










                                                     
                                   



                                   
                                                        


































                                                                                                                                                            


                                              

                                          
 

                                      
 

                                               
 
                                            
 
                                      
                                             
 


                                        
 


                                     
 
                                     
 

                                               
 
                                       
 
                                        
                                            
                                           
 
                                      
                                    
 

                                            
 









                                        
                                

      
 
{ lib, pkgs, config, ... }:
let
  www_root = "/run/current-system/webapps/_www";
  theme_root = "/run/current-system/webapps/_theme";
  apacheConfig = {
    gzip = {
      modules = [ "deflate" "filter" ];
      extraConfig = ''
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
      '';
    };
    macros = {
      modules = [ "macro" ];
    };
    stats = {
      extraConfig = ''
        <Macro Stats %{domain}>
          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
          <Directory ${config.services.webstats.dataDir}/%{domain}>
            DirectoryIndex index.html
            AllowOverride None
            Require all granted
          </Directory>
          <Location /webstats>
            Use LDAPConnect
            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
          </Location>
        </Macro>
      '';
    };
    ldap = {
      modules = [ "ldap" "authnz_ldap" ];
      extraConfig = ''
        <IfModule ldap_module>
          LDAPSharedCacheSize 500000
          LDAPCacheEntries 1024
          LDAPCacheTTL 600
          LDAPOpCacheEntries 1024
          LDAPOpCacheTTL 600
        </IfModule>

        Include /var/secrets/apache-ldap
      '';
    };
    global = {
      extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
    };
    apaxy = {
      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
    };
    http2 = {
      modules = [ "http2" ];
      extraConfig = ''
        Protocols h2 http/1.1
      '';
    };
    customLog = {
      extraConfig = ''
        LogFormat "%{Host}i:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
      '';
    };
  };
  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
in
{
  options.myServices.websites = {
    enable = lib.mkEnableOption "enable websites";

    webappDirs = lib.mkOption {
      type = lib.types.attrsOf lib.types.path;
      description = ''
        Webapp paths to create in /run/current-system/webapps
        '';
      default = {};
    };
  };

  config = lib.mkIf config.myServices.websites.enable {
    services.duplyBackup.profiles.php = {
      rootDir = "/var/lib/php";
    };
    users.users.wwwrun.extraGroups = [ "keys" ];
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    nixpkgs.overlays = [ (self: super: rec {
      #openssl = self.openssl_1_1;
      php = php72;
      php72 = (super.php72.override {
        mysql.connector-c = self.mariadb;
        config.php.mysqlnd = false;
        config.php.mysqli = false;
      }).overrideAttrs(old: rec {
        # Didn't manage to build with mysqli + mysql_config connector
        configureFlags = old.configureFlags ++ [
          "--with-mysqli=shared,mysqlnd"
          ];
        # preConfigure = (old.preConfigure or "") + ''
        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
        #   '';
      });
      phpPackages = super.php72Packages.override { inherit php; };
    }) ];

    secrets.keys = [{
      dest = "apache-ldap";
      user = "wwwrun";
      group = "wwwrun";
      permissions = "0400";
      text = ''
        <Macro LDAPConnect>
          <IfModule authnz_ldap_module>
            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
            AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"
            AuthType             Basic
            AuthName             "Authentification requise (Acces LDAP)"
            AuthBasicProvider    ldap
          </IfModule>
        </Macro>
        '';
    }];

    system.activationScripts = {
      httpd = ''
        install -d -m 0755 /var/lib/acme/acme-challenge
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        '';
    };

    services.phpfpm = {
      phpPackage = pkgs.php;
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        post_max_size = 20M
        ; 15 days (seconds)
        session.gc_maxlifetime = 1296000
        ; 30 days (minutes)
        session.cache_expire = 43200
        '';
      extraConfig = ''
        log_level = notice
        '';
    };

    services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ];
    services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ];
    services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ];

    services.websites.env.production = {
      enable = true;
      adminAddr = "httpd@immae.eu";
      httpdName = "Prod";
      ips =
        let ips = config.myEnv.servers.eldiron.ips.production;
        in [ips.ip4] ++ (ips.ip6 or []);
      modules = makeModules;
      extraConfig = makeExtraConfig;
      fallbackVhost = {
        certName    = "eldiron";
        hosts       = ["eldiron.immae.eu" ];
        root        = www_root;
        extraConfig = [ "DirectoryIndex index.htm" ];
      };
    };

    services.websites.env.integration = {
      enable = true;
      adminAddr = "httpd@immae.eu";
      httpdName = "Inte";
      ips =
        let ips = config.myEnv.servers.eldiron.ips.integration;
        in [ips.ip4] ++ (ips.ip6 or []);
      modules = makeModules;
      extraConfig = makeExtraConfig;
      fallbackVhost = {
        certName    = "eldiron";
        hosts       = ["eldiron.immae.eu" ];
        root        = www_root;
        extraConfig = [ "DirectoryIndex index.htm" ];
      };
    };

    services.websites.env.tools = {
      enable = true;
      adminAddr = "httpd@immae.eu";
      httpdName = "Tools";
      ips =
        let ips = config.myEnv.servers.eldiron.ips.main;
        in [ips.ip4] ++ (ips.ip6 or []);
      modules = makeModules;
      extraConfig = makeExtraConfig ++
        [ ''
            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
          ''
          ];
      nosslVhost = {
        enable = true;
        host = "nossl.immae.eu";
      };
      fallbackVhost = {
        certName    = "eldiron";
        hosts       = ["eldiron.immae.eu" ];
        root        = www_root;
        extraConfig = [ "DirectoryIndex index.htm" ];
      };
    };

    system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues config.myServices.websites.webappDirs) > 0) ''
    mkdir -p $out/webapps
    ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (name: path: "ln -s ${path} $out/webapps/${name}") config.myServices.websites.webappDirs)}
    '';

    myServices.websites = {
      webappDirs = {
        _www = pkgs.webapps.apache-default.www;
        _theme = pkgs.webapps.apache-theme.theme;
      };

      isabelle.aten_integration.enable = true;
      isabelle.aten_production.enable = true;
      isabelle.iridologie.enable = true;

      capitaines.production.enable = true;

      chloe.integration.enable = true;
      chloe.production.enable = true;

      connexionswing.integration.enable = true;
      connexionswing.production.enable = true;

      denisejerome.production.enable = true;

      emilia.production.enable = true;
      emilia.richie_production.enable = true;

      florian.app.enable = true;
      florian.integration.enable = true;
      florian.production.enable = true;

      immae.production.enable = true;
      immae.release.enable = true;
      immae.temp.enable = true;

      leila.production.enable = true;

      ludivinecassal.integration.enable = true;
      ludivinecassal.production.enable = true;

      nassime.production.enable = true;

      evariste.production.enable = true;
      naturaloutil.production.enable = true;
      telioTortay.production.enable = true;

      papa.surveillance.enable = true;
      papa.maison_bbc.enable = true;

      piedsjaloux.integration.enable = true;
      piedsjaloux.production.enable = true;

      tools.cloud.enable = true;
      tools.dav.enable = true;
      tools.db.enable = true;
      tools.diaspora.enable = true;
      tools.etherpad-lite.enable = true;
      tools.git.enable = true;
      tools.mastodon.enable = true;
      tools.mediagoblin.enable = true;
      tools.peertube.enable = true;
      tools.tools.enable = true;
      tools.email.enable = true;
    };
  };
}