1 files changed, 319 insertions, 0 deletions
diff --git a/systems/eldiron/websites/default.nix b/systems/eldiron/websites/default.nix
new file mode 100644
index 0000000..68205de
--- /dev/null
+++ b/systems/eldiron/websites/default.nix
@@ -0,0 +1,319 @@
+{ lib, pkgs, config, mypackages-lib, ... }:
+let
+  www_root = ./_www;
+  theme_root = (mypackages-lib.apache-theme {}).theme;
+  apacheConfig = {
+    shutdownconfig = {
+      # Only give 5 seconds to workers to finish their work
+      extraConfig = ''
+        GracefulShutdownTimeout 5
+      '';
+    };
+    cache = {
+      # This setting permits to ignore time-based cache for files in the
+      # nix store:
+      # If a client requires an If-Modified-Since from timestamp 1, then
+      # this header is removed, and if the response contains a
+      # too old Last-Modified tag, then it is removed too
+      extraConfig = ''
+        <If "%{HTTP:If-Modified-Since} =~ /01 Jan 1970 00:00:01/" >
+          RequestHeader unset If-Modified-Since
+        </If>
+        Header unset Last-Modified "expr=%{LAST_MODIFIED} < 19991231235959"
+      '';
+    };
+    gzip = {
+      modules = [ "deflate" "filter" ];
+      extraConfig = ''
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+      '';
+    };
+    macros = {
+      modules = [ "macro" ];
+    };
+    stats = {
+      extraConfig = ''
+        <Macro Stats %{domain}>
+          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
+          <Directory ${config.services.webstats.dataDir}/%{domain}>
+            DirectoryIndex index.html
+            AllowOverride None
+            Require all granted
+          </Directory>
+          <Location /webstats>
+            Use LDAPConnect
+            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
+          </Location>
+        </Macro>
+      '';
+    };
+    ldap = {
+      modules = [ "ldap" "authnz_ldap" ];
+      extraConfig = ''
+        <IfModule ldap_module>
+          LDAPSharedCacheSize 500000
+          LDAPCacheEntries 1024
+          LDAPCacheTTL 600
+          LDAPOpCacheEntries 1024
+          LDAPOpCacheTTL 600
+        </IfModule>
+        Include ${config.secrets.fullPaths."apache-ldap"}
+      '';
+    };
+    global = {
+      extraConfig = ''
+        ErrorDocument 500 /maintenance_immae.html
+        ErrorDocument 501 /maintenance_immae.html
+        ErrorDocument 502 /maintenance_immae.html
+        ErrorDocument 503 /maintenance_immae.html
+        ErrorDocument 504 /maintenance_immae.html
+        Alias /maintenance_immae.html ${www_root}/maintenance_immae.html
+        ProxyPass /maintenance_immae.html !
+        AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html
+        <Directory ${www_root}>
+          AllowOverride None
+          Require all granted
+        </Directory>
+      '';
+    };
+    apaxy = {
+      extraConfig = (mypackages-lib.apache-theme { inherit theme_root; }).apacheConfig;
+    };
+    http2 = {
+      modules = [ "http2" ];
+      extraConfig = ''
+        Protocols h2 http/1.1
+      '';
+    };
+    customLog = {
+      extraConfig = ''
+        LogFormat "%{Host}i:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
+      '';
+    };
+  };
+  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
+  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
+  moomin = let
+    lines = lib.splitString "\n" (lib.fileContents ./moomin.txt);
+    pad = width: str: let
+        padWidth = width - lib.stringLength str;
+        padding = lib.concatStrings (lib.genList (lib.const "0") padWidth);
+      in lib.optionalString (padWidth > 0) padding + str;
+  in
+    lib.imap0 (i: e: ''Header always set "X-Moomin-${pad 2 (builtins.toString i)}" "${e}"'') lines;
+in
+{
+  imports = [
+    ./immae/production.nix
+    ./immae/release.nix
+    # Tools
+    ./assets
+    ./cloud
+    ./cloud/farm.nix
+    ./cryptpad
+    ./cryptpad/farm.nix
+    ./commento
+    ./dav
+    ./vpn
+    ./db
+    ./diaspora
+    ./ether
+    ./git
+    ./im
+    ./mastodon
+    ./mgoblin
+    ./peertube
+    ./performance
+    ./tools
+    ./mail
+    ./stats
+    ./visio
+    ./kanboard/farm.nix
+    # Games
+    ./games/codenames
+    ./games/terraforming-mars
+  ];
+  options.myServices.websites.enable = lib.mkEnableOption "enable websites";
+  config = lib.mkIf config.myServices.websites.enable {
+    myServices.dns.zones."immae.eu".subdomains = with config.myServices.dns.helpers;
+      {
+        games = ips servers.eldiron.ips.main;
+        nossl = ips servers.eldiron.ips.main;
+      };
+    myServices.chatonsProperties.hostings.web = {
+      file.datetime = "2022-08-22T01:30:00";
+      hosting = {
+        name = "Hébergement Web";
+        description = "Service d'hébergement web avec php/mysql/postgresql";
+        website = "https://www.immae.eu";
+        status.level = "OK";
+        status.description = "OK";
+        registration.load = "OPEN";
+        install.type = "PACKAGE";
+      };
+      software = {
+        name = "Apache Httpd";
+        website = "https://httpd.apache.org/";
+        license.url = "https://www.apache.org/licenses/";
+        license.name = "Apache License Version 2";
+        version = pkgs.apacheHttpd.version;
+        source.url = "https://httpd.apache.org/download.cgi";
+        modules = "openssh,pure-ftpd";
+      };
+    };
+    users.users.wwwrun.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    secrets.keys."apache-ldap" = {
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+        <Macro LDAPConnect>
+          <IfModule authnz_ldap_module>
+            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
+            AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"
+            AuthType             Basic
+            AuthName             "Authentification requise (Acces LDAP)"
+            AuthBasicProvider    ldap
+          </IfModule>
+        </Macro>
+        '';
+    };
+    system.activationScripts = {
+      httpd = ''
+        install -d -m 0755 /var/lib/acme/acme-challenges
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+        '';
+    };
+    services.phpfpm = {
+      phpOptions = ''
+        session.save_path = "/var/lib/php/sessions"
+        post_max_size = 20M
+        ; 15 days (seconds)
+        session.gc_maxlifetime = 1296000
+        ; 30 days (minutes)
+        session.cache_expire = 43200
+        '';
+      settings = {
+        log_level = "notice";
+      };
+    };
+    services.websites.env.production = {
+      enable = true;
+      moduleType = "container";
+      adminAddr = "httpd@immae.eu";
+      bindMounts."/var/lib/ftp" = {};
+      # FIXME: Bind directly the needed files
+      bindMounts."/var/secrets" = {};
+      bindMounts."/var/lib/goaccess" = {};
+      bindMounts."/var/lib/acme" = {};
+      bindMounts."/run/phpfpm" = {};
+      ips =
+        let ips = config.myEnv.servers.eldiron.ips.production;
+        in (ips.ip4 or []) ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig;
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+    services.websites.env.integration = {
+      enable = true;
+      moduleType = "container";
+      adminAddr = "httpd@immae.eu";
+      bindMounts."/var/lib/ftp" = {};
+      bindMounts."/var/secrets" = {};
+      bindMounts."/var/lib/goaccess" = {};
+      bindMounts."/var/lib/acme" = {};
+      bindMounts."/run/phpfpm" = {};
+      ips =
+        let ips = config.myEnv.servers.eldiron.ips.integration;
+        in (ips.ip4 or []) ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig ++ moomin;
+      fallbackVhost = {
+        certName    = "integration";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+      watchPaths = [ config.secrets.fullPaths."apache-ldap" ];
+    };
+    services.websites.env.tools = {
+      enable = true;
+      moduleType = "main";
+      adminAddr = "httpd@immae.eu";
+      ips =
+        let ips = config.myEnv.servers.eldiron.ips.main;
+        in (ips.ip4 or []) ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig ++
+        [ ''
+            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
+            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
+            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
+          ''
+          ];
+      nosslVhost = {
+        enable = true;
+        host = "nossl.immae.eu";
+        root = ./nossl;
+      };
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+      watchPaths = [ config.secrets.fullPaths."apache-ldap" ];
+    };
+    myServices.websites = {
+      immae = {
+        production.enable = true;
+        release.enable = true;
+      };
+      tools.assets.enable = true;
+      tools.cloud.enable = true;
+      tools.commento.enable = true;
+      tools.cryptpad.enable = true;
+      tools.dav.enable = true;
+      tools.db.enable = true;
+      tools.diaspora.enable = true;
+      tools.etherpad-lite.enable = true;
+      tools.git.enable = true;
+      tools.mastodon.enable = true;
+      tools.mediagoblin.enable = true;
+      tools.peertube.enable = true;
+      tools.performance.enable = true;
+      tools.tools.enable = true;
+      tools.email.enable = true;
+      tools.stats.enable = false;
+      tools.visio.enable = true;
+      games.codenames.enable = true;
+      games.terraforming-mars.enable = true;
+    };
+  };
+}

diff --git a/systems/eldiron/websites/default.nix b/systems/eldiron/websites/default.nix new file mode 100644 index 0000000..68205de --- /dev/null +++ b/systems/eldiron/websites/default.nix
@@ -0,0 +1,319 @@
	1	{ lib, pkgs, config, mypackages-lib, ... }:
	2	let
	3	www_root = ./_www;
	4	theme_root = (mypackages-lib.apache-theme {}).theme;
	5	apacheConfig = {
	6	shutdownconfig = {
	7	# Only give 5 seconds to workers to finish their work
	8	extraConfig = ''
	9	GracefulShutdownTimeout 5
	10	'';
	11	};
	12	cache = {
	13	# This setting permits to ignore time-based cache for files in the
	14	# nix store:
	15	# If a client requires an If-Modified-Since from timestamp 1, then
	16	# this header is removed, and if the response contains a
	17	# too old Last-Modified tag, then it is removed too
	18	extraConfig = ''
	19	<If "%{HTTP:If-Modified-Since} =~ /01 Jan 1970 00:00:01/" >
	20	RequestHeader unset If-Modified-Since
	21	</If>
	22	Header unset Last-Modified "expr=%{LAST_MODIFIED} < 19991231235959"
	23	'';
	24	};
	25	gzip = {
	26	modules = [ "deflate" "filter" ];
	27	extraConfig = ''
	28	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
	29	'';
	30	};
	31	macros = {
	32	modules = [ "macro" ];
	33	};
	34	stats = {
	35	extraConfig = ''
	36	<Macro Stats %{domain}>
	37	Alias /webstats ${config.services.webstats.dataDir}/%{domain}
	38	<Directory ${config.services.webstats.dataDir}/%{domain}>
	39	DirectoryIndex index.html
	40	AllowOverride None
	41	Require all granted
	42	</Directory>
	43	<Location /webstats>
	44	Use LDAPConnect
	45	Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
	46	</Location>
	47	</Macro>
	48	'';
	49	};
	50	ldap = {
	51	modules = [ "ldap" "authnz_ldap" ];
	52	extraConfig = ''
	53	<IfModule ldap_module>
	54	LDAPSharedCacheSize 500000
	55	LDAPCacheEntries 1024
	56	LDAPCacheTTL 600
	57	LDAPOpCacheEntries 1024
	58	LDAPOpCacheTTL 600
	59	</IfModule>
	60
	61	Include ${config.secrets.fullPaths."apache-ldap"}
	62	'';
	63	};
	64	global = {
	65	extraConfig = ''
	66	ErrorDocument 500 /maintenance_immae.html
	67	ErrorDocument 501 /maintenance_immae.html
	68	ErrorDocument 502 /maintenance_immae.html
	69	ErrorDocument 503 /maintenance_immae.html
	70	ErrorDocument 504 /maintenance_immae.html
	71	Alias /maintenance_immae.html ${www_root}/maintenance_immae.html
	72	ProxyPass /maintenance_immae.html !
	73
	74	AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html
	75	<Directory ${www_root}>
	76	AllowOverride None
	77	Require all granted
	78	</Directory>
	79	'';
	80	};
	81	apaxy = {
	82	extraConfig = (mypackages-lib.apache-theme { inherit theme_root; }).apacheConfig;
	83	};
	84	http2 = {
	85	modules = [ "http2" ];
	86	extraConfig = ''
	87	Protocols h2 http/1.1
	88	'';
	89	};
	90	customLog = {
	91	extraConfig = ''
	92	LogFormat "%{Host}i:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
	93	'';
	94	};
	95	};
	96	makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
	97	makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
	98	moomin = let
	99	lines = lib.splitString "\n" (lib.fileContents ./moomin.txt);
	100	pad = width: str: let
	101	padWidth = width - lib.stringLength str;
	102	padding = lib.concatStrings (lib.genList (lib.const "0") padWidth);
	103	in lib.optionalString (padWidth > 0) padding + str;
	104	in
	105	lib.imap0 (i: e: ''Header always set "X-Moomin-${pad 2 (builtins.toString i)}" "${e}"'') lines;
	106	in
	107	{
	108	imports = [
	109	./immae/production.nix
	110	./immae/release.nix
	111
	112	# Tools
	113	./assets
	114	./cloud
	115	./cloud/farm.nix
	116	./cryptpad
	117	./cryptpad/farm.nix
	118	./commento
	119	./dav
	120	./vpn
	121	./db
	122	./diaspora
	123	./ether
	124	./git
	125	./im
	126	./mastodon
	127	./mgoblin
	128	./peertube
	129	./performance
	130	./tools
	131	./mail
	132	./stats
	133	./visio
	134	./kanboard/farm.nix
	135
	136	# Games
	137	./games/codenames
	138	./games/terraforming-mars
	139	];
	140
	141	options.myServices.websites.enable = lib.mkEnableOption "enable websites";
	142
	143	config = lib.mkIf config.myServices.websites.enable {
	144	myServices.dns.zones."immae.eu".subdomains = with config.myServices.dns.helpers;
	145	{
	146	games = ips servers.eldiron.ips.main;
	147	nossl = ips servers.eldiron.ips.main;
	148	};
	149
	150	myServices.chatonsProperties.hostings.web = {
	151	file.datetime = "2022-08-22T01:30:00";
	152	hosting = {
	153	name = "Hébergement Web";
	154	description = "Service d'hébergement web avec php/mysql/postgresql";
	155	website = "https://www.immae.eu";
	156	status.level = "OK";
	157	status.description = "OK";
	158	registration.load = "OPEN";
	159	install.type = "PACKAGE";
	160	};
	161	software = {
	162	name = "Apache Httpd";
	163	website = "https://httpd.apache.org/";
	164	license.url = "https://www.apache.org/licenses/";
	165	license.name = "Apache License Version 2";
	166	version = pkgs.apacheHttpd.version;
	167	source.url = "https://httpd.apache.org/download.cgi";
	168	modules = "openssh,pure-ftpd";
	169	};
	170	};
	171	users.users.wwwrun.extraGroups = [ "keys" ];
	172	networking.firewall.allowedTCPPorts = [ 80 443 ];
	173
	174	secrets.keys."apache-ldap" = {
	175	user = "wwwrun";
	176	group = "wwwrun";
	177	permissions = "0400";
	178	text = ''
	179	<Macro LDAPConnect>
	180	<IfModule authnz_ldap_module>
	181	AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
	182	AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu
	183	AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}"
	184	AuthType Basic
	185	AuthName "Authentification requise (Acces LDAP)"
	186	AuthBasicProvider ldap
	187	</IfModule>
	188	</Macro>
	189	'';
	190	};
	191
	192	system.activationScripts = {
	193	httpd = ''
	194	install -d -m 0755 /var/lib/acme/acme-challenges
	195	install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
	196	'';
	197	};
	198
	199	services.phpfpm = {
	200	phpOptions = ''
	201	session.save_path = "/var/lib/php/sessions"
	202	post_max_size = 20M
	203	; 15 days (seconds)
	204	session.gc_maxlifetime = 1296000
	205	; 30 days (minutes)
	206	session.cache_expire = 43200
	207	'';
	208	settings = {
	209	log_level = "notice";
	210	};
	211	};
	212
	213	services.websites.env.production = {
	214	enable = true;
	215	moduleType = "container";
	216	adminAddr = "httpd@immae.eu";
	217	bindMounts."/var/lib/ftp" = {};
	218	# FIXME: Bind directly the needed files
	219	bindMounts."/var/secrets" = {};
	220	bindMounts."/var/lib/goaccess" = {};
	221	bindMounts."/var/lib/acme" = {};
	222	bindMounts."/run/phpfpm" = {};
	223	ips =
	224	let ips = config.myEnv.servers.eldiron.ips.production;
	225	in (ips.ip4 or []) ++ (ips.ip6 or []);
	226	modules = makeModules;
	227	extraConfig = makeExtraConfig;
	228	fallbackVhost = {
	229	certName = "eldiron";
	230	hosts = ["eldiron.immae.eu" ];
	231	root = www_root;
	232	extraConfig = [ "DirectoryIndex index.htm" ];
	233	};
	234	};
	235
	236	services.websites.env.integration = {
	237	enable = true;
	238	moduleType = "container";
	239	adminAddr = "httpd@immae.eu";
	240	bindMounts."/var/lib/ftp" = {};
	241	bindMounts."/var/secrets" = {};
	242	bindMounts."/var/lib/goaccess" = {};
	243	bindMounts."/var/lib/acme" = {};
	244	bindMounts."/run/phpfpm" = {};
	245	ips =
	246	let ips = config.myEnv.servers.eldiron.ips.integration;
	247	in (ips.ip4 or []) ++ (ips.ip6 or []);
	248	modules = makeModules;
	249	extraConfig = makeExtraConfig ++ moomin;
	250	fallbackVhost = {
	251	certName = "integration";
	252	hosts = ["eldiron.immae.eu" ];
	253	root = www_root;
	254	extraConfig = [ "DirectoryIndex index.htm" ];
	255	};
	256	watchPaths = [ config.secrets.fullPaths."apache-ldap" ];
	257	};
	258
	259	services.websites.env.tools = {
	260	enable = true;
	261	moduleType = "main";
	262	adminAddr = "httpd@immae.eu";
	263	ips =
	264	let ips = config.myEnv.servers.eldiron.ips.main;
	265	in (ips.ip4 or []) ++ (ips.ip6 or []);
	266	modules = makeModules;
	267	extraConfig = makeExtraConfig ++
	268	[ ''
	269	RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
	270	RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
	271	RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
	272	RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
	273	RedirectMatch ^/(mentions\|mentions_legales\|legal)$ https://www.immae.eu/mentions.html
	274	RedirectMatch ^/CGU$ https://www.immae.eu/CGU
	275	''
	276	];
	277	nosslVhost = {
	278	enable = true;
	279	host = "nossl.immae.eu";
	280	root = ./nossl;
	281	};
	282	fallbackVhost = {
	283	certName = "eldiron";
	284	hosts = ["eldiron.immae.eu" ];
	285	root = www_root;
	286	extraConfig = [ "DirectoryIndex index.htm" ];
	287	};
	288	watchPaths = [ config.secrets.fullPaths."apache-ldap" ];
	289	};
	290
	291	myServices.websites = {
	292	immae = {
	293	production.enable = true;
	294	release.enable = true;
	295	};
	296
	297	tools.assets.enable = true;
	298	tools.cloud.enable = true;
	299	tools.commento.enable = true;
	300	tools.cryptpad.enable = true;
	301	tools.dav.enable = true;
	302	tools.db.enable = true;
	303	tools.diaspora.enable = true;
	304	tools.etherpad-lite.enable = true;
	305	tools.git.enable = true;
	306	tools.mastodon.enable = true;
	307	tools.mediagoblin.enable = true;
	308	tools.peertube.enable = true;
	309	tools.performance.enable = true;
	310	tools.tools.enable = true;
	311	tools.email.enable = true;
	312	tools.stats.enable = false;
	313	tools.visio.enable = true;
	314
	315	games.codenames.enable = true;
	316	games.terraforming-mars.enable = true;
	317	};
	318	};
	319	}