Diffstat (limited to 'modules/private/websites/default.nix')
-rw-r--r-- | modules/private/websites/default.nix | 324 |
1 files changed, 0 insertions, 324 deletions
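--- a/modules/private/websites/default.nix
+++ /dev/null
@@ -1,324 +0,0 @@
-{ lib, pkgs, config, ... }:
-let
-www_root = ./_www;
-theme_root = pkgs.webapps.apache-theme.theme;
-apacheConfig = {
-cache = {
-# This setting permits to ignore time-based cache for files in the
-# nix store:
-# If a client requires an If-Modified-Since from timestamp 1, then
-# this header is removed, and if the response contains a
-# too old Last-Modified tag, then it is removed too
-extraConfig = ''
-<If "%{HTTP:If-Modified-Since} =~ /01 Jan 1970 00:00:01/" >
-RequestHeader unset If-Modified-Since
-</If>
-Header unset Last-Modified "expr=%{LAST_MODIFIED} < 19991231235959"
-'';
-};
-gzip = {
-modules = [ "deflate" "filter" ];
-extraConfig = ''
-AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
-'';
-};
-macros = {
-modules = [ "macro" ];
-};
-stats = {
-extraConfig = ''
-<Macro Stats %{domain}>
-Alias /webstats ${config.services.webstats.dataDir}/%{domain}
-<Directory ${config.services.webstats.dataDir}/%{domain}>
-DirectoryIndex index.html
-AllowOverride None
-Require all granted
-</Directory>
-<Location /webstats>
-Use LDAPConnect
-Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
-</Location>
-</Macro>
-'';
-};
-ldap = {
-modules = [ "ldap" "authnz_ldap" ];
-extraConfig = ''
-<IfModule ldap_module>
-LDAPSharedCacheSize 500000
-LDAPCacheEntries 1024
-LDAPCacheTTL 600
-LDAPOpCacheEntries 1024
-LDAPOpCacheTTL 600
-</IfModule>
-
-Include ${config.secrets.fullPaths."apache-ldap"}
-'';
-};
-global = {
-extraConfig = ''
-ErrorDocument 500 /maintenance_immae.html
-ErrorDocument 501 /maintenance_immae.html
-ErrorDocument 502 /maintenance_immae.html
-ErrorDocument 503 /maintenance_immae.html
-ErrorDocument 504 /maintenance_immae.html
-Alias /maintenance_immae.html ${www_root}/maintenance_immae.html
-ProxyPass /maintenance_immae.html !
-
-AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html
-<Directory ${www_root}>
-AllowOverride None
-Require all granted
-</Directory>
-'';
-};
-apaxy = {
-extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
-};
-http2 = {
-modules = [ "http2" ];
-extraConfig = ''
-Protocols h2 http/1.1
-'';
-};
-customLog = {
-extraConfig = ''
-LogFormat "%{Host}i:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
-'';
-};
-};
-makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
-makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
-moomin = let
-lines = lib.splitString "\n" (lib.fileContents ./moomin.txt);
-pad = width: str: let
-padWidth = width - lib.stringLength str;
-padding = lib.concatStrings (lib.genList (lib.const "0") padWidth);
-in lib.optionalString (padWidth > 0) padding + str;
-in
-lib.imap0 (i: e: ''Header always set "X-Moomin-${pad 2 (builtins.toString i)}" "${e}"'') lines;
-in
-{
-options.myServices.websites.enable = lib.mkEnableOption "enable websites";
-
-config = lib.mkIf config.myServices.websites.enable {
-users.users.wwwrun.extraGroups = [ "keys" ];
-networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-secrets.keys."apache-ldap" = {
-user = "wwwrun";
-group = "wwwrun";
-permissions = "0400";
-text = ''
-<Macro LDAPConnect>
-<IfModule authnz_ldap_module>
-AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
-AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
-AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"
-AuthType Basic
-AuthName "Authentification requise (Acces LDAP)"
-AuthBasicProvider ldap
-</IfModule>
-</Macro>
-'';
-};
-
-system.activationScripts = {
-httpd = ''
-install -d -m 0755 /var/lib/acme/acme-challenges
-install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
-'';
-};
-
-services.phpfpm = {
-phpOptions = ''
-session.save_path = "/var/lib/php/sessions"
-post_max_size = 20M
-; 15 days (seconds)
-session.gc_maxlifetime = 1296000
-; 30 days (minutes)
-session.cache_expire = 43200
-'';
-settings = {
-log_level = "notice";
-};
-};
-
-services.filesWatcher.httpdProd.paths = [ config.secrets.fullPaths."apache-ldap" ];
-services.filesWatcher.httpdInte.paths = [ config.secrets.fullPaths."apache-ldap" ];
-services.filesWatcher.httpdTools.paths = [ config.secrets.fullPaths."apache-ldap" ];
-
-services.websites.env.production = {
-enable = true;
-adminAddr = "httpd@immae.eu";
-httpdName = "Prod";
-ips =
-let ips = config.myEnv.servers.eldiron.ips.production;
-in [ips.ip4] ++ (ips.ip6 or []);
-modules = makeModules;
-extraConfig = makeExtraConfig;
-fallbackVhost = {
-certName = "eldiron";
-hosts = ["eldiron.immae.eu" ];
-root = www_root;
-extraConfig = [ "DirectoryIndex index.htm" ];
-};
-};
-
-services.websites.env.integration = {
-enable = true;
-adminAddr = "httpd@immae.eu";
-httpdName = "Inte";
-ips =
-let ips = config.myEnv.servers.eldiron.ips.integration;
-in [ips.ip4] ++ (ips.ip6 or []);
-modules = makeModules;
-extraConfig = makeExtraConfig ++ moomin;
-fallbackVhost = {
-certName = "eldiron";
-hosts = ["eldiron.immae.eu" ];
-root = www_root;
-extraConfig = [ "DirectoryIndex index.htm" ];
-};
-};
-
-services.websites.env.tools = {
-enable = true;
-adminAddr = "httpd@immae.eu";
-httpdName = "Tools";
-ips =
-let ips = config.myEnv.servers.eldiron.ips.main;
-in [ips.ip4] ++ (ips.ip6 or []);
-modules = makeModules;
-extraConfig = makeExtraConfig ++
-[ ''
-RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
-RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
-RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
-RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
-RedirectMatch ^/CGU$ https://www.immae.eu/CGU
-''
-];
-nosslVhost = {
-enable = true;
-host = "nossl.immae.eu";
-};
-fallbackVhost = {
-certName = "eldiron";
-hosts = ["eldiron.immae.eu" ];
-root = www_root;
-extraConfig = [ "DirectoryIndex index.htm" ];
-};
-};
-
-myServices.websites = {
-bakeer.cloud.enable = true;
-capitaines.landing_pages.enable = true;
-
-chloe = {
-integration.enable = true;
-production.enable = true;
-};
-
-cip-ca = {
-sympa.enable = true;
-};
-
-connexionswing = {
-integration.enable = true;
-production.enable = true;
-};
-
-denise = {
-evariste.enable = true;
-denisejerome.enable = true;
-oms.enable = true;
-bingo.enable = true;
-aventuriers.enable = true;
-production.enable = true;
-};
-
-emilia = {
-moodle.enable = false;
-atelierfringant.enable = true;
-};
-
-florian = {
-app.enable = true;
-integration.enable = true;
-production.enable = true;
-};
-
-immae = {
-production.enable = true;
-release.enable = true;
-temp.enable = true;
-};
-
-isabelle = {
-aten_integration.enable = true;
-aten_production.enable = true;
-iridologie.enable = true;
-};
-
-jerome.naturaloutil.enable = true;
-
-leila.production.enable = true;
-
-ludivine = {
-integration.enable = true;
-production.enable = true;
-};
-
-nassime.production.enable = true;
-
-nath.villon.enable = true;
-
-papa = {
-surveillance.enable = true;
-maison_bbc.enable = true;
-};
-
-patrick_fodella = {
-ecolyeu.enable = true;
-altermondia.enable = true;
-};
-
-piedsjaloux = {
-integration.enable = true;
-production.enable = true;
-};
-
-ressourcerie_banon.production.enable = true;
-ressourcerie_banon.cryptpad.enable = true;
-ressourcerie_banon.cloud.enable = true;
-
-richie.production.enable = true;
-
-syden.peertube.enable = true;
-
-telio_tortay.production.enable = true;
-
-tools.assets.enable = true;
-tools.cloud.enable = true;
-tools.commento.enable = true;
-tools.cryptpad.enable = true;
-tools.dav.enable = true;
-tools.db.enable = true;
-tools.diaspora.enable = true;
-tools.etherpad-lite.enable = true;
-tools.git.enable = true;
-tools.mastodon.enable = true;
-tools.mediagoblin.enable = true;
-tools.peertube.enable = true;
-tools.performance.enable = true;
-tools.tools.enable = true;
-tools.email.enable = true;
-tools.stats.enable = false;
-
-games.codenames.enable = true;
-games.terraforming-mars.enable = true;
-};
-};
-}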