Initial commit published for NUR

7 files changed, 1074 insertions, 0 deletions

diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix
new file mode 100644
index 00000000..65599b73
--- /dev/null
+++ b/modules/webapps/diaspora.nix
@@ -0,0 +1,171 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "diaspora";
+  cfg = config.services.diaspora;
+
+  uid = config.ids.uids.diaspora;
+  gid = config.ids.gids.diaspora;
+in
+{
+  options.services.diaspora = {
+    enable = lib.mkEnableOption "Enable Diaspora’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Diaspora runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Diaspora runs";
+    };
+    adminEmail = lib.mkOption {
+      type = lib.types.str;
+      example = "admin@example.com";
+      description = "Admin e-mail for Diaspora";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Diaspora stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Diaspora puts runtime files and sockets.
+        '';
+    };
+    configDir = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration path for Diaspora.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.diaspora;
+      description = ''
+        Diaspora package to use.
+        '';
+    };
+    # Output variables
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Diaspora data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Diaspora sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override {
+        varDir = cfg.dataDir;
+        podmin_email = cfg.adminEmail;
+        config_dir = cfg.configDir;
+      };
+      description = ''
+        Adjusted diaspora package with overriden values
+        '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        rails = "${cfg.socketsDir}/diaspora.sock";
+        eye   = "${cfg.socketsDir}/eye.sock";
+      };
+      readOnly = true;
+      description = ''
+        Diaspora sockets
+        '';
+    };
+    pids = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        eye   = "${cfg.socketsDir}/eye.pid";
+      };
+      readOnly = true;
+      description = ''
+        Diaspora pids
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Diaspora user";
+      home = cfg.dataDir;
+      packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.diaspora = {
+      description = "Diaspora";
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "network.target" "redis.service" "postgresql.service"
+      ];
+      wants = [
+        "redis.service" "postgresql.service"
+      ];
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.EYE_SOCK = cfg.sockets.eye;
+      environment.EYE_PID = cfg.pids.eye;
+
+      path = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby pkgs.curl pkgs.which pkgs.gawk ];
+
+      preStart = ''
+        install -m 0755 -d ${cfg.dataDir}/uploads ${cfg.dataDir}/tmp ${cfg.dataDir}/log
+        install -m 0700 -d ${cfg.dataDir}/tmp/pids
+        if [ ! -f ${cfg.dataDir}/schedule.yml ]; then
+          echo "{}" > ${cfg.dataDir}/schedule.yml
+        fi
+        ./bin/bundle exec rails db:migrate
+      '';
+
+      script = ''
+        exec ${cfg.workdir}/script/server
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StandardInput = "null";
+        KillMode = "control-group";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix
new file mode 100644
index 00000000..7f0e2ed4
--- /dev/null
+++ b/modules/webapps/etherpad-lite.nix
@@ -0,0 +1,158 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "etherpad-lite";
+  cfg = config.services.etherpad-lite;
+
+  uid = config.ids.uids.etherpad-lite;
+  gid = config.ids.gids.etherpad-lite;
+in
+{
+  options.services.etherpad-lite = {
+    enable = lib.mkEnableOption "Enable Etherpad lite’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Etherpad lite runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Etherpad lite runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Etherpad lite stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Etherpad lite stores its sockets.
+      '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The config file path for Etherpad lite.
+        '';
+    };
+    sessionKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The Session key file path for Etherpad lite.
+        '';
+    };
+    apiKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The API key file path for Etherpad lite.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.etherpad-lite;
+      description = ''
+        Etherpad lite package to use.
+        '';
+    };
+    modules = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [];
+      description = ''
+        Etherpad lite modules to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.withModules cfg.modules;
+      description = ''
+      Adjusted Etherpad lite package with plugins
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Etherpad lite data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Etherpad lite sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        node  = "${cfg.socketsDir}/etherpad-lite.sock";
+      };
+      readOnly = true;
+      description = ''
+        Etherpad lite sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.etherpad-lite = {
+      description = "Etherpad-lite";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.HOME = cfg.workdir;
+
+      path = [ pkgs.nodejs ];
+
+      script = ''
+        exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \
+          --sessionkey ${cfg.sessionKeyFile} \
+          --apikey ${cfg.apiKeyFile} \
+          --settings ${cfg.configFile}
+      '';
+
+      postStart = ''
+        while [ ! -S ${cfg.sockets.node} ]; do
+          sleep 0.5
+        done
+        chmod a+w ${cfg.sockets.node}
+        '';
+      serviceConfig = {
+        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.workdir;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        ExecStartPre = [
+          "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized"
+          "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}"
+        ];
+      };
+    };
+
+  };
+}
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
new file mode 100644
index 00000000..6255de91
--- /dev/null
+++ b/modules/webapps/mastodon.nix
@@ -0,0 +1,223 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "mastodon";
+  cfg = config.services.mastodon;
+
+  uid = config.ids.uids.mastodon;
+  gid = config.ids.gids.mastodon;
+in
+{
+  options.services.mastodon = {
+    enable = lib.mkEnableOption "Enable Mastodon’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Mastodon runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Mastodon runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Mastodon stores its data.
+      '';
+    };
+    socketsPrefix = lib.mkOption {
+      type = lib.types.string;
+      default = "live";
+      description = ''
+        The prefix to use for Mastodon sockets.
+        '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Mastodon puts runtime files and sockets.
+        '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Mastodon.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.mastodon;
+      description = ''
+        Mastodon package to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override { varDir = cfg.dataDir; };
+      description = ''
+      Adjusted mastodon package with overriden varDir
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Mastodon data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Mastodon sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        node  = "${cfg.socketsDir}/${cfg.socketsPrefix}_node.sock";
+        rails = "${cfg.socketsDir}/${cfg.socketsPrefix}_puma.sock";
+      };
+      readOnly = true;
+      description = ''
+        Mastodon sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Mastodon user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.mastodon-streaming = {
+      description = "Mastodon Streaming";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mastodon-web.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.SOCKET = cfg.sockets.node;
+
+      path = [ pkgs.nodejs pkgs.bashInteractive ];
+
+      script = ''
+        exec npm run start
+      '';
+
+      postStart = ''
+        while [ ! -S $SOCKET ]; do
+          sleep 0.5
+        done
+        chmod a+w $SOCKET
+      '';
+
+      postStop = ''
+        rm $SOCKET
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mastodon-web = {
+      description = "Mastodon Web app";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.SOCKET = cfg.sockets.rails;
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+      preStart = ''
+        install -m 0755 -d ${cfg.dataDir}/tmp/cache
+        ./bin/bundle exec rails db:migrate
+      '';
+
+      script = ''
+        exec ./bin/bundle exec puma -C config/puma.rb
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 60;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mastodon-sidekiq = {
+      description = "Mastodon Sidekiq";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mastodon-web.service" ];
+
+      environment.RAILS_ENV="production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.DB_POOL="5";
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.imagemagick pkgs.ffmpeg pkgs.file ];
+
+      script = ''
+        exec ./bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+  };
+}
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix
new file mode 100644
index 00000000..78bbef6f
--- /dev/null
+++ b/modules/webapps/mediagoblin.nix
@@ -0,0 +1,237 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "mediagoblin";
+  cfg = config.services.mediagoblin;
+
+  uid = config.ids.uids.mediagoblin;
+  gid = config.ids.gids.mediagoblin;
+
+  paste_local = pkgs.writeText "paste_local.ini" ''
+    [DEFAULT]
+    debug = false
+
+    [pipeline:main]
+    pipeline = mediagoblin
+
+    [app:mediagoblin]
+    use = egg:mediagoblin#app
+    config = ${cfg.configFile} ${cfg.workdir}/mediagoblin.ini
+    /mgoblin_static = ${cfg.workdir}/mediagoblin/static
+
+    [loggers]
+    keys = root
+
+    [handlers]
+    keys = console
+
+    [formatters]
+    keys = generic
+
+    [logger_root]
+    level = INFO
+    handlers = console
+
+    [handler_console]
+    class = StreamHandler
+    args = (sys.stderr,)
+    level = NOTSET
+    formatter = generic
+
+    [formatter_generic]
+    format = %(levelname)-7.7s [%(name)s] %(message)s
+
+    [filter:errors]
+    use = egg:mediagoblin#errors
+    debug = false
+
+    [server:main]
+    use = egg:waitress#main
+    unix_socket = ${cfg.sockets.paster}
+    unix_socket_perms = 777
+    url_scheme = https
+    '';
+in
+{
+  options.services.mediagoblin = {
+    enable = lib.mkEnableOption "Enable Mediagoblin’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Mediagoblin runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Mediagoblin runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Mediagoblin stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Mediagoblin puts runtime files and sockets.
+        '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Mediagoblin.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.mediagoblin;
+      description = ''
+        Mediagoblin package to use.
+        '';
+    };
+    plugins = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [];
+      description = ''
+        Mediagoblin plugins to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.withPlugins cfg.plugins;
+      description = ''
+      Adjusted Mediagoblin package with plugins
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Mediagoblin data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Mediagoblin sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        paster = "${cfg.socketsDir}/mediagoblin.sock";
+      };
+      readOnly = true;
+      description = ''
+        Mediagoblin sockets
+        '';
+    };
+    pids = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        paster = "${cfg.socketsDir}/mediagoblin.pid";
+        celery = "${cfg.socketsDir}/mediagoblin-celeryd.pid";
+      };
+      readOnly = true;
+      description = ''
+        Mediagoblin pid files
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Mediagoblin user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.mediagoblin-web = {
+      description = "Mediagoblin service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      wants = [ "postgresql.service" "redis.service" ];
+
+      environment.SCRIPT_NAME = "/mediagoblin/";
+
+      script = ''
+        exec ./bin/paster serve \
+          ${paste_local} \
+          --pid-file=${cfg.pids.paster}
+        '';
+      preStop = ''
+        exec ./bin/paster serve \
+          --pid-file=${cfg.pids.paster} \
+          ${paste_local} stop
+        '';
+      preStart = ''
+        if [ -d ${cfg.dataDir}/plugin_static/ ]; then
+          rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+          ln -sf ${cfg.workdir}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+        fi
+        ./bin/gmg -cf ${cfg.configFile} dbupdate
+        '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        PIDFile = cfg.pids.paster;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mediagoblin-celeryd = {
+      description = "Mediagoblin service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mediagoblin-web.service" ];
+
+      environment.MEDIAGOBLIN_CONFIG = cfg.configFile;
+      environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
+
+      script = ''
+        exec ./bin/celery worker \
+          --logfile=${cfg.dataDir}/celery.log \
+          --loglevel=INFO
+        '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 60;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        PIDFile = cfg.pids.celery;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix
new file mode 100644
index 00000000..89dcc67a
--- /dev/null
+++ b/modules/webapps/peertube.nix
@@ -0,0 +1,105 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "peertube";
+  cfg = config.services.peertube;
+
+  uid = config.ids.uids.peertube;
+  gid = config.ids.gids.peertube;
+in
+{
+  options.services.peertube = {
+    enable = lib.mkEnableOption "Enable Peertube’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Peertube runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Peertube runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Peertube stores its data.
+      '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Peertube.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.peertube;
+      description = ''
+        Peertube package to use.
+        '';
+    };
+    # Output variables
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Peertube data directory for systemd
+      '';
+      readOnly = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Peertube user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.peertube = {
+      description = "Peertube";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_CONFIG_DIR = "${cfg.dataDir}/config";
+      environment.NODE_ENV = "production";
+      environment.HOME = cfg.package;
+
+      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];
+
+      script = ''
+        install -m 0750 -d ${cfg.dataDir}/config
+        ln -sf ${cfg.configFile} ${cfg.dataDir}/config/production.yaml
+        exec npm run start
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.package;
+        StateDirectory = cfg.systemdStateDirectory;
+        StateDirectoryMode = 0750;
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
+
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix
new file mode 100644
index 00000000..924d72de
--- /dev/null
+++ b/modules/webapps/webstats/default.nix
@@ -0,0 +1,81 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "goaccess";
+  cfg = config.services.webstats;
+in {
+  options.services.webstats = {
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Goaccess stores its data.
+      '';
+    };
+    sites = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          conf = lib.mkOption {
+            type = lib.types.nullOr lib.types.path;
+            default = null;
+            description = ''
+              use custom goaccess configuration file instead of the
+              default one.
+              '';
+          };
+          name = lib.mkOption {
+            type = lib.types.string;
+            description  = ''
+              Domain name. Corresponds to the Apache file name and the
+              folder name in which the state will be saved.
+              '';
+          };
+        };
+      });
+      default = [];
+      description = "Sites to generate stats";
+    };
+  };
+
+  config = lib.mkIf (builtins.length cfg.sites > 0) {
+    users.users.root.packages = [
+      pkgs.goaccess
+    ];
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        stats = domain: conf: let
+          config = if builtins.isNull conf
+            then pkgs.runCommand "goaccess.conf" {
+                dbPath = "${cfg.dataDir}/${domain}";
+              } "substituteAll ${./goaccess.conf} $out"
+            else conf;
+          d = pkgs.writeScriptBin "stats-${domain}" ''
+            #!${pkgs.stdenv.shell}
+            set -e
+            shopt -s nullglob
+            date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
+            TMPFILE=$(mktemp)
+            trap "rm -f $TMPFILE" EXIT
+
+            mkdir -p ${cfg.dataDir}/${domain}
+            cat /var/log/httpd/access-${domain}.log | sed -n "/\\[$date_regex/ p" > $TMPFILE
+            for i in /var/log/httpd/access-${domain}*.gz; do
+              zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE
+            done
+            ${pkgs.goaccess}/bin/goaccess $TMPFILE --no-progress -o ${cfg.dataDir}/${domain}/index.html -p ${config}
+            '';
+          in "${d}/bin/stats-${domain}";
+        allStats = sites: pkgs.writeScript "stats" ''
+          #!${pkgs.stdenv.shell}
+
+          mkdir -p ${cfg.dataDir}
+          ${builtins.concatStringsSep "\n" (map (v: stats v.name v.conf) sites)}
+          '';
+      in
+        [
+          "5 0 * * * root ${allStats cfg.sites}"
+        ];
+    };
+  };
+}
diff --git a/modules/webapps/webstats/goaccess.conf b/modules/webapps/webstats/goaccess.conf
new file mode 100644
index 00000000..49189883
--- /dev/null
+++ b/modules/webapps/webstats/goaccess.conf
@@ -0,0 +1,99 @@
+time-format %H:%M:%S
+date-format %d/%b/%Y
+
+#sur immae.eu
+#log-format %v %h %^[%d:%t %^] "%r" %s %b "%R" "%u" $^
+
+log-format VCOMBINED
+#= %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
+
+html-prefs {"theme":"bright","layout":"vertical"}
+
+exclude-ip 188.165.209.148
+exclude-ip 178.33.252.96
+exclude-ip 2001:41d0:2:9c94::1
+exclude-ip 2001:41d0:2:9c94::
+exclude-ip 176.9.151.89
+exclude-ip 2a01:4f8:160:3445::
+exclude-ip 82.255.56.72
+
+no-query-string true
+
+keep-db-files true
+load-from-disk true
+db-path @dbPath@
+
+ignore-panel REFERRERS
+ignore-panel KEYPHRASES
+
+static-file .css
+static-file .js
+static-file .jpg
+static-file .png
+static-file .gif
+static-file .ico
+static-file .jpeg
+static-file .pdf
+static-file .csv
+static-file .mpeg
+static-file .mpg
+static-file .swf
+static-file .woff
+static-file .woff2
+static-file .xls
+static-file .xlsx
+static-file .doc
+static-file .docx
+static-file .ppt
+static-file .pptx
+static-file .txt
+static-file .zip
+static-file .ogg
+static-file .mp3
+static-file .mp4
+static-file .exe
+static-file .iso
+static-file .gz
+static-file .rar
+static-file .svg
+static-file .bmp
+static-file .tar
+static-file .tgz
+static-file .tiff
+static-file .tif
+static-file .ttf
+static-file .flv
+#static-file .less
+#static-file .ac3
+#static-file .avi
+#static-file .bz2
+#static-file .class
+#static-file .cue
+#static-file .dae
+#static-file .dat
+#static-file .dts
+#static-file .ejs
+#static-file .eot
+#static-file .eps
+#static-file .img
+#static-file .jar
+#static-file .map
+#static-file .mid
+#static-file .midi
+#static-file .ogv
+#static-file .webm
+#static-file .mkv
+#static-file .odp
+#static-file .ods
+#static-file .odt
+#static-file .otf
+#static-file .pict
+#static-file .pls
+#static-file .ps
+#static-file .qt
+#static-file .rm
+#static-file .svgz
+#static-file .wav
+#static-file .webp
+
+