Move production php application to dedicated module

6 files changed, 255 insertions, 524 deletions

diff --git a/modules/private/websites/connexionswing/builder.nix b/modules/private/websites/connexionswing/builder.nix
deleted file mode 100644
index 004b979..0000000
--- a/modules/private/websites/connexionswing/builder.nix
+++ /dev/null
@@ -1,161 +0,0 @@
-{ apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, mylibs, config }:
-rec {
-  app = connexionswing.override { inherit (config) environment; };
-  keys = [{
-    dest = "webapps/${app.environment}-connexionswing";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      # This file is auto-generated during the composer install
-      parameters:
-          database_host: ${config.mysql.host}
-          database_port: ${config.mysql.port}
-          database_name: ${config.mysql.name}
-          database_user: ${config.mysql.user}
-          database_password: ${config.mysql.password}
-          database_server_version: ${pkgs.mariadb.mysqlVersion}
-          mailer_transport: sendmail
-          mailer_host: null
-          mailer_user: null
-          mailer_password: null
-          subscription_email: ${config.email}
-          allow_robots: true
-          secret: ${config.secret}
-      ${if app.environment == "prod" then ''
-      services:
-        swiftmailer.mailer.default.transport:
-            class:     Swift_SendmailTransport
-            arguments: ['/run/wrappers/bin/sendmail -bs']
-      '' else ""}
-    '';
-  }];
-  phpFpm = rec {
-    preStart = mylibs.phpFpmPreStart {
-      inherit app;
-      inherit (app) varDir;
-      keyFiles = [
-        "/var/secrets/webapps/${app.environment}-connexionswing"
-      ];
-      actions = [
-        "/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup"
-      ];
-    };
-    serviceDeps = [ "mysql.service" ];
-    socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock";
-    phpConfig = ''
-      extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
-      '';
-    pool = ''
-      user = ${apacheUser}
-      group = ${apacheGroup}
-      listen.owner = ${apacheUser}
-      listen.group = ${apacheGroup}
-      php_admin_value[upload_max_filesize] = 20M
-      php_admin_value[post_max_size] = 20M
-      ;php_admin_flag[log_errors] = on
-      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp"
-      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
-      ${if app.environment == "dev" then ''
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      env[SYMFONY_DEBUG_MODE] = "yes"
-      '' else ''
-      pm = dynamic
-      pm.max_children = 20
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      ''}'';
-  };
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "connexionswing_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    <FilesMatch "\.php$">
-      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-    </FilesMatch>
-
-    <Directory ${app.varDir}/medias>
-      Options FollowSymLinks
-      AllowOverride None
-      Require all granted
-    </Directory>
-
-    <Directory ${app.varDir}/uploads>
-      Options FollowSymLinks
-      AllowOverride None
-      Require all granted
-    </Directory>
-
-    ${if app.environment == "dev" then ''
-    <Location />
-      Use LDAPConnect
-      Require ldap-group   cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://connexionswing.com\"></html>"
-    </Location>
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride None
-      Require all granted
-
-      DirectoryIndex app_dev.php
-
-      <IfModule mod_negotiation.c>
-      Options -MultiViews
-      </IfModule>
-
-      <IfModule mod_rewrite.c>
-        RewriteEngine On
-
-        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
-        RewriteRule ^(.*) - [E=BASE:%1]
-
-        # Maintenance script
-        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
-        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
-        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
-        ErrorDocument 503 /maintenance.php
-
-        # Sets the HTTP_AUTHORIZATION header removed by Apache
-        RewriteCond %{HTTP:Authorization} .
-        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-
-        RewriteCond %{ENV:REDIRECT_STATUS} ^$
-        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
-
-        # If the requested filename exists, simply serve it.
-        # We only want to let Apache serve files and not directories.
-        RewriteCond %{REQUEST_FILENAME} -f
-        RewriteRule ^ - [L]
-
-        # Rewrite all other queries to the front controller.
-        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
-      </IfModule>
-
-    </Directory>
-    '' else ''
-    Use Stats connexionswing.com
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride All
-      Require all granted
-    </Directory>
-    ''}
-    '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
-      ${app.varDir}/medias \
-      ${app.varDir}/uploads \
-      ${app.varDir}/var
-    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-}
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index 07647da..1427c8d 100644
--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -1,42 +1,107 @@
 { lib, pkgs, config,  myconfig, ... }:
 let
-  connexionswing = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) connexionswing;
-    config = myconfig.env.websites.connexionswing.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
-  };
-
+  secrets = myconfig.env.websites.connexionswing.production;
+  app = pkgs.webapps.connexionswing.override { environment = secrets.environment; };
   cfg = config.myServices.websites.connexionswing.production;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = connexionswing.keys;
     services.webstats.sites = [ { name = "connexionswing.com"; } ];
-
-    systemd.services.phpfpm-connexionswing_prod.after = lib.mkAfter connexionswing.phpFpm.serviceDeps;
-    systemd.services.phpfpm-connexionswing_prod.wants = connexionswing.phpFpm.serviceDeps;
-    systemd.services.phpfpm-connexionswing_prod.preStart = lib.mkAfter connexionswing.phpFpm.preStart;
-    services.phpfpm.pools.connexionswing_prod = {
-      listen = connexionswing.phpFpm.socket;
-      extraConfig = connexionswing.phpFpm.pool;
-      phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig;
+    services.phpApplication.apps.connexionswing_prod = {
+      websiteEnv = "production";
+      httpdUser = config.services.httpd.Prod.user;
+      httpdGroup = config.services.httpd.Prod.group;
+      inherit (app) webRoot varDir;
+      varDirPaths = {
+        "medias" = "0700";
+        "uploads" = "0700";
+        "var" = "0700";
+      };
+      inherit app;
+      serviceDeps = [ "mysql.service" ];
+      preStartActions = [
+        "./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = dynamic
+        pm.max_children = 20
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+      '';
+      phpWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-connexionswing"
+      ];
     };
-    system.activationScripts.connexionswing_prod = connexionswing.activationScript;
-    myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot;
-    services.websites.env.production.modules = connexionswing.apache.modules;
-    services.websites.env.production.vhostConfs.connexionswing = {
+
+    secrets.keys = [
+      {
+        dest = "webapps/${app.environment}-connexionswing";
+        user = config.services.httpd.Prod.user;
+        group = config.services.httpd.Prod.group;
+        permissions = "0400";
+        text = ''
+          # This file is auto-generated during the composer install
+          parameters:
+              database_host: ${secrets.mysql.host}
+              database_port: ${secrets.mysql.port}
+              database_name: ${secrets.mysql.name}
+              database_user: ${secrets.mysql.user}
+              database_password: ${secrets.mysql.password}
+              database_server_version: ${pkgs.mariadb.mysqlVersion}
+              mailer_transport: sendmail
+              mailer_host: null
+              mailer_user: null
+              mailer_password: null
+              subscription_email: ${secrets.email}
+              allow_robots: true
+              secret: ${secrets.secret}
+          services:
+            swiftmailer.mailer.default.transport:
+                class:     Swift_SendmailTransport
+                arguments: ['/run/wrappers/bin/sendmail -bs']
+        '';
+      }
+    ];
+
+    services.websites.env.production.vhostConfs.connexionswing_prod = {
       certName     = "connexionswing";
       certMainHost = "connexionswing.com";
       hosts        = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
-      root         = connexionswing.apache.root;
-      extraConfig  = [ connexionswing.apache.vhostConf ];
-    };
-    services.filesWatcher.phpfpm-connexionswing_prod = {
-      restart = true;
-      paths = [ "/var/secrets/webapps/${connexionswing.app.environment}-connexionswing" ];
+      root         = pcfg.webappDirs.connexionswing_prod;
+      extraConfig  = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.connexionswing_prod}|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${app.varDir}/medias>
+          Options FollowSymLinks
+          AllowOverride None
+          Require all granted
+        </Directory>
+
+        <Directory ${app.varDir}/uploads>
+          Options FollowSymLinks
+          AllowOverride None
+          Require all granted
+        </Directory>
+
+        Use Stats connexionswing.com
+
+        <Directory ${pcfg.webappDirs.connexionswing_prod}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+        </Directory>
+        ''
+      ];
     };
   };
 }
-
diff --git a/modules/private/websites/ludivinecassal/builder.nix b/modules/private/websites/ludivinecassal/builder.nix
deleted file mode 100644
index e2a0f19..0000000
--- a/modules/private/websites/ludivinecassal/builder.nix
+++ /dev/null
@@ -1,153 +0,0 @@
-{ apacheUser, apacheGroup, config, ludivinecassal, mylibs, pkgs, ruby, sass, imagemagick }:
-rec {
-  app = ludivinecassal.override { inherit (config) environment; };
-  varDir = "/var/lib/ludivinecassal_${app.environment}";
-  keys = [{
-    dest = "webapps/${app.environment}-ludivinecassal";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      # This file is auto-generated during the composer install
-      parameters:
-          database_host: ${config.mysql.host}
-          database_port: ${config.mysql.port}
-          database_name: ${config.mysql.name}
-          database_user: ${config.mysql.user}
-          database_password: ${config.mysql.password}
-          database_server_version: ${pkgs.mariadb.mysqlVersion}
-          mailer_transport: smtp
-          mailer_host: 127.0.0.1
-          mailer_user: null
-          mailer_password: null
-          secret: ${config.secret}
-          ldap_host: ldap.immae.eu
-          ldap_port: 636
-          ldap_version: 3
-          ldap_ssl: true
-          ldap_tls: false
-          ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
-          ldap_base_dn: 'dc=immae,dc=eu'
-          ldap_search_dn: '${config.ldap.dn}'
-          ldap_search_password: '${config.ldap.password}'
-          ldap_search_filter: '${config.ldap.search}'
-      leapt_im:
-          binary_path: ${imagemagick}/bin
-      assetic:
-          sass: ${sass}/bin/sass
-          ruby: ${ruby}/bin/ruby
-    '';
-  }];
-  phpFpm = rec {
-    preStart = mylibs.phpFpmPreStart {
-      inherit app;
-      inherit (app) varDir;
-      keyFiles = [
-        "/var/secrets/webapps/${app.environment}-ludivinecassal"
-      ];
-      actions = [
-        "/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup"
-      ];
-    };
-    serviceDeps = [ "mysql.service" ];
-    socket = "/var/run/phpfpm/ludivinecassal-${app.environment}.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apacheUser}
-      group = ${apacheGroup}
-      listen.owner = ${apacheUser}
-      listen.group = ${apacheGroup}
-      php_admin_value[upload_max_filesize] = 20M
-      php_admin_value[post_max_size] = 20M
-      ;php_admin_flag[log_errors] = on
-      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-ludivinecassal:${app}:${app.varDir}:/tmp"
-      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
-      ${if app.environment == "dev" then ''
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      env[SYMFONY_DEBUG_MODE] = "yes"
-      '' else ''
-      pm = dynamic
-      pm.max_children = 20
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      ''}'';
-  };
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "ludivine_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    <FilesMatch "\.php$">
-      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-    </FilesMatch>
-
-    ${if app.environment == "dev" then ''
-    <Location />
-      Use LDAPConnect
-      Require ldap-group   cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
-    </Location>
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride None
-      Require all granted
-
-      DirectoryIndex app_dev.php
-
-      <IfModule mod_negotiation.c>
-      Options -MultiViews
-      </IfModule>
-
-      <IfModule mod_rewrite.c>
-        RewriteEngine On
-
-        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
-        RewriteRule ^(.*) - [E=BASE:%1]
-
-        # Maintenance script
-        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
-        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
-        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
-        ErrorDocument 503 /maintenance.php
-
-        # Sets the HTTP_AUTHORIZATION header removed by Apache
-        RewriteCond %{HTTP:Authorization} .
-        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-
-        RewriteCond %{ENV:REDIRECT_STATUS} ^$
-        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
-
-        # If the requested filename exists, simply serve it.
-        # We only want to let Apache serve files and not directories.
-        RewriteCond %{REQUEST_FILENAME} -f
-        RewriteRule ^ - [L]
-
-        # Rewrite all other queries to the front controller.
-        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
-      </IfModule>
-
-    </Directory>
-    '' else ''
-    Use Stats ludivinecassal.com
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride All
-      Require all granted
-    </Directory>
-    ''}
-    '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/tmp
-    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-}
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix
index 9d8407d..82f6899 100644
--- a/modules/private/websites/ludivinecassal/production.nix
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -1,37 +1,102 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-  ludivinecassal = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) ludivinecassal;
-    config = myconfig.env.websites.ludivinecassal.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
-  };
-
+  secrets = myconfig.env.websites.ludivinecassal.production;
+  app = pkgs.webapps.ludivinecassal.override { environment = secrets.environment; };
+  pcfg = config.services.phpApplication;
   cfg = config.myServices.websites.ludivinecassal.production;
 in {
   options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = ludivinecassal.keys;
     services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
+    services.phpApplication.apps.ludivinecassal_prod = {
+      websiteEnv = "production";
+      httpdUser = config.services.httpd.Prod.user;
+      httpdGroup = config.services.httpd.Prod.group;
+      inherit (app) webRoot varDir;
+      varDirPaths = {
+        "tmp" = "0700";
+      };
+      inherit app;
+      serviceDeps = [ "mysql.service" ];
+      preStartActions = [
+        "./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        pm = dynamic
+        pm.max_children = 20
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+      '';
+      phpWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal"
+      ];
+    };
+
+    secrets.keys = [
+      {
+        dest = "webapps/${app.environment}-ludivinecassal";
+        user = config.services.httpd.Prod.user;
+        group = config.services.httpd.Prod.group;
+        permissions = "0400";
+        text = ''
+          # This file is auto-generated during the composer install
+          parameters:
+              database_host: ${secrets.mysql.host}
+              database_port: ${secrets.mysql.port}
+              database_name: ${secrets.mysql.name}
+              database_user: ${secrets.mysql.user}
+              database_password: ${secrets.mysql.password}
+              database_server_version: ${pkgs.mariadb.mysqlVersion}
+              mailer_transport: smtp
+              mailer_host: 127.0.0.1
+              mailer_user: null
+              mailer_password: null
+              secret: ${secrets.secret}
+              ldap_host: ldap.immae.eu
+              ldap_port: 636
+              ldap_version: 3
+              ldap_ssl: true
+              ldap_tls: false
+              ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+              ldap_base_dn: 'dc=immae,dc=eu'
+              ldap_search_dn: '${secrets.ldap.dn}'
+              ldap_search_password: '${secrets.ldap.password}'
+              ldap_search_filter: '${secrets.ldap.search}'
+          leapt_im:
+              binary_path: ${pkgs.imagemagick}/bin
+          assetic:
+              sass: ${pkgs.sass}/bin/sass
+              ruby: ${pkgs.ruby}/bin/ruby
+        '';
+      }
+    ];
 
-    systemd.services.phpfpm-ludivinecassal_prod.after = lib.mkAfter ludivinecassal.phpFpm.serviceDeps;
-    systemd.services.phpfpm-ludivinecassal_prod.wants = ludivinecassal.phpFpm.serviceDeps;
-    systemd.services.phpfpm-ludivinecassal_prod.preStart = lib.mkAfter ludivinecassal.phpFpm.preStart;
-    services.phpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal.phpFpm.pool;
-    system.activationScripts.ludivinecassal_prod = ludivinecassal.activationScript;
-    myServices.websites.webappDirs."${ludivinecassal.apache.webappName}" = ludivinecassal.app.webRoot;
-    services.websites.env.production.modules = ludivinecassal.apache.modules;
-    services.websites.env.production.vhostConfs.ludivine = {
+    services.websites.env.production.vhostConfs.ludivinecassal_prod = {
       certName     = "ludivinecassal";
       certMainHost = "ludivinecassal.com";
       hosts        = ["ludivinecassal.com" "www.ludivinecassal.com" ];
-      root         = ludivinecassal.apache.root;
-      extraConfig  = [ ludivinecassal.apache.vhostConf ];
-    };
-    services.filesWatcher.phpfpm-ludivinecassal_prod = {
-      restart = true;
-      paths = [ "/var/secrets/webapps/${ludivinecassal.app.environment}-ludivinecassal" ];
+      root         = pcfg.webappDirs.ludivinecassal_prod;
+      extraConfig  = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.ludivinecassal_prod}|fcgi://localhost"
+        </FilesMatch>
+
+        Use Stats ludivinecassal.com
+
+        <Directory ${pcfg.webappDirs.ludivinecassal_prod}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+        </Directory>
+        ''
+      ];
     };
   };
 }
diff --git a/modules/private/websites/piedsjaloux/builder.nix b/modules/private/websites/piedsjaloux/builder.nix
deleted file mode 100644
index d9a78b3..0000000
--- a/modules/private/websites/piedsjaloux/builder.nix
+++ /dev/null
@@ -1,142 +0,0 @@
-{ apacheUser, apacheGroup, piedsjaloux, config, pkgs, lib, mylibs, texlive, imagemagick }:
-rec {
-  app = piedsjaloux.override { inherit (config) environment; };
-  varDir = "/var/lib/piedsjaloux_${app.environment}";
-  keys = [{
-    dest = "webapps/${app.environment}-piedsjaloux";
-    user = apacheUser;
-    group = apacheGroup;
-    permissions = "0400";
-    text = ''
-      # This file is auto-generated during the composer install
-      parameters:
-          database_host: ${config.mysql.host}
-          database_port: ${config.mysql.port}
-          database_name: ${config.mysql.name}
-          database_user: ${config.mysql.user}
-          database_password: ${config.mysql.password}
-          database_server_version: ${pkgs.mariadb.mysqlVersion}
-          mailer_transport: smtp
-          mailer_host: 127.0.0.1
-          mailer_user: null
-          mailer_password: null
-          secret: ${config.secret}
-          pdflatex: "${texlive.combine { inherit (texlive) attachfile preprint scheme-small; }}/bin/pdflatex"
-      leapt_im:
-          binary_path: ${imagemagick}/bin
-    '';
-  }];
-  phpFpm = rec {
-    preStart = mylibs.phpFpmPreStart {
-      inherit app;
-      inherit (app) varDir;
-      keyFiles = [
-        "/var/secrets/webapps/${app.environment}-piedsjaloux"
-      ];
-      actions = [
-        "/run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup"
-      ];
-    };
-    serviceDeps = [ "mysql.service" ];
-    socket = "/var/run/phpfpm/piedsjaloux-${app.environment}.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apacheUser}
-      group = ${apacheGroup}
-      listen.owner = ${apacheUser}
-      listen.group = ${apacheGroup}
-      php_admin_value[upload_max_filesize] = 20M
-      php_admin_value[post_max_size] = 20M
-      ;php_admin_flag[log_errors] = on
-      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-piedsjaloux:${app}:${app.varDir}:/tmp"
-      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
-      env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
-      ${if app.environment == "dev" then ''
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      env[SYMFONY_DEBUG_MODE] = "yes"
-      '' else ''
-      pm = dynamic
-      pm.max_children = 20
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      ''}'';
-  };
-  apache = rec {
-    modules = [ "proxy_fcgi" ];
-    webappName = "piedsjaloux_${app.environment}";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    <FilesMatch "\.php$">
-      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-    </FilesMatch>
-
-    ${if app.environment == "dev" then ''
-    <Location />
-      Use LDAPConnect
-      Require ldap-group   cn=piedsjaloux.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
-      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://piedsjaloux.fr\"></html>"
-    </Location>
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride None
-      Require all granted
-
-      DirectoryIndex app_dev.php
-
-      <IfModule mod_negotiation.c>
-      Options -MultiViews
-      </IfModule>
-
-      <IfModule mod_rewrite.c>
-        RewriteEngine On
-
-        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
-        RewriteRule ^(.*) - [E=BASE:%1]
-
-        # Maintenance script
-        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
-        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
-        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
-        ErrorDocument 503 /maintenance.php
-
-        # Sets the HTTP_AUTHORIZATION header removed by Apache
-        RewriteCond %{HTTP:Authorization} .
-        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-
-        RewriteCond %{ENV:REDIRECT_STATUS} ^$
-        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
-
-        # If the requested filename exists, simply serve it.
-        # We only want to let Apache serve files and not directories.
-        RewriteCond %{REQUEST_FILENAME} -f
-        RewriteRule ^ - [L]
-
-        # Rewrite all other queries to the front controller.
-        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
-      </IfModule>
-
-    </Directory>
-    '' else ''
-    Use Stats piedsjaloux.fr
-
-    <Directory ${root}>
-      Options Indexes FollowSymLinks MultiViews Includes
-      AllowOverride All
-      Require all granted
-    </Directory>
-    ''}
-    '';
-  };
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
-      ${app.varDir}/tmp
-    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
-    '';
-  };
-}
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
index 30066a5..9007f19 100644
--- a/modules/private/websites/piedsjaloux/production.nix
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -1,34 +1,91 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-  piedsjaloux = pkgs.callPackage ./builder.nix {
-    inherit (pkgs.webapps) piedsjaloux;
-    config = myconfig.env.websites.piedsjaloux.production;
-    apacheUser = config.services.httpd.Prod.user;
-    apacheGroup = config.services.httpd.Prod.group;
-  };
-
+  secrets = myconfig.env.websites.piedsjaloux.production;
+  app = pkgs.webapps.piedsjaloux.override { environment = secrets.environment; };
   cfg = config.myServices.websites.piedsjaloux.production;
+  pcfg = config.services.phpApplication;
 in {
   options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
 
   config = lib.mkIf cfg.enable {
-    secrets.keys = piedsjaloux.keys;
     services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
+    services.phpApplication.apps.piedsjaloux_prod = {
+      websiteEnv = "production";
+      httpdUser = config.services.httpd.Prod.user;
+      httpdGroup = config.services.httpd.Prod.group;
+      inherit (app) webRoot varDir;
+      varDirPaths = {
+        "tmp" = "0700";
+      };
+      inherit app;
+      serviceDeps = [ "mysql.service" ];
+      preStartActions = [
+        "./bin/console --env=${app.environment} cache:clear --no-warmup"
+      ];
+      phpOpenbasedir = [ "/tmp" ];
+      phpPool = ''
+        php_admin_value[upload_max_filesize] = 20M
+        php_admin_value[post_max_size] = 20M
+        ;php_admin_flag[log_errors] = on
+        env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
+        pm = dynamic
+        pm.max_children = 20
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+      '';
+      phpWatchFiles = [
+        config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux"
+      ];
+    };
+
+    secrets.keys = [
+      {
+        dest = "webapps/${app.environment}-piedsjaloux";
+        user = config.services.httpd.Prod.user;
+        group = config.services.httpd.Prod.group;
+        permissions = "0400";
+        text = ''
+          # This file is auto-generated during the composer install
+          parameters:
+              database_host: ${secrets.mysql.host}
+              database_port: ${secrets.mysql.port}
+              database_name: ${secrets.mysql.name}
+              database_user: ${secrets.mysql.user}
+              database_password: ${secrets.mysql.password}
+              database_server_version: ${pkgs.mariadb.mysqlVersion}
+              mailer_transport: smtp
+              mailer_host: 127.0.0.1
+              mailer_user: null
+              mailer_password: null
+              secret: ${secrets.secret}
+              pdflatex: "${pkgs.texlive.combine { inherit (pkgs.texlive) attachfile preprint scheme-small; }}/bin/pdflatex"
+          leapt_im:
+              binary_path: ${pkgs.imagemagick}/bin
+        '';
+      }
+    ];
 
-    systemd.services.phpfpm-piedsjaloux_prod.after = lib.mkAfter piedsjaloux.phpFpm.serviceDeps;
-    systemd.services.phpfpm-piedsjaloux_prod.wants = piedsjaloux.phpFpm.serviceDeps;
-    systemd.services.phpfpm-piedsjaloux_prod.preStart = lib.mkAfter piedsjaloux.phpFpm.preStart;
-    services.phpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux.phpFpm.pool;
-    system.activationScripts.piedsjaloux_prod = piedsjaloux.activationScript;
-    myServices.websites.webappDirs."${piedsjaloux.apache.webappName}" = piedsjaloux.app.webRoot;
-    services.websites.env.production.modules = piedsjaloux.apache.modules;
-    services.websites.env.production.vhostConfs.piedsjaloux = {
+    services.websites.env.production.vhostConfs.piedsjaloux_prod = {
       certName     = "piedsjaloux";
       certMainHost = "piedsjaloux.fr";
       hosts        = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
-      root         = piedsjaloux.apache.root;
-      extraConfig  = [ piedsjaloux.apache.vhostConf ];
+      root         = pcfg.webappDirs.piedsjaloux_prod;
+      extraConfig  = [
+        ''
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${pcfg.phpListenPaths.piedsjaloux_prod}|fcgi://localhost"
+        </FilesMatch>
+
+        Use Stats piedsjaloux.fr
+
+        <Directory ${pcfg.webappDirs.piedsjaloux_prod}>
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+        </Directory>
+        ''
+      ];
     };
   };
 }
-