Move websites/tools to modules

28 files changed, 1 insertions, 2905 deletions

diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index a0c5c7c..59ff85a 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -36,7 +36,6 @@
       ./modules/certificates.nix
       ./modules/gitolite
       ./modules/mpd.nix
-      ./modules/websites
       ./modules/mail.nix
       ./modules/ftp.nix
       ./modules/pub
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index e620318..9aeaa3f 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -180,9 +180,7 @@ in {
       '';
     };
 
-    system.extraSystemBuilderCmds = ''
-      ln -s ${./www} $out/webapps/_task
-      '';
+    myServices.websites.webappDirs._task = ./www;
 
     security.acme.certs."task" = config.services.myCertificates.certConfig // {
       inherit user group;
diff --git a/nixops/modules/websites/commons/adminer.nix b/nixops/modules/websites/commons/adminer.nix
deleted file mode 100644
index e911347..0000000
--- a/nixops/modules/websites/commons/adminer.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ stdenv, fetchurl, webapps }:
-rec {
-  webRoot = webapps.adminer;
-  phpFpm = rec {
-    socket = "/var/run/phpfpm/adminer.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 5
-      pm.process_idle_timeout = 60
-      ;php_admin_flag[log_errors] = on
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = AdminerPHPSESSID
-      php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"
-      php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer"
-      php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer"
-      '';
-  };
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "_adminer";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /adminer ${root}
-      <Directory ${root}>
-        DirectoryIndex index.php
-        Require all granted
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-      </Directory>
-      '';
-  };
-}
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
deleted file mode 100644
index 1948fe9..0000000
--- a/nixops/modules/websites/default.nix
+++ /dev/null
@@ -1,236 +0,0 @@
-{ lib, pkgs, config,  myconfig, ... }:
-let
-  cfg = config.services.myWebsites;
-  www_root = "/run/current-system/webapps/_www";
-  theme_root = "/run/current-system/webapps/_theme";
-  apacheConfig = {
-    gzip = {
-      modules = [ "deflate" "filter" ];
-      extraConfig = ''
-        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
-      '';
-    };
-    macros = {
-      modules = [ "macro" ];
-    };
-    stats = {
-      extraConfig = ''
-        <Macro Stats %{domain}>
-          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
-          <Directory ${config.services.webstats.dataDir}/%{domain}>
-            DirectoryIndex index.html
-            AllowOverride None
-            Require all granted
-          </Directory>
-          <Location /webstats>
-            Use LDAPConnect
-            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
-          </Location>
-        </Macro>
-      '';
-    };
-    ldap = {
-      modules = [ "ldap" "authnz_ldap" ];
-      extraConfig = ''
-        <IfModule ldap_module>
-          LDAPSharedCacheSize 500000
-          LDAPCacheEntries 1024
-          LDAPCacheTTL 600
-          LDAPOpCacheEntries 1024
-          LDAPOpCacheTTL 600
-        </IfModule>
-
-        Include /var/secrets/apache-ldap
-      '';
-    };
-    global = {
-      extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
-    };
-    apaxy = {
-      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
-    };
-    http2 = {
-      modules = [ "http2" ];
-      extraConfig = ''
-        Protocols h2 http/1.1
-      '';
-    };
-    customLog = {
-      extraConfig = ''
-        LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
-      '';
-    };
-  };
-  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
-  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
-in
-{
-  imports = [
-    ./tools/db.nix
-    ./tools/tools
-    ./tools/dav
-    ./tools/cloud.nix
-    ./tools/git
-    ./tools/mastodon.nix
-    ./tools/mediagoblin.nix
-    ./tools/diaspora.nix
-    ./tools/ether.nix
-    ./tools/peertube.nix
-  ];
-
-  config = {
-    users.users.wwwrun.extraGroups = [ "keys" ];
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-    nixpkgs.overlays = [ (self: super: rec {
-      #openssl = self.openssl_1_1;
-      php = php72;
-      php72 = (super.php72.override {
-        mysql.connector-c = self.mariadb;
-        config.php.mysqlnd = false;
-        config.php.mysqli = false;
-      }).overrideAttrs(old: rec {
-        # Didn't manage to build with mysqli + mysql_config connector
-        configureFlags = old.configureFlags ++ [
-          "--with-mysqli=shared,mysqlnd"
-          ];
-        # preConfigure = (old.preConfigure or "") + ''
-        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
-        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
-        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
-        #   '';
-      });
-      phpPackages = super.php72Packages.override { inherit php; };
-    }) ];
-
-    services.myWebsites.tools.databases.enable = true;
-    services.myWebsites.tools.tools.enable = true;
-    services.myWebsites.tools.dav.enable = true;
-    services.myWebsites.tools.cloud.enable = true;
-    services.myWebsites.tools.git.enable = true;
-    services.myWebsites.tools.mastodon.enable = true;
-    services.myWebsites.tools.mediagoblin.enable = true;
-    services.myWebsites.tools.diaspora.enable = true;
-    services.myWebsites.tools.etherpad-lite.enable = true;
-    services.myWebsites.tools.peertube.enable = true;
-
-    secrets.keys = [{
-      dest = "apache-ldap";
-      user = "wwwrun";
-      group = "wwwrun";
-      permissions = "0400";
-      text = ''
-        <Macro LDAPConnect>
-          <IfModule authnz_ldap_module>
-            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
-            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
-            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
-            AuthType             Basic
-            AuthName             "Authentification requise (Acces LDAP)"
-            AuthBasicProvider    ldap
-          </IfModule>
-        </Macro>
-        '';
-    }];
-
-    system.activationScripts = {
-      httpd = ''
-        install -d -m 0755 ${config.security.acme.directory}/acme-challenge
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
-        '';
-    };
-
-    system.extraSystemBuilderCmds = let
-      adminer = pkgs.callPackage ./commons/adminer.nix {};
-    in ''
-      mkdir -p $out/webapps
-      ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www
-      ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme
-      ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
-      '';
-
-    services.phpfpm = {
-      phpPackage = pkgs.php;
-      phpOptions = ''
-        session.save_path = "/var/lib/php/sessions"
-        post_max_size = 20M
-        ; 15 days (seconds)
-        session.gc_maxlifetime = 1296000
-        ; 30 days (minutes)
-        session.cache_expire = 43200
-        '';
-      extraConfig = ''
-        log_level = notice
-        '';
-    };
-
-    services.websites.production = {
-      enable = true;
-      adminAddr = "httpd@immae.eu";
-      httpdName = "Prod";
-      ips =
-        let ips = myconfig.env.servers.eldiron.ips.production;
-        in [ips.ip4] ++ (ips.ip6 or []);
-      modules = makeModules;
-      extraConfig = makeExtraConfig;
-      fallbackVhost = {
-        certName    = "eldiron";
-        hosts       = ["eldiron.immae.eu" ];
-        root        = www_root;
-        extraConfig = [ "DirectoryIndex index.htm" ];
-      };
-    };
-
-    services.websites.integration = {
-      enable = true;
-      adminAddr = "httpd@immae.eu";
-      httpdName = "Inte";
-      ips =
-        let ips = myconfig.env.servers.eldiron.ips.integration;
-        in [ips.ip4] ++ (ips.ip6 or []);
-      modules = makeModules;
-      extraConfig = makeExtraConfig;
-      fallbackVhost = {
-        certName    = "eldiron";
-        hosts       = ["eldiron.immae.eu" ];
-        root        = www_root;
-        extraConfig = [ "DirectoryIndex index.htm" ];
-      };
-    };
-
-    services.websites.tools = {
-      enable = true;
-      adminAddr = "httpd@immae.eu";
-      httpdName = "Tools";
-      ips =
-        let ips = myconfig.env.servers.eldiron.ips.main;
-        in [ips.ip4] ++ (ips.ip6 or []);
-      modules = makeModules;
-      extraConfig = makeExtraConfig ++
-        [ ''
-            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
-            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
-            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
-            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
-          ''
-          ];
-      nosslVhost = {
-        enable = true;
-        host = "nossl.immae.eu";
-      };
-      fallbackVhost = {
-        certName    = "eldiron";
-        hosts       = ["eldiron.immae.eu" ];
-        root        = www_root;
-        extraConfig = [ "DirectoryIndex index.htm" ];
-      };
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/cloud.nix b/nixops/modules/websites/tools/cloud.nix
deleted file mode 100644
index 5d2ca40..0000000
--- a/nixops/modules/websites/tools/cloud.nix
+++ /dev/null
@@ -1,188 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-  nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps);
-  env = myconfig.env.tools.nextcloud;
-  varDir = "/var/lib/nextcloud";
-  webappName = "tools_nextcloud";
-  apacheRoot = "/run/current-system/webapps/${webappName}";
-  cfg = config.services.myWebsites.tools.cloud;
-  phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" (
-      [ nextcloud varDir ]
-      ++ builtins.attrValues pkgs.webapps.nextcloud-apps);
-    socket = "/var/run/phpfpm/nextcloud.sock";
-    phpConfig = ''
-      extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
-      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-      zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
-      '';
-    pool = ''
-      user = wwwrun
-      group = wwwrun
-      listen.owner = wwwrun
-      listen.group = wwwrun
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      php_admin_value[output_buffering] = 0
-      php_admin_value[max_execution_time] = 1800
-      php_admin_value[zend_extension] = "opcache"
-      ;already enabled by default?
-      ;php_value[opcache.enable] = 1
-      php_value[opcache.enable_cli] = 1
-      php_value[opcache.interned_strings_buffer] = 8
-      php_value[opcache.max_accelerated_files] = 10000
-      php_value[opcache.memory_consumption] = 128
-      php_value[opcache.save_comments] = 1
-      php_value[opcache.revalidate_freq] = 1
-      php_admin_value[memory_limit] = 512M
-
-      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      '';
-  };
-in {
-  options.services.myWebsites.tools.cloud = {
-    enable = lib.mkEnableOption "enable cloud website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.websites.tools.modules = [ "proxy_fcgi" ];
-
-    services.websites.tools.vhostConfs.cloud = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["cloud.immae.eu" ];
-      root        = apacheRoot;
-      extraConfig = [
-        ''
-          SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
-          <Directory ${apacheRoot}>
-            AcceptPathInfo On
-            DirectoryIndex index.php
-            Options FollowSymlinks
-            Require all granted
-            AllowOverride all
-
-            <IfModule mod_headers.c>
-              Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
-            </IfModule>
-            <FilesMatch "\.php$">
-              CGIPassAuth on
-              SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-            </FilesMatch>
-
-          </Directory>
-        ''
-      ];
-    };
-
-    secrets.keys = [{
-      dest = "webapps/tools-nextcloud";
-      user = "wwwrun";
-      group = "wwwrun";
-      permissions = "0600";
-      text = ''
-        <?php
-        $CONFIG = array (
-          // FIXME: change this value when nextcloud starts getting slow
-          'instanceid' => '${env.instance_id}1',
-          'datadirectory' => '/var/lib/nextcloud/',
-          'passwordsalt' => '${env.password_salt}',
-          'debug' => false,
-          'dbtype' => 'pgsql',
-          'version' => '16.0.0.9',
-          'dbname' => '${env.postgresql.database}',
-          'dbhost' => '${env.postgresql.socket}',
-          'dbtableprefix' => 'oc_',
-          'dbuser' => '${env.postgresql.user}',
-          'dbpassword' => '${env.postgresql.password}',
-          'installed' => true,
-          'maxZipInputSize' => 0,
-          'allowZipDownload' => true,
-          'forcessl' => true,
-          'theme' => ${"''"},
-          'maintenance' => false,
-          'trusted_domains' => 
-          array (
-            0 => 'cloud.immae.eu',
-          ),
-          'secret' => '${env.secret}',
-          'appstoreenabled' => false,
-          'appstore.experimental.enabled' => true,
-          'loglevel' => 2,
-          'trashbin_retention_obligation' => 'auto',
-          'htaccess.RewriteBase' => '/',
-          'mail_smtpmode' => 'sendmail',
-          'mail_smtphost' => '127.0.0.1',
-          'mail_smtpname' => ''',
-          'mail_smtppassword' => ''',
-          'mail_from_address' => 'nextcloud',
-          'mail_smtpauth' => false,
-          'mail_domain' => 'tools.immae.eu',
-          'memcache.local' => '\\OC\\Memcache\\APCu',
-          'memcache.locking' => '\\OC\\Memcache\\Redis',
-          'filelocking.enabled' => true,
-          'redis' => 
-          array (
-            'host' => '${env.redis.socket}',
-            'port' => 0,
-            'dbindex' => ${env.redis.db_index},
-          ),
-          'overwrite.cli.url' => 'https://cloud.immae.eu',
-          'ldapIgnoreNamingRules' => false,
-          'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
-          'has_rebuilt_cache' => true,
-        );
-      '';
-    }];
-    users.users.root.packages = let
-      occ = pkgs.writeScriptBin "nextcloud-occ" ''
-        #! ${pkgs.stdenv.shell}
-        cd ${nextcloud}
-        NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
-          exec \
-          sudo -u wwwrun ${pkgs.php}/bin/php \
-          -c ${pkgs.php}/etc/php.ini \
-          occ $*
-        '';
-    in [ occ ];
-
-    system.activationScripts.nextcloud = {
-      deps = [ "secrets" ];
-      text = let
-        confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
-      in
-        ''
-        install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
-        install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
-        ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
-          "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
-          ) confs)}
-        install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
-      '';
-    };
-    # FIXME: add a warning when config.php changes
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${nextcloud} $out/webapps/${webappName}
-      '';
-
-    services.phpfpm.pools.nextcloud = {
-      listen = phpFpm.socket;
-      extraConfig = phpFpm.pool;
-      phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig;
-    };
-
-    services.cron = {
-      enable = true;
-      systemCronJobs = [
-        ''
-          LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
-          */15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php
-        ''
-      ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/dav/davical.nix b/nixops/modules/websites/tools/dav/davical.nix
deleted file mode 100644
index 634359d..0000000
--- a/nixops/modules/websites/tools/dav/davical.nix
+++ /dev/null
@@ -1,133 +0,0 @@
-{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
-rec {
-  keys = [{
-    dest = "webapps/dav-davical";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-      $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
-
-      $c->readonly_webdav_collections = false;
-
-      $c->admin_email ='davical@tools.immae.eu';
-
-      $c->restrict_setup_to_admin = true;
-
-      $c->collections_always_exist = false;
-
-      $c->external_refresh = 60;
-
-      $c->enable_scheduling = true;
-
-      $c->iMIP = (object) array("send_email" => true);
-
-      $c->authenticate_hook['optional'] = false;
-      $c->authenticate_hook['call'] = 'LDAP_check';
-      $c->authenticate_hook['config'] = array(
-          'host' => 'ldap.immae.eu',
-          'port' => '389',
-          'startTLS' => 'yes',
-          'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu',
-          'passDN'=> '${env.ldap.password}',
-          'protocolVersion' => '3',
-          'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'),
-          'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu',
-          'baseDNGroups' => 'ou=groups,dc=immae,dc=eu',
-          'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu',
-          'mapping_field' => array(
-            "username" => "uid",
-            "fullname" => "cn",
-            "email"    => "mail",
-            "modified" => "modifyTimestamp",
-          ),
-          'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
-            /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
-      //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
-          'group_mapping_field' => array(
-            "username"    => "cn",
-            "updated"     => "modifyTimestamp",
-            "fullname"    => "givenName",
-            "displayname" => "givenName",
-            "members"     => "memberUid",
-            "email"       => "mail",
-          ),
-        );
-
-      $c->do_not_sync_from_ldap = array('admin' => true);
-      include('drivers_ldap.php');
-    '';
-  }];
-  webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
-  webRoot = "${webapp}/htdocs";
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_davical";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /davical "${root}"
-      Alias /caldav.php  "${root}/caldav.php"
-      <Directory "${root}">
-        DirectoryIndex index.php index.html
-        AcceptPathInfo On
-        AllowOverride None
-        Require all granted
-
-        <FilesMatch "\.php$">
-          CGIPassAuth on
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        RewriteEngine On
-        <IfModule mod_headers.c>
-                Header unset Access-Control-Allow-Origin
-                Header unset Access-Control-Allow-Methods
-                Header unset Access-Control-Allow-Headers
-                Header unset Access-Control-Allow-Credentials
-                Header unset Access-Control-Expose-Headers
-
-                Header always set Access-Control-Allow-Origin "*"
-                Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
-                Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
-                Header always set Access-Control-Allow-Credentials false
-                Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
-
-                RewriteCond %{HTTP:Access-Control-Request-Method} !^$
-                RewriteCond %{REQUEST_METHOD} OPTIONS
-                RewriteRule ^(.*)$ $1 [R=200,L]
-        </IfModule>
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "postgresql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
-    socket = "/var/run/phpfpm/davical.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = dynamic
-      pm.max_children = 60
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 10
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = DavicalPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical"
-      php_admin_value[include_path] = "${awl}/inc:${webapp}/inc"
-      php_admin_value[session.save_path] = "/var/lib/php/sessions/davical"
-      php_flag[magic_quotes_gpc] = Off
-      php_flag[register_globals] = Off
-      php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE"
-      php_admin_value[default_charset] = "utf-8"
-      php_flag[magic_quotes_runtime] = Off
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/dav/default.nix b/nixops/modules/websites/tools/dav/default.nix
deleted file mode 100644
index 78e0ba3..0000000
--- a/nixops/modules/websites/tools/dav/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-    infcloud = rec {
-      webappName = "tools_infcloud";
-      root = "/run/current-system/webapps/${webappName}";
-      vhostConf = ''
-          Alias /carddavmate ${root}
-          Alias /caldavzap ${root}
-          Alias /infcloud ${root}
-          <Directory ${root}>
-            AllowOverride All
-            Options FollowSymlinks
-            Require all granted
-            DirectoryIndex index.html
-          </Directory>
-      '';
-    };
-    davical = pkgs.callPackage ./davical.nix {
-      env = myconfig.env.tools.davical;
-      inherit (pkgs.webapps) davical awl;
-    };
-
-    cfg = config.services.myWebsites.tools.dav;
-in {
-  options.services.myWebsites.tools.dav = {
-    enable = lib.mkEnableOption "enable dav website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = davical.keys;
-    services.websites.tools.modules = davical.apache.modules;
-
-    services.websites.tools.vhostConfs.dav = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["dav.immae.eu" ];
-      root        = null;
-      extraConfig = [
-        infcloud.vhostConf
-        davical.apache.vhostConf
-      ];
-    };
-
-    services.phpfpm.poolConfigs = {
-      davical = davical.phpFpm.pool;
-    };
-
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${davical.webRoot} $out/webapps/${davical.apache.webappName}
-      ln -s ${pkgs.webapps.infcloud} $out/webapps/${infcloud.webappName}
-      '';
-  };
-}
-
diff --git a/nixops/modules/websites/tools/db.nix b/nixops/modules/websites/tools/db.nix
deleted file mode 100644
index 7c15c23..0000000
--- a/nixops/modules/websites/tools/db.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ lib, pkgs, config,  ... }:
-let
-    adminer = pkgs.callPackage ../commons/adminer.nix {};
-
-    cfg = config.services.myWebsites.tools.databases;
-in {
-  options.services.myWebsites.tools.databases = {
-    enable = lib.mkEnableOption "enable database's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.websites.tools.modules = adminer.apache.modules;
-    services.websites.tools.vhostConfs.db-1 = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["db-1.immae.eu" ];
-      root        = null;
-      extraConfig = [ adminer.apache.vhostConf ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/diaspora.nix b/nixops/modules/websites/tools/diaspora.nix
deleted file mode 100644
index ee5507d..0000000
--- a/nixops/modules/websites/tools/diaspora.nix
+++ /dev/null
@@ -1,181 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-  env = myconfig.env.tools.diaspora;
-  root = "/run/current-system/webapps/tools_diaspora";
-  cfg = config.services.myWebsites.tools.diaspora;
-  dcfg = config.services.diaspora;
-in {
-  options.services.myWebsites.tools.diaspora = {
-    enable = lib.mkEnableOption "enable diaspora's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    users.users.diaspora.extraGroups = [ "keys" ];
-
-    secrets.keys = [
-      {
-        dest = "webapps/diaspora/diaspora.yml";
-        user = "diaspora";
-        group = "diaspora";
-        permissions = "0400";
-        text = ''
-        configuration:
-          environment:
-            url: "https://diaspora.immae.eu/"
-            certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
-            redis: '${env.redis_url}'
-            sidekiq:
-            s3:
-            assets:
-            logging:
-              logrotate:
-              debug:
-          server:
-            listen: '${dcfg.sockets.rails}'
-            rails_environment: 'production'
-          chat:
-            server:
-              bosh:
-              log:
-          map:
-            mapbox:
-          privacy:
-            piwik:
-            statistics:
-            camo:
-          settings:
-            enable_registrations: false
-            welcome_message:
-            invitations:
-              open: false
-            paypal_donations:
-            community_spotlight:
-            captcha:
-              enable: false
-            terms:
-            maintenance:
-              remove_old_users:
-            default_metas:
-            csp:
-          services:
-            twitter:
-            tumblr:
-            wordpress:
-          mail:
-            enable: true
-            sender_address: 'diaspora@tools.immae.eu'
-            method: 'sendmail'
-            smtp:
-            sendmail:
-              location: '/run/wrappers/bin/sendmail'
-          admins:
-            account: "ismael"
-            podmin_email: 'diaspora@tools.immae.eu'
-          relay:
-            outbound:
-            inbound:
-          ldap:
-              enable: true
-              host: ldap.immae.eu
-              port: 636
-              only_ldap: true
-              mail_attribute: mail
-              skip_email_confirmation: true
-              use_bind_dn: true
-              bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
-              bind_pw: "${env.ldap.password}"
-              search_base: "dc=immae,dc=eu"
-              search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
-        production:
-          environment:
-        development:
-          environment:
-        '';
-      }
-      {
-        dest = "webapps/diaspora/database.yml";
-        user = "diaspora";
-        group = "diaspora";
-        permissions = "0400";
-        text = ''
-        postgresql: &postgresql
-          adapter: postgresql
-          host: "${env.postgresql.socket}"
-          port: "${env.postgresql.port}"
-          username: "${env.postgresql.user}"
-          password: "${env.postgresql.password}"
-          encoding: unicode
-        common: &common
-          <<: *postgresql
-        combined: &combined
-          <<: *common
-        development:
-          <<: *combined
-          database: diaspora_development
-        production:
-          <<: *combined
-          database: ${env.postgresql.database}
-        test:
-          <<: *combined
-          database: "diaspora_test"
-        integration1:
-          <<: *combined
-          database: diaspora_integration1
-        integration2:
-          <<: *combined
-          database: diaspora_integration2
-        '';
-      }
-      {
-        dest = "webapps/diaspora/secret_token.rb";
-        user = "diaspora";
-        group = "diaspora";
-        permissions = "0400";
-        text = ''
-          Diaspora::Application.config.secret_key_base = '${env.secret_token}'
-        '';
-      }
-    ];
-
-    services.diaspora = {
-      enable = true;
-      package = pkgs.webapps.diaspora.override { ldap = true; };
-      dataDir = "/var/lib/diaspora_immae";
-      adminEmail = "diaspora@tools.immae.eu";
-      configDir = "/var/secrets/webapps/diaspora";
-    };
-
-    services.websites.tools.modules = [
-      "headers" "proxy" "proxy_http"
-    ];
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora
-      '';
-    services.websites.tools.vhostConfs.diaspora = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = [ "diaspora.immae.eu" ];
-      root        = root;
-      extraConfig = [ ''
-        RewriteEngine On
-        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
-        RewriteRule ^/(.*)$ unix://${dcfg.sockets.rails}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L]
-
-        ProxyRequests Off
-        ProxyVia On
-        ProxyPreserveHost On
-        RequestHeader set X_FORWARDED_PROTO https
-
-        <Proxy *>
-            Require all granted
-        </Proxy>
-
-        <Directory ${root}>
-            Require all granted
-            Options -MultiViews
-        </Directory>
-      '' ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/ether.nix b/nixops/modules/websites/tools/ether.nix
deleted file mode 100644
index 8c9bbb1..0000000
--- a/nixops/modules/websites/tools/ether.nix
+++ /dev/null
@@ -1,175 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-  env = myconfig.env.tools.etherpad-lite;
-  cfg = config.services.myWebsites.tools.etherpad-lite;
-  # Make sure we’re not rebuilding whole libreoffice just because of a
-  # dependency
-  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
-  ecfg = config.services.etherpad-lite;
-in {
-  options.services.myWebsites.tools.etherpad-lite = {
-    enable = lib.mkEnableOption "enable etherpad's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = [
-      {
-        dest = "webapps/tools-etherpad-apikey";
-        permissions = "0400";
-        text = env.api_key;
-      }
-      {
-        dest = "webapps/tools-etherpad-sessionkey";
-        permissions = "0400";
-        text = env.session_key;
-      }
-      {
-        dest = "webapps/tools-etherpad";
-        permissions = "0400";
-        text = ''
-          {
-            "title": "Etherpad",
-            "favicon": "favicon.ico",
-
-            "ip": "",
-            "port" : "${ecfg.sockets.node}",
-            "showSettingsInAdminPage" : false,
-            "dbType" : "postgres",
-            "dbSettings" : {
-              "user"    : "${env.postgresql.user}",
-              "host"    : "${env.postgresql.socket}",
-              "password": "${env.postgresql.password}",
-              "database": "${env.postgresql.database}",
-              "charset" : "utf8mb4"
-            },
-
-            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
-            "padOptions": {
-              "noColors": false,
-              "showControls": true,
-              "showChat": true,
-              "showLineNumbers": true,
-              "useMonospaceFont": false,
-              "userName": false,
-              "userColor": false,
-              "rtl": false,
-              "alwaysShowChat": false,
-              "chatAndUsers": false,
-              "lang": "en-gb"
-            },
-
-            "suppressErrorsInPadText" : false,
-            "requireSession" : false,
-            "editOnly" : false,
-            "sessionNoPassword" : false,
-            "minify" : true,
-            "maxAge" : 21600,
-            "abiword" : null,
-            "soffice" : "${libreoffice}/bin/soffice",
-            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
-            "allowUnknownFileEnds" : true,
-            "requireAuthentication" : false,
-            "requireAuthorization" : false,
-            "trustProxy" : false,
-            "disableIPlogging" : false,
-            "automaticReconnectionTimeout" : 0,
-            "scrollWhenFocusLineIsOutOfViewport": {
-              "percentage": {
-                "editionAboveViewport": 0,
-                "editionBelowViewport": 0
-              },
-              "duration": 0,
-              "scrollWhenCaretIsInTheLastLineOfViewport": false,
-              "percentageToScrollWhenUserPressesArrowUp": 0
-            },
-            "users": {
-              "ldapauth": {
-                "url": "ldaps://${env.ldap.host}",
-                "accountBase": "${env.ldap.base}",
-                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
-                "displayNameAttribute": "cn",
-                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
-                "searchPWD": "${env.ldap.password}",
-                "groupSearchBase": "${env.ldap.base}",
-                "groupAttribute": "member",
-                "groupAttributeIsDN": true,
-                "searchScope": "sub",
-                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
-                "anonymousReadonly": false
-              }
-            },
-            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
-            "loadTest": false,
-            "indentationOnNewLine": false,
-            "toolbar": {
-              "left": [
-                ["bold", "italic", "underline", "strikethrough"],
-                ["orderedlist", "unorderedlist", "indent", "outdent"],
-                ["undo", "redo"],
-                ["clearauthorship"]
-              ],
-              "right": [
-                ["importexport", "timeslider", "savedrevision"],
-                ["settings", "embed"],
-                ["showusers"]
-              ],
-              "timeslider": [
-                ["timeslider_export", "timeslider_returnToPad"]
-              ]
-            },
-            "loglevel": "INFO",
-            "logconfig" : { "appenders": [ { "type": "console" } ] }
-          }
-        '';
-      }
-    ];
-    services.etherpad-lite = {
-      enable = true;
-      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
-      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
-      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
-      configFile = "/var/secrets/webapps/tools-etherpad";
-    };
-
-    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
-
-    services.websites.tools.modules = [
-      "headers" "proxy" "proxy_http" "proxy_wstunnel"
-    ];
-    services.websites.tools.vhostConfs.etherpad-lite = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = [ "ether.immae.eu" ];
-      root        = null;
-      extraConfig = [ ''
-        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
-        RequestHeader set X-Forwarded-Proto "https"
-
-        RewriteEngine On
-
-        RewriteMap  redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
-        RewriteCond %{QUERY_STRING}         "!noredirect"
-        RewriteCond %{REQUEST_URI}          "^(.*)$"
-        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
-        RewriteRule "^(.*)$"                ''${redirects:$1}  [L,NE,R=301,QSD]
-
-        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
-        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
-        RewriteRule /(.*)           unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
-
-        <IfModule mod_proxy.c>
-          ProxyVia On
-          ProxyRequests Off
-          ProxyPreserveHost On
-          ProxyPass         / unix://${ecfg.sockets.node}|http://ether.immae.eu/
-          ProxyPassReverse  / unix://${ecfg.sockets.node}|http://ether.immae.eu/
-          <Proxy *>
-            Options FollowSymLinks MultiViews
-            AllowOverride None
-            Require all granted
-          </Proxy>
-        </IfModule>
-      '' ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/git/default.nix b/nixops/modules/websites/tools/git/default.nix
deleted file mode 100644
index 495c5ea..0000000
--- a/nixops/modules/websites/tools/git/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ lib, pkgs, config, myconfig, ... }:
-let
-    mantisbt = pkgs.callPackage ./mantisbt.nix {
-      inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
-      env = myconfig.env.tools.mantisbt;
-    };
-    gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
-
-    cfg = config.services.myWebsites.tools.git;
-in {
-  options.services.myWebsites.tools.git = {
-    enable = lib.mkEnableOption "enable git's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = mantisbt.keys;
-    services.websites.tools.modules =
-      gitweb.apache.modules ++
-      mantisbt.apache.modules;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${gitweb.webRoot} $out/webapps/${gitweb.apache.webappName}
-      ln -s ${mantisbt.webRoot} $out/webapps/${mantisbt.apache.webappName}
-      '';
-
-    services.websites.tools.vhostConfs.git = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["git.immae.eu" ];
-      root        = gitweb.apache.root;
-      extraConfig = [
-        gitweb.apache.vhostConf
-        mantisbt.apache.vhostConf
-        ''
-          RewriteEngine on
-          RewriteCond %{REQUEST_URI}       ^/releases
-          RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
-          ''
-      ];
-    };
-    services.phpfpm.poolConfigs = {
-      mantisbt = mantisbt.phpFpm.pool;
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/git/gitweb.nix b/nixops/modules/websites/tools/git/gitweb.nix
deleted file mode 100644
index 2ee7a63..0000000
--- a/nixops/modules/websites/tools/git/gitweb.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ gitweb, writeText, gitolite, git, gitoliteDir, highlight }:
-rec {
-  varDir = gitoliteDir;
-  webRoot = gitweb;
-  config = writeText "gitweb.conf" ''
-    $git_temp = "/tmp";
-
-    # The directories where your projects are. Must not end with a
-    # slash.
-    $projectroot = "${varDir}/repositories";
-
-    $projects_list = "${varDir}/projects.list";
-    $strict_export = "true";
-
-    # Base URLs for links displayed in the web interface.
-    our @git_base_url_list = qw(ssh://gitolite@git.immae.eu https://git.immae.eu);
-
-    $feature{'blame'}{'default'} = [1];
-    $feature{'avatar'}{'default'} = ['gravatar'];
-    $feature{'highlight'}{'default'} = [1];
-
-    @stylesheets = ("gitweb-theme/gitweb.css");
-    $logo = "gitweb-theme/git-logo.png";
-    $favicon = "gitweb-theme/git-favicon.png";
-    $javascript = "gitweb-theme/gitweb.js";
-    $logo_url = "https://git.immae.eu/";
-    $projects_list_group_categories = "true";
-    $projects_list_description_width = 60;
-    $project_list_default_category = "__Others__";
-    $highlight_bin = "${highlight}/bin/highlight";
-    '';
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "cgid" ];
-    webappName = "tools_gitweb";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      SetEnv GIT_PROJECT_ROOT ${varDir}/repositories/
-      ScriptAliasMatch \
-                  "(?x)^/(.*/(HEAD | \
-                                  info/refs | \
-                                  objects/(info/[^/]+ | \
-                                          [0-9a-f]{2}/[0-9a-f]{38} | \
-                                          pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
-                                  git-(upload|receive)-pack))$" \
-                  ${git}/libexec/git-core/git-http-backend/$1
-
-      <Directory "${git}/libexec/git-core">
-        Require all granted
-      </Directory>
-      <Directory "${root}">
-        DirectoryIndex gitweb.cgi
-        Require all granted
-        AllowOverride None
-        Options ExecCGI FollowSymLinks
-        <Files gitweb.cgi>
-          SetHandler cgi-script
-          SetEnv  GITWEB_CONFIG  "${config}"
-        </Files>
-      </Directory>
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/git/mantisbt.nix b/nixops/modules/websites/tools/git/mantisbt.nix
deleted file mode 100644
index 0c459a7..0000000
--- a/nixops/modules/websites/tools/git/mantisbt.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ env, mantisbt_2, mantisbt_2-plugins }:
-rec {
-  keys = [{
-    dest = "webapps/tools-mantisbt";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-      $g_hostname              = '${env.postgresql.socket}';
-      $g_db_username           = '${env.postgresql.user}';
-      $g_db_password           = '${env.postgresql.password}';
-      $g_database_name         = '${env.postgresql.database}';
-      $g_db_type               = 'pgsql';
-      $g_crypto_master_salt    = '${env.master_salt}';
-      $g_allow_signup          = OFF;
-      $g_allow_anonymous_login = ON;
-      $g_anonymous_account     = 'anonymous';
-
-      $g_phpMailer_method       = PHPMAILER_METHOD_SENDMAIL;
-      $g_smtp_host              = 'localhost';
-      $g_smtp_username          = ''';
-      $g_smtp_password          = ''';
-      $g_webmaster_email        = 'mantisbt@tools.immae.eu';
-      $g_from_email             = 'mantisbt@tools.immae.eu';
-      $g_return_path_email      = 'mantisbt@tools.immae.eu';
-      $g_from_name              = 'Mantis Bug Tracker at git.immae.eu';
-      $g_email_receive_own      = OFF;
-      # --- LDAP ---
-      $g_login_method = LDAP;
-      $g_ldap_protocol_version = 3;
-      $g_ldap_server = 'ldaps://ldap.immae.eu:636';
-      $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
-      $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
-      $g_ldap_bind_passwd = '${env.ldap.password}';
-      $g_use_ldap_email = ON;
-      $g_use_ldap_realname = ON;
-      $g_ldap_uid_field = 'uid';
-      $g_ldap_realname_field = 'cn';
-      $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
-    '';
-  }];
-  webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (builtins.attrValues mantisbt_2-plugins);
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_mantisbt";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /mantisbt "${root}"
-      <Directory "${root}">
-        DirectoryIndex index.php
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        AllowOverride All
-        Options FollowSymlinks
-        Require all granted
-      </Directory>
-      <Directory "${root}/admin">
-        #Reenable during upgrade
-        Require all denied
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "postgresql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" (
-      [ webRoot "/var/secrets/webapps/tools-mantisbt" ]
-      ++ webRoot.plugins);
-    socket = "/var/run/phpfpm/mantisbt.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      php_admin_value[upload_max_filesize] = 5000000
-
-      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"
-      php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/mastodon.nix b/nixops/modules/websites/tools/mastodon.nix
deleted file mode 100644
index ffd59dd..0000000
--- a/nixops/modules/websites/tools/mastodon.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-  env = myconfig.env.tools.mastodon;
-  root = "/run/current-system/webapps/tools_mastodon";
-  cfg = config.services.myWebsites.tools.mastodon;
-  mcfg = config.services.mastodon;
-in {
-  options.services.myWebsites.tools.mastodon = {
-    enable = lib.mkEnableOption "enable mastodon's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = [{
-      dest = "webapps/tools-mastodon";
-      user = "mastodon";
-      group = "mastodon";
-      permissions = "0400";
-      text = ''
-        REDIS_HOST=${env.redis.host}
-        REDIS_PORT=${env.redis.port}
-        REDIS_DB=${env.redis.db}
-        DB_HOST=${env.postgresql.socket}
-        DB_USER=${env.postgresql.user}
-        DB_NAME=${env.postgresql.database}
-        DB_PASS=${env.postgresql.password}
-        DB_PORT=${env.postgresql.port}
-
-        LOCAL_DOMAIN=mastodon.immae.eu
-        LOCAL_HTTPS=true
-        ALTERNATE_DOMAINS=immae.eu
-
-        PAPERCLIP_SECRET=${env.paperclip_secret}
-        SECRET_KEY_BASE=${env.secret_key_base}
-        OTP_SECRET=${env.otp_secret}
-
-        VAPID_PRIVATE_KEY=${env.vapid.private}
-        VAPID_PUBLIC_KEY=${env.vapid.public}
-
-        SMTP_DELIVERY_METHOD=sendmail
-        SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
-        SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
-        PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
-
-        STREAMING_CLUSTER_NUM=1
-
-        RAILS_LOG_LEVEL=warn
-
-        # LDAP authentication (optional)
-        LDAP_ENABLED=true
-        LDAP_HOST=ldap.immae.eu
-        LDAP_PORT=636
-        LDAP_METHOD=simple_tls
-        LDAP_BASE="dc=immae,dc=eu"
-        LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
-        LDAP_PASSWORD="${env.ldap.password}"
-        LDAP_UID="uid"
-        LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
-      '';
-    }];
-    services.mastodon = {
-      enable = true;
-      configFile = "/var/secrets/webapps/tools-mastodon";
-      socketsPrefix = "live_immae";
-      dataDir = "/var/lib/mastodon_immae";
-    };
-
-    services.websites.tools.modules = [
-      "headers" "proxy" "proxy_wstunnel" "proxy_http"
-    ];
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
-      '';
-    services.websites.tools.vhostConfs.mastodon = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["mastodon.immae.eu" ];
-      root        = root;
-      extraConfig = [ ''
-        Header always set Referrer-Policy "strict-origin-when-cross-origin"
-        Header always set Strict-Transport-Security "max-age=31536000"
-
-        <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
-          Header always set Cache-Control "public, max-age=31536000, immutable"
-          Require all granted
-        </LocationMatch>
-
-        ProxyPreserveHost On
-        RequestHeader set X-Forwarded-Proto "https"
-
-        RewriteEngine On
-
-        ProxyPass /500.html !
-        ProxyPass /sw.js !
-        ProxyPass /embed.js !
-        ProxyPass /robots.txt !
-        ProxyPass /manifest.json !
-        ProxyPass /browserconfig.xml !
-        ProxyPass /mask-icon.svg !
-        ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
-        ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
-
-        RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
-        RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
-        ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
-        ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
-
-        Alias /system ${mcfg.dataDir}
-
-        <Directory ${mcfg.dataDir}>
-          Require all granted
-          Options -MultiViews
-        </Directory>
-
-        <Directory ${root}>
-          Require all granted
-          Options -MultiViews +FollowSymlinks
-        </Directory>
-
-        ErrorDocument 500 /500.html
-        ErrorDocument 501 /500.html
-        ErrorDocument 502 /500.html
-        ErrorDocument 503 /500.html
-        ErrorDocument 504 /500.html
-      '' ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/nixops/modules/websites/tools/mediagoblin.nix
deleted file mode 100644
index eb56b35..0000000
--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ /dev/null
@@ -1,122 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-  env = myconfig.env.tools.mediagoblin;
-  cfg = config.services.myWebsites.tools.mediagoblin;
-  mcfg = config.services.mediagoblin;
-in {
-  options.services.myWebsites.tools.mediagoblin = {
-    enable = lib.mkEnableOption "enable mediagoblin's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys = [{
-      dest = "webapps/tools-mediagoblin";
-      user = "mediagoblin";
-      group = "mediagoblin";
-      permissions = "0400";
-      text = ''
-        [DEFAULT]
-        data_basedir = "${mcfg.dataDir}"
-
-        [mediagoblin]
-        direct_remote_path = /mgoblin_static/
-        email_sender_address = "mediagoblin@tools.immae.eu"
-
-        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
-        sql_engine = ${env.psql_url}
-
-        email_debug_mode = false
-        allow_registration = false
-        allow_reporting = true
-
-        theme = airymodified
-
-        user_privilege_scheme = "uploader,commenter,reporter"
-
-        # We need to redefine them here since we override data_basedir
-        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
-        workbench_path = %(data_basedir)s/media/workbench
-        crypto_path = %(data_basedir)s/crypto
-        theme_install_dir = %(data_basedir)s/themes/
-        theme_linked_assets_dir = %(data_basedir)s/theme_static/
-        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
-
-        [storage:queuestore]
-        base_dir = %(data_basedir)s/media/queue
-
-        [storage:publicstore]
-        base_dir = %(data_basedir)s/media/public
-        base_url = /mgoblin_media/
-
-        [celery]
-        CELERY_RESULT_DBURI = ${env.redis_url}
-        BROKER_URL = ${env.redis_url}
-        CELERYD_CONCURRENCY = 1
-
-        [plugins]
-          [[mediagoblin.plugins.geolocation]]
-          [[mediagoblin.plugins.ldap]]
-            [[[immae.eu]]]
-              LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
-              LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
-              LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
-              LDAP_BIND_PW = '${env.ldap.password}'
-              LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
-              EMAIL_SEARCH_FIELD = 'mail'
-          [[mediagoblin.plugins.basicsearch]]
-          [[mediagoblin.plugins.piwigo]]
-          [[mediagoblin.plugins.processing_info]]
-          [[mediagoblin.media_types.image]]
-          [[mediagoblin.media_types.video]]
-        '';
-    }];
-
-    users.users.mediagoblin.extraGroups = [ "keys" ];
-
-    services.mediagoblin = {
-      enable     = true;
-      plugins    = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
-      configFile = "/var/secrets/webapps/tools-mediagoblin";
-    };
-
-    services.websites.tools.modules = [
-      "proxy" "proxy_http"
-    ];
-    users.users.wwwrun.extraGroups = [ "mediagoblin" ];
-    services.websites.tools.vhostConfs.mgoblin = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["mgoblin.immae.eu" ];
-      root        = null;
-      extraConfig = [ ''
-        Alias /mgoblin_media ${mcfg.dataDir}/media/public
-        <Directory ${mcfg.dataDir}/media/public>
-          Options -Indexes +FollowSymLinks +MultiViews +Includes
-          Require all granted
-        </Directory>
-
-        Alias /theme_static ${mcfg.dataDir}/theme_static
-        <Directory ${mcfg.dataDir}/theme_static>
-          Options -Indexes +FollowSymLinks +MultiViews +Includes
-          Require all granted
-        </Directory>
-
-        Alias /plugin_static ${mcfg.dataDir}/plugin_static
-        <Directory ${mcfg.dataDir}/plugin_static>
-          Options -Indexes +FollowSymLinks +MultiViews +Includes
-          Require all granted
-        </Directory>
-
-        ProxyPreserveHost on
-        ProxyVia On
-        ProxyRequests Off
-        ProxyPass /mgoblin_media !
-        ProxyPass /theme_static !
-        ProxyPass /plugin_static !
-        ProxyPassMatch ^/.well-known/acme-challenge !
-        ProxyPass / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
-        ProxyPassReverse / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
-      '' ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/peertube.nix b/nixops/modules/websites/tools/peertube.nix
deleted file mode 100644
index 12ab3c4..0000000
--- a/nixops/modules/websites/tools/peertube.nix
+++ /dev/null
@@ -1,179 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-  env = myconfig.env.tools.peertube;
-  cfg = config.services.myWebsites.tools.peertube;
-  pcfg = config.services.peertube;
-in {
-  options.services.myWebsites.tools.peertube = {
-    enable = lib.mkEnableOption "enable Peertube's website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.peertube = {
-      enable = true;
-      configFile = "/var/secrets/webapps/tools-peertube";
-      package = pkgs.webapps.peertube.override { ldap = true; };
-    };
-    users.users.peertube.extraGroups = [ "keys" ];
-
-    secrets.keys = [{
-      dest = "webapps/tools-peertube";
-      user = "peertube";
-      group = "peertube";
-      permissions = "0640";
-      text = ''
-        listen:
-          hostname: 'localhost'
-          port: ${env.listenPort}
-        webserver:
-          https: true
-          hostname: 'peertube.immae.eu'
-          port: 443
-        trust_proxy:
-          - 'loopback'
-        database:
-          hostname: '${env.postgresql.socket}'
-          port: 5432
-          suffix: '_prod'
-          username: '${env.postgresql.user}'
-          password: '${env.postgresql.password}'
-          pool:
-            max: 5
-        redis:
-          socket: '${env.redis.socket}'
-          auth: null
-          db: ${env.redis.db_index}
-        ldap:
-          enable: true
-          ldap_only: false
-          url: ldaps://${env.ldap.host}/${env.ldap.base}
-          bind_dn: ${env.ldap.dn}
-          bind_password: ${env.ldap.password}
-          base: ${env.ldap.base}
-          mail_entry: "mail"
-          user_filter: "${env.ldap.filter}"
-        smtp:
-          transport: sendmail
-          sendmail: '/run/wrappers/bin/sendmail'
-          hostname: null
-          port: 465 # If you use StartTLS: 587
-          username: null
-          password: null
-          tls: true # If you use StartTLS: false
-          disable_starttls: false
-          ca_file: null # Used for self signed certificates
-          from_address: 'peertube@tools.immae.eu'
-        storage:
-          tmp: '${pcfg.dataDir}/storage/tmp/'
-          avatars: '${pcfg.dataDir}/storage/avatars/'
-          videos: '${pcfg.dataDir}/storage/videos/'
-          redundancy: '${pcfg.dataDir}/storage/videos/'
-          logs: '${pcfg.dataDir}/storage/logs/'
-          previews: '${pcfg.dataDir}/storage/previews/'
-          thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
-          torrents: '${pcfg.dataDir}/storage/torrents/'
-          captions: '${pcfg.dataDir}/storage/captions/'
-          cache: '${pcfg.dataDir}/storage/cache/'
-        log:
-          level: 'info'
-        search:
-          remote_uri:
-            users: true
-            anonymous: false
-        trending:
-          videos:
-            interval_days: 7
-        redundancy:
-          videos:
-            check_interval: '1 hour' # How often you want to check new videos to cache
-            strategies: # Just uncomment strategies you want
-        # Following are saved in local-production.json
-        cache:
-          previews:
-            size: 500 # Max number of previews you want to cache
-          captions:
-            size: 500 # Max number of video captions/subtitles you want to cache
-        admin:
-          email: 'peertube@tools.immae.eu'
-        contact_form:
-          enabled: true
-        signup:
-          enabled: false
-          limit: 10
-          requires_email_verification: false
-          filters:
-            cidr:
-              whitelist: []
-              blacklist: []
-        user:
-          video_quota: -1
-          video_quota_daily: -1
-        transcoding:
-          enabled: false
-          allow_additional_extensions: true
-          threads: 1
-          resolutions:
-            240p: false
-            360p: false
-            480p: true
-            720p: true
-            1080p: true
-          hls:
-            enabled: false
-        import:
-          videos:
-            http:
-              enabled: true
-            torrent:
-              enabled: false
-        instance:
-          name: 'Immae&#x2019;s PeerTube'
-          short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
-          description: '''
-          terms: '''
-          default_client_route: '/videos/trending'
-          default_nsfw_policy: 'blur'
-          customizations:
-            javascript: '''
-            css: '''
-          robots: |
-            User-agent: *
-            Disallow:
-          securitytxt:
-            "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
-        services:
-          # You can provide a reporting endpoint for Content Security Policy violations
-          csp-logger:
-          twitter:
-            username: '@_immae'
-            whitelisted: false
-        '';
-    }];
-
-    services.websites.tools.modules = [
-      "headers" "proxy" "proxy_http" "proxy_wstunnel"
-    ];
-    services.websites.tools.vhostConfs.peertube = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = [ "peertube.immae.eu" ];
-      root        = null;
-      extraConfig = [ ''
-          RewriteEngine On
-
-          RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
-          RewriteCond %{QUERY_STRING} transport=websocket    [NC]
-          RewriteRule /(.*)           ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
-
-          RewriteCond %{REQUEST_URI}  ^/tracker/socket       [NC]
-          RewriteRule /(.*)           ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
-
-          ProxyPass /        http://localhost:${env.listenPort}/
-          ProxyPassReverse / http://localhost:${env.listenPort}/
-
-          ProxyPreserveHost On
-          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
-      '' ];
-    };
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/default.nix b/nixops/modules/websites/tools/tools/default.nix
deleted file mode 100644
index 642755f..0000000
--- a/nixops/modules/websites/tools/tools/default.nix
+++ /dev/null
@@ -1,298 +0,0 @@
-{ lib, pkgs, config, myconfig,  ... }:
-let
-    adminer = pkgs.callPackage ../../commons/adminer.nix {};
-    ympd = pkgs.callPackage ./ympd.nix {
-      env = myconfig.env.tools.ympd;
-    };
-    ttrss = pkgs.callPackage ./ttrss.nix {
-      inherit (pkgs.webapps) ttrss ttrss-plugins;
-      env = myconfig.env.tools.ttrss;
-    };
-    roundcubemail = pkgs.callPackage ./roundcubemail.nix {
-      inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
-      env = myconfig.env.tools.roundcubemail;
-    };
-    rainloop = pkgs.callPackage ./rainloop.nix  {};
-    kanboard = pkgs.callPackage ./kanboard.nix  {
-      env = myconfig.env.tools.kanboard;
-    };
-    wallabag = pkgs.callPackage ./wallabag.nix {
-      inherit (pkgs.webapps) wallabag;
-      env = myconfig.env.tools.wallabag;
-    };
-    yourls = pkgs.callPackage ./yourls.nix {
-      inherit (pkgs.webapps) yourls yourls-plugins;
-      env = myconfig.env.tools.yourls;
-    };
-    rompr = pkgs.callPackage ./rompr.nix {
-      inherit (pkgs.webapps) rompr;
-      env = myconfig.env.tools.rompr;
-    };
-    shaarli = pkgs.callPackage ./shaarli.nix {
-      env = myconfig.env.tools.shaarli;
-    };
-    dokuwiki = pkgs.callPackage ./dokuwiki.nix {
-      inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
-    };
-    ldap = pkgs.callPackage ./ldap.nix {
-      inherit (pkgs.webapps) phpldapadmin;
-      env = myconfig.env.tools.phpldapadmin;
-    };
-
-    cfg = config.services.myWebsites.tools.tools;
-in {
-  options.services.myWebsites.tools.tools = {
-    enable = lib.mkEnableOption "enable tools website";
-  };
-
-  config = lib.mkIf cfg.enable {
-    secrets.keys =
-      kanboard.keys
-      ++ ldap.keys
-      ++ roundcubemail.keys
-      ++ shaarli.keys
-      ++ ttrss.keys
-      ++ wallabag.keys
-      ++ yourls.keys;
-
-    services.websites.integration.modules =
-      rainloop.apache.modules;
-
-    services.websites.tools.modules =
-      [ "proxy_fcgi" ]
-      ++ adminer.apache.modules
-      ++ ympd.apache.modules
-      ++ ttrss.apache.modules
-      ++ roundcubemail.apache.modules
-      ++ wallabag.apache.modules
-      ++ yourls.apache.modules
-      ++ rompr.apache.modules
-      ++ shaarli.apache.modules
-      ++ dokuwiki.apache.modules
-      ++ ldap.apache.modules
-      ++ kanboard.apache.modules;
-
-    services.websites.integration.vhostConfs.devtools = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["devtools.immae.eu" ];
-      root        = "/var/lib/ftp/devtools.immae.eu";
-      extraConfig = [
-        ''
-          <Directory "/var/lib/ftp/devtools.immae.eu">
-            DirectoryIndex index.php index.htm index.html
-            AllowOverride all
-            Require all granted
-            <FilesMatch "\.php$">
-              SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost"
-            </FilesMatch>
-          </Directory>
-          ''
-        rainloop.apache.vhostConf
-      ];
-    };
-
-    services.websites.tools.vhostConfs.tools = {
-      certName    = "eldiron";
-      addToCerts  = true;
-      hosts       = ["tools.immae.eu" ];
-      root        = "/var/lib/ftp/tools.immae.eu";
-      extraConfig = [
-        ''
-          <Directory "/var/lib/ftp/tools.immae.eu">
-            DirectoryIndex index.php index.htm index.html
-            AllowOverride all
-            Require all granted
-            <FilesMatch "\.php$">
-              SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost"
-            </FilesMatch>
-          </Directory>
-          ''
-        adminer.apache.vhostConf
-        ympd.apache.vhostConf
-        ttrss.apache.vhostConf
-        roundcubemail.apache.vhostConf
-        wallabag.apache.vhostConf
-        yourls.apache.vhostConf
-        rompr.apache.vhostConf
-        shaarli.apache.vhostConf
-        dokuwiki.apache.vhostConf
-        ldap.apache.vhostConf
-        kanboard.apache.vhostConf
-      ];
-    };
-
-    services.websites.tools.vhostConfs.outils = {
-      certName   = "eldiron";
-      addToCerts = true;
-      hosts      = [ "outils.immae.eu" ];
-      root       = null;
-      extraConfig = [
-        ''
-        RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1
-
-        RedirectMatch 301 ^/ether(.*)$       https://ether.immae.eu$1
-
-        RedirectMatch 301 ^/nextcloud(.*)$   https://cloud.immae.eu$1
-        RedirectMatch 301 ^/owncloud(.*)$    https://cloud.immae.eu$1
-
-        RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
-        RedirectMatch 301 ^/caldavzap(.*)$   https://dav.immae.eu/infcloud$1
-        RedirectMatch 301 ^/caldav.php(.*)$  https://dav.immae.eu/caldav.php$1
-        RedirectMatch 301 ^/davical(.*)$     https://dav.immae.eu/davical$1
-
-        RedirectMatch 301 ^/taskweb(.*)$     https://task.immae.eu/taskweb$1
-
-        RedirectMatch 301 ^/(.*)$            https://tools.immae.eu/$1
-        ''
-      ];
-    };
-
-    systemd.services = {
-      phpfpm-dokuwiki = {
-        after = lib.mkAfter dokuwiki.phpFpm.serviceDeps;
-        wants = dokuwiki.phpFpm.serviceDeps;
-      };
-      phpfpm-kanboard = {
-        after = lib.mkAfter kanboard.phpFpm.serviceDeps;
-        wants = kanboard.phpFpm.serviceDeps;
-      };
-      phpfpm-ldap = {
-        after = lib.mkAfter ldap.phpFpm.serviceDeps;
-        wants = ldap.phpFpm.serviceDeps;
-      };
-      phpfpm-rainloop = {
-        after = lib.mkAfter rainloop.phpFpm.serviceDeps;
-        wants = rainloop.phpFpm.serviceDeps;
-      };
-      phpfpm-roundcubemail = {
-        after = lib.mkAfter roundcubemail.phpFpm.serviceDeps;
-        wants = roundcubemail.phpFpm.serviceDeps;
-      };
-      phpfpm-shaarli = {
-        after = lib.mkAfter shaarli.phpFpm.serviceDeps;
-        wants = shaarli.phpFpm.serviceDeps;
-      };
-      phpfpm-ttrss = {
-        after = lib.mkAfter ttrss.phpFpm.serviceDeps;
-        wants = ttrss.phpFpm.serviceDeps;
-      };
-      phpfpm-wallabag = {
-        after = lib.mkAfter wallabag.phpFpm.serviceDeps;
-        wants = wallabag.phpFpm.serviceDeps;
-        preStart = lib.mkAfter wallabag.phpFpm.preStart;
-      };
-      phpfpm-yourls = {
-        after = lib.mkAfter yourls.phpFpm.serviceDeps;
-        wants = yourls.phpFpm.serviceDeps;
-      };
-      ympd = {
-        description = "Standalone MPD Web GUI written in C";
-        wantedBy = [ "multi-user.target" ];
-        script = ''
-          export MPD_PASSWORD=$(cat /var/secrets/mpd)
-          ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
-          '';
-      };
-      tt-rss = {
-        description = "Tiny Tiny RSS feeds update daemon";
-        serviceConfig = {
-          User = "wwwrun";
-          ExecStart = "${pkgs.php}/bin/php ${ttrss.webRoot}/update.php --daemon";
-          StandardOutput = "syslog";
-          StandardError = "syslog";
-          PermissionsStartOnly = true;
-        };
-
-        wantedBy = [ "multi-user.target" ];
-        requires = ["postgresql.service"];
-        after = ["network.target" "postgresql.service"];
-      };
-    };
-
-    services.phpfpm.pools.roundcubemail = {
-      listen = roundcubemail.phpFpm.socket;
-      extraConfig = roundcubemail.phpFpm.pool;
-      phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig;
-    };
-
-    services.phpfpm.pools.devtools = {
-      listen = "/var/run/phpfpm/devtools.sock";
-      extraConfig = ''
-        user = wwwrun
-        group = wwwrun
-        listen.owner = wwwrun
-        listen.group = wwwrun
-        pm = dynamic
-        pm.max_children = 60
-        pm.start_servers = 2
-        pm.min_spare_servers = 1
-        pm.max_spare_servers = 10
-
-        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"
-        '';
-      phpOptions = config.services.phpfpm.phpOptions + ''
-        extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
-        extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
-        '';
-    };
-
-    services.phpfpm.poolConfigs = {
-      adminer = adminer.phpFpm.pool;
-      ttrss = ttrss.phpFpm.pool;
-      wallabag = wallabag.phpFpm.pool;
-      yourls = yourls.phpFpm.pool;
-      rompr = rompr.phpFpm.pool;
-      shaarli = shaarli.phpFpm.pool;
-      dokuwiki = dokuwiki.phpFpm.pool;
-      ldap = ldap.phpFpm.pool;
-      rainloop = rainloop.phpFpm.pool;
-      kanboard = kanboard.phpFpm.pool;
-      tools = ''
-        listen = /var/run/phpfpm/tools.sock
-        user = wwwrun
-        group = wwwrun
-        listen.owner = wwwrun
-        listen.group = wwwrun
-        pm = dynamic
-        pm.max_children = 60
-        pm.start_servers = 2
-        pm.min_spare_servers = 1
-        pm.max_spare_servers = 10
-
-        ; Needed to avoid clashes in browser cookies (same domain)
-        php_value[session.name] = ToolsPHPSESSID
-        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"
-        '';
-    };
-
-    system.activationScripts = {
-      ttrss = ttrss.activationScript;
-      roundcubemail = roundcubemail.activationScript;
-      wallabag = wallabag.activationScript;
-      yourls = yourls.activationScript;
-      rompr = rompr.activationScript;
-      shaarli = shaarli.activationScript;
-      dokuwiki = dokuwiki.activationScript;
-      rainloop = rainloop.activationScript;
-      kanboard = kanboard.activationScript;
-    };
-
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${dokuwiki.webRoot} $out/webapps/${dokuwiki.apache.webappName}
-      ln -s ${ldap.webRoot}/htdocs $out/webapps/${ldap.apache.webappName}
-      ln -s ${rompr.webRoot} $out/webapps/${rompr.apache.webappName}
-      ln -s ${roundcubemail.webRoot} $out/webapps/${roundcubemail.apache.webappName}
-      ln -s ${shaarli.webRoot} $out/webapps/${shaarli.apache.webappName}
-      ln -s ${ttrss.webRoot} $out/webapps/${ttrss.apache.webappName}
-      ln -s ${wallabag.webRoot} $out/webapps/${wallabag.apache.webappName}
-      ln -s ${yourls.webRoot} $out/webapps/${yourls.apache.webappName}
-      ln -s ${rainloop.webRoot} $out/webapps/${rainloop.apache.webappName}
-      ln -s ${kanboard.webRoot} $out/webapps/${kanboard.apache.webappName}
-      '';
-
-  };
-}
-
diff --git a/nixops/modules/websites/tools/tools/dokuwiki.nix b/nixops/modules/websites/tools/tools/dokuwiki.nix
deleted file mode 100644
index c61d15f..0000000
--- a/nixops/modules/websites/tools/tools/dokuwiki.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ lib, stdenv, dokuwiki, dokuwiki-plugins }:
-rec {
-  varDir = "/var/lib/dokuwiki";
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-      if [ ! -d ${varDir} ]; then
-        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-          ${varDir}/animals
-        cp -a ${webRoot}/conf.dist ${varDir}/conf
-        cp -a ${webRoot}/data.dist ${varDir}/data
-        cp -a ${webRoot}/
-        chown -R ${apache.user}:${apache.user} ${varDir}/config ${varDir}/data
-        chmod -R 755 ${varDir}/config ${varDir}/data
-      fi
-      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-    '';
-  };
-  webRoot = dokuwiki.withPlugins (builtins.attrValues dokuwiki-plugins);
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_dokuwiki";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /dokuwiki "${root}"
-      <Directory "${root}">
-        DirectoryIndex index.php
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        AllowOverride All
-        Options +FollowSymlinks
-        Require all granted
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" (
-      [ webRoot varDir ] ++ webRoot.plugins);
-    socket = "/var/run/phpfpm/dokuwiki.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = DokuwikiPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/nixops/modules/websites/tools/tools/kanboard.nix
deleted file mode 100644
index 68f92b8..0000000
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{ env, kanboard }:
-rec {
-  varDir = "/var/lib/kanboard";
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
-      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-      install -TDm644 ${webRoot}/dataold/.htaccess ${varDir}/data/.htaccess
-      install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
-    '';
-  };
-  keys = [{
-    dest = "webapps/tools-kanboard";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-      define('MAIL_FROM', 'kanboard@tools.immae.eu');
-
-      define('DB_DRIVER', 'postgres');
-      define('DB_USERNAME', '${env.postgresql.user}');
-      define('DB_PASSWORD', '${env.postgresql.password}');
-      define('DB_HOSTNAME', '${env.postgresql.socket}');
-      define('DB_NAME', '${env.postgresql.database}');
-
-      define('DATA_DIR', '${varDir}');
-      define('LDAP_AUTH', true);
-      define('LDAP_SERVER', '${env.ldap.host}');
-      define('LDAP_START_TLS', true);
-
-      define('LDAP_BIND_TYPE', 'proxy');
-      define('LDAP_USERNAME', '${env.ldap.dn}');
-      define('LDAP_PASSWORD', '${env.ldap.password}');
-      define('LDAP_USER_BASE_DN', '${env.ldap.base}');
-      define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
-      define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
-      ?>
-      '';
-  }];
-  webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_kanboard";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    Alias /kanboard "${root}"
-    <Directory "${root}">
-      DirectoryIndex index.php
-      AllowOverride All
-      Options FollowSymlinks
-      Require all granted
-
-      <FilesMatch "\.php$">
-        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-      </FilesMatch>
-    </Directory>
-    <DirectoryMatch "${root}/data">
-      Require all denied
-    </DirectoryMatch>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "postgresql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
-    socket = "/var/run/phpfpm/kanboard.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = KanboardPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/nixops/modules/websites/tools/tools/ldap.nix
deleted file mode 100644
index 8ee39f6..0000000
--- a/nixops/modules/websites/tools/tools/ldap.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-{ lib, php, env, writeText, phpldapadmin }:
-rec {
-  keys = [{
-    dest = "webapps/tools-ldap";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-      $config->custom->appearance['show_clear_password'] = true;
-      $config->custom->appearance['hide_template_warning'] = true;
-      $config->custom->appearance['theme'] = "tango";
-      $config->custom->appearance['minimalMode'] = true;
-
-      $servers = new Datastore();
-
-      $servers->newServer('ldap_pla');
-      $servers->setValue('server','name','Immae&#x2019;s LDAP');
-      $servers->setValue('server','host','ldaps://${env.ldap.host}');
-      $servers->setValue('login','auth_type','cookie');
-      $servers->setValue('login','bind_id','${env.ldap.dn}');
-      $servers->setValue('login','bind_pass','${env.ldap.password}');
-      $servers->setValue('appearance','password_hash','ssha');
-      $servers->setValue('login','attr','uid');
-      $servers->setValue('login','fallback_dn',true);
-      '';
-  }];
-  webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_ldap";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /ldap "${root}"
-      <Directory "${root}">
-        DirectoryIndex index.php
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        AllowOverride None
-        Require all granted
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
-    socket = "/var/run/phpfpm/ldap.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = LdapPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
-      php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/rainloop.nix b/nixops/modules/websites/tools/tools/rainloop.nix
deleted file mode 100644
index dbf0f24..0000000
--- a/nixops/modules/websites/tools/tools/rainloop.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ lib, pkgs, writeText, stdenv, fetchurl }:
-rec {
-  varDir = "/var/lib/rainloop";
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
-      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
-    '';
-  };
-  webRoot = pkgs.rainloop-community.override { dataPath = "${varDir}/data"; };
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_rainloop";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    Alias /rainloop "${root}"
-    <Directory "${root}">
-      DirectoryIndex index.php
-      AllowOverride All
-      Options -FollowSymlinks
-      Require all granted
-
-      <FilesMatch "\.php$">
-        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-      </FilesMatch>
-    </Directory>
-
-    <DirectoryMatch "${root}/data">
-      Require all denied
-    </DirectoryMatch>
-    '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "postgresql.service" ];
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-    socket = "/var/run/phpfpm/rainloop.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = RainloopPHPSESSID
-      php_admin_value[upload_max_filesize] = 200M
-      php_admin_value[post_max_size] = 200M
-      php_admin_value[open_basedir] = "${basedir}:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/rompr.nix b/nixops/modules/websites/tools/tools/rompr.nix
deleted file mode 100644
index fea59fc..0000000
--- a/nixops/modules/websites/tools/tools/rompr.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ lib, env, rompr }:
-rec {
-  varDir = "/var/lib/rompr";
-  activationScript = ''
-    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-      ${varDir}/prefs ${varDir}/albumart ${varDir}/phpSessions
-  '';
-  webRoot = rompr;
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "headers" "mime" "proxy_fcgi" ];
-    webappName = "tools_rompr";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /rompr ${root}
-
-      <Directory ${root}>
-        Options Indexes FollowSymLinks
-        DirectoryIndex index.php
-        AllowOverride all
-        Require all granted
-        Order allow,deny
-        Allow from all
-        ErrorDocument 404 /rompr/404.php
-        AddType image/x-icon .ico
-
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-      </Directory>
-
-      <Directory ${root}/albumart/small>
-          Header Set Cache-Control "max-age=0, no-store"
-          Header Set Cache-Control "no-cache, must-revalidate"
-      </Directory>
-
-      <Directory ${root}/albumart/asdownloaded>
-          Header Set Cache-Control "max-age=0, no-store"
-          Header Set Cache-Control "no-cache, must-revalidate"
-      </Directory>
-
-      <LocationMatch "^/rompr">
-        Use LDAPConnect
-        Require ldap-group   cn=users,cn=mpd,ou=services,dc=immae,dc=eu
-      </LocationMatch>
-      '';
-  };
-  phpFpm = rec {
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-    socket = "/var/run/phpfpm/rompr.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = RomprPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      php_flag[magic_quotes_gpc] = Off
-      php_flag[track_vars] = On
-      php_flag[register_globals] = Off
-      php_admin_flag[allow_url_fopen] = On
-      php_value[include_path] = ${webRoot}
-      php_admin_value[upload_tmp_dir] = "${varDir}/prefs"
-      php_admin_value[post_max_size] = 32M
-      php_admin_value[upload_max_filesize] = 32M
-      php_admin_value[memory_limit] = 256M
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/nixops/modules/websites/tools/tools/roundcubemail.nix
deleted file mode 100644
index 8974d1b..0000000
--- a/nixops/modules/websites/tools/tools/roundcubemail.nix
+++ /dev/null
@@ -1,121 +0,0 @@
-{ env, roundcubemail, roundcubemail-plugins, roundcubemail-skins, phpPackages, apacheHttpd }:
-rec {
-  varDir = "/var/lib/roundcubemail";
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-        ${varDir}/cache ${varDir}/logs
-      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-    '';
-  };
-  keys = [{
-    dest = "webapps/tools-roundcube";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-        $config['db_dsnw'] = '${env.psql_url}';
-        $config['default_host'] = 'ssl://mail.immae.eu';
-        $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
-        $config['smtp_server'] = 'tls://mail.immae.eu';
-        $config['smtp_port'] = '25';
-        $config['managesieve_host'] = 'mail.immae.eu';
-        $config['managesieve_port'] = '4190';
-        $config['managesieve_usetls'] = true;
-        $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
-
-        $config['imap_cache'] = 'db';
-        $config['messages_cache'] = 'db';
-
-        $config['support_url'] = ''';
-
-        $config['des_key'] = '${env.secret}';
-
-        $config['skin'] = 'elastic';
-        $config['plugins'] = array(
-          'attachment_reminder',
-          'emoticons',
-          'filesystem_attachments',
-          'hide_blockquote',
-          'identicon',
-          'identity_select',
-          'jqueryui',
-          'managesieve',
-          'newmail_notifier',
-          'vcard_attachments',
-          'zipdownload',
-
-          'automatic_addressbook',
-          'message_highlight',
-          'carddav',
-          // Ne marche pas ?: 'ident_switch',
-          // Ne marche pas ?: 'thunderbird_labels',
-        );
-
-        $config['language'] = 'fr_FR';
-
-        $config['drafts_mbox'] = 'Mail/Drafts';
-        $config['junk_mbox'] = 'Mail/Spam';
-        $config['sent_mbox'] = 'Mail/sent';
-        $config['trash_mbox'] = ''';
-        $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
-        $config['draft_autosave'] = 60;
-        $config['enable_installer'] = false;
-        $config['log_driver'] = 'file';
-        $config['temp_dir'] = '${varDir}/cache';
-        $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
-    '';
-  }];
-  webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins
-    (builtins.attrValues roundcubemail-plugins) (builtins.attrValues roundcubemail-skins);
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_roundcubemail";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-    Alias /roundcube "${root}"
-    <Directory "${root}">
-        DirectoryIndex index.php
-        AllowOverride All
-        Options FollowSymlinks
-        Require all granted
-
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "postgresql.service" ];
-    basedir = builtins.concatStringsSep ":" (
-      [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
-      ++ webRoot.plugins
-      ++ webRoot.skins);
-    phpConfig = ''
-      date.timezone = 'CET'
-      extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
-      '';
-    socket = "/var/run/phpfpm/roundcubemail.sock";
-    pool = ''
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = RoundcubemailPHPSESSID
-      php_admin_value[upload_max_filesize] = 200M
-      php_admin_value[post_max_size] = 200M
-      php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/nixops/modules/websites/tools/tools/shaarli.nix
deleted file mode 100644
index 2e89a47..0000000
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ lib, env, stdenv, fetchurl, shaarli }:
-let
-  varDir = "/var/lib/shaarli";
-in rec {
-  activationScript = ''
-    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-      ${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
-      ${varDir}/phpSessions
-    '';
-  webRoot = shaarli varDir;
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules =  [ "proxy_fcgi" "rewrite" "env" ];
-    webappName = "tools_shaarli";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /Shaarli "${root}"
-
-      Include /var/secrets/webapps/tools-shaarli
-      <Directory "${root}">
-        DirectoryIndex index.php index.htm index.html
-        Options Indexes FollowSymLinks MultiViews Includes
-        AllowOverride All
-        Require all granted
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-      </Directory>
-      '';
-  };
-  keys = [{
-    dest = "webapps/tools-shaarli";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
-      SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
-      SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
-      SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
-      SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
-      '';
-  }];
-  phpFpm = rec {
-    serviceDeps = [ "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-    socket = "/var/run/phpfpm/shaarli.sock";
-    pool = ''
-        listen = ${socket}
-        user = ${apache.user}
-        group = ${apache.group}
-        listen.owner = ${apache.user}
-        listen.group = ${apache.group}
-        pm = ondemand
-        pm.max_children = 60
-        pm.process_idle_timeout = 60
-
-        ; Needed to avoid clashes in browser cookies (same domain)
-        php_value[session.name] = ShaarliPHPSESSID
-        php_admin_value[open_basedir] = "${basedir}:/tmp"
-        php_admin_value[session.save_path] = "${varDir}/phpSessions"
-    '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/nixops/modules/websites/tools/tools/ttrss.nix
deleted file mode 100644
index 05c8cab..0000000
--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ /dev/null
@@ -1,131 +0,0 @@
-{ php, env, ttrss, ttrss-plugins }:
-rec {
-  varDir = "/var/lib/ttrss";
-  activationScript = {
-    deps = [ "wrappers" ];
-    text = ''
-      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-        ${varDir}/lock ${varDir}/cache ${varDir}/feed-icons
-      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/cache/export/ \
-        ${varDir}/cache/feeds/ \
-        ${varDir}/cache/images/ \
-        ${varDir}/cache/js/ \
-        ${varDir}/cache/simplepie/ \
-        ${varDir}/cache/upload/
-      touch ${varDir}/feed-icons/index.html
-      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
-    '';
-  };
-  keys = [{
-    dest = "webapps/tools-ttrss";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-
-        define('PHP_EXECUTABLE', '${php}/bin/php');
-
-        define('LOCK_DIRECTORY', 'lock');
-        define('CACHE_DIR', 'cache');
-        define('ICONS_DIR', 'feed-icons');
-        define('ICONS_URL', 'feed-icons');
-        define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
-
-        define('MYSQL_CHARSET', 'UTF8');
-
-        define('DB_TYPE', 'pgsql');
-        define('DB_HOST', '${env.postgresql.socket}');
-        define('DB_USER', '${env.postgresql.user}');
-        define('DB_NAME', '${env.postgresql.database}');
-        define('DB_PASS', '${env.postgresql.password}');
-        define('DB_PORT', '${env.postgresql.port}');
-
-        define('AUTH_AUTO_CREATE', true);
-        define('AUTH_AUTO_LOGIN', true);
-
-        define('SINGLE_USER_MODE', false);
-
-        define('SIMPLE_UPDATE_MODE', false);
-        define('CHECK_FOR_UPDATES', true);
-
-        define('FORCE_ARTICLE_PURGE', 0);
-        define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
-        define('ENABLE_GZIP_OUTPUT', false);
-
-        define('PLUGINS', 'auth_ldap, note, instances');
-
-        define('LOG_DESTINATION', ''');
-        define('CONFIG_VERSION', 26);
-
-
-        define('SPHINX_SERVER', 'localhost:9312');
-        define('SPHINX_INDEX', 'ttrss, delta');
-
-        define('ENABLE_REGISTRATION', false);
-        define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu');
-        define('REG_MAX_USERS', 10);
-
-        define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
-        define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
-        define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
-
-        define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
-        define('LDAP_AUTH_USETLS', TRUE);
-        define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
-        define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
-        define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
-        define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
-
-        define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
-        define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
-        define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
-
-        define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
-        define('LDAP_AUTH_DEBUG', FALSE);
-      '';
-  }];
-  webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (builtins.attrValues ttrss-plugins);
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_ttrss";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /ttrss "${root}"
-      <Directory "${root}">
-        DirectoryIndex index.php
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        AllowOverride All
-        Options FollowSymlinks
-        Require all granted
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "postgresql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" (
-      [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
-      ++ webRoot.plugins);
-    socket = "/var/run/phpfpm/ttrss.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = TtrssPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp"
-      php_admin_value[session.save_path] = "${varDir}/phpSessions"
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/nixops/modules/websites/tools/tools/wallabag.nix
deleted file mode 100644
index d6e5882..0000000
--- a/nixops/modules/websites/tools/tools/wallabag.nix
+++ /dev/null
@@ -1,148 +0,0 @@
-{ env, wallabag }:
-rec {
-  varDir = "/var/lib/wallabag";
-  keys = [{
-    dest = "webapps/tools-wallabag";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      # This file is auto-generated during the composer install
-      parameters:
-          database_driver: pdo_pgsql
-          database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
-          database_host: ${env.postgresql.socket}
-          database_port: ${env.postgresql.port}
-          database_name: ${env.postgresql.database}
-          database_user: ${env.postgresql.user}
-          database_password: ${env.postgresql.password}
-          database_path: null
-          database_table_prefix: wallabag_
-          database_socket: null
-          database_charset: utf8
-          domain_name: https://tools.immae.eu/wallabag
-          mailer_transport: sendmail
-          mailer_host: 127.0.0.1
-          mailer_user: null
-          mailer_password: null
-          locale: fr
-          secret: ${env.secret}
-          twofactor_auth: true
-          twofactor_sender: wallabag@tools.immae.eu
-          fosuser_registration: false
-          fosuser_confirmation: true
-          from_email: wallabag@tools.immae.eu
-          rss_limit: 50
-          rabbitmq_host: localhost
-          rabbitmq_port: 5672
-          rabbitmq_user: guest
-          rabbitmq_password: guest
-          rabbitmq_prefetch_count: 10
-          redis_scheme: unix
-          redis_host: null
-          redis_port: null
-          redis_path: ${env.redis.socket}
-          redis_password: null
-          sites_credentials: {  }
-          ldap_enabled: true
-          ldap_host: ldap.immae.eu
-          ldap_port: 636
-          ldap_tls: false
-          ldap_ssl: true
-          ldap_bind_requires_dn: true
-          ldap_base: 'dc=immae,dc=eu'
-          ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
-          ldap_manager_pw: ${env.ldap.password}
-          ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
-          ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
-          ldap_username_attribute: uid
-          ldap_email_attribute: mail
-          ldap_name_attribute: cn
-          ldap_enabled_attribute: null
-      services:
-          swiftmailer.mailer.default.transport:
-              class:     Swift_SendmailTransport
-              arguments: ['/run/wrappers/bin/sendmail -bs']
-      '';
-  }];
-  webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
-  activationScript = ''
-    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
-      ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
-    '';
-  webRoot = "${webappDir}/web";
-  # Domain migration: Table wallabag_entry contains whole
-  # https://tools.immae.eu/wallabag domain name in preview_picture
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_wallabag";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /wallabag "${root}"
-      <Directory "${root}">
-        AllowOverride None
-        Require all granted
-        # For OAuth (apps)
-        CGIPassAuth On
-
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        <IfModule mod_rewrite.c>
-          Options -MultiViews
-          RewriteEngine On
-          RewriteCond %{REQUEST_FILENAME} !-f
-          RewriteRule ^(.*)$ app.php [QSA,L]
-        </IfModule>
-      </Directory>
-      <Directory "${root}/bundles">
-        <IfModule mod_rewrite.c>
-          RewriteEngine Off
-        </IfModule>
-      </Directory>
-      <Directory "${varDir}/assets">
-        AllowOverride None
-        Require all granted
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    preStart = ''
-      if [ ! -f "${varDir}/currentWebappDir" -o \
-          ! -f "${varDir}/currentKey" -o \
-          "${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ] \
-          || ! sha512sum -c --status ${varDir}/currentKey; then
-        pushd ${webappDir} > /dev/null
-        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod cache:clear
-        rm -rf /var/lib/wallabag/var/cache/pro_
-        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
-        popd > /dev/null
-        echo -n "${webappDir}" > ${varDir}/currentWebappDir
-        sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
-      fi
-      '';
-    serviceDeps = [ "postgresql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
-    socket = "/var/run/phpfpm/wallabag.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = dynamic
-      pm.max_children = 60
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 10
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = WallabagPHPSESSID
-      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp"
-      php_value[max_execution_time] = 300
-      '';
-  };
-}
diff --git a/nixops/modules/websites/tools/tools/ympd.nix b/nixops/modules/websites/tools/tools/ympd.nix
deleted file mode 100644
index b54c486..0000000
--- a/nixops/modules/websites/tools/tools/ympd.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ env }:
-let
-  ympd = rec {
-    config = {
-      webPort = "localhost:${env.listenPort}";
-      host = env.mpd.host;
-      port = env.mpd.port;
-    };
-    apache = {
-      modules = [
-        "proxy_wstunnel"
-        ];
-      vhostConf = ''
-        <LocationMatch "^/mpd(?!/music.(mp3|ogg))">
-          Use LDAPConnect
-          Require ldap-group   cn=users,cn=mpd,ou=services,dc=immae,dc=eu
-        </LocationMatch>
-
-        RedirectMatch permanent "^/mpd$" "/mpd/"
-        <Location "/mpd/">
-          ProxyPass http://${config.webPort}/
-          ProxyPassReverse http://${config.webPort}/
-          ProxyPreserveHost on
-        </Location>
-        <Location "/mpd/ws">
-          ProxyPass ws://${config.webPort}/ws
-        </Location>
-        <Location "/mpd/music.mp3">
-          ProxyPass unix:///run/mpd/mp3.sock|http://tools.immae.eu/
-          ProxyPassReverse unix:///run/mpd/mp3.sock|http://tools.immae.eu/
-        </Location>
-        <Location "/mpd/music.ogg">
-          ProxyPass unix:///run/mpd/ogg.sock|http://tools.immae.eu/
-          ProxyPassReverse unix:///run/mpd/ogg.sock|http://tools.immae.eu/
-        </Location>
-      '';
-    };
-  };
-in
-  ympd
diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/nixops/modules/websites/tools/tools/yourls.nix
deleted file mode 100644
index df1b3a2..0000000
--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ /dev/null
@@ -1,90 +0,0 @@
-{ env, yourls, yourls-plugins }:
-rec {
-  activationScript = ''
-    install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
-  '';
-  keys = [{
-    dest = "webapps/tools-yourls";
-    user = apache.user;
-    group = apache.group;
-    permissions = "0400";
-    text = ''
-      <?php
-      define( 'YOURLS_DB_USER', '${env.mysql.user}' );
-      define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
-      define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
-      define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
-      define( 'YOURLS_DB_PREFIX', 'yourls_' );
-      define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
-      define( 'YOURLS_HOURS_OFFSET', 0 ); 
-      define( 'YOURLS_LANG', ''' ); 
-      define( 'YOURLS_UNIQUE_URLS', true );
-      define( 'YOURLS_PRIVATE', true );
-      define( 'YOURLS_COOKIEKEY', '${env.cookieKey}' );
-      $yourls_user_passwords = array();
-      define( 'YOURLS_DEBUG', false );
-      define( 'YOURLS_URL_CONVERT', 36 );
-      $yourls_reserved_URL = array();
-      define( 'LDAPAUTH_HOST', 'ldaps://ldap.immae.eu' );
-      define( 'LDAPAUTH_PORT', '636' );
-      define( 'LDAPAUTH_BASE', 'dc=immae,dc=eu' );
-      define( 'LDAPAUTH_SEARCH_USER', 'cn=yourls,ou=services,dc=immae,dc=eu' );
-      define( 'LDAPAUTH_SEARCH_PASS', '${env.ldap.password}' );
-
-      define( 'LDAPAUTH_GROUP_ATTR', 'memberof' );
-      define( 'LDAPAUTH_GROUP_REQ', 'cn=admin,cn=yourls,ou=services,dc=immae,dc=eu');
-
-      define( 'LDAPAUTH_USERCACHE_TYPE', 0);
-    '';
-  }];
-  webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins
-    (builtins.attrValues yourls-plugins);
-  apache = rec {
-    user = "wwwrun";
-    group = "wwwrun";
-    modules = [ "proxy_fcgi" ];
-    webappName = "tools_yourls";
-    root = "/run/current-system/webapps/${webappName}";
-    vhostConf = ''
-      Alias /url "${root}"
-      <Directory "${root}">
-        <FilesMatch "\.php$">
-          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
-        </FilesMatch>
-
-        AllowOverride None
-        Require all granted
-        <IfModule mod_rewrite.c>
-          RewriteEngine On
-          RewriteBase /url/
-          RewriteCond %{REQUEST_FILENAME} !-f
-          RewriteCond %{REQUEST_FILENAME} !-d
-          RewriteRule ^.*$ /url/yourls-loader.php [L]
-        </IfModule>
-        DirectoryIndex index.php
-      </Directory>
-      '';
-  };
-  phpFpm = rec {
-    serviceDeps = [ "mysql.service" "openldap.service" ];
-    basedir = builtins.concatStringsSep ":" (
-      [ webRoot "/var/secrets/webapps/tools-yourls" ]
-      ++ webRoot.plugins);
-    socket = "/var/run/phpfpm/yourls.sock";
-    pool = ''
-      listen = ${socket}
-      user = ${apache.user}
-      group = ${apache.group}
-      listen.owner = ${apache.user}
-      listen.group = ${apache.group}
-      pm = ondemand
-      pm.max_children = 60
-      pm.process_idle_timeout = 60
-
-      ; Needed to avoid clashes in browser cookies (same domain)
-      php_value[session.name] = YourlsPHPSESSID
-      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls"
-      php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls"
-      '';
-  };
-}