{ lib, pkgs, config, ... }:
let
  # Static document roots referenced throughout the Apache config below. Both
  # names are populated by services.websites.webappDirs at the end of this
  # module (_www = ./_www, _theme = the apache-theme package); presumably the
  # websites module links them under /run/current-system so the paths stay
  # stable across rebuilds — confirm against that module.
  www_root = "/run/current-system/webapps/_www";
  theme_root = "/run/current-system/webapps/_theme";
  # Apache fragments shared by every httpd environment defined below. Each
  # attribute may carry `modules` (mod_* names to load) and/or `extraConfig`
  # (raw directives); makeModules / makeExtraConfig collect them in
  # attribute-name order.
  apacheConfig = {
    cache = {
      # Lets time-based caching work for files served out of the nix store,
      # whose mtime is always epoch+1:
      # if a client sends an If-Modified-Since equal to timestamp 1, that
      # header is dropped, and a Last-Modified older than 1999-12-31 is
      # dropped from the response as well.
      extraConfig = ''
        <If "%{HTTP:If-Modified-Since} =~ /01 Jan 1970 00:00:01/" >
          RequestHeader unset If-Modified-Since
        </If>
        Header unset Last-Modified "expr=%{LAST_MODIFIED} < 19991231235959"
      '';
    };
    # Compress text responses.
    # NOTE(review): compressing dynamic pages that mix a secret (CSRF token,
    # session id) with attacker-reflected input is the precondition for
    # BREACH-style attacks; harmless for static content, worth confirming per
    # dynamic application.
    gzip = {
      modules = [ "deflate" "filter" ];
      extraConfig = ''
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
      '';
    };
    # mod_macro is required by the Stats macro below and by the LDAPConnect
    # macro defined in the apache-ldap secret.
    macros = {
      modules = [ "macro" ];
    };
    # `Use Stats <domain>` exposes that domain's webstats output under
    # /webstats. The <Directory> grants everyone, but Apache merges <Location>
    # sections after <Directory> ones, so the ldap-group Require inside
    # <Location /webstats> is what actually gates access — keep the
    # authorization in the Location, not the Directory.
    stats = {
      extraConfig = ''
        <Macro Stats %{domain}>
          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
          <Directory ${config.services.webstats.dataDir}/%{domain}>
            DirectoryIndex index.html
            AllowOverride None
            Require all granted
          </Directory>
          <Location /webstats>
            Use LDAPConnect
            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
          </Location>
        </Macro>
      '';
    };
    # mod_ldap / mod_authnz_ldap with shared caches. Per mod_ldap, search/bind
    # results stay valid for LDAPCacheTTL seconds and compare (group) results
    # for LDAPOpCacheTTL seconds, so a revoked password or group membership
    # can keep working for up to 10 minutes. The bind DN and password are
    # pulled from /var/secrets/apache-ldap (deployed by secrets.keys below)
    # instead of being written into this file, which would land them in the
    # world-readable nix store.
    ldap = {
      modules = [ "ldap" "authnz_ldap" ];
      extraConfig = ''
        <IfModule ldap_module>
          LDAPSharedCacheSize 500000
          LDAPCacheEntries 1024
          LDAPCacheTTL 600
          LDAPOpCacheEntries 1024
          LDAPOpCacheTTL 600
        </IfModule>

        Include /var/secrets/apache-ldap
      '';
    };
    # Applied to every vhost: a static maintenance page for 5xx errors, kept
    # out of any ProxyPass so it is still served when a backend is down; the
    # Google site-verification file reachable under any path prefix; and
    # read access to www_root itself (no .htaccess processing).
    global = {
      extraConfig = ''
        ErrorDocument 500 /maintenance_immae.html
        ErrorDocument 501 /maintenance_immae.html
        ErrorDocument 502 /maintenance_immae.html
        ErrorDocument 503 /maintenance_immae.html
        ErrorDocument 504 /maintenance_immae.html
        Alias /maintenance_immae.html ${www_root}/maintenance_immae.html
        ProxyPass /maintenance_immae.html !

        AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html
        <Directory ${www_root}>
          AllowOverride None
          Require all granted
        </Directory>
      '';
    };
    # Directory-listing theme shipped by pkgs.webapps.apache-theme, rooted at
    # theme_root.
    apaxy = {
      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
    };
    # Offer HTTP/2 with HTTP/1.1 fallback.
    http2 = {
      modules = [ "http2" ];
      extraConfig = ''
        Protocols h2 http/1.1
      '';
    };
    # Access-log format prefixed with the client-supplied Host header so one
    # log can be attributed per vhost. mod_log_config escapes non-printable
    # characters in logged header values by default, which is what keeps a
    # hostile Host/Referer/User-Agent from injecting log lines.
    customLog = {
      extraConfig = ''
        LogFormat "%{Host}i:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
      '';
    };
  };
  # Every Apache module requested by any fragment of apacheConfig, collected
  # in attribute-name order; no deduplication is done here.
  makeModules = lib.concatMap (fragment: fragment.modules or []) (lib.attrValues apacheConfig);
  # The `extraConfig` snippet of every fragment that defines one, in
  # attribute-name order; fragments without one are skipped.
  makeExtraConfig =
    let snippets = map (fragment: fragment.extraConfig or null) (lib.attrValues apacheConfig);
    in lib.filter (snippet: snippet != null) snippets;
  # Easter egg for the integration environment: every line of ./moomin.txt is
  # emitted as an `X-Moomin-NN` response header, NN being the zero-based line
  # index padded to two digits (indices of 100 or more are left unpadded).
  # NOTE(review): each line is spliced verbatim into a double-quoted Apache
  # argument, so a `"` in moomin.txt would break the directive; the file is
  # repo-controlled, so this is a robustness note rather than a vulnerability.
  moomin =
    let
      zeroPad = width: s:
        let missing = width - builtins.stringLength s;
        in (if missing > 0 then lib.concatStrings (lib.genList (_: "0") missing) else "") + s;
      headerFor = index: line:
        ''Header always set "X-Moomin-${zeroPad 2 (toString index)}" "${line}"'';
    in lib.imap0 headerFor (lib.splitString "\n" (lib.fileContents ./moomin.txt));
in
{
  # Master switch for the whole web stack on this host (httpd instances,
  # php-fpm, secrets and every per-customer site listed below).
  options.myServices.websites.enable = lib.mkEnableOption "enable websites";

  config = lib.mkIf config.myServices.websites.enable {
    # Back up all PHP state to both remotes. Note this includes
    # /var/lib/php/sessions (created below), so live session ids end up in
    # the off-site backups.
    services.duplyBackup.profiles.php = {
      rootDir = "/var/lib/php";
      remotes = [ "eriomem" "ovh" ];
    };
    # Presumably the group the secrets module uses for deployed keys, giving
    # the web user read access to them — confirm against that module.
    users.users.wwwrun.extraGroups = [ "keys" ];
    # Only HTTP and HTTPS are exposed; nothing else in this module opens a port.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # LDAPConnect macro, deployed to /var/secrets/apache-ldap and pulled in by
    # the `Include` in apacheConfig.ldap. It is a runtime secret because it
    # carries the bind password of the httpd service account.
    # - STARTTLS upgrades the port-389 connection before the bind; mod_ldap
    #   verifies the server certificate unless LDAPVerifyServerCert is turned
    #   off elsewhere.
    # - AuthType Basic sends user credentials base64-encoded on every request,
    #   so `Use LDAPConnect` belongs only on TLS vhosts — never under the
    #   nossl vhost of the tools environment.
    # NOTE(review): the file is wwwrun-owned with mode 0400, so every worker
    # process — and, since the session directory below is chowned to wwwrun,
    # apparently every PHP application as well — can read the bind password
    # after a code-execution bug. httpd parses its config as root before
    # dropping privileges, so root:root 0400 would likely suffice; confirm the
    # secrets module and filesWatcher do not need wwwrun read access first.
    # NOTE(review): `text` interpolates config.myEnv.httpd.ldap.password at
    # evaluation time; verify the secrets module keeps that text out of the
    # world-readable nix store.
    secrets.keys = [{
      dest = "apache-ldap";
      user = "wwwrun";
      group = "wwwrun";
      permissions = "0400";
      text = ''
        <Macro LDAPConnect>
          <IfModule authnz_ldap_module>
            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
            AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"
            AuthType             Basic
            AuthName             "Authentification requise (Acces LDAP)"
            AuthBasicProvider    ldap
          </IfModule>
        </Macro>
        '';
    }];

    # Runtime directories created at activation: the ACME http-01 webroot
    # (world-readable; root-owned since no owner is given) and the PHP session
    # store, restricted to wwwrun so session files are not readable by other
    # local users.
    system.activationScripts = {
      httpd = ''
        install -d -m 0755 /var/lib/acme/acme-challenges
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        '';
    };

    # PHP settings shared by every php-fpm pool. Sessions live on disk for 15
    # days before garbage collection and cached pages expire after 30 days;
    # such long-lived sessions widen the window in which a stolen session id
    # stays usable.
    # NOTE(review): session.cookie_httponly, session.use_strict_mode and
    # session.cookie_secure are not set here — confirm each pool or app sets
    # them (cookie_secure as a global default would clash with anything served
    # through the nossl vhost).
    services.phpfpm = {
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        post_max_size = 20M
        ; 15 days (seconds)
        session.gc_maxlifetime = 1296000
        ; 30 days (minutes)
        session.cache_expire = 43200
        '';
      settings = {
        log_level = "notice";
      };
    };

    # Presumably reloads/restarts each httpd instance when the LDAP secret is
    # rewritten (what filesWatcher does with a watched path is not visible
    # here — confirm), so a rotated bind password takes effect without a
    # manual restart.
    services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ];
    services.filesWatcher.httpdInte.paths = [ "/var/secrets/apache-ldap" ];
    services.filesWatcher.httpdTools.paths = [ "/var/secrets/apache-ldap" ];

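    # The three httpd instances (Prod / Inte / Tools) share their module list,
    # the common Apache fragments, the admin address and the catch-all vhost;
    # only their listen addresses and a few extra directives differ, so the
    # shared pieces are defined once here instead of three times.
    services.websites.env =
      let
        adminAddr = "httpd@immae.eu";

        # Catch-all vhost for requests whose Host header matches no site:
        # serves the static www_root as eldiron.immae.eu under the "eldiron"
        # certificate. Identical for all three environments.
        fallbackVhost = {
          certName    = "eldiron";
          hosts       = ["eldiron.immae.eu" ];
          root        = www_root;
          extraConfig = [ "DirectoryIndex index.htm" ];
        };

        # An environment listens on its IPv4 address plus any IPv6 addresses
        # declared for it (ip6 is optional in myEnv).
        listenIps = ips: [ips.ip4] ++ (ips.ip6 or []);
      in {
        production = {
          enable = true;
          inherit adminAddr fallbackVhost;
          httpdName = "Prod";
          ips = listenIps config.myEnv.servers.eldiron.ips.production;
          modules = makeModules;
          extraConfig = makeExtraConfig;
        };

        integration = {
          enable = true;
          inherit adminAddr fallbackVhost;
          httpdName = "Inte";
          ips = listenIps config.myEnv.servers.eldiron.ips.integration;
          modules = makeModules;
          # Integration additionally emits the X-Moomin-* headers.
          extraConfig = makeExtraConfig ++ moomin;
        };

        tools = {
          enable = true;
          inherit adminAddr fallbackVhost;
          httpdName = "Tools";
          ips = listenIps config.myEnv.servers.eldiron.ips.main;
          modules = makeModules;
          # Legacy short URLs redirected to their canonical pages on
          # www.immae.eu. Every pattern is anchored and maps to a fixed target,
          # so there is no client-controlled redirect destination.
          extraConfig = makeExtraConfig ++
            [ ''
                RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
                RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
                RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
                RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
                RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
                RedirectMatch ^/CGU$ https://www.immae.eu/CGU
              ''
              ];
          # Plain-HTTP vhost. Nothing protected by the LDAPConnect macro
          # (HTTP Basic auth) may be exposed under this host, or user
          # credentials would travel in the clear.
          nosslVhost = {
            enable = true;
            host = "nossl.immae.eu";
          };
        };
      };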

    # Static trees exposed by the websites module under
    # /run/current-system/webapps/<name>; these back www_root and theme_root
    # at the top of this file.
    services.websites.webappDirs = {
      _www = ./_www;
      _theme = pkgs.webapps.apache-theme.theme;
    };
    # Per-customer and per-tool site modules enabled on this host. Each
    # `<customer>.<site>.enable` option is declared in its own module
    # (presumably the sibling files of this directory — their definitions are
    # not visible here); this list only switches them on.
    myServices.websites = {
      capitaines.landing_pages.enable = true;

      chloe = {
        integration.enable = true;
        production.enable = true;
      };

      cip-ca = {
        sympa.enable = true;
      };

      connexionswing = {
        integration.enable = true;
        production.enable = true;
      };

      denise = {
        evariste.enable = true;
        denisejerome.enable = true;
        oms.enable = true;
        aventuriers.enable = true;
        production.enable = true;
      };

      emilia.moodle.enable = true;

      florian = {
        app.enable = true;
        integration.enable = true;
        production.enable = true;
      };

      immae = {
        production.enable = true;
        release.enable = true;
        temp.enable = true;
      };

      isabelle = {
        aten_integration.enable = true;
        aten_production.enable = true;
        iridologie.enable = true;
      };

      jerome.naturaloutil.enable = true;

      leila.production.enable = true;

      ludivine = {
        integration.enable = true;
        production.enable = true;
      };

      nassime.production.enable = true;

      nathanael.villon.enable = true;

      papa = {
        surveillance.enable = true;
        maison_bbc.enable = true;
      };

      patrick_fodella.production.enable = true;

      piedsjaloux = {
        integration.enable = true;
        production.enable = true;
      };

      richie.production.enable = true;

      syden.peertube.enable = true;

      telio_tortay.production.enable = true;

      tools.assets.enable = true;
      tools.cloud.enable = true;
      tools.commento.enable = true;
      tools.dav.enable = true;
      tools.db.enable = true;
      tools.diaspora.enable = true;
      tools.etherpad-lite.enable = true;
      tools.git.enable = true;
      tools.mastodon.enable = true;
      tools.mediagoblin.enable = true;
      tools.peertube.enable = true;
      tools.performance.enable = true;
      tools.tools.enable = true;
      tools.email.enable = true;

      games.codenames.enable = true;
    };
  };
}