8 files changed, 119 insertions, 146 deletions

diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index c9075cf..cefef70 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -29,7 +29,7 @@
     imports = [
       ./modules/certificates.nix
       ./modules/gitolite.nix
-      ./modules/gitweb.nix
+      ./modules/gitweb
       ./modules/databases.nix
       ./modules/websites
       ./modules/websites/phpfpm
@@ -155,114 +155,6 @@
       source = ldap_authorized_keys;
     };
 
-    services.gitDaemon = {
-      enable = true;
-      user = "gitolite";
-      group = "gitolite";
-      basePath = "${mypkgs.git.web.varDir}/repositories";
-    };
-
-    # FIXME: logrotate
-    services.httpd = let
-      withConf = domain: {
-        enableSSL = true;
-        sslServerCert = "/var/lib/acme/${domain}/cert.pem";
-        sslServerKey = "/var/lib/acme/${domain}/key.pem";
-        sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
-        logFormat = "combinedVhost";
-        listen = [
-          { ip = "176.9.151.89";  port = 443; }
-        ];
-      };
-      apacheConfig = config.services.myWebsites.apacheConfig;
-    in rec {
-      enable = true;
-      logPerVirtualHost = true;
-      multiProcessingModule = "worker";
-      adminAddr = "httpd@immae.eu";
-      logFormat = "combinedVhost";
-      extraModules = pkgs.lib.lists.unique (
-        mypkgs.adminer.apache.modules ++
-        mypkgs.nextcloud.apache.modules ++
-        mypkgs.ympd.apache.modules ++
-        mypkgs.git.web.apache.modules ++
-        mypkgs.mantisbt.apache.modules ++
-        mypkgs.ttrss.apache.modules ++
-        mypkgs.roundcubemail.apache.modules ++
-        pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig));
-      extraConfig = builtins.concatStringsSep "\n"
-        (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
-      virtualHosts = [
-        (withConf "eldiron" // {
-          hostName = "eldiron.immae.eu";
-          documentRoot = ./www;
-          extraConfig = ''
-            DirectoryIndex index.htm
-            '';
-        })
-        (withConf "eldiron" // {
-          hostName = "db-1.immae.eu";
-          documentRoot = null;
-          extraConfig = builtins.concatStringsSep "\n" [
-            mypkgs.adminer.apache.vhostConf
-          ];
-        })
-        (withConf "eldiron" // {
-          hostName = "tools.immae.eu";
-          documentRoot = null;
-          extraConfig = builtins.concatStringsSep "\n" [
-            mypkgs.adminer.apache.vhostConf
-            mypkgs.ympd.apache.vhostConf
-            mypkgs.ttrss.apache.vhostConf
-            mypkgs.roundcubemail.apache.vhostConf
-          ];
-        })
-        (withConf "eldiron" // {
-          hostName = "dav.immae.eu";
-          documentRoot = null;
-          extraConfig = builtins.concatStringsSep "\n" [
-            mypkgs.infcloud.apache.vhostConf
-            mypkgs.davical.apache.vhostConf
-          ];
-        })
-        (withConf "eldiron" // {
-          hostName = "cloud.immae.eu";
-          documentRoot = mypkgs.nextcloud.webRoot;
-          extraConfig = builtins.concatStringsSep "\n" [
-            mypkgs.nextcloud.apache.vhostConf
-          ];
-        })
-        (withConf "eldiron" // {
-          hostName = "git.immae.eu";
-          documentRoot = mypkgs.git.web.webRoot;
-          extraConfig = builtins.concatStringsSep "\n" [
-            mypkgs.git.web.apache.vhostConf
-            mypkgs.mantisbt.apache.vhostConf
-          ] + ''
-            RewriteEngine on
-            RewriteCond %{REQUEST_URI}       ^/releases
-            RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
-            '';
-        })
-        { # Should go last, default fallback
-          listen = [ { ip = "*"; port = 80; } ];
-          hostName = "redirectSSL";
-          serverAliases = [ "*" ];
-          enableSSL = false;
-          logFormat = "combinedVhost";
-          documentRoot = "/var/lib/acme/acme-challenge";
-          extraConfig = ''
-            RewriteEngine on
-            RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
-            RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
-            # To redirect in specific "VirtualHost *:80", do
-            #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
-            # rather than rewrite
-            '';
-        }
-      ];
-    };
-
     systemd.services.tt-rss = {
       description = "Tiny Tiny RSS feeds update daemon";
       serviceConfig = {
diff --git a/virtual/modules/gitolite.nix b/virtual/modules/gitolite.nix
index 85c7be1..d6b9c79 100644
--- a/virtual/modules/gitolite.nix
+++ b/virtual/modules/gitolite.nix
@@ -4,6 +4,10 @@ let
 in {
   options.services.myGitolite = {
     enable = lib.mkEnableOption "my gitolite service";
+    gitoliteDir = lib.mkOption {
+      type = lib.types.string;
+      default = "/var/lib/gitolite";
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -20,6 +24,13 @@ in {
       });
     };
 
+    services.gitDaemon = {
+      enable = true;
+      user = "gitolite";
+      group = "gitolite";
+      basePath = "${cfg.gitoliteDir}/repositories";
+    };
+
     system.activationScripts.gitolite =
       assert mylibs.checkEnv "NIXOPS_GITOLITE_LDAP_PASSWORD";
       let
@@ -34,12 +45,12 @@ in {
     in {
       deps = [ "users" ];
       text = ''
-        if [ -d /var/lib/gitolite ]; then
-          ln -sf ${gitolite_ldap_groups} /var/lib/gitolite/gitolite_ldap_groups.sh
-          chmod g+rx /var/lib/gitolite
+        if [ -d ${cfg.gitoliteDir} ]; then
+          ln -sf ${gitolite_ldap_groups} ${cfg.gitoliteDir}/gitolite_ldap_groups.sh
+          chmod g+rx ${cfg.gitoliteDir}
         fi
-        if [ -f /var/lib/gitolite/projects.list ]; then
-          chmod g+r /var/lib/gitolite/projects.list
+        if [ -f ${cfg.gitoliteDir}/projects.list ]; then
+          chmod g+r ${cfg.gitoliteDir}/projects.list
         fi
       '';
     };
diff --git a/virtual/modules/gitweb.nix b/virtual/modules/gitweb/default.nix
index f3ef1bd..2a860ba 100644
--- a/virtual/modules/gitweb.nix
+++ b/virtual/modules/gitweb/default.nix
@@ -1,5 +1,7 @@
 { lib, pkgs, config, mylibs, ... }:
 let
+    # FIXME: add buildbot
+    gitweb = pkgs.callPackage ./gitweb.nix { gitoliteDir = config.services.myGitolite.gitoliteDir; };
     cfg = config.services.myGitweb;
 in {
   options.services.myGitweb = {
@@ -12,10 +14,17 @@ in {
     nixpkgs.config.packageOverrides = oldpkgs: rec {
       gitweb = oldpkgs.gitweb.overrideAttrs(old: {
         installPhase = old.installPhase + ''
-          cp -r ${./gitweb/theme} $out/gitweb-theme;
+          cp -r ${./theme} $out/gitweb-theme;
           '';
       });
     };
 
+    services.myWebsites.tools.modules = gitweb.apache.modules;
+    services.myWebsites.tools.vhostConfs.git = {
+      certName    = "eldiron";
+      hosts       = ["git.immae.eu" ];
+      root        = gitweb.webRoot;
+      extraConfig = [ gitweb.apache.vhostConf ];
+    };
   };
 }
diff --git a/virtual/packages/gitweb.nix b/virtual/modules/gitweb/gitweb.nix
index 1c2430a..7b4dcac 100644
--- a/virtual/packages/gitweb.nix
+++ b/virtual/modules/gitweb/gitweb.nix
@@ -1,6 +1,6 @@
-{ gitweb, writeText, gitolite, git }:
+{ gitweb, writeText, gitolite, git, gitoliteDir }:
 rec {
-  varDir = "/var/lib/gitolite";
+  varDir = gitoliteDir;
   webRoot = gitweb;
   config = writeText "gitweb.conf" ''
     $git_temp = "/tmp";
diff --git a/virtual/modules/websites/default.nix b/virtual/modules/websites/default.nix
index a9e62a5..b027b81 100644
--- a/virtual/modules/websites/default.nix
+++ b/virtual/modules/websites/default.nix
@@ -1,5 +1,8 @@
 { lib, pkgs, config, mylibs, myconfig, ... }:
 let
+  mypkgs = pkgs.callPackage ../../packages.nix {
+    inherit (mylibs) checkEnv fetchedGit fetchedGithub;
+  };
   cfg = config.services.myWebsites;
   makeService = name: cfg: let
     toVhost = vhostConf: {
@@ -16,6 +19,28 @@ let
       documentRoot = vhostConf.root;
       extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
     };
+    redirectVhost = { # Should go last, catchall http -> https redirect
+      listen = [ { ip = cfg.ip; port = 80; } ];
+      hostName = "redirectSSL";
+      serverAliases = [ "*" ];
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = "/var/lib/acme/acme-challenge";
+      extraConfig = ''
+        RewriteEngine on
+        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
+        RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
+        # To redirect in specific "VirtualHost *:80", do
+        #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+        # rather than rewrite
+      '';
+    };
+    fallbackVhost = toVhost { # Should go first, default choice
+      certName    = "eldiron";
+      hosts       = ["eldiron.immae.eu" ];
+      root        = ../../www;
+      extraConfig = [ "DirectoryIndex index.htm" ];
+    };
   in rec {
     enable = true;
     listen = [
@@ -28,7 +53,9 @@ let
     logFormat = "combinedVhost";
     extraModules = pkgs.lib.lists.unique (pkgs.lib.lists.flatten cfg.modules);
     extraConfig = builtins.concatStringsSep "\n" cfg.extraConfig;
-    virtualHosts = pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs;
+    virtualHosts = [ fallbackVhost ]
+      ++ (pkgs.lib.attrsets.mapAttrsToList (n: v: toVhost v) cfg.vhostConfs)
+      ++ [ redirectVhost ];
   };
   makeServiceOptions = name: ip: {
     enable = lib.mkEnableOption "enable websites in ${name}";
@@ -74,6 +101,7 @@ in
   options.services.myWebsites = {
     production = makeServiceOptions "production" myconfig.ips.production;
     integration = makeServiceOptions "integration" myconfig.ips.integration;
+    tools = makeServiceOptions "tools" myconfig.ips.main;
 
     apacheConfig = lib.mkOption {
       type = lib.types.attrsOf (lib.types.submodule {
@@ -208,5 +236,65 @@ in
     services.httpdInte = makeService "integration" config.services.myWebsites.integration;
     services.myWebsites.integration.modules = pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
     services.myWebsites.integration.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
+
+    services.httpd = makeService "tools" config.services.myWebsites.tools;
+    services.myWebsites.tools.modules =
+      mypkgs.adminer.apache.modules ++
+      mypkgs.nextcloud.apache.modules ++
+      mypkgs.ympd.apache.modules ++
+      mypkgs.mantisbt.apache.modules ++
+      mypkgs.ttrss.apache.modules ++
+      mypkgs.roundcubemail.apache.modules ++
+      pkgs.lib.lists.flatten (pkgs.lib.attrsets.mapAttrsToList (n: v: v.modules or []) cfg.apacheConfig);
+    services.myWebsites.tools.extraConfig = (builtins.filter (x: x != null) (pkgs.lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) cfg.apacheConfig));
+    # FIXME: move them all to separate modules
+    services.myWebsites.tools.vhostConfs.eldiron = {
+      certName    = "eldiron";
+      hosts       = ["eldiron.immae.eu" ];
+      root        = ../../www;
+      extraConfig = [ "DirectoryIndex index.htm" ];
+    };
+    services.myWebsites.tools.vhostConfs.db-1 = {
+      certName    = "eldiron";
+      hosts       = ["db-1.immae.eu" ];
+      root        = null;
+      extraConfig = [ mypkgs.adminer.apache.vhostConf ];
+    };
+    services.myWebsites.tools.vhostConfs.tools = {
+      certName    = "eldiron";
+      hosts       = ["tools.immae.eu" ];
+      root        = null;
+      extraConfig = [
+        mypkgs.adminer.apache.vhostConf
+        mypkgs.ympd.apache.vhostConf
+        mypkgs.ttrss.apache.vhostConf
+        mypkgs.roundcubemail.apache.vhostConf
+      ];
+    };
+    services.myWebsites.tools.vhostConfs.dav = {
+      certName    = "eldiron";
+      hosts       = ["dav.immae.eu" ];
+      root        = null;
+      extraConfig = [
+        mypkgs.infcloud.apache.vhostConf
+        mypkgs.davical.apache.vhostConf
+      ];
+    };
+    services.myWebsites.tools.vhostConfs.cloud = {
+      certName    = "eldiron";
+      hosts       = ["cloud.immae.eu" ];
+      root        = mypkgs.nextcloud.webRoot;
+      extraConfig = [
+        mypkgs.nextcloud.apache.vhostConf
+      ];
+    };
+    services.myWebsites.tools.vhostConfs.git.extraConfig = [
+      mypkgs.mantisbt.apache.vhostConf
+      ''
+        RewriteEngine on
+        RewriteCond %{REQUEST_URI}       ^/releases
+        RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
+        ''
+    ];
   };
 }
diff --git a/virtual/packages.nix b/virtual/packages.nix
index fa1b666..1f01ba7 100644
--- a/virtual/packages.nix
+++ b/virtual/packages.nix
@@ -3,7 +3,6 @@ let
   nextcloud = callPackage ./packages/nextcloud.nix { inherit checkEnv; };
   adminer = callPackage ./packages/adminer.nix {};
   ympd = callPackage ./packages/ympd.nix {};
-  gitweb = callPackage ./packages/gitweb.nix {};
   mantisbt = callPackage ./packages/mantisbt.nix { inherit checkEnv fetchedGithub; };
   ttrss = callPackage ./packages/ttrss.nix { inherit checkEnv fetchedGithub fetchedGit; };
   roundcubemail = callPackage ./packages/roundcubemail.nix { inherit checkEnv; };
@@ -19,6 +18,4 @@ in
     inherit roundcubemail;
     inherit infcloud;
     inherit davical;
-    # FIXME: add buildbot
-    git = { web = gitweb; };
   }
diff --git a/virtual/packages/adminer.nix b/virtual/packages/adminer.nix
index d2800aa..7094e45 100644
--- a/virtual/packages/adminer.nix
+++ b/virtual/packages/adminer.nix
@@ -39,7 +39,7 @@ let
       vhostConf = ''
         Alias /adminer ${webRoot}
         <Directory ${webRoot}>
-          DirectoryIndex = index.php
+          DirectoryIndex index.php
           <FilesMatch "\.php$">
             SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
           </FilesMatch>
diff --git a/virtual/packages/gitweb.conf b/virtual/packages/gitweb.conf
deleted file mode 100644
index 0d5f50d..0000000
--- a/virtual/packages/gitweb.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-$git_temp = "/tmp";
-
-# The directories where your projects are. Must not end with a slash.
-$projectroot = "/srv/git/repositories"; 
-
-$projects_list = "/srv/git/projects.list";
-$strict_export = "true";
-
-# Base URLs for links displayed in the web interface.
-our @git_base_url_list = qw(ssh://gitolite@git.immae.eu https://git.immae.eu);
-
-$feature{'blame'}{'default'} = [1];
-$feature{'avatar'}{'default'} = ['gravatar'];
-$feature{'highlight'}{'default'} = [1];
-
-@stylesheets = ("gitweb-theme/gitweb.css");
-$logo = "gitweb-theme/git-logo.png";
-$favicon = "gitweb-theme/git-favicon.png";
-
-$javascript = "gitweb-theme/gitweb.js";
-$logo_url = "https://git.immae.eu/";
-$projects_list_group_categories = "true";
-$projects_list_description_width = 60;
-$project_list_default_category = "__Others__";