path: root/nixops/modules/websites/default.nix
blob: 1948fe9c4e255d3e92d1f15533e8df9b2061c29b (plain) (tree)
# NixOS module for the websites role: assembles shared Apache (httpd)
# configuration fragments, enables the per-tool submodules imported below,
# deploys the LDAP bind credentials as a secret file, and declares three
# httpd instances (production, integration, tools).
{ lib, pkgs, config,  myconfig, ... }:
let
  # Bound for convenience; not referenced elsewhere in this file.
  cfg = config.services.myWebsites;
  # Document roots are symlinks created in system.extraSystemBuilderCmds
  # below, so they always point at the current system's webapps.
  www_root = "/run/current-system/webapps/_www";
  theme_root = "/run/current-system/webapps/_theme";
  # Named httpd fragments. Each entry may carry `modules` (httpd modules to
  # load) and/or `extraConfig` (raw httpd directives); makeModules and
  # makeExtraConfig flatten them into the lists handed to every instance.
  apacheConfig = {
    # NOTE(review): DEFLATE is applied to all text/* and JS responses.
    # Compressing HTTPS responses that mix secrets with request-controlled
    # content is the BREACH class of weakness — confirm the authenticated
    # apps served here do not fall into that pattern.
    gzip = {
      modules = [ "deflate" "filter" ];
      extraConfig = ''
        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
      '';
    };
    macros = {
      modules = [ "macro" ];
    };
    # `Use Stats <domain>` exposes /webstats for one domain, restricted to the
    # matching LDAP group via the LDAPConnect macro (defined in the secret
    # file deployed under secrets.keys below).
    stats = {
      extraConfig = ''
        <Macro Stats %{domain}>
          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
          <Directory ${config.services.webstats.dataDir}/%{domain}>
            DirectoryIndex index.html
            AllowOverride None
            Require all granted
          </Directory>
          <Location /webstats>
            Use LDAPConnect
            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
          </Location>
        </Macro>
      '';
    };
    # LDAP cache tuning plus the include of the credential file; the file
    # itself is produced by the `apache-ldap` entry in secrets.keys (the
    # /var/secrets prefix is assumed to be that module's deploy directory —
    # verify).
    ldap = {
      modules = [ "ldap" "authnz_ldap" ];
      extraConfig = ''
        <IfModule ldap_module>
          LDAPSharedCacheSize 500000
          LDAPCacheEntries 1024
          LDAPCacheTTL 600
          LDAPOpCacheEntries 1024
          LDAPOpCacheTTL 600
        </IfModule>

        Include /var/secrets/apache-ldap
      '';
    };
    # Site-wide defaults and directory-listing theme come from packaged
    # webapps, parameterized on the symlinked roots above.
    global = {
      extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
    };
    apaxy = {
      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
    };
    http2 = {
      modules = [ "http2" ];
      extraConfig = ''
        Protocols h2 http/1.1
      '';
    };
    # Combined log format prefixed with vhost:port so one log can serve
    # several vhosts.
    customLog = {
      extraConfig = ''
        LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
      '';
    };
  };
  # Flat list of every module requested by any fragment (duplicates kept).
  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
  # List of every fragment's extraConfig, skipping fragments without one.
  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
in
{
  # Per-application submodules; each is switched on under
  # services.myWebsites.tools.* in `config` below.
  imports = [
    ./tools/db.nix
    ./tools/tools
    ./tools/dav
    ./tools/cloud.nix
    ./tools/git
    ./tools/mastodon.nix
    ./tools/mediagoblin.nix
    ./tools/diaspora.nix
    ./tools/ether.nix
    ./tools/peertube.nix
  ];

  config = {
    # "keys" group membership — presumably needed to read deployed secret
    # files; confirm against the secrets module.
    users.users.wwwrun.extraGroups = [ "keys" ];
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # PHP 7.2 built against MariaDB's connector with mysqli as a shared
    # extension on mysqlnd; `php` and `phpPackages` are pointed at it so
    # every consumer in this overlay's scope gets the same build.
    nixpkgs.overlays = [ (self: super: rec {
      #openssl = self.openssl_1_1;
      php = php72;
      php72 = (super.php72.override {
        mysql.connector-c = self.mariadb;
        config.php.mysqlnd = false;
        config.php.mysqli = false;
      }).overrideAttrs(old: rec {
        # Didn't manage to build with mysqli + mysql_config connector
        configureFlags = old.configureFlags ++ [
          "--with-mysqli=shared,mysqlnd"
          ];
        # preConfigure = (old.preConfigure or "") + ''
        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
        #   '';
      });
      phpPackages = super.php72Packages.override { inherit php; };
    }) ];

    services.myWebsites.tools.databases.enable = true;
    services.myWebsites.tools.tools.enable = true;
    services.myWebsites.tools.dav.enable = true;
    services.myWebsites.tools.cloud.enable = true;
    services.myWebsites.tools.git.enable = true;
    services.myWebsites.tools.mastodon.enable = true;
    services.myWebsites.tools.mediagoblin.enable = true;
    services.myWebsites.tools.diaspora.enable = true;
    services.myWebsites.tools.etherpad-lite.enable = true;
    services.myWebsites.tools.peertube.enable = true;

    # LDAPConnect macro carrying the bind credentials, deployed as a file
    # readable only by wwwrun (0400) and pulled in by the `ldap` fragment.
    # NOTE(review): the password is interpolated into a Nix string at
    # evaluation time; whether it also ends up in the world-readable Nix
    # store depends on how the secrets.keys module materializes `text` —
    # verify that it is written out-of-store. STARTTLS is requested on the
    # LDAP URL; server certificate checking relies on httpd's
    # LDAPVerifyServerCert default unless set elsewhere — confirm.
    secrets.keys = [{
      dest = "apache-ldap";
      user = "wwwrun";
      group = "wwwrun";
      permissions = "0400";
      text = ''
        <Macro LDAPConnect>
          <IfModule authnz_ldap_module>
            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
            AuthType             Basic
            AuthName             "Authentification requise (Acces LDAP)"
            AuthBasicProvider    ldap
          </IfModule>
        </Macro>
        '';
    }];

    # Runtime directories created on every activation: the ACME challenge
    # directory (world-readable) and per-app PHP session/tmp directories
    # owned by wwwrun and closed to others.
    system.activationScripts = {
      httpd = ''
        install -d -m 0755 ${config.security.acme.directory}/acme-challenge
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
        '';
    };

    # Populate $out/webapps in the system closure so www_root/theme_root and
    # the adminer web root resolve via /run/current-system.
    system.extraSystemBuilderCmds = let
      adminer = pkgs.callPackage ./commons/adminer.nix {};
    in ''
      mkdir -p $out/webapps
      ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www
      ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme
      ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
      '';

    # Shared php-fpm settings: sessions live in the directory created above;
    # the two lifetimes are in different units (seconds vs. minutes), as the
    # inline comments say.
    services.phpfpm = {
      phpPackage = pkgs.php;
      phpOptions = ''
        session.save_path = "/var/lib/php/sessions"
        post_max_size = 20M
        ; 15 days (seconds)
        session.gc_maxlifetime = 1296000
        ; 30 days (minutes)
        session.cache_expire = 43200
        '';
      extraConfig = ''
        log_level = notice
        '';
    };

    # Three httpd instances, each bound to a different IP set from myconfig
    # and sharing the module/extraConfig lists built above. Every instance
    # falls back to the same catch-all vhost serving www_root.
    services.websites.production = {
      enable = true;
      adminAddr = "httpd@immae.eu";
      httpdName = "Prod";
      # IPv6 addresses are optional in myconfig (`ips.ip6 or []`).
      ips =
        let ips = myconfig.env.servers.eldiron.ips.production;
        in [ips.ip4] ++ (ips.ip6 or []);
      modules = makeModules;
      extraConfig = makeExtraConfig;
      fallbackVhost = {
        certName    = "eldiron";
        hosts       = ["eldiron.immae.eu" ];
        root        = www_root;
        extraConfig = [ "DirectoryIndex index.htm" ];
      };
    };

    services.websites.integration = {
      enable = true;
      adminAddr = "httpd@immae.eu";
      httpdName = "Inte";
      ips =
        let ips = myconfig.env.servers.eldiron.ips.integration;
        in [ips.ip4] ++ (ips.ip6 or []);
      modules = makeModules;
      extraConfig = makeExtraConfig;
      fallbackVhost = {
        certName    = "eldiron";
        hosts       = ["eldiron.immae.eu" ];
        root        = www_root;
        extraConfig = [ "DirectoryIndex index.htm" ];
      };
    };

    services.websites.tools = {
      enable = true;
      adminAddr = "httpd@immae.eu";
      httpdName = "Tools";
      ips =
        let ips = myconfig.env.servers.eldiron.ips.main;
        in [ips.ip4] ++ (ips.ip6 or []);
      modules = makeModules;
      # Legacy short URLs redirected to their canonical pages on www.immae.eu,
      # appended after the shared fragments.
      extraConfig = makeExtraConfig ++
        [ ''
            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
          ''
          ];
      # Plain-HTTP host served by this instance only.
      nosslVhost = {
        enable = true;
        host = "nossl.immae.eu";
      };
      fallbackVhost = {
        certName    = "eldiron";
        hosts       = ["eldiron.immae.eu" ];
        root        = www_root;
        extraConfig = [ "DirectoryIndex index.htm" ];
      };
    };
  };
}