44 files changed, 398 insertions, 404 deletions

diff --git a/modules/private/default.nix b/modules/private/default.nix
index 16258e4..242eeb9 100644
--- a/modules/private/default.nix
+++ b/modules/private/default.nix
@@ -36,6 +36,17 @@ set = {
   piedsjalouxInte = ./websites/piedsjaloux/integration.nix;
   piedsjalouxProd = ./websites/piedsjaloux/production.nix;
 
+  cloudTool = ./websites/tools/cloud;
+  davTool = ./websites/tools/dav;
+  dbTool = ./websites/tools/db;
+  diasporaTool = ./websites/tools/diaspora;
+  etherTool = ./websites/tools/ether;
+  gitTool = ./websites/tools/git;
+  mastodonTool = ./websites/tools/mastodon;
+  mgoblinTool = ./websites/tools/mgoblin;
+  peertubeTool = ./websites/tools/peertube;
+  toolsTool = ./websites/tools/tools;
+
   irc = ./irc.nix;
 };
 in
diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix
index 5ccc0c1..748e388 100644
--- a/modules/private/websites/aten/integration.nix
+++ b/modules/private/websites/aten/integration.nix
@@ -18,10 +18,7 @@ in {
     systemd.services.phpfpm-aten_dev.wants = aten.phpFpm.serviceDeps;
     services.phpfpm.poolConfigs.aten_dev = aten.phpFpm.pool;
     system.activationScripts.aten_dev = aten.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot;
     services.websites.integration.modules = aten.apache.modules;
     services.websites.integration.vhostConfs.aten = {
       certName    = "eldiron";
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix
index 7938241..7a4adb5 100644
--- a/modules/private/websites/aten/production.nix
+++ b/modules/private/websites/aten/production.nix
@@ -20,10 +20,7 @@ in {
     systemd.services.phpfpm-aten_prod.wants = aten.phpFpm.serviceDeps;
     services.phpfpm.poolConfigs.aten_prod = aten.phpFpm.pool;
     system.activationScripts.aten_prod = aten.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot;
     services.websites.production.modules = aten.apache.modules;
     services.websites.production.vhostConfs.aten = {
       certName     = "aten";
diff --git a/modules/private/websites/capitaines/production.nix b/modules/private/websites/capitaines/production.nix
index fe9c619..57d8787 100644
--- a/modules/private/websites/capitaines/production.nix
+++ b/modules/private/websites/capitaines/production.nix
@@ -9,10 +9,7 @@ in {
   options.myServices.websites.capitaines.production.enable = lib.mkEnableOption "enable Capitaines's website";
 
   config = lib.mkIf cfg.enable {
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${siteDir} $out/webapps/${webappName}
-      '';
+    myServices.websites.webappDirs."${webappName}" = siteDir;
 
     services.websites.production.vhostConfs.capitaines_mastodon = {
       certName     = "capitaines";
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix
index d49a85c..c42a428 100644
--- a/modules/private/websites/chloe/integration.nix
+++ b/modules/private/websites/chloe/integration.nix
@@ -23,10 +23,7 @@ in {
       '';
     };
     system.activationScripts.chloe_dev = chloe.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
     services.websites.integration.modules = chloe.apache.modules;
     services.websites.integration.vhostConfs.chloe = {
       certName    = "eldiron";
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
index d4b2299..0bf2d8f 100644
--- a/modules/private/websites/chloe/production.nix
+++ b/modules/private/websites/chloe/production.nix
@@ -25,10 +25,7 @@ in {
       '';
     };
     system.activationScripts.chloe_prod = chloe.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
     services.websites.production.modules = chloe.apache.modules;
     services.websites.production.vhostConfs.chloe = {
       certName     = "chloe";
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix
index 6570977..1d8488a 100644
--- a/modules/private/websites/connexionswing/integration.nix
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -22,10 +22,7 @@ in {
       phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig;
     };
     system.activationScripts.connexionswing_dev = connexionswing.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot;
     services.websites.integration.modules = connexionswing.apache.modules;
     services.websites.integration.vhostConfs.connexionswing = {
       certName    = "eldiron";
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
index b51c549..555f129 100644
--- a/modules/private/websites/connexionswing/production.nix
+++ b/modules/private/websites/connexionswing/production.nix
@@ -24,10 +24,7 @@ in {
       phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig;
     };
     system.activationScripts.connexionswing_prod = connexionswing.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot;
     services.websites.production.modules = connexionswing.apache.modules;
     services.websites.production.vhostConfs.connexionswing = {
       certName     = "connexionswing";
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
index 80d902e..8b02977 100644
--- a/modules/private/websites/default.nix
+++ b/modules/private/websites/default.nix
@@ -1,39 +1,265 @@
-{ ... }:
+{ lib, pkgs, config, myconfig, ... }:
+let
+  www_root = "/run/current-system/webapps/_www";
+  theme_root = "/run/current-system/webapps/_theme";
+  apacheConfig = {
+    gzip = {
+      modules = [ "deflate" "filter" ];
+      extraConfig = ''
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+      '';
+    };
+    macros = {
+      modules = [ "macro" ];
+    };
+    stats = {
+      extraConfig = ''
+        <Macro Stats %{domain}>
+          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
+          <Directory ${config.services.webstats.dataDir}/%{domain}>
+            DirectoryIndex index.html
+            AllowOverride None
+            Require all granted
+          </Directory>
+          <Location /webstats>
+            Use LDAPConnect
+            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
+          </Location>
+        </Macro>
+      '';
+    };
+    ldap = {
+      modules = [ "ldap" "authnz_ldap" ];
+      extraConfig = ''
+        <IfModule ldap_module>
+          LDAPSharedCacheSize 500000
+          LDAPCacheEntries 1024
+          LDAPCacheTTL 600
+          LDAPOpCacheEntries 1024
+          LDAPOpCacheTTL 600
+        </IfModule>
+
+        Include /var/secrets/apache-ldap
+      '';
+    };
+    global = {
+      extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
+    };
+    apaxy = {
+      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
+    };
+    http2 = {
+      modules = [ "http2" ];
+      extraConfig = ''
+        Protocols h2 http/1.1
+      '';
+    };
+    customLog = {
+      extraConfig = ''
+        LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
+      '';
+    };
+  };
+  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
+  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
+in
 {
-  config.myServices.websites.aten.integration.enable = true;
-  config.myServices.websites.aten.production.enable = true;
+  options.myServices.websites.webappDirs = lib.mkOption {
+    type = lib.types.attrsOf lib.types.path;
+    description = ''
+      Webapp paths to create in /run/current-system/webapps
+      '';
+    default = {};
+  };
+
+  config = {
+    users.users.wwwrun.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    nixpkgs.overlays = [ (self: super: rec {
+      #openssl = self.openssl_1_1;
+      php = php72;
+      php72 = (super.php72.override {
+        mysql.connector-c = self.mariadb;
+        config.php.mysqlnd = false;
+        config.php.mysqli = false;
+      }).overrideAttrs(old: rec {
+        # Didn't manage to build with mysqli + mysql_config connector
+        configureFlags = old.configureFlags ++ [
+          "--with-mysqli=shared,mysqlnd"
+          ];
+        # preConfigure = (old.preConfigure or "") + ''
+        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
+        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
+        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
+        #   '';
+      });
+      phpPackages = super.php72Packages.override { inherit php; };
+    }) ];
+
+    secrets.keys = [{
+      dest = "apache-ldap";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+        <Macro LDAPConnect>
+          <IfModule authnz_ldap_module>
+            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
+            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+            AuthType             Basic
+            AuthName             "Authentification requise (Acces LDAP)"
+            AuthBasicProvider    ldap
+          </IfModule>
+        </Macro>
+        '';
+    }];
+
+    system.activationScripts = {
+      httpd = ''
+        install -d -m 0755 ${config.security.acme.directory}/acme-challenge
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+        '';
+    };
+
+    services.phpfpm = {
+      phpPackage = pkgs.php;
+      phpOptions = ''
+        session.save_path = "/var/lib/php/sessions"
+        post_max_size = 20M
+        ; 15 days (seconds)
+        session.gc_maxlifetime = 1296000
+        ; 30 days (minutes)
+        session.cache_expire = 43200
+        '';
+      extraConfig = ''
+        log_level = notice
+        '';
+    };
+
+    services.websites.production = {
+      enable = true;
+      adminAddr = "httpd@immae.eu";
+      httpdName = "Prod";
+      ips =
+        let ips = myconfig.env.servers.eldiron.ips.production;
+        in [ips.ip4] ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig;
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+
+    services.websites.integration = {
+      enable = true;
+      adminAddr = "httpd@immae.eu";
+      httpdName = "Inte";
+      ips =
+        let ips = myconfig.env.servers.eldiron.ips.integration;
+        in [ips.ip4] ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig;
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+
+    services.websites.tools = {
+      enable = true;
+      adminAddr = "httpd@immae.eu";
+      httpdName = "Tools";
+      ips =
+        let ips = myconfig.env.servers.eldiron.ips.main;
+        in [ips.ip4] ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig ++
+        [ ''
+            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
+            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
+            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
+          ''
+          ];
+      nosslVhost = {
+        enable = true;
+        host = "nossl.immae.eu";
+      };
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+
+    system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues config.myServices.websites.webappDirs) > 0) ''
+    mkdir -p $out/webapps
+    ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (name: path: "ln -s ${path} $out/webapps/${name}") config.myServices.websites.webappDirs)}
+    '';
+
+    myServices.websites = {
+      webappDirs = {
+        _www = pkgs.webapps.apache-default.www;
+        _theme = pkgs.webapps.apache-theme.theme;
+      };
+
+      aten.integration.enable = true;
+      aten.production.enable = true;
+
+      capitaines.production.enable = true;
 
-  config.myServices.websites.capitaines.production.enable = true;
+      chloe.integration.enable = true;
+      chloe.production.enable = true;
 
-  config.myServices.websites.chloe.integration.enable = true;
-  config.myServices.websites.chloe.production.enable = true;
+      connexionswing.integration.enable = true;
+      connexionswing.production.enable = true;
 
-  config.myServices.websites.connexionswing.integration.enable = true;
-  config.myServices.websites.connexionswing.production.enable = true;
+      denisejerome.production.enable = true;
 
-  config.myServices.websites.denisejerome.production.enable = true;
+      emilia.production.enable = true;
 
-  config.myServices.websites.emilia.production.enable = true;
+      florian.app.enable = true;
+      florian.integration.enable = true;
+      florian.production.enable = true;
 
-  config.myServices.websites.florian.app.enable = true;
-  config.myServices.websites.florian.integration.enable = true;
-  config.myServices.websites.florian.production.enable = true;
+      immae.production.enable = true;
+      immae.release.enable = true;
+      immae.temp.enable = true;
 
-  config.myServices.websites.immae.production.enable = true;
-  config.myServices.websites.immae.release.enable = true;
-  config.myServices.websites.immae.temp.enable = true;
+      leila.production.enable = true;
 
-  config.myServices.websites.leila.production.enable = true;
+      ludivinecassal.integration.enable = true;
+      ludivinecassal.production.enable = true;
 
-  config.myServices.websites.ludivinecassal.integration.enable = true;
-  config.myServices.websites.ludivinecassal.production.enable = true;
+      nassime.production.enable = true;
 
-  config.myServices.websites.nassime.production.enable = true;
+      naturaloutil.production.enable = true;
 
-  config.myServices.websites.naturaloutil.production.enable = true;
+      papa.surveillance.enable = true;
 
-  config.myServices.websites.papa.surveillance.enable = true;
+      piedsjaloux.integration.enable = true;
+      piedsjaloux.production.enable = true;
 
-  config.myServices.websites.piedsjaloux.integration.enable = true;
-  config.myServices.websites.piedsjaloux.production.enable = true;
+      tools.cloud.enable = true;
+      tools.dav.enable = true;
+      tools.db.enable = true;
+      tools.diaspora.enable = true;
+      tools.etherpad-lite.enable = true;
+      tools.git.enable = true;
+      tools.mastodon.enable = true;
+      tools.mediagoblin.enable = true;
+      tools.peertube.enable = true;
+      tools.tools.enable = true;
+    };
+  };
 }
diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix
index 2e705a1..13f008f 100644
--- a/modules/private/websites/emilia/production.nix
+++ b/modules/private/websites/emilia/production.nix
@@ -46,10 +46,7 @@ in {
     system.activationScripts.emilia = ''
       install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
       '';
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${siteDir} $out/webapps/${webappName}
-      '';
+    myServices.websites.webappDirs."${webappName}" = siteDir;
     services.websites.production.vhostConfs.emilia = {
       certName     = "emilia";
       certMainHost = "saison-photo.org";
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix
index 905c66a..3a6d152 100644
--- a/modules/private/websites/florian/app.nix
+++ b/modules/private/websites/florian/app.nix
@@ -20,10 +20,7 @@ in {
     systemd.services.phpfpm-tellesflorian_dev.preStart = lib.mkAfter tellesflorian.phpFpm.preStart;
     services.phpfpm.poolConfigs.tellesflorian_dev = tellesflorian.phpFpm.pool;
     system.activationScripts.tellesflorian_dev = tellesflorian.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${tellesflorian.app.webRoot} $out/webapps/${tellesflorian.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${tellesflorian.apache.webappName}" = tellesflorian.app.webRoot;
     services.websites.integration.modules = adminer.apache.modules ++ tellesflorian.apache.modules;
     services.websites.integration.vhostConfs.tellesflorian = {
       certName    = "eldiron";
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix
index a53f1fe..ed0dc9f 100644
--- a/modules/private/websites/ludivinecassal/integration.nix
+++ b/modules/private/websites/ludivinecassal/integration.nix
@@ -19,10 +19,7 @@ in {
     systemd.services.phpfpm-ludivinecassal_dev.preStart = lib.mkAfter ludivinecassal.phpFpm.preStart;
     services.phpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal.phpFpm.pool;
     system.activationScripts.ludivinecassal_dev = ludivinecassal.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${ludivinecassal.apache.webappName}" = ludivinecassal.app.webRoot;
     services.websites.integration.modules = ludivinecassal.apache.modules;
     services.websites.integration.vhostConfs.ludivine = {
       certName    = "eldiron";
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix
index 8fe6812..3df5613 100644
--- a/modules/private/websites/ludivinecassal/production.nix
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -20,10 +20,7 @@ in {
     systemd.services.phpfpm-ludivinecassal_prod.preStart = lib.mkAfter ludivinecassal.phpFpm.preStart;
     services.phpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal.phpFpm.pool;
     system.activationScripts.ludivinecassal_prod = ludivinecassal.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${ludivinecassal.apache.webappName}" = ludivinecassal.app.webRoot;
     services.websites.production.modules = ludivinecassal.apache.modules;
     services.websites.production.vhostConfs.ludivine = {
       certName     = "ludivinecassal";
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix
index 2315b30..f59957d 100644
--- a/modules/private/websites/naturaloutil/production.nix
+++ b/modules/private/websites/naturaloutil/production.nix
@@ -33,6 +33,12 @@ in {
         ?>
       '';
     }];
+    system.activationScripts.naturaloutil = {
+      deps = [ "httpd" ];
+      text = ''
+        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/naturaloutil
+        '';
+    };
     systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ];
     systemd.services.phpfpm-jerome.wants = [ "mysql.service" ];
     services.phpfpm.pools.jerome = {
@@ -48,7 +54,8 @@ in {
         pm.process_idle_timeout = 60
 
         env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil"
-        php_admin_value[open_basedir] = "/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
+        php_admin_value[open_basedir] = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
+        php_admin_value[session.save_path] = "/var/lib/php/sessions/naturaloutil"
         '';
       phpOptions = config.services.phpfpm.phpOptions + ''
         extension=${pkgs.php}/lib/php/extensions/mysqli.so
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix
index 83b428a..5f574e1 100644
--- a/modules/private/websites/piedsjaloux/integration.nix
+++ b/modules/private/websites/piedsjaloux/integration.nix
@@ -18,10 +18,7 @@ in {
     systemd.services.phpfpm-piedsjaloux_dev.preStart = lib.mkAfter piedsjaloux.phpFpm.preStart;
     services.phpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux.phpFpm.pool;
     system.activationScripts.piedsjaloux_dev = piedsjaloux.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${piedsjaloux.apache.webappName}" = piedsjaloux.app.webRoot;
     services.websites.integration.modules = piedsjaloux.apache.modules;
     services.websites.integration.vhostConfs.piedsjaloux = {
       certName    = "eldiron";
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
index 0efd56b..e3bd2dd 100644
--- a/modules/private/websites/piedsjaloux/production.nix
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -20,10 +20,7 @@ in {
     systemd.services.phpfpm-piedsjaloux_prod.preStart = lib.mkAfter piedsjaloux.phpFpm.preStart;
     services.phpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux.phpFpm.pool;
     system.activationScripts.piedsjaloux_prod = piedsjaloux.activationScript;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${piedsjaloux.apache.webappName}" = piedsjaloux.app.webRoot;
     services.websites.production.modules = piedsjaloux.apache.modules;
     services.websites.production.vhostConfs.piedsjaloux = {
       certName     = "piedsjaloux";
diff --git a/nixops/modules/websites/tools/cloud.nix b/modules/private/websites/tools/cloud/default.nix
index 5d2ca40..ceb8f77 100644
--- a/nixops/modules/websites/tools/cloud.nix
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -5,7 +5,7 @@ let
   varDir = "/var/lib/nextcloud";
   webappName = "tools_nextcloud";
   apacheRoot = "/run/current-system/webapps/${webappName}";
-  cfg = config.services.myWebsites.tools.cloud;
+  cfg = config.myServices.websites.tools.cloud;
   phpFpm = rec {
     basedir = builtins.concatStringsSep ":" (
       [ nextcloud varDir ]
@@ -43,7 +43,7 @@ let
       '';
   };
 in {
-  options.services.myWebsites.tools.cloud = {
+  options.myServices.websites.tools.cloud = {
     enable = lib.mkEnableOption "enable cloud website";
   };
 
diff --git a/nixops/modules/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
index 634359d..98cebee 100644
--- a/nixops/modules/websites/tools/dav/davical.nix
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -1,5 +1,11 @@
 { stdenv, fetchurl, gettext, writeText, env, awl, davical }:
 rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
+      '';
+  };
   keys = [{
     dest = "webapps/dav-davical";
     user = apache.user;
diff --git a/nixops/modules/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix
index 78e0ba3..fb0baae 100644
--- a/nixops/modules/websites/tools/dav/default.nix
+++ b/modules/private/websites/tools/dav/default.nix
@@ -20,13 +20,14 @@ let
       inherit (pkgs.webapps) davical awl;
     };
 
-    cfg = config.services.myWebsites.tools.dav;
+    cfg = config.myServices.websites.tools.dav;
 in {
-  options.services.myWebsites.tools.dav = {
+  options.myServices.websites.tools.dav = {
     enable = lib.mkEnableOption "enable dav website";
   };
 
   config = lib.mkIf cfg.enable {
+    system.activationScripts.davical = davical.activationScript;
     secrets.keys = davical.keys;
     services.websites.tools.modules = davical.apache.modules;
 
@@ -45,11 +46,8 @@ in {
       davical = davical.phpFpm.pool;
     };
 
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${davical.webRoot} $out/webapps/${davical.apache.webappName}
-      ln -s ${pkgs.webapps.infcloud} $out/webapps/${infcloud.webappName}
-      '';
+    myServices.websites.webappDirs."${davical.apache.webappName}" = davical.webRoot;
+    myServices.websites.webappDirs."${infcloud.webappName}" = pkgs.webapps.infcloud;
   };
 }
 
diff --git a/nixops/modules/websites/tools/db.nix b/modules/private/websites/tools/db/default.nix
index 7c15c23..361e204 100644
--- a/nixops/modules/websites/tools/db.nix
+++ b/modules/private/websites/tools/db/default.nix
@@ -1,10 +1,10 @@
 { lib, pkgs, config,  ... }:
 let
-    adminer = pkgs.callPackage ../commons/adminer.nix {};
+    adminer = pkgs.callPackage ../../commons/adminer.nix {};
 
-    cfg = config.services.myWebsites.tools.databases;
+    cfg = config.myServices.websites.tools.db;
 in {
-  options.services.myWebsites.tools.databases = {
+  options.myServices.websites.tools.db = {
     enable = lib.mkEnableOption "enable database's website";
   };
 
diff --git a/nixops/modules/websites/tools/diaspora.nix b/modules/private/websites/tools/diaspora/default.nix
index ee5507d..efa1fab 100644
--- a/nixops/modules/websites/tools/diaspora.nix
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -2,10 +2,10 @@
 let
   env = myconfig.env.tools.diaspora;
   root = "/run/current-system/webapps/tools_diaspora";
-  cfg = config.services.myWebsites.tools.diaspora;
+  cfg = config.myServices.websites.tools.diaspora;
   dcfg = config.services.diaspora;
 in {
-  options.services.myWebsites.tools.diaspora = {
+  options.myServices.websites.tools.diaspora = {
     enable = lib.mkEnableOption "enable diaspora's website";
   };
 
diff --git a/nixops/modules/websites/tools/ether.nix b/modules/private/websites/tools/ether/default.nix
index 8c9bbb1..ebcbf61 100644
--- a/nixops/modules/websites/tools/ether.nix
+++ b/modules/private/websites/tools/ether/default.nix
@@ -1,13 +1,13 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
   env = myconfig.env.tools.etherpad-lite;
-  cfg = config.services.myWebsites.tools.etherpad-lite;
+  cfg = config.myServices.websites.tools.etherpad-lite;
   # Make sure we’re not rebuilding whole libreoffice just because of a
   # dependency
   libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
   ecfg = config.services.etherpad-lite;
 in {
-  options.services.myWebsites.tools.etherpad-lite = {
+  options.myServices.websites.tools.etherpad-lite = {
     enable = lib.mkEnableOption "enable etherpad's website";
   };
 
diff --git a/nixops/modules/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix
index 495c5ea..3e8b605 100644
--- a/nixops/modules/websites/tools/git/default.nix
+++ b/modules/private/websites/tools/git/default.nix
@@ -6,9 +6,9 @@ let
     };
     gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
 
-    cfg = config.services.myWebsites.tools.git;
+    cfg = config.myServices.websites.tools.git;
 in {
-  options.services.myWebsites.tools.git = {
+  options.myServices.websites.tools.git = {
     enable = lib.mkEnableOption "enable git's website";
   };
 
@@ -17,12 +17,10 @@ in {
     services.websites.tools.modules =
       gitweb.apache.modules ++
       mantisbt.apache.modules;
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${gitweb.webRoot} $out/webapps/${gitweb.apache.webappName}
-      ln -s ${mantisbt.webRoot} $out/webapps/${mantisbt.apache.webappName}
-      '';
+    myServices.websites.webappDirs."${gitweb.apache.webappName}" = gitweb.webRoot;
+    myServices.websites.webappDirs."${mantisbt.apache.webappName}" = mantisbt.webRoot;
 
+    system.activationScripts.mantisbt = mantisbt.activationScript;
     services.websites.tools.vhostConfs.git = {
       certName    = "eldiron";
       addToCerts  = true;
diff --git a/nixops/modules/websites/tools/git/gitweb.nix b/modules/private/websites/tools/git/gitweb.nix
index 2ee7a63..2ee7a63 100644
--- a/nixops/modules/websites/tools/git/gitweb.nix
+++ b/modules/private/websites/tools/git/gitweb.nix
diff --git a/nixops/modules/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix
index 0c459a7..a1b830e 100644
--- a/nixops/modules/websites/tools/git/mantisbt.nix
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -1,5 +1,11 @@
 { env, mantisbt_2, mantisbt_2-plugins }:
 rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt
+    '';
+  };
   keys = [{
     dest = "webapps/tools-mantisbt";
     user = apache.user;
diff --git a/nixops/modules/websites/tools/mastodon.nix b/modules/private/websites/tools/mastodon/default.nix
index ffd59dd..d742a33 100644
--- a/nixops/modules/websites/tools/mastodon.nix
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -2,10 +2,10 @@
 let
   env = myconfig.env.tools.mastodon;
   root = "/run/current-system/webapps/tools_mastodon";
-  cfg = config.services.myWebsites.tools.mastodon;
+  cfg = config.myServices.websites.tools.mastodon;
   mcfg = config.services.mastodon;
 in {
-  options.services.myWebsites.tools.mastodon = {
+  options.myServices.websites.tools.mastodon = {
     enable = lib.mkEnableOption "enable mastodon's website";
   };
 
diff --git a/nixops/modules/websites/tools/mediagoblin.nix b/modules/private/websites/tools/mgoblin/default.nix
index eb56b35..5da81f6 100644
--- a/nixops/modules/websites/tools/mediagoblin.nix
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -1,10 +1,10 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
   env = myconfig.env.tools.mediagoblin;
-  cfg = config.services.myWebsites.tools.mediagoblin;
+  cfg = config.myServices.websites.tools.mediagoblin;
   mcfg = config.services.mediagoblin;
 in {
-  options.services.myWebsites.tools.mediagoblin = {
+  options.myServices.websites.tools.mediagoblin = {
     enable = lib.mkEnableOption "enable mediagoblin's website";
   };
 
diff --git a/nixops/modules/websites/tools/peertube.nix b/modules/private/websites/tools/peertube/default.nix
index 12ab3c4..dee1b81 100644
--- a/nixops/modules/websites/tools/peertube.nix
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -1,10 +1,10 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
   env = myconfig.env.tools.peertube;
-  cfg = config.services.myWebsites.tools.peertube;
+  cfg = config.myServices.websites.tools.peertube;
   pcfg = config.services.peertube;
 in {
-  options.services.myWebsites.tools.peertube = {
+  options.myServices.websites.tools.peertube = {
     enable = lib.mkEnableOption "enable Peertube's website";
   };
 
diff --git a/nixops/modules/websites/commons/adminer.nix b/modules/private/websites/tools/tools/adminer.nix
index e911347..cd51e7f 100644
--- a/nixops/modules/websites/commons/adminer.nix
+++ b/modules/private/websites/tools/tools/adminer.nix
@@ -1,6 +1,13 @@
-{ stdenv, fetchurl, webapps }:
+{ adminer }:
 rec {
-  webRoot = webapps.adminer;
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/adminer
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/tmp/adminer
+      '';
+  };
+  webRoot = adminer;
   phpFpm = rec {
     socket = "/var/run/phpfpm/adminer.sock";
     pool = ''
diff --git a/nixops/modules/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
index 642755f..94a2be1 100644
--- a/nixops/modules/websites/tools/tools/default.nix
+++ b/modules/private/websites/tools/tools/default.nix
@@ -1,47 +1,49 @@
 { lib, pkgs, config, myconfig,  ... }:
 let
-    adminer = pkgs.callPackage ../../commons/adminer.nix {};
-    ympd = pkgs.callPackage ./ympd.nix {
-      env = myconfig.env.tools.ympd;
-    };
-    ttrss = pkgs.callPackage ./ttrss.nix {
-      inherit (pkgs.webapps) ttrss ttrss-plugins;
-      env = myconfig.env.tools.ttrss;
-    };
-    roundcubemail = pkgs.callPackage ./roundcubemail.nix {
-      inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
-      env = myconfig.env.tools.roundcubemail;
-    };
-    rainloop = pkgs.callPackage ./rainloop.nix  {};
-    kanboard = pkgs.callPackage ./kanboard.nix  {
-      env = myconfig.env.tools.kanboard;
-    };
-    wallabag = pkgs.callPackage ./wallabag.nix {
-      inherit (pkgs.webapps) wallabag;
-      env = myconfig.env.tools.wallabag;
-    };
-    yourls = pkgs.callPackage ./yourls.nix {
-      inherit (pkgs.webapps) yourls yourls-plugins;
-      env = myconfig.env.tools.yourls;
-    };
-    rompr = pkgs.callPackage ./rompr.nix {
-      inherit (pkgs.webapps) rompr;
-      env = myconfig.env.tools.rompr;
-    };
-    shaarli = pkgs.callPackage ./shaarli.nix {
-      env = myconfig.env.tools.shaarli;
-    };
-    dokuwiki = pkgs.callPackage ./dokuwiki.nix {
-      inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
-    };
-    ldap = pkgs.callPackage ./ldap.nix {
-      inherit (pkgs.webapps) phpldapadmin;
-      env = myconfig.env.tools.phpldapadmin;
-    };
+  adminer = pkgs.callPackage ./adminer.nix {
+    inherit (pkgs.webapps) adminer;
+  };
+  ympd = pkgs.callPackage ./ympd.nix {
+    env = myconfig.env.tools.ympd;
+  };
+  ttrss = pkgs.callPackage ./ttrss.nix {
+    inherit (pkgs.webapps) ttrss ttrss-plugins;
+    env = myconfig.env.tools.ttrss;
+  };
+  roundcubemail = pkgs.callPackage ./roundcubemail.nix {
+    inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
+    env = myconfig.env.tools.roundcubemail;
+  };
+  rainloop = pkgs.callPackage ./rainloop.nix  {};
+  kanboard = pkgs.callPackage ./kanboard.nix  {
+    env = myconfig.env.tools.kanboard;
+  };
+  wallabag = pkgs.callPackage ./wallabag.nix {
+    inherit (pkgs.webapps) wallabag;
+    env = myconfig.env.tools.wallabag;
+  };
+  yourls = pkgs.callPackage ./yourls.nix {
+    inherit (pkgs.webapps) yourls yourls-plugins;
+    env = myconfig.env.tools.yourls;
+  };
+  rompr = pkgs.callPackage ./rompr.nix {
+    inherit (pkgs.webapps) rompr;
+    env = myconfig.env.tools.rompr;
+  };
+  shaarli = pkgs.callPackage ./shaarli.nix {
+    env = myconfig.env.tools.shaarli;
+  };
+  dokuwiki = pkgs.callPackage ./dokuwiki.nix {
+    inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
+  };
+  ldap = pkgs.callPackage ./ldap.nix {
+    inherit (pkgs.webapps) phpldapadmin;
+    env = myconfig.env.tools.phpldapadmin;
+  };
 
-    cfg = config.services.myWebsites.tools.tools;
+  cfg = config.myServices.websites.tools.tools;
 in {
-  options.services.myWebsites.tools.tools = {
+  options.myServices.websites.tools.tools = {
     enable = lib.mkEnableOption "enable tools website";
   };
 
@@ -268,6 +270,7 @@ in {
     };
 
     system.activationScripts = {
+      adminer = adminer.activationScript;
       ttrss = ttrss.activationScript;
       roundcubemail = roundcubemail.activationScript;
       wallabag = wallabag.activationScript;
@@ -277,21 +280,22 @@ in {
       dokuwiki = dokuwiki.activationScript;
       rainloop = rainloop.activationScript;
       kanboard = kanboard.activationScript;
+      ldap = ldap.activationScript;
     };
 
-    system.extraSystemBuilderCmds = ''
-      mkdir -p $out/webapps
-      ln -s ${dokuwiki.webRoot} $out/webapps/${dokuwiki.apache.webappName}
-      ln -s ${ldap.webRoot}/htdocs $out/webapps/${ldap.apache.webappName}
-      ln -s ${rompr.webRoot} $out/webapps/${rompr.apache.webappName}
-      ln -s ${roundcubemail.webRoot} $out/webapps/${roundcubemail.apache.webappName}
-      ln -s ${shaarli.webRoot} $out/webapps/${shaarli.apache.webappName}
-      ln -s ${ttrss.webRoot} $out/webapps/${ttrss.apache.webappName}
-      ln -s ${wallabag.webRoot} $out/webapps/${wallabag.apache.webappName}
-      ln -s ${yourls.webRoot} $out/webapps/${yourls.apache.webappName}
-      ln -s ${rainloop.webRoot} $out/webapps/${rainloop.apache.webappName}
-      ln -s ${kanboard.webRoot} $out/webapps/${kanboard.apache.webappName}
-      '';
+    myServices.websites.webappDirs = {
+      _adminer = adminer.webRoot;
+      "${dokuwiki.apache.webappName}" = dokuwiki.webRoot;
+      "${ldap.apache.webappName}" = "${ldap.webRoot}/htdocs";
+      "${rompr.apache.webappName}" = rompr.webRoot;
+      "${roundcubemail.apache.webappName}" = roundcubemail.webRoot;
+      "${shaarli.apache.webappName}" = shaarli.webRoot;
+      "${ttrss.apache.webappName}" = ttrss.webRoot;
+      "${wallabag.apache.webappName}" = wallabag.webRoot;
+      "${yourls.apache.webappName}" = yourls.webRoot;
+      "${rainloop.apache.webappName}" = rainloop.webRoot;
+      "${kanboard.apache.webappName}" = kanboard.webRoot;
+    };
 
   };
 }
diff --git a/nixops/modules/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix
index c61d15f..c61d15f 100644
--- a/nixops/modules/websites/tools/tools/dokuwiki.nix
+++ b/modules/private/websites/tools/tools/dokuwiki.nix
diff --git a/nixops/modules/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
index 68f92b8..68f92b8 100644
--- a/nixops/modules/websites/tools/tools/kanboard.nix
+++ b/modules/private/websites/tools/tools/kanboard.nix
diff --git a/nixops/modules/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
index 8ee39f6..4585ee3 100644
--- a/nixops/modules/websites/tools/tools/ldap.nix
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -1,5 +1,11 @@
 { lib, php, env, writeText, phpldapadmin }:
 rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin
+      '';
+  };
   keys = [{
     dest = "webapps/tools-ldap";
     user = apache.user;
diff --git a/nixops/modules/websites/tools/tools/rainloop.nix b/modules/private/websites/tools/tools/rainloop.nix
index dbf0f24..dbf0f24 100644
--- a/nixops/modules/websites/tools/tools/rainloop.nix
+++ b/modules/private/websites/tools/tools/rainloop.nix
diff --git a/nixops/modules/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix
index fea59fc..fea59fc 100644
--- a/nixops/modules/websites/tools/tools/rompr.nix
+++ b/modules/private/websites/tools/tools/rompr.nix
diff --git a/nixops/modules/websites/tools/tools/roundcubemail.nix b/modules/private/websites/tools/tools/roundcubemail.nix
index 8974d1b..8974d1b 100644
--- a/nixops/modules/websites/tools/tools/roundcubemail.nix
+++ b/modules/private/websites/tools/tools/roundcubemail.nix
diff --git a/nixops/modules/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
index 2e89a47..2e89a47 100644
--- a/nixops/modules/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
diff --git a/nixops/modules/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
index 05c8cab..05c8cab 100644
--- a/nixops/modules/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
diff --git a/nixops/modules/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
index d6e5882..d6e5882 100644
--- a/nixops/modules/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
diff --git a/nixops/modules/websites/tools/tools/ympd.nix b/modules/private/websites/tools/tools/ympd.nix
index b54c486..b54c486 100644
--- a/nixops/modules/websites/tools/tools/ympd.nix
+++ b/modules/private/websites/tools/tools/ympd.nix
diff --git a/nixops/modules/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
index df1b3a2..0a8e837 100644
--- a/nixops/modules/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -1,8 +1,11 @@
 { env, yourls, yourls-plugins }:
 rec {
-  activationScript = ''
-    install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
-  '';
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
+    '';
+  };
   keys = [{
     dest = "webapps/tools-yourls";
     user = apache.user;
diff --git a/nixops/eldiron.nix b/nixops/eldiron.nix
index a0c5c7c..59ff85a 100644
--- a/nixops/eldiron.nix
+++ b/nixops/eldiron.nix
@@ -36,7 +36,6 @@
       ./modules/certificates.nix
       ./modules/gitolite
       ./modules/mpd.nix
-      ./modules/websites
       ./modules/mail.nix
       ./modules/ftp.nix
       ./modules/pub
diff --git a/nixops/modules/task/default.nix b/nixops/modules/task/default.nix
index e620318..9aeaa3f 100644
--- a/nixops/modules/task/default.nix
+++ b/nixops/modules/task/default.nix
@@ -180,9 +180,7 @@ in {
       '';
     };
 
-    system.extraSystemBuilderCmds = ''
-      ln -s ${./www} $out/webapps/_task
-      '';
+    myServices.websites.webappDirs._task = ./www;
 
     security.acme.certs."task" = config.services.myCertificates.certConfig // {
       inherit user group;
diff --git a/nixops/modules/websites/default.nix b/nixops/modules/websites/default.nix
deleted file mode 100644
index 1948fe9..0000000
--- a/nixops/modules/websites/default.nix
+++ /dev/null
@@ -1,236 +0,0 @@
-{ lib, pkgs, config,  myconfig, ... }:
-let
-  cfg = config.services.myWebsites;
-  www_root = "/run/current-system/webapps/_www";
-  theme_root = "/run/current-system/webapps/_theme";
-  apacheConfig = {
-    gzip = {
-      modules = [ "deflate" "filter" ];
-      extraConfig = ''
-        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
-      '';
-    };
-    macros = {
-      modules = [ "macro" ];
-    };
-    stats = {
-      extraConfig = ''
-        <Macro Stats %{domain}>
-          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
-          <Directory ${config.services.webstats.dataDir}/%{domain}>
-            DirectoryIndex index.html
-            AllowOverride None
-            Require all granted
-          </Directory>
-          <Location /webstats>
-            Use LDAPConnect
-            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
-          </Location>
-        </Macro>
-      '';
-    };
-    ldap = {
-      modules = [ "ldap" "authnz_ldap" ];
-      extraConfig = ''
-        <IfModule ldap_module>
-          LDAPSharedCacheSize 500000
-          LDAPCacheEntries 1024
-          LDAPCacheTTL 600
-          LDAPOpCacheEntries 1024
-          LDAPOpCacheTTL 600
-        </IfModule>
-
-        Include /var/secrets/apache-ldap
-      '';
-    };
-    global = {
-      extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
-    };
-    apaxy = {
-      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
-    };
-    http2 = {
-      modules = [ "http2" ];
-      extraConfig = ''
-        Protocols h2 http/1.1
-      '';
-    };
-    customLog = {
-      extraConfig = ''
-        LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
-      '';
-    };
-  };
-  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
-  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
-in
-{
-  imports = [
-    ./tools/db.nix
-    ./tools/tools
-    ./tools/dav
-    ./tools/cloud.nix
-    ./tools/git
-    ./tools/mastodon.nix
-    ./tools/mediagoblin.nix
-    ./tools/diaspora.nix
-    ./tools/ether.nix
-    ./tools/peertube.nix
-  ];
-
-  config = {
-    users.users.wwwrun.extraGroups = [ "keys" ];
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-    nixpkgs.overlays = [ (self: super: rec {
-      #openssl = self.openssl_1_1;
-      php = php72;
-      php72 = (super.php72.override {
-        mysql.connector-c = self.mariadb;
-        config.php.mysqlnd = false;
-        config.php.mysqli = false;
-      }).overrideAttrs(old: rec {
-        # Didn't manage to build with mysqli + mysql_config connector
-        configureFlags = old.configureFlags ++ [
-          "--with-mysqli=shared,mysqlnd"
-          ];
-        # preConfigure = (old.preConfigure or "") + ''
-        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
-        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
-        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
-        #   '';
-      });
-      phpPackages = super.php72Packages.override { inherit php; };
-    }) ];
-
-    services.myWebsites.tools.databases.enable = true;
-    services.myWebsites.tools.tools.enable = true;
-    services.myWebsites.tools.dav.enable = true;
-    services.myWebsites.tools.cloud.enable = true;
-    services.myWebsites.tools.git.enable = true;
-    services.myWebsites.tools.mastodon.enable = true;
-    services.myWebsites.tools.mediagoblin.enable = true;
-    services.myWebsites.tools.diaspora.enable = true;
-    services.myWebsites.tools.etherpad-lite.enable = true;
-    services.myWebsites.tools.peertube.enable = true;
-
-    secrets.keys = [{
-      dest = "apache-ldap";
-      user = "wwwrun";
-      group = "wwwrun";
-      permissions = "0400";
-      text = ''
-        <Macro LDAPConnect>
-          <IfModule authnz_ldap_module>
-            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
-            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
-            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
-            AuthType             Basic
-            AuthName             "Authentification requise (Acces LDAP)"
-            AuthBasicProvider    ldap
-          </IfModule>
-        </Macro>
-        '';
-    }];
-
-    system.activationScripts = {
-      httpd = ''
-        install -d -m 0755 ${config.security.acme.directory}/acme-challenge
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/adminer
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/tmp/adminer
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/mantisbt
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/davical
-        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions/phpldapadmin
-        '';
-    };
-
-    system.extraSystemBuilderCmds = let
-      adminer = pkgs.callPackage ./commons/adminer.nix {};
-    in ''
-      mkdir -p $out/webapps
-      ln -s ${pkgs.webapps.apache-default.www} $out/webapps/_www
-      ln -s ${pkgs.webapps.apache-theme.theme} $out/webapps/_theme
-      ln -s ${adminer.webRoot} $out/webapps/${adminer.apache.webappName}
-      '';
-
-    services.phpfpm = {
-      phpPackage = pkgs.php;
-      phpOptions = ''
-        session.save_path = "/var/lib/php/sessions"
-        post_max_size = 20M
-        ; 15 days (seconds)
-        session.gc_maxlifetime = 1296000
-        ; 30 days (minutes)
-        session.cache_expire = 43200
-        '';
-      extraConfig = ''
-        log_level = notice
-        '';
-    };
-
-    services.websites.production = {
-      enable = true;
-      adminAddr = "httpd@immae.eu";
-      httpdName = "Prod";
-      ips =
-        let ips = myconfig.env.servers.eldiron.ips.production;
-        in [ips.ip4] ++ (ips.ip6 or []);
-      modules = makeModules;
-      extraConfig = makeExtraConfig;
-      fallbackVhost = {
-        certName    = "eldiron";
-        hosts       = ["eldiron.immae.eu" ];
-        root        = www_root;
-        extraConfig = [ "DirectoryIndex index.htm" ];
-      };
-    };
-
-    services.websites.integration = {
-      enable = true;
-      adminAddr = "httpd@immae.eu";
-      httpdName = "Inte";
-      ips =
-        let ips = myconfig.env.servers.eldiron.ips.integration;
-        in [ips.ip4] ++ (ips.ip6 or []);
-      modules = makeModules;
-      extraConfig = makeExtraConfig;
-      fallbackVhost = {
-        certName    = "eldiron";
-        hosts       = ["eldiron.immae.eu" ];
-        root        = www_root;
-        extraConfig = [ "DirectoryIndex index.htm" ];
-      };
-    };
-
-    services.websites.tools = {
-      enable = true;
-      adminAddr = "httpd@immae.eu";
-      httpdName = "Tools";
-      ips =
-        let ips = myconfig.env.servers.eldiron.ips.main;
-        in [ips.ip4] ++ (ips.ip6 or []);
-      modules = makeModules;
-      extraConfig = makeExtraConfig ++
-        [ ''
-            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
-            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
-            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
-            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
-          ''
-          ];
-      nosslVhost = {
-        enable = true;
-        host = "nossl.immae.eu";
-      };
-      fallbackVhost = {
-        certName    = "eldiron";
-        hosts       = ["eldiron.immae.eu" ];
-        root        = www_root;
-        extraConfig = [ "DirectoryIndex index.htm" ];
-      };
-    };
-  };
-}