Refactor websites.

This commit refactors websites into module per "vhost".

42 files changed, 3021 insertions, 88 deletions

diff --git a/virtual/modules/databases.nix b/virtual/modules/databases/default.nix
index de4ace6..de4ace6 100644
--- a/virtual/modules/databases.nix
+++ b/virtual/modules/databases/default.nix
diff --git a/virtual/modules/postgresql_run_socket_path.patch b/virtual/modules/databases/postgresql_run_socket_path.patch
index b558c7b..b558c7b 100644
--- a/virtual/modules/postgresql_run_socket_path.patch
+++ b/virtual/modules/databases/postgresql_run_socket_path.patch
diff --git a/virtual/modules/gitolite.nix b/virtual/modules/gitolite/default.nix
index d6b9c79..78691fa 100644
--- a/virtual/modules/gitolite.nix
+++ b/virtual/modules/gitolite/default.nix
@@ -24,6 +24,8 @@ in {
       });
     };
 
+    networking.firewall.allowedTCPPorts = [ 9418 ];
+
     services.gitDaemon = {
       enable = true;
       user = "gitolite";
@@ -36,7 +38,7 @@ in {
       let
       gitolite_ldap_groups = mylibs.wrap {
         name = "gitolite_ldap_groups.sh";
-        file = ./gitolite/gitolite_ldap_groups.sh;
+        file = ./gitolite_ldap_groups.sh;
         vars = {
           LDAP_PASS = builtins.getEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
         };
diff --git a/virtual/modules/gitweb/default.nix b/virtual/modules/gitweb/default.nix
deleted file mode 100644
index 2a860ba..0000000
--- a/virtual/modules/gitweb/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ lib, pkgs, config, mylibs, ... }:
-let
-    # FIXME: add buildbot
-    gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
-    cfg = config.services.myGitweb;
-in {
-  options.services.myGitweb = {
-    enable = lib.mkEnableOption "my gitweb service";
-  };
-
-  config = lib.mkIf cfg.enable {
-    security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
-
-    nixpkgs.config.packageOverrides = oldpkgs: rec {
-      gitweb = oldpkgs.gitweb.overrideAttrs(old: {
-        installPhase = old.installPhase + ''
-          cp -r ${./theme} $out/gitweb-theme;
-          '';
-      });
-    };
-
-    services.myWebsites.tools.modules = gitweb.apache.modules;
-    services.myWebsites.tools.vhostConfs.git = {
-      certName    = "eldiron";
-      hosts       = ["git.immae.eu" ];
-      root        = gitweb.webRoot;
-      extraConfig = [ gitweb.apache.vhostConf ];
-    };
-  };
-}
diff --git a/virtual/modules/websites/commons/adminer.nix b/virtual/modules/websites/commons/adminer.nix
new file mode 100644
index 0000000..7094e45
--- /dev/null
+++ b/virtual/modules/websites/commons/adminer.nix
@@ -0,0 +1,64 @@
+{ stdenv, fetchurl, nginx }:
+let
+  adminer = rec {
+    webRoot = stdenv.mkDerivation rec {
+      version = "4.7.0";
+      name = "adminer-${version}";
+      src = fetchurl {
+        url = "https://www.adminer.org/static/download/${version}/${name}.php";
+        sha256 = "1qq2g7rbfh2vrqfm3g0bz0qs057b049n0mhabnsbd1sgnpvnc5z7";
+      };
+      phases = "installPhase";
+      installPhase = ''
+        mkdir -p $out
+        cp $src $out/index.php
+      '';
+    };
+    phpFpm = rec {
+      socket = "/var/run/phpfpm/adminer.sock";
+      pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = ondemand
+        pm.max_children = 5
+        pm.process_idle_timeout = 60
+        ;php_admin_flag[log_errors] = on
+        ; Needed to avoid clashes in browser cookies (same domain)
+        php_value[session.name] = AdminerPHPSESSID
+        php_admin_value[open_basedir] = "${webRoot}:/tmp"
+        php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer"
+        '';
+    };
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      modules = [ "proxy_fcgi" ];
+      vhostConf = ''
+        Alias /adminer ${webRoot}
+        <Directory ${webRoot}>
+          DirectoryIndex index.php
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+          </FilesMatch>
+        </Directory>
+        '';
+    };
+    nginxConf = {
+      alias = webRoot;
+      index = "index.php";
+      extraConfig = ''
+        include ${nginx}/conf/fastcgi.conf;
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_param SCRIPT_FILENAME ${webRoot}/index.php;
+        fastcgi_pass unix:${phpFpm.socket};
+        fastcgi_index index.php;
+        fastcgi_intercept_errors on;
+        '';
+    };
+  };
+in
+  adminer
diff --git a/virtual/modules/websites/default.nix b/virtual/modules/websites/default.nix
index b027b81..6b31381 100644
--- a/virtual/modules/websites/default.nix
+++ b/virtual/modules/websites/default.nix
@@ -91,11 +91,18 @@ in
     ./aten
     ./piedsjaloux
     ./connexionswing
+    ./tools/db
+    ./tools/tools
+    ./tools/dav
+    ./tools/cloud
+    ./tools/git
     # built using:
     # sed -e "s/services\.httpd/services\.httpdProd/g" .nix-defexpr/channels/nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
     # And removed users / groups
     ./apache/httpd_prod.nix
     ./apache/httpd_inte.nix
+    # Adapted from base phpfpm
+    ./phpfpm
   ];
 
   options.services.myWebsites = {
@@ -155,6 +162,12 @@ in
       phpPackages = oldpkgs.php72Packages.override { inherit php; };
     };
 
+    services.myWebsites.tools.databases.enable = true;
+    services.myWebsites.tools.tools.enable = true;
+    services.myWebsites.tools.dav.enable = true;
+    services.myWebsites.tools.cloud.enable = true;
+    services.myWebsites.tools.git.enable = true;
+
     services.myWebsites.Chloe.production.enable = cfg.production.enable;
     services.myWebsites.Ludivine.production.enable = cfg.production.enable;
     services.myWebsites.Aten.production.enable = cfg.production.enable;
@@ -227,6 +240,28 @@ in
       };
     };
 
+    system.activationScripts = {
+      httpd = ''
+        install -d -m 0755 /var/lib/acme/acme-challenge
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
+        '';
+    };
+
+    services.myPhpfpm = {
+      phpPackage = pkgs.php;
+      phpOptions = ''
+        session.save_path = "/var/lib/php/sessions"
+        session.gc_maxlifetime = 60*60*24*15
+        session.cache_expire = 60*24*30
+        '';
+      extraConfig = ''
+        log_level = notice
+        '';
+    };
+
     # FIXME: logrotate
     # FIXME: ipv6
     services.httpdProd = makeService "production" config.services.myWebsites.production;
@@ -238,63 +273,7 @@ in
     services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
 
     services.httpd = makeService "tools" config.services.myWebsites.tools;
-    services.myWebsites.tools.modules =
-      mypkgs.adminer.apache.modules ++
-      mypkgs.nextcloud.apache.modules ++
-      mypkgs.ympd.apache.modules ++
-      mypkgs.mantisbt.apache.modules ++
-      mypkgs.ttrss.apache.modules ++
-      mypkgs.roundcubemail.apache.modules ++
-      pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
+    services.myWebsites.tools.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
     services.myWebsites.tools.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
-    # FIXME: move them all to separate modules
-    services.myWebsites.tools.vhostConfs.eldiron = {
-      certName    = "eldiron";
-      hosts       = ["eldiron.immae.eu" ];
-      root        = ../../www;
-      extraConfig = [ "DirectoryIndex index.htm" ];
-    };
-    services.myWebsites.tools.vhostConfs.db-1 = {
-      certName    = "eldiron";
-      hosts       = ["db-1.immae.eu" ];
-      root        = null;
-      extraConfig = [ mypkgs.adminer.apache.vhostConf ];
-    };
-    services.myWebsites.tools.vhostConfs.tools = {
-      certName    = "eldiron";
-      hosts       = ["tools.immae.eu" ];
-      root        = null;
-      extraConfig = [
-        mypkgs.adminer.apache.vhostConf
-        mypkgs.ympd.apache.vhostConf
-        mypkgs.ttrss.apache.vhostConf
-        mypkgs.roundcubemail.apache.vhostConf
-      ];
-    };
-    services.myWebsites.tools.vhostConfs.dav = {
-      certName    = "eldiron";
-      hosts       = ["dav.immae.eu" ];
-      root        = null;
-      extraConfig = [
-        mypkgs.infcloud.apache.vhostConf
-        mypkgs.davical.apache.vhostConf
-      ];
-    };
-    services.myWebsites.tools.vhostConfs.cloud = {
-      certName    = "eldiron";
-      hosts       = ["cloud.immae.eu" ];
-      root        = mypkgs.nextcloud.webRoot;
-      extraConfig = [
-        mypkgs.nextcloud.apache.vhostConf
-      ];
-    };
-    services.myWebsites.tools.vhostConfs.git.extraConfig = [
-      mypkgs.mantisbt.apache.vhostConf
-      ''
-        RewriteEngine on
-        RewriteCond %{REQUEST_URI}       ^/releases
-        RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
-        ''
-    ];
   };
 }
diff --git a/virtual/modules/websites/tools/cloud/default.nix b/virtual/modules/websites/tools/cloud/default.nix
new file mode 100644
index 0000000..7dd5c6e
--- /dev/null
+++ b/virtual/modules/websites/tools/cloud/default.nix
@@ -0,0 +1,45 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    nextcloud = pkgs.callPackage ./nextcloud.nix { inherit (mylibs) checkEnv; };
+
+    cfg = config.services.myWebsites.tools.cloud;
+in {
+  options.services.myWebsites.tools.cloud = {
+    enable = lib.mkEnableOption "enable cloud website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."eldiron".extraDomains."cloud.immae.eu" = null;
+
+    services.myWebsites.tools.modules = nextcloud.apache.modules;
+
+    services.myWebsites.tools.vhostConfs.cloud = {
+      certName    = "eldiron";
+      hosts       = ["cloud.immae.eu" ];
+      root        = nextcloud.webRoot;
+      extraConfig = [
+        nextcloud.apache.vhostConf
+      ];
+    };
+
+    environment.systemPackages = let
+      occ = pkgs.writeScriptBin "nextcloud-occ" ''
+        #! ${pkgs.stdenv.shell}
+        cd ${nextcloud.webRoot}
+        NEXTCLOUD_CONFIG_DIR="${nextcloud.webRoot}/config" \
+          exec \
+          ${pkgs.php}/bin/php \
+          -c ${pkgs.php}/etc/php.ini \
+          occ $*
+        '';
+    in [ occ ];
+
+    system.activationScripts.nextcloud = nextcloud.activationScript;
+
+    services.myPhpfpm = {
+      poolPhpConfigs.nextcloud = nextcloud.phpFpm.phpConfig;
+      poolConfigs.nextcloud = nextcloud.phpFpm.pool;
+    };
+
+  };
+}
diff --git a/virtual/modules/websites/tools/cloud/nextcloud-config/mimetypealiases.json b/virtual/modules/websites/tools/cloud/nextcloud-config/mimetypealiases.json
new file mode 100644
index 0000000..3806e53
--- /dev/null
+++ b/virtual/modules/websites/tools/cloud/nextcloud-config/mimetypealiases.json
@@ -0,0 +1,4 @@
+{
+  "application/gpx+xml": "gpx",
+  "x-application/kdbx": "kdbx"
+}
diff --git a/virtual/modules/websites/tools/cloud/nextcloud-config/mimetypemapping.json b/virtual/modules/websites/tools/cloud/nextcloud-config/mimetypemapping.json
new file mode 100644
index 0000000..2db4691
--- /dev/null
+++ b/virtual/modules/websites/tools/cloud/nextcloud-config/mimetypemapping.json
@@ -0,0 +1,4 @@
+{
+  "gpx": ["application/gpx+xml"],
+  "kdbx": ["x-application/kdbx"]
+}
diff --git a/virtual/modules/websites/tools/cloud/nextcloud.nix b/virtual/modules/websites/tools/cloud/nextcloud.nix
new file mode 100644
index 0000000..b8d8e59
--- /dev/null
+++ b/virtual/modules/websites/tools/cloud/nextcloud.nix
@@ -0,0 +1,267 @@
+{ stdenv, fetchurl, checkEnv, writeText, lib, phpPackages, php }:
+let
+  nextcloud = let
+    # FIXME: initial sync
+    # FIXME: backup
+    buildApp = { appName, version, url, sha256, installPhase ? "mkdir -p $out && cp -R . $out/" }:
+      stdenv.mkDerivation rec {
+        name = "nextcloud-app-${appName}-${version}";
+        inherit version;
+        phases = "unpackPhase installPhase";
+        inherit installPhase;
+        src = fetchurl { inherit url sha256; };
+      };
+    apps = {
+      # FIXME: nextcloud complains that he cannot write into config
+      # directory when an app needs upgrade
+      # /!\ Attention, just changing the version number is not
+      # sufficient when the downloaded file doesn’t contain the version
+      # number in it, sha256 needs to be recomputed
+      audioplayer = buildApp rec {
+        appName = "audioplayer";
+        version = "2.5.0";
+        url = "https://github.com/Rello/${appName}/releases/download/${version}/${appName}-${version}.tar.gz";
+        sha256 = "1pg4y51cv3agy28n4gfc8i7x1ya1yijxrmhpblm1n846vhmwdcm8";
+      };
+      bookmarks = buildApp rec {
+        appName = "bookmarks";
+        version = "0.14.3";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}-${version}.tar.gz";
+        sha256 = "0s7lkcl70izlkihnml1par0cac0wvckllyyga3jkb7k9vdg7d40c";
+      };
+      calendar = buildApp rec {
+        appName = "calendar";
+        version = "1.6.4";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}.tar.gz";
+        sha256 = "00dijvcvy7snsjslfbyzvpp9anhms22zp1f0zkj89ln33jmana63";
+      };
+      contacts = buildApp rec {
+        appName = "contacts";
+        version = "3.0.0";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}.tar.gz";
+        sha256 = "0fafy5kgzr5ldr3hxxxgmnw4y3qpjnv5ha1f1dlmqbc65s8frw7s";
+      };
+      deck = buildApp rec {
+        appName = "deck";
+        version = "0.5.2";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}.tar.gz";
+        sha256 = "1kygzixxdkp3dbma009p3pw0fj8wgcqcv39n7pay78lh6zi3nic7";
+      };
+      files_markdown = buildApp rec {
+        appName = "files_markdown";
+        version = "2.0.5";
+        url = "https://github.com/icewind1991/${appName}/releases/download/v${version}/${appName}.tar.gz";
+        sha256 = "1dzvy4c6vff2qmkwqw13dx92xdkafaxgnipswjw44mh0ncc2n9ym";
+      };
+      gpxedit = buildApp rec {
+        appName = "gpxedit";
+        version = "0.0.10";
+        url = "https://gitlab.com/eneiluj/gpxedit-oc/wikis/uploads/33d187268c5f6f6a55350d656305701c/${appName}-${version}.tar.gz";
+        sha256 = "0ynpaxm0xhvcj8xax6rm1w0p6j57wbqidhi7bhn268n483gwl2sw";
+      };
+      gpxpod = buildApp rec {
+        appName = "gpxpod";
+        version = "3.0.0";
+        url = "https://gitlab.com/eneiluj/gpxpod-oc/-/archive/v${version}/${appName}-oc-v${version}.tar.gz";
+        sha256 = "0smpi4r3z7zfl1612fb30cwm1xmpiq95c81zzqiwzjf288iys74k";
+      };
+      keeweb = buildApp rec {
+        appName = "keeweb";
+        version = "0.4.0";
+        url = "https://github.com/jhass/nextcloud-keeweb/releases/download/v${version}/${appName}-${version}.tar.gz";
+        sha256 = "0453kkb0a8vfivmibpwpx4bvhyn64jhns6cdfjacmnvbm6d75nj1";
+      };
+      notes = buildApp rec {
+        appName = "notes";
+        version = "2.5.1";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}.tar.gz";
+        sha256 = "1albzqqsdirzyw8vhvs7r0qm2wqp8vm9vmxm4crhncd85bk01hmh";
+      };
+      ocsms = buildApp rec {
+        appName = "ocsms";
+        version = "2.1.0";
+        url = "https://github.com/nextcloud/${appName}/releases/download/${version}/${appName}-${version}.tar.gz";
+        sha256 = "19xgs82js4sdf6j9478vg9li7za7csvcaa1hbq9nmrq441sbxk9c";
+      };
+      spreed = buildApp rec {
+        appName = "spreed";
+        version = "5.0.0";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}-${version}.tar.gz";
+        sha256 = "1d48mak1fnf1b28r2687yqamm4pxfg3qyxcj9ny31a6xg2cm0xa7";
+      };
+      tasks = buildApp rec {
+        appName = "tasks";
+        version = "0.9.8";
+        url = "https://github.com/nextcloud/${appName}/releases/download/v${version}/${appName}.tar.gz";
+        sha256 = "089m124lfsfk09fqj50x9n7zndq97jp5afgb8s001rpmzym4g6ny";
+      };
+    };
+  in rec {
+    varDir = "/var/lib/nextcloud";
+    config_php =
+      assert checkEnv "NIXOPS_NEXTCLOUD_PASSWORD_SALT";
+      assert checkEnv "NIXOPS_NEXTCLOUD_DB_USER";
+      assert checkEnv "NIXOPS_NEXTCLOUD_DB_PASSWORD";
+      assert checkEnv "NIXOPS_NEXTCLOUD_INSTANCE_ID";
+      assert checkEnv "NIXOPS_NEXTCLOUD_SECRET";
+      assert checkEnv "NIXOPS_NEXTCLOUD_REDIS_DB_INDEX";
+      writeText "config.php" ''
+      <?php
+      $CONFIG = array (
+        'instanceid' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_INSTANCE_ID"}',
+        'datadirectory' => '/var/lib/nextcloud/',
+        'passwordsalt' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_PASSWORD_SALT"}',
+        'debug' => false,
+        'dbtype' => 'pgsql',
+        'version' => '15.0.0.10',
+        'dbname' => 'webapps',
+        'dbhost' => '/run/postgresql',
+        'dbtableprefix' => 'oc_',
+        'dbuser' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_USER"}',
+        'dbpassword' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_DB_PASSWORD"}',
+        'installed' => true,
+        'maxZipInputSize' => 0,
+        'allowZipDownload' => true,
+        'forcessl' => true,
+        'theme' => ${"''"},
+        'maintenance' => false,
+        'trusted_domains' =>
+        array (
+          0 => 'cloud.immae.eu',
+        ),
+        'secret' => '${builtins.getEnv "NIXOPS_NEXTCLOUD_SECRET"}',
+        'appstoreenabled' => false,
+        'appstore.experimental.enabled' => true,
+        'loglevel' => 0,
+        'trashbin_retention_obligation' => 'auto',
+        'htaccess.RewriteBase' => '/',
+        'mail_smtpmode' => 'smtp',
+        'mail_smtphost' => 'mail.immae.eu',
+        'mail_smtpname' => ${"''"},
+        'mail_smtppassword' => ${"''"},
+        'mail_from_address' => 'owncloud',
+        'mail_smtpauth' => false,
+        'mail_domain' => 'immae.eu',
+        'memcache.local' => '\\OC\\Memcache\\APCu',
+        'memcache.locking' => '\\OC\\Memcache\\Redis',
+        'filelocking.enabled' => true,
+        'redis' =>
+        array (
+          'host' => 'localhost',
+          'port' => 6379,
+          'dbindex' => ${builtins.getEnv "NIXOPS_NEXTCLOUD_REDIS_DB_INDEX"},
+        ),
+        'overwrite.cli.url' => 'https://cloud.immae.eu',
+        'ldapIgnoreNamingRules' => false,
+        'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
+        'config_is_read_only' => true,
+      );
+      '';
+    config = stdenv.mkDerivation rec {
+      name = "nextcloud-config";
+      src = ./nextcloud-config;
+      phases = "installPhase";
+      installPhase = ''
+        mkdir -p $out
+        cp -r $src/* $out
+        cp ${config_php} $out/config.php
+      '';
+    };
+    webRoot = stdenv.mkDerivation rec {
+      name = "nextcloud-${version}";
+      version = "15.0.0";
+
+      src = fetchurl {
+        url = "https://download.nextcloud.com/server/releases/${name}.tar.bz2";
+        sha256 = "0y7bk1588n5rmmranmmrkajh50074460hr4v052ahg9mf60wbc2v";
+      };
+
+      installPhase = ''
+        mkdir -p $out/
+        cp -R . $out/
+        rm -r $out/config
+        ln -sf ${config} $out/config
+        ${builtins.concatStringsSep "\n" (
+          lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/apps/${name}") apps
+        )}
+      '';
+
+      meta = {
+        description = "Sharing solution for files, calendars, contacts and more";
+        homepage = https://nextcloud.com;
+        maintainers = with lib.maintainers; [ schneefux bachp globin fpletz ];
+        license = lib.licenses.agpl3Plus;
+        platforms = with lib.platforms; unix;
+      };
+    };
+    activationScript = {
+      deps = [ ];
+      text = ''
+        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
+        install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+      '';
+    };
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      modules = [ "proxy_fcgi" ];
+      vhostConf = ''
+        SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+        <Directory ${webRoot}>
+          AcceptPathInfo On
+          DirectoryIndex index.php
+          Options FollowSymlinks
+          Require all granted
+          AllowOverride all
+
+          <IfModule mod_headers.c>
+            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
+          </IfModule>
+          <FilesMatch "\.php$">
+            CGIPassAuth on
+            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+          </FilesMatch>
+
+        </Directory>
+
+        '';
+    };
+    phpFpm = rec {
+      basedir = builtins.concatStringsSep ":" (
+        [ webRoot varDir config ]
+        ++ lib.attrsets.mapAttrsToList (name: value: value) apps);
+      socket = "/var/run/phpfpm/nextcloud.sock";
+      phpConfig = ''
+        extension=${phpPackages.redis}/lib/php/extensions/redis.so
+        extension=${phpPackages.apcu}/lib/php/extensions/apcu.so
+        zend_extension=${php}/lib/php/extensions/opcache.so
+        '';
+      pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = ondemand
+        pm.max_children = 60
+        pm.process_idle_timeout = 60
+
+        php_admin_value[output_buffering] = 0
+        php_admin_value[max_execution_time] = 1800
+        php_admin_value[zend_extension] = "opcache"
+        php_value[opcache.enable] = 1
+        php_value[opcache.enable_cli] = 1
+        php_value[opcache.interned_strings_buffer] = 8
+        php_value[opcache.max_accelerated_files] = 10000
+        php_value[opcache.memory_consumption] = 128
+        php_value[opcache.save_comments] = 1
+        php_value[opcache.revalidate_freq] = 1
+        php_admin_value[memory_limit] = 512M
+
+        php_admin_value[open_basedir] = "${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"
+        php_admin_value[session.save_path] = "${varDir}/phpSessions"
+        '';
+    };
+  };
+in
+  nextcloud
diff --git a/virtual/modules/websites/tools/dav/davical.nix b/virtual/modules/websites/tools/dav/davical.nix
new file mode 100644
index 0000000..697bd60
--- /dev/null
+++ b/virtual/modules/websites/tools/dav/davical.nix
@@ -0,0 +1,164 @@
+{ stdenv, fetchurl, gettext, writeText, checkEnv }:
+let
+  awl = stdenv.mkDerivation rec {
+    version = "0.59";
+    name = "awl-${version}";
+    src = fetchurl {
+      url = "https://www.davical.org/downloads/awl_${version}.orig.tar.xz";
+      sha256 = "01b7km7ga3ggbpp8axkc55nizgk5c35fl2z93iydb3hwbxmsvnjp";
+    };
+    unpackCmd = ''
+      tar --one-top-level -xf $curSrc
+    '';
+    installPhase = ''
+      mkdir -p $out
+      cp -ra dba docs inc scripts tests $out
+    '';
+  };
+  # FIXME: e-mail sending
+  davical = rec {
+    config =
+      assert checkEnv "NIXOPS_DAVICAL_DB_PASSWORD";
+      assert checkEnv "NIXOPS_DAVICAL_LDAP_PASSWORD";
+      writeText "davical_config.php" ''
+        <?php
+        $c->pg_connect[] = "dbname=davical user=davical_app host=db-1.immae.eu password=${builtins.getEnv "NIXOPS_DAVICAL_DB_PASSWORD"}";
+
+        $c->readonly_webdav_collections = false;
+
+        $c->admin_email ='davical@immae.eu';
+
+        $c->restrict_setup_to_admin = true;
+
+        $c->collections_always_exist = false;
+
+        $c->external_refresh = 60;
+
+        $c->enable_scheduling = true;
+
+        $c->iMIP = (object) array("send_email" => true);
+
+        $c->authenticate_hook['optional'] = false;
+        $c->authenticate_hook['call'] = 'LDAP_check';
+        $c->authenticate_hook['config'] = array(
+            'host' => 'ldap.immae.eu',
+            'port' => '389',
+            'startTLS' => 'yes',
+            'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu',
+            'passDN'=> '${builtins.getEnv "NIXOPS_DAVICAL_LDAP_PASSWORD"}',
+            'protocolVersion' => '3',
+            'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'),
+            'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu',
+            'baseDNGroups' => 'ou=groups,dc=immae,dc=eu',
+            'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu',
+            'mapping_field' => array(
+              "username" => "uid",
+              "fullname" => "cn",
+              "email"    => "mail",
+              "modified" => "modifyTimestamp",
+            ),
+            'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
+              /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
+        //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
+            'group_mapping_field' => array(
+              "username"    => "cn",
+              "updated"     => "modifyTimestamp",
+              "fullname"    => "givenName",
+              "displayname" => "givenName",
+              "members"     => "memberUid",
+              "email"       => "mail",
+            ),
+          );
+
+        $c->do_not_sync_from_ldap = array('admin' => true);
+        include('drivers_ldap.php');
+      '';
+    webapp = stdenv.mkDerivation rec {
+      version = "1.1.7";
+      name = "davical-${version}";
+      src = fetchurl {
+        url = "https://www.davical.org/downloads/davical_${version}.orig.tar.xz";
+        sha256 = "1ar5m2dxr92b204wkdi8z33ir9vz2jbh5k1p74icpv9ywifvjjp9";
+      };
+      unpackCmd = ''
+        tar --one-top-level -xf $curSrc
+      '';
+      makeFlags = "all";
+      patches = [ ./davical_19eb79ebf9250e5f339675319902458c40ed1755.patch ];
+      installPhase = ''
+        mkdir -p $out
+        cp -ra config dba docs htdocs inc locale po scripts testing zonedb $out
+        ln -s ${config} $out/config/config.php
+      '';
+      buildInputs = [ gettext ];
+    };
+    webRoot = "${webapp}/htdocs";
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      modules = [ "proxy_fcgi" ];
+      vhostConf = ''
+        Alias /davical "${webRoot}"
+        Alias /caldav.php  "${webRoot}/caldav.php"
+        <Directory "${webRoot}">
+          DirectoryIndex index.php index.html
+          AcceptPathInfo On
+          AllowOverride None
+          Require all granted
+
+          <FilesMatch "\.php$">
+            CGIPassAuth on
+            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+          </FilesMatch>
+
+          RewriteEngine On
+          <IfModule mod_headers.c>
+                  Header unset Access-Control-Allow-Origin
+                  Header unset Access-Control-Allow-Methods
+                  Header unset Access-Control-Allow-Headers
+                  Header unset Access-Control-Allow-Credentials
+                  Header unset Access-Control-Expose-Headers
+
+                  Header always set Access-Control-Allow-Origin "*"
+                  Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
+                  Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
+                  Header always set Access-Control-Allow-Credentials false
+                  Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
+
+                  RewriteCond %{HTTP:Access-Control-Request-Method} !^$
+                  RewriteCond %{REQUEST_METHOD} OPTIONS
+                  RewriteRule ^(.*)$ $1 [R=200,L]
+          </IfModule>
+        </Directory>
+        '';
+    };
+    phpFpm = rec {
+      basedir = builtins.concatStringsSep ":" [ webapp config awl ];
+      socket = "/var/run/phpfpm/davical.sock";
+      pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = dynamic
+        pm.max_children = 60
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 10
+
+        ; Needed to avoid clashes in browser cookies (same domain)
+        php_value[session.name] = DavicalPHPSESSID
+        php_admin_value[open_basedir] = "${basedir}:/tmp"
+        php_admin_value[include_path] = "${awl}/inc:${webapp}/inc"
+        php_admin_value[session.save_path] = "/var/lib/php/sessions/davical"
+        php_flag[magic_quotes_gpc] = Off
+        php_flag[register_globals] = Off
+        php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE"
+        php_admin_value[default_charset] = "utf-8"
+        php_flag[magic_quotes_runtime] = Off
+        '';
+    };
+  };
+in
+  davical
diff --git a/virtual/modules/websites/tools/dav/davical_19eb79ebf9250e5f339675319902458c40ed1755.patch b/virtual/modules/websites/tools/dav/davical_19eb79ebf9250e5f339675319902458c40ed1755.patch
new file mode 100644
index 0000000..2a08a5c
--- /dev/null
+++ b/virtual/modules/websites/tools/dav/davical_19eb79ebf9250e5f339675319902458c40ed1755.patch
@@ -0,0 +1,26 @@
+diff --git a/inc/ui/collection-edit.php b/inc/ui/collection-edit.php
+index 3af9edd3b8c4ad9074113273175098841af6a28e..8c1d84012b035f7bc7faedcb24916581a02a5d3e 100644
+--- a/inc/ui/collection-edit.php
++++ b/inc/ui/collection-edit.php
+@@ -190,7 +190,7 @@ $privilege_xlate = array(
+ * @param dbrow $row The row object we read from the database.
+ * @return string The formatted privileges.
+ */
+-function collection_privilege_format_function( $value, $column, $row ) {
++function collection_privilege_format_function( $value, $column = NULL, $row = NULL ) {
+   global $privilege_xlate;
+ 
+   $privs = bits_to_privilege($value, 'calendar');
+diff --git a/inc/ui/principal-edit.php b/inc/ui/principal-edit.php
+index 20dee7fa4ca2235ff2f74be0dfb52cbe937ef822..2e37cd596b597bcce1e59d7c02a1c5fc2a7f88ce 100644
+--- a/inc/ui/principal-edit.php
++++ b/inc/ui/principal-edit.php
+@@ -454,7 +454,7 @@ EOTEMPLATE;
+ * @param dbrow $row The row object we read from the database.
+ * @return string The formatted privileges.
+ */
+-function principal_privilege_format_function( $value, $column, $row ) {
++function principal_privilege_format_function( $value, $column = NULL, $row = NULL ) {
+   global $privilege_xlate;
+ 
+   $privs = bits_to_privilege($value,'*');
diff --git a/virtual/modules/websites/tools/dav/default.nix b/virtual/modules/websites/tools/dav/default.nix
new file mode 100644
index 0000000..201da38
--- /dev/null
+++ b/virtual/modules/websites/tools/dav/default.nix
@@ -0,0 +1,33 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    infcloud = pkgs.callPackage ./infcloud.nix {};
+    davical = pkgs.callPackage ./davical.nix { inherit (mylibs) checkEnv; };
+
+    cfg = config.services.myWebsites.tools.dav;
+in {
+  options.services.myWebsites.tools.dav = {
+    enable = lib.mkEnableOption "enable dav website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."eldiron".extraDomains."dav.immae.eu" = null;
+
+    services.myWebsites.tools.modules = davical.apache.modules;
+
+    services.myWebsites.tools.vhostConfs.dav = {
+      certName    = "eldiron";
+      hosts       = ["dav.immae.eu" ];
+      root        = null;
+      extraConfig = [
+        infcloud.apache.vhostConf
+        davical.apache.vhostConf
+      ];
+    };
+
+    services.myPhpfpm.poolConfigs = {
+      davical = davical.phpFpm.pool;
+    };
+
+  };
+}
+
diff --git a/virtual/modules/websites/tools/dav/infcloud.nix b/virtual/modules/websites/tools/dav/infcloud.nix
new file mode 100644
index 0000000..876578b
--- /dev/null
+++ b/virtual/modules/websites/tools/dav/infcloud.nix
@@ -0,0 +1,38 @@
+{ stdenv, fetchzip, ed }:
+let
+  infcloud = rec {
+    webRoot = stdenv.mkDerivation rec {
+      version = "0.13.1";
+      name = "InfCloud-${version}";
+      src = fetchzip {
+        url = "https://www.inf-it.com/InfCloud_${version}.zip";
+        sha256 = "1fjhs0cj0b9fhf5ysfz281mknmmg1z551bas143sxfcqlpa5aiiq";
+      };
+      buildPhase = ''
+        ./cache_update.sh
+        rm config.js
+      '';
+      installPhase = ''
+        cp -a . $out
+        ln -s ${./infcloud_config.js} $out/config.js
+      '';
+      buildInputs = [ ed ];
+    };
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      vhostConf = ''
+        Alias /carddavmate ${webRoot}
+        Alias /caldavzap ${webRoot}
+        Alias /infcloud ${webRoot}
+        <Directory ${webRoot}>
+          AllowOverride All
+          Options FollowSymlinks
+          Require all granted
+          DirectoryIndex index.html
+        </Directory>
+        '';
+    };
+  };
+in
+  infcloud
diff --git a/virtual/modules/websites/tools/dav/infcloud_config.js b/virtual/modules/websites/tools/dav/infcloud_config.js
new file mode 100644
index 0000000..ba73860
--- /dev/null
+++ b/virtual/modules/websites/tools/dav/infcloud_config.js
@@ -0,0 +1,1446 @@
+/*
+InfCloud - the open source CalDAV/CardDAV Web Client
+Copyright (C) 2011-2015
+    Jan Mate <jan.mate@inf-it.com>
+    Andrej Lezo <andrej.lezo@inf-it.com>
+    Matej Mihalik <matej.mihalik@inf-it.com>
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+// NOTE: see readme.txt before you start to configure this client!
+
+
+// NOTE: do not forget to execute the cache_update.sh script every time you
+// update this configuration file or any other files (otherwise your browser
+// will use the previous version of files stored in HTML5 cache). Alternatively
+// you can update the cache.manifest manually - edit the second line beginning
+// with "#V 20" to anything else (this file simple needs "some" change)
+
+
+// Supported setup types (use ONE of them):
+//   a.) globalAccountSettings => username and password is hardcoded
+//       in config.js, automatic login without the login screen
+//       - advantages: fast login process = no username/password is required
+//       - disadvantages: username/password is visible in your config.js, so
+//         this type of setup is recommended ONLY for intranet/home users
+//   b.) globalNetworkCheckSettings => standard setup with login screen
+//       - advantages: username/password is required (no visible
+//         username/password in config.js)
+//       - disadvantages: if a user enters wrong username/password then
+//         the browser will show authentication popup window (it is NOT
+//         possible to disable it in JavaScript; see the next option)
+//   c.) globalNetworkAccountSettings => advanced setup with login screen
+//       - advantages: no authentication popup if you enter wrong username/
+//         password, dynamic XML configuration generator (you can generate
+//         different configurations for your users /by modifying the "auth"
+//         module configuration or the PHP code itself/)
+//       - disadvantages: requires PHP >= 5.3 and additional configuration,
+//         only basic http authentication is supported => always use https!
+//
+//
+// What is a "principal URL"? => Check you server documentation!
+//   - "principal URL" is NOT "collection URL"
+//   - this client automatically detects collections for "principal URL"
+//   - PROPER "principal URL" looks like:
+//     https://server.com:8443/principals/users/USER/
+//     https://server.com:8443/caldav.php/USER/
+//   - INVALID principal URL looks like:
+//     https://server.com:8443/principals/users/USER/collection/
+//       => this is a collection URL
+//     https://server.com:8443/caldav.php/USER/collection/
+//       => this is a collection URL
+//     https://server.com:8443/principals/users/USER
+//       => missing trailing '/'
+//     https://server.com:8443/caldav.php/USER
+//       => missing trailing '/'
+//     /caldav.php/USER/
+//       => relative URL instead of full URL
+//
+//
+// List of properties used in globalAccountSettings, globalNetworkCheckSettings
+// and globalNetworkAccountSettings variables (+ in the "auth" module):
+// - href
+//   Depending on the setup type set the value to:
+//   a.) globalAccountSettings: full "principal URL"
+//   b.) globalNetworkCheckSettings: "principal URL" WITHOUT the "USER/" part
+//   c.) globalNetworkAccountSettings: "full URL" to the "auth" directory
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings
+// - userAuth
+//   - userName
+//     Set the username you want to login.
+//   - userPassword
+//     Set the password for the given username.
+//   This property is supported in:
+//     globalAccountSettings
+// - timeOut
+//   This option sets the timeout for jQuery .ajax call (in miliseconds).
+//   Example:
+//     timeOut: 90000
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings
+// - lockTimeOut 
+//   NOTE: used only if server supports LOCK requests
+//   This option sets the LOCK timeout value if resource locking
+//   is used (in miliseconds).
+//   Example:
+//     lockTimeOut: 10000
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only)
+// - checkContentType
+//   This option enables a content-type checking for server response.
+//   If enabled then only objects with proper content-type are inserted
+//   into the interface.
+//   If you cannot see data in the interface you may try to disable it (useful
+//   if your server returns wrong value in "propstat/prop/getcontenttype").
+//   If undefined then content-type checking is enabled.
+//   Examples:
+//     checkContentType: true
+//     checkContentType: false
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only)
+// - settingsAccount
+//   NOTE: server support for custom DAV properties is REQUIRED!
+//   This option sets the account where the client properties such as:
+//   loaded collections, enabled collections, ... are saved during
+//   the logout and resource/collection synchronisation
+//   NOTE: set it to true ONLY for ONE account!
+//   Examples:
+//     settingsAccount: true
+//     settingsAccount: false
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only)
+// - delegation
+//   NOTE: server support for this functionality is REQUIRED!
+//   This option allows you to load delegated (shared) collections.
+//   If set to true (default) then delegation functionality is enabled,
+//   and the interface allows you to load delegated collections.
+//   If false then delegation functionality is completely disabled.
+//   Examples:
+//     delegation: true
+//     delegation: false
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only)
+// - additionalResources
+//   This options sets the list of additional resources (e.g. shared resources
+//   accessible by all users). If the server supports delegation (see
+//   the delegation option above) there is no reason to use this option!
+//   Supported values:
+//   - array of URL encoded resource names (not collections), such as:
+//     'company'
+//     'shared_resource'
+//   If empty (default) or undefined then shared resources are not loaded
+//   using this option, but may be loaded using the delegation option.
+//   Examples:
+//     additionalResources=[]
+//     additionalResources=['public', 'shared_resource']
+//   This property is supported in:
+//     globalNetworkCheckSettings
+// - hrefLabel
+//   This option sets the server name in the resource header (useful if
+//   you want to see custom resource header above the collections).
+//   You can use the following variables in the value:
+//     %H = full hostname (including the port number)
+//     %h = full hostname (without the port number)
+//     %D = full domain name
+//     %d = only the first and second level domain
+//     %P = principal name
+//     %p = principal name without the @domain.com part (if present)
+//     %U = logged user name
+//     %u = logged user name without the @domain.com part (if present)
+//   If undefined, empty or or null then '%d/%p [%u]' is used.
+//   Examples: 
+//     hrefLabel: '%d/%p [%u]'
+//     hrefLabel: '%D/%u'
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only)
+// - forceReadOnly
+//   This option sets the list of collections as "read-only".
+//   Supported values:
+//   - true
+//     all collections will be "read-only"
+//   - array of URL encoded
+//     - collections, such as: 
+//       '/caldav.php/user/calendar/'
+//       '/caldav.php/user%40domain.com/calendar/'
+//     - regexes, such as:
+//       new RegExp('^/caldav.php/user/calendar[0-9]/$', 'i')
+//     specifies the list of collections marked as "read-only"
+//   If null (default) or undefined then server detected privileges are used.
+//   Examples:
+//     forceReadOnly: null
+//     forceReadOnly: true
+//     forceReadOnly: ['/caldav.php/user/calendar/', 
+//                     '/caldav.php/user/calendar2/']
+//     forceReadOnly: [new RegExp('^/.*/user/calendar[0-9]/$', 'i')]
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only, with
+//       different syntax for regexes)
+// - ignoreAlarms
+//   This option sets list of calendar collections with disabled
+//   alarm functionality.
+//   Supported values:
+//   - true
+//     alarm functionality is disabled for all collections
+//   - array of URL encoded
+//     - collections, such as: 
+//       '/caldav.php/user/calendar/'
+//       '/caldav.php/user%40domain.com/calendar/'
+//     - regexes, such as:
+//       new RegExp('^/caldav.php/user/calendar[0-9]/$', 'i')
+//     specifies the list of collections with disabled alarm functionality.
+//   If false (default) or undefined then alarm functionality is enabled
+//   for all collections.
+//   Examples:
+//     ignoreAlarms: true
+//     ignoreAlarms: ['/caldav.php/user/calendar/', 
+//                    '/caldav.php/user/calendar2/']
+//     ignoreAlarms: [new RegExp('^/.*/user/calendar[0-9]/$', 'i')]
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only, with
+//       different syntax for regexes)
+// - backgroundCalendars
+//   This options defines a list of background calendars. If there is
+//   at least one event defined for the given day in a background calendar,
+//   the background color for that day will be pink/light-red.
+//   Supported values:
+//   - array of URL encoded
+//     - collections, such as: 
+//       '/caldav.php/user/calendar/'
+//       '/caldav.php/user%40domain.com/calendar/'
+//     - regexes, such as:
+//       new RegExp('^/caldav.php/user/calendar[0-9]/$', 'i')
+//     specifies the list of background calendar collections.
+//   Examples:
+//     backgroundCalendars: ['/caldav.php/user/calendar/', 
+//                           '/caldav.php/user/calendar2/']
+//     backgroundCalendars: [new RegExp('^/.*/user/calendar[0-9]/$', 'i')]
+//   This property is supported in:
+//     globalAccountSettings
+//     globalNetworkCheckSettings
+//     globalNetworkAccountSettings (available in auth module only, with
+//       different syntax for regexes)
+// Special options not present in configuration examples:
+// NOTE: use ONLY if you know what are you doing!
+// - crossDomain
+//   This option sets the crossDomain for jQuery .ajax call. If null (default)
+//   then the value is autodetected /and the result is shown in the console/
+// - withCredentials
+//   This option sets the withCredentials for jQuery .ajax call. The default
+//   value is false and there is NO REASON to change it to true!
+//   NOTE: if true, Access-Control-Allow-Origin "*" (CORS header) not works!
+
+
+// globalAccountSettings
+// Use this option if you want to use automatic login (without a login
+// screen) with hardcoded username/password in config.js. Otherwise use
+// globalNetworkCheckSettings or globalNetworkAccountSettings (see below).
+// NOTE: if this option is used the value must be an array of object(s).
+// List of properties used in globalAccountSettings variable:
+// - href
+//   Set this option to the full "principal URL".
+//   NOTE: the last character in the value must be '/'
+// - userAuth
+//   - userName
+//     Set the username you want to login.
+//   - userPassword
+//     Set the password for the given username.
+// NOTE: for description of other properties see comments at the beginning
+// of this file.
+// NOTE: for minimal/fast setup you need to set only the href and userAuth
+// options. It is safe/recommended to keep the remaining options unchanged!
+// Example:
+//var globalAccountSettings=[
+//      {
+//              href: 'https://server1.com:8443/caldav.php/USERNAME1/',
+//              userAuth:
+//              {
+//                      userName: 'USERNAME1',
+//                      userPassword: 'PASSWORD1'
+//              },
+//              timeOut: 90000,
+//              lockTimeOut: 10000,
+//              checkContentType: true,
+//              settingsAccount: true,
+//              delegation: true,
+//              hrefLabel: null,
+//              forceReadOnly: null,
+//              ignoreAlarms: false,
+//              backgroundCalendars: []
+//      },
+//      {
+//              href: 'https://server2.com:8443/caldav.php/USERNAME2/',
+//              ...
+//              ...
+//      }
+//];
+
+
+// globalNetworkCheckSettings
+// Use this option if you want to use standard login screen without
+// hardcoded username/password in config.js (used by globalAccountSettings).
+// NOTE: if this option is used the value must be an object.
+// List of properties used in globalAccountSettings variable:
+// - href
+//   Set this option to the "principal URL" WITHOUT the "USERNAME/"
+//   part (this options uses the username from the login screen).
+//   NOTE: the last character in the value must be '/'
+// NOTE: for description of other properties see comments at the beginning
+// of this file.
+// NOTE: for minimal/fast setup you need to set only the href option. It is
+// safe/recommended to keep the remaining options unchanged!
+// Example href values:
+// OS X server http example (see misc/readme_osx.txt for server setup):
+//   href: 'http://osx.server.com:8008/principals/users/'
+// OS X server https example (see misc/readme_osx.txt for server setup):
+//   href: 'https://osx.server.com:8443/principals/users/'
+// Cyrus server https example:
+//   href: 'https://cyrus.server.com/dav/principals/user/'
+// Example:
+// Davical example which automatically detects the protocol, server name,
+// port, ... (client installed into Davical "htdocs" subdirectory;
+// works "out of the box", no additional setup required):
+var globalNetworkCheckSettings={
+        href: location.protocol+'//'+location.hostname+
+                (location.port ? ':'+location.port: '')+
+                location.pathname.replace(RegExp('/+[^/]+/*(index\.html)?$'),'')+
+                '/caldav.php/',
+        timeOut: 90000,
+        lockTimeOut: 10000,
+        checkContentType: true,
+        settingsAccount: true,
+        delegation: true,
+        additionalResources: [],
+        hrefLabel: null,
+        forceReadOnly: null,
+        ignoreAlarms: false,
+        backgroundCalendars: []
+}
+
+
+// globalNetworkAccountSettings
+// Try this option ONLY if you have working setup using
+// globalNetworkCheckSettings and want to fix the authentication popup
+// window problem (if invalid username/password is entered)!
+// If you use this option then your browser sends username/password to the PHP
+// "auth" module ("auth" directory) instead of the DAV server itself.
+// The "auth" module then validates your username/password against your server,
+// and if the authentication is successful, then it sends back a configuration
+// XML (requires additional configuration). The resulting XML is handled
+// IDENTICALLY as the globalAccountSettings configuration option.
+// NOTE: for the "auth" module configuration see readme.txt!
+// NOTE: this option invokes a login screen and disallows access until
+// the client gets correct XML configuration file from the server!
+// List of properties used in globalNetworkAccountSettings variable:
+// - href
+//   Set this option to the "full URL" of the "auth" directory
+//   NOTE: the last character in the value must be '/'
+// NOTE: for description of other properties see comments at the beginning
+// of this file.
+// Example href values:
+//   href: 'https://server.com/client/auth/'
+// Example:
+// Use this configuration if the "auth" module is located in the client
+// installation subdirectory (default):
+//var globalNetworkAccountSettings={
+//      href: location.protocol+'//'+location.hostname+
+//              (location.port ? ':'+location.port : '')+
+//              location.pathname.replace(RegExp('index\.html$'),'')+
+//              'auth/',
+//      timeOut: 30000
+//};
+
+
+// globalUseJqueryAuth
+// Use jQuery .ajax() auth or custom header for HTTP basic auth (default).
+// Set this option to true if your server uses digest auth (note: you may
+// experience auth popups on some browsers).
+// If undefined (or empty), custom header for HTTP basic auth is used.
+// Example:
+//var globalUseJqueryAuth=false;
+
+
+// globalBackgroundSync
+// Enable background synchronization even if the browser window/tab has no
+// focus.
+// If false, synchronization is performed only if the browser window/tab
+// is focused. If undefined or not false, then background sync is enabled.
+// Example:
+var globalBackgroundSync=true;
+
+
+// globalSyncResourcesInterval
+// This option defines how often (in miliseconds) are resources/collections
+// asynchronously synchronized.
+// Example:
+var globalSyncResourcesInterval=120000;
+
+
+// globalEnableRefresh
+// This option enables or disables the manual synchronization button in
+// the interface. If this option is enabled then users can perform server
+// synchronization manually. Enabling this option may cause high server
+// load (even DDOS) if users will try to manually synchronize data too
+// often (instead of waiting for the automatic synchronization).
+// If undefined or false, the synchronization button is disabled.
+// NOTE: enable this option only if you really know what are you doing!
+// Example:
+var globalEnableRefresh=false;
+
+
+// globalEnableKbNavigation
+// Enable basic keyboard navigation using arrow keys?
+// If undefined or not false, keyboard navigation is enabled.
+// Example:
+var globalEnableKbNavigation=true;
+
+
+// globalSettingsType
+// Where to store user settings such as: active view, enabled/selected
+// collections, ... (the client store them into DAV property on the server).
+// NOTE: not all servers support storing DAV properties (some servers support
+// only subset /or none/ of these URLs).
+// Supported values:
+// - 'principal-URL', '', null or undefined (default) => settings are stored
+//   to principal-URL (recommended for most servers)
+// - 'addressbook-home-set' => settings are are stored to addressbook-home-set
+// - 'calendar-home-set' => settings are stored to calendar-home-set
+// Example:
+//var globalSettingsType='';
+
+
+// globalCrossServerSettingsURL
+// Settings such as enabled/selected collections are stored on the server
+// (see the previous option) in form of full URL
+// (e.g.: https://user@server:port/principal/collection/), but even if this
+// approach is "correct" (you can use the same principal URL with multiple
+// different logins, ...) it causes a problem if your server is accessible
+// from multiple URLs (e.g. http://server/ and https://server/). If you want
+// to store only the "principal/collection/" part of the URL (instead of the
+// full URL) then enable this option.
+// Example:
+//var globalCrossServerSettingsURL=false;
+
+
+// globalInterfaceLanguage
+// Default interface language (note: this option is case sensitive):
+//   cs_CZ (Čeština [Czech])
+//   da_DK (Dansk [Danish]; thanks Niels Bo Andersen)
+//   de_DE (Deutsch [German]; thanks Marten Gajda and Thomas Scheel)
+//   en_US (English [English/US])
+//   es_ES (Español [Spanish]; thanks Damián Vila)
+//   fr_FR (Français [French]; thanks John Fischer)
+//   it_IT (Italiano [Italian]; thanks Luca Ferrario)
+//   ja_JP (日本語 [Japan]; thanks Muimu Nakayama)
+//   hu_HU (Magyar [Hungarian])
+//   nl_NL (Nederlands [Dutch]; thanks Johan Vromans)
+//   sk_SK (Slovenčina [Slovak])
+//   tr_TR (Türkçe [Turkish]; thanks Selcuk Pultar)
+//   ru_RU (Русский [Russian]; thanks Александр Симонов)
+//   uk_UA (Українська [Ukrainian]; thanks Serge Yakimchuck)
+//   zh_CN (中国 [Chinese]; thanks Fandy)
+// Example:
+var globalInterfaceLanguage='fr_FR';
+
+
+// globalInterfaceCustomLanguages
+// If defined and not empty then only languages listed here are shown
+// at the login screen, otherwise (default) all languages are shown
+// NOTE: values in the array must refer to an existing localization
+// (see the option above)
+// Example:
+//   globalInterfaceCustomLanguages=['en_US', 'sk_SK'];
+var globalInterfaceCustomLanguages=[];
+
+
+// globalSortAlphabet
+// Use JavaScript localeCompare() or custom alphabet for data sorting.
+// Custom alphabet is used by default because JavaScript localeCompare()
+// not supports collation and often returns "wrong" result. If set to null
+// then localeCompare() is used.
+// Example:
+//   var globalSortAlphabet=null;
+var globalSortAlphabet=' 0123456789'+
+        'AÀÁÂÄÆÃÅĀBCÇĆČDĎEÈÉÊËĒĖĘĚFGĞHIÌÍÎİÏĪĮJKLŁĹĽMNŃÑŇOÒÓÔÖŐŒØÕŌ'+
+        'PQRŔŘSŚŠȘșŞşẞTŤȚțŢţUÙÚÛÜŰŮŪVWXYÝŸZŹŻŽ'+
+        'aàáâäæãåābcçćčdďeèéêëēėęěfgğhiìíîïīįıjklłĺľmnńñňoòóôöőœøõō'+
+        'pqrŕřsśšßtťuùúûüűůūvwxyýÿzźżžАБВГҐДЕЄЖЗИІЇЙКЛМНОПРСТУФХЦЧШЩЮЯ'+
+        'Ьабвгґдеєжзиіїйклмнопрстуфхцчшщюяь';
+
+
+// globalSearchTransformAlphabet
+// To support search without diacritics (e.g. search for 'd' will find: 'Ď', 'ď')
+// it is required to define something like "character equivalence".
+// key = regex text, value = search character
+// Example:
+var globalSearchTransformAlphabet={
+        '[ÀàÁáÂâÄäÆæÃãÅåĀā]': 'a', '[ÇçĆćČč]': 'c', '[Ďď]': 'd',
+        '[ÈèÉéÊêËëĒēĖėĘęĚě]': 'e', '[Ğğ]': 'g', '[ÌìÍíÎîİıÏïĪīĮį]': 'i',
+        '[ŁłĹ弾]': 'l', '[ŃńÑñŇň]': 'n', '[ÒòÓóÔôÖöŐőŒœØøÕõŌō]': 'o',
+        '[ŔŕŘř]': 'r', '[ŚśŠšȘșŞşẞß]': 's', '[ŤťȚțŢţ]': 't',
+        '[ÙùÚúÛûÜüŰűŮůŪū]': 'u', '[ÝýŸÿ]': 'y', '[ŹźŻżŽž]': 'z'
+};
+
+// globalResourceAlphabetSorting
+// If more than one resource (server account) is configured, sort the
+// resources alphabetically?
+// Example:
+var globalResourceAlphabetSorting=true;
+
+
+// globalNewVersionNotifyUsers
+// Update notification will be shown only to users with login names defined
+// in this array.
+// If undefined (or empty), update notifications will be shown to all users.
+// Example:
+//   globalNewVersionNotifyUsers=['admin', 'peter'];
+var globalNewVersionNotifyUsers=[];
+
+
+// globalDatepickerFormat
+// Set the datepicker format (see 
+// http://docs.jquery.com/UI/Datepicker/formatDate for valid values).
+// NOTE: date format is predefined for each localization - use this option
+// ONLY if you want to use custom date format (instead of the localization
+// predefined one).
+// Example:
+//var globalDatepickerFormat='dd.mm.yy';
+var globalDatepickerFormat='yy-mm-dd';
+
+
+// globalDatepickerFirstDayOfWeek
+// Set the datepicker first day of the week: Sunday is 0, Monday is 1, etc.
+// Example:
+var globalDatepickerFirstDayOfWeek=1;
+
+
+// globalHideInfoMessageAfter
+// How long are information messages (such as: success, error) displayed
+// (in miliseconds).
+// Example:
+var globalHideInfoMessageAfter=1800;
+
+
+// globalEditorFadeAnimation
+// Set the editor fade in/out animation duration when editing or saving data
+// (in miliseconds).
+// Example:
+var globalEditorFadeAnimation=666;
+
+
+
+
+// ******* CalDAV (CalDavZAP) related settings ******* //
+
+// globalEventStartPastLimit, globalEventStartFutureLimit, globalTodoPastLimit
+// Number of months pre-loaded from past/future in advance for calendars
+// and todo lists (if null then date range synchronization is disabled).
+// NOTE: interval synchronization is used only if your server supports
+// sync-collection REPORT (e.g. DAViCal).
+// NOTE: if you experience problems with data loading and your server has
+// no time-range filtering support set these variables to null.
+// Example:
+var globalEventStartPastLimit=3;
+var globalEventStartFutureLimit=3;
+var globalTodoPastLimit=1;
+
+
+// globalLoadedCalendarCollections
+// This option sets the list of calendar collections (down)loaded after login.
+// If empty then all calendar collections for the currently logged user are
+// loaded.
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalLoadedCalendarCollections=[];
+
+
+// globalLoadedTodoCollections
+// This option sets the list of todo collections (down)loaded after login.
+// If empty then all todo collections for the currently logged user are loaded.
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalLoadedTodoCollections=[];
+
+
+// globalActiveCalendarCollections
+// This options sets the list of calendar collections checked (enabled
+// checkbox => data visible in the interface) by default after login.
+// If empty then all loaded calendar collections for the currently logged
+// user are checked.
+// NOTE: only already (down)loaded collections can be checked (see 
+// the globalLoadedCalendarCollections option).
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalActiveCalendarCollections=[];
+
+
+// globalActiveTodoCollections
+// This options sets the list of todo collections checked (enabled
+// checkbox => data visible in the interface) by default after login.
+// If empty then all loaded todo collections for the currently logged
+// user are checked.
+// NOTE: only already (down)loaded collections can be checked (see 
+// the globalLoadedTodoCollections option).
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalActiveTodoCollections=[];
+
+
+// globalCalendarSelected
+// This option sets which calendar collection will be pre-selected
+// (if you create a new event) by default after login.
+// The value must be URL encoded path to a calendar collection,
+// for example: 'USER/calendar/'
+// If empty or undefined then the first available calendar collection
+// is selected automatically.
+// NOTE: only already (down)loaded collections can be pre-selected (see
+// the globalLoadedCalendarCollections option).
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+//var globalCalendarSelected='';
+
+
+// globalTodoCalendarSelected
+// This option sets which todo collection will be pre-selected
+// (if you create a new todo) by default after login.
+// The value must be URL encoded path to a todo collection,
+// for example: 'USER/todo_calendar/'
+// If empty or undefined then the first available todo collection
+// is selected automatically.
+// NOTE: only already (down)loaded collections can be pre-selected (see 
+// the globalLoadedTodoCollections option).
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+//var globalTodoCalendarSelected='';
+
+
+// globalActiveView
+// This options sets the default fullcalendar view option (the default calendar
+// view after the first login).
+// Supported values:
+// - 'month'
+// - 'multiWeek'
+// - 'agendaWeek'
+// - 'agendaDay'
+// NOTE: we use custom and enhanced version of fullcalendar!
+// Example:
+var globalActiveView='multiWeek';
+
+
+// globalOpenFormMode
+// Open new event form on 'single' or 'double' click.
+// If undefined or not 'double', then 'single' is used.
+// Example:
+var globalOpenFormMode='double';
+
+
+// globalTodoListFilterSelected
+// This options sets the list of filters in todo list that are selected
+// after login.
+// Supported options:
+// - 'filterAction'
+// - 'filterProgress' (available only if globalAppleRemindersMode is disabled)
+// - 'filterCompleted'
+// - 'filterCanceled' (available only if globalAppleRemindersMode is disabled)
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalTodoListFilterSelected=['filterAction', 'filterProgress'];
+
+
+// globalCalendarStartOfBusiness, globalCalendarEndOfBusiness
+// These options set the start and end of business hours with 0.5 hour
+// precision. Non-business hours are faded out in the calendar interface.
+// If both variables are set to the same value then no fade out occurs.
+// Example:
+var globalCalendarStartOfBusiness=8;
+var globalCalendarEndOfBusiness=17;
+
+
+// globalDefaultEventDuration
+// This option sets the default duration (in minutes) for newly created events.
+// If undefined or null, globalCalendarEndOfBusiness value will be taken as
+// a default end time instead.
+// Example:
+var globalDefaultEventDuration=120;
+
+
+// globalAMPMFormat
+// This option enables to use 12 hours format (AM/PM) for displaying time.
+// NOTE: time format is predefined for each localization - use this option
+// ONLY if you want to use custom time format (instead of the localization
+// predefined one).
+// Example:
+//var globalAMPMFormat=false;
+
+
+// globalTimeFormatBasic
+// This option defines the time format information for events in month and
+// multiweek views. If undefined or null then default value is used.
+// If defined as empty string no time information is shown in these views.
+// See http://arshaw.com/fullcalendar/docs/utilities/formatDate/ for exact
+// formating rules.
+// Example:
+//var globalTimeFormatBasic='';
+
+
+// globalTimeFormatAgenda
+// This option defines the time format information for events in day and
+// week views. If undefined or null then default value is used.
+// If defined as empty string no time information is shown in these views.
+// See http://arshaw.com/fullcalendar/docs/utilities/formatDate/ for exact
+// formating rules.
+// Example:
+//var globalTimeFormatAgenda='';
+
+
+// globalDisplayHiddenEvents
+// This option defined whether events from unechecked calendars are displayed
+// with certain transparency (true) or completely hidden (false).
+// Example:
+var globalDisplayHiddenEvents=false;
+
+
+// globalTimeZoneSupport
+// This option enables timezone support in the client.
+// NOTE: timezone cannot be specified for all-day events because these don't
+// have start and end time.
+// If this option is disabled then local time is used.
+// Example:
+var globalTimeZoneSupport=true;
+
+
+// globalTimeZone
+// If timezone support is enabled, this option sets the default timezone.
+// See timezones.js or use the following command to get the list of supported
+// timezones (defined in timezones.js):
+// grep "'[^']\+': {" timezones.js | sed -Ee "s#(\s*'|':\s*\{)##g"
+// Example:
+var globalTimeZone='Europe/Paris';
+
+
+// globalTimeZonesEnabled
+// This option sets the list of available timezones in the interface (for the 
+// list of supported timezones see the comment for the previous configuration
+// option).
+// NOTE: if there is at least one event/todo with a certain timezone defined,
+// that timezone is enabled (even if it is not present in this list).
+// Example:
+//   var globalTimeZonesEnabled=['America/New_York', 'Europe/Berlin'];  
+var globalTimeZonesEnabled=[];
+
+
+// globalRewriteTimezoneComponent
+// This options sets whether the client will enhance/replace (if you edit an
+// event or todo) the timezone information using the official IANA timezone
+// database information (recommended).
+// Example:
+var globalRewriteTimezoneComponent=true;
+
+
+// globalRemoveUnknownTimezone
+// This options sets whether the client will remove all non-standard timezone
+// names from events and todos (if you edit an event or todo)
+// (e.g.: /freeassociation.sourceforge.net/Tzfile/Europe/Vienna)
+// Example:
+var globalRemoveUnknownTimezone=false;
+
+
+// globalShowHiddenAlarms
+// This option sets whether the client will show alarm notifications for
+// unchecked calendars. If this option is enabled and you uncheck a calendar
+// in the calendar list, alarm notifications will be temporary disabled for
+// unchecked calendar(s).
+// Example:
+var globalShowHiddenAlarms=false;
+
+
+// globalIgnoreCompletedOrCancelledAlarms
+// This options sets whether the client will show alarm notifications for
+// already completed or cancelled todos. If enabled then alarm notification
+// for completed and cancelled todos are disabled.
+// Example:
+var globalIgnoreCompletedOrCancelledAlarms=true;
+
+
+// globalMozillaSupport
+// Mozilla automatically treats custom repeating event calculations as if
+// the start day of the week is Monday, despite what day is chosen in settings.
+// Set this variable to true to use the same approach, ensuring compatible
+// event rendering in special cases.
+// Example:
+var globalMozillaSupport=false;
+
+
+// globalCalendarColorPropertyXmlns
+// This options sets the namespace used for storing the "calendar-color"
+// property by the client.
+// If true, undefined (or empty) "http://apple.com/ns/ical/" is used (Apple
+// compatible). If false, then the calendar color modification functionality
+// is completely disabled.
+// Example:
+//var globalCalendarColorPropertyXmlns=true;
+
+
+// globalWeekendDays
+// This option sets the list of days considered as weekend days (these
+// are faded out in the calendar interface). Non-weekend days are automatically
+// considered as business days.
+// Sunday is 0, Monday is 1, etc.
+// Example:
+var globalWeekendDays=[0, 6];
+
+
+// globalAppleRemindersMode
+// If this option is enabled then then client will use the same approach
+// for handling repeating reminders (todos) as Apple. It is STRONGLY
+// recommended to enabled this option if you use any Apple clients for
+// reminders (todos).
+// Supported options:
+// - 'iOS6'
+// - 'iOS7'
+// - true (support of the latest iOS version - 'iOS8')
+// - false
+// If this option is enabled:
+// - RFC todo support is SEVERELY limited and the client mimics the behaviour
+//   of Apple Reminders.app (to ensure maximum compatibility)
+// - when a single instance of repeating todo is edited, it becomes an
+//   autonomous non-repeating todo with NO relation to the original repeating
+//   todo
+// - capabilities of repeating todos are limited - only the first instance
+//   is ever visible in the interface
+// - support for todo DTSTART attribute is disabled
+// - support for todo STATUS attribute other than COMPLETED and NEEDS-ACTION
+//   is disabled
+// - [iOS6 only] support for LOCATION and URL attributes is disabled
+// Example:
+var globalAppleRemindersMode=true;
+
+
+// globalSubscribedCalendars
+// This option specifies a list of remote URLs to ics files (e.g.: used
+// for distributing holidays information). Subscribed calendars are
+// ALWAYS read-only. Remote servers where ics files are hosted MUST
+// return proper CORS headers (see readme.txt) otherwise this functionality
+// will not work!
+// NOTE: subsribed calendars are NOT "shared" calendars. For "shared"
+// calendars see the delegation option in globalAccountSettings,
+// globalNetworkCheckSettings and globalNetworkAccountSettings.
+// List of properties used in globalSubscribedCalendars variable:
+// - hrefLabel
+//   This options defines the header string above the subcsribed calendars.
+// - calendars
+//   This option specifies an array of remote calendar objects with the
+//   following properties:
+//   - href
+//     Set this option to the "full URL" of the remote calendar
+//   - userAuth
+//     NOTE: keep empty if remote authentication is not required!
+//     - userName
+//       Set the username you want to login.
+//     - userPassword
+//       Set the password for the given username.
+//   - typeList
+//     Set the list of objects you want to process from remote calendars;
+//     two options are available:
+//     - 'vevent' (show remote events in the interface) 
+//     - 'vtodo' (show remote todos in the interface) 
+//   - ignoreAlarm
+//     Set this option to true if you want to disable alarm notifications
+//     from the remote calendar.
+//   - displayName
+//     Set this option to the name of the calendar you want to see
+//     in the interface.
+//   - color
+//     Set the calendar color you want to see in the interface.
+// Example:
+//var globalSubscribedCalendars={
+//      hrefLabel: 'Subscribed',
+//      calendars: [
+//              {
+//                      href: 'http://something.com/calendar.ics',
+//                      userAuth: {
+//                              userName: '',
+//                              userPassword: ''
+//                      },
+//                      typeList: ['vevent', 'vtodo'],
+//                      ignoreAlarm: true,
+//                      displayName: 'Remote Calendar 1',
+//                      color: '#ff0000'
+//              },
+//              {
+//                      href: 'http://calendar.com/calendar2.ics',
+//                      ...
+//                      ...
+//              }
+//      ]
+//};
+
+
+
+// ******* CardDAV (CardDavMATE) related settings ******* //
+
+
+// globalLoadedAddressbookCollections
+// This option sets the list of addressbook collections (down)loaded after
+// login. If empty then all addressbook collections for the currently logged
+// user are loaded.
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalLoadedAddressbookCollections=[];
+
+
+// globalActiveAddressbookCollections
+// This options sets the list of addressbook collections checked (enabled
+// checkbox => data visible in the interface) by default after login.
+// If empty then all loaded addressbook collections for the currently logged
+// user are checked.
+// NOTE: only already (down)loaded collections can be checked (see
+// the globalLoadedAddressbookCollections option).
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+var globalActiveAddressbookCollections=[];
+
+
+// globalAddressbookSelected
+// This option sets which addressbook collection will be pre-selected
+// (if you create a new contact) by default after login.
+// The value must be URL encoded path to an addressbook collection,
+// for example: 'USER/addressbook/'
+// If empty or undefined then the first available addressbook collection
+// is selected automatically.
+// NOTE: only already (down)loaded collections can be pre-selected (see
+// the globalLoadedAddressbookCollections option).
+// NOTE: settings stored on the server (see settingsAccount) overwrite this
+// option.
+// Example:
+//var globalAddressbookSelected='';
+
+
+// globalCompatibility
+// This options is reserved for various compatibility settings.
+// NOTE: if this option is used the value must be an object.
+// Currently there is only one supported option:
+// - anniversaryOutputFormat
+//   Different clients use different (and incompatible) approach
+//   to store anniversary date in vCards. Apple stores this attribute as:
+//     itemX.X-ABDATE;TYPE=pref:2000-01-01\r\n
+//     itemX.X-ABLabel:_$!<Anniversary>!$_\r\n'
+//   other clients store this attribute as:
+//     X-ANNIVERSARY:2000-01-01\r\n
+//   Choose 'apple' or 'other' (lower case) for your 3rd party client
+//   compatibility. You can chose both: ['apple', 'other'], but it may
+//   cause many problems in the future, for example: duplicate anniversary
+//   dates, invalid/old anniversary date in your clients, ...)
+//   Examples:
+//     anniversaryOutputFormat: ['other']
+//     anniversaryOutputFormat: ['apple', 'other']
+// Example:
+var globalCompatibility={anniversaryOutputFormat: ['apple']};
+
+
+// globalUriHandler{Tel,Email,Url,Profile}
+// These options set the URI handlers for TEL, EMAIL, URL and X-SOCIALPROFILE
+// vCard attributes. Set them to null (or comment out) to disable.
+// NOTE: for globalUriHandlerTel is recommended to use 'tel:', 'callto:'
+// or 'skype:'. The globalUriHandlerUrl value is used only if no URI handler
+// is defined in the URL.
+// NOTE: it is safe to keep these values unchanged!
+// Example:
+var globalUriHandlerTel='tel:';
+var globalUriHandlerEmail='mailto:';
+var globalUriHandlerUrl='http://';
+var globalUriHandlerProfile={
+        'twitter': 'http://twitter.com/%u',
+        'facebook': 'http://www.facebook.com/%u',
+        'flickr': 'http://www.flickr.com/photos/%u',
+        'linkedin': 'http://www.linkedin.com/in/%u',
+        'myspace': 'http://www.myspace.com/%u',
+        'sinaweibo': 'http://weibo.com/n/%u'
+};
+
+
+// globalDefaultAddressCountry
+// This option sets the default country for new address fields.
+// See common.js or use the following command to get the list of
+// all supported country codes (defined in common.js):
+// grep -E "'[a-z]{2}':\s+\[" common.js | sed -Ee 's#^\s+|\s+\[\s+# #g'
+// Example:
+var globalDefaultAddressCountry='fr';
+
+
+// globalAddressCountryEquivalence
+// This option sets the processing of the country field specified
+// in the vCard ADR attribute.
+// By default the address field in vCard looks like:
+//   ADR;TYPE=WORK:;;1 Waters Edge;Baytown;LA;30314;USA\r\n
+// what cause a problem, because the country field is a plain
+// text and can contain any value, e.g.:
+//   USA
+//   United States of America
+//   US
+// and because the address format can be completely different for
+// each country, e.g.:
+//   China address example:
+//     [China]
+//     [Province] [City]
+//     [Street]
+//     [Postal]
+//   Japan address example:
+//     [Postal]
+//     [Prefecture] [County/City]
+//     [Further Divisions]
+//     [Japan]
+// the client needs to correctly detect the country from the ADR
+// attribute. Apple solved this problem by using:
+//   item1.ADR;TYPE=WORK:;;1 Waters Edge;Baytown;LA;30314;USA\r\n
+//   item1.X-ABADR:us\r\n
+// where the second "related" attribute defines the country code
+// for the ADR attribute. This client uses the same approach, but
+// if the vCard is created by 3rd party clients and the X-ABADR
+// is missing, it is possible to define additional "rules" for
+// country matching. These rules are specied by the country code
+// (for full list of country codes see the comment for pre previous
+// option) and a case insensitive regular expression (which matches
+// the plain text value in the country field).
+// NOTE: if X-ABADR is not present and the country not matches any
+// country defined in this option, then globalDefaultAddressCountry
+// is used by default.
+// Example:
+var globalAddressCountryEquivalence=[
+        {country: 'de', regex: '^\\W*Deutschland\\W*$'},
+        {country: 'sk', regex: '^\\W*Slovensko\\W*$'}
+];
+
+
+// globalAddressCountryFavorites
+// This option defines the list of countries which are shown at the top
+// of the country list in the interface (for full list of country codes
+// see the comment for pre globalDefaultAddressCountry option).
+// Example:
+//   var globalAddressCountryFavorites=['de','sk'];
+var globalAddressCountryFavorites=[];
+
+
+// globalAddrColorPropertyXmlns
+// This options sets the namespace used for storing the "addressbook-color"
+// property by the client.
+// If true, undefined (or empty) "http://inf-it.com/ns/ab/" is used.
+// If false, then the addressbook color modification functionality
+// is completely disabled, and addressbook colors in the interface are
+// generated automatically.
+// Example:
+//var globalAddrColorPropertyXmlns=true;
+
+
+// globalContactStoreFN
+// This option specifies how the FN (formatted name) is stored into vCard.
+// The value for this options must be an array of strings, that can contain
+// the following variables:
+//   prefix
+//   last
+//   middle
+//   first
+//   suffix
+// The string element of the array can contain any other characters (usually
+// space or colon). Elements are added into FN only if the there is
+// a variable match, for example if:
+//     last='Lastname'
+//     first='Firstname'
+//     middle='' (empty)
+//   and this option is set to:
+//     ['last', ' middle', ' first'] (space in the second and third element)
+//   the resulting value for FN will be: 'Lastname Firstname' and not
+//   'Lastname  Firstname' (two spaces), because the middle name is empty (so
+//   the second element is completely ignored /not added into FN/).
+// NOTE: this attribute is NOT used by this client, and it is also NOT
+// possible to directly edit it in the interface.
+// Examples:
+//   var globalContactStoreFN=[' last', ' middle', ' first'];
+//   var globalContactStoreFN=['last', ', middle', ' ,first'];
+var globalContactStoreFN=['prefix',' last',' middle',' first',' suffix'];
+
+
+// globalGroupContactsByCompanies
+// This options specifies how contacts are grouped in the interface.
+// By default the interface looks like (very simple example):
+//   A
+//    Adams Adam
+//    Anderson Peter
+//   B
+//    Brown John
+//    Baker Josh
+// if grouped by company/deparment the result is:
+//   Company A [Department X]
+//    Adams Adam
+//    Brown John
+//   Company B [Department Y]
+//    Anderson Peter
+//    Baker Josh
+// If this option is set to true contacts are grouped by company/department,
+// otherwise (default) contacts are grouped by letters of the alphabet.
+// If undefined or not true, grouping by alphabet letters is used.
+// NOTE: see also the globalCollectionDisplay option below.
+var globalGroupContactsByCompanies=false;
+
+
+// globalCollectionDisplay
+// This options specifies how data columns in the contact list are displayed.
+//
+// NOTE: columns are displayed ONLY if there is enought horizontal place in
+// the browser window (e.g. if you define 5 columns here, but your browser
+// window is not wide enough, you will see only first 3 columns instead of 5).
+//
+// NOTE: see the globalContactDataMinVisiblePercentage option which defines the
+// width for columns.
+//
+// The value must be an array of columns, where each column is represented by
+// an object with the following properties:
+//   label => the value of this option is a string used as column header
+//     You can use the following localized variables in the label string:
+//     - {Name}
+//     - {FirstName}
+//     - {LastName}
+//     - {MiddleName}
+//     - {NickName}
+//     - {Prefix}
+//     - {Suffix}
+//     - {BirthDay}
+//     - {PhoneticLastName}
+//     - {PhoneticFirstName}
+//     - {JobTitle}
+//     - {Company}
+//     - {Department}
+//     - {Categories}
+//     - {NoteText}
+//     - {Address}, {AddressWork}, {AddressHome}, {AddressOther}
+//     - {Phone}, {PhoneWork}, {PhoneHome}, {PhoneCell}, {PhoneMain},
+//       {PhonePager}, {PhoneFax}, {PhoneIphone}, {PhoneOther}
+//     - {Email}, {EmailWork}, {EmailHome}, {EmailMobileme}, {EmailOther}
+//     - {URL}, {URLWork}, {URLHome}, {URLHomepage}, {URLOther}
+//     - {Dates}, {DatesAnniversary}, {DatesOther}
+//     - {Related}, {RelatedManager}, {RelatedAssistant}, {RelatedFather},
+//       {RelatedMother}, {RelatedParent}, {RelatedBrother}, {RelatedSister},
+//       {RelatedChild}, {RelatedFriend}, {RelatedSpouse}, {RelatedPartner},
+//       {RelatedOther}
+//     - {Profile}, {ProfileTwitter}, {ProfileFacebook}, {ProfileFlickr},
+//       {ProfileLinkedin}, {ProfileMyspace}, {ProfileSinaweibo}
+//     - {IM}, {IMWork}, {IMHome}, {IMMobileme}, {IMOther}, {IMAim}, {IMIcq},
+//       {IMIrc}, {IMJabber}, {IMMsn}, {IMYahoo}, {IMFacebook}, {IMGadugadu},
+//       {IMGoogletalk}, {IMQq}, {IMSkype}
+//   value => the value of this option is an array of format strings, or
+//     an object with the following properties:
+//     - company (used for company contacts)
+//     - personal (used for user contacts)
+//     where the value of these properties is an array of format strings used
+//     for company or user contacts (you can have different values in the same
+//     column for personal and company contacts).
+//     You can use the following simple variables in the format string:
+//     - {FirstName}
+//     - {LastName}
+//     - {MiddleName}
+//     - {NickName}
+//     - {Prefix}
+//     - {Suffix}
+//     - {BirthDay}
+//     - {PhoneticLastName}
+//     - {PhoneticFirstName}
+//     - {JobTitle}
+//     - {Company}
+//     - {Department}
+//     - {Categories}
+//     - {NoteText}
+//     You can also use parametrized variables, where the parameter is enclosed
+//     in square bracket. Paramatrized variables are useful to extract data
+//     such as home phone {Phone[type=home]}, extract the second phone number
+//     {Phone[:1]} (zero based indexing) or extract the third home phone number
+//     {Phone[type=home][:2]} from the vCard.
+//     NOTE: if the parametrized variable matches multiple items, e.g.:
+//     {Phone[type=work]} (if the contact has multiple work phones) then the
+//     first one is used!
+//
+//     The following parametrized variables are supported (note: you can use
+//     all of them also without parameters /the first one will be used/):
+//     - {Address[type=XXX]} or {Address[:NUM]} or {Address[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - work
+//       - home
+//       - other
+//       - any other custom value
+//     - {Phone[type=XXX]} or {Phone[:NUM]} or {Phone[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - work
+//       - home
+//       - cell
+//       - main
+//       - pager
+//       - fax
+//       - iphone
+//       - other
+//       - any other custom value
+//     - {Email[type=XXX]} or {Email[:NUM]} or {Email[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - work
+//       - home
+//       - mobileme
+//       - other
+//       - any other custom value
+//     - {URL[type=XXX]} or {URL[:NUM]} or {URL[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - work
+//       - home
+//       - homepage
+//       - other
+//       - any other custom value
+//     - {Dates[type=XXX]} or {Dates[:NUM]} or {Dates[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - anniversary
+//       - other
+//       - any other custom value
+//     - {Related[type=XXX]} or {Related[:NUM]} or {Related[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - manager
+//       - assistant
+//       - father
+//       - mother
+//       - parent
+//       - brother
+//       - sister
+//       - child
+//       - friend
+//       - spouse
+//       - partner
+//       - other
+//       - any other custom value
+//     - {Profile[type=XXX]} or {Profile[:NUM]} or {Profile[type=XXX][:NUM]}
+//       where supported values for XXX are:
+//       - twitter
+//       - facebook
+//       - flickr
+//       - linkedin
+//       - myspace
+//       - sinaweibo
+//       - any other custom value
+//     - {IM[type=XXX]} or {IM[service-type=YYY]} or {IM[:NUM]}
+//       where supported values for XXX are:
+//       - work
+//       - home
+//       - mobileme
+//       - other
+//       - any other custom value
+//       and supported values for YYY are:
+//       - aim
+//       - icq
+//       - irc
+//       - jabber
+//       - msn
+//       - yahoo
+//       - facebook
+//       - gadugadu
+//       - googletalk
+//       - qq
+//       - skype
+//       - any other custom value
+//
+//   NOTE: if you want to use the "any other custom value" option (for XXX
+//   or YYY above) you MUST double escape the following characters:
+//     =[]{}\
+//   for example:
+//   - for profile type "=XXX=" use: '{Profile[type=\\=XXX\\=]}'
+//   - for profile type "\XXX\" use: '{Profile[type=\\\\XXX\\\\]}'
+//
+//   NOTE: if you want to use curly brackets in the format string you must
+//   double escape it, e.g.: ['{Company}', '\\{{Department}\\}']
+//
+//   The format string (for the value option) is an array to allow full
+//   customization of the interface. For example if:
+//     value: ['{LastName} {MiddleName} {FirstName}']
+//   and the person has no middle name, then the result in the column
+//   will be (without quotes):
+//     "Parker  Peter" (note: two space characters)
+//   but if you use:
+//     value: ['{LastName}', ' {MiddleName}', ' {FirstName}']
+//   then the result will be (without quotes):
+//     "Parker Peter" (note: only one space character)
+//   The reason is that only those elements of the array are appended
+//   into the result where non-empty substitution was performed (so the
+//   ' {MiddleName}' element in this case is ignored, because the person
+//   in the example above has no /more precisely has empty/ middle name).
+//
+// Examples:
+// To specify two columns (named "Company" and "Department / LastName"),
+// where the first will display the company name, and the second will display
+// department for company contacts (with "Dep -" prefix), and lastname for
+// personal contacts (with "Name -" prefix) use:
+// var globalCollectionDisplay=[
+//      {
+//              label: 'Company',
+//              value: ['{Company}']
+//      },
+//      {
+//              label: 'Department / LastName',
+//              value: {
+//                      company: ['Dep - {Department}'],
+//                      personal: ['Name - {LastName}']
+//              }
+//      }
+// ];
+// To specify 3 columns (named "Categories", "URL" and "IM"), where the first
+// will display categories, second will display the third work URL, and third
+// will display ICQ IM use:
+// var globalCollectionDisplay=[
+//      {
+//              label: 'Categories',
+//              value: ['{Categories}']
+//      },
+//      {
+//              label: 'URL',
+//              value: ['{URL[type=WORK][:2]}']
+//      },
+//      {
+//              label: 'IM',
+//              value: ['{IM[service-type=ICQ]}']
+//      }
+// ];
+//
+// Recommended settings if globalGroupContactsByCompanies
+// is set to false:
+// var globalCollectionDisplay=[
+//      {
+//              label: '{Name}',
+//              value: ['{LastName}', ' {MiddleName}', ' {FirstName}']
+//      },
+//      {
+//              label: '{Company} [{Department}]',
+//              value: ['{Company}', ' [{Department}]']
+//      },
+//      {
+//              label: '{JobTitle}',
+//              value: ['{JobTitle}']
+//      },
+//      {
+//              label: '{Email}',
+//              value: ['{Email[:0]}']
+//      },
+//      {
+//              label: '{Phone} 1',
+//              value: ['{Phone[:0]}']
+//      },
+//      {
+//              label: '{Phone} 2',
+//              value: ['{Phone[:1]}']
+//      },
+//      {
+//              label: '{NoteText}',
+//              value: ['{NoteText}']
+//      }
+// ];
+//
+// Recommended settings if globalGroupContactsByCompanies
+// is set to true:
+// var globalCollectionDisplay=[
+//      {
+//              label: '{Name}',
+//              value: {
+//                      personal: ['{LastName}', ' {MiddleName}', ' {FirstName}'],
+//                      company: ['{Company}', ' [{Department}]']
+//              }
+//      },
+//      {
+//              label: '{JobTitle}',
+//              value: ['{JobTitle}']
+//      },
+//      {
+//              label: '{Email}',
+//              value: ['{Email[:0]}']
+//      },
+//      {
+//              label: '{Phone} 1',
+//              value: ['{Phone[:0]}']
+//      },
+//      {
+//              label: '{Phone} 2',
+//              value: ['{Phone[:1]}']
+//      },
+//      {
+//              label: '{NoteText}',
+//              value: ['{NoteText}']
+//      }
+// ];
+//
+// NOTE: if left undefined, the recommended settings will be used.
+
+
+// globalCollectionSort
+// This options sets the ordering of contacts in the interface. In general
+// contacts are ordered alphabetically by an internal "sort string" which
+// is created for each contact. Here you can specify how this internal string
+// is created. The value is a simple array holding only the values from the
+// value property defined in the globalCollectionDisplay option.
+// If undefined, the definition from globalCollectionDisplay is used.
+// Example:
+// var globalCollectionSort = [
+//      ['{LastName}'],
+//      ['{FirstName}'],
+//      ['{MiddleName}'],
+//      {
+//              company: ['{Categories}'],
+//              personal: ['{Company}']
+//      }
+// ];
+var globalCollectionSort=[
+  ['{LastName}'],
+  ['{FirstName}'],
+  ['{MiddleName}']
+];
+
+
+// globalContactDataMinVisiblePercentage
+// This option defines how the width for columns are computed. If you set
+// it to 1 then 100% of all data in the column will be visible (the column
+// width is determined by the longest string in the column). If you set it
+// to 0.95 then 95% of data will fit into the column width, and the remaining
+// 5% will be truncated (" ...").
+// Example:
+var globalContactDataMinVisiblePercentage=0.95;
+
+
diff --git a/virtual/modules/websites/tools/db/default.nix b/virtual/modules/websites/tools/db/default.nix
new file mode 100644
index 0000000..20f77c7
--- /dev/null
+++ b/virtual/modules/websites/tools/db/default.nix
@@ -0,0 +1,23 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    adminer = pkgs.callPackage ../../commons/adminer.nix {};
+
+    cfg = config.services.myWebsites.tools.databases;
+in {
+  options.services.myWebsites.tools.databases = {
+    enable = lib.mkEnableOption "enable database's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # FIXME: include it in vhostConf ?
+    security.acme.certs."eldiron".extraDomains."db-1.immae.eu" = null;
+
+    services.myWebsites.tools.modules = adminer.apache.modules;
+    services.myWebsites.tools.vhostConfs.db-1 = {
+      certName    = "eldiron";
+      hosts       = ["db-1.immae.eu" ];
+      root        = null;
+      extraConfig = [ adminer.apache.vhostConf ];
+    };
+  };
+}
diff --git a/virtual/modules/websites/tools/git/default.nix b/virtual/modules/websites/tools/git/default.nix
new file mode 100644
index 0000000..0a63013
--- /dev/null
+++ b/virtual/modules/websites/tools/git/default.nix
@@ -0,0 +1,46 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    mantisbt = pkgs.callPackage ./mantisbt/mantisbt.nix { inherit (mylibs) checkEnv fetchedGithub; };
+    gitweb = pkgs.callPackage ./gitweb/gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
+
+    cfg = config.services.myWebsites.tools.git;
+in {
+  options.services.myWebsites.tools.git = {
+    enable = lib.mkEnableOption "enable git's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    # FIXME: include it in vhostConf ?
+    security.acme.certs."eldiron".extraDomains."git.immae.eu" = null;
+
+    nixpkgs.config.packageOverrides = oldpkgs: rec {
+      gitweb = oldpkgs.gitweb.overrideAttrs(old: {
+        installPhase = old.installPhase + ''
+          cp -r ${./gitweb/theme} $out/gitweb-theme;
+          '';
+      });
+    };
+
+    services.myWebsites.tools.modules =
+      gitweb.apache.modules ++
+      mantisbt.apache.modules;
+
+    services.myWebsites.tools.vhostConfs.git = {
+      certName    = "eldiron";
+      hosts       = ["git.immae.eu" ];
+      root        = gitweb.webRoot;
+      extraConfig = [
+        gitweb.apache.vhostConf
+        mantisbt.apache.vhostConf
+        ''
+          RewriteEngine on
+          RewriteCond %{REQUEST_URI}       ^/releases
+          RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
+          ''
+      ];
+    };
+    services.myPhpfpm.poolConfigs = {
+      mantisbt = mantisbt.phpFpm.pool;
+    };
+  };
+}
diff --git a/virtual/modules/gitweb/gitweb.nix b/virtual/modules/websites/tools/git/gitweb/gitweb.nix
index 7b4dcac..7b4dcac 100644
--- a/virtual/modules/gitweb/gitweb.nix
+++ b/virtual/modules/websites/tools/git/gitweb/gitweb.nix
diff --git a/virtual/modules/gitweb/theme/git-favicon.png b/virtual/modules/websites/tools/git/gitweb/theme/git-favicon.png
index 4fa44bb..4fa44bb 100644
--- a/virtual/modules/gitweb/theme/git-favicon.png
+++ b/virtual/modules/websites/tools/git/gitweb/theme/git-favicon.png
diff --git a/virtual/modules/gitweb/theme/git-logo.png b/virtual/modules/websites/tools/git/gitweb/theme/git-logo.png
index fdaf7b7..fdaf7b7 100644
--- a/virtual/modules/gitweb/theme/git-logo.png
+++ b/virtual/modules/websites/tools/git/gitweb/theme/git-logo.png
diff --git a/virtual/modules/gitweb/theme/gitweb.css b/virtual/modules/websites/tools/git/gitweb/theme/gitweb.css
index 83e0742..83e0742 100644
--- a/virtual/modules/gitweb/theme/gitweb.css
+++ b/virtual/modules/websites/tools/git/gitweb/theme/gitweb.css
diff --git a/virtual/modules/gitweb/theme/gitweb.js b/virtual/modules/websites/tools/git/gitweb/theme/gitweb.js
index 72f3cfa..72f3cfa 100644
--- a/virtual/modules/gitweb/theme/gitweb.js
+++ b/virtual/modules/websites/tools/git/gitweb/theme/gitweb.js
diff --git a/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-slack.json b/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-slack.json
new file mode 100644
index 0000000..54ea38b
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-slack.json
@@ -0,0 +1,15 @@
+{
+  "tag": "9286d2e-master",
+  "meta": {
+    "name": "mantisbt-plugin-slack",
+    "url": "https://github.com/mantisbt-plugins/Slack",
+    "branch": "master"
+  },
+  "github": {
+    "owner": "mantisbt-plugins",
+    "repo": "Slack",
+    "rev": "9286d2eeeb8a986ed949e378711fef5f0bf182dc",
+    "sha256": "0nn0v4jc967giilkzrppi5svd04m2hnals75xxp0iabcdjnih0mn",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-source-integration.json b/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-source-integration.json
new file mode 100644
index 0000000..e36a68c
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-source-integration.json
@@ -0,0 +1,15 @@
+{
+  "tag": "v2.1.5",
+  "meta": {
+    "name": "mantisbt-plugin-source-integration",
+    "url": "https://github.com/mantisbt-plugins/source-integration",
+    "branch": "refs/tags/v2.1.5"
+  },
+  "github": {
+    "owner": "mantisbt-plugins",
+    "repo": "source-integration",
+    "rev": "a48039a20abc50864e0e68c0c843b27058404386",
+    "sha256": "07g6q3hivmnd94r47pp0snk5bv4pa3piwclc9qhj612i4wnsazsk",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-source-integration_Source.API.php.diff b/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-source-integration_Source.API.php.diff
new file mode 100644
index 0000000..c355144
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/mantisbt-plugin-source-integration_Source.API.php.diff
@@ -0,0 +1,12 @@
+--- b/Source/Source.API.php     2017-09-18 00:50:32.000000000 +0200
++++ a/Source/Source.API.php     2018-03-04 19:00:25.578889039 +0100
+@@ -452,6 +452,9 @@
+        # Allow other plugins to post-process commit data
+        event_signal( 'EVENT_SOURCE_COMMITS', array( $p_changesets ) );
+        event_signal( 'EVENT_SOURCE_FIXED', array( $t_fixed_bugs ) );
++       foreach( $t_fixed_bugs as $t_bug_id => $t_changeset ) {
++          event_signal( 'EVENT_BUG_ACTION', array('RESOLVE', $t_bug_id) );
++        }
+ }
+ 
+ /**
diff --git a/virtual/modules/websites/tools/git/mantisbt/mantisbt.nix b/virtual/modules/websites/tools/git/mantisbt/mantisbt.nix
new file mode 100644
index 0000000..009c902
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/mantisbt.nix
@@ -0,0 +1,124 @@
+{ lib, checkEnv, writeText, stdenv, fetchurl, fetchedGithub }:
+let
+  # FIXME: check that source-integration and slack still work
+  mantisbt = let
+    plugins = {
+      slack = stdenv.mkDerivation (fetchedGithub ./mantisbt-plugin-slack.json // rec {
+        installPhase = ''
+          sed -i -e "s/return '@' . \\\$username;/return \\\$username;/" Slack.php
+          cp -a . $out
+          '';
+      });
+      source-integration = stdenv.mkDerivation (fetchedGithub ./mantisbt-plugin-source-integration.json // rec {
+        installPhase = ''
+          mkdir $out
+          patch -p1 < ${./mantisbt-plugin-source-integration_Source.API.php.diff}
+          cp -a Source* $out/
+        '';
+      });
+    };
+  in rec {
+    config = 
+      assert checkEnv "NIXOPS_MANTISBT_DB_PASSWORD";
+      assert checkEnv "NIXOPS_MANTISBT_MASTER_SALT";
+      assert checkEnv "NIXOPS_MANTISBT_LDAP_PASSWORD";
+      writeText "config_inc.php" ''
+      <?php
+      $g_hostname              = 'db-1.immae.eu';
+      $g_db_username           = 'mantisbt';
+      $g_db_password           = '${builtins.getEnv "NIXOPS_MANTISBT_DB_PASSWORD"}';
+      $g_database_name         = 'mantisbt';
+      $g_db_type               = 'pgsql';
+      $g_crypto_master_salt    = '${builtins.getEnv "NIXOPS_MANTISBT_MASTER_SALT"}';
+      $g_allow_signup          = OFF;
+      $g_allow_anonymous_login = ON;
+      $g_anonymous_account     = 'anonymous';
+
+      $g_phpMailer_method       = PHPMAILER_METHOD_SMTP;
+      $g_smtp_host              = 'mail.immae.eu';
+      $g_smtp_username          = ''';
+      $g_smtp_password          = ''';
+      $g_webmaster_email        = 'webmaster@immae.eu';
+      $g_from_email             = 'noreply@immae.eu';
+      $g_return_path_email      = 'webmaster@immae.eu';
+      $g_from_name              = 'Mantis Bug Tracker at immae.eu';
+      $g_email_receive_own      = OFF;
+      # --- LDAP ---
+      $g_login_method = LDAP;
+      $g_ldap_protocol_version = 3;
+      $g_ldap_server = 'ldaps://ldap.immae.eu:636';
+      $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
+      $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
+      $g_ldap_bind_passwd = '${builtins.getEnv "NIXOPS_MANTISBT_LDAP_PASSWORD"}';
+      $g_use_ldap_email = ON;
+      $g_use_ldap_realname = ON;
+      $g_ldap_uid_field = 'uid'; 
+      $g_ldap_realname_field = 'cn';
+      $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
+      '';
+    webRoot = stdenv.mkDerivation rec {
+      name = "mantisbt-${version}";
+      version = "2.11.1";
+      src = fetchurl {
+        url = "https://downloads.sourceforge.net/project/mantisbt/mantis-stable/${version}/${name}.tar.gz";
+        sha256 = "0jnrqz6r2hf53v0k1lh3il7hlfiphn61r9wgg6mzyywkjxwq07md";
+      };
+      patches = [
+        ./patches/bug_report.php.diff
+        ./patches/bug_report_page.php.diff
+        ./patches/bugnote_add.php.diff
+        ./patches/bugnote_add_inc.php.diff
+        ];
+      installPhase = ''
+        cp -a . $out
+        ln -s ${config} $out/config/config_inc.php
+        ln -s ${plugins.slack} $out/plugins/Slack
+        ln -s ${plugins.source-integration}/Source* $out/plugins/
+      '';
+    };
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      modules = [ "proxy_fcgi" ];
+      vhostConf = ''
+        Alias /mantisbt "${webRoot}"
+        <Directory "${webRoot}">
+          DirectoryIndex index.php
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+          </FilesMatch>
+
+          AllowOverride All
+          Options FollowSymlinks
+          Require all granted
+        </Directory>
+        <Directory "${webRoot}/admin">
+          #Reenable during upgrade
+          Require all denied
+        </Directory>
+        '';
+    };
+    phpFpm = rec {
+      basedir = builtins.concatStringsSep ":" (
+        [ webRoot config ]
+        ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
+      socket = "/var/run/phpfpm/mantisbt.sock";
+      pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = ondemand
+        pm.max_children = 60
+        pm.process_idle_timeout = 60
+
+        php_admin_value[upload_max_filesize] = 5000000
+
+        php_admin_value[open_basedir] = "${basedir}:/tmp"
+        php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt"
+        '';
+    };
+  };
+in 
+  mantisbt
diff --git a/virtual/modules/websites/tools/git/mantisbt/patches/bug_report.php.diff b/virtual/modules/websites/tools/git/mantisbt/patches/bug_report.php.diff
new file mode 100644
index 0000000..a520043
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/patches/bug_report.php.diff
@@ -0,0 +1,20 @@
+--- a/bug_report.php    2018-02-10 21:29:27.000000000 +0100
++++ b/bug_report.php    2018-03-03 15:04:19.622499678 +0100
+@@ -149,6 +149,17 @@
+        access_ensure_project_level( config_get( 'update_bug_assign_threshold' ) );
+ }
+ 
++# begin captcha check for anon user
++if ( current_user_is_anonymous() && get_gd_version() > 0 ) {
++  $f_captcha = gpc_get_string( 'captcha', '' );
++  $f_captcha = utf8_strtolower( trim( $f_captcha ) );
++
++  $t_securimage = new Securimage();
++  if( $t_securimage->check( $f_captcha ) == false ) {
++    trigger_error( ERROR_SIGNUP_NOT_MATCHING_CAPTCHA, ERROR );
++  }
++}
++
+ # if a profile was selected then let's use that information
+ if( 0 != $t_bug_data->profile_id ) {
+        if( profile_is_global( $t_bug_data->profile_id ) ) {
diff --git a/virtual/modules/websites/tools/git/mantisbt/patches/bug_report_page.php.diff b/virtual/modules/websites/tools/git/mantisbt/patches/bug_report_page.php.diff
new file mode 100644
index 0000000..80dea91
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/patches/bug_report_page.php.diff
@@ -0,0 +1,53 @@
+--- a/bug_report_page.php       2018-02-10 21:29:27.000000000 +0100
++++ b/bug_report_page.php       2018-03-03 15:04:19.622499678 +0100
+@@ -708,7 +708,50 @@
+                                <span class="lbl padding-6"><?php echo lang_get( 'check_report_more_bugs' ) ?></span>
+                        </label>
+                </td>
+        </tr>
++<?php
++       # captcha image requires GD library and related option to ON
++       if( current_user_is_anonymous() && get_gd_version() > 0 ) {
++               $t_securimage_path = 'vendor/dapphp/securimage';
++               $t_securimage_show = $t_securimage_path . '/securimage_show.php';
++               $t_securimage_play = $t_securimage_path . '/securimage_play.swf?'
++                       . http_build_query( array(
++                               'audio_file' => $t_securimage_path . '/securimage_play.php',
++                               'bgColor1=' => '#fff',
++                               'bgColor2=' => '#fff',
++                               'iconColor=' => '#777',
++                               'borderWidth=' => 1,
++                               'borderColor=' => '#000',
++                       ) );
++?>
++       <tr>
++               <th class="category">CAPTCHA</th>
++               <td>
++
++                               <label for="captcha-field" class="block clearfix">
++                                       <strong><?php echo lang_get( 'signup_captcha_request_label' ); ?></strong>
++                               </label>
++                               <span id="captcha-input" class="input">
++                                       <?php print_captcha_input( 'captcha' ); ?>
++
++                                       <span id="captcha-image" class="captcha-image" style="padding-right:3px;">
++                                               <img src="<?php echo $t_securimage_show; ?>" alt="visual captcha" />
++                                               <ul id="captcha-refresh"><li><a href="#"><?php
++                                                       echo lang_get( 'signup_captcha_refresh' );
++                                               ?></a></li></ul>
++                                       </span>
++
++                                       <object type="application/x-shockwave-flash" width="19" height="19"
++                                               data="<?php echo $t_securimage_play; ?>">
++                                               <param name="movie" value="<?php echo $t_securimage_play; ?>" />
++                                       </object>
++                               </span>
++                </td>
++        </tr>
++<?php
++                       }
++?>
++
+ </table>
+ </div>
+ </div>
diff --git a/virtual/modules/websites/tools/git/mantisbt/patches/bugnote_add.php.diff b/virtual/modules/websites/tools/git/mantisbt/patches/bugnote_add.php.diff
new file mode 100644
index 0000000..4509f0a
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/patches/bugnote_add.php.diff
@@ -0,0 +1,20 @@
+--- a/bugnote_add.php   2018-02-10 21:29:27.000000000 +0100
++++ b/bugnote_add.php   2018-03-03 15:13:12.439919511 +0100
+@@ -44,6 +44,17 @@
+ 
+ $t_query = array( 'issue_id' => $f_bug_id );
+ 
++# begin captcha check for anon user
++if ( current_user_is_anonymous() && get_gd_version() > 0 ) {
++  $f_captcha = gpc_get_string( 'captcha', '' );
++  $f_captcha = utf8_strtolower( trim( $f_captcha ) );
++
++  $t_securimage = new Securimage();
++  if( $t_securimage->check( $f_captcha ) == false ) {
++    trigger_error( ERROR_SIGNUP_NOT_MATCHING_CAPTCHA, ERROR );
++  }
++}
++
+ if( count( $f_files ) > 0 && is_blank( $f_text ) && helper_duration_to_minutes( $f_duration ) == 0 ) {
+        $t_payload = array(
+                'files' => helper_array_transpose( $f_files )
diff --git a/virtual/modules/websites/tools/git/mantisbt/patches/bugnote_add_inc.php.diff b/virtual/modules/websites/tools/git/mantisbt/patches/bugnote_add_inc.php.diff
new file mode 100644
index 0000000..a8589c7
--- /dev/null
+++ b/virtual/modules/websites/tools/git/mantisbt/patches/bugnote_add_inc.php.diff
@@ -0,0 +1,52 @@
+--- a/bugnote_add_inc.php       2018-02-10 21:29:27.000000000 +0100
++++ b/bugnote_add_inc.php       2018-03-03 15:14:27.332428557 +0100
+@@ -119,6 +119,49 @@
+                                        <textarea name="bugnote_text" id="bugnote_text" class="<?php echo $t_bugnote_class ?>" rows="7"></textarea>
+                                </td>
+                        </tr>
++<?php
++       # captcha image requires GD library and related option to ON
++       if( current_user_is_anonymous() && get_gd_version() > 0 ) {
++               $t_securimage_path = 'vendor/dapphp/securimage';
++               $t_securimage_show = $t_securimage_path . '/securimage_show.php';
++               $t_securimage_play = $t_securimage_path . '/securimage_play.swf?'
++                       . http_build_query( array(
++                               'audio_file' => $t_securimage_path . '/securimage_play.php',
++                               'bgColor1=' => '#fff',
++                               'bgColor2=' => '#fff',
++                               'iconColor=' => '#777',
++                               'borderWidth=' => 1,
++                               'borderColor=' => '#000',
++                       ) );
++?>
++       <tr>
++               <th class="category">CAPTCHA</th>
++               <td>
++
++                               <label for="captcha-field" class="block clearfix">
++                                       <strong><?php echo lang_get( 'signup_captcha_request_label' ); ?></strong>
++                               </label>
++                               <span id="captcha-input" class="input">
++                                       <?php print_captcha_input( 'captcha' ); ?>
++
++                                       <span id="captcha-image" class="captcha-image" style="padding-right:3px;">
++                                               <img src="<?php echo $t_securimage_show; ?>" alt="visual captcha" />
++                                               <ul id="captcha-refresh"><li><a href="#"><?php
++                                                       echo lang_get( 'signup_captcha_refresh' );
++                                               ?></a></li></ul>
++                                       </span>
++
++                                       <object type="application/x-shockwave-flash" width="19" height="19"
++                                               data="<?php echo $t_securimage_play; ?>">
++                                               <param name="movie" value="<?php echo $t_securimage_play; ?>" />
++                                       </object>
++                               </span>
++                </td>
++        </tr>
++<?php
++                       }
++?>
++
+ 
+ <?php
+        if( config_get( 'time_tracking_enabled' ) ) {
diff --git a/virtual/modules/websites/tools/tools/default.nix b/virtual/modules/websites/tools/tools/default.nix
new file mode 100644
index 0000000..f29ac11
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/default.nix
@@ -0,0 +1,65 @@
+{ lib, pkgs, config, mylibs, ... }:
+let
+    adminer = pkgs.callPackage ../../commons/adminer.nix {};
+    ympd = pkgs.callPackage ./ympd.nix {};
+    ttrss = pkgs.callPackage ./ttrss.nix { inherit (mylibs) checkEnv fetchedGithub fetchedGit; };
+    roundcubemail = pkgs.callPackage ./roundcubemail.nix { inherit (mylibs) checkEnv; };
+
+    cfg = config.services.myWebsites.tools.tools;
+in {
+  options.services.myWebsites.tools.tools = {
+    enable = lib.mkEnableOption "enable tools website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."eldiron".extraDomains."tools.immae.eu" = null;
+
+    services.myWebsites.tools.modules =
+      adminer.apache.modules
+      ++ ympd.apache.modules
+      ++ ttrss.apache.modules
+      ++ roundcubemail.apache.modules;
+
+    services.ympd = ympd.config // { enable = false; };
+
+    services.myWebsites.tools.vhostConfs.tools = {
+      certName    = "eldiron";
+      hosts       = ["tools.immae.eu" ];
+      root        = null;
+      extraConfig = [
+        adminer.apache.vhostConf
+        ympd.apache.vhostConf
+        ttrss.apache.vhostConf
+        roundcubemail.apache.vhostConf
+      ];
+    };
+
+    services.myPhpfpm.poolConfigs = {
+      adminer = adminer.phpFpm.pool;
+      ttrss = ttrss.phpFpm.pool;
+      roundcubemail = roundcubemail.phpFpm.pool;
+    };
+
+    system.activationScripts = {
+      ttrss = ttrss.activationScript;
+      roundcubemail = roundcubemail.activationScript;
+    };
+
+    systemd.services.tt-rss = {
+      description = "Tiny Tiny RSS feeds update daemon";
+      serviceConfig = {
+        User = "wwwrun";
+        ExecStart = "${pkgs.php}/bin/php ${ttrss.webRoot}/update.php --daemon";
+        StandardOutput = "syslog";
+        StandardError = "syslog";
+        PermissionsStartOnly = true;
+      };
+
+      wantedBy = [ "multi-user.target" ];
+      requires = ["postgresql.service"];
+      after = ["network.target" "postgresql.service"];
+    };
+
+  };
+}
+
diff --git a/virtual/modules/websites/tools/tools/roundcubemail.nix b/virtual/modules/websites/tools/tools/roundcubemail.nix
new file mode 100644
index 0000000..1aa2d87
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/roundcubemail.nix
@@ -0,0 +1,110 @@
+{ lib, checkEnv, writeText, stdenv, fetchurl }:
+let
+  roundcubemail = let
+    plugins = {};
+  in rec {
+    varDir = "/var/lib/roundcubemail";
+    # FIXME: initial sync
+    activationScript = {
+      deps = [ "wrappers" ];
+      text = ''
+        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+          ${varDir}/cache
+        install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+      '';
+    };
+    config =
+      # FIXME: LOG_DESTINATION syslog?
+      assert checkEnv "NIXOPS_ROUNDCUBEMAIL_PSQL_URL";
+      assert checkEnv "NIXOPS_ROUNDCUBEMAIL_SECRET";
+      writeText "config.php" ''
+      <?php
+        $config['db_dsnw'] = '${builtins.getEnv "NIXOPS_ROUNDCUBEMAIL_PSQL_URL"}';
+        $config['default_host'] = 'ssl://mail.immae.eu';
+        $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
+        $config['smtp_server'] = 'tls://mail.immae.eu';
+
+        $config['imap_cache'] = 'db';
+        $config['messages_cache'] = 'db';
+
+        $config['support_url'] = ''';
+
+        $config['des_key'] = '${builtins.getEnv "NIXOPS_ROUNDCUBEMAIL_SECRET"}';
+
+        $config['plugins'] = array();
+
+        $config['language'] = 'fr_FR';
+
+        $config['drafts_mbox'] = 'Mail/Drafts';
+        $config['junk_mbox'] = 'Mail/Spam';
+        $config['sent_mbox'] = 'Mail/sent';
+        $config['trash_mbox'] = ''';
+        $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
+        $config['draft_autosave'] = 60;
+        $config['enable_installer'] = false;
+        $config['log_driver'] = 'stdout';
+        $config['temp_dir'] = '${varDir}/cache';
+        $config['debug_level'] = 1;
+      '';
+    webRoot = stdenv.mkDerivation rec {
+      version = "1.3.8";
+      name = "roundcubemail-${version}";
+      src= fetchurl {
+        url = "https://github.com/roundcube/roundcubemail/releases/download/${version}/${name}-complete.tar.gz";
+        sha256 = "018djad7ygfl9c9f2l2j42qkg31ml3hs2f01f0dk361zckwk77n4";
+      };
+      buildPhase = ''
+        sed -i \
+          -e "s|RCUBE_INSTALL_PATH . 'temp.*|'${varDir}/cache';|" \
+          config/defaults.inc.php
+      '';
+      installPhase = ''
+        cp -a . $out
+        ln -s ${config} $out/config/config.inc.php
+        ${builtins.concatStringsSep "\n" (
+          lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
+        )}
+      '';
+    };
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      modules = [ "proxy_fcgi" ];
+      vhostConf = ''
+      Alias /roundcube "${webRoot}"
+      <Directory "${webRoot}">
+          DirectoryIndex index.php
+          AllowOverride All
+          Options FollowSymlinks
+          Require all granted
+
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+          </FilesMatch>
+        </Directory>
+        '';
+    };
+    phpFpm = rec {
+      basedir = builtins.concatStringsSep ":" (
+        [ webRoot config varDir ]
+        ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
+      socket = "/var/run/phpfpm/roundcubemail.sock";
+      pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = ondemand
+        pm.max_children = 60
+        pm.process_idle_timeout = 60
+
+        ; Needed to avoid clashes in browser cookies (same domain)
+        php_value[session.name] = RoundcubemailPHPSESSID
+        php_admin_value[open_basedir] = "${basedir}:/tmp"
+        php_admin_value[session.save_path] = "${varDir}/phpSessions"
+        '';
+    };
+  };
+in 
+  roundcubemail
diff --git a/virtual/modules/websites/tools/tools/tt-rss.json b/virtual/modules/websites/tools/tools/tt-rss.json
new file mode 100644
index 0000000..e2731b0
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/tt-rss.json
@@ -0,0 +1,14 @@
+{
+  "tag": "986ca25-master",
+  "meta": {
+    "name": "tt-rss",
+    "url": "https://git.tt-rss.org/fox/tt-rss.git",
+    "branch": "master"
+  },
+  "git": {
+    "url": "https://git.tt-rss.org/fox/tt-rss.git",
+    "rev": "986ca251f995f7754a0470d3e0c44538a545081f",
+    "sha256": "0xkafkh7l9zazm5d6snlq03kdfxfhkb4c8fdsb32wn8b9bhdzf5s",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/tools/ttrss-af-feedmod_type_replace.patch b/virtual/modules/websites/tools/tools/ttrss-af-feedmod_type_replace.patch
new file mode 100644
index 0000000..d622577
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-af-feedmod_type_replace.patch
@@ -0,0 +1,12 @@
+--- a/init.php  2014-06-16 14:21:06.995480038 +0200
++++ b/init.php  2014-06-16 14:22:00.151027654 +0200
+@@ -147,6 +147,9 @@
+                         }
+                     }
+                     break;
++                case 'replace':
++                    $article['content'] = preg_replace("/".$config['pattern']."/",$config['replacement'],$article['content']);
++                    break;
+ 
+                 default:
+                     // unknown type or invalid config
diff --git a/virtual/modules/websites/tools/tools/ttrss-af_feedmod.json b/virtual/modules/websites/tools/tools/ttrss-af_feedmod.json
new file mode 100644
index 0000000..e57fcce
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-af_feedmod.json
@@ -0,0 +1,15 @@
+{
+  "tag": "0ea2092-master",
+  "meta": {
+    "name": "ttrss-af_feedmod",
+    "url": "https://github.com/mbirth/ttrss_plugin-af_feedmod",
+    "branch": "master"
+  },
+  "github": {
+    "owner": "mbirth",
+    "repo": "ttrss_plugin-af_feedmod",
+    "rev": "0ea2092dd34067ecd898802cfca3570023d1ecfe",
+    "sha256": "02ibf47zcrsc2rr45wsix8gxyyf371davj8n8i0gj1zdq95klvnv",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/tools/ttrss-auth-ldap.json b/virtual/modules/websites/tools/tools/ttrss-auth-ldap.json
new file mode 100644
index 0000000..c8aaab5
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-auth-ldap.json
@@ -0,0 +1,15 @@
+{
+  "tag": "4d751b0-master",
+  "meta": {
+    "name": "ttrss-auth-ldap",
+    "url": "https://github.com/hydrian/TTRSS-Auth-LDAP",
+    "branch": "master"
+  },
+  "github": {
+    "owner": "hydrian",
+    "repo": "TTRSS-Auth-LDAP",
+    "rev": "4d751b095c29a8dbe2dc7bb07777742956136e94",
+    "sha256": "0b9fl86acrzpcv41r7pj3bl8b3n72hpkdywzx9zjyfqv5pskxyim",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/tools/ttrss-feediron.json b/virtual/modules/websites/tools/tools/ttrss-feediron.json
new file mode 100644
index 0000000..5dbec92
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-feediron.json
@@ -0,0 +1,15 @@
+{
+  "tag": "407168c-master",
+  "meta": {
+    "name": "ttrss-feediron",
+    "url": "https://github.com/m42e/ttrss_plugin-feediron",
+    "branch": "master"
+  },
+  "github": {
+    "owner": "m42e",
+    "repo": "ttrss_plugin-feediron",
+    "rev": "407168c628880b5ced572cc549db6d50e866d3c8",
+    "sha256": "17b95ifpcph6m03hjd1mhi8gi1hw9yd3fnffmw66fqr5c9l3zd9r",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/tools/ttrss-feediron_json_reformat.patch b/virtual/modules/websites/tools/tools/ttrss-feediron_json_reformat.patch
new file mode 100644
index 0000000..e1c44d9
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-feediron_json_reformat.patch
@@ -0,0 +1,18 @@
+diff --git a/init.php b/init.php
+index 3c0f2f9..1aad146 100644
+--- a/init.php
++++ b/init.php
+@@ -600,10 +600,11 @@ class Feediron extends Plugin implements IHandler
+                        return false;
+                }
+ 
+-               $this->host->set($this, 'json_conf', Feediron_Json::format($json_conf));
++                $new_conf = json_encode(json_decode($json_conf), JSON_PRETTY_PRINT);
++                $this->host->set($this, 'json_conf', $new_conf);
+                $json_reply['success'] = true;
+                $json_reply['message'] = __('Configuration saved.');
+-               $json_reply['json_conf'] = Feediron_Json::format($json_conf);
++                $json_reply['json_conf'] = $new_conf;
+                echo json_encode($json_reply);
+        }
+ 
diff --git a/virtual/modules/websites/tools/tools/ttrss-ff_instagram.json b/virtual/modules/websites/tools/tools/ttrss-ff_instagram.json
new file mode 100644
index 0000000..1f241b9
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-ff_instagram.json
@@ -0,0 +1,15 @@
+{
+  "tag": "0366ffb-master",
+  "meta": {
+    "name": "ttrss-ff_instagram",
+    "url": "https://github.com/wltb/ff_instagram",
+    "branch": "master"
+  },
+  "github": {
+    "owner": "wltb",
+    "repo": "ff_instagram",
+    "rev": "0366ffb18c4d490c8fbfba2f5f3367a5af23cfe8",
+    "sha256": "0vvzl6wi6jmrqknsfddvckjgsgfizz1d923d1nyrpzjfn6bda1vk",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/tools/ttrss-tumblr_gdpr_ua.json b/virtual/modules/websites/tools/tools/ttrss-tumblr_gdpr_ua.json
new file mode 100644
index 0000000..eafbcfe
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss-tumblr_gdpr_ua.json
@@ -0,0 +1,15 @@
+{
+  "tag": "287c584-master",
+  "meta": {
+    "name": "ttrss-tumblr_gdpr_ua",
+    "url": "https://github.com/hkockerbeck/ttrss-tumblr-gdpr-ua",
+    "branch": "master"
+  },
+  "github": {
+    "owner": "hkockerbeck",
+    "repo": "ttrss-tumblr-gdpr-ua",
+    "rev": "287c584e68845d524f920156bff0b2eaa6f65117",
+    "sha256": "1fviawgcclqky4k4xv1sqzvpb8i74w9f0pclm09m78s8l85wh9py",
+    "fetchSubmodules": true
+  }
+}
diff --git a/virtual/modules/websites/tools/tools/ttrss.nix b/virtual/modules/websites/tools/tools/ttrss.nix
new file mode 100644
index 0000000..f7b0f61
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ttrss.nix
@@ -0,0 +1,182 @@
+{ lib, php, checkEnv, writeText, stdenv, fetchedGit, fetchedGithub }:
+let
+  ttrss = let
+    plugins = {
+      auth_ldap = stdenv.mkDerivation (fetchedGithub ./ttrss-auth-ldap.json // rec {
+        installPhase = ''
+          mkdir $out
+          cp plugins/auth_ldap/init.php $out
+        '';
+      });
+      af_feedmod = stdenv.mkDerivation (fetchedGithub ./ttrss-af_feedmod.json // rec {
+        patches = [ ./ttrss-af-feedmod_type_replace.patch ];
+        installPhase = ''
+          mkdir $out
+          cp init.php $out
+        '';
+      });
+      feediron = stdenv.mkDerivation (fetchedGithub ./ttrss-feediron.json // rec {
+        patches = [ ./ttrss-feediron_json_reformat.patch ];
+        installPhase = ''
+          mkdir $out
+          cp -a . $out
+        '';
+      });
+      ff_instagram = stdenv.mkDerivation (fetchedGithub ./ttrss-ff_instagram.json // rec {
+        installPhase = ''
+          mkdir $out
+          cp -a . $out
+        '';
+      });
+      tumblr_gdpr_ua = stdenv.mkDerivation (fetchedGithub ./ttrss-tumblr_gdpr_ua.json // rec {
+        installPhase = ''
+          mkdir $out
+          cp -a . $out
+        '';
+      });
+    };
+  in rec {
+    varDir = "/var/lib/ttrss";
+    # FIXME: initial sync
+    activationScript = {
+      deps = [ "wrappers" ];
+      text = ''
+        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+          ${varDir}/lock ${varDir}/cache ${varDir}/feed-icons
+        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/cache/export/ \
+          ${varDir}/cache/feeds/ \
+          ${varDir}/cache/images/ \
+          ${varDir}/cache/js/ \
+          ${varDir}/cache/simplepie/ \
+          ${varDir}/cache/upload/
+        touch ${varDir}/feed-icons/index.html
+        install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+      '';
+    };
+    config =
+      # FIXME: LOG_DESTINATION syslog?
+      assert checkEnv "NIXOPS_TTRSS_DB_PASSWORD";
+      assert checkEnv "NIXOPS_TTRSS_LDAP_PASSWORD";
+      writeText "config.php" ''
+      <?php
+
+        define('PHP_EXECUTABLE', '${php}/bin/php');
+
+        define('LOCK_DIRECTORY', 'lock');
+        define('CACHE_DIR', 'cache');
+        define('ICONS_DIR', 'feed-icons');
+        define('ICONS_URL', 'feed-icons');
+        define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
+
+        define('MYSQL_CHARSET', 'UTF8');
+
+        define('DB_TYPE', 'pgsql');
+        define('DB_HOST', 'db-1.immae.eu');
+        define('DB_USER', 'ttrss');
+        define('DB_NAME', 'ttrss');
+        define('DB_PASS', '${builtins.getEnv "NIXOPS_TTRSS_DB_PASSWORD"}');
+        define('DB_PORT', '5432');
+
+        define('AUTH_AUTO_CREATE', true);
+        define('AUTH_AUTO_LOGIN', true);
+
+        define('SINGLE_USER_MODE', false);
+
+        define('SIMPLE_UPDATE_MODE', false);
+        define('CHECK_FOR_UPDATES', true);
+
+        define('FORCE_ARTICLE_PURGE', 0);
+        define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
+        define('ENABLE_GZIP_OUTPUT', false);
+
+        define('PLUGINS', 'auth_ldap, note, instances');
+
+        define('LOG_DESTINATION', ''');
+        define('CONFIG_VERSION', 26);
+
+
+        define('SPHINX_SERVER', 'localhost:9312');
+        define('SPHINX_INDEX', 'ttrss, delta');
+
+        define('ENABLE_REGISTRATION', false);
+        define('REG_NOTIFY_ADDRESS', 'outils@immae.eu');
+        define('REG_MAX_USERS', 10);
+
+        define('SMTP_SERVER', 'mail.immae.eu:25');
+        define('SMTP_LOGIN', ''');
+        define('SMTP_PASSWORD', ''');
+        define('SMTP_SECURE', 'tls');
+
+        define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
+        define('SMTP_FROM_ADDRESS', 'outils@immae.eu');
+        define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
+
+        define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
+        define('LDAP_AUTH_USETLS', TRUE);
+        define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
+        define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
+        define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
+        define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
+
+        define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
+        define('LDAP_AUTH_BINDPW', '${builtins.getEnv "NIXOPS_TTRSS_LDAP_PASSWORD"}');
+        define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
+
+        define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
+        define('LDAP_AUTH_DEBUG', FALSE);
+      '';
+    webRoot = stdenv.mkDerivation (fetchedGit ./tt-rss.json // rec {
+      buildPhase = ''
+        rm -rf lock feed-icons cache
+        ln -sf ../../../../../${varDir}/{lock,feed-icons,cache} .
+      '';
+      installPhase = ''
+        cp -a . $out
+        ln -s ${config} $out/config.php
+        ${builtins.concatStringsSep "\n" (
+          lib.attrsets.mapAttrsToList (name: value: "ln -sf ${value} $out/plugins/${name}") plugins
+        )}
+      '';
+    });
+    apache = {
+      user = "wwwrun";
+      group = "wwwrun";
+      modules = [ "proxy_fcgi" ];
+      vhostConf = ''
+        Alias /ttrss "${webRoot}"
+        <Directory "${webRoot}">
+          DirectoryIndex index.php
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+          </FilesMatch>
+
+          AllowOverride All
+          Options FollowSymlinks
+          Require all granted
+        </Directory>
+        '';
+    };
+    phpFpm = rec {
+      basedir = builtins.concatStringsSep ":" (
+        [ webRoot config varDir ]
+        ++ lib.attrsets.mapAttrsToList (name: value: value) plugins);
+      socket = "/var/run/phpfpm/ttrss.sock";
+      pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = ondemand
+        pm.max_children = 60
+        pm.process_idle_timeout = 60
+
+        ; Needed to avoid clashes in browser cookies (same domain)
+        php_value[session.name] = TtrssPHPSESSID
+        php_admin_value[open_basedir] = "${basedir}:/tmp"
+        php_admin_value[session.save_path] = "${varDir}/phpSessions"
+        '';
+    };
+  };
+in 
+  ttrss
diff --git a/virtual/modules/websites/tools/tools/ympd.nix b/virtual/modules/websites/tools/tools/ympd.nix
new file mode 100644
index 0000000..74bf2e5
--- /dev/null
+++ b/virtual/modules/websites/tools/tools/ympd.nix
@@ -0,0 +1,35 @@
+{}:
+let
+  ympd = rec {
+    config = {
+      webPort = "localhost:18001";
+      mpd = {
+        host = "malige.home.immae.eu";
+        port = 6600;
+      };
+    };
+    apache = {
+      modules = [
+        "proxy_wstunnel"
+        ];
+      vhostConf = ''
+        <LocationMatch "^/mpd">
+          Use LDAPConnect
+          Require ldap-group   cn=users,cn=mpd,ou=services,dc=immae,dc=eu
+          Require local
+        </LocationMatch>
+
+        RedirectMatch permanent "^/mpd$" "/mpd/"
+        <Location "/mpd/">
+          ProxyPass http://${config.webPort}/
+          ProxyPassReverse http://${config.webPort}/
+          ProxyPreserveHost on
+        </Location>
+        <Location "/mpd/ws">
+          ProxyPass ws://${config.webPort}/ws
+        </Location>
+      '';
+    };
+  };
+in
+  ympd