37 files changed, 1981 insertions, 0 deletions

diff --git a/modules/private/websites/aten/builder.nix b/modules/private/websites/aten/builder.nix
new file mode 100644
index 0000000..9a2e1a7
--- /dev/null
+++ b/modules/private/websites/aten/builder.nix
@@ -0,0 +1,102 @@
+{ apacheUser, apacheGroup, aten, lib, config }: rec {
+  app = aten.override { inherit (config) environment; };
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-aten > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "postgresql.service" ];
+    socket = "/var/run/phpfpm/aten-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  keys = [{
+    dest = "webapps/${app.environment}-aten";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      SetEnv APP_ENV      "${app.environment}"
+      SetEnv APP_SECRET   "${config.secret}"
+      SetEnv DATABASE_URL "${config.psql_url}"
+      '';
+  }];
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "aten_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    Include /var/secrets/webapps/${app.environment}-aten
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+    </Location>
+
+    <Location /backend>
+      Use LDAPConnect
+      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+    </Location>
+    '' else ''
+    Use Stats aten.pro
+
+    <Location /backend>
+      Use LDAPConnect
+      Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+    </Location>
+    ''}
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+      DirectoryIndex index.php
+      FallbackResource /index.php
+    </Directory>
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix
new file mode 100644
index 0000000..790c5a9
--- /dev/null
+++ b/modules/private/websites/aten/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  aten = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) aten;
+    config = myconfig.env.websites.aten.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.aten.integration;
+in {
+  options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = aten.keys;
+    services.myPhpfpm.preStart.aten_dev = aten.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.aten_dev = aten.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.aten_dev = aten.phpFpm.pool;
+    system.activationScripts.aten_dev = aten.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName}
+      '';
+    services.websites.integration.modules = aten.apache.modules;
+    services.websites.integration.vhostConfs.aten = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "dev.aten.pro" ];
+      root        = aten.apache.root;
+      extraConfig = [ aten.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix
new file mode 100644
index 0000000..697f1b8
--- /dev/null
+++ b/modules/private/websites/aten/production.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  aten = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) aten;
+    config = myconfig.env.websites.aten.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.aten.production;
+in {
+  options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = aten.keys;
+    services.webstats.sites = [ { name = "aten.pro"; } ];
+
+    services.myPhpfpm.preStart.aten_prod = aten.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.aten_prod = aten.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.aten_prod = aten.phpFpm.pool;
+    system.activationScripts.aten_prod = aten.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${aten.app.webRoot} $out/webapps/${aten.apache.webappName}
+      '';
+    services.websites.production.modules = aten.apache.modules;
+    services.websites.production.vhostConfs.aten = {
+      certName     = "aten";
+      certMainHost = "aten.pro";
+      hosts        = [ "aten.pro" "www.aten.pro" ];
+      root         = aten.apache.root;
+      extraConfig  = [ aten.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/capitaines/mastodon_static/index.html b/modules/private/websites/capitaines/mastodon_static/index.html
new file mode 100644
index 0000000..fae4152
--- /dev/null
+++ b/modules/private/websites/capitaines/mastodon_static/index.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang='en'>
+  <head>
+    <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'>
+    <title>This instance is now closed - Mastodon</title>
+    <style>
+      body {
+        text-align: center;
+        background: #282c37;
+        font-family: sans-serif;
+      }
+      img {
+        max-width: 470px;
+        width: 100%;
+      }
+      h1 {
+        font-size: 20px;
+        font-weight: 400;
+        color: #9baec8;
+      }
+    </style>
+  </head>
+  <body>
+    <div>
+      <img alt='Mastodon' src='/oops.png'>
+      <h1>Sorry, this instance is closed now.</h1>
+    </div>
+  </body>
+</html>
diff --git a/modules/private/websites/capitaines/mastodon_static/oops.png b/modules/private/websites/capitaines/mastodon_static/oops.png
new file mode 100644
index 0000000..0abddad
--- /dev/null
+++ b/modules/private/websites/capitaines/mastodon_static/oops.png
diff --git a/modules/private/websites/capitaines/production.nix b/modules/private/websites/capitaines/production.nix
new file mode 100644
index 0000000..fe9c619
--- /dev/null
+++ b/modules/private/websites/capitaines/production.nix
@@ -0,0 +1,47 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    cfg = config.myServices.websites.capitaines.production;
+    env = myconfig.env.websites.capitaines;
+    webappName = "capitaines_mastodon";
+    root = "/run/current-system/webapps/${webappName}";
+    siteDir = ./mastodon_static;
+in {
+  options.myServices.websites.capitaines.production.enable = lib.mkEnableOption "enable Capitaines's website";
+
+  config = lib.mkIf cfg.enable {
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${siteDir} $out/webapps/${webappName}
+      '';
+
+    services.websites.production.vhostConfs.capitaines_mastodon = {
+      certName     = "capitaines";
+      certMainHost = "mastodon.capitaines.fr";
+      hosts        = [ "mastodon.capitaines.fr" ];
+      root         = root;
+      extraConfig  = [
+        ''
+        ErrorDocument 404 /index.html
+        <Directory ${root}>
+          DirectoryIndex index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+
+    services.websites.production.vhostConfs.capitaines = {
+      certName   = "capitaines";
+      addToCerts = true;
+      hosts      = [ "capitaines.fr" ];
+      root       = "/run/current-system/webapps/_www";
+      extraConfig = [ ''
+        <Directory /run/current-system/webapps/_www>
+          DirectoryIndex index.htm
+          Require all granted
+        </Directory>
+        '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix
new file mode 100644
index 0000000..7b72b97
--- /dev/null
+++ b/modules/private/websites/chloe/builder.nix
@@ -0,0 +1,103 @@
+{ apacheUser, apacheGroup, chloe, config }:
+rec {
+  app = chloe.override { inherit (config) environment; };
+  phpFpm = rec {
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/chloe-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  keys = [{
+    dest = "webapps/${app.environment}-chloe";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      SetEnv SPIP_CONFIG_DIR     "${configDir}"
+      SetEnv SPIP_VAR_DIR        "${app.varDir}"
+      SetEnv SPIP_SITE           "chloe-${app.environment}"
+      SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+      SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+      SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+      SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+      SetEnv SPIP_LDAP_SEARCH    "${config.ldap.search}"
+      SetEnv SPIP_MYSQL_HOST     "${config.mysql.host}"
+      SetEnv SPIP_MYSQL_PORT     "${config.mysql.port}"
+      SetEnv SPIP_MYSQL_DB       "${config.mysql.name}"
+      SetEnv SPIP_MYSQL_USER     "${config.mysql.user}"
+      SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+    '';
+  }];
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "chloe_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Include /var/secrets/webapps/${app.environment}-chloe
+
+      RewriteEngine On
+      ${if app.environment == "prod" then ''
+      RewriteRule ^/news.rss  /spip.php?page=backend&id_rubrique=1
+      '' else ""}
+
+      <FilesMatch "\.php$">
+        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+      </FilesMatch>
+
+      <Directory ${root}>
+        DirectoryIndex index.php index.htm index.html
+        Options -Indexes +FollowSymLinks +MultiViews +Includes
+        Include ${root}/htaccess.txt
+
+        AllowOverride AuthConfig FileInfo Limit
+        Require all granted
+      </Directory>
+
+      <DirectoryMatch "${root}/squelettes">
+        Require all denied
+      </DirectoryMatch>
+
+      <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
+        Require all denied
+      </FilesMatch>
+
+      ${if app.environment == "dev" then ''
+      <Location />
+        Use LDAPConnect
+        Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
+      </Location>
+      '' else ''
+      Use Stats osteopathe-cc.fr
+      ''}
+      '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
+      install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+  configDir = ./config;
+}
diff --git a/modules/private/websites/chloe/config/chmod.php b/modules/private/websites/chloe/config/chmod.php
new file mode 100644
index 0000000..aae16cd
--- /dev/null
+++ b/modules/private/websites/chloe/config/chmod.php
@@ -0,0 +1,4 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+if (!defined('_SPIP_CHMOD')) define('_SPIP_CHMOD', 0777);
+?>
\ No newline at end of file
diff --git a/modules/private/websites/chloe/config/connect.php b/modules/private/websites/chloe/config/connect.php
new file mode 100644
index 0000000..18b0933
--- /dev/null
+++ b/modules/private/websites/chloe/config/connect.php
@@ -0,0 +1,15 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+define('_MYSQL_SET_SQL_MODE',true);
+$GLOBALS['spip_connect_version'] = 0.7;
+spip_connect_db(
+  getenv("SPIP_MYSQL_HOST"),
+  getenv("SPIP_MYSQL_PORT"),
+  getenv("SPIP_MYSQL_USER"),
+  getenv("SPIP_MYSQL_PASSWORD"),
+  getenv("SPIP_MYSQL_DB"),
+  'mysql',
+  'spip',
+  'ldap.php'
+);
+?>
diff --git a/modules/private/websites/chloe/config/ldap.php b/modules/private/websites/chloe/config/ldap.php
new file mode 100644
index 0000000..825b7ed
--- /dev/null
+++ b/modules/private/websites/chloe/config/ldap.php
@@ -0,0 +1,9 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+$GLOBALS['ldap_base'] = getenv("SPIP_LDAP_BASE");
+$GLOBALS['ldap_link'] = @ldap_connect(getenv("SPIP_LDAP_HOST"));
+@ldap_set_option($GLOBALS['ldap_link'],LDAP_OPT_PROTOCOL_VERSION,'3');
+@ldap_bind($GLOBALS['ldap_link'],getenv("SPIP_LDAP_SEARCH_DN"), getenv("SPIP_LDAP_SEARCH_PW"));
+$GLOBALS['ldap_champs'] = array('login' => array('sAMAccountName','uid','login','userid','cn','sn'),'nom' => 'cn','email' => 'mail','bio' => 'description',);
+$GLOBALS['ldap_search'] = getenv("SPIP_LDAP_SEARCH");
+?>
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix
new file mode 100644
index 0000000..458e414
--- /dev/null
+++ b/modules/private/websites/chloe/integration.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  chloe  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) chloe;
+    config = myconfig.env.websites.chloe.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.chloe.integration;
+in {
+  options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = chloe.keys;
+    services.myPhpfpm.serviceDependencies.chloe_dev = chloe.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.chloe_dev = chloe.phpFpm.pool;
+    services.myPhpfpm.poolPhpConfigs.chloe_dev = ''
+      extension=${pkgs.php}/lib/php/extensions/mysqli.so
+      '';
+    system.activationScripts.chloe_dev = chloe.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName}
+      '';
+    services.websites.integration.modules = chloe.apache.modules;
+    services.websites.integration.vhostConfs.chloe = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["chloe.immae.eu" ];
+      root        = chloe.apache.root;
+      extraConfig = [ chloe.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
new file mode 100644
index 0000000..0eafebd
--- /dev/null
+++ b/modules/private/websites/chloe/production.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  chloe = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) chloe;
+    config = myconfig.env.websites.chloe.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.chloe.production;
+in {
+  options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = chloe.keys;
+    services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
+
+    services.myPhpfpm.serviceDependencies.chloe_prod = chloe.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.chloe_prod = chloe.phpFpm.pool;
+    services.myPhpfpm.poolPhpConfigs.chloe_prod = ''
+      extension=${pkgs.php}/lib/php/extensions/mysqli.so
+      '';
+    system.activationScripts.chloe_prod = chloe.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${chloe.app.webRoot} $out/webapps/${chloe.apache.webappName}
+      '';
+    services.websites.production.modules = chloe.apache.modules;
+    services.websites.production.vhostConfs.chloe = {
+      certName     = "chloe";
+      certMainHost = "osteopathe-cc.fr";
+      hosts        = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ];
+      root         = chloe.apache.root;
+      extraConfig  = [ chloe.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix
new file mode 100644
index 0000000..98ab461
--- /dev/null
+++ b/modules/private/websites/commons/adminer.nix
@@ -0,0 +1,21 @@
+{}:
+rec {
+  phpFpm = {
+    socket = "/var/run/phpfpm/adminer.sock";
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "_adminer";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /adminer ${root}
+      <Directory ${root}>
+        DirectoryIndex index.php
+        Require all granted
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+      '';
+  };
+}
diff --git a/modules/private/websites/connexionswing/builder.nix b/modules/private/websites/connexionswing/builder.nix
new file mode 100644
index 0000000..1224420
--- /dev/null
+++ b/modules/private/websites/connexionswing/builder.nix
@@ -0,0 +1,164 @@
+{ apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, config }:
+rec {
+  app = connexionswing.override { inherit (config) environment; };
+  keys = [{
+    dest = "webapps/${app.environment}-connexionswing";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          database_server_version: ${pkgs.mariadb.mysqlVersion}
+          mailer_transport: sendmail
+          mailer_host: null
+          mailer_user: null
+          mailer_password: null
+          subscription_email: ${config.email}
+          allow_robots: true
+          secret: ${config.secret}
+      ${if app.environment == "prod" then ''
+      services:
+        swiftmailer.mailer.default.transport:
+            class:     Swift_SendmailTransport
+            arguments: ['/run/wrappers/bin/sendmail -bs']
+      '' else ""}
+    '';
+  }];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-connexionswing > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock";
+    phpConfig = ''
+      extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
+      '';
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "connexionswing_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    <Directory ${app.varDir}/medias>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+    </Directory>
+
+    <Directory ${app.varDir}/uploads>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+    </Directory>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://connexionswing.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    Use Stats connexionswing.com
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/medias \
+      ${app.varDir}/uploads \
+      ${app.varDir}/var
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix
new file mode 100644
index 0000000..c3425bd
--- /dev/null
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config,  myconfig, ... }:
+let
+  connexionswing  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) connexionswing;
+    config = myconfig.env.websites.connexionswing.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.connexionswing.integration;
+in {
+  options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = connexionswing.keys;
+    services.myPhpfpm.preStart.connexionswing_dev = connexionswing.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.connexionswing_dev = connexionswing.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.connexionswing_dev = connexionswing.phpFpm.pool;
+    services.myPhpfpm.poolPhpConfigs.connexionswing_dev = connexionswing.phpFpm.phpConfig;
+    system.activationScripts.connexionswing_dev = connexionswing.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName}
+      '';
+    services.websites.integration.modules = connexionswing.apache.modules;
+    services.websites.integration.vhostConfs.connexionswing = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["connexionswing.immae.eu" "sandetludo.immae.eu" ];
+      root        = connexionswing.apache.root;
+      extraConfig = [ connexionswing.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
new file mode 100644
index 0000000..8f28f46
--- /dev/null
+++ b/modules/private/websites/connexionswing/production.nix
@@ -0,0 +1,37 @@
+{ lib, pkgs, config,  myconfig, ... }:
+let
+  connexionswing = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) connexionswing;
+    config = myconfig.env.websites.connexionswing.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.connexionswing.production;
+in {
+  options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = connexionswing.keys;
+    services.webstats.sites = [ { name = "connexionswing.com"; } ];
+
+    services.myPhpfpm.preStart.connexionswing_prod = connexionswing.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.connexionswing_prod = connexionswing.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.connexionswing_prod = connexionswing.phpFpm.pool;
+    services.myPhpfpm.poolPhpConfigs.connexionswing_prod = connexionswing.phpFpm.phpConfig;
+    system.activationScripts.connexionswing_prod = connexionswing.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${connexionswing.app.webRoot} $out/webapps/${connexionswing.apache.webappName}
+      '';
+    services.websites.production.modules = connexionswing.apache.modules;
+    services.websites.production.vhostConfs.connexionswing = {
+      certName     = "connexionswing";
+      certMainHost = "connexionswing.com";
+      hosts        = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
+      root         = connexionswing.apache.root;
+      extraConfig  = [ connexionswing.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
new file mode 100644
index 0000000..80d902e
--- /dev/null
+++ b/modules/private/websites/default.nix
@@ -0,0 +1,39 @@
+{ ... }:
+{
+  config.myServices.websites.aten.integration.enable = true;
+  config.myServices.websites.aten.production.enable = true;
+
+  config.myServices.websites.capitaines.production.enable = true;
+
+  config.myServices.websites.chloe.integration.enable = true;
+  config.myServices.websites.chloe.production.enable = true;
+
+  config.myServices.websites.connexionswing.integration.enable = true;
+  config.myServices.websites.connexionswing.production.enable = true;
+
+  config.myServices.websites.denisejerome.production.enable = true;
+
+  config.myServices.websites.emilia.production.enable = true;
+
+  config.myServices.websites.florian.app.enable = true;
+  config.myServices.websites.florian.integration.enable = true;
+  config.myServices.websites.florian.production.enable = true;
+
+  config.myServices.websites.immae.production.enable = true;
+  config.myServices.websites.immae.release.enable = true;
+  config.myServices.websites.immae.temp.enable = true;
+
+  config.myServices.websites.leila.production.enable = true;
+
+  config.myServices.websites.ludivinecassal.integration.enable = true;
+  config.myServices.websites.ludivinecassal.production.enable = true;
+
+  config.myServices.websites.nassime.production.enable = true;
+
+  config.myServices.websites.naturaloutil.production.enable = true;
+
+  config.myServices.websites.papa.surveillance.enable = true;
+
+  config.myServices.websites.piedsjaloux.integration.enable = true;
+  config.myServices.websites.piedsjaloux.production.enable = true;
+}
diff --git a/modules/private/websites/denisejerome/production.nix b/modules/private/websites/denisejerome/production.nix
new file mode 100644
index 0000000..b5aff94
--- /dev/null
+++ b/modules/private/websites/denisejerome/production.nix
@@ -0,0 +1,31 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.denisejerome.production;
+  varDir = "/var/lib/ftp/denisejerome";
+  env = myconfig.env.websites.denisejerome;
+in {
+  options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ];
+
+    services.websites.production.vhostConfs.denisejerome = {
+      certName     = "denisejerome";
+      certMainHost = "denisejerome.piedsjaloux.fr";
+      hosts        = ["denisejerome.piedsjaloux.fr" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Stats denisejerome.piedsjaloux.fr
+
+        <Directory ${varDir}>
+          DirectoryIndex index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride AuthConfig
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/emilia/moodle/pause.html b/modules/private/websites/emilia/moodle/pause.html
new file mode 100644
index 0000000..8b99c59
--- /dev/null
+++ b/modules/private/websites/emilia/moodle/pause.html
@@ -0,0 +1,48 @@
+<!doctype html>
+<html>
+  <head>
+    <title>Pause</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style>
+      body {
+        padding-left: 5px;
+        padding-right: 5px;
+        text-align: center;
+        margin: auto;
+        font: 20px Helvetica, sans-serif;
+        color: #333;
+      }
+      h1 {
+        margin: 0px;
+        font-size: 40px;
+      }
+      article {
+        display: block;
+        max-width: 650px;
+        margin: 0 auto;
+        padding-top: 30px;
+      }
+      article + article {
+        border-top: 1px solid lightgrey;
+      }
+      article div {
+        text-align: justify;
+      }
+      a {
+        color: #dc8100;
+        text-decoration: none;
+      }
+      a:hover {
+        color: #333;
+      }
+    </style>
+  </head>
+  <body>
+    <article>
+      <h1>Site web en pause&nbsp;!</h1>
+      <div>
+        <p>Le site et les cours de photographie sont actuellement en pause.</p>
+      </div>
+    </article>
+  </body>
+</html>
diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix
new file mode 100644
index 0000000..2e705a1
--- /dev/null
+++ b/modules/private/websites/emilia/production.nix
@@ -0,0 +1,69 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    cfg = config.myServices.websites.emilia.production;
+    env = myconfig.env.websites.emilia;
+    varDir = "/var/lib/moodle";
+    siteDir = ./moodle;
+    webappName = "emilia_moodle";
+    root = "/run/current-system/webapps/${webappName}";
+    # php_admin_value[upload_max_filesize] = 50000000
+    # php_admin_value[post_max_size] = 50000000
+    configFile = ''
+      <?php  // Moodle configuration file
+
+      unset($CFG);
+      global $CFG;
+      $CFG = new stdClass();
+
+      $CFG->dbtype    = 'pgsql';
+      $CFG->dblibrary = 'native';
+      $CFG->dbhost    = '${env.postgresql.host}';
+      $CFG->dbname    = '${env.postgresql.database}';
+      $CFG->dbuser    = '${env.postgresql.user}';
+      $CFG->dbpass    = '${env.postgresql.password}';
+      $CFG->prefix    = 'mdl_';
+      $CFG->dboptions = array (
+        'dbpersist' => 0,
+        'dbport' => '${env.postgreesql.port}',
+        'dbsocket' => '${env.postgresql.password}',
+      );
+
+      $CFG->wwwroot   = 'https://www.saison-photo.org';
+      $CFG->dataroot  = '${varDir}';
+      $CFG->admin     = 'admin';
+
+      $CFG->directorypermissions = 02777;
+
+      require_once(__DIR__ . '/lib/setup.php');
+
+      // There is no php closing tag in this file,
+      // it is intentional because it prevents trailing whitespace problems!
+      '';
+in {
+  options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website";
+
+  config = lib.mkIf cfg.enable {
+    system.activationScripts.emilia = ''
+      install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
+      '';
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${siteDir} $out/webapps/${webappName}
+      '';
+    services.websites.production.vhostConfs.emilia = {
+      certName     = "emilia";
+      certMainHost = "saison-photo.org";
+      hosts        = [ "saison-photo.org" "www.saison-photo.org" ];
+      root         = root;
+      extraConfig  = [
+        ''
+        <Directory ${root}>
+          DirectoryIndex pause.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix
new file mode 100644
index 0000000..08506e1
--- /dev/null
+++ b/modules/private/websites/florian/app.nix
@@ -0,0 +1,38 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  adminer = pkgs.callPackage ../commons/adminer.nix {};
+
+  tellesflorian  = pkgs.callPackage ./builder_app.nix {
+    inherit (pkgs.webapps) tellesflorian;
+    config = myconfig.env.websites.tellesflorian.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.florian.app;
+in {
+  options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = tellesflorian.keys;
+    services.myPhpfpm.preStart.tellesflorian_dev = tellesflorian.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.tellesflorian_dev = tellesflorian.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.tellesflorian_dev = tellesflorian.phpFpm.pool;
+    system.activationScripts.tellesflorian_dev = tellesflorian.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${tellesflorian.app.webRoot} $out/webapps/${tellesflorian.apache.webappName}
+      '';
+    services.websites.integration.modules = adminer.apache.modules ++ tellesflorian.apache.modules;
+    services.websites.integration.vhostConfs.tellesflorian = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["app.tellesflorian.com" ];
+      root        = tellesflorian.apache.root;
+      extraConfig = [
+        tellesflorian.apache.vhostConf
+        adminer.apache.vhostConf
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/florian/builder_app.nix b/modules/private/websites/florian/builder_app.nix
new file mode 100644
index 0000000..e521f6e
--- /dev/null
+++ b/modules/private/websites/florian/builder_app.nix
@@ -0,0 +1,152 @@
+{ apacheUser, apacheGroup, tellesflorian, config }:
+rec {
+  app = tellesflorian.override { inherit (config) environment; };
+  keys = [
+    {
+      dest = "webapps/${app.environment}-tellesflorian-passwords";
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        invite:${config.invite_passwords}
+      '';
+    }
+    {
+      dest = "webapps/${app.environment}-tellesflorian";
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+      '';
+    }
+  ];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-tellesflorian > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/floriantelles-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-tellesflorian:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "florian_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      AuthBasicProvider file ldap
+      Use LDAPConnect
+      Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
+
+      AuthUserFile "/var/secrets/webapps/${app.environment}-tellesflorian-passwords"
+      Require user "invite"
+
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/var
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix
new file mode 100644
index 0000000..424ebd4
--- /dev/null
+++ b/modules/private/websites/florian/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    adminer = pkgs.callPackage ../commons/adminer.nix {};
+    cfg = config.myServices.websites.florian.integration;
+    varDir = "/var/lib/ftp/florian";
+    env = myconfig.env.websites.florian;
+in {
+  options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration";
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."ftp".extraDomains."florian.immae.eu" = null;
+
+    services.websites.integration.modules = adminer.apache.modules;
+    services.websites.integration.vhostConfs.florian = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "florian.immae.eu" ];
+      root        = "${varDir}/florian.immae.eu";
+      extraConfig = [
+        adminer.apache.vhostConf
+        ''
+        ServerAdmin ${env.server_admin}
+
+        <Directory ${varDir}/florian.immae.eu>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix
new file mode 100644
index 0000000..9b310b8
--- /dev/null
+++ b/modules/private/websites/florian/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    adminer = pkgs.callPackage ../commons/adminer.nix {};
+    cfg = config.myServices.websites.florian.production;
+    varDir = "/var/lib/ftp/florian";
+    env = myconfig.env.websites.florian;
+in {
+  options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production";
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."ftp".extraDomains."tellesflorian.com" = null;
+
+    services.websites.production.modules = adminer.apache.modules;
+    services.websites.production.vhostConfs.florian = {
+      certName     = "florian";
+      certMainHost = "tellesflorian.com";
+      hosts        = [ "tellesflorian.com" "www.tellesflorian.com" ];
+      root         = "${varDir}/tellesflorian.com";
+      extraConfig  = [
+        adminer.apache.vhostConf
+        ''
+        ServerAdmin ${env.server_admin}
+
+        <Directory ${varDir}/tellesflorian.com>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/immae/production.nix b/modules/private/websites/immae/production.nix
new file mode 100644
index 0000000..58cf048
--- /dev/null
+++ b/modules/private/websites/immae/production.nix
@@ -0,0 +1,64 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.immae.production;
+  varDir = "/var/lib/ftp/immae";
+  env = myconfig.env.websites.immae;
+in {
+  options.myServices.websites.immae.production.enable = lib.mkEnableOption "enable Immae's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "www.immae.eu"; } ];
+
+    services.myPhpfpm.poolConfigs.immae = ''
+      listen = /run/phpfpm/immae.sock
+      user = wwwrun
+      group = wwwrun
+      listen.owner = wwwrun
+      listen.group = wwwrun
+
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+
+      php_admin_value[open_basedir] = "${varDir}:/tmp"
+      '';
+    services.websites.production.modules = [ "proxy_fcgi" ];
+    services.websites.production.vhostConfs.immae = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "www.immae.eu" ];
+      root        = varDir;
+      extraConfig = [
+        ''
+        Use Stats www.immae.eu
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:/run/phpfpm/immae.sock|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${varDir}>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+        </Directory>
+
+        <Location /blog_old/>
+          Use LDAPConnect
+          Require ldap-group cn=blog,cn=immae.eu,ou=services,dc=immae,dc=eu
+        </Location>
+        ''
+      ];
+    };
+
+    services.websites.production.vhostConfs.bouya = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "bouya.org" "www.bouya.org" ];
+      root        = null;
+      extraConfig = [ ''
+        RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://www.normalesup.org/~bouya/
+        '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/immae/release.nix b/modules/private/websites/immae/release.nix
new file mode 100644
index 0000000..68381a6
--- /dev/null
+++ b/modules/private/websites/immae/release.nix
@@ -0,0 +1,39 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.immae.release;
+  varDir = "/var/lib/ftp/release.immae.eu";
+  env = myconfig.env.websites.release;
+in {
+  options.myServices.websites.immae.release.enable = lib.mkEnableOption "enable Release' website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "release.immae.eu"; } ];
+
+    services.websites.production.vhostConfs.release = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "release.immae.eu" ];
+      root        = varDir;
+      extraConfig = [
+        ''
+        Use Stats release.immae.eu
+
+        Use Apaxy "${varDir}" "title .duplicity-ignore"
+        <Directory "${varDir}">
+          Use LDAPConnect
+          Options Indexes
+          AllowOverride All
+          Require all granted
+        </Directory>
+
+        <Directory "${varDir}/packages">
+          Use LDAPConnect
+          Options Indexes FollowSymlinks
+          AllowOverride None
+          Require all granted
+        </Directory>
+        ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix
new file mode 100644
index 0000000..0b2a3a3
--- /dev/null
+++ b/modules/private/websites/immae/temp.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.immae.temp;
+  varDir = "/var/lib/ftp/temp.immae.eu";
+  env = myconfig.env.websites.temp;
+in {
+  options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website";
+
+  config = lib.mkIf cfg.enable {
+    services.websites.production.modules = [ "headers" ];
+    services.websites.production.vhostConfs.temp = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "temp.immae.eu" ];
+      root        = varDir;
+      extraConfig = [
+        ''
+        Use Apaxy "${varDir}" "title .duplicity-ignore"
+        <FilesMatch ".+">
+          Header set Content-Disposition attachment
+        </FilesMatch>
+        <Directory "${varDir}">
+          Options -Indexes
+          AllowOverride None
+          Require all granted
+        </Directory>
+
+        <DirectoryMatch "${varDir}/(.+)">
+          Options Indexes
+        </DirectoryMatch>
+        ''
+      ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix
new file mode 100644
index 0000000..1ce8eea
--- /dev/null
+++ b/modules/private/websites/leila/production.nix
@@ -0,0 +1,82 @@
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.myServices.websites.leila.production;
+  varDir = "/var/lib/ftp/leila";
+in {
+  options.myServices.websites.leila.production.enable = lib.mkEnableOption "enable Leila's website in production";
+
+  config = lib.mkIf cfg.enable {
+    services.myPhpfpm.poolConfigs.leila = ''
+      listen = /run/phpfpm/leila.sock
+      user = wwwrun
+      group = wwwrun
+      listen.owner = wwwrun
+      listen.group = wwwrun
+
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+
+      php_admin_value[open_basedir] = "${varDir}:/tmp"
+      '';
+
+    services.webstats.sites = [
+      { name = "leila.bouya.org"; }
+      { name = "chorale.leila.bouya.org"; }
+    ];
+
+    services.websites.production.modules = [ "proxy_fcgi" ];
+    services.websites.production.vhostConfs.leila_chorale = {
+      certName    = "leila";
+      addToCerts  = true;
+      hosts       = [ "chorale.leila.bouya.org" "chorale-vocanta.fr.nf" "www.chorale-vocanta.fr.nf" ];
+      root        = "${varDir}/Chorale";
+      extraConfig = [
+        ''
+        Use Stats chorale.leila.bouya.org
+        <Directory ${varDir}/Chorale>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+
+          Use LDAPConnect
+          Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost"
+          </FilesMatch>
+        </Directory>
+          ''
+      ];
+    };
+    services.websites.production.vhostConfs.leila = {
+      certName     = "leila";
+      certMainHost = "leila.bouya.org";
+      hosts        = [ "leila.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Stats leila.bouya.org
+        <Directory ${varDir}/Chorale>
+          DirectoryIndex index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+
+          Use LDAPConnect
+          Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost"
+          </FilesMatch>
+        </Directory>
+        <Directory ${varDir}>
+          DirectoryIndex index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/ludivinecassal/builder.nix b/modules/private/websites/ludivinecassal/builder.nix
new file mode 100644
index 0000000..3167bce
--- /dev/null
+++ b/modules/private/websites/ludivinecassal/builder.nix
@@ -0,0 +1,155 @@
+{ apacheUser, apacheGroup, config, ludivinecassal, pkgs, ruby, sass, imagemagick }:
+rec {
+  app = ludivinecassal.override { inherit (config) environment; };
+  varDir = "/var/lib/ludivinecassal_${app.environment}";
+  keys = [{
+    dest = "webapps/${app.environment}-ludivinecassal";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          database_server_version: ${pkgs.mariadb.mysqlVersion}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+          ldap_host: ldap.immae.eu
+          ldap_port: 636
+          ldap_version: 3
+          ldap_ssl: true
+          ldap_tls: false
+          ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+          ldap_base_dn: 'dc=immae,dc=eu'
+          ldap_search_dn: '${config.ldap.dn}'
+          ldap_search_password: '${config.ldap.password}'
+          ldap_search_filter: '${config.ldap.search}'
+      leapt_im:
+          binary_path: ${imagemagick}/bin
+      assetic:
+          sass: ${sass}/bin/sass
+          ruby: ${ruby}/bin/ruby
+    '';
+  }];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-ludivinecassal > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/ludivinecassal-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-ludivinecassal:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "ludivine_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    Use Stats ludivinecassal.com
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/tmp
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix
new file mode 100644
index 0000000..0be067b
--- /dev/null
+++ b/modules/private/websites/ludivinecassal/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  ludivinecassal  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) ludivinecassal;
+    config = myconfig.env.websites.ludivinecassal.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.ludivinecassal.integration;
+in {
+  options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = ludivinecassal.keys;
+
+    services.myPhpfpm.preStart.ludivinecassal_dev = ludivinecassal.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.ludivinecassal_dev = ludivinecassal.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal.phpFpm.pool;
+    system.activationScripts.ludivinecassal_dev = ludivinecassal.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName}
+      '';
+    services.websites.integration.modules = ludivinecassal.apache.modules;
+    services.websites.integration.vhostConfs.ludivine = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "ludivine.immae.eu" ];
+      root        = ludivinecassal.apache.root;
+      extraConfig = [ ludivinecassal.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix
new file mode 100644
index 0000000..c5de698
--- /dev/null
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  ludivinecassal = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) ludivinecassal;
+    config = myconfig.env.websites.ludivinecassal.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.ludivinecassal.production;
+in {
+  options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = ludivinecassal.keys;
+    services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
+
+    services.myPhpfpm.preStart.ludivinecassal_prod = ludivinecassal.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.ludivinecassal_prod = ludivinecassal.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal.phpFpm.pool;
+    system.activationScripts.ludivinecassal_prod = ludivinecassal.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${ludivinecassal.app.webRoot} $out/webapps/${ludivinecassal.apache.webappName}
+      '';
+    services.websites.production.modules = ludivinecassal.apache.modules;
+    services.websites.production.vhostConfs.ludivine = {
+      certName     = "ludivinecassal";
+      certMainHost = "ludivinecassal.com";
+      hosts        = ["ludivinecassal.com" "www.ludivinecassal.com" ];
+      root         = ludivinecassal.apache.root;
+      extraConfig  = [ ludivinecassal.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix
new file mode 100644
index 0000000..a109778
--- /dev/null
+++ b/modules/private/websites/nassime/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.nassime.production;
+  varDir = "/var/lib/ftp/nassime";
+  env = myconfig.env.websites.nassime;
+in {
+  options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "nassime.bouya.org"; } ];
+
+    security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null;
+
+    services.websites.production.vhostConfs.nassime = {
+      certName     = "nassime";
+      certMainHost = "nassime.bouya.org";
+      hosts        = ["nassime.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Stats nassime.bouya.org
+        ServerAdmin ${env.server_admin}
+
+        <Directory ${varDir}>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix
new file mode 100644
index 0000000..b6cf069
--- /dev/null
+++ b/modules/private/websites/naturaloutil/production.nix
@@ -0,0 +1,86 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  adminer = pkgs.callPackage ../commons/adminer.nix {};
+  cfg = config.myServices.websites.naturaloutil.production;
+  varDir = "/var/lib/ftp/jerome";
+  env = myconfig.env.websites.jerome;
+in {
+  options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ];
+
+    security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
+
+    secrets.keys = [{
+      dest = "webapps/prod-naturaloutil";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+        <?php
+        $mysql_user = '${env.mysql.user}' ;
+        $mysql_server = '${env.mysql.host}' ;
+        $mysql_base = '${env.mysql.name}' ;
+        $mysql_password = '${env.mysql.password}' ;
+        //connect to db
+        $db = mysqli_init();
+        ${if env.mysql.host != "localhost" then ''
+        mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
+        $db->ssl_set(NULL, NULL, "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt", NULL, NULL);
+        '' else ""}
+        $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
+        ?>
+      '';
+    }];
+    services.myPhpfpm.serviceDependencies.jerome = [ "mysql.service" ];
+    services.myPhpfpm.poolConfigs.jerome = ''
+      listen = /run/phpfpm/naturaloutil.sock
+      user = wwwrun
+      group = wwwrun
+      listen.owner = wwwrun
+      listen.group = wwwrun
+
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+
+      env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil"
+      php_admin_value[open_basedir] = "/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
+      '';
+    services.myPhpfpm.poolPhpConfigs.jerome = ''
+      extension=${pkgs.php}/lib/php/extensions/mysqli.so
+      '';
+    services.websites.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ];
+    services.websites.production.vhostConfs.naturaloutil = {
+      certName     = "naturaloutil";
+      certMainHost = "naturaloutil.immae.eu";
+      hosts        = ["naturaloutil.immae.eu" ];
+      root         = varDir;
+      extraConfig  = [
+        adminer.apache.vhostConf
+        ''
+        Use Stats naturaloutil.immae.eu
+        ServerAdmin ${env.server_admin}
+        ErrorLog "${varDir}/logs/error_log"
+        CustomLog "${varDir}/logs/access_log" combined
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${varDir}/logs>
+          AllowOverride None
+          Require all denied
+        </Directory>
+        <Directory ${varDir}>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix
new file mode 100644
index 0000000..8e7cd9d
--- /dev/null
+++ b/modules/private/websites/papa/surveillance.nix
@@ -0,0 +1,49 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.papa.surveillance;
+  varDir = "/var/lib/ftp/papa";
+in {
+  options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website";
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null;
+
+    services.cron = {
+      systemCronJobs = let
+        script = pkgs.writeScript "cleanup-papa" ''
+          #!${pkgs.stdenv.shell}
+          d=$(date -d "7 days ago" +%Y%m%d)
+          for i in /var/lib/ftp/papa/*/20[0-9][0-9][0-9][0-9][0-9][0-9]; do
+            if [ "$d" -gt $(basename $i) ]; then
+              rm -rf "$i"
+            fi
+          done
+          '';
+      in
+        [
+        ''
+          0 6 * * * wwwrun ${script}
+        ''
+      ];
+    };
+
+    services.websites.production.vhostConfs.papa = {
+      certName     = "papa";
+      certMainHost = "surveillance.maison.bbc.bouya.org";
+      hosts        = [ "surveillance.maison.bbc.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Apaxy "${varDir}" "title .duplicity-ignore"
+        <Directory ${varDir}>
+          Use LDAPConnect
+          Options Indexes
+          AllowOverride None
+          Require ldap-group   cn=surveillance.maison.bbc.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/piedsjaloux/builder.nix b/modules/private/websites/piedsjaloux/builder.nix
new file mode 100644
index 0000000..9fcc8fb
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/builder.nix
@@ -0,0 +1,144 @@
+{ apacheUser, apacheGroup, piedsjaloux, config, pkgs, lib, texlive, imagemagick }:
+rec {
+  app = piedsjaloux.override { inherit (config) environment; };
+  varDir = "/var/lib/piedsjaloux_${app.environment}";
+  keys = [{
+    dest = "webapps/${app.environment}-piedsjaloux";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          database_server_version: ${pkgs.mariadb.mysqlVersion}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+          pdflatex: "${texlive.combine { inherit (texlive) attachfile preprint scheme-small; }}/bin/pdflatex"
+      leapt_im:
+          binary_path: ${imagemagick}/bin
+    '';
+  }];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-piedsjaloux > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/piedsjaloux-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-piedsjaloux:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "piedsjaloux_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=piedsjaloux.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://piedsjaloux.fr\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    Use Stats piedsjaloux.fr
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/tmp
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix
new file mode 100644
index 0000000..6249e85
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  piedsjaloux  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) piedsjaloux;
+    config = myconfig.env.websites.piedsjaloux.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.piedsjaloux.integration;
+in {
+  options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = piedsjaloux.keys;
+    services.myPhpfpm.preStart.piedsjaloux_dev = piedsjaloux.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.piedsjaloux_dev = piedsjaloux.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux.phpFpm.pool;
+    system.activationScripts.piedsjaloux_dev = piedsjaloux.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
+      '';
+    services.websites.integration.modules = piedsjaloux.apache.modules;
+    services.websites.integration.vhostConfs.piedsjaloux = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "piedsjaloux.immae.eu" ];
+      root        = piedsjaloux.apache.root;
+      extraConfig = [ piedsjaloux.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
new file mode 100644
index 0000000..afa1667
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  piedsjaloux = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) piedsjaloux;
+    config = myconfig.env.websites.piedsjaloux.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.piedsjaloux.production;
+in {
+  options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = piedsjaloux.keys;
+    services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
+
+    services.myPhpfpm.preStart.piedsjaloux_prod = piedsjaloux.phpFpm.preStart;
+    services.myPhpfpm.serviceDependencies.piedsjaloux_prod = piedsjaloux.phpFpm.serviceDeps;
+    services.myPhpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux.phpFpm.pool;
+    system.activationScripts.piedsjaloux_prod = piedsjaloux.activationScript;
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${piedsjaloux.app.webRoot} $out/webapps/${piedsjaloux.apache.webappName}
+      '';
+    services.websites.production.modules = piedsjaloux.apache.modules;
+    services.websites.production.vhostConfs.piedsjaloux = {
+      certName     = "piedsjaloux";
+      certMainHost = "piedsjaloux.fr";
+      hosts        = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
+      root         = piedsjaloux.apache.root;
+      extraConfig  = [ piedsjaloux.apache.vhostConf ];
+    };
+  };
+}
+