From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 4 Oct 2023 01:35:06 +0200
Subject: Squash changes containing private information

There were a lot of changes since the previous commit, but a lot of them contained personnal information about users. All thos changes got stashed into a single commit (history is kept in a different place) and private information was moved in a separate private repository
---
 modules/private/websites/default.nix | 324 ----------------------------------
 1 file changed, 324 deletions(-)
 delete mode 100644 modules/private/websites/default.nix

(limited to 'modules/private/websites/default.nix')

diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
deleted file mode 100644
index 4864034..0000000
--- a/modules/private/websites/default.nix
+++ /dev/null
@@ -1,324 +0,0 @@ -{ lib, pkgs, config, ... }: -let - www_root = ./_www; - theme_root = pkgs.webapps.apache-theme.theme; - apacheConfig = { - cache = { - # This setting permits to ignore time-based cache for files in the - # nix store: - # If a client requires an If-Modified-Since from timestamp 1, then - # this header is removed, and if the response contains a - # too old Last-Modified tag, then it is removed too - extraConfig = '' - - RequestHeader unset If-Modified-Since - - Header unset Last-Modified "expr=%{LAST_MODIFIED} < 19991231235959" - ''; - }; - gzip = { - modules = [ "deflate" "filter" ]; - extraConfig = '' - AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript - ''; - }; - macros = { - modules = [ "macro" ]; - }; - stats = { - extraConfig = '' - - Alias /webstats ${config.services.webstats.dataDir}/%{domain} - - DirectoryIndex index.html - AllowOverride None - Require all granted - - - Use LDAPConnect - Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu - - - ''; - }; - ldap = { - modules = [ "ldap" "authnz_ldap" ]; - extraConfig = '' - - LDAPSharedCacheSize 500000 - LDAPCacheEntries 1024 - LDAPCacheTTL 600 - LDAPOpCacheEntries 1024 - LDAPOpCacheTTL 600 - - - Include ${config.secrets.fullPaths."apache-ldap"} - ''; - }; - global = { - extraConfig = '' - ErrorDocument 500 /maintenance_immae.html - ErrorDocument 501 /maintenance_immae.html - ErrorDocument 502 /maintenance_immae.html - ErrorDocument 503 /maintenance_immae.html - ErrorDocument 504 /maintenance_immae.html - Alias /maintenance_immae.html ${www_root}/maintenance_immae.html - ProxyPass /maintenance_immae.html ! 
- - AliasMatch "(.*)/googleb6d69446ff4ca3e5.html" ${www_root}/googleb6d69446ff4ca3e5.html - - AllowOverride None - Require all granted - - ''; - }; - apaxy = { - extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig; - }; - http2 = { - modules = [ "http2" ]; - extraConfig = '' - Protocols h2 http/1.1 - ''; - }; - customLog = { - extraConfig = '' - LogFormat "%{Host}i:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost - ''; - }; - }; - makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig); - makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig)); - moomin = let - lines = lib.splitString "\n" (lib.fileContents ./moomin.txt); - pad = width: str: let - padWidth = width - lib.stringLength str; - padding = lib.concatStrings (lib.genList (lib.const "0") padWidth); - in lib.optionalString (padWidth > 0) padding + str; - in - lib.imap0 (i: e: ''Header always set "X-Moomin-${pad 2 (builtins.toString i)}" "${e}"'') lines; -in -{ - options.myServices.websites.enable = lib.mkEnableOption "enable websites"; - - config = lib.mkIf config.myServices.websites.enable { - users.users.wwwrun.extraGroups = [ "keys" ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - secrets.keys."apache-ldap" = { - user = "wwwrun"; - group = "wwwrun"; - permissions = "0400"; - text = '' - - - AuthLDAPURL ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS - AuthLDAPBindDN cn=httpd,ou=services,dc=immae,dc=eu - AuthLDAPBindPassword "${config.myEnv.httpd.ldap.password}" - AuthType Basic - AuthName "Authentification requise (Acces LDAP)" - AuthBasicProvider ldap - - - ''; - }; - - system.activationScripts = { - httpd = '' - install -d -m 0755 /var/lib/acme/acme-challenges - install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions - ''; - }; - - services.phpfpm = { - phpOptions = '' - session.save_path = "/var/lib/php/sessions" 
- post_max_size = 20M - ; 15 days (seconds) - session.gc_maxlifetime = 1296000 - ; 30 days (minutes) - session.cache_expire = 43200 - ''; - settings = { - log_level = "notice"; - }; - }; - - services.filesWatcher.httpdProd.paths = [ config.secrets.fullPaths."apache-ldap" ]; - services.filesWatcher.httpdInte.paths = [ config.secrets.fullPaths."apache-ldap" ]; - services.filesWatcher.httpdTools.paths = [ config.secrets.fullPaths."apache-ldap" ]; - - services.websites.env.production = { - enable = true; - adminAddr = "httpd@immae.eu"; - httpdName = "Prod"; - ips = - let ips = config.myEnv.servers.eldiron.ips.production; - in [ips.ip4] ++ (ips.ip6 or []); - modules = makeModules; - extraConfig = makeExtraConfig; - fallbackVhost = { - certName = "eldiron"; - hosts = ["eldiron.immae.eu" ]; - root = www_root; - extraConfig = [ "DirectoryIndex index.htm" ]; - }; - }; - - services.websites.env.integration = { - enable = true; - adminAddr = "httpd@immae.eu"; - httpdName = "Inte"; - ips = - let ips = config.myEnv.servers.eldiron.ips.integration; - in [ips.ip4] ++ (ips.ip6 or []); - modules = makeModules; - extraConfig = makeExtraConfig ++ moomin; - fallbackVhost = { - certName = "eldiron"; - hosts = ["eldiron.immae.eu" ]; - root = www_root; - extraConfig = [ "DirectoryIndex index.htm" ]; - }; - }; - - services.websites.env.tools = { - enable = true; - adminAddr = "httpd@immae.eu"; - httpdName = "Tools"; - ips = - let ips = config.myEnv.servers.eldiron.ips.main; - in [ips.ip4] ++ (ips.ip6 or []); - modules = makeModules; - extraConfig = makeExtraConfig ++ - [ '' - RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html - RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html - RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html - RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html - RedirectMatch ^/(mentions|mentions_legales|legal)$ 
https://www.immae.eu/mentions.html - RedirectMatch ^/CGU$ https://www.immae.eu/CGU - '' - ]; - nosslVhost = { - enable = true; - host = "nossl.immae.eu"; - }; - fallbackVhost = { - certName = "eldiron"; - hosts = ["eldiron.immae.eu" ]; - root = www_root; - extraConfig = [ "DirectoryIndex index.htm" ]; - }; - }; - - myServices.websites = { - bakeer.cloud.enable = true; - capitaines.landing_pages.enable = true; - - chloe = { - integration.enable = true; - production.enable = true; - }; - - cip-ca = { - sympa.enable = true; - }; - - connexionswing = { - integration.enable = true; - production.enable = true; - }; - - denise = { - evariste.enable = true; - denisejerome.enable = true; - oms.enable = true; - bingo.enable = true; - aventuriers.enable = true; - production.enable = true; - }; - - emilia = { - moodle.enable = false; - atelierfringant.enable = true; - }; - - florian = { - app.enable = true; - integration.enable = true; - production.enable = true; - }; - - immae = { - production.enable = true; - release.enable = true; - temp.enable = true; - }; - - isabelle = { - aten_integration.enable = true; - aten_production.enable = true; - iridologie.enable = true; - }; - - jerome.naturaloutil.enable = true; - - leila.production.enable = true; - - ludivine = { - integration.enable = true; - production.enable = true; - }; - - nassime.production.enable = true; - - nath.villon.enable = true; - - papa = { - surveillance.enable = true; - maison_bbc.enable = true; - }; - - patrick_fodella = { - ecolyeu.enable = true; - altermondia.enable = true; - }; - - piedsjaloux = { - integration.enable = true; - production.enable = true; - }; - - ressourcerie_banon.production.enable = true; - ressourcerie_banon.cryptpad.enable = true; - ressourcerie_banon.cloud.enable = true; - - richie.production.enable = true; - - syden.peertube.enable = true; - - telio_tortay.production.enable = true; - - tools.assets.enable = true; - tools.cloud.enable = true; - tools.commento.enable = true; - 
tools.cryptpad.enable = true; - tools.dav.enable = true; - tools.db.enable = true; - tools.diaspora.enable = true; - tools.etherpad-lite.enable = true; - tools.git.enable = true; - tools.mastodon.enable = true; - tools.mediagoblin.enable = true; - tools.peertube.enable = true; - tools.performance.enable = true; - tools.tools.enable = true; - tools.email.enable = true; - tools.stats.enable = false; - - games.codenames.enable = true; - games.terraforming-mars.enable = true; - }; - }; -} -- cgit v1.2.3