105 files changed, 10396 insertions, 0 deletions

diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 00000000..acb0bb51
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,13 @@
+{
+  myids = ./myids.nix;
+  secrets = ./secrets.nix;
+
+  webstats = ./webapps/webstats;
+  diaspora = ./webapps/diaspora.nix;
+  etherpad-lite = ./webapps/etherpad-lite.nix;
+  mastodon = ./webapps/mastodon.nix;
+  mediagoblin = ./webapps/mediagoblin.nix;
+  peertube = ./webapps/peertube.nix;
+
+  websites = ./websites;
+} // (if builtins.pathExists ./private then import ./private else {})
diff --git a/modules/myids.nix b/modules/myids.nix
new file mode 100644
index 00000000..4fb26269
--- /dev/null
+++ b/modules/myids.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+  # Check that there is no clash with nixos/modules/misc/ids.nix
+  config = {
+    ids.uids = {
+      peertube = 394;
+      redis = 395;
+      nullmailer = 396;
+      mediagoblin = 397;
+      diaspora = 398;
+      mastodon = 399;
+    };
+    ids.gids = {
+      peertube = 394;
+      redis = 395;
+      nullmailer = 396;
+      mediagoblin = 397;
+      diaspora = 398;
+      mastodon = 399;
+    };
+  };
+}
diff --git a/modules/private/buildbot/common/build_helpers.py b/modules/private/buildbot/common/build_helpers.py
new file mode 100644
index 00000000..384b1ac3
--- /dev/null
+++ b/modules/private/buildbot/common/build_helpers.py
@@ -0,0 +1,256 @@
+from buildbot.plugins import util, steps, schedulers
+from buildbot_buildslist import BuildsList
+
+__all__ = [
+        "force_scheduler", "deploy_scheduler", "hook_scheduler",
+        "clean_branch", "package_and_upload", "SlackStatusPush",
+        "XMPPStatusPush"
+        ]
+
+# Small helpers"
+@util.renderer
+def clean_branch(props):
+    if props.hasProperty("branch") and len(props["branch"]) > 0:
+        return props["branch"].replace("/", "_")
+    else:
+        return "HEAD"
+
+def package_and_upload(package, package_dest, package_url):
+    return [
+            steps.ShellCommand(name="build package",
+                logEnviron=False, haltOnFailure=True, workdir="source",
+                command=["git", "archive", "HEAD", "-o", package]),
+
+            steps.FileUpload(name="upload package", workersrc=package,
+                workdir="source", masterdest=package_dest,
+                url=package_url, mode=0o644),
+
+            steps.ShellCommand(name="cleanup package", logEnviron=False,
+                haltOnFailure=True, workdir="source", alwaysRun=True,
+                command=["rm", "-f", package]),
+            ]
+
+# Schedulers
+def force_scheduler(name, builders):
+    return schedulers.ForceScheduler(name=name,
+        label="Force build", buttonName="Force build",
+        reason=util.StringParameter(name="reason", label="Reason", default="Force build"),
+        codebases=[
+            util.CodebaseParameter("",
+                branch=util.StringParameter(
+                    name="branch", label="Git reference (tag, branch)", required=True),
+                revision=util.FixedParameter(name="revision", default=""),
+                repository=util.FixedParameter(name="repository", default=""),
+                project=util.FixedParameter(name="project", default=""),
+                ),
+            ],
+        username=util.FixedParameter(name="username", default="Web button"),
+        builderNames=builders)
+
+def deploy_scheduler(name, builders):
+    return schedulers.ForceScheduler(name=name,
+        builderNames=builders,
+        label="Deploy built package", buttonName="Deploy",
+        username=util.FixedParameter(name="username", default="Web button"),
+        codebases=[
+            util.CodebaseParameter(codebase="",
+                branch=util.FixedParameter(name="branch", default=""),
+                revision=util.FixedParameter(name="revision", default=""),
+                repository=util.FixedParameter(name="repository", default=""),
+                project=util.FixedParameter(name="project", default=""))],
+        reason=util.FixedParameter(name="reason", default="Deploy"),
+        properties=[
+            util.ChoiceStringParameter(label="Environment",
+                name="environment", default="integration",
+                choices=["integration", "production"]),
+            BuildsList(label="Build to deploy", name="build"),
+            ]
+        )
+
+def hook_scheduler(project, timer=10):
+    return schedulers.AnyBranchScheduler(
+            change_filter=util.ChangeFilter(category="hooks", project=project),
+            name=project, treeStableTimer=timer, builderNames=["{}_build".format(project)])
+
+# Slack/XMPP status push
+from buildbot.reporters.http import HttpStatusPushBase
+from twisted.internet import defer
+from twisted.python import log
+from buildbot.util import httpclientservice
+from buildbot.reporters import utils
+from buildbot.process import results
+from twisted.words.protocols.jabber.jid import JID
+from wokkel import client, xmppim
+from functools import partial
+
+class SlackStatusPush(HttpStatusPushBase):
+    name = "SlackStatusPush"
+
+    @defer.inlineCallbacks
+    def reconfigService(self, serverUrl, **kwargs):
+        yield HttpStatusPushBase.reconfigService(self, **kwargs)
+        self._http = yield httpclientservice.HTTPClientService.getService(
+            self.master, serverUrl)
+
+    @defer.inlineCallbacks
+    def send(self, build):
+        yield utils.getDetailsForBuild(self.master, build, wantProperties=True)
+        response = yield self._http.post("", json=self.format(build))
+        if response.code != 200:
+            log.msg("%s: unable to upload status: %s" %
+                    (response.code, response.content))
+
+    def format(self, build):
+        colors = [
+                "#36A64F", # success
+                "#F1E903", # warnings
+                "#DA0505", # failure
+                "#FFFFFF", # skipped
+                "#000000", # exception
+                "#FFFFFF", # retry
+                "#D02CA9", # cancelled
+                ]
+
+        if "environment" in build["properties"]:
+            msg = "{} environment".format(build["properties"]["environment"][0])
+            if "build" in build["properties"]:
+                msg = "of archive {} in ".format(build["properties"]["build"][0]) + msg
+        elif len(build["buildset"]["sourcestamps"][0]["branch"]) > 0:
+            msg = "revision {}".format(build["buildset"]["sourcestamps"][0]["branch"])
+        else:
+            msg = "build"
+
+        if build["complete"]:
+            timedelta = int((build["complete_at"] - build["started_at"]).total_seconds())
+            hours, rest = divmod(timedelta, 3600)
+            minutes, seconds = divmod(rest, 60)
+            if hours > 0:
+                duration = "{}h {}min {}s".format(hours, minutes, seconds)
+            elif minutes > 0:
+                duration = "{}min {}s".format(minutes, seconds)
+            else:
+                duration = "{}s".format(seconds)
+
+            text = "Build <{}|{}> of {}'s {} was {} in {}.".format(
+                    build["url"], build["buildid"],
+                    build["builder"]["name"],
+                    msg,
+                    results.Results[build["results"]],
+                    duration,
+                    )
+            fields = [
+                    {
+                        "title": "Build",
+                        "value": "<{}|{}>".format(build["url"], build["buildid"]),
+                        "short": True,
+                        },
+                    {
+                        "title": "Project",
+                        "value": build["builder"]["name"],
+                        "short": True,
+                        },
+                    {
+                        "title": "Build status",
+                        "value": results.Results[build["results"]],
+                        "short": True,
+                        },
+                    {
+                        "title": "Build duration",
+                        "value": duration,
+                        "short": True,
+                        },
+                    ]
+            if "environment" in build["properties"]:
+                fields.append({
+                        "title": "Environment",
+                        "value": build["properties"]["environment"][0],
+                        "short": True,
+                    })
+            if "build" in build["properties"]:
+                fields.append({
+                        "title": "Archive",
+                        "value": build["properties"]["build"][0],
+                        "short": True,
+                    })
+            attachments = [{
+                    "fallback": "",
+                    "color": colors[build["results"]],
+                    "fields": fields
+                    }]
+        else:
+            text = "Build <{}|{}> of {}'s {} started.".format(
+                    build["url"], build["buildid"],
+                    build["builder"]["name"],
+                    msg,
+                    )
+            attachments = []
+
+        return {
+                "username": "Buildbot",
+                "icon_url": "http://docs.buildbot.net/current/_static/icon.png",
+                "text": text,
+                "attachments": attachments,
+                }
+
+class XMPPStatusPush(HttpStatusPushBase):
+    name = "XMPPStatusPush"
+
+    @defer.inlineCallbacks
+    def reconfigService(self, password, recipients, **kwargs):
+        yield HttpStatusPushBase.reconfigService(self, **kwargs)
+        self.password = password
+        self.recipients = recipients
+
+    @defer.inlineCallbacks
+    def send(self, build):
+        yield utils.getDetailsForBuild(self.master, build, wantProperties=True)
+        body = self.format(build)
+        factory = client.DeferredClientFactory(JID("notify_bot@immae.fr/buildbot"), self.password)
+        d = client.clientCreator(factory)
+        def send_message(recipient, stream):
+            message = xmppim.Message(recipient=JID(recipient), body=body)
+            message.stanzaType = 'chat'
+            stream.send(message.toElement())
+            # To allow chaining
+            return stream
+        for recipient in self.recipients:
+            d.addCallback(partial(send_message, recipient))
+        d.addCallback(lambda _: factory.streamManager.xmlstream.sendFooter())
+        d.addErrback(log.err)
+
+    def format(self, build):
+        if "environment" in build["properties"]:
+            msg = "{} environment".format(build["properties"]["environment"][0])
+            if "build" in build["properties"]:
+                msg = "of archive {} in ".format(build["properties"]["build"][0]) + msg
+        elif len(build["buildset"]["sourcestamps"][0]["branch"]) > 0:
+            msg = "revision {}".format(build["buildset"]["sourcestamps"][0]["branch"])
+        else:
+            msg = "build"
+
+        if build["complete"]:
+            timedelta = int((build["complete_at"] - build["started_at"]).total_seconds())
+            hours, rest = divmod(timedelta, 3600)
+            minutes, seconds = divmod(rest, 60)
+            if hours > 0:
+                duration = "{}h {}min {}s".format(hours, minutes, seconds)
+            elif minutes > 0:
+                duration = "{}min {}s".format(minutes, seconds)
+            else:
+                duration = "{}s".format(seconds)
+
+            text = "Build {} ( {} ) of {}'s {} was {} in {}.".format(
+                    build["buildid"], build["url"],
+                    build["builder"]["name"],
+                    msg,
+                    results.Results[build["results"]],
+                    duration,
+                    )
+        else:
+            text = "Build {} ( {} ) of {}'s {} started.".format(
+                    build["buildid"], build["url"],
+                    build["builder"]["name"],
+                    msg,
+                    )
+
+        return text
diff --git a/modules/private/buildbot/common/master.cfg b/modules/private/buildbot/common/master.cfg
new file mode 100644
index 00000000..abe08e0a
--- /dev/null
+++ b/modules/private/buildbot/common/master.cfg
@@ -0,0 +1,69 @@
+# -*- python -*-
+# ex: set filetype=python:
+
+from buildbot.plugins import secrets, util, webhooks
+from buildbot.util import bytes2unicode
+import re
+import os
+from buildbot_config import E, configure
+import json
+
+class CustomBase(webhooks.base):
+    def getChanges(self, request):
+        try:
+            content = request.content.read()
+            args = json.loads(bytes2unicode(content))
+        except Exception as e:
+            raise ValueError("Error loading JSON: " + str(e))
+
+        args.setdefault("comments", "")
+        args.setdefault("repository", "")
+        args.setdefault("author", args.get("who"))
+
+        return ([args], None)
+
+userInfoProvider = util.LdapUserInfo(
+        uri=E.LDAP_URL,
+        bindUser=E.LDAP_ADMIN_USER,
+        bindPw=open(E.SECRETS_FILE + "/ldap", "r").read().rstrip(),
+        accountBase=E.LDAP_BASE,
+        accountPattern=E.LDAP_PATTERN,
+        accountFullName='cn',
+        accountEmail='mail',
+        avatarData="jpegPhoto",
+        groupBase=E.LDAP_BASE,
+        groupName="cn",
+        groupMemberPattern=E.LDAP_GROUP_PATTERN,
+        )
+
+c = BuildmasterConfig = {
+        "title": E.TITLE,
+        "titleURL": E.TITLE_URL,
+        "db": {
+            "db_url": "sqlite:///state.sqlite"
+            },
+        "protocols": { "pb": { "port": E.PB_SOCKET } },
+        "workers": [],
+        "change_source": [],
+        "schedulers": [],
+        "builders": [],
+        "services": [],
+        "secretsProviders": [
+            secrets.SecretInAFile(E.SECRETS_FILE),
+            ],
+        "www": {
+            "change_hook_dialects": { "base": { "custom_class": CustomBase } },
+            "plugins": {
+                "waterfall_view": {},
+                "console_view": {},
+                "grid_view": {},
+                "buildslist": {},
+                },
+            "auth": util.RemoteUserAuth(
+                header=b"X-Remote-User",
+                userInfoProvider=userInfoProvider,
+                headerRegex=re.compile(br"(?P<username>[^ @]+)")),
+            }
+        }
+
+configure(c)
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix
new file mode 100644
index 00000000..fa6a6f20
--- /dev/null
+++ b/modules/private/buildbot/default.nix
@@ -0,0 +1,198 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+  varDir = "/var/lib/buildbot";
+  buildbot_common = pkgs.python3Packages.buildPythonPackage rec {
+    name = "buildbot_common";
+    src = ./common;
+    format = "other";
+    installPhase = ''
+      mkdir -p $out/${pkgs.python3.pythonForBuild.sitePackages}
+      cp -a $src $out/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common
+      '';
+  };
+  buildbot = pkgs.python3Packages.buildbot-full;
+in
+{
+  options = {
+    myServices.buildbot.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable buildbot.
+      '';
+    };
+  };
+
+  config = lib.mkIf config.myServices.buildbot.enable {
+    ids.uids.buildbot = myconfig.env.buildbot.user.uid;
+    ids.gids.buildbot = myconfig.env.buildbot.user.gid;
+
+    users.groups.buildbot.gid = config.ids.gids.buildbot;
+    users.users.buildbot = {
+      name = "buildbot";
+      uid = config.ids.uids.buildbot;
+      group = "buildbot";
+      description = "Buildbot user";
+      home = varDir;
+      extraGroups = [ "keys" ];
+    };
+
+    services.websites.tools.vhostConfs.git.extraConfig = lib.attrsets.mapAttrsToList (k: project: ''
+        RedirectMatch permanent "^/buildbot/${project.name}$" "/buildbot/${project.name}/"
+        RewriteEngine On
+        RewriteRule ^/buildbot/${project.name}/ws(.*)$   unix:///run/buildbot/${project.name}.sock|ws://git.immae.eu/ws$1 [P,NE,QSA,L]
+        ProxyPass /buildbot/${project.name}/             unix:///run/buildbot/${project.name}.sock|http://${project.name}-git.immae.eu/
+        ProxyPassReverse /buildbot/${project.name}/      unix:///run/buildbot/${project.name}.sock|http://${project.name}-git.immae.eu/
+        <Location /buildbot/${project.name}/>
+          Use LDAPConnect
+          Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
+
+          SetEnvIf X-Url-Scheme https HTTPS=1
+          ProxyPreserveHost On
+        </Location>
+        <Location /buildbot/${project.name}/change_hook/base>
+          <RequireAny>
+            Require local
+            Require ldap-group cn=users,ou=${project.name},cn=buildbot,ou=services,dc=immae,dc=eu
+            Include /var/secrets/buildbot/${project.name}/webhook-httpd-include
+          </RequireAny>
+        </Location>
+        '') myconfig.env.buildbot.projects;
+
+    system.activationScripts = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
+      deps = [ "users" "wrappers" ];
+      text = project.activationScript;
+    }) myconfig.env.buildbot.projects;
+
+    secrets.keys = (
+      lib.lists.flatten (
+        lib.attrsets.mapAttrsToList (k: project:
+          lib.attrsets.mapAttrsToList (k: v:
+            {
+              permissions = "0600";
+              user = "buildbot";
+              group = "buildbot";
+              text = v;
+              dest = "buildbot/${project.name}/${k}";
+            }
+          ) project.secrets
+          ++ [
+            {
+              permissions = "0600";
+              user = "wwwrun";
+              group = "wwwrun";
+              text = lib.optionalString (lib.attrsets.hasAttr "webhookTokens" project) ''
+                Require expr "req('Access-Key') in { ${builtins.concatStringsSep ", " (map (x: "'${x}'") project.webhookTokens)} }"
+                '';
+              dest = "buildbot/${project.name}/webhook-httpd-include";
+            }
+          ]
+        ) myconfig.env.buildbot.projects
+      )
+    ) ++ [
+      {
+        permissions = "0600";
+        user = "buildbot";
+        group = "buildbot";
+        text = myconfig.env.buildbot.ldap.password;
+        dest = "buildbot/ldap";
+      }
+      {
+        permissions = "0600";
+        user = "buildbot";
+        group = "buildbot";
+        text = builtins.readFile "${myconfig.privateFiles}/buildbot_ssh_key";
+        dest = "buildbot/ssh_key";
+      }
+    ];
+
+    systemd.services = lib.attrsets.mapAttrs' (k: project: lib.attrsets.nameValuePair "buildbot-${project.name}" {
+      description = "Buildbot Continuous Integration Server ${project.name}.";
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = project.packages pkgs ++ (project.pythonPackages buildbot.pythonModule pkgs);
+      preStart = let
+        master-cfg = "${buildbot_common}/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_common/master.cfg";
+        tac_file = pkgs.writeText "buildbot.tac" ''
+            import os
+
+            from twisted.application import service
+            from buildbot.master import BuildMaster
+
+            basedir = '${varDir}/${project.name}'
+            rotateLength = 10000000
+            maxRotatedFiles = 10
+            configfile = '${master-cfg}'
+
+            # Default umask for server
+            umask = None
+
+            # if this is a relocatable tac file, get the directory containing the TAC
+            if basedir == '.':
+                import os
+                basedir = os.path.abspath(os.path.dirname(__file__))
+
+            # note: this line is matched against to check that this is a buildmaster
+            # directory; do not edit it.
+            application = service.Application('buildmaster')
+            from twisted.python.logfile import LogFile
+            from twisted.python.log import ILogObserver, FileLogObserver
+            logfile = LogFile.fromFullPath(os.path.join(basedir, "twistd.log"), rotateLength=rotateLength,
+                                            maxRotatedFiles=maxRotatedFiles)
+            application.setComponent(ILogObserver, FileLogObserver(logfile).emit)
+
+            m = BuildMaster(basedir, configfile, umask)
+            m.setServiceParent(application)
+            m.log_rotation.rotateLength = rotateLength
+            m.log_rotation.maxRotatedFiles = maxRotatedFiles
+          '';
+      in ''
+      if [ ! -f ${varDir}/${project.name}/buildbot.tac ]; then
+        ${buildbot}/bin/buildbot create-master -c "${master-cfg}" "${varDir}/${project.name}"
+        rm -f ${varDir}/${project.name}/master.cfg.sample
+        rm -f ${varDir}/${project.name}/buildbot.tac
+      fi
+      ln -sf ${tac_file} ${varDir}/${project.name}/buildbot.tac
+      # different buildbots may be trying that simultaneously, add the || true to avoid complaining in case of race
+      install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ssh_key ${varDir}/buildbot_key || true
+      buildbot_secrets=${varDir}/${project.name}/secrets
+      install -m 0700 -o buildbot -g buildbot -d $buildbot_secrets
+      install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/ldap $buildbot_secrets/ldap
+      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
+        (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets
+      )}
+      '';
+      environment = let
+        project_env = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "BUILDBOT_${k}" v) project.environment;
+        buildbot_config = pkgs.python3Packages.buildPythonPackage (rec {
+          name = "buildbot_config-${project.name}";
+          src = ./projects + "/${project.name}";
+          format = "other";
+          installPhase = ''
+            mkdir -p $out/${pkgs.python3.pythonForBuild.sitePackages}
+            cp -a $src $out/${pkgs.python3.pythonForBuild.sitePackages}/buildbot_config
+            '';
+        });
+        HOME = "${varDir}/${project.name}";
+        PYTHONPATH = "${buildbot.pythonModule.withPackages (self: project.pythonPackages self pkgs ++ [
+          pkgs.python3Packages.wokkel
+          pkgs.python3Packages.treq pkgs.python3Packages.ldap3 buildbot
+          pkgs.python3Packages.buildbot-worker
+          buildbot_common buildbot_config
+        ])}/${buildbot.pythonModule.sitePackages}${if project.pythonPathHome then ":${varDir}/${project.name}/.local/${pkgs.python3.pythonForBuild.sitePackages}" else ""}";
+      in project_env // { inherit PYTHONPATH HOME; };
+
+      serviceConfig = {
+        Type = "forking";
+        User = "buildbot";
+        Group = "buildbot";
+        RuntimeDirectory = "buildbot";
+        RuntimeDirectoryPreserve = "yes";
+        StateDirectory = "buildbot";
+        SupplementaryGroups = "keys";
+        WorkingDirectory = "${varDir}/${project.name}";
+        ExecStart = "${buildbot}/bin/buildbot start";
+      };
+    }) myconfig.env.buildbot.projects;
+  };
+}
diff --git a/modules/private/buildbot/projects/caldance/__init__.py b/modules/private/buildbot/projects/caldance/__init__.py
new file mode 100644
index 00000000..2c0bad5b
--- /dev/null
+++ b/modules/private/buildbot/projects/caldance/__init__.py
@@ -0,0 +1,190 @@
+from buildbot.plugins import *
+from buildbot_common.build_helpers import *
+import os
+from buildbot.util import bytes2unicode
+import json
+
+__all__ = [ "configure", "E" ]
+
+class E():
+    PROJECT       = "caldance"
+    BUILDBOT_URL  = "https://git.immae.eu/buildbot/{}/".format(PROJECT)
+    SOCKET        = "unix:/run/buildbot/{}.sock".format(PROJECT)
+    PB_SOCKET     = "unix:address=/run/buildbot/{}_pb.sock".format(PROJECT)
+    RELEASE_PATH  = "/var/lib/ftp/release.immae.eu/{}".format(PROJECT)
+    RELEASE_URL   = "https://release.immae.eu/{}".format(PROJECT)
+    GIT_URL       = "gitolite@git.immae.eu:perso/simon_descarpentries/www.cal-dance.com"
+    SSH_KEY_PATH  = "/var/lib/buildbot/buildbot_key"
+    SSH_HOST_KEY  = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFbhFTl2A2RJn5L51yxJM4XfCS2ZaiSX/jo9jFSdghF"
+    LDAP_HOST     = "ldap.immae.eu"
+    LDAP_DN       = "cn=buildbot,ou=services,dc=immae,dc=eu"
+    LDAP_ROLES_BASE = "ou=roles,ou=hosts,dc=immae,dc=eu"
+    XMPP_RECIPIENTS = os.environ["BUILDBOT_XMPP_RECIPIENTS"].split(" ")
+
+    PUPPET_HOST = {
+            "integration": "root@caldance.immae.eu",
+            }
+
+    # master.cfg
+    SECRETS_FILE       = os.getcwd() + "/secrets"
+    LDAP_URL           = "ldaps://ldap.immae.eu:636"
+    LDAP_ADMIN_USER    = "cn=buildbot,ou=services,dc=immae,dc=eu"
+    LDAP_BASE          = "dc=immae,dc=eu"
+    LDAP_PATTERN       = "(uid=%(username)s)"
+    LDAP_GROUP_PATTERN = "(&(memberOf=cn=groups,ou=caldance,cn=buildbot,ou=services,dc=immae,dc=eu)(member=%(dn)s))"
+    TITLE_URL          = "https://caldance.immae.eu"
+    TITLE              = "Caldance"
+
+class CustomBase(webhooks.base):
+    def getChanges(self, request):
+        try:
+            content = request.content.read()
+            args = json.loads(bytes2unicode(content))
+        except Exception as e:
+            raise ValueError("Error loading JSON: " + str(e))
+
+        args.setdefault("comments", "")
+        args.setdefault("repository", "")
+        args.setdefault("author", args.get("who", "unknown"))
+
+        if args["category"] == "deploy_webhook":
+            args = {
+                    "category": "deploy_webhook",
+                    "comments": "",
+                    "repository": "",
+                    "author": "webhook",
+                    "project": "Caldance",
+                    "properties": {
+                        "environment": args.get("environment", "integration"),
+                        "build": "caldance_{}.tar.gz".format(args.get("build", "master"))
+                        }
+                    }
+
+        return ([args], None)
+
+def deploy_hook_scheduler(project, timer=1):
+    return schedulers.AnyBranchScheduler(
+            change_filter=util.ChangeFilter(category="deploy_webhook", project=project),
+            name="{}_deploy".format(project), treeStableTimer=timer, builderNames=["{}_deploy".format(project)])
+
+def configure(c):
+    c["buildbotURL"] = E.BUILDBOT_URL
+    c["www"]["port"] = E.SOCKET
+
+    c["www"]["change_hook_dialects"]["base"] = {
+            "custom_class": CustomBase
+            }
+    c['workers'].append(worker.LocalWorker("generic-worker"))
+    c['workers'].append(worker.LocalWorker("deploy-worker"))
+
+    c['schedulers'].append(hook_scheduler("Caldance", timer=1))
+    c['schedulers'].append(force_scheduler("force_caldance", ["Caldance_build"]))
+    c['schedulers'].append(deploy_scheduler("deploy_caldance", ["Caldance_deploy"]))
+    c['schedulers'].append(deploy_hook_scheduler("Caldance", timer=1))
+
+    c['builders'].append(factory("caldance"))
+
+    c['builders'].append(deploy_factory("caldance"))
+
+    c['services'].append(SlackStatusPush(
+        name="slack_status_caldance",
+        builders=["Caldance_build", "Caldance_deploy"],
+        serverUrl=open(E.SECRETS_FILE + "/slack_webhook", "r").read().rstrip()))
+    c['services'].append(XMPPStatusPush(
+        name="xmpp_status_caldance",
+        builders=["Caldance_build", "Caldance_deploy"],
+        recipients=E.XMPP_RECIPIENTS,
+        password=open(E.SECRETS_FILE + "/notify_xmpp_password", "r").read().rstrip()))
+
+def factory(project, ignore_fails=False):
+    release_file = "{1}/{0}_%(kw:clean_branch)s.tar.gz"
+
+    package = util.Interpolate("{0}_%(kw:clean_branch)s.tar.gz".format(project), clean_branch=clean_branch)
+    package_dest = util.Interpolate(release_file.format(project, E.RELEASE_PATH), clean_branch=clean_branch)
+    package_url = util.Interpolate(release_file.format(project, E.RELEASE_URL), clean_branch=clean_branch)
+
+    factory = util.BuildFactory()
+    factory.addStep(steps.Git(logEnviron=False, repourl=E.GIT_URL,
+        sshPrivateKey=open(E.SSH_KEY_PATH).read().rstrip(),
+        sshHostKey=E.SSH_HOST_KEY, mode="full", method="copy"))
+    factory.addSteps(package_and_upload(package, package_dest, package_url))
+
+    return util.BuilderConfig(
+            name="{}_build".format(project.capitalize()),
+            workernames=["generic-worker"], factory=factory)
+
+def compute_build_infos(project):
+    @util.renderer
+    def compute(props):
+        import re, hashlib
+        build_file = props.getProperty("build")
+        package_dest = "{1}/{0}".format(build_file, E.RELEASE_PATH)
+        version = re.match(r"{0}_(.*).tar.gz".format(project), build_file).group(1)
+        with open(package_dest, "rb") as f:
+            sha = hashlib.sha256(f.read()).hexdigest()
+        return {
+                "build_version": version,
+                "build_hash": sha,
+                }
+    return compute
+
+@util.renderer
+def puppet_host(props):
+    environment = props["environment"] if props.hasProperty("environment") else "integration"
+    return E.PUPPET_HOST.get(environment, "host.invalid")
+
+def deploy_factory(project):
+    package_dest = util.Interpolate("{0}/%(prop:build)s".format(E.RELEASE_PATH))
+
+    factory = util.BuildFactory()
+    factory.addStep(steps.MasterShellCommand(command=["test", "-f", package_dest]))
+    factory.addStep(steps.SetProperties(properties=compute_build_infos(project)))
+    factory.addStep(LdapPush(environment=util.Property("environment"),
+        project=project, build_version=util.Property("build_version"),
+        build_hash=util.Property("build_hash"), ldap_password=util.Secret("ldap")))
+    factory.addStep(steps.MasterShellCommand(command=[
+        "ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "CheckHostIP=no", "-i", E.SSH_KEY_PATH, puppet_host]))
+    return util.BuilderConfig(name="{}_deploy".format(project.capitalize()), workernames=["deploy-worker"], factory=factory)
+
+from twisted.internet import defer
+from buildbot.process.buildstep import FAILURE
+from buildbot.process.buildstep import SUCCESS
+from buildbot.process.buildstep import BuildStep
+
+class LdapPush(BuildStep):
+    name = "LdapPush"
+    renderables = ["environment", "project", "build_version", "build_hash", "ldap_password"]
+
+    def __init__(self, **kwargs):
+        self.environment = kwargs.pop("environment")
+        self.project = kwargs.pop("project")
+        self.build_version = kwargs.pop("build_version")
+        self.build_hash = kwargs.pop("build_hash")
+        self.ldap_password = kwargs.pop("ldap_password")
+        self.ldap_host = kwargs.pop("ldap_host", E.LDAP_HOST)
+        super().__init__(**kwargs)
+
+    def run(self):
+        import json
+        from ldap3 import Reader, Writer, Server, Connection, ObjectDef
+        server = Server(self.ldap_host)
+        conn = Connection(server,
+                user=E.LDAP_DN,
+                password=self.ldap_password)
+        conn.bind()
+        obj = ObjectDef("immaePuppetClass", conn)
+        r = Reader(conn, obj,
+                "cn=caldance.{},{}".format(self.environment, E.LDAP_ROLES_BASE))
+        r.search()
+        if len(r) > 0:
+            w = Writer.from_cursor(r)
+            for value in w[0].immaePuppetJson.values:
+                config = json.loads(value)
+                if "role::caldance::{}_version".format(self.project) in config:
+                    config["role::caldance::{}_version".format(self.project)] = self.build_version
+                    config["role::caldance::{}_sha256".format(self.project)] = self.build_hash
+                    w[0].immaePuppetJson -= value
+                    w[0].immaePuppetJson += json.dumps(config, indent="  ")
+                    w.commit()
+                    return defer.succeed(SUCCESS)
+        return defer.succeed(FAILURE)
diff --git a/modules/private/buildbot/projects/cryptoportfolio/__init__.py b/modules/private/buildbot/projects/cryptoportfolio/__init__.py
new file mode 100644
index 00000000..5d70f957
--- /dev/null
+++ b/modules/private/buildbot/projects/cryptoportfolio/__init__.py
@@ -0,0 +1,169 @@
+from buildbot.plugins import *
+from buildbot_common.build_helpers import *
+import os
+
+__all__ = [ "configure", "E" ]
+
+class E():
+    PROJECT       = "cryptoportfolio"
+    BUILDBOT_URL  = "https://git.immae.eu/buildbot/{}/".format(PROJECT)
+    SOCKET        = "unix:/run/buildbot/{}.sock".format(PROJECT)
+    PB_SOCKET     = "unix:address=/run/buildbot/{}_pb.sock".format(PROJECT)
+    RELEASE_PATH  = "/var/lib/ftp/release.immae.eu/{}".format(PROJECT)
+    RELEASE_URL   = "https://release.immae.eu/{}".format(PROJECT)
+    GIT_URL       = "https://git.immae.eu/perso/Immae/Projets/Cryptomonnaies/Cryptoportfolio/{0}.git"
+    SSH_KEY_PATH  = "/var/lib/buildbot/buildbot_key"
+    LDAP_HOST     = "ldap.immae.eu"
+    LDAP_DN       = "cn=buildbot,ou=services,dc=immae,dc=eu"
+    LDAP_ROLES_BASE = "ou=roles,ou=hosts,dc=immae,dc=eu"
+
+    PUPPET_HOST = {
+            "production": "root@cryptoportfolio.immae.eu",
+            "integration": "root@cryptoportfolio-dev.immae.eu"
+            }
+
+    # master.cfg
+    SECRETS_FILE       = os.getcwd() + "/secrets"
+    LDAP_URL           = "ldaps://ldap.immae.eu:636"
+    LDAP_ADMIN_USER    = "cn=buildbot,ou=services,dc=immae,dc=eu"
+    LDAP_BASE          = "dc=immae,dc=eu"
+    LDAP_PATTERN       = "(uid=%(username)s)"
+    LDAP_GROUP_PATTERN = "(&(memberOf=cn=groups,ou=cryptoportfolio,cn=buildbot,ou=services,dc=immae,dc=eu)(member=%(dn)s))"
+    TITLE_URL          = "https://git.immae.eu"
+    TITLE              = "Cryptoportfolio"
+
+# eval .. dans .zshrc_local
+# mkdir -p $BUILD/go
+# export GOPATH=$BUILD/go
+# go get -u github.com/golang/dep/cmd/dep
+# export PATH=$PATH:$BUILD/go/bin
+# go get git.immae.eu/Cryptoportfolio/Front.git
+# cd $BUILD/go/src/git.immae.eu/Cryptoportfolio/Front.git
+# git checkout dev
+# dep ensure
+def configure(c):
+    c["buildbotURL"] = E.BUILDBOT_URL
+    c["www"]["port"] = E.SOCKET
+
+    c['workers'].append(worker.LocalWorker("generic-worker"))
+    c['workers'].append(worker.LocalWorker("deploy-worker"))
+
+    c['schedulers'].append(hook_scheduler("Trader"))
+    c['schedulers'].append(hook_scheduler("Front"))
+    c['schedulers'].append(force_scheduler(
+        "force_cryptoportfolio", ["Trader_build", "Front_build"]))
+    c['schedulers'].append(deploy_scheduler("deploy_cryptoportfolio",
+        ["Trader_deploy", "Front_deploy"]))
+
+    c['builders'].append(factory("trader"))
+    c['builders'].append(factory("front", ignore_fails=True))
+
+    c['builders'].append(deploy_factory("trader"))
+    c['builders'].append(deploy_factory("front"))
+
+    c['services'].append(SlackStatusPush(
+        name="slack_status_cryptoportfolio",
+        builders=["Front_build", "Trader_build", "Front_deploy", "Trader_deploy"],
+        serverUrl=open(E.SECRETS_FILE + "/slack_webhook", "r").read().rstrip()))
+
+def factory(project, ignore_fails=False):
+    release_file = "{1}/{0}/{0}_%(kw:clean_branch)s.tar.gz"
+
+    url = E.GIT_URL.format(project.capitalize())
+
+    package = util.Interpolate("{0}_%(kw:clean_branch)s.tar.gz".format(project), clean_branch=clean_branch)
+    package_dest = util.Interpolate(release_file.format(project, E.RELEASE_PATH), clean_branch=clean_branch)
+    package_url = util.Interpolate(release_file.format(project, E.RELEASE_URL), clean_branch=clean_branch)
+
+    factory = util.BuildFactory()
+    factory.addStep(steps.Git(logEnviron=False, repourl=url,
+        mode="full", method="copy"))
+    factory.addStep(steps.ShellCommand(name="make install",
+        logEnviron=False, haltOnFailure=(not ignore_fails),
+        warnOnFailure=ignore_fails, flunkOnFailure=(not ignore_fails),
+        command=["make", "install"]))
+    factory.addStep(steps.ShellCommand(name="make test",
+        logEnviron=False, haltOnFailure=(not ignore_fails),
+        warnOnFailure=ignore_fails, flunkOnFailure=(not ignore_fails),
+        command=["make", "test"]))
+    factory.addSteps(package_and_upload(package, package_dest, package_url))
+
+    return util.BuilderConfig(
+            name="{}_build".format(project.capitalize()),
+            workernames=["generic-worker"], factory=factory)
+
+def compute_build_infos(project):
+    @util.renderer
+    def compute(props):
+        import re, hashlib
+        build_file = props.getProperty("build")
+        package_dest = "{2}/{0}/{1}".format(project, build_file, E.RELEASE_PATH)
+        version = re.match(r"{0}_(.*).tar.gz".format(project), build_file).group(1)
+        with open(package_dest, "rb") as f:
+            sha = hashlib.sha256(f.read()).hexdigest()
+        return {
+                "build_version": version,
+                "build_hash": sha,
+                }
+    return compute
+
+@util.renderer
+def puppet_host(props):
+    environment = props["environment"] if props.hasProperty("environment") else "integration"
+    return E.PUPPET_HOST.get(environment, "host.invalid")
+
+def deploy_factory(project):
+    package_dest = util.Interpolate("{1}/{0}/%(prop:build)s".format(project, E.RELEASE_PATH))
+
+    factory = util.BuildFactory()
+    factory.addStep(steps.MasterShellCommand(command=["test", "-f", package_dest]))
+    factory.addStep(steps.SetProperties(properties=compute_build_infos(project)))
+    factory.addStep(LdapPush(environment=util.Property("environment"),
+        project=project, build_version=util.Property("build_version"),
+        build_hash=util.Property("build_hash"), ldap_password=util.Secret("ldap")))
+    factory.addStep(steps.MasterShellCommand(command=[
+        "ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "CheckHostIP=no", "-i", E.SSH_KEY_PATH, puppet_host]))
+    return util.BuilderConfig(name="{}_deploy".format(project.capitalize()), workernames=["deploy-worker"], factory=factory)
+
+from twisted.internet import defer
+from buildbot.process.buildstep import FAILURE
+from buildbot.process.buildstep import SUCCESS
+from buildbot.process.buildstep import BuildStep
+
+class LdapPush(BuildStep):
+    name = "LdapPush"
+    renderables = ["environment", "project", "build_version", "build_hash", "ldap_password"]
+
+    def __init__(self, **kwargs):
+        self.environment = kwargs.pop("environment")
+        self.project = kwargs.pop("project")
+        self.build_version = kwargs.pop("build_version")
+        self.build_hash = kwargs.pop("build_hash")
+        self.ldap_password = kwargs.pop("ldap_password")
+        self.ldap_host = kwargs.pop("ldap_host", E.LDAP_HOST)
+        super().__init__(**kwargs)
+
+    def run(self):
+        import json
+        from ldap3 import Reader, Writer, Server, Connection, ObjectDef
+        server = Server(self.ldap_host)
+        conn = Connection(server,
+                user=E.LDAP_DN,
+                password=self.ldap_password)
+        conn.bind()
+        obj = ObjectDef("immaePuppetClass", conn)
+        r = Reader(conn, obj,
+                "cn=cryptoportfolio.{},{}".format(self.environment, E.LDAP_ROLES_BASE))
+        r.search()
+        if len(r) > 0:
+            w = Writer.from_cursor(r)
+            for value in w[0].immaePuppetJson.values:
+                config = json.loads(value)
+                if "role::cryptoportfolio::{}_version".format(self.project) in config:
+                    config["role::cryptoportfolio::{}_version".format(self.project)] = self.build_version
+                    config["role::cryptoportfolio::{}_sha256".format(self.project)] = self.build_hash
+                    w[0].immaePuppetJson -= value
+                    w[0].immaePuppetJson += json.dumps(config, indent="  ")
+                    w.commit()
+                    return defer.succeed(SUCCESS)
+        return defer.succeed(FAILURE)
diff --git a/modules/private/buildbot/projects/test/__init__.py b/modules/private/buildbot/projects/test/__init__.py
new file mode 100644
index 00000000..e6b8d514
--- /dev/null
+++ b/modules/private/buildbot/projects/test/__init__.py
@@ -0,0 +1,188 @@
+from buildbot.plugins import *
+from buildbot_common.build_helpers import *
+import os
+from buildbot.util import bytes2unicode
+import json
+
+__all__ = [ "configure", "E" ]
+
+class E():
+    PROJECT       = "test"
+    BUILDBOT_URL  = "https://git.immae.eu/buildbot/{}/".format(PROJECT)
+    SOCKET        = "unix:/run/buildbot/{}.sock".format(PROJECT)
+    PB_SOCKET     = "unix:address=/run/buildbot/{}_pb.sock".format(PROJECT)
+    RELEASE_PATH  = "/var/lib/ftp/release.immae.eu/{}".format(PROJECT)
+    RELEASE_URL   = "https://release.immae.eu/{}".format(PROJECT)
+    GIT_URL       = "https://git.immae.eu/perso/Immae/TestProject.git"
+    SSH_KEY_PATH  = "/var/lib/buildbot/buildbot_key"
+    PUPPET_HOST   = "root@backup-1.v.immae.eu"
+    LDAP_HOST     = "ldap.immae.eu"
+    LDAP_DN       = "cn=buildbot,ou=services,dc=immae,dc=eu"
+    LDAP_ROLES_BASE = "ou=roles,ou=hosts,dc=immae,dc=eu"
+    XMPP_RECIPIENTS = os.environ["BUILDBOT_XMPP_RECIPIENTS"].split(" ")
+
+    # master.cfg
+    SECRETS_FILE       = os.getcwd() + "/secrets"
+    LDAP_URL           = "ldaps://ldap.immae.eu:636"
+    LDAP_ADMIN_USER    = "cn=buildbot,ou=services,dc=immae,dc=eu"
+    LDAP_BASE          = "dc=immae,dc=eu"
+    LDAP_PATTERN       = "(uid=%(username)s)"
+    LDAP_GROUP_PATTERN = "(&(memberOf=cn=groups,ou=test,cn=buildbot,ou=services,dc=immae,dc=eu)(member=%(dn)s))"
+    TITLE_URL          = "https://git.immae.eu/?p=perso/Immae/TestProject.git;a=summary"
+    TITLE              = "Test project"
+
+class CustomBase(webhooks.base):
+    def getChanges(self, request):
+        try:
+            content = request.content.read()
+            args = json.loads(bytes2unicode(content))
+        except Exception as e:
+            raise ValueError("Error loading JSON: " + str(e))
+
+        args.setdefault("comments", "")
+        args.setdefault("repository", "")
+        args.setdefault("author", args.get("who", "unknown"))
+
+        if args["category"] == "deploy_webhook":
+            args = {
+                    "category": "deploy_webhook",
+                    "comments": "",
+                    "repository": "",
+                    "author": "unknown",
+                    "project": "TestProject",
+                    "properties": {
+                        "environment": args.get("environment", "integration"),
+                        "build": "test_{}.tar.gz".format(args.get("branch", "master"))
+                        }
+                    }
+
+        return ([args], None)
+
+def deploy_hook_scheduler(project, timer=1):
+    return schedulers.AnyBranchScheduler(
+            change_filter=util.ChangeFilter(category="deploy_webhook", project=project),
+            name="{}_deploy".format(project), treeStableTimer=timer, builderNames=["{}_deploy".format(project)])
+
+def configure(c):
+    c["buildbotURL"] = E.BUILDBOT_URL
+    c["www"]["port"] = E.SOCKET
+
+    c["www"]["change_hook_dialects"]["base"] = {
+            "custom_class": CustomBase
+            }
+    c['workers'].append(worker.LocalWorker("generic-worker-test"))
+    c['workers'].append(worker.LocalWorker("deploy-worker-test"))
+
+    c['schedulers'].append(hook_scheduler("TestProject", timer=1))
+    c['schedulers'].append(force_scheduler("force_test", ["TestProject_build"]))
+    c['schedulers'].append(deploy_scheduler("deploy_test", ["TestProject_deploy"]))
+    c['schedulers'].append(deploy_hook_scheduler("TestProject", timer=1))
+
+    c['builders'].append(factory())
+    c['builders'].append(deploy_factory())
+
+    c['services'].append(SlackStatusPush(
+        name="slack_status_test_project",
+        builders=["TestProject_build", "TestProject_deploy"],
+        serverUrl=open(E.SECRETS_FILE + "/slack_webhook", "r").read().rstrip()))
+    c['services'].append(XMPPStatusPush(
+        name="xmpp_status_test_project",
+        builders=["TestProject_build", "TestProject_deploy"],
+        recipients=E.XMPP_RECIPIENTS,
+        password=open(E.SECRETS_FILE + "/notify_xmpp_password", "r").read().rstrip()))
+
+def factory():
+    package = util.Interpolate("test_%(kw:clean_branch)s.tar.gz", clean_branch=clean_branch)
+    package_dest = util.Interpolate("{}/test_%(kw:clean_branch)s.tar.gz".format(E.RELEASE_PATH), clean_branch=clean_branch)
+    package_url = util.Interpolate("{}/test_%(kw:clean_branch)s.tar.gz".format(E.RELEASE_URL), clean_branch=clean_branch)
+
+    factory = util.BuildFactory()
+    factory.addStep(steps.Git(logEnviron=False,
+        repourl=E.GIT_URL, mode="full", method="copy"))
+    factory.addStep(steps.ShellCommand(name="env",
+        logEnviron=False, command=["env"]))
+    factory.addStep(steps.ShellCommand(name="pwd",
+        logEnviron=False, command=["pwd"]))
+    factory.addStep(steps.ShellCommand(name="true",
+        logEnviron=False, command=["true"]))
+    factory.addStep(steps.ShellCommand(name="echo",
+        logEnviron=False, command=["echo", package]))
+    factory.addSteps(package_and_upload(package, package_dest, package_url))
+
+    return util.BuilderConfig(name="TestProject_build", workernames=["generic-worker-test"], factory=factory)
+
+
+def compute_build_infos():
+    @util.renderer
+    def compute(props):
+        import re, hashlib
+        build_file = props.getProperty("build")
+        package_dest = "{}/{}".format(E.RELEASE_PATH, build_file)
+        version = re.match(r"{0}_(.*).tar.gz".format("test"), build_file).group(1)
+        with open(package_dest, "rb") as f:
+            sha = hashlib.sha256(f.read()).hexdigest()
+        return {
+                "build_version": version,
+                "build_hash": sha,
+                }
+    return compute
+
+@util.renderer
+def puppet_host(props):
+    return E.PUPPET_HOST
+
+def deploy_factory():
+    package_dest = util.Interpolate("{}/%(prop:build)s".format(E.RELEASE_PATH))
+
+    factory = util.BuildFactory()
+    factory.addStep(steps.MasterShellCommand(command=["test", "-f", package_dest]))
+    factory.addStep(steps.SetProperties(properties=compute_build_infos()))
+    factory.addStep(LdapPush(environment=util.Property("environment"),
+        build_version=util.Property("build_version"),
+        build_hash=util.Property("build_hash"),
+        ldap_password=util.Secret("ldap")))
+    factory.addStep(steps.MasterShellCommand(command=[
+        "ssh", "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "CheckHostIP=no", "-i", E.SSH_KEY_PATH, puppet_host]))
+    return util.BuilderConfig(name="TestProject_deploy", workernames=["deploy-worker-test"], factory=factory)
+
+from twisted.internet import defer
+from buildbot.process.buildstep import FAILURE
+from buildbot.process.buildstep import SUCCESS
+from buildbot.process.buildstep import BuildStep
+
+class LdapPush(BuildStep):
+    name = "LdapPush"
+    renderables = ["environment", "build_version", "build_hash", "ldap_password"]
+
+    def __init__(self, **kwargs):
+        self.environment = kwargs.pop("environment")
+        self.build_version = kwargs.pop("build_version")
+        self.build_hash = kwargs.pop("build_hash")
+        self.ldap_password = kwargs.pop("ldap_password")
+        self.ldap_host = kwargs.pop("ldap_host", E.LDAP_HOST)
+        super().__init__(**kwargs)
+
+    def run(self):
+        import json
+        from ldap3 import Reader, Writer, Server, Connection, ObjectDef
+        server = Server(self.ldap_host)
+        conn = Connection(server,
+                user=E.LDAP_DN,
+                password=self.ldap_password)
+        conn.bind()
+        obj = ObjectDef("immaePuppetClass", conn)
+        r = Reader(conn, obj,
+                "cn=test.{},{}".format(self.environment, E.LDAP_ROLES_BASE))
+        r.search()
+        if len(r) > 0:
+            w = Writer.from_cursor(r)
+            for value in w[0].immaePuppetJson.values:
+                config = json.loads(value)
+                if "test_version" in config:
+                    config["test_version"] = self.build_version
+                    config["test_sha256"] = self.build_hash
+                    w[0].immaePuppetJson -= value
+                    w[0].immaePuppetJson += json.dumps(config, indent="  ")
+                    w.commit()
+                    return defer.succeed(SUCCESS)
+        return defer.succeed(FAILURE)
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
new file mode 100644
index 00000000..43f6a234
--- /dev/null
+++ b/modules/private/certificates.nix
@@ -0,0 +1,52 @@
+{ lib, pkgs, config,  ... }:
+{
+  options.services.myCertificates = {
+    certConfig = lib.mkOption {
+      default = {
+        webroot = "${config.security.acme.directory}/acme-challenge";
+        email = "ismael@bouya.org";
+        postRun = ''
+          systemctl reload httpdTools.service httpdInte.service httpdProd.service
+        '';
+        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" ];
+      };
+      description = "Default configuration for certificates";
+    };
+  };
+
+  config = {
+    services.websitesCerts = config.services.myCertificates.certConfig;
+    myServices.databasesCerts = config.services.myCertificates.certConfig;
+    myServices.ircCerts = config.services.myCertificates.certConfig;
+
+    security.acme.preliminarySelfsigned = true;
+
+    security.acme.certs = {
+      "eldiron" = config.services.myCertificates.certConfig // {
+        domain = "eldiron.immae.eu";
+      };
+    };
+
+    systemd.services = lib.attrsets.mapAttrs' (k: v:
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
+        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
+        cp $workdir/server.crt ${config.security.acme.directory}/${k}/cert.pem
+        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/cert.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/cert.pem
+        '') +
+        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
+        cp $workdir/ca.crt ${config.security.acme.directory}/${k}/chain.pem
+        chown '${v.user}:${v.group}' ${config.security.acme.directory}/${k}/chain.pem
+        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.directory}/${k}/chain.pem
+        '')
+      ; })
+    ) config.security.acme.certs // {
+      httpdProd.after = [ "acme-selfsigned-certificates.target" ];
+      httpdProd.wants = [ "acme-selfsigned-certificates.target" ];
+      httpdTools.after = [ "acme-selfsigned-certificates.target" ];
+      httpdTools.wants = [ "acme-selfsigned-certificates.target" ];
+      httpdInte.after = [ "acme-selfsigned-certificates.target" ];
+      httpdInte.wants = [ "acme-selfsigned-certificates.target" ];
+    };
+  };
+}
diff --git a/modules/private/databases/default.nix b/modules/private/databases/default.nix
new file mode 100644
index 00000000..3f7a44bf
--- /dev/null
+++ b/modules/private/databases/default.nix
@@ -0,0 +1,63 @@
+{ lib, config, myconfig, ... }:
+let
+  cfg = config.myServices.databases;
+in
+{
+  options.myServices = {
+    databases.enable = lib.mkEnableOption "my databases service";
+    databasesCerts = lib.mkOption {
+      description = "Default databases configurations for certificates as accepted by acme";
+    };
+  };
+
+  config.nixpkgs.overlays = lib.mkIf cfg.enable [ (self: super: {
+    postgresql = self.postgresql_11_custom;
+  }) ];
+
+  config.myServices.databases = lib.mkIf cfg.enable {
+    mariadb = {
+      enable = true;
+      ldapConfig = {
+        inherit (myconfig.env.ldap) host base;
+        inherit (myconfig.env.databases.mysql.pam) dn filter password;
+      };
+      credentials.root = myconfig.env.databases.mysql.systemUsers.root;
+    };
+
+    openldap = {
+      accessFile = "${myconfig.privateFiles}/ldap.conf";
+      baseDn = myconfig.env.ldap.base;
+      rootDn = myconfig.env.ldap.root_dn;
+      rootPw = myconfig.env.ldap.root_pw;
+      enable = true;
+    };
+
+    postgresql = {
+      ldapConfig = {
+        inherit (myconfig.env.ldap) host base;
+        inherit (myconfig.env.databases.postgresql.pam) dn filter password;
+      };
+      replicationLdapConfig = {
+        inherit (myconfig.env.ldap) host base password;
+        dn = myconfig.env.ldap.host_dn;
+      };
+      authorizedHosts = {
+        immaeEu = [{
+          ip4 = [
+            myconfig.env.servers.immaeEu.ips.main.ip4
+            myconfig.env.servers.immaeEu.ips.alt.ip4
+          ];
+        }];
+      };
+      replicationHosts = {
+        backup-1 = {
+          ip4 = [myconfig.env.servers.backup-1.ips.main.ip4];
+          ip6 = myconfig.env.servers.backup-1.ips.main.ip6;
+        };
+      };
+      enable = true;
+    };
+
+    redis.enable = true;
+  };
+}
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
new file mode 100644
index 00000000..a7239c0e
--- /dev/null
+++ b/modules/private/databases/mariadb.nix
@@ -0,0 +1,149 @@
+{ lib, pkgs, config, ... }:
+let
+    cfg = config.myServices.databases.mariadb;
+in {
+  options.myServices.databases = {
+    mariadb = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable mariadb database";
+        type = lib.types.bool;
+      };
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.mariadb;
+        description = ''
+          Mariadb package to use.
+          '';
+      };
+      credentials = lib.mkOption {
+        default = {};
+        description = "Credentials";
+        type = lib.types.attrsOf lib.types.str;
+      };
+      ldapConfig = lib.mkOption {
+        description = "LDAP configuration to allow PAM identification via LDAP";
+        type = lib.types.submodule {
+          options = {
+            host = lib.mkOption { type = lib.types.str; };
+            base = lib.mkOption { type = lib.types.str; };
+            dn = lib.mkOption { type = lib.types.str; };
+            password = lib.mkOption { type = lib.types.str; };
+            filter = lib.mkOption { type = lib.types.str; };
+          };
+        };
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/mysql";
+        description = ''
+          The directory where Mariadb stores its data.
+        '';
+      };
+      # Output variables
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/mysqld";
+        description = ''
+          The directory where Mariadb puts sockets.
+          '';
+      };
+      sockets = lib.mkOption {
+        type = lib.types.attrsOf lib.types.path;
+        default = {
+          mysqld  = "${cfg.socketsDir}/mysqld.sock";
+        };
+        readOnly = true;
+        description = ''
+          Mariadb sockets
+          '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 3306 ];
+
+    # for adminer, ssl is implemented with mysqli only, which is
+    # currently disabled because it’s not compatible with pam.
+    # Thus we need to generate two users for each 'remote': one remote
+    # with SSL, and one localhost without SSL.
+    # User identified by LDAP:
+    # CREATE USER foo@% IDENTIFIED VIA pam USING 'mysql' REQUIRE SSL;
+    # CREATE USER foo@localhost IDENTIFIED VIA pam USING 'mysql';
+    services.mysql = {
+      enable = true;
+      package = cfg.package;
+      dataDir = cfg.dataDir;
+      extraOptions = ''
+        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        ssl_key = ${config.security.acme.directory}/mysql/key.pem
+        ssl_cert = ${config.security.acme.directory}/mysql/fullchain.pem
+        '';
+    };
+
+    users.users.mysql.extraGroups = [ "keys" ];
+    security.acme.certs."mysql" = config.myServices.databasesCerts // {
+      user = "mysql";
+      group = "mysql";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl restart mysql.service
+      '';
+    };
+
+    secrets.keys = [
+      {
+        dest = "mysql/mysqldump";
+        permissions = "0400";
+        user = "root";
+        group = "root";
+        text = ''
+          [mysqldump]
+          user = root
+          password = ${cfg.credentials.root}
+        '';
+      }
+      {
+        dest = "mysql/pam";
+        permissions = "0400";
+        user = "mysql";
+        group = "mysql";
+        text =  with cfg.ldapConfig; ''
+          host ${host}
+          base ${base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
+        '';
+      }
+    ];
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = [
+        ''
+          30 1,13 * * * root ${cfg.package}/bin/mysqldump --defaults-file=${config.secrets.location}/mysql/mysqldump --all-databases > ${cfg.dataDir}/backup.sql
+        ''
+      ];
+    };
+
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+    in [
+      {
+        name = "mysql";
+        text = ''
+          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
+          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
+          '';
+      }
+    ];
+
+  };
+}
+
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
new file mode 100644
index 00000000..e048d565
--- /dev/null
+++ b/modules/private/databases/openldap/default.nix
@@ -0,0 +1,154 @@
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.myServices.databases.openldap;
+  ldapConfig = let
+    kerberosSchema = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema";
+      sha256 = "17fnkkf6s3lznsl7wp6914pqsc78d038rh38l638big8z608ksww";
+    };
+    puppetSchema = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/puppetlabs/puppet/master/ext/ldap/puppet.schema";
+      sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
+    };
+  in ''
+    include         ${pkgs.openldap}/etc/schema/core.schema
+    include         ${pkgs.openldap}/etc/schema/cosine.schema
+    include         ${pkgs.openldap}/etc/schema/inetorgperson.schema
+    include         ${pkgs.openldap}/etc/schema/nis.schema
+    include         ${puppetSchema}
+    include         ${kerberosSchema}
+    include         ${./immae.schema}
+
+    pidfile         ${cfg.pids.pid}
+    argsfile        ${cfg.pids.args}
+
+    moduleload      back_hdb
+    backend         hdb
+
+    moduleload      memberof
+    database        hdb
+    suffix          "${cfg.baseDn}"
+    rootdn          "${cfg.rootDn}"
+    include         ${config.secrets.location}/ldap/password
+    directory       ${cfg.dataDir}
+    overlay         memberof
+
+    TLSCertificateFile    ${config.security.acme.directory}/ldap/cert.pem
+    TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
+    TLSCACertificateFile  ${config.security.acme.directory}/ldap/fullchain.pem
+    TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
+    #This makes openldap crash
+    #TLSCipherSuite        DEFAULT
+
+    sasl-host kerberos.immae.eu
+    include ${config.secrets.location}/ldap/access
+    '';
+in
+{
+  options.myServices.databases = {
+    openldap = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable ldap";
+        type = lib.types.bool;
+      };
+      baseDn = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          Base DN for LDAP
+        '';
+      };
+      rootDn = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          Root DN
+        '';
+      };
+      rootPw = lib.mkOption {
+        type = lib.types.str;
+        description = ''
+          Root (Hashed) password
+        '';
+      };
+      accessFile = lib.mkOption {
+        type = lib.types.path;
+        description = ''
+          The file path that defines the access
+        '';
+      };
+      dataDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/var/lib/openldap";
+        description = ''
+          The directory where Openldap stores its data.
+        '';
+      };
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/slapd";
+        description = ''
+          The directory where Openldap puts sockets and pid files.
+          '';
+      };
+      # Output variables
+      pids = lib.mkOption {
+        type = lib.types.attrsOf lib.types.path;
+        default = {
+          pid  = "${cfg.socketsDir}/slapd.pid";
+          args = "${cfg.socketsDir}/slapd.args";
+        };
+        readOnly = true;
+        description = ''
+          Slapd pid files
+          '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [
+       {
+        dest = "ldap/password";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = "rootpw          ${cfg.rootPw}";
+      }
+      {
+        dest = "ldap/access";
+        permissions = "0400";
+        user = "openldap";
+        group = "openldap";
+        text = builtins.readFile "${cfg.accessFile}";
+      }
+    ];
+    users.users.openldap.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 636 389 ];
+
+    services.cron = {
+      systemCronJobs = [
+        ''
+          35 1,13 * * * root ${pkgs.openldap}/bin/slapcat -v -b "dc=immae,dc=eu" -f ${pkgs.writeText "slapd.conf" ldapConfig} -l ${cfg.dataDir}/backup.ldif | ${pkgs.gnugrep}/bin/grep -v "^# id=[0-9a-f]*$"
+        ''
+      ];
+    };
+
+    security.acme.certs."ldap" = config.myServices.databasesCerts // {
+      user = "openldap";
+      group = "openldap";
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = "ldap.immae.eu";
+      postRun = ''
+        systemctl restart openldap.service
+      '';
+    };
+
+    services.openldap = {
+      enable = true;
+      dataDir = cfg.dataDir;
+      urlList = [ "ldap://" "ldaps://" ];
+      extraConfig = ldapConfig;
+    };
+  };
+}
diff --git a/modules/private/databases/openldap/immae.schema b/modules/private/databases/openldap/immae.schema
new file mode 100644
index 00000000..f5ee5d54
--- /dev/null
+++ b/modules/private/databases/openldap/immae.schema
@@ -0,0 +1,167 @@
+# vim: set filetype=slapd:
+objectIdentifier Immaeroot 1.3.6.1.4.1.50071
+
+objectIdentifier Immae Immaeroot:2
+objectIdentifier ImmaeattributeType Immae:3
+objectIdentifier ImmaeobjectClass Immae:4
+
+# TT-RSS
+attributetype ( ImmaeattributeType:1 NAME 'immaeTtrssLogin'
+        DESC 'login for TTRSS'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:1 NAME 'immaeTtrssClass'
+        DESC 'Expansion of the existing object classes for ttrss'
+        SUP top AUXILIARY
+        MUST ( immaeTtrssLogin ) )
+
+# FTP
+attributetype ( ImmaeattributeType:2 NAME 'immaeFtpDirectory'
+        DESC 'home directory for ftp'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( ImmaeattributeType:3 NAME 'immaeFtpUid'
+        DESC 'user id for ftp'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( ImmaeattributeType:4 NAME 'immaeFtpGid'
+        DESC 'group id for ftp'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( ImmaeobjectClass:2 NAME 'immaeFtpClass'
+        DESC 'Expansion of the existing object classes for ftp'
+        SUP top AUXILIARY
+        MUST ( immaeFtpDirectory $ immaeFtpGid $ immaeFtpUid ) )
+
+
+# SSH keys
+attributetype ( ImmaeattributeType:5 NAME 'immaeSshKey'
+        DESC 'OpenSSH Public key'
+        EQUALITY octetStringMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+objectClass ( ImmaeobjectClass:3 NAME 'immaeSshClass'
+        DESC 'OpenSSH class'
+        SUP top AUXILIARY
+        MAy ( immaeSSHKey ) )
+
+# Specific access
+attributetype (ImmaeattributeType:6 NAME 'immaeAccessDn'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype (ImmaeattributeType:17 NAME 'immaeAccessWriteDn'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+attributetype (ImmaeattributeType:18 NAME 'immaeAccessReadSubtree'
+        EQUALITY distinguishedNameMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+
+objectClass ( ImmaeobjectClass:4 NAME 'immaeAccessClass'
+        DESC 'Access class'
+        SUP top AUXILIARY
+        MAY ( immaeAccessDn $ immaeAccessWriteDn $ immaeAccessReadSubtree ) )
+
+# Xmpp uid
+attributetype ( ImmaeattributeType:7 NAME 'immaeXmppUid'
+        DESC 'user part for Xmpp'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:5 NAME 'immaeXmppClass'
+        DESC 'Expansion of the existing object classes for XMPP'
+        SUP top AUXILIARY
+        MUST ( immaeXmppUid ) )
+
+# Postfix accounts
+attributetype ( ImmaeattributeType:8 NAME 'immaePostfixAddress'
+        DESC 'the dovecot address to match as username'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+attributetype ( ImmaeattributeType:9 NAME 'immaePostfixHome'
+        DESC 'the postfix home directory'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:10 NAME 'immaePostfixMail'
+        DESC 'the dovecot mail location'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:11 NAME 'immaePostfixUid'
+        DESC 'the dovecot uid'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( ImmaeattributeType:12 NAME 'immaePostfixGid'
+        DESC 'the dovecot gid'
+        EQUALITY caseExactIA5Match
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+objectclass ( ImmaeobjectClass:6 NAME 'immaePostfixClass'
+        DESC 'Expansion of the existing object classes for Postfix'
+        SUP top AUXILIARY
+        MUST ( immaePostfixAddress $ immaePostfixHome $
+          immaePostfixMail $ immaePostfixUid $ immaePostfixGid )
+        )
+
+# Tinc informations
+# Domaine = une classe a part ou une partie du dn ?
+# attributetype ( ImmaeattributeType:13 NAME 'immaeTincIpSegment'
+#         DESC 'the internal ip segment in tinc'
+#         EQUALITY caseIgnoreIA5Match
+#         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# 
+# attributetype ( ImmaeattributeType:14 NAME 'immaeTincSubdomain'
+#         DESC 'the host subdomain'
+#         EQUALITY caseIgnoreIA5Match
+#         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# 
+# attributetype ( ImmaeattributeType:15 NAME 'immaeTincHostname'
+#         DESC 'the host name'
+#         EQUALITY caseIgnoreIA5Match
+#         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+# 
+# objectclass ( ImmaeobjectClass:7 NAME 'immaeTincHostClass'
+#       DESC 'Expansion of the existing object classes for Tinc'
+#       SUP top AUXILIARY
+#       MUST ( immaeTincInternalIp $ immaeTincSubdomain $
+#         immaeTincHostname )
+#         )
+
+attributetype (ImmaeattributeType:16 NAME 'immaePuppetJson'
+        DESC 'Puppet hiera json'
+        EQUALITY octetStringMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+
+objectclass ( ImmaeobjectClass:8 NAME 'immaePuppetClass'
+        DESC 'Expansion of the existing object classes for Puppet'
+        SUP top AUXILIARY
+        MUST ( immaePuppetJson )
+        )
+
+attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
+        DESC 'Taskwarrior server Org:Name:Key'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
+        DESC 'Expansion of the existing object classes for Task'
+        SUP top AUXILIARY
+        MUST ( immaeTaskId )
+        )
+
+# Last:
+# attributetype (ImmaeattributeType:19 NAME 'immaeTaskId'
+# objectclass ( ImmaeobjectClass:9 NAME 'immaeTaskClass'
+
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
new file mode 100644
index 00000000..911a6d1b
--- /dev/null
+++ b/modules/private/databases/postgresql.nix
@@ -0,0 +1,220 @@
+{ lib, pkgs, config, ... }:
+let
+    cfg = config.myServices.databases.postgresql;
+in {
+  options.myServices.databases = {
+    postgresql = {
+      enable = lib.mkOption {
+        default = cfg.enable;
+        example = true;
+        description = "Whether to enable postgresql database";
+        type = lib.types.bool;
+      };
+      package = lib.mkOption {
+        type = lib.types.package;
+        default = pkgs.postgresql;
+        description = ''
+          Postgresql package to use.
+          '';
+      };
+      ldapConfig = lib.mkOption {
+        description = "LDAP configuration to allow PAM identification via LDAP";
+        type = lib.types.submodule {
+          options = {
+            host = lib.mkOption { type = lib.types.str; };
+            base = lib.mkOption { type = lib.types.str; };
+            dn = lib.mkOption { type = lib.types.str; };
+            password = lib.mkOption { type = lib.types.str; };
+            filter = lib.mkOption { type = lib.types.str; };
+          };
+        };
+      };
+      replicationLdapConfig = lib.mkOption {
+        description = "LDAP configuration to allow replication";
+        type = lib.types.submodule {
+          options = {
+            host = lib.mkOption { type = lib.types.str; };
+            base = lib.mkOption { type = lib.types.str; };
+            dn = lib.mkOption { type = lib.types.str; };
+            password = lib.mkOption { type = lib.types.str; };
+          };
+        };
+      };
+      authorizedHosts = lib.mkOption {
+        default = {};
+        description = "Hosts to allow connections from";
+        type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule {
+          options = {
+            method = lib.mkOption {
+              default = "md5";
+              type = lib.types.str;
+            };
+            username = lib.mkOption {
+              default = "all";
+              type = lib.types.str;
+            };
+            database = lib.mkOption {
+              default = "all";
+              type = lib.types.str;
+            };
+            ip4 = lib.mkOption {
+              default = [];
+              type = lib.types.listOf lib.types.str;
+            };
+            ip6 = lib.mkOption {
+              default = [];
+              type = lib.types.listOf lib.types.str;
+            };
+          };
+        }));
+      };
+      replicationHosts = lib.mkOption {
+        default = {};
+        description = "Hosts to allow replication from";
+        type = lib.types.attrsOf (lib.types.submodule {
+          options = {
+            ip4 = lib.mkOption {
+              type = lib.types.listOf lib.types.str;
+            };
+            ip6 = lib.mkOption {
+              type = lib.types.listOf lib.types.str;
+            };
+          };
+        });
+      };
+      # Output variables
+      socketsDir = lib.mkOption {
+        type = lib.types.path;
+        default = "/run/postgresql";
+        description = ''
+          The directory where Postgresql puts sockets.
+          '';
+        readOnly = true;
+      };
+      systemdRuntimeDirectory = lib.mkOption {
+        type = lib.types.str;
+        # Use ReadWritePaths= instead if socketsDir is outside of /run
+        default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+          lib.strings.removePrefix "/run/" cfg.socketsDir;
+        description = ''
+        Adjusted Postgresql sockets directory for systemd
+        '';
+        readOnly = true;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 5432 ];
+
+    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
+      user = "postgres";
+      group = "postgres";
+      plugins = [ "fullchain.pem" "key.pem" "account_key.json" ];
+      domain = "db-1.immae.eu";
+      postRun = ''
+        systemctl reload postgresql.service
+      '';
+    };
+
+    systemd.services.postgresql.serviceConfig = {
+      SupplementaryGroups = "keys";
+      RuntimeDirectory = cfg.systemdRuntimeDirectory;
+    };
+    services.postgresql = {
+      enable = true;
+      package = cfg.package;
+      enableTCPIP = true;
+      extraConfig = ''
+        max_connections = 100
+        wal_level = logical
+        shared_buffers = 512MB
+        work_mem = 10MB
+        max_wal_size = 1GB
+        min_wal_size = 80MB
+        log_timezone = 'Europe/Paris'
+        datestyle = 'iso, mdy'
+        timezone = 'Europe/Paris'
+        lc_messages = 'en_US.UTF-8'
+        lc_monetary = 'en_US.UTF-8'
+        lc_numeric = 'en_US.UTF-8'
+        lc_time = 'en_US.UTF-8'
+        default_text_search_config = 'pg_catalog.english'
+        ssl = on
+        ssl_cert_file = '${config.security.acme.directory}/postgresql/fullchain.pem'
+        ssl_key_file = '${config.security.acme.directory}/postgresql/key.pem'
+        '';
+      authentication = let
+        hosts = builtins.concatStringsSep "\n" (
+          lib.lists.flatten (lib.mapAttrsToList (k: vs: map (v:
+            map (ip6: "hostssl  ${v.database}   ${v.username}   ${ip6}/128      ${v.method}") v.ip6
+            ++ map (ip4: "hostssl       ${v.database}   ${v.username}   ${ip4}/32               ${v.method}") v.ip4
+          ) vs) cfg.authorizedHosts
+        ));
+        replication = builtins.concatStringsSep "\n" (
+          lib.lists.flatten (lib.mapAttrsToList (k: v:
+          map (ip6: "hostssl    replication     ${k}    ${ip6}/128      pam pamservice=postgresql_replication") v.ip6
+          ++ map (ip4: "hostssl replication     ${k}    ${ip4}/32               pam pamservice=postgresql_replication") v.ip4
+          ) cfg.replicationHosts
+        ));
+      in ''
+        local   all     postgres                                ident
+        local   all     all                                     md5
+        ${hosts}
+        hostssl all     all     all                             pam
+        ${replication}
+      '';
+    };
+
+    secrets.keys = [
+      {
+        dest = "postgresql/pam";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text =  with cfg.ldapConfig; ''
+          host ${host}
+          base ${base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_filter ${filter}
+          ssl start_tls
+        '';
+      }
+      {
+        dest = "postgresql/pam_replication";
+        permissions = "0400";
+        group = "postgres";
+        user = "postgres";
+        text = with cfg.replicationLdapConfig; ''
+          host ${host}
+          base ${base}
+          binddn ${dn}
+          bindpw ${password}
+          pam_login_attribute cn
+          ssl start_tls
+        '';
+      }
+    ];
+
+    security.pam.services = let
+      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
+    in [
+      {
+        name = "postgresql";
+        text = ''
+          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
+          '';
+      }
+      {
+        name = "postgresql_replication";
+        text = ''
+          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
+          '';
+      }
+    ];
+  };
+}
+
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix
new file mode 100644
index 00000000..1ba6eed6
--- /dev/null
+++ b/modules/private/databases/redis.nix
@@ -0,0 +1,57 @@
+{ lib, config, ... }:
+let
+    cfg = config.myServices.databases.redis;
+in {
+  options.myServices.databases.redis = {
+    enable = lib.mkOption {
+      default = cfg.enable;
+      example = true;
+      description = "Whether to enable redis database";
+      type = lib.types.bool;
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/redis";
+      description = ''
+        The directory where Redis puts sockets.
+        '';
+    };
+    # Output variables
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted redis sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        redis  = "${cfg.socketsDir}/redis.sock";
+      };
+      readOnly = true;
+      description = ''
+        Redis sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.redis.uid = config.ids.uids.redis;
+    users.groups.redis.gid = config.ids.gids.redis;
+    services.redis = rec {
+      enable = true;
+      bind = "127.0.0.1";
+      unixSocket = cfg.sockets.redis;
+      extraConfig = ''
+        unixsocketperm 777
+        maxclients 1024
+        '';
+    };
+    systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
+  };
+}
+
diff --git a/modules/private/default.nix b/modules/private/default.nix
new file mode 100644
index 00000000..894efb76
--- /dev/null
+++ b/modules/private/default.nix
@@ -0,0 +1,65 @@
+let
+set = {
+  # adatped from nixpkgs/nixos/modules/services/web-servers/apache-httpd/default.nix
+  httpdInte  = import ../websites/httpd-service-builder.nix { httpdName = "Inte"; withUsers = false; };
+  httpdProd  = import ../websites/httpd-service-builder.nix { httpdName = "Prod"; withUsers = false; };
+  httpdTools = import ../websites/httpd-service-builder.nix { httpdName = "Tools"; withUsers = true; };
+
+  databases  = ./databases;
+  mariadb    = ./databases/mariadb.nix;
+  openldap   = ./databases/openldap;
+  postgresql = ./databases/postgresql.nix;
+  redis      = ./databases/redis.nix;
+
+  websites = ./websites;
+  atenInte = ./websites/aten/integration.nix;
+  atenProd = ./websites/aten/production.nix;
+  capitainesProd = ./websites/capitaines/production.nix;
+  chloeInte = ./websites/chloe/integration.nix;
+  chloeProd = ./websites/chloe/production.nix;
+  connexionswingInte = ./websites/connexionswing/integration.nix;
+  connexionswingProd = ./websites/connexionswing/production.nix;
+  denisejeromeProd = ./websites/denisejerome/production.nix;
+  emiliaProd = ./websites/emilia/production.nix;
+  florianApp = ./websites/florian/app.nix;
+  florianInte = ./websites/florian/integration.nix;
+  florianProd = ./websites/florian/production.nix;
+  immaeProd = ./websites/immae/production.nix;
+  immaeRelease = ./websites/immae/release.nix;
+  immaeTemp = ./websites/immae/temp.nix;
+  leilaProd = ./websites/leila/production.nix;
+  ludivinecassalInte = ./websites/ludivinecassal/integration.nix;
+  ludivinecassalProd = ./websites/ludivinecassal/production.nix;
+  nassimeProd = ./websites/nassime/production.nix;
+  naturaloutilProd = ./websites/naturaloutil/production.nix;
+  papaSurveillance = ./websites/papa/surveillance.nix;
+  piedsjalouxInte = ./websites/piedsjaloux/integration.nix;
+  piedsjalouxProd = ./websites/piedsjaloux/production.nix;
+
+  cloudTool = ./websites/tools/cloud;
+  davTool = ./websites/tools/dav;
+  dbTool = ./websites/tools/db;
+  diasporaTool = ./websites/tools/diaspora;
+  etherTool = ./websites/tools/ether;
+  gitTool = ./websites/tools/git;
+  mastodonTool = ./websites/tools/mastodon;
+  mgoblinTool = ./websites/tools/mgoblin;
+  peertubeTool = ./websites/tools/peertube;
+  toolsTool = ./websites/tools/tools;
+
+  buildbot = ./buildbot;
+  certificates = ./certificates.nix;
+  gitolite = ./gitolite;
+  irc = ./irc.nix;
+  pub = ./pub;
+  tasks = ./tasks;
+  dns = ./dns.nix;
+  ftp = ./ftp.nix;
+  mail = ./mail.nix;
+  mpd = ./mpd.nix;
+  ssh = ./ssh;
+
+  system = ./system.nix;
+};
+in
+builtins.listToAttrs (map (attr: { name = "priv${attr}"; value = set.${attr}; }) (builtins.attrNames set))
diff --git a/modules/private/dns.nix b/modules/private/dns.nix
new file mode 100644
index 00000000..ced8d9b0
--- /dev/null
+++ b/modules/private/dns.nix
@@ -0,0 +1,132 @@
+{ lib, pkgs, config, myconfig,  ... }:
+{
+  config = let
+    cfg = config.services.bind;
+    configFile = pkgs.writeText "named.conf" ''
+      include "/etc/bind/rndc.key";
+      controls {
+        inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+      };
+
+      acl cachenetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.cacheNetworks} };
+      acl badnetworks { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.blockedNetworks} };
+
+      options {
+        listen-on { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn} };
+        listen-on-v6 { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6} };
+        allow-query { cachenetworks; };
+        blackhole { badnetworks; };
+        forward first;
+        forwarders { ${lib.concatMapStrings (entry: " ${entry}; ") cfg.forwarders} };
+        directory "/var/run/named";
+        pid-file "/var/run/named/named.pid";
+        ${cfg.extraOptions}
+      };
+
+      ${cfg.extraConfig}
+
+      ${ lib.concatMapStrings
+          ({ name, file, master ? true, extra ? "", slaves ? [], masters ? [] }:
+            ''
+              zone "${name}" {
+                type ${if master then "master" else "slave"};
+                file "${file}";
+                ${ if lib.lists.length slaves > 0 then
+                  ''
+                    allow-transfer {
+                      ${lib.concatMapStrings (ip: "${ip};\n") slaves}
+                    };
+                  '' else ""}
+                ${ if lib.lists.length masters > 0 then
+                  ''
+                    masters {
+                      ${lib.concatMapStrings (ip: "${ip};\n") masters}
+                    };
+                  '' else ""}
+                allow-query { any; };
+                ${extra}
+              };
+            '')
+          cfg.zones }
+    '';
+  in
+    {
+    networking.firewall.allowedUDPPorts = [ 53 ];
+    networking.firewall.allowedTCPPorts = [ 53 ];
+    services.bind = {
+      enable = true;
+      cacheNetworks = ["any"];
+      configFile = configFile;
+      extraOptions = ''
+        allow-recursion { 127.0.0.1; };
+        allow-transfer  { none; };
+
+        notify-source    ${myconfig.env.servers.eldiron.ips.main.ip4};
+        notify-source-v6 ${lib.head myconfig.env.servers.eldiron.ips.main.ip6};
+        version   none;
+        hostname  none;
+        server-id none;
+        '';
+      zones = with myconfig.env.dns;
+        assert (builtins.substring ((builtins.stringLength soa.email)-1) 1 soa.email) != ".";
+        assert (builtins.substring ((builtins.stringLength soa.primary)-1) 1 soa.primary) != ".";
+        (map (conf: {
+          name = conf.name;
+          master = false;
+          file = "/var/run/named/${conf.name}.zone";
+          masters = if lib.attrsets.hasAttr "masters" conf
+            then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.masters)
+            else [];
+        }) slaveZones)
+        ++ (map (conf: {
+          name = conf.name;
+          master = true;
+          extra = if lib.attrsets.hasAttr "extra" conf then conf.extra else "";
+          slaves = if lib.attrsets.hasAttr "slaves" conf
+            then lib.lists.flatten (map (n: lib.attrsets.attrValues ns.${n}) conf.slaves)
+            else [];
+          file = pkgs.writeText "${conf.name}.zone" ''
+              $TTL 10800
+              @ IN SOA ${soa.primary}. ${builtins.replaceStrings ["@"] ["."] soa.email}. ${soa.serial} ${soa.refresh} ${soa.retry} ${soa.expire} ${soa.ttl}
+
+              ${lib.concatStringsSep "\n" (map (x: "@ IN NS ${x}.") (lib.concatMap (n: lib.attrsets.mapAttrsToList (k: v: k) ns.${n}) conf.ns))}
+
+              ${conf.entries}
+
+              ${if lib.attrsets.hasAttr "withEmail" conf && lib.lists.length conf.withEmail > 0 then ''
+              mail IN A     ${myconfig.env.servers.immaeEu.ips.main.ip4}
+              mx-1 IN A     ${myconfig.env.servers.eldiron.ips.main.ip4}
+              ${builtins.concatStringsSep "\n" (map (i: "mail IN AAAA  ${i}") myconfig.env.servers.immaeEu.ips.main.ip6)}
+              ${builtins.concatStringsSep "\n" (map (i: "mx-1 IN AAAA  ${i}") myconfig.env.servers.eldiron.ips.main.ip6)}
+              ${lib.concatStringsSep "\n\n" (map (e:
+              let
+                n = if e.domain == "" then "@" else "${e.domain}  ";
+                suffix = if e.domain == "" then "" else ".${e.domain}";
+              in
+              ''
+              ; ------------------ mail: ${n} ---------------------------
+              ${if e.receive then "${n} IN MX 10 mail.${conf.name}." else ""}
+              ;${if e.receive then "${n} IN MX 50 mx-1.${conf.name}." else ""}
+
+              ; Mail sender authentications
+              ${n}                   IN TXT  "v=spf1 mx ~all"
+              _dmarc${suffix}              IN TXT  "v=DMARC1; p=none; adkim=r; aspf=r; fo=1; rua=mailto:postmaster+rua@immae.eu; ruf=mailto:postmaster+ruf@immae.eu;"
+              ${if e.send then ''
+              immae_eu._domainkey${suffix} IN TXT  ( "v=DKIM1; k=rsa; s=email; "
+                        "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzl3vLd8W5YAuumC5+ZT9OV7/14Pmh5JYtwyqKI3cfe9NnAqInt3xO4bZ7oqIxRKWN4SD39vm7O/QOvFdBt00ENOOzdP90s5gKw6eIP/4+vPTh0IWltAsmu9B2agzdtWUE7t2xFKIzEn8l9niRE2QYbVaqZv4sub98vY55fIgFoHtjkmNC7325S8fjDJGp6OPbyhAs6Xl5/adjF"
+                        "0ko4Y2p6RaxLQfjlS0bxmK4Qg6C14pIXHtzVeqOuWrwApqt5+AULSn97iUtqV/IJlEEjC6DUR44t3C/G0G/k46iFclCqRRi0hdPrOHCtZDbtMubnTN9eaUiNpkXh1WnCflHwtjQwIDAQAB" )
+              '' else ""}
+              '') conf.withEmail)}
+              '' + (if conf.name == "immae.eu" then ''
+              ; ----------------- Accept DMARC reports -------------------
+              ${lib.concatStringsSep "\n" (
+                lib.flatten (
+                  map (z: map (e: "${e.domain}${if builtins.stringLength e.domain > 0 then "." else ""}${z.name}._report._dmarc IN TXT \"v=DMARC1;\"") (z.withEmail or [])) masterZones
+                )
+              )}
+              '' else "") else ""}
+            '';
+          }) masterZones);
+    };
+  };
+}
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
new file mode 100644
index 00000000..842d2d65
--- /dev/null
+++ b/modules/private/ftp.nix
@@ -0,0 +1,118 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+  options = {
+    services.pure-ftpd.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable pure-ftpd.
+      '';
+    };
+  };
+
+  config = lib.mkIf config.services.pure-ftpd.enable {
+    security.acme.certs."ftp" = config.services.myCertificates.certConfig // {
+      domain = "eldiron.immae.eu";
+      postRun = ''
+        systemctl restart pure-ftpd.service
+      '';
+      extraDomains = { "ftp.immae.eu" = null; };
+    };
+
+    networking = {
+      firewall = {
+        allowedTCPPorts = [ 21 ];
+        allowedTCPPortRanges = [ { from = 40000; to = 50000; } ];
+      };
+    };
+
+    users.users = [
+      {
+        name = "ftp";
+        uid = config.ids.uids.ftp; # 8
+        group = "ftp";
+        description = "Anonymous FTP user";
+        home = "/homeless-shelter";
+        extraGroups = [ "keys" ];
+      }
+    ];
+
+    users.groups.ftp.gid = config.ids.gids.ftp;
+
+    system.activationScripts.pure-ftpd = ''
+      install -m 0755 -o ftp -g ftp -d /var/lib/ftp
+      '';
+
+    secrets.keys = [{
+      dest = "pure-ftpd-ldap";
+      permissions = "0400";
+      user = "ftp";
+      group = "ftp";
+      text = ''
+        LDAPServer          ${myconfig.env.ftp.ldap.host}
+        LDAPPort            389
+        LDAPUseTLS          True
+        LDAPBaseDN          ${myconfig.env.ftp.ldap.base}
+        LDAPBindDN          ${myconfig.env.ftp.ldap.dn}
+        LDAPBindPW          ${myconfig.env.ftp.ldap.password}
+        LDAPDefaultUID      500
+        LDAPForceDefaultUID False
+        LDAPDefaultGID      100
+        LDAPForceDefaultGID False
+        LDAPFilter          ${myconfig.env.ftp.ldap.filter}
+
+        LDAPAuthMethod      BIND
+
+        # Pas de possibilite de donner l'Uid/Gid !
+        # Compile dans pure-ftpd directement avec immaeFtpUid / immaeFtpGid
+        LDAPHomeDir         immaeFtpDirectory
+        '';
+    }];
+
+    systemd.services.pure-ftpd = let
+      configFile = pkgs.writeText "pure-ftpd.conf" ''
+        PassivePortRange             40000 50000
+        ChrootEveryone               yes
+        CreateHomeDir                yes
+        BrokenClientsCompatibility   yes
+        MaxClientsNumber             50
+        Daemonize                    yes
+        MaxClientsPerIP              8
+        VerboseLog                   no
+        DisplayDotFiles              yes
+        AnonymousOnly                no
+        NoAnonymous                  no
+        SyslogFacility               ftp
+        DontResolve                  yes
+        MaxIdleTime                  15
+        LDAPConfigFile               /var/secrets/pure-ftpd-ldap
+        LimitRecursion               10000 8
+        AnonymousCanCreateDirs       no
+        MaxLoad                      4
+        AntiWarez                    yes
+        Umask                        133:022
+        # ftp
+        MinUID                       8
+        AllowUserFXP                 no
+        AllowAnonymousFXP            no
+        ProhibitDotFilesWrite        no
+        ProhibitDotFilesRead         no
+        AutoRename                   no
+        AnonymousCantUpload          no
+        MaxDiskUsage                 99
+        CustomerProof                yes
+        TLS                          1
+        CertFile                     ${config.security.acme.directory}/ftp/full.pem
+        '';
+    in {
+      description = "Pure-FTPd server";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig.ExecStart = "${pkgs.pure-ftpd}/bin/pure-ftpd ${configFile}";
+      serviceConfig.Type = "forking";
+      serviceConfig.PIDFile = "/run/pure-ftpd.pid";
+    };
+  };
+
+}
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix
new file mode 100644
index 00000000..b9914a16
--- /dev/null
+++ b/modules/private/gitolite/default.nix
@@ -0,0 +1,63 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+    cfg = config.myServices.gitolite;
+in {
+  options.myServices.gitolite = {
+    enable = lib.mkEnableOption "my gitolite service";
+    gitoliteDir = lib.mkOption {
+      type = lib.types.string;
+      default = "/var/lib/gitolite";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 9418 ];
+
+    services.gitDaemon = {
+      enable = true;
+      user = "gitolite";
+      group = "gitolite";
+      basePath = "${cfg.gitoliteDir}/repositories";
+    };
+
+    system.activationScripts.gitolite = let
+      gitolite_ldap_groups = pkgs.mylibs.wrap {
+        name = "gitolite_ldap_groups.sh";
+        file = ./gitolite_ldap_groups.sh;
+        vars = {
+          LDAP_PASS = myconfig.env.tools.gitolite.ldap.password;
+        };
+        paths = [ pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.coreutils ];
+      };
+    in {
+      deps = [ "users" ];
+      text = ''
+        if [ -d ${cfg.gitoliteDir} ]; then
+          ln -sf ${gitolite_ldap_groups} ${cfg.gitoliteDir}/gitolite_ldap_groups.sh
+          chmod g+rx ${cfg.gitoliteDir}
+        fi
+        if [ -f ${cfg.gitoliteDir}/projects.list ]; then
+          chmod g+r ${cfg.gitoliteDir}/projects.list
+        fi
+      '';
+    };
+
+    users.users.wwwrun.extraGroups = [ "gitolite" ];
+
+    users.users.gitolite.packages = let
+      python-packages = python-packages: with python-packages; [
+        simplejson
+        urllib3
+        sleekxmpp
+      ];
+    in
+      [
+        (pkgs.python3.withPackages python-packages)
+      ];
+    # Installation: https://git.immae.eu/mantisbt/view.php?id=93
+    services.gitolite = {
+      enable = true;
+      adminPubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXqRbiHw7QoHADNIEuo4nUT9fSOIEBMdJZH0bkQAxXyJFyCM1IMz0pxsHV0wu9tdkkr36bPEUj2aV5bkYLBN6nxcV2Y49X8bjOSCPfx3n6Own1h+NeZVBj4ZByrFmqCbTxUJIZ2bZKcWOFncML39VmWdsVhNjg0X4NBBehqXRIKr2gt3E/ESAxTYJFm0BnU0baciw9cN0bsRGqvFgf5h2P48CIAfwhVcGmPQnnAwabnosYQzRWxR0OygH5Kd8mePh6FheIRIigfXsDO8f/jdxwut8buvNIf3m5EBr3tUbTsvM+eV3M5vKGt7sk8T64DVtepTSdOOWtp+47ktsnHOMh immae@immae.eu";
+    };
+  };
+}
diff --git a/modules/private/gitolite/gitolite_ldap_groups.sh b/modules/private/gitolite/gitolite_ldap_groups.sh
new file mode 100755
index 00000000..7db0da40
--- /dev/null
+++ b/modules/private/gitolite/gitolite_ldap_groups.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+uid_param="$1"
+ldap_host="ldap.immae.eu"
+ldap_binddn="cn=gitolite,ou=services,dc=immae,dc=eu"
+ldap_bindpw="$LDAP_PASS"
+ldap_searchbase="dc=immae,dc=eu"
+ldap_scope="subtree"
+
+ldap_options="-h ${ldap_host} -ZZ -x -D ${ldap_binddn} -w ${ldap_bindpw} -b ${ldap_searchbase} -s ${ldap_scope}"
+
+ldap_filter="(&(memberOf=cn=groups,cn=gitolite,ou=services,dc=immae,dc=eu)(|(member=uid=${uid_param},ou=users,dc=immae,dc=eu)(member=uid=${uid_param},ou=group_users,dc=immae,dc=eu)))"
+ldap_result=$(ldapsearch ${ldap_options} -LLL "${ldap_filter}" cn | grep 'cn:' | cut -d' ' -f2)
+
+echo "$ldap_result"
diff --git a/modules/private/irc.nix b/modules/private/irc.nix
new file mode 100644
index 00000000..b3fe91f4
--- /dev/null
+++ b/modules/private/irc.nix
@@ -0,0 +1,54 @@
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.myServices.irc;
+in
+{
+  options.myServices = {
+    ircCerts = lib.mkOption {
+      description = "Default ircconfigurations for certificates as accepted by acme";
+    };
+    irc.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable irc stuff.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."irc" = config.myServices.ircCerts // {
+      domain = "irc.immae.eu";
+      postRun = ''
+        systemctl restart stunnel.service
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = [ 6697 ];
+    services.bitlbee = with pkgs; {
+      enable = true;
+      authMode = "Registered";
+      libpurple_plugins = [
+        purple-hangouts
+        purple-matrix
+      ];
+      plugins = [
+        bitlbee-mastodon
+        bitlbee-facebook
+        bitlbee-discord
+        bitlbee-steam
+      ];
+    };
+
+    services.stunnel = {
+      enable = true;
+      servers = {
+        bitlbee = {
+          accept = 6697;
+          connect = 6667;
+          cert = "${config.security.acme.directory}/irc/full.pem";
+        };
+      };
+    };
+  };
+}
diff --git a/modules/private/mail.nix b/modules/private/mail.nix
new file mode 100644
index 00000000..611c8b41
--- /dev/null
+++ b/modules/private/mail.nix
@@ -0,0 +1,13 @@
+{ lib, pkgs, config, myconfig,  ... }:
+{
+  config.users.users.nullmailer.uid = config.ids.uids.nullmailer;
+  config.users.groups.nullmailer.gid = config.ids.gids.nullmailer;
+
+  config.services.nullmailer = {
+    enable = true;
+    config = {
+      me = myconfig.env.mail.host;
+      remotes = "${myconfig.env.mail.relay} smtp";
+    };
+  };
+}
diff --git a/modules/private/mpd.nix b/modules/private/mpd.nix
new file mode 100644
index 00000000..9903bdf0
--- /dev/null
+++ b/modules/private/mpd.nix
@@ -0,0 +1,56 @@
+{ lib, pkgs, config, myconfig,  ... }:
+{
+  config = {
+    secrets.keys = [
+      {
+        dest = "mpd";
+        permissions = "0400";
+        text = myconfig.env.mpd.password;
+      }
+      {
+        dest = "mpd-config";
+        permissions = "0400";
+        user = "mpd";
+        group = "mpd";
+        text = ''
+          password "${myconfig.env.mpd.password}@read,add,control,admin"
+        '';
+      }
+    ];
+    networking.firewall.allowedTCPPorts = [ 6600 ];
+    users.users.mpd.extraGroups = [ "wwwrun" "keys" ];
+    systemd.services.mpd.serviceConfig.RuntimeDirectory = "mpd";
+    services.mpd = {
+      enable = true;
+      network.listenAddress = "any";
+      musicDirectory = myconfig.env.mpd.folder;
+      extraConfig = ''
+        include "/var/secrets/mpd-config"
+        audio_output {
+          type            "null"
+          name            "No Output"
+          mixer_type      "none"
+        }
+        audio_output {
+          type            "httpd"
+          name            "OGG"
+          encoder         "vorbis"
+          bind_to_address "/run/mpd/ogg.sock"
+          quality         "5.0"
+          format          "44100:16:1"
+        }
+        audio_output {
+          type            "httpd"
+          name            "MP3"
+          encoder         "lame"
+          bind_to_address "/run/mpd/mp3.sock"
+          quality         "5.0"
+          format          "44100:16:1"
+        }
+
+
+        '';
+    };
+  };
+}
+
diff --git a/modules/private/pub/default.nix b/modules/private/pub/default.nix
new file mode 100644
index 00000000..c31c8eb0
--- /dev/null
+++ b/modules/private/pub/default.nix
@@ -0,0 +1,52 @@
+{ lib, pkgs, config, myconfig,  ... }:
+{
+  options = {
+    myServices.pub.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable pub user.
+      '';
+    };
+  };
+
+  config = lib.mkIf config.myServices.pub.enable {
+    users.users.pub = let
+      restrict = pkgs.runCommand "restrict" { 
+        file = ./restrict;
+        buildInputs = [ pkgs.makeWrapper ];
+      } ''
+        mkdir -p $out/bin
+        cp $file $out/bin/restrict
+        chmod a+x $out/bin/restrict
+        patchShebangs $out/bin/restrict
+        wrapProgram $out/bin/restrict \
+          --prefix PATH : ${lib.makeBinPath [ pkgs.bubblewrap pkgs.rrsync ]} \
+          --set TMUX_RESTRICT ${./tmux.restrict.conf}
+      '';
+      purple-hangouts = pkgs.purple-hangouts.overrideAttrs(old: {
+        installPhase = ''
+          install -Dm755 -t $out/lib/purple-2/ libhangouts.so
+          for size in 16 22 24 48; do
+            install -TDm644 hangouts$size.png $out/share/pixmaps/pidgin/protocols/$size/hangouts.png
+          done
+          '';
+      });
+    in {
+      createHome = true;
+      description = "Restricted shell user";
+      home = "/var/lib/pub";
+      uid = myconfig.env.users.pub.uid;
+      useDefaultShell = true;
+      packages = [
+        restrict
+        pkgs.tmux
+        (pkgs.pidgin.override { plugins = [
+          pkgs.purple-plugin-pack purple-hangouts
+          pkgs.purple-discord pkgs.purple-facebook
+          pkgs.telegram-purple
+        ]; })
+        ];
+    };
+  };
+}
diff --git a/modules/private/pub/restrict b/modules/private/pub/restrict
new file mode 100644
index 00000000..b2f3be36
--- /dev/null
+++ b/modules/private/pub/restrict
@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+user="$1"
+rootuser="$HOME/$user/"
+mkdir -p $rootuser
+
+orig="$SSH_ORIGINAL_COMMAND"
+if [ -z "$orig" ]; then
+  orig="/bin/bash -l"
+fi
+if [ "${orig:0:7}" = "command" ]; then
+  orig="${orig:8}"
+fi
+
+case "$orig" in
+rsync*)
+        rrsync $HOME/$user/
+        ;;
+*)
+        nix_store_paths() {
+          nix-store -q -R \
+               /run/current-system/sw \
+               /etc/profiles/per-user/pub \
+               /etc/ssl/certs/ca-bundle.crt \
+               | while read i; do
+            printf '%s--ro-bind\0'$i'\0'$i'\0' ''
+          done
+        }
+
+        set -euo pipefail
+        (exec -c bwrap --ro-bind /usr /usr \
+              --args 10 \
+              --dir /tmp \
+              --dir /var \
+              --symlink ../tmp var/tmp \
+              --proc /proc \
+              --dev /dev \
+              --ro-bind /etc/resolv.conf /etc/resolv.conf \
+              --ro-bind /etc/zoneinfo /etc/zoneinfo \
+              --ro-bind /etc/ssl /etc/ssl \
+              --ro-bind /etc/static/ssl/certs /etc/static/ssl/certs \
+              --ro-bind /run/current-system/sw/lib/locale/locale-archive /etc/locale-archive \
+              --ro-bind /run/current-system/sw/bin /bin \
+              --ro-bind /etc/profiles/per-user/pub/bin /bin-pub \
+              --bind /var/lib/pub/$user /var/lib/pub \
+              --dir /var/lib/commons \
+              --ro-bind $TMUX_RESTRICT /var/lib/commons/tmux.restrict.conf \
+              --chdir /var/lib/pub \
+              --unshare-all \
+              --share-net \
+              --dir /run/user/$(id -u) \
+              --setenv TERM "$TERM" \
+              --setenv LOCALE_ARCHIVE "/etc/locale-archive" \
+              --setenv XDG_RUNTIME_DIR "/run/user/`id -u`" \
+              --setenv PS1 "$user@pub $ " \
+              --setenv PATH "/bin:/bin-pub" \
+              --setenv HOME "/var/lib/pub" \
+              --file 11 /etc/passwd \
+              --file 12 /etc/group \
+              -- $orig) \
+              10< <(nix_store_paths) \
+              11< <(getent passwd $UID 65534) \
+              12< <(getent group $(id -g) 65534)
+        ;;
+esac
diff --git a/modules/private/pub/tmux.restrict.conf b/modules/private/pub/tmux.restrict.conf
new file mode 100644
index 00000000..5aefd1c7
--- /dev/null
+++ b/modules/private/pub/tmux.restrict.conf
@@ -0,0 +1,43 @@
+# Pour les nostalgiques de screen
+# comme les raccourcis ne sont pas les mêmes, j'évite
+set -g prefix C-a
+unbind-key C-b
+
+unbind-key -a
+bind-key -n C-h list-keys
+bind-key    C-d detach
+bind-key      & confirm-before -p "kill-window #W? (y/n)" kill-window
+
+# même hack que sur screen lorsqu'on veut profiter du scroll du terminal
+# (xterm ...)
+set -g terminal-overrides 'xterm*:smcup@:rmcup@'
+
+#Pour les ctrl+arrow
+set-option -g xterm-keys on
+
+# c'est un minimum (defaut 2000)
+set-option -g history-limit 10000
+
+# lorsque j'ai encore un tmux ailleurs seule
+# sa fenetre active réduit la taille de ma fenetre locale
+setw -g aggressive-resize on
+
+# Pour etre alerté sur un changement dans une autre fenêtre
+setw -g monitor-activity on
+#set -g visual-activity on
+#set -g visual-bell on
+
+set -g base-index 1
+
+# repercuter le contenu de la fenetre dans la barre de titre
+# reference des string : man tmux (status-left)
+set -g set-titles on
+set -g set-titles-string '#H #W #T' # host window command
+
+#Dans les valeurs par defaut deja, avec le ssh-agent
+set -g update-environment "DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PATH"
+
+set -g status off
+set -g status-left ''
+set -g status-right ''
+
diff --git a/modules/private/ssh/default.nix b/modules/private/ssh/default.nix
new file mode 100644
index 00000000..beedaff5
--- /dev/null
+++ b/modules/private/ssh/default.nix
@@ -0,0 +1,40 @@
+{ lib, pkgs, config, myconfig, ... }:
+{
+  config = {
+    networking.firewall.allowedTCPPorts = [ 22 ];
+
+    services.openssh.extraConfig = ''
+      AuthorizedKeysCommand     /etc/ssh/ldap_authorized_keys
+      AuthorizedKeysCommandUser nobody
+      '';
+
+    secrets.keys = [{
+      dest = "ssh-ldap";
+      user = "nobody";
+      group = "nogroup";
+      permissions = "0400";
+      text = myconfig.env.sshd.ldap.password;
+    }];
+    system.activationScripts.sshd = {
+      deps = [ "secrets" ];
+      text = ''
+      install -Dm400 -o nobody -g nogroup -T /var/secrets/ssh-ldap /etc/ssh/ldap_password
+      '';
+    };
+    # ssh is strict about parent directory having correct rights, don't
+    # move it in the nix store.
+    environment.etc."ssh/ldap_authorized_keys" = let
+      ldap_authorized_keys =
+        pkgs.mylibs.wrap {
+          name = "ldap_authorized_keys";
+          file = ./ldap_authorized_keys.sh;
+          paths = [ pkgs.which pkgs.gitolite pkgs.openldap pkgs.stdenv.shellPackage pkgs.gnugrep pkgs.gnused pkgs.coreutils ];
+        };
+    in {
+      enable = true;
+      mode = "0755";
+      user = "root";
+      source = ldap_authorized_keys;
+    };
+  };
+}
diff --git a/modules/private/ssh/ldap_authorized_keys.sh b/modules/private/ssh/ldap_authorized_keys.sh
new file mode 100755
index 00000000..d556452d
--- /dev/null
+++ b/modules/private/ssh/ldap_authorized_keys.sh
@@ -0,0 +1,152 @@
+#!/usr/bin/env bash
+
+LDAPSEARCH=ldapsearch
+KEY="immaeSshKey"
+LDAP_BIND="cn=ssh,ou=services,dc=immae,dc=eu"
+LDAP_PASS=$(cat /etc/ssh/ldap_password)
+LDAP_HOST="ldap.immae.eu"
+LDAP_MEMBER="cn=users,cn=ssh,ou=services,dc=immae,dc=eu"
+LDAP_GITOLITE_MEMBER="cn=users,cn=gitolite,ou=services,dc=immae,dc=eu"
+LDAP_PUB_RESTRICT_MEMBER="cn=restrict,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_PUB_FORWARD_MEMBER="cn=forward,cn=pub,ou=services,dc=immae,dc=eu"
+LDAP_BASE="dc=immae,dc=eu"
+GITOLITE_SHELL=$(which gitolite-shell)
+ECHO=$(which echo)
+
+suitable_for() {
+  type_for="$1"
+  key="$2"
+
+  if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+    echo "$key"
+  else
+    key_type=$(cut -d " " -f 1 <<< "$key")
+
+    if grep -q "\b-$type_for\b" <<< "$key_type"; then
+      echo ""
+    elif grep -q "\b$type_for\b" <<< "$key_type"; then
+      echo $(sed -e "s/^[^ ]* //g" <<< "$key")
+    else
+      echo ""
+    fi
+  fi
+}
+
+clean_key_line() {
+  type_for="$1"
+  line="$2"
+
+  if [[ "$line" == $KEY::* ]]; then
+    # base64 keys should't happen, unless wrong copy-pasting
+    key=""
+  else
+    key=$(sed -e "s/^$KEY: *//" -e "s/ *$//" <<< "$line")
+  fi
+
+  suitable_for "$type_for" "$key"
+}
+
+ldap_search() {
+  $LDAPSEARCH -h $LDAP_HOST -ZZ -b $LDAP_BASE -D $LDAP_BIND -w "$LDAP_PASS" -x -o ldif-wrap=no -LLL "$@"
+}
+
+ldap_keys() {
+  user=$1;
+  if [[ $user == gitolite ]]; then
+    ldap_search '(&(memberOf='$LDAP_GITOLITE_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            if [ -n "$user" ]; then
+              if [[ $user == "immae" ]] || [[ $user == "denise" ]]; then
+                # Capitalize first letter (backward compatibility)
+                user=$(sed -r 's/^([a-z])/\U\1/' <<< "$user")
+              fi
+            else
+              # Service fake user
+              user=$(sed -n 's/.*cn=\([^,]*\).*/\1/p' <<< "$line")
+            fi
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line git "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'command="'$GITOLITE_SHELL' '$user'",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+    exit 0
+  elif [[ $user == pub ]]; then
+    ldap_search '(&(memberOf='$LDAP_PUB_RESTRICT_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            echo ""
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            echo "# $user"
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line pub "$line")
+            key_forward=$(clean_key_line forward "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'command="/etc/profiles/per-user/pub/bin/restrict '$user'" '
+                echo $key
+              fi
+            elif [ ! -z "$key_forward" ]; then
+              if [[ $key_forward != *$'\n'* ]] && [[ $key_forward == ssh-* ]]; then
+                echo "# forward only"
+                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+                echo $key_forward
+              fi
+            fi
+          fi
+        fi
+      done
+
+    echo ""
+    ldap_search '(&(memberOf='$LDAP_PUB_FORWARD_MEMBER')('$KEY'=*))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            echo ""
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+            echo "# $user"
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line forward "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo -n 'no-pty,no-X11-forwarding,command="'$ECHO' forward only" '
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+    exit 0
+  else
+    ldap_search '(&(memberOf='$LDAP_MEMBER')('$KEY'=*)(uid='$user'))' $KEY | \
+      while read line ;
+      do
+        if [ ! -z "$line" ]; then
+          if [[ $line == dn* ]]; then
+            user=$(sed -n 's/.*uid=\([^,]*\).*/\1/p' <<< "$line")
+          elif [[ $line == $KEY* ]]; then
+            key=$(clean_key_line ssh "$line")
+            if [ ! -z "$key" ]; then
+              if [[ $key != *$'\n'* ]] && [[ $key == ssh-* ]]; then
+                echo $key
+              fi
+            fi
+          fi
+        fi
+      done
+  fi
+}
+
+ldap_keys $@
diff --git a/modules/private/system.nix b/modules/private/system.nix
new file mode 100644
index 00000000..fba504e9
--- /dev/null
+++ b/modules/private/system.nix
@@ -0,0 +1,30 @@
+{ pkgs, privateFiles, ... }:
+{
+  config = {
+    nixpkgs.overlays = builtins.attrValues (import ../../overlays);
+    _module.args = {
+      pkgsNext = import <nixpkgsNext> {};
+      pkgsPrevious = import <nixpkgsPrevious> {};
+      myconfig = {
+        inherit privateFiles;
+        env = import "${privateFiles}/environment.nix";
+      };
+    };
+
+    services.journald.extraConfig = ''
+      MaxLevelStore="warning"
+      MaxRetentionSec="1year"
+      '';
+
+    users.users.root.packages = [
+      pkgs.telnet
+      pkgs.htop
+      pkgs.iftop
+    ];
+
+    environment.systemPackages = [
+      pkgs.vim
+    ];
+
+  };
+}
diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix
new file mode 100644
index 00000000..b71df33d
--- /dev/null
+++ b/modules/private/system/eldiron.nix
@@ -0,0 +1,63 @@
+{ privateFiles }:
+{ config, pkgs, myconfig, ... }:
+{
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  _module.args.privateFiles = privateFiles;
+
+  networking = {
+    firewall.enable = true;
+    # 176.9.151.89 declared in nixops -> infra / tools
+    interfaces."eth0".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
+      (n: ips: { address = ips.ip4; prefixLength = 32; })
+      (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") myconfig.env.servers.eldiron.ips);
+    interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+      (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+      myconfig.env.servers.eldiron.ips);
+  };
+
+  imports = builtins.attrValues (import ../..);
+
+  myServices.buildbot.enable = true;
+  myServices.databases.enable = true;
+  myServices.gitolite.enable = true;
+  myServices.irc.enable = true;
+  myServices.pub.enable = true;
+  myServices.tasks.enable = true;
+  services.pure-ftpd.enable = true;
+
+  deployment = {
+    targetEnv = "hetzner";
+    hetzner = {
+      robotUser = myconfig.env.hetzner.user;
+      robotPass = myconfig.env.hetzner.pass;
+      mainIPv4 = myconfig.env.servers.eldiron.ips.main.ip4;
+      partitions = ''
+        clearpart --all --initlabel --drives=sda,sdb
+
+        part swap1 --recommended --label=swap1 --fstype=swap --ondisk=sda
+        part swap2 --recommended --label=swap2 --fstype=swap --ondisk=sdb
+
+        part raid.1 --grow --ondisk=sda
+        part raid.2 --grow --ondisk=sdb
+
+        raid / --level=1 --device=md0 --fstype=ext4 --label=root raid.1 raid.2
+      '';
+    };
+  };
+
+  services.cron = {
+    enable = true;
+    systemCronJobs = [
+      ''
+        # The star after /var/lib/* avoids deleting all folders in case of problem
+        0 3,9,15,21 * * * root rsync -e "ssh -i /root/.ssh/id_charon_vpn" -aAXvz --delete --numeric-ids --super --rsync-path="sudo rsync" /var/lib/* immae@immae.eu: > /dev/null
+      ''
+    ];
+  };
+
+  # This value determines the NixOS release with which your system is
+  # to be compatible, in order to avoid breaking some software such as
+  # database servers. You should change this only after NixOS release
+  # notes say you should.
+  system.stateVersion = "18.09"; # Did you read the comment?
+}
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
new file mode 100644
index 00000000..30f49ee9
--- /dev/null
+++ b/modules/private/tasks/default.nix
@@ -0,0 +1,327 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.tasks;
+  server_vardir = config.services.taskserver.dataDir;
+  fqdn = "task.immae.eu";
+  user = config.services.taskserver.user;
+  env = myconfig.env.tools.task;
+  group = config.services.taskserver.group;
+  taskserver-user-certs = pkgs.runCommand "taskserver-user-certs" {} ''
+    mkdir -p $out/bin
+    cat > $out/bin/taskserver-user-certs <<"EOF"
+    #!/usr/bin/env bash
+
+    user=$1
+
+    silent_certtool() {
+      if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+        echo "GNUTLS certtool invocation failed with output:" >&2
+        echo "$output" >&2
+      fi
+    }
+
+    silent_certtool -p \
+      --bits 4096 \
+      --outfile "${server_vardir}/userkeys/$user.key.pem"
+    ${pkgs.gnused}/bin/sed -i -n -e '/^-----BEGIN RSA PRIVATE KEY-----$/,$p' "${server_vardir}/userkeys/$user.key.pem"
+
+    silent_certtool -c \
+      --template "${pkgs.writeText "taskserver-ca.template" ''
+        tls_www_client
+        encryption_key
+        signing_key
+        expiration_days = 3650
+      ''}" \
+      --load-ca-certificate "${server_vardir}/keys/ca.cert" \
+      --load-ca-privkey "${server_vardir}/keys/ca.key" \
+      --load-privkey "${server_vardir}/userkeys/$user.key.pem" \
+      --outfile "${server_vardir}/userkeys/$user.cert.pem"
+    EOF
+    chmod a+x $out/bin/taskserver-user-certs
+    patchShebangs $out/bin/taskserver-user-certs
+    '';
+  taskwarrior-web = pkgs.webapps.taskwarrior-web;
+  socketsDir = "/run/taskwarrior-web";
+  varDir = "/var/lib/taskwarrior-web";
+  taskwebPages = let
+    uidPages = lib.attrsets.zipAttrs (
+      lib.lists.flatten
+        (lib.attrsets.mapAttrsToList (k: c: map (v: { "${v}" = k; }) c.uid) env.taskwarrior-web)
+      );
+    pages = lib.attrsets.mapAttrs (uid: items:
+      if lib.lists.length items == 1 then
+      ''
+        <html>
+        <head>
+          <meta http-equiv="refresh" content="0; url=/taskweb/${lib.lists.head items}/" />
+        </head>
+        <body></body>
+        </html>
+        ''
+      else
+      ''
+        <html>
+        <head>
+        <title>To-do list disponibles</title>
+        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        </head>
+        <body>
+          <ul>
+            ${builtins.concatStringsSep "\n" (map (item: "<li><a href='/taskweb/${item}'>${item}</a></li>") items)}
+          </ul>
+        </body>
+        </html>
+        ''
+    ) uidPages;
+  in
+    pkgs.runCommand "taskwerver-pages" {} ''
+      mkdir -p $out/
+      ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "cp ${pkgs.writeText k v} $out/${k}.html") pages)}
+      echo "Please login" > $out/index.html
+      '';
+in {
+  options.myServices.tasks = {
+    enable = lib.mkEnableOption "my tasks service";
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [{
+      dest = "webapps/tools-taskwarrior-web";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+          SetEnv TASKD_HOST          "${fqdn}:${toString config.services.taskserver.listenPort}"
+          SetEnv TASKD_VARDIR        "${server_vardir}"
+          SetEnv TASKD_LDAP_HOST     "ldaps://${env.ldap.host}"
+          SetEnv TASKD_LDAP_DN       "${env.ldap.dn}"
+          SetEnv TASKD_LDAP_PASSWORD "${env.ldap.password}"
+          SetEnv TASKD_LDAP_BASE     "${env.ldap.base}"
+          SetEnv TASKD_LDAP_FILTER   "${env.ldap.search}"
+        '';
+    }];
+    services.websites.tools.modules = [ "proxy_fcgi" "sed" ];
+    services.websites.tools.vhostConfs.task = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "task.immae.eu" ];
+      root        = "/run/current-system/webapps/_task";
+      extraConfig = [ ''
+        <Directory /run/current-system/webapps/_task>
+          DirectoryIndex index.php
+          Use LDAPConnect
+          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost"
+          </FilesMatch>
+          Include /var/secrets/webapps/tools-taskwarrior-web
+        </Directory>
+        ''
+        ''
+        <Macro Taskwarrior %{folderName}>
+          ProxyPass        "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
+          ProxyPassReverse "unix://${socketsDir}/%{folderName}.sock|http://localhost-%{folderName}/"
+          ProxyPassReverse http://${fqdn}/
+
+          SetOutputFilter Sed
+          OutputSed   "s|/ajax|/taskweb/%{folderName}/ajax|g"
+          OutputSed   "s|\([^x]\)/tasks|\1/taskweb/%{folderName}/tasks|g"
+          OutputSed   "s|\([^x]\)/projects|\1/taskweb/%{folderName}/projects|g"
+          OutputSed   "s|http://${fqdn}/|/taskweb/%{folderName}/|g"
+          OutputSed   "s|/img/relax.jpg|/taskweb/%{folderName}/img/relax.jpg|g"
+        </Macro>
+        ''
+        ''
+        Alias /taskweb ${taskwebPages}
+        <Directory "${taskwebPages}">
+          DirectoryIndex index.html
+          Require all granted
+        </Directory>
+
+        RewriteEngine on
+        RewriteRule ^/taskweb$ /taskweb/ [R=301,L]
+        RedirectMatch permanent ^/taskweb/([^/]+)$ /taskweb/$1/
+
+        RewriteCond %{LA-U:REMOTE_USER} !=""
+        RewriteCond ${taskwebPages}/%{LA-U:REMOTE_USER}.html -f
+        RewriteRule ^/taskweb/?$ ${taskwebPages}/%{LA-U:REMOTE_USER}.html [L]
+
+        <Location /taskweb/>
+          Use LDAPConnect
+          Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu
+        </Location>
+        ''
+      ] ++ (lib.attrsets.mapAttrsToList (k: v: ''
+        <Location /taskweb/${k}/>
+          ${builtins.concatStringsSep "\n" (map (uid: "Require ldap-attribute   uid=${uid}") v.uid)}
+
+          Use Taskwarrior ${k}
+        </Location>
+        '') env.taskwarrior-web);
+    };
+    services.phpfpm.poolConfigs = {
+      tasks = ''
+        listen = /var/run/phpfpm/task.sock
+        user = ${user}
+        group = ${group}
+        listen.owner = wwwrun
+        listen.group = wwwrun
+        pm = dynamic
+        pm.max_children = 60
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 10
+
+        ; Needed to avoid clashes in browser cookies (same domain)
+        env[PATH] = "/etc/profiles/per-user/${user}/bin"
+        php_value[session.name] = TaskPHPSESSID
+        php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"
+      '';
+    };
+
+    myServices.websites.webappDirs._task = ./www;
+
+    security.acme.certs."task" = config.services.myCertificates.certConfig // {
+      inherit user group;
+      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
+      domain = fqdn;
+      postRun = ''
+        systemctl restart taskserver.service
+      '';
+    };
+
+    users.users.${user}.packages = [ taskserver-user-certs ];
+
+    system.activationScripts.taskserver = {
+      deps = [ "users" ];
+      text = ''
+        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}
+        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/userkeys
+        install -m 0750 -o ${user} -g ${group} -d ${server_vardir}/keys
+
+        if [ ! -e "${server_vardir}/keys/ca.key" ]; then
+          silent_certtool() {
+            if ! output="$("${pkgs.gnutls.bin}/bin/certtool" "$@" 2>&1)"; then
+              echo "GNUTLS certtool invocation failed with output:" >&2
+              echo "$output" >&2
+            fi
+          }
+
+          silent_certtool -p \
+            --bits 4096 \
+            --outfile "${server_vardir}/keys/ca.key"
+
+          silent_certtool -s \
+            --template "${pkgs.writeText "taskserver-ca.template" ''
+              cn = ${fqdn}
+              expiration_days = -1
+              cert_signing_key
+              ca
+            ''}" \
+            --load-privkey "${server_vardir}/keys/ca.key" \
+            --outfile "${server_vardir}/keys/ca.cert"
+
+          chown :${group} "${server_vardir}/keys/ca.key"
+          chmod g+r "${server_vardir}/keys/ca.key"
+        fi
+      '';
+    };
+
+    services.taskserver = {
+      enable = true;
+      allowedClientIDs = [ "^task [2-9]" "^Mirakel [1-9]" ];
+      inherit fqdn;
+      listenHost = "::";
+      pki.manual.ca.cert = "${server_vardir}/keys/ca.cert";
+      pki.manual.server.cert = "${config.security.acme.directory}/task/fullchain.pem";
+      pki.manual.server.crl = "${config.security.acme.directory}/task/invalid.crl";
+      pki.manual.server.key = "${config.security.acme.directory}/task/key.pem";
+      requestLimit = 104857600;
+    };
+
+    system.activationScripts.taskwarrior-web = {
+      deps = [ "users" ];
+      text = ''
+        if [ ! -f ${server_vardir}/userkeys/taskwarrior-web.cert.pem ]; then
+          ${taskserver-user-certs}/bin/taskserver-user-certs taskwarrior-web
+          chown taskd:taskd ${server_vardir}/userkeys/taskwarrior-web.cert.pem ${server_vardir}/userkeys/taskwarrior-web.key.pem
+        fi
+      '';
+    };
+
+    systemd.services = (lib.attrsets.mapAttrs' (name: userConfig:
+      let
+        credentials = "${userConfig.org}/${name}/${userConfig.key}";
+        dateFormat = userConfig.date;
+        taskrc = pkgs.writeText "taskrc" ''
+          data.location=${varDir}/${name}
+          taskd.certificate=${server_vardir}/userkeys/taskwarrior-web.cert.pem
+          taskd.key=${server_vardir}/userkeys/taskwarrior-web.key.pem
+          # IdenTrust DST Root CA X3
+          # obtained here: https://letsencrypt.org/fr/certificates/
+          taskd.ca=${pkgs.writeText "ca.cert" ''
+            -----BEGIN CERTIFICATE-----
+            MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+            MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+            DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+            PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+            Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+            AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+            rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+            OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+            xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+            7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+            aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+            HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+            SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+            ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+            AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+            R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+            JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+            Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+            -----END CERTIFICATE-----''}
+          taskd.server=${fqdn}:${toString config.services.taskserver.listenPort}
+          taskd.credentials=${credentials}
+          dateformat=${dateFormat}
+          '';
+      in lib.attrsets.nameValuePair "taskwarrior-web-${name}" {
+        description = "Taskwarrior webapp for ${name}";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        path = [ pkgs.taskwarrior ];
+
+        environment.TASKRC = taskrc;
+        environment.BUNDLE_PATH = "${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}";
+        environment.BUNDLE_GEMFILE = "${taskwarrior-web.gems.confFiles}/Gemfile";
+        environment.LC_ALL = "fr_FR.UTF-8";
+
+        script = ''
+          exec ${taskwarrior-web.gems}/${taskwarrior-web.gems.ruby.gemPath}/bin/bundle exec thin start -R config.ru -S ${socketsDir}/${name}.sock
+        '';
+
+        serviceConfig = {
+          User = user;
+          PrivateTmp = true;
+          Restart = "always";
+          TimeoutSec = 60;
+          Type = "simple";
+          WorkingDirectory = taskwarrior-web;
+          StateDirectoryMode = 0750;
+          StateDirectory = assert lib.strings.hasPrefix "/var/lib/" varDir;
+            (lib.strings.removePrefix "/var/lib/" varDir + "/${name}");
+          RuntimeDirectoryPreserve = "yes";
+          RuntimeDirectory = assert lib.strings.hasPrefix "/run/" socketsDir;
+            lib.strings.removePrefix "/run/" socketsDir;
+        };
+
+        unitConfig.RequiresMountsFor = varDir;
+      }) env.taskwarrior-web) // {
+        taskserver-ca.postStart = ''
+          chown :${group} "${server_vardir}/keys/ca.key"
+          chmod g+r "${server_vardir}/keys/ca.key"
+        '';
+      };
+
+  };
+}
diff --git a/modules/private/tasks/www/index.php b/modules/private/tasks/www/index.php
new file mode 100644
index 00000000..deaf8af1
--- /dev/null
+++ b/modules/private/tasks/www/index.php
@@ -0,0 +1,157 @@
+<?php
+if (!isset($_SERVER["REMOTE_USER"])) {
+  die("please login");
+}
+$ldap_user = $_SERVER["REMOTE_USER"];
+$ldap_host = getenv("TASKD_LDAP_HOST");
+$ldap_dn = getenv('TASKD_LDAP_DN');
+$ldap_password = getenv('TASKD_LDAP_PASSWORD');
+$ldap_base = getenv('TASKD_LDAP_BASE');
+$ldap_filter = getenv('TASKD_LDAP_FILTER');
+$host   = getenv('TASKD_HOST');
+$vardir = getenv('TASKD_VARDIR');
+
+$connect = ldap_connect($ldap_host);
+ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
+if (!$connect || !ldap_bind($connect, $ldap_dn, $ldap_password)) {
+  die("impossible to connect to LDAP");
+}
+
+$search_query = str_replace('%login%', ldap_escape($ldap_user), $ldap_filter);
+
+$search = ldap_search($connect, $ldap_base, $search_query);
+$info = ldap_get_entries($connect, $search);
+
+if (ldap_count_entries($connect, $search) != 1) {
+  die("Impossible to find user in LDAP");
+}
+
+$entries = [];
+foreach($info[0]["immaetaskid"] as $key => $value) {
+  if ($key !== "count") {
+    $entries[] = explode(":", $value);
+  }
+}
+
+if (isset($_GET["file"])) {
+  $basecert = $vardir . "/userkeys/" . $ldap_user;
+  if (!file_exists($basecert . ".cert.pem")) {
+    exec("taskserver-user-certs $ldap_user");
+  }
+  $certificate = file_get_contents($basecert . ".cert.pem");
+  $cert_key    = file_get_contents($basecert . ".key.pem");
+
+  // IdenTrust DST Root CA X3
+  // obtained here: https://letsencrypt.org/fr/certificates/
+  $server_cert = "-----BEGIN CERTIFICATE-----
+MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
+PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
+Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
+rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
+OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
+xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
+7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
+aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
+SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
+ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
+AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
+R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
+JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
+Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
+-----END CERTIFICATE-----";
+
+  $file = $_GET["file"];
+  switch($file) {
+  case "ca.cert.pem":
+    $content = $server_cert;
+    $name    = "ca.cert.pem";
+    $type    = "application/x-x509-ca-cert";
+    break;
+  case "cert.pem":
+    $content = $certificate;
+    $name    = $ldap_user . ".cert.pem";
+    $type    = "application/x-x509-ca-cert";
+    break;
+  case "key.pem":
+    $content = $cert_key;
+    $name    = $ldap_user . ".key.pem";
+    $type    = "application/x-x509-ca-cert";
+    break;
+  case "mirakel";
+    foreach ($entries as $entry) {
+      list($org, $user, $key) = $entry;
+      if ($key == $_GET["key"]) { break; }
+    }
+    $name    = $user . ".mirakel";
+    $type    = "text/plain";
+    $content = "username: $user
+org: $org
+user key: $key
+server: $host
+client.cert:
+$certificate
+Client.key:
+$cert_key
+ca.cert:
+$server_cert
+";
+    break;
+  default:
+    die("invalid file name");
+    break;
+  }
+
+  header("Content-Type: $type");
+  header('Content-Disposition: attachment; filename="' . $name . '"');
+  header('Content-Transfer-Encoding: binary');
+  header('Accept-Ranges: bytes');
+  header('Cache-Control: private');
+  header('Pragma: private');
+  echo $content;
+  exit;
+}
+?>
+<html>
+<header>
+  <title>Taskwarrior configuration</title>
+</header>
+<body>
+<ul>
+  <li><a href="?file=ca.cert.pem">ca.cert.pem</a></li>
+  <li><a href="?file=cert.pem"><?php echo $ldap_user; ?>.cert.pem</a></li>
+  <li><a href="?file=key.pem"><?php echo $ldap_user; ?>.key.pem</a></li>
+</ul>
+For command line interface, download the files, put them near your Taskwarrior
+configuration files, and add that to your Taskwarrior configuration:
+<pre>
+taskd.certificate=/path/to/<?php echo $ldap_user; ?>.cert.pem
+taskd.key=/path/to/<?php echo $ldap_user; ?>.key.pem
+taskd.server=<?php echo $host ."\n"; ?>
+<?php if (count($entries) > 1) {
+  echo "# Chose one of them\n";
+  foreach($entries as $entry) {
+    list($org, $user, $key) = $entry;
+    echo "# taskd.credentials=$org/$user/$key\n";
+  }
+} else { ?>
+taskd.credentials=<?php echo $entries[0][0]; ?>/<?php echo $entries[0][1]; ?>/<?php echo $entries[0][2]; ?>
+<?php } ?>
+taskd.ca=/path/to/ca.cert.pem
+</pre>
+For Mirakel, download and import the file:
+<ul>
+<?php
+foreach ($entries as $entry) {
+  list($org, $user, $key) = $entry;
+  echo '<li><a href="?file=mirakel&key='.$key.'">' . $user . '.mirakel</a></li>';
+}
+?>
+</ul>
+For Android Taskwarrior app, see instructions <a href="https://bitbucket.org/kvorobyev/taskwarriorandroid/wiki/Configuration">here</a>.
+</body>
+</html>
+
diff --git a/modules/private/websites/aten/builder.nix b/modules/private/websites/aten/builder.nix
new file mode 100644
index 00000000..9a2e1a7d
--- /dev/null
+++ b/modules/private/websites/aten/builder.nix
@@ -0,0 +1,102 @@
+{ apacheUser, apacheGroup, aten, lib, config }: rec {
+  app = aten.override { inherit (config) environment; };
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-aten > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "postgresql.service" ];
+    socket = "/var/run/phpfpm/aten-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  keys = [{
+    dest = "webapps/${app.environment}-aten";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      SetEnv APP_ENV      "${app.environment}"
+      SetEnv APP_SECRET   "${config.secret}"
+      SetEnv DATABASE_URL "${config.psql_url}"
+      '';
+  }];
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "aten_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    Include /var/secrets/webapps/${app.environment}-aten
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+    </Location>
+
+    <Location /backend>
+      Use LDAPConnect
+      Require ldap-group   cn=dev.aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+    </Location>
+    '' else ''
+    Use Stats aten.pro
+
+    <Location /backend>
+      Use LDAPConnect
+      Require ldap-group   cn=aten.pro,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://aten.pro\"></html>"
+    </Location>
+    ''}
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+      DirectoryIndex index.php
+      FallbackResource /index.php
+    </Directory>
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/aten/integration.nix b/modules/private/websites/aten/integration.nix
new file mode 100644
index 00000000..748e3885
--- /dev/null
+++ b/modules/private/websites/aten/integration.nix
@@ -0,0 +1,32 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  aten = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) aten;
+    config = myconfig.env.websites.aten.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.aten.integration;
+in {
+  options.myServices.websites.aten.integration.enable = lib.mkEnableOption "enable Aten's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = aten.keys;
+    systemd.services.phpfpm-aten_dev.preStart = lib.mkAfter aten.phpFpm.preStart;
+    systemd.services.phpfpm-aten_dev.after = lib.mkAfter aten.phpFpm.serviceDeps;
+    systemd.services.phpfpm-aten_dev.wants = aten.phpFpm.serviceDeps;
+    services.phpfpm.poolConfigs.aten_dev = aten.phpFpm.pool;
+    system.activationScripts.aten_dev = aten.activationScript;
+    myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot;
+    services.websites.integration.modules = aten.apache.modules;
+    services.websites.integration.vhostConfs.aten = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "dev.aten.pro" ];
+      root        = aten.apache.root;
+      extraConfig = [ aten.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/aten/production.nix b/modules/private/websites/aten/production.nix
new file mode 100644
index 00000000..7a4adb5a
--- /dev/null
+++ b/modules/private/websites/aten/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  aten = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) aten;
+    config = myconfig.env.websites.aten.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.aten.production;
+in {
+  options.myServices.websites.aten.production.enable = lib.mkEnableOption "enable Aten's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = aten.keys;
+    services.webstats.sites = [ { name = "aten.pro"; } ];
+
+    systemd.services.phpfpm-aten_prod.preStart = lib.mkAfter aten.phpFpm.preStart;
+    systemd.services.phpfpm-aten_prod.after = lib.mkAfter aten.phpFpm.serviceDeps;
+    systemd.services.phpfpm-aten_prod.wants = aten.phpFpm.serviceDeps;
+    services.phpfpm.poolConfigs.aten_prod = aten.phpFpm.pool;
+    system.activationScripts.aten_prod = aten.activationScript;
+    myServices.websites.webappDirs."${aten.apache.webappName}" = aten.app.webRoot;
+    services.websites.production.modules = aten.apache.modules;
+    services.websites.production.vhostConfs.aten = {
+      certName     = "aten";
+      certMainHost = "aten.pro";
+      hosts        = [ "aten.pro" "www.aten.pro" ];
+      root         = aten.apache.root;
+      extraConfig  = [ aten.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/capitaines/mastodon_static/index.html b/modules/private/websites/capitaines/mastodon_static/index.html
new file mode 100644
index 00000000..fae4152d
--- /dev/null
+++ b/modules/private/websites/capitaines/mastodon_static/index.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang='en'>
+  <head>
+    <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'>
+    <title>This instance is now closed - Mastodon</title>
+    <style>
+      body {
+        text-align: center;
+        background: #282c37;
+        font-family: sans-serif;
+      }
+      img {
+        max-width: 470px;
+        width: 100%;
+      }
+      h1 {
+        font-size: 20px;
+        font-weight: 400;
+        color: #9baec8;
+      }
+    </style>
+  </head>
+  <body>
+    <div>
+      <img alt='Mastodon' src='/oops.png'>
+      <h1>Sorry, this instance is closed now.</h1>
+    </div>
+  </body>
+</html>
diff --git a/modules/private/websites/capitaines/mastodon_static/oops.png b/modules/private/websites/capitaines/mastodon_static/oops.png
new file mode 100644
index 00000000..0abddad3
--- /dev/null
+++ b/modules/private/websites/capitaines/mastodon_static/oops.png
diff --git a/modules/private/websites/capitaines/production.nix b/modules/private/websites/capitaines/production.nix
new file mode 100644
index 00000000..57d87873
--- /dev/null
+++ b/modules/private/websites/capitaines/production.nix
@@ -0,0 +1,44 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    cfg = config.myServices.websites.capitaines.production;
+    env = myconfig.env.websites.capitaines;
+    webappName = "capitaines_mastodon";
+    root = "/run/current-system/webapps/${webappName}";
+    siteDir = ./mastodon_static;
+in {
+  options.myServices.websites.capitaines.production.enable = lib.mkEnableOption "enable Capitaines's website";
+
+  config = lib.mkIf cfg.enable {
+    myServices.websites.webappDirs."${webappName}" = siteDir;
+
+    services.websites.production.vhostConfs.capitaines_mastodon = {
+      certName     = "capitaines";
+      certMainHost = "mastodon.capitaines.fr";
+      hosts        = [ "mastodon.capitaines.fr" ];
+      root         = root;
+      extraConfig  = [
+        ''
+        ErrorDocument 404 /index.html
+        <Directory ${root}>
+          DirectoryIndex index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+
+    services.websites.production.vhostConfs.capitaines = {
+      certName   = "capitaines";
+      addToCerts = true;
+      hosts      = [ "capitaines.fr" ];
+      root       = "/run/current-system/webapps/_www";
+      extraConfig = [ ''
+        <Directory /run/current-system/webapps/_www>
+          DirectoryIndex index.htm
+          Require all granted
+        </Directory>
+        '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix
new file mode 100644
index 00000000..f65e9a95
--- /dev/null
+++ b/modules/private/websites/chloe/builder.nix
@@ -0,0 +1,102 @@
+{ apacheUser, apacheGroup, chloe, config }:
+rec {
+  app = chloe.override { inherit (config) environment; };
+  phpFpm = rec {
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/chloe-${app.environment}.sock";
+    pool = ''
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  keys = [{
+    dest = "webapps/${app.environment}-chloe";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      SetEnv SPIP_CONFIG_DIR     "${configDir}"
+      SetEnv SPIP_VAR_DIR        "${app.varDir}"
+      SetEnv SPIP_SITE           "chloe-${app.environment}"
+      SetEnv SPIP_LDAP_BASE      "dc=immae,dc=eu"
+      SetEnv SPIP_LDAP_HOST      "ldaps://ldap.immae.eu"
+      SetEnv SPIP_LDAP_SEARCH_DN "${config.ldap.dn}"
+      SetEnv SPIP_LDAP_SEARCH_PW "${config.ldap.password}"
+      SetEnv SPIP_LDAP_SEARCH    "${config.ldap.search}"
+      SetEnv SPIP_MYSQL_HOST     "${config.mysql.host}"
+      SetEnv SPIP_MYSQL_PORT     "${config.mysql.port}"
+      SetEnv SPIP_MYSQL_DB       "${config.mysql.name}"
+      SetEnv SPIP_MYSQL_USER     "${config.mysql.user}"
+      SetEnv SPIP_MYSQL_PASSWORD "${config.mysql.password}"
+    '';
+  }];
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "chloe_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Include /var/secrets/webapps/${app.environment}-chloe
+
+      RewriteEngine On
+      ${if app.environment == "prod" then ''
+      RewriteRule ^/news.rss  /spip.php?page=backend&id_rubrique=1
+      '' else ""}
+
+      <FilesMatch "\.php$">
+        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+      </FilesMatch>
+
+      <Directory ${root}>
+        DirectoryIndex index.php index.htm index.html
+        Options -Indexes +FollowSymLinks +MultiViews +Includes
+        Include ${root}/htaccess.txt
+
+        AllowOverride AuthConfig FileInfo Limit
+        Require all granted
+      </Directory>
+
+      <DirectoryMatch "${root}/squelettes">
+        Require all denied
+      </DirectoryMatch>
+
+      <FilesMatch "(.htaccess|rewrite-rules|.gitignore)$">
+        Require all denied
+      </FilesMatch>
+
+      ${if app.environment == "dev" then ''
+      <Location />
+        Use LDAPConnect
+        Require ldap-group cn=chloe.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://osteopathe-cc.fr\"></html>"
+      </Location>
+      '' else ''
+      Use Stats osteopathe-cc.fr
+      ''}
+      '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} ${app.varDir}/IMG ${app.varDir}/tmp ${app.varDir}/local
+      install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+  configDir = ./config;
+}
diff --git a/modules/private/websites/chloe/config/chmod.php b/modules/private/websites/chloe/config/chmod.php
new file mode 100644
index 00000000..aae16cdf
--- /dev/null
+++ b/modules/private/websites/chloe/config/chmod.php
@@ -0,0 +1,4 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+if (!defined('_SPIP_CHMOD')) define('_SPIP_CHMOD', 0777);
+?>
\ No newline at end of file
diff --git a/modules/private/websites/chloe/config/connect.php b/modules/private/websites/chloe/config/connect.php
new file mode 100644
index 00000000..18b09330
--- /dev/null
+++ b/modules/private/websites/chloe/config/connect.php
@@ -0,0 +1,15 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+define('_MYSQL_SET_SQL_MODE',true);
+$GLOBALS['spip_connect_version'] = 0.7;
+spip_connect_db(
+  getenv("SPIP_MYSQL_HOST"),
+  getenv("SPIP_MYSQL_PORT"),
+  getenv("SPIP_MYSQL_USER"),
+  getenv("SPIP_MYSQL_PASSWORD"),
+  getenv("SPIP_MYSQL_DB"),
+  'mysql',
+  'spip',
+  'ldap.php'
+);
+?>
diff --git a/modules/private/websites/chloe/config/ldap.php b/modules/private/websites/chloe/config/ldap.php
new file mode 100644
index 00000000..825b7edb
--- /dev/null
+++ b/modules/private/websites/chloe/config/ldap.php
@@ -0,0 +1,9 @@
+<?php
+if (!defined("_ECRIRE_INC_VERSION")) return;
+$GLOBALS['ldap_base'] = getenv("SPIP_LDAP_BASE");
+$GLOBALS['ldap_link'] = @ldap_connect(getenv("SPIP_LDAP_HOST"));
+@ldap_set_option($GLOBALS['ldap_link'],LDAP_OPT_PROTOCOL_VERSION,'3');
+@ldap_bind($GLOBALS['ldap_link'],getenv("SPIP_LDAP_SEARCH_DN"), getenv("SPIP_LDAP_SEARCH_PW"));
+$GLOBALS['ldap_champs'] = array('login' => array('sAMAccountName','uid','login','userid','cn','sn'),'nom' => 'cn','email' => 'mail','bio' => 'description',);
+$GLOBALS['ldap_search'] = getenv("SPIP_LDAP_SEARCH");
+?>
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix
new file mode 100644
index 00000000..c42a4282
--- /dev/null
+++ b/modules/private/websites/chloe/integration.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  chloe  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) chloe;
+    config = myconfig.env.websites.chloe.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.chloe.integration;
+in {
+  options.myServices.websites.chloe.integration.enable = lib.mkEnableOption "enable Chloe's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = chloe.keys;
+    systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps;
+    systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps;
+    services.phpfpm.pools.chloe_dev = {
+      listen = chloe.phpFpm.socket;
+      extraConfig = chloe.phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + ''
+        extension=${pkgs.php}/lib/php/extensions/mysqli.so
+      '';
+    };
+    system.activationScripts.chloe_dev = chloe.activationScript;
+    myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
+    services.websites.integration.modules = chloe.apache.modules;
+    services.websites.integration.vhostConfs.chloe = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["chloe.immae.eu" ];
+      root        = chloe.apache.root;
+      extraConfig = [ chloe.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix
new file mode 100644
index 00000000..0bf2d8fd
--- /dev/null
+++ b/modules/private/websites/chloe/production.nix
@@ -0,0 +1,38 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  chloe = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) chloe;
+    config = myconfig.env.websites.chloe.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.chloe.production;
+in {
+  options.myServices.websites.chloe.production.enable = lib.mkEnableOption "enable Chloe's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = chloe.keys;
+    services.webstats.sites = [ { name = "osteopathe-cc.fr"; } ];
+
+    systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps;
+    systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps;
+    services.phpfpm.pools.chloe_prod = {
+      listen = chloe.phpFpm.socket;
+      extraConfig = chloe.phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + ''
+        extension=${pkgs.php}/lib/php/extensions/mysqli.so
+      '';
+    };
+    system.activationScripts.chloe_prod = chloe.activationScript;
+    myServices.websites.webappDirs."${chloe.apache.webappName}" = chloe.app.webRoot;
+    services.websites.production.modules = chloe.apache.modules;
+    services.websites.production.vhostConfs.chloe = {
+      certName     = "chloe";
+      certMainHost = "osteopathe-cc.fr";
+      hosts        = ["osteopathe-cc.fr" "www.osteopathe-cc.fr" ];
+      root         = chloe.apache.root;
+      extraConfig  = [ chloe.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix
new file mode 100644
index 00000000..98ab4619
--- /dev/null
+++ b/modules/private/websites/commons/adminer.nix
@@ -0,0 +1,21 @@
+{}:
+rec {
+  phpFpm = {
+    socket = "/var/run/phpfpm/adminer.sock";
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "_adminer";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /adminer ${root}
+      <Directory ${root}>
+        DirectoryIndex index.php
+        Require all granted
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+      '';
+  };
+}
diff --git a/modules/private/websites/connexionswing/builder.nix b/modules/private/websites/connexionswing/builder.nix
new file mode 100644
index 00000000..b4b04cb2
--- /dev/null
+++ b/modules/private/websites/connexionswing/builder.nix
@@ -0,0 +1,163 @@
+{ apacheUser, apacheGroup, connexionswing, pkgs, phpPackages, config }:
+rec {
+  app = connexionswing.override { inherit (config) environment; };
+  keys = [{
+    dest = "webapps/${app.environment}-connexionswing";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          database_server_version: ${pkgs.mariadb.mysqlVersion}
+          mailer_transport: sendmail
+          mailer_host: null
+          mailer_user: null
+          mailer_password: null
+          subscription_email: ${config.email}
+          allow_robots: true
+          secret: ${config.secret}
+      ${if app.environment == "prod" then ''
+      services:
+        swiftmailer.mailer.default.transport:
+            class:     Swift_SendmailTransport
+            arguments: ['/run/wrappers/bin/sendmail -bs']
+      '' else ""}
+    '';
+  }];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-connexionswing > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/connexionswing-${app.environment}.sock";
+    phpConfig = ''
+      extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
+      '';
+    pool = ''
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/secrets/webapps/${app.environment}-connexionswing:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "connexionswing_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    <Directory ${app.varDir}/medias>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+    </Directory>
+
+    <Directory ${app.varDir}/uploads>
+      Options FollowSymLinks
+      AllowOverride None
+      Require all granted
+    </Directory>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=connexionswing.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://connexionswing.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    Use Stats connexionswing.com
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/medias \
+      ${app.varDir}/uploads \
+      ${app.varDir}/var
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix
new file mode 100644
index 00000000..1d8488a9
--- /dev/null
+++ b/modules/private/websites/connexionswing/integration.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config,  myconfig, ... }:
+let
+  connexionswing  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) connexionswing;
+    config = myconfig.env.websites.connexionswing.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.connexionswing.integration;
+in {
+  options.myServices.websites.connexionswing.integration.enable = lib.mkEnableOption "enable Connexionswing's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = connexionswing.keys;
+    systemd.services.phpfpm-connexionswing_dev.after = lib.mkAfter connexionswing.phpFpm.serviceDeps;
+    systemd.services.phpfpm-connexionswing_dev.wants = connexionswing.phpFpm.serviceDeps;
+    systemd.services.phpfpm-connexionswing_dev.preStart = lib.mkAfter connexionswing.phpFpm.preStart;
+    services.phpfpm.pools.connexionswing_dev = {
+      listen = connexionswing.phpFpm.socket;
+      extraConfig = connexionswing.phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig;
+    };
+    system.activationScripts.connexionswing_dev = connexionswing.activationScript;
+    myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot;
+    services.websites.integration.modules = connexionswing.apache.modules;
+    services.websites.integration.vhostConfs.connexionswing = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["connexionswing.immae.eu" "sandetludo.immae.eu" ];
+      root        = connexionswing.apache.root;
+      extraConfig = [ connexionswing.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix
new file mode 100644
index 00000000..555f129f
--- /dev/null
+++ b/modules/private/websites/connexionswing/production.nix
@@ -0,0 +1,38 @@
+{ lib, pkgs, config,  myconfig, ... }:
+let
+  connexionswing = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) connexionswing;
+    config = myconfig.env.websites.connexionswing.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.connexionswing.production;
+in {
+  options.myServices.websites.connexionswing.production.enable = lib.mkEnableOption "enable Connexionswing's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = connexionswing.keys;
+    services.webstats.sites = [ { name = "connexionswing.com"; } ];
+
+    systemd.services.phpfpm-connexionswing_prod.after = lib.mkAfter connexionswing.phpFpm.serviceDeps;
+    systemd.services.phpfpm-connexionswing_prod.wants = connexionswing.phpFpm.serviceDeps;
+    systemd.services.phpfpm-connexionswing_prod.preStart = lib.mkAfter connexionswing.phpFpm.preStart;
+    services.phpfpm.pools.connexionswing_prod = {
+      listen = connexionswing.phpFpm.socket;
+      extraConfig = connexionswing.phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + connexionswing.phpFpm.phpConfig;
+    };
+    system.activationScripts.connexionswing_prod = connexionswing.activationScript;
+    myServices.websites.webappDirs."${connexionswing.apache.webappName}" = connexionswing.app.webRoot;
+    services.websites.production.modules = connexionswing.apache.modules;
+    services.websites.production.vhostConfs.connexionswing = {
+      certName     = "connexionswing";
+      certMainHost = "connexionswing.com";
+      hosts        = ["connexionswing.com" "sandetludo.com" "www.connexionswing.com" "www.sandetludo.com" ];
+      root         = connexionswing.apache.root;
+      extraConfig  = [ connexionswing.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix
new file mode 100644
index 00000000..8b02977c
--- /dev/null
+++ b/modules/private/websites/default.nix
@@ -0,0 +1,265 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+  www_root = "/run/current-system/webapps/_www";
+  theme_root = "/run/current-system/webapps/_theme";
+  apacheConfig = {
+    gzip = {
+      modules = [ "deflate" "filter" ];
+      extraConfig = ''
+        AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
+      '';
+    };
+    macros = {
+      modules = [ "macro" ];
+    };
+    stats = {
+      extraConfig = ''
+        <Macro Stats %{domain}>
+          Alias /webstats ${config.services.webstats.dataDir}/%{domain}
+          <Directory ${config.services.webstats.dataDir}/%{domain}>
+            DirectoryIndex index.html
+            AllowOverride None
+            Require all granted
+          </Directory>
+          <Location /webstats>
+            Use LDAPConnect
+            Require ldap-group cn=%{domain},ou=stats,cn=httpd,ou=services,dc=immae,dc=eu
+          </Location>
+        </Macro>
+      '';
+    };
+    ldap = {
+      modules = [ "ldap" "authnz_ldap" ];
+      extraConfig = ''
+        <IfModule ldap_module>
+          LDAPSharedCacheSize 500000
+          LDAPCacheEntries 1024
+          LDAPCacheTTL 600
+          LDAPOpCacheEntries 1024
+          LDAPOpCacheTTL 600
+        </IfModule>
+
+        Include /var/secrets/apache-ldap
+      '';
+    };
+    global = {
+      extraConfig = (pkgs.webapps.apache-default.override { inherit www_root;}).apacheConfig;
+    };
+    apaxy = {
+      extraConfig = (pkgs.webapps.apache-theme.override { inherit theme_root; }).apacheConfig;
+    };
+    http2 = {
+      modules = [ "http2" ];
+      extraConfig = ''
+        Protocols h2 http/1.1
+      '';
+    };
+    customLog = {
+      extraConfig = ''
+        LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost
+      '';
+    };
+  };
+  makeModules = lib.lists.flatten (lib.attrsets.mapAttrsToList (n: v: v.modules or []) apacheConfig);
+  makeExtraConfig = (builtins.filter (x: x != null) (lib.attrsets.mapAttrsToList (n: v: v.extraConfig or null) apacheConfig));
+in
+{
+  options.myServices.websites.webappDirs = lib.mkOption {
+    type = lib.types.attrsOf lib.types.path;
+    description = ''
+      Webapp paths to create in /run/current-system/webapps
+      '';
+    default = {};
+  };
+
+  config = {
+    users.users.wwwrun.extraGroups = [ "keys" ];
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    nixpkgs.overlays = [ (self: super: rec {
+      #openssl = self.openssl_1_1;
+      php = php72;
+      php72 = (super.php72.override {
+        mysql.connector-c = self.mariadb;
+        config.php.mysqlnd = false;
+        config.php.mysqli = false;
+      }).overrideAttrs(old: rec {
+        # Didn't manage to build with mysqli + mysql_config connector
+        configureFlags = old.configureFlags ++ [
+          "--with-mysqli=shared,mysqlnd"
+          ];
+        # preConfigure = (old.preConfigure or "") + ''
+        #   export CPPFLAGS="$CPPFLAGS -I${pkgs.mariadb}/include/mysql/server";
+        #   sed -i -e 's/#include "mysqli_priv.h"/#include "mysqli_priv.h"\n#include <mysql_version.h>/' \
+        #     ext/mysqli/mysqli.c ext/mysqli/mysqli_prop.c
+        #   '';
+      });
+      phpPackages = super.php72Packages.override { inherit php; };
+    }) ];
+
+    secrets.keys = [{
+      dest = "apache-ldap";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+        <Macro LDAPConnect>
+          <IfModule authnz_ldap_module>
+            AuthLDAPURL          ldap://ldap.immae.eu:389/dc=immae,dc=eu STARTTLS
+            AuthLDAPBindDN       cn=httpd,ou=services,dc=immae,dc=eu
+            AuthLDAPBindPassword "${myconfig.env.httpd.ldap.password}"
+            AuthType             Basic
+            AuthName             "Authentification requise (Acces LDAP)"
+            AuthBasicProvider    ldap
+          </IfModule>
+        </Macro>
+        '';
+    }];
+
+    system.activationScripts = {
+      httpd = ''
+        install -d -m 0755 ${config.security.acme.directory}/acme-challenge
+        install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions
+        '';
+    };
+
+    services.phpfpm = {
+      phpPackage = pkgs.php;
+      phpOptions = ''
+        session.save_path = "/var/lib/php/sessions"
+        post_max_size = 20M
+        ; 15 days (seconds)
+        session.gc_maxlifetime = 1296000
+        ; 30 days (minutes)
+        session.cache_expire = 43200
+        '';
+      extraConfig = ''
+        log_level = notice
+        '';
+    };
+
+    services.websites.production = {
+      enable = true;
+      adminAddr = "httpd@immae.eu";
+      httpdName = "Prod";
+      ips =
+        let ips = myconfig.env.servers.eldiron.ips.production;
+        in [ips.ip4] ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig;
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+
+    services.websites.integration = {
+      enable = true;
+      adminAddr = "httpd@immae.eu";
+      httpdName = "Inte";
+      ips =
+        let ips = myconfig.env.servers.eldiron.ips.integration;
+        in [ips.ip4] ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig;
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+
+    services.websites.tools = {
+      enable = true;
+      adminAddr = "httpd@immae.eu";
+      httpdName = "Tools";
+      ips =
+        let ips = myconfig.env.servers.eldiron.ips.main;
+        in [ips.ip4] ++ (ips.ip6 or []);
+      modules = makeModules;
+      extraConfig = makeExtraConfig ++
+        [ ''
+            RedirectMatch ^/licen[cs]es?_et_tip(ping)?$ https://www.immae.eu/licences_et_tip.html
+            RedirectMatch ^/licen[cs]es?_and_tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/licen[cs]es?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/tip(ping)?$ https://www.immae.eu/licenses_and_tipping.html
+            RedirectMatch ^/(mentions|mentions_legales|legal)$ https://www.immae.eu/mentions.html
+            RedirectMatch ^/CGU$ https://www.immae.eu/CGU
+          ''
+          ];
+      nosslVhost = {
+        enable = true;
+        host = "nossl.immae.eu";
+      };
+      fallbackVhost = {
+        certName    = "eldiron";
+        hosts       = ["eldiron.immae.eu" ];
+        root        = www_root;
+        extraConfig = [ "DirectoryIndex index.htm" ];
+      };
+    };
+
+    system.extraSystemBuilderCmds = lib.mkIf (builtins.length (builtins.attrValues config.myServices.websites.webappDirs) > 0) ''
+    mkdir -p $out/webapps
+    ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (name: path: "ln -s ${path} $out/webapps/${name}") config.myServices.websites.webappDirs)}
+    '';
+
+    myServices.websites = {
+      webappDirs = {
+        _www = pkgs.webapps.apache-default.www;
+        _theme = pkgs.webapps.apache-theme.theme;
+      };
+
+      aten.integration.enable = true;
+      aten.production.enable = true;
+
+      capitaines.production.enable = true;
+
+      chloe.integration.enable = true;
+      chloe.production.enable = true;
+
+      connexionswing.integration.enable = true;
+      connexionswing.production.enable = true;
+
+      denisejerome.production.enable = true;
+
+      emilia.production.enable = true;
+
+      florian.app.enable = true;
+      florian.integration.enable = true;
+      florian.production.enable = true;
+
+      immae.production.enable = true;
+      immae.release.enable = true;
+      immae.temp.enable = true;
+
+      leila.production.enable = true;
+
+      ludivinecassal.integration.enable = true;
+      ludivinecassal.production.enable = true;
+
+      nassime.production.enable = true;
+
+      naturaloutil.production.enable = true;
+
+      papa.surveillance.enable = true;
+
+      piedsjaloux.integration.enable = true;
+      piedsjaloux.production.enable = true;
+
+      tools.cloud.enable = true;
+      tools.dav.enable = true;
+      tools.db.enable = true;
+      tools.diaspora.enable = true;
+      tools.etherpad-lite.enable = true;
+      tools.git.enable = true;
+      tools.mastodon.enable = true;
+      tools.mediagoblin.enable = true;
+      tools.peertube.enable = true;
+      tools.tools.enable = true;
+    };
+  };
+}
diff --git a/modules/private/websites/denisejerome/production.nix b/modules/private/websites/denisejerome/production.nix
new file mode 100644
index 00000000..b5aff942
--- /dev/null
+++ b/modules/private/websites/denisejerome/production.nix
@@ -0,0 +1,31 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.denisejerome.production;
+  varDir = "/var/lib/ftp/denisejerome";
+  env = myconfig.env.websites.denisejerome;
+in {
+  options.myServices.websites.denisejerome.production.enable = lib.mkEnableOption "enable Denise Jerome's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "denisejerome.piedsjaloux.fr"; } ];
+
+    services.websites.production.vhostConfs.denisejerome = {
+      certName     = "denisejerome";
+      certMainHost = "denisejerome.piedsjaloux.fr";
+      hosts        = ["denisejerome.piedsjaloux.fr" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Stats denisejerome.piedsjaloux.fr
+
+        <Directory ${varDir}>
+          DirectoryIndex index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride AuthConfig
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/emilia/moodle/pause.html b/modules/private/websites/emilia/moodle/pause.html
new file mode 100644
index 00000000..8b99c59f
--- /dev/null
+++ b/modules/private/websites/emilia/moodle/pause.html
@@ -0,0 +1,48 @@
+<!doctype html>
+<html>
+  <head>
+    <title>Pause</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style>
+      body {
+        padding-left: 5px;
+        padding-right: 5px;
+        text-align: center;
+        margin: auto;
+        font: 20px Helvetica, sans-serif;
+        color: #333;
+      }
+      h1 {
+        margin: 0px;
+        font-size: 40px;
+      }
+      article {
+        display: block;
+        max-width: 650px;
+        margin: 0 auto;
+        padding-top: 30px;
+      }
+      article + article {
+        border-top: 1px solid lightgrey;
+      }
+      article div {
+        text-align: justify;
+      }
+      a {
+        color: #dc8100;
+        text-decoration: none;
+      }
+      a:hover {
+        color: #333;
+      }
+    </style>
+  </head>
+  <body>
+    <article>
+      <h1>Site web en pause&nbsp;!</h1>
+      <div>
+        <p>Le site et les cours de photographie sont actuellement en pause.</p>
+      </div>
+    </article>
+  </body>
+</html>
diff --git a/modules/private/websites/emilia/production.nix b/modules/private/websites/emilia/production.nix
new file mode 100644
index 00000000..13f008f7
--- /dev/null
+++ b/modules/private/websites/emilia/production.nix
@@ -0,0 +1,66 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    cfg = config.myServices.websites.emilia.production;
+    env = myconfig.env.websites.emilia;
+    varDir = "/var/lib/moodle";
+    siteDir = ./moodle;
+    webappName = "emilia_moodle";
+    root = "/run/current-system/webapps/${webappName}";
+    # php_admin_value[upload_max_filesize] = 50000000
+    # php_admin_value[post_max_size] = 50000000
+    configFile = ''
+      <?php  // Moodle configuration file
+
+      unset($CFG);
+      global $CFG;
+      $CFG = new stdClass();
+
+      $CFG->dbtype    = 'pgsql';
+      $CFG->dblibrary = 'native';
+      $CFG->dbhost    = '${env.postgresql.host}';
+      $CFG->dbname    = '${env.postgresql.database}';
+      $CFG->dbuser    = '${env.postgresql.user}';
+      $CFG->dbpass    = '${env.postgresql.password}';
+      $CFG->prefix    = 'mdl_';
+      $CFG->dboptions = array (
+        'dbpersist' => 0,
+        'dbport' => '${env.postgreesql.port}',
+        'dbsocket' => '${env.postgresql.password}',
+      );
+
+      $CFG->wwwroot   = 'https://www.saison-photo.org';
+      $CFG->dataroot  = '${varDir}';
+      $CFG->admin     = 'admin';
+
+      $CFG->directorypermissions = 02777;
+
+      require_once(__DIR__ . '/lib/setup.php');
+
+      // There is no php closing tag in this file,
+      // it is intentional because it prevents trailing whitespace problems!
+      '';
+in {
+  options.myServices.websites.emilia.production.enable = lib.mkEnableOption "enable Emilia's website";
+
+  config = lib.mkIf cfg.enable {
+    system.activationScripts.emilia = ''
+      install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
+      '';
+    myServices.websites.webappDirs."${webappName}" = siteDir;
+    services.websites.production.vhostConfs.emilia = {
+      certName     = "emilia";
+      certMainHost = "saison-photo.org";
+      hosts        = [ "saison-photo.org" "www.saison-photo.org" ];
+      root         = root;
+      extraConfig  = [
+        ''
+        <Directory ${root}>
+          DirectoryIndex pause.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix
new file mode 100644
index 00000000..3a6d1522
--- /dev/null
+++ b/modules/private/websites/florian/app.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  adminer = pkgs.callPackage ../commons/adminer.nix {};
+
+  tellesflorian  = pkgs.callPackage ./builder_app.nix {
+    inherit (pkgs.webapps) tellesflorian;
+    config = myconfig.env.websites.tellesflorian.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.florian.app;
+in {
+  options.myServices.websites.florian.app.enable = lib.mkEnableOption "enable Florian's app in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = tellesflorian.keys;
+    systemd.services.phpfpm-tellesflorian_dev.after = lib.mkAfter tellesflorian.phpFpm.serviceDeps;
+    systemd.services.phpfpm-tellesflorian_dev.wants = tellesflorian.phpFpm.serviceDeps;
+    systemd.services.phpfpm-tellesflorian_dev.preStart = lib.mkAfter tellesflorian.phpFpm.preStart;
+    services.phpfpm.poolConfigs.tellesflorian_dev = tellesflorian.phpFpm.pool;
+    system.activationScripts.tellesflorian_dev = tellesflorian.activationScript;
+    myServices.websites.webappDirs."${tellesflorian.apache.webappName}" = tellesflorian.app.webRoot;
+    services.websites.integration.modules = adminer.apache.modules ++ tellesflorian.apache.modules;
+    services.websites.integration.vhostConfs.tellesflorian = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["app.tellesflorian.com" ];
+      root        = tellesflorian.apache.root;
+      extraConfig = [
+        tellesflorian.apache.vhostConf
+        adminer.apache.vhostConf
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/florian/builder_app.nix b/modules/private/websites/florian/builder_app.nix
new file mode 100644
index 00000000..e521f6eb
--- /dev/null
+++ b/modules/private/websites/florian/builder_app.nix
@@ -0,0 +1,152 @@
+{ apacheUser, apacheGroup, tellesflorian, config }:
+rec {
+  app = tellesflorian.override { inherit (config) environment; };
+  keys = [
+    {
+      dest = "webapps/${app.environment}-tellesflorian-passwords";
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        invite:${config.invite_passwords}
+      '';
+    }
+    {
+      dest = "webapps/${app.environment}-tellesflorian";
+      user = apacheUser;
+      group = apacheGroup;
+      permissions = "0400";
+      text = ''
+        # This file is auto-generated during the composer install
+        parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+      '';
+    }
+  ];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-tellesflorian > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/floriantelles-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-tellesflorian:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "florian_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      AuthBasicProvider file ldap
+      Use LDAPConnect
+      Require ldap-group   cn=app.tellesflorian.com,cn=httpd,ou=services,dc=immae,dc=eu
+
+      AuthUserFile "/var/secrets/webapps/${app.environment}-tellesflorian-passwords"
+      Require user "invite"
+
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://tellesflorian.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/var
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix
new file mode 100644
index 00000000..424ebd48
--- /dev/null
+++ b/modules/private/websites/florian/integration.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    adminer = pkgs.callPackage ../commons/adminer.nix {};
+    cfg = config.myServices.websites.florian.integration;
+    varDir = "/var/lib/ftp/florian";
+    env = myconfig.env.websites.florian;
+in {
+  options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration";
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."ftp".extraDomains."florian.immae.eu" = null;
+
+    services.websites.integration.modules = adminer.apache.modules;
+    services.websites.integration.vhostConfs.florian = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "florian.immae.eu" ];
+      root        = "${varDir}/florian.immae.eu";
+      extraConfig = [
+        adminer.apache.vhostConf
+        ''
+        ServerAdmin ${env.server_admin}
+
+        <Directory ${varDir}/florian.immae.eu>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix
new file mode 100644
index 00000000..9b310b8b
--- /dev/null
+++ b/modules/private/websites/florian/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    adminer = pkgs.callPackage ../commons/adminer.nix {};
+    cfg = config.myServices.websites.florian.production;
+    varDir = "/var/lib/ftp/florian";
+    env = myconfig.env.websites.florian;
+in {
+  options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production";
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."ftp".extraDomains."tellesflorian.com" = null;
+
+    services.websites.production.modules = adminer.apache.modules;
+    services.websites.production.vhostConfs.florian = {
+      certName     = "florian";
+      certMainHost = "tellesflorian.com";
+      hosts        = [ "tellesflorian.com" "www.tellesflorian.com" ];
+      root         = "${varDir}/tellesflorian.com";
+      extraConfig  = [
+        adminer.apache.vhostConf
+        ''
+        ServerAdmin ${env.server_admin}
+
+        <Directory ${varDir}/tellesflorian.com>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/immae/production.nix b/modules/private/websites/immae/production.nix
new file mode 100644
index 00000000..c3cabb6a
--- /dev/null
+++ b/modules/private/websites/immae/production.nix
@@ -0,0 +1,64 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.immae.production;
+  varDir = "/var/lib/ftp/immae";
+  env = myconfig.env.websites.immae;
+in {
+  options.myServices.websites.immae.production.enable = lib.mkEnableOption "enable Immae's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "www.immae.eu"; } ];
+
+    services.phpfpm.poolConfigs.immae = ''
+      listen = /run/phpfpm/immae.sock
+      user = wwwrun
+      group = wwwrun
+      listen.owner = wwwrun
+      listen.group = wwwrun
+
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+
+      php_admin_value[open_basedir] = "${varDir}:/tmp"
+      '';
+    services.websites.production.modules = [ "proxy_fcgi" ];
+    services.websites.production.vhostConfs.immae = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "www.immae.eu" ];
+      root        = varDir;
+      extraConfig = [
+        ''
+        Use Stats www.immae.eu
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:/run/phpfpm/immae.sock|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${varDir}>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride All
+          Require all granted
+        </Directory>
+
+        <Location /blog_old/>
+          Use LDAPConnect
+          Require ldap-group cn=blog,cn=immae.eu,ou=services,dc=immae,dc=eu
+        </Location>
+        ''
+      ];
+    };
+
+    services.websites.production.vhostConfs.bouya = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "bouya.org" "www.bouya.org" ];
+      root        = null;
+      extraConfig = [ ''
+        RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://www.normalesup.org/~bouya/
+        '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/immae/release.nix b/modules/private/websites/immae/release.nix
new file mode 100644
index 00000000..68381a6a
--- /dev/null
+++ b/modules/private/websites/immae/release.nix
@@ -0,0 +1,39 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.immae.release;
+  varDir = "/var/lib/ftp/release.immae.eu";
+  env = myconfig.env.websites.release;
+in {
+  options.myServices.websites.immae.release.enable = lib.mkEnableOption "enable Release' website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "release.immae.eu"; } ];
+
+    services.websites.production.vhostConfs.release = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "release.immae.eu" ];
+      root        = varDir;
+      extraConfig = [
+        ''
+        Use Stats release.immae.eu
+
+        Use Apaxy "${varDir}" "title .duplicity-ignore"
+        <Directory "${varDir}">
+          Use LDAPConnect
+          Options Indexes
+          AllowOverride All
+          Require all granted
+        </Directory>
+
+        <Directory "${varDir}/packages">
+          Use LDAPConnect
+          Options Indexes FollowSymlinks
+          AllowOverride None
+          Require all granted
+        </Directory>
+        ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/immae/temp.nix b/modules/private/websites/immae/temp.nix
new file mode 100644
index 00000000..0b2a3a3e
--- /dev/null
+++ b/modules/private/websites/immae/temp.nix
@@ -0,0 +1,36 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.immae.temp;
+  varDir = "/var/lib/ftp/temp.immae.eu";
+  env = myconfig.env.websites.temp;
+in {
+  options.myServices.websites.immae.temp.enable = lib.mkEnableOption "enable Temp' website";
+
+  config = lib.mkIf cfg.enable {
+    services.websites.production.modules = [ "headers" ];
+    services.websites.production.vhostConfs.temp = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "temp.immae.eu" ];
+      root        = varDir;
+      extraConfig = [
+        ''
+        Use Apaxy "${varDir}" "title .duplicity-ignore"
+        <FilesMatch ".+">
+          Header set Content-Disposition attachment
+        </FilesMatch>
+        <Directory "${varDir}">
+          Options -Indexes
+          AllowOverride None
+          Require all granted
+        </Directory>
+
+        <DirectoryMatch "${varDir}/(.+)">
+          Options Indexes
+        </DirectoryMatch>
+        ''
+      ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix
new file mode 100644
index 00000000..69c8c497
--- /dev/null
+++ b/modules/private/websites/leila/production.nix
@@ -0,0 +1,82 @@
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.myServices.websites.leila.production;
+  varDir = "/var/lib/ftp/leila";
+in {
+  options.myServices.websites.leila.production.enable = lib.mkEnableOption "enable Leila's website in production";
+
+  config = lib.mkIf cfg.enable {
+    services.phpfpm.poolConfigs.leila = ''
+      listen = /run/phpfpm/leila.sock
+      user = wwwrun
+      group = wwwrun
+      listen.owner = wwwrun
+      listen.group = wwwrun
+
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+
+      php_admin_value[open_basedir] = "${varDir}:/tmp"
+      '';
+
+    services.webstats.sites = [
+      { name = "leila.bouya.org"; }
+      { name = "chorale.leila.bouya.org"; }
+    ];
+
+    services.websites.production.modules = [ "proxy_fcgi" ];
+    services.websites.production.vhostConfs.leila_chorale = {
+      certName    = "leila";
+      addToCerts  = true;
+      hosts       = [ "chorale.leila.bouya.org" "chorale-vocanta.fr.nf" "www.chorale-vocanta.fr.nf" ];
+      root        = "${varDir}/Chorale";
+      extraConfig = [
+        ''
+        Use Stats chorale.leila.bouya.org
+        <Directory ${varDir}/Chorale>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+
+          Use LDAPConnect
+          Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost"
+          </FilesMatch>
+        </Directory>
+          ''
+      ];
+    };
+    services.websites.production.vhostConfs.leila = {
+      certName     = "leila";
+      certMainHost = "leila.bouya.org";
+      hosts        = [ "leila.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Stats leila.bouya.org
+        <Directory ${varDir}/Chorale>
+          DirectoryIndex index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+
+          Use LDAPConnect
+          Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+
+          <FilesMatch "\.php$">
+            SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost"
+          </FilesMatch>
+        </Directory>
+        <Directory ${varDir}>
+          DirectoryIndex index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/ludivinecassal/builder.nix b/modules/private/websites/ludivinecassal/builder.nix
new file mode 100644
index 00000000..3167bce7
--- /dev/null
+++ b/modules/private/websites/ludivinecassal/builder.nix
@@ -0,0 +1,155 @@
+{ apacheUser, apacheGroup, config, ludivinecassal, pkgs, ruby, sass, imagemagick }:
+rec {
+  app = ludivinecassal.override { inherit (config) environment; };
+  varDir = "/var/lib/ludivinecassal_${app.environment}";
+  keys = [{
+    dest = "webapps/${app.environment}-ludivinecassal";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          database_server_version: ${pkgs.mariadb.mysqlVersion}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+          ldap_host: ldap.immae.eu
+          ldap_port: 636
+          ldap_version: 3
+          ldap_ssl: true
+          ldap_tls: false
+          ldap_user_bind: 'uid={username},ou=users,dc=immae,dc=eu'
+          ldap_base_dn: 'dc=immae,dc=eu'
+          ldap_search_dn: '${config.ldap.dn}'
+          ldap_search_password: '${config.ldap.password}'
+          ldap_search_filter: '${config.ldap.search}'
+      leapt_im:
+          binary_path: ${imagemagick}/bin
+      assetic:
+          sass: ${sass}/bin/sass
+          ruby: ${ruby}/bin/ruby
+    '';
+  }];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-ludivinecassal > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/ludivinecassal-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-ludivinecassal:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "ludivine_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=ludivine.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://ludivinecassal.com\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    Use Stats ludivinecassal.com
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/tmp
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix
new file mode 100644
index 00000000..ed0dc9fe
--- /dev/null
+++ b/modules/private/websites/ludivinecassal/integration.nix
@@ -0,0 +1,32 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  ludivinecassal  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) ludivinecassal;
+    config = myconfig.env.websites.ludivinecassal.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.ludivinecassal.integration;
+in {
+  options.myServices.websites.ludivinecassal.integration.enable = lib.mkEnableOption "enable Ludivine's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = ludivinecassal.keys;
+
+    systemd.services.phpfpm-ludivinecassal_dev.after = lib.mkAfter ludivinecassal.phpFpm.serviceDeps;
+    systemd.services.phpfpm-ludivinecassal_dev.wants = ludivinecassal.phpFpm.serviceDeps;
+    systemd.services.phpfpm-ludivinecassal_dev.preStart = lib.mkAfter ludivinecassal.phpFpm.preStart;
+    services.phpfpm.poolConfigs.ludivinecassal_dev = ludivinecassal.phpFpm.pool;
+    system.activationScripts.ludivinecassal_dev = ludivinecassal.activationScript;
+    myServices.websites.webappDirs."${ludivinecassal.apache.webappName}" = ludivinecassal.app.webRoot;
+    services.websites.integration.modules = ludivinecassal.apache.modules;
+    services.websites.integration.vhostConfs.ludivine = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "ludivine.immae.eu" ];
+      root        = ludivinecassal.apache.root;
+      extraConfig = [ ludivinecassal.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix
new file mode 100644
index 00000000..3df5613f
--- /dev/null
+++ b/modules/private/websites/ludivinecassal/production.nix
@@ -0,0 +1,33 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  ludivinecassal = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) ludivinecassal;
+    config = myconfig.env.websites.ludivinecassal.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.ludivinecassal.production;
+in {
+  options.myServices.websites.ludivinecassal.production.enable = lib.mkEnableOption "enable Ludivine's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = ludivinecassal.keys;
+    services.webstats.sites = [ { name = "ludivinecassal.com"; } ];
+
+    systemd.services.phpfpm-ludivinecassal_prod.after = lib.mkAfter ludivinecassal.phpFpm.serviceDeps;
+    systemd.services.phpfpm-ludivinecassal_prod.wants = ludivinecassal.phpFpm.serviceDeps;
+    systemd.services.phpfpm-ludivinecassal_prod.preStart = lib.mkAfter ludivinecassal.phpFpm.preStart;
+    services.phpfpm.poolConfigs.ludivinecassal_prod = ludivinecassal.phpFpm.pool;
+    system.activationScripts.ludivinecassal_prod = ludivinecassal.activationScript;
+    myServices.websites.webappDirs."${ludivinecassal.apache.webappName}" = ludivinecassal.app.webRoot;
+    services.websites.production.modules = ludivinecassal.apache.modules;
+    services.websites.production.vhostConfs.ludivine = {
+      certName     = "ludivinecassal";
+      certMainHost = "ludivinecassal.com";
+      hosts        = ["ludivinecassal.com" "www.ludivinecassal.com" ];
+      root         = ludivinecassal.apache.root;
+      extraConfig  = [ ludivinecassal.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix
new file mode 100644
index 00000000..a1097784
--- /dev/null
+++ b/modules/private/websites/nassime/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.nassime.production;
+  varDir = "/var/lib/ftp/nassime";
+  env = myconfig.env.websites.nassime;
+in {
+  options.myServices.websites.nassime.production.enable = lib.mkEnableOption "enable Nassime's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "nassime.bouya.org"; } ];
+
+    security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null;
+
+    services.websites.production.vhostConfs.nassime = {
+      certName     = "nassime";
+      certMainHost = "nassime.bouya.org";
+      hosts        = ["nassime.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Stats nassime.bouya.org
+        ServerAdmin ${env.server_admin}
+
+        <Directory ${varDir}>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix
new file mode 100644
index 00000000..f59957da
--- /dev/null
+++ b/modules/private/websites/naturaloutil/production.nix
@@ -0,0 +1,96 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  adminer = pkgs.callPackage ../commons/adminer.nix {};
+  cfg = config.myServices.websites.naturaloutil.production;
+  varDir = "/var/lib/ftp/jerome";
+  env = myconfig.env.websites.jerome;
+in {
+  options.myServices.websites.naturaloutil.production.enable = lib.mkEnableOption "enable Naturaloutil's website";
+
+  config = lib.mkIf cfg.enable {
+    services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ];
+
+    security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null;
+
+    secrets.keys = [{
+      dest = "webapps/prod-naturaloutil";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0400";
+      text = ''
+        <?php
+        $mysql_user = '${env.mysql.user}' ;
+        $mysql_server = '${env.mysql.host}' ;
+        $mysql_base = '${env.mysql.name}' ;
+        $mysql_password = '${env.mysql.password}' ;
+        //connect to db
+        $db = mysqli_init();
+        ${if env.mysql.host != "localhost" then ''
+        mysqli_options ($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
+        $db->ssl_set(NULL, NULL, "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt", NULL, NULL);
+        '' else ""}
+        $database = connect_db($db, $mysql_server, $mysql_base, $mysql_user, $mysql_password);
+        ?>
+      '';
+    }];
+    system.activationScripts.naturaloutil = {
+      deps = [ "httpd" ];
+      text = ''
+        install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/naturaloutil
+        '';
+    };
+    systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ];
+    systemd.services.phpfpm-jerome.wants = [ "mysql.service" ];
+    services.phpfpm.pools.jerome = {
+      listen = "/run/phpfpm/naturaloutil.sock";
+      extraConfig = ''
+        user = wwwrun
+        group = wwwrun
+        listen.owner = wwwrun
+        listen.group = wwwrun
+
+        pm = ondemand
+        pm.max_children = 5
+        pm.process_idle_timeout = 60
+
+        env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil"
+        php_admin_value[open_basedir] = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"
+        php_admin_value[session.save_path] = "/var/lib/php/sessions/naturaloutil"
+        '';
+      phpOptions = config.services.phpfpm.phpOptions + ''
+        extension=${pkgs.php}/lib/php/extensions/mysqli.so
+        '';
+    };
+    services.websites.production.modules = adminer.apache.modules ++ [ "proxy_fcgi" ];
+    services.websites.production.vhostConfs.naturaloutil = {
+      certName     = "naturaloutil";
+      certMainHost = "naturaloutil.immae.eu";
+      hosts        = ["naturaloutil.immae.eu" ];
+      root         = varDir;
+      extraConfig  = [
+        adminer.apache.vhostConf
+        ''
+        Use Stats naturaloutil.immae.eu
+        ServerAdmin ${env.server_admin}
+        ErrorLog "${varDir}/logs/error_log"
+        CustomLog "${varDir}/logs/access_log" combined
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost"
+        </FilesMatch>
+
+        <Directory ${varDir}/logs>
+          AllowOverride None
+          Require all denied
+        </Directory>
+        <Directory ${varDir}>
+          DirectoryIndex index.php index.htm index.html
+          Options Indexes FollowSymLinks MultiViews Includes
+          AllowOverride None
+          Require all granted
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix
new file mode 100644
index 00000000..8e7cd9db
--- /dev/null
+++ b/modules/private/websites/papa/surveillance.nix
@@ -0,0 +1,49 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  cfg = config.myServices.websites.papa.surveillance;
+  varDir = "/var/lib/ftp/papa";
+in {
+  options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website";
+
+  config = lib.mkIf cfg.enable {
+    security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null;
+
+    services.cron = {
+      systemCronJobs = let
+        script = pkgs.writeScript "cleanup-papa" ''
+          #!${pkgs.stdenv.shell}
+          d=$(date -d "7 days ago" +%Y%m%d)
+          for i in /var/lib/ftp/papa/*/20[0-9][0-9][0-9][0-9][0-9][0-9]; do
+            if [ "$d" -gt $(basename $i) ]; then
+              rm -rf "$i"
+            fi
+          done
+          '';
+      in
+        [
+        ''
+          0 6 * * * wwwrun ${script}
+        ''
+      ];
+    };
+
+    services.websites.production.vhostConfs.papa = {
+      certName     = "papa";
+      certMainHost = "surveillance.maison.bbc.bouya.org";
+      hosts        = [ "surveillance.maison.bbc.bouya.org" ];
+      root         = varDir;
+      extraConfig  = [
+        ''
+        Use Apaxy "${varDir}" "title .duplicity-ignore"
+        <Directory ${varDir}>
+          Use LDAPConnect
+          Options Indexes
+          AllowOverride None
+          Require ldap-group   cn=surveillance.maison.bbc.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu
+        </Directory>
+          ''
+      ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/piedsjaloux/builder.nix b/modules/private/websites/piedsjaloux/builder.nix
new file mode 100644
index 00000000..9fcc8fb6
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/builder.nix
@@ -0,0 +1,144 @@
+{ apacheUser, apacheGroup, piedsjaloux, config, pkgs, lib, texlive, imagemagick }:
+rec {
+  app = piedsjaloux.override { inherit (config) environment; };
+  varDir = "/var/lib/piedsjaloux_${app.environment}";
+  keys = [{
+    dest = "webapps/${app.environment}-piedsjaloux";
+    user = apacheUser;
+    group = apacheGroup;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_host: ${config.mysql.host}
+          database_port: ${config.mysql.port}
+          database_name: ${config.mysql.name}
+          database_user: ${config.mysql.user}
+          database_password: ${config.mysql.password}
+          database_server_version: ${pkgs.mariadb.mysqlVersion}
+          mailer_transport: smtp
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          secret: ${config.secret}
+          pdflatex: "${texlive.combine { inherit (texlive) attachfile preprint scheme-small; }}/bin/pdflatex"
+      leapt_im:
+          binary_path: ${imagemagick}/bin
+    '';
+  }];
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${app.varDir}/currentWebappDir" -o \
+          ! -f "${app.varDir}/currentKey" -o \
+          "${app}" != "$(cat ${app.varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${app.varDir}/currentKey; then
+        pushd ${app} > /dev/null
+        /run/wrappers/bin/sudo -u ${apacheUser} ./bin/console --env=${app.environment} cache:clear --no-warmup
+        popd > /dev/null
+        echo -n "${app}" > ${app.varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/${app.environment}-piedsjaloux > ${app.varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "mysql.service" ];
+    socket = "/var/run/phpfpm/piedsjaloux-${app.environment}.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apacheUser}
+      group = ${apacheGroup}
+      listen.owner = ${apacheUser}
+      listen.group = ${apacheGroup}
+      php_admin_value[upload_max_filesize] = 20M
+      php_admin_value[post_max_size] = 20M
+      ;php_admin_flag[log_errors] = on
+      php_admin_value[open_basedir] = "/var/secrets/webapps/${app.environment}-piedsjaloux:${app}:${app.varDir}:/tmp"
+      php_admin_value[session.save_path] = "${app.varDir}/phpSessions"
+      env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]}
+      ${if app.environment == "dev" then ''
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      env[SYMFONY_DEBUG_MODE] = "yes"
+      '' else ''
+      pm = dynamic
+      pm.max_children = 20
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      ''}'';
+  };
+  apache = rec {
+    modules = [ "proxy_fcgi" ];
+    webappName = "piedsjaloux_${app.environment}";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    <FilesMatch "\.php$">
+      SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+    </FilesMatch>
+
+    ${if app.environment == "dev" then ''
+    <Location />
+      Use LDAPConnect
+      Require ldap-group   cn=piedsjaloux.immae.eu,cn=httpd,ou=services,dc=immae,dc=eu
+      ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=https://piedsjaloux.fr\"></html>"
+    </Location>
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride None
+      Require all granted
+
+      DirectoryIndex app_dev.php
+
+      <IfModule mod_negotiation.c>
+      Options -MultiViews
+      </IfModule>
+
+      <IfModule mod_rewrite.c>
+        RewriteEngine On
+
+        RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
+        RewriteRule ^(.*) - [E=BASE:%1]
+
+        # Maintenance script
+        RewriteCond %{DOCUMENT_ROOT}/maintenance.php -f
+        RewriteCond %{SCRIPT_FILENAME} !maintenance.php
+        RewriteRule ^.*$ %{ENV:BASE}/maintenance.php [R=503,L]
+        ErrorDocument 503 /maintenance.php
+
+        # Sets the HTTP_AUTHORIZATION header removed by Apache
+        RewriteCond %{HTTP:Authorization} .
+        RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+        RewriteCond %{ENV:REDIRECT_STATUS} ^$
+        RewriteRule ^app_dev\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
+
+        # If the requested filename exists, simply serve it.
+        # We only want to let Apache serve files and not directories.
+        RewriteCond %{REQUEST_FILENAME} -f
+        RewriteRule ^ - [L]
+
+        # Rewrite all other queries to the front controller.
+        RewriteRule ^ %{ENV:BASE}/app_dev.php [L]
+      </IfModule>
+
+    </Directory>
+    '' else ''
+    Use Stats piedsjaloux.fr
+
+    <Directory ${root}>
+      Options Indexes FollowSymLinks MultiViews Includes
+      AllowOverride All
+      Require all granted
+    </Directory>
+    ''}
+    '';
+  };
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+    install -m 0755 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir} \
+      ${app.varDir}/tmp
+    install -m 0750 -o ${apacheUser} -g ${apacheGroup} -d ${app.varDir}/phpSessions
+    '';
+  };
+}
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix
new file mode 100644
index 00000000..5f574e1a
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/integration.nix
@@ -0,0 +1,32 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  piedsjaloux  = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) piedsjaloux;
+    config = myconfig.env.websites.piedsjaloux.integration;
+    apacheUser = config.services.httpd.Inte.user;
+    apacheGroup = config.services.httpd.Inte.group;
+  };
+
+  cfg = config.myServices.websites.piedsjaloux.integration;
+in {
+  options.myServices.websites.piedsjaloux.integration.enable = lib.mkEnableOption "enable PiedsJaloux's website in integration";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = piedsjaloux.keys;
+    systemd.services.phpfpm-piedsjaloux_dev.after = lib.mkAfter piedsjaloux.phpFpm.serviceDeps;
+    systemd.services.phpfpm-piedsjaloux_dev.wants = piedsjaloux.phpFpm.serviceDeps;
+    systemd.services.phpfpm-piedsjaloux_dev.preStart = lib.mkAfter piedsjaloux.phpFpm.preStart;
+    services.phpfpm.poolConfigs.piedsjaloux_dev = piedsjaloux.phpFpm.pool;
+    system.activationScripts.piedsjaloux_dev = piedsjaloux.activationScript;
+    myServices.websites.webappDirs."${piedsjaloux.apache.webappName}" = piedsjaloux.app.webRoot;
+    services.websites.integration.modules = piedsjaloux.apache.modules;
+    services.websites.integration.vhostConfs.piedsjaloux = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "piedsjaloux.immae.eu" ];
+      root        = piedsjaloux.apache.root;
+      extraConfig = [ piedsjaloux.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix
new file mode 100644
index 00000000..e3bd2ddc
--- /dev/null
+++ b/modules/private/websites/piedsjaloux/production.nix
@@ -0,0 +1,34 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  piedsjaloux = pkgs.callPackage ./builder.nix {
+    inherit (pkgs.webapps) piedsjaloux;
+    config = myconfig.env.websites.piedsjaloux.production;
+    apacheUser = config.services.httpd.Prod.user;
+    apacheGroup = config.services.httpd.Prod.group;
+  };
+
+  cfg = config.myServices.websites.piedsjaloux.production;
+in {
+  options.myServices.websites.piedsjaloux.production.enable = lib.mkEnableOption "enable PiedsJaloux's website in production";
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = piedsjaloux.keys;
+    services.webstats.sites = [ { name = "piedsjaloux.fr"; } ];
+
+    systemd.services.phpfpm-piedsjaloux_prod.after = lib.mkAfter piedsjaloux.phpFpm.serviceDeps;
+    systemd.services.phpfpm-piedsjaloux_prod.wants = piedsjaloux.phpFpm.serviceDeps;
+    systemd.services.phpfpm-piedsjaloux_prod.preStart = lib.mkAfter piedsjaloux.phpFpm.preStart;
+    services.phpfpm.poolConfigs.piedsjaloux_prod = piedsjaloux.phpFpm.pool;
+    system.activationScripts.piedsjaloux_prod = piedsjaloux.activationScript;
+    myServices.websites.webappDirs."${piedsjaloux.apache.webappName}" = piedsjaloux.app.webRoot;
+    services.websites.production.modules = piedsjaloux.apache.modules;
+    services.websites.production.vhostConfs.piedsjaloux = {
+      certName     = "piedsjaloux";
+      certMainHost = "piedsjaloux.fr";
+      hosts        = [ "piedsjaloux.fr" "www.piedsjaloux.fr" ];
+      root         = piedsjaloux.apache.root;
+      extraConfig  = [ piedsjaloux.apache.vhostConf ];
+    };
+  };
+}
+
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix
new file mode 100644
index 00000000..ceb8f772
--- /dev/null
+++ b/modules/private/websites/tools/cloud/default.nix
@@ -0,0 +1,188 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  nextcloud = pkgs.webapps.nextcloud.withApps (builtins.attrValues pkgs.webapps.nextcloud-apps);
+  env = myconfig.env.tools.nextcloud;
+  varDir = "/var/lib/nextcloud";
+  webappName = "tools_nextcloud";
+  apacheRoot = "/run/current-system/webapps/${webappName}";
+  cfg = config.myServices.websites.tools.cloud;
+  phpFpm = rec {
+    basedir = builtins.concatStringsSep ":" (
+      [ nextcloud varDir ]
+      ++ builtins.attrValues pkgs.webapps.nextcloud-apps);
+    socket = "/var/run/phpfpm/nextcloud.sock";
+    phpConfig = ''
+      extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
+      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+      zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
+      '';
+    pool = ''
+      user = wwwrun
+      group = wwwrun
+      listen.owner = wwwrun
+      listen.group = wwwrun
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      php_admin_value[output_buffering] = 0
+      php_admin_value[max_execution_time] = 1800
+      php_admin_value[zend_extension] = "opcache"
+      ;already enabled by default?
+      ;php_value[opcache.enable] = 1
+      php_value[opcache.enable_cli] = 1
+      php_value[opcache.interned_strings_buffer] = 8
+      php_value[opcache.max_accelerated_files] = 10000
+      php_value[opcache.memory_consumption] = 128
+      php_value[opcache.save_comments] = 1
+      php_value[opcache.revalidate_freq] = 1
+      php_admin_value[memory_limit] = 512M
+
+      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      '';
+  };
+in {
+  options.myServices.websites.tools.cloud = {
+    enable = lib.mkEnableOption "enable cloud website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.websites.tools.modules = [ "proxy_fcgi" ];
+
+    services.websites.tools.vhostConfs.cloud = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["cloud.immae.eu" ];
+      root        = apacheRoot;
+      extraConfig = [
+        ''
+          SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+          <Directory ${apacheRoot}>
+            AcceptPathInfo On
+            DirectoryIndex index.php
+            Options FollowSymlinks
+            Require all granted
+            AllowOverride all
+
+            <IfModule mod_headers.c>
+              Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
+            </IfModule>
+            <FilesMatch "\.php$">
+              CGIPassAuth on
+              SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+            </FilesMatch>
+
+          </Directory>
+        ''
+      ];
+    };
+
+    secrets.keys = [{
+      dest = "webapps/tools-nextcloud";
+      user = "wwwrun";
+      group = "wwwrun";
+      permissions = "0600";
+      text = ''
+        <?php
+        $CONFIG = array (
+          // FIXME: change this value when nextcloud starts getting slow
+          'instanceid' => '${env.instance_id}1',
+          'datadirectory' => '/var/lib/nextcloud/',
+          'passwordsalt' => '${env.password_salt}',
+          'debug' => false,
+          'dbtype' => 'pgsql',
+          'version' => '16.0.0.9',
+          'dbname' => '${env.postgresql.database}',
+          'dbhost' => '${env.postgresql.socket}',
+          'dbtableprefix' => 'oc_',
+          'dbuser' => '${env.postgresql.user}',
+          'dbpassword' => '${env.postgresql.password}',
+          'installed' => true,
+          'maxZipInputSize' => 0,
+          'allowZipDownload' => true,
+          'forcessl' => true,
+          'theme' => ${"''"},
+          'maintenance' => false,
+          'trusted_domains' => 
+          array (
+            0 => 'cloud.immae.eu',
+          ),
+          'secret' => '${env.secret}',
+          'appstoreenabled' => false,
+          'appstore.experimental.enabled' => true,
+          'loglevel' => 2,
+          'trashbin_retention_obligation' => 'auto',
+          'htaccess.RewriteBase' => '/',
+          'mail_smtpmode' => 'sendmail',
+          'mail_smtphost' => '127.0.0.1',
+          'mail_smtpname' => ''',
+          'mail_smtppassword' => ''',
+          'mail_from_address' => 'nextcloud',
+          'mail_smtpauth' => false,
+          'mail_domain' => 'tools.immae.eu',
+          'memcache.local' => '\\OC\\Memcache\\APCu',
+          'memcache.locking' => '\\OC\\Memcache\\Redis',
+          'filelocking.enabled' => true,
+          'redis' => 
+          array (
+            'host' => '${env.redis.socket}',
+            'port' => 0,
+            'dbindex' => ${env.redis.db_index},
+          ),
+          'overwrite.cli.url' => 'https://cloud.immae.eu',
+          'ldapIgnoreNamingRules' => false,
+          'ldapProviderFactory' => '\\OCA\\User_LDAP\\LDAPProviderFactory',
+          'has_rebuilt_cache' => true,
+        );
+      '';
+    }];
+    users.users.root.packages = let
+      occ = pkgs.writeScriptBin "nextcloud-occ" ''
+        #! ${pkgs.stdenv.shell}
+        cd ${nextcloud}
+        NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \
+          exec \
+          sudo -u wwwrun ${pkgs.php}/bin/php \
+          -c ${pkgs.php}/etc/php.ini \
+          occ $*
+        '';
+    in [ occ ];
+
+    system.activationScripts.nextcloud = {
+      deps = [ "secrets" ];
+      text = let
+        confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig;
+      in
+        ''
+        install -m 0755 -o wwwrun -g wwwrun -d ${varDir}
+        install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions
+        ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v:
+          "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json"
+          ) confs)}
+        install -D -m 0600 -o wwwrun -g wwwrun -T /var/secrets/webapps/tools-nextcloud ${varDir}/config/config.php
+      '';
+    };
+    # FIXME: add a warning when config.php changes
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${nextcloud} $out/webapps/${webappName}
+      '';
+
+    services.phpfpm.pools.nextcloud = {
+      listen = phpFpm.socket;
+      extraConfig = phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig;
+    };
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = [
+        ''
+          LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive
+          */15 * * * * wwwrun ${pkgs.php}/bin/php -f ${nextcloud}/cron.php
+        ''
+      ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix
new file mode 100644
index 00000000..98cebee9
--- /dev/null
+++ b/modules/private/websites/tools/dav/davical.nix
@@ -0,0 +1,139 @@
+{ stdenv, fetchurl, gettext, writeText, env, awl, davical }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/davical
+      '';
+  };
+  keys = [{
+    dest = "webapps/dav-davical";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      $c->pg_connect[] = "dbname=${env.postgresql.database} user=${env.postgresql.user} host=${env.postgresql.socket} password=${env.postgresql.password}";
+
+      $c->readonly_webdav_collections = false;
+
+      $c->admin_email ='davical@tools.immae.eu';
+
+      $c->restrict_setup_to_admin = true;
+
+      $c->collections_always_exist = false;
+
+      $c->external_refresh = 60;
+
+      $c->enable_scheduling = true;
+
+      $c->iMIP = (object) array("send_email" => true);
+
+      $c->authenticate_hook['optional'] = false;
+      $c->authenticate_hook['call'] = 'LDAP_check';
+      $c->authenticate_hook['config'] = array(
+          'host' => 'ldap.immae.eu',
+          'port' => '389',
+          'startTLS' => 'yes',
+          'bindDN'=> 'cn=davical,ou=services,dc=immae,dc=eu',
+          'passDN'=> '${env.ldap.password}',
+          'protocolVersion' => '3',
+          'baseDNUsers'=> array('ou=users,dc=immae,dc=eu', 'ou=group_users,dc=immae,dc=eu'),
+          'filterUsers' => 'memberOf=cn=users,cn=davical,ou=services,dc=immae,dc=eu',
+          'baseDNGroups' => 'ou=groups,dc=immae,dc=eu',
+          'filterGroups' => 'memberOf=cn=groups,cn=davical,ou=services,dc=immae,dc=eu',
+          'mapping_field' => array(
+            "username" => "uid",
+            "fullname" => "cn",
+            "email"    => "mail",
+            "modified" => "modifyTimestamp",
+          ),
+          'format_updated'=> array('Y' => array(0,4),'m' => array(4,2),'d'=> array(6,2),'H' => array(8,2),'M'=>array(10,2),'S' => array(12,2)),
+            /** used to set default value for all users, will be overcharged by ldap if defined also in mapping_field **/
+      //    'default_value' => array("date_format_type" => "E","locale" => "fr_FR"),
+          'group_mapping_field' => array(
+            "username"    => "cn",
+            "updated"     => "modifyTimestamp",
+            "fullname"    => "givenName",
+            "displayname" => "givenName",
+            "members"     => "memberUid",
+            "email"       => "mail",
+          ),
+        );
+
+      $c->do_not_sync_from_ldap = array('admin' => true);
+      include('drivers_ldap.php');
+    '';
+  }];
+  webapp = davical.override { davical_config = "/var/secrets/webapps/dav-davical"; };
+  webRoot = "${webapp}/htdocs";
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_davical";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /davical "${root}"
+      Alias /caldav.php  "${root}/caldav.php"
+      <Directory "${root}">
+        DirectoryIndex index.php index.html
+        AcceptPathInfo On
+        AllowOverride None
+        Require all granted
+
+        <FilesMatch "\.php$">
+          CGIPassAuth on
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        RewriteEngine On
+        <IfModule mod_headers.c>
+                Header unset Access-Control-Allow-Origin
+                Header unset Access-Control-Allow-Methods
+                Header unset Access-Control-Allow-Headers
+                Header unset Access-Control-Allow-Credentials
+                Header unset Access-Control-Expose-Headers
+
+                Header always set Access-Control-Allow-Origin "*"
+                Header always set Access-Control-Allow-Methods "GET,POST,OPTIONS,PROPFIND,PROPPATCH,REPORT,PUT,MOVE,DELETE,LOCK,UNLOCK"
+                Header always set Access-Control-Allow-Headers "User-Agent,Authorization,Content-type,Depth,If-match,If-None-Match,Lock-Token,Timeout,Destination,Overwrite,Prefer,X-client,X-Requested-With"
+                Header always set Access-Control-Allow-Credentials false
+                Header always set Access-Control-Expose-Headers "Etag,Preference-Applied"
+
+                RewriteCond %{HTTP:Access-Control-Request-Method} !^$
+                RewriteCond %{REQUEST_METHOD} OPTIONS
+                RewriteRule ^(.*)$ $1 [R=200,L]
+        </IfModule>
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ];
+    socket = "/var/run/phpfpm/davical.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = dynamic
+      pm.max_children = 60
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 10
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = DavicalPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical"
+      php_admin_value[include_path] = "${awl}/inc:${webapp}/inc"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/davical"
+      php_flag[magic_quotes_gpc] = Off
+      php_flag[register_globals] = Off
+      php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE"
+      php_admin_value[default_charset] = "utf-8"
+      php_flag[magic_quotes_runtime] = Off
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix
new file mode 100644
index 00000000..fb0baaec
--- /dev/null
+++ b/modules/private/websites/tools/dav/default.nix
@@ -0,0 +1,53 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+    infcloud = rec {
+      webappName = "tools_infcloud";
+      root = "/run/current-system/webapps/${webappName}";
+      vhostConf = ''
+          Alias /carddavmate ${root}
+          Alias /caldavzap ${root}
+          Alias /infcloud ${root}
+          <Directory ${root}>
+            AllowOverride All
+            Options FollowSymlinks
+            Require all granted
+            DirectoryIndex index.html
+          </Directory>
+      '';
+    };
+    davical = pkgs.callPackage ./davical.nix {
+      env = myconfig.env.tools.davical;
+      inherit (pkgs.webapps) davical awl;
+    };
+
+    cfg = config.myServices.websites.tools.dav;
+in {
+  options.myServices.websites.tools.dav = {
+    enable = lib.mkEnableOption "enable dav website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    system.activationScripts.davical = davical.activationScript;
+    secrets.keys = davical.keys;
+    services.websites.tools.modules = davical.apache.modules;
+
+    services.websites.tools.vhostConfs.dav = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["dav.immae.eu" ];
+      root        = null;
+      extraConfig = [
+        infcloud.vhostConf
+        davical.apache.vhostConf
+      ];
+    };
+
+    services.phpfpm.poolConfigs = {
+      davical = davical.phpFpm.pool;
+    };
+
+    myServices.websites.webappDirs."${davical.apache.webappName}" = davical.webRoot;
+    myServices.websites.webappDirs."${infcloud.webappName}" = pkgs.webapps.infcloud;
+  };
+}
+
diff --git a/modules/private/websites/tools/db/default.nix b/modules/private/websites/tools/db/default.nix
new file mode 100644
index 00000000..361e204d
--- /dev/null
+++ b/modules/private/websites/tools/db/default.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, config,  ... }:
+let
+    adminer = pkgs.callPackage ../../commons/adminer.nix {};
+
+    cfg = config.myServices.websites.tools.db;
+in {
+  options.myServices.websites.tools.db = {
+    enable = lib.mkEnableOption "enable database's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.websites.tools.modules = adminer.apache.modules;
+    services.websites.tools.vhostConfs.db-1 = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["db-1.immae.eu" ];
+      root        = null;
+      extraConfig = [ adminer.apache.vhostConf ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/diaspora/default.nix b/modules/private/websites/tools/diaspora/default.nix
new file mode 100644
index 00000000..efa1fabb
--- /dev/null
+++ b/modules/private/websites/tools/diaspora/default.nix
@@ -0,0 +1,181 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  env = myconfig.env.tools.diaspora;
+  root = "/run/current-system/webapps/tools_diaspora";
+  cfg = config.myServices.websites.tools.diaspora;
+  dcfg = config.services.diaspora;
+in {
+  options.myServices.websites.tools.diaspora = {
+    enable = lib.mkEnableOption "enable diaspora's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.diaspora.extraGroups = [ "keys" ];
+
+    secrets.keys = [
+      {
+        dest = "webapps/diaspora/diaspora.yml";
+        user = "diaspora";
+        group = "diaspora";
+        permissions = "0400";
+        text = ''
+        configuration:
+          environment:
+            url: "https://diaspora.immae.eu/"
+            certificate_authorities: '${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt'
+            redis: '${env.redis_url}'
+            sidekiq:
+            s3:
+            assets:
+            logging:
+              logrotate:
+              debug:
+          server:
+            listen: '${dcfg.sockets.rails}'
+            rails_environment: 'production'
+          chat:
+            server:
+              bosh:
+              log:
+          map:
+            mapbox:
+          privacy:
+            piwik:
+            statistics:
+            camo:
+          settings:
+            enable_registrations: false
+            welcome_message:
+            invitations:
+              open: false
+            paypal_donations:
+            community_spotlight:
+            captcha:
+              enable: false
+            terms:
+            maintenance:
+              remove_old_users:
+            default_metas:
+            csp:
+          services:
+            twitter:
+            tumblr:
+            wordpress:
+          mail:
+            enable: true
+            sender_address: 'diaspora@tools.immae.eu'
+            method: 'sendmail'
+            smtp:
+            sendmail:
+              location: '/run/wrappers/bin/sendmail'
+          admins:
+            account: "ismael"
+            podmin_email: 'diaspora@tools.immae.eu'
+          relay:
+            outbound:
+            inbound:
+          ldap:
+              enable: true
+              host: ldap.immae.eu
+              port: 636
+              only_ldap: true
+              mail_attribute: mail
+              skip_email_confirmation: true
+              use_bind_dn: true
+              bind_dn: "cn=diaspora,ou=services,dc=immae,dc=eu"
+              bind_pw: "${env.ldap.password}"
+              search_base: "dc=immae,dc=eu"
+              search_filter: "(&(memberOf=cn=users,cn=diaspora,ou=services,dc=immae,dc=eu)(uid=%{username}))"
+        production:
+          environment:
+        development:
+          environment:
+        '';
+      }
+      {
+        dest = "webapps/diaspora/database.yml";
+        user = "diaspora";
+        group = "diaspora";
+        permissions = "0400";
+        text = ''
+        postgresql: &postgresql
+          adapter: postgresql
+          host: "${env.postgresql.socket}"
+          port: "${env.postgresql.port}"
+          username: "${env.postgresql.user}"
+          password: "${env.postgresql.password}"
+          encoding: unicode
+        common: &common
+          <<: *postgresql
+        combined: &combined
+          <<: *common
+        development:
+          <<: *combined
+          database: diaspora_development
+        production:
+          <<: *combined
+          database: ${env.postgresql.database}
+        test:
+          <<: *combined
+          database: "diaspora_test"
+        integration1:
+          <<: *combined
+          database: diaspora_integration1
+        integration2:
+          <<: *combined
+          database: diaspora_integration2
+        '';
+      }
+      {
+        dest = "webapps/diaspora/secret_token.rb";
+        user = "diaspora";
+        group = "diaspora";
+        permissions = "0400";
+        text = ''
+          Diaspora::Application.config.secret_key_base = '${env.secret_token}'
+        '';
+      }
+    ];
+
+    services.diaspora = {
+      enable = true;
+      package = pkgs.webapps.diaspora.override { ldap = true; };
+      dataDir = "/var/lib/diaspora_immae";
+      adminEmail = "diaspora@tools.immae.eu";
+      configDir = "/var/secrets/webapps/diaspora";
+    };
+
+    services.websites.tools.modules = [
+      "headers" "proxy" "proxy_http"
+    ];
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${dcfg.workdir}/public/ $out/webapps/tools_diaspora
+      '';
+    services.websites.tools.vhostConfs.diaspora = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "diaspora.immae.eu" ];
+      root        = root;
+      extraConfig = [ ''
+        RewriteEngine On
+        RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
+        RewriteRule ^/(.*)$ unix://${dcfg.sockets.rails}|http://diaspora.immae.eu/%{REQUEST_URI} [P,NE,QSA,L]
+
+        ProxyRequests Off
+        ProxyVia On
+        ProxyPreserveHost On
+        RequestHeader set X_FORWARDED_PROTO https
+
+        <Proxy *>
+            Require all granted
+        </Proxy>
+
+        <Directory ${root}>
+            Require all granted
+            Options -MultiViews
+        </Directory>
+      '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/ether/default.nix b/modules/private/websites/tools/ether/default.nix
new file mode 100644
index 00000000..ebcbf618
--- /dev/null
+++ b/modules/private/websites/tools/ether/default.nix
@@ -0,0 +1,175 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  env = myconfig.env.tools.etherpad-lite;
+  cfg = config.myServices.websites.tools.etherpad-lite;
+  # Make sure we’re not rebuilding whole libreoffice just because of a
+  # dependency
+  libreoffice = (import <nixpkgs> { overlays = []; }).libreoffice-fresh;
+  ecfg = config.services.etherpad-lite;
+in {
+  options.myServices.websites.tools.etherpad-lite = {
+    enable = lib.mkEnableOption "enable etherpad's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [
+      {
+        dest = "webapps/tools-etherpad-apikey";
+        permissions = "0400";
+        text = env.api_key;
+      }
+      {
+        dest = "webapps/tools-etherpad-sessionkey";
+        permissions = "0400";
+        text = env.session_key;
+      }
+      {
+        dest = "webapps/tools-etherpad";
+        permissions = "0400";
+        text = ''
+          {
+            "title": "Etherpad",
+            "favicon": "favicon.ico",
+
+            "ip": "",
+            "port" : "${ecfg.sockets.node}",
+            "showSettingsInAdminPage" : false,
+            "dbType" : "postgres",
+            "dbSettings" : {
+              "user"    : "${env.postgresql.user}",
+              "host"    : "${env.postgresql.socket}",
+              "password": "${env.postgresql.password}",
+              "database": "${env.postgresql.database}",
+              "charset" : "utf8mb4"
+            },
+
+            "defaultPadText" : "Welcome to Etherpad!\n\nThis pad text is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents!\n\nGet involved with Etherpad at http:\/\/etherpad.org\n",
+            "padOptions": {
+              "noColors": false,
+              "showControls": true,
+              "showChat": true,
+              "showLineNumbers": true,
+              "useMonospaceFont": false,
+              "userName": false,
+              "userColor": false,
+              "rtl": false,
+              "alwaysShowChat": false,
+              "chatAndUsers": false,
+              "lang": "en-gb"
+            },
+
+            "suppressErrorsInPadText" : false,
+            "requireSession" : false,
+            "editOnly" : false,
+            "sessionNoPassword" : false,
+            "minify" : true,
+            "maxAge" : 21600,
+            "abiword" : null,
+            "soffice" : "${libreoffice}/bin/soffice",
+            "tidyHtml" : "${pkgs.html-tidy}/bin/tidy",
+            "allowUnknownFileEnds" : true,
+            "requireAuthentication" : false,
+            "requireAuthorization" : false,
+            "trustProxy" : false,
+            "disableIPlogging" : false,
+            "automaticReconnectionTimeout" : 0,
+            "scrollWhenFocusLineIsOutOfViewport": {
+              "percentage": {
+                "editionAboveViewport": 0,
+                "editionBelowViewport": 0
+              },
+              "duration": 0,
+              "scrollWhenCaretIsInTheLastLineOfViewport": false,
+              "percentageToScrollWhenUserPressesArrowUp": 0
+            },
+            "users": {
+              "ldapauth": {
+                "url": "ldaps://${env.ldap.host}",
+                "accountBase": "${env.ldap.base}",
+                "accountPattern": "(&(memberOf=cn=users,cn=etherpad,ou=services,dc=immae,dc=eu)(uid={{username}}))",
+                "displayNameAttribute": "cn",
+                "searchDN": "cn=etherpad,ou=services,dc=immae,dc=eu",
+                "searchPWD": "${env.ldap.password}",
+                "groupSearchBase": "${env.ldap.base}",
+                "groupAttribute": "member",
+                "groupAttributeIsDN": true,
+                "searchScope": "sub",
+                "groupSearch": "(memberOf=cn=groups,cn=etherpad,ou=services,dc=immae,dc=eu)",
+                "anonymousReadonly": false
+              }
+            },
+            "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
+            "loadTest": false,
+            "indentationOnNewLine": false,
+            "toolbar": {
+              "left": [
+                ["bold", "italic", "underline", "strikethrough"],
+                ["orderedlist", "unorderedlist", "indent", "outdent"],
+                ["undo", "redo"],
+                ["clearauthorship"]
+              ],
+              "right": [
+                ["importexport", "timeslider", "savedrevision"],
+                ["settings", "embed"],
+                ["showusers"]
+              ],
+              "timeslider": [
+                ["timeslider_export", "timeslider_returnToPad"]
+              ]
+            },
+            "loglevel": "INFO",
+            "logconfig" : { "appenders": [ { "type": "console" } ] }
+          }
+        '';
+      }
+    ];
+    services.etherpad-lite = {
+      enable = true;
+      modules = builtins.attrValues pkgs.webapps.etherpad-lite-modules;
+      sessionKeyFile = "/var/secrets/webapps/tools-etherpad-sessionkey";
+      apiKeyFile = "/var/secrets/webapps/tools-etherpad-apikey";
+      configFile = "/var/secrets/webapps/tools-etherpad";
+    };
+
+    systemd.services.etherpad-lite.serviceConfig.SupplementaryGroups = "keys";
+
+    services.websites.tools.modules = [
+      "headers" "proxy" "proxy_http" "proxy_wstunnel"
+    ];
+    services.websites.tools.vhostConfs.etherpad-lite = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "ether.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
+        RequestHeader set X-Forwarded-Proto "https"
+
+        RewriteEngine On
+
+        RewriteMap  redirects "txt:${pkgs.writeText "redirects.txt" myconfig.env.tools.etherpad-lite.redirects}"
+        RewriteCond %{QUERY_STRING}         "!noredirect"
+        RewriteCond %{REQUEST_URI}          "^(.*)$"
+        RewriteCond ''${redirects:$1|Unknown} "!Unknown"
+        RewriteRule "^(.*)$"                ''${redirects:$1}  [L,NE,R=301,QSD]
+
+        RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
+        RewriteCond %{QUERY_STRING} transport=websocket    [NC]
+        RewriteRule /(.*)           unix://${ecfg.sockets.node}|ws://ether.immae.eu/$1 [P,NE,QSA,L]
+
+        <IfModule mod_proxy.c>
+          ProxyVia On
+          ProxyRequests Off
+          ProxyPreserveHost On
+          ProxyPass         / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          ProxyPassReverse  / unix://${ecfg.sockets.node}|http://ether.immae.eu/
+          <Proxy *>
+            Options FollowSymLinks MultiViews
+            AllowOverride None
+            Require all granted
+          </Proxy>
+        </IfModule>
+      '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix
new file mode 100644
index 00000000..75d02402
--- /dev/null
+++ b/modules/private/websites/tools/git/default.nix
@@ -0,0 +1,45 @@
+{ lib, pkgs, config, myconfig, ... }:
+let
+    mantisbt = pkgs.callPackage ./mantisbt.nix {
+      inherit (pkgs.webapps) mantisbt_2 mantisbt_2-plugins;
+      env = myconfig.env.tools.mantisbt;
+    };
+    gitweb = pkgs.callPackage ./gitweb.nix {
+      gitoliteDir = config.myServices.gitolite.gitoliteDir;
+    };
+
+    cfg = config.myServices.websites.tools.git;
+in {
+  options.myServices.websites.tools.git = {
+    enable = lib.mkEnableOption "enable git's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = mantisbt.keys;
+    services.websites.tools.modules =
+      gitweb.apache.modules ++
+      mantisbt.apache.modules;
+    myServices.websites.webappDirs."${gitweb.apache.webappName}" = gitweb.webRoot;
+    myServices.websites.webappDirs."${mantisbt.apache.webappName}" = mantisbt.webRoot;
+
+    system.activationScripts.mantisbt = mantisbt.activationScript;
+    services.websites.tools.vhostConfs.git = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["git.immae.eu" ];
+      root        = gitweb.apache.root;
+      extraConfig = [
+        gitweb.apache.vhostConf
+        mantisbt.apache.vhostConf
+        ''
+          RewriteEngine on
+          RewriteCond %{REQUEST_URI}       ^/releases
+          RewriteRule /releases(.*)        https://release.immae.eu$1 [P,L]
+          ''
+      ];
+    };
+    services.phpfpm.poolConfigs = {
+      mantisbt = mantisbt.phpFpm.pool;
+    };
+  };
+}
diff --git a/modules/private/websites/tools/git/gitweb.nix b/modules/private/websites/tools/git/gitweb.nix
new file mode 100644
index 00000000..2ee7a63a
--- /dev/null
+++ b/modules/private/websites/tools/git/gitweb.nix
@@ -0,0 +1,64 @@
+{ gitweb, writeText, gitolite, git, gitoliteDir, highlight }:
+rec {
+  varDir = gitoliteDir;
+  webRoot = gitweb;
+  config = writeText "gitweb.conf" ''
+    $git_temp = "/tmp";
+
+    # The directories where your projects are. Must not end with a
+    # slash.
+    $projectroot = "${varDir}/repositories";
+
+    $projects_list = "${varDir}/projects.list";
+    $strict_export = "true";
+
+    # Base URLs for links displayed in the web interface.
+    our @git_base_url_list = qw(ssh://gitolite@git.immae.eu https://git.immae.eu);
+
+    $feature{'blame'}{'default'} = [1];
+    $feature{'avatar'}{'default'} = ['gravatar'];
+    $feature{'highlight'}{'default'} = [1];
+
+    @stylesheets = ("gitweb-theme/gitweb.css");
+    $logo = "gitweb-theme/git-logo.png";
+    $favicon = "gitweb-theme/git-favicon.png";
+    $javascript = "gitweb-theme/gitweb.js";
+    $logo_url = "https://git.immae.eu/";
+    $projects_list_group_categories = "true";
+    $projects_list_description_width = 60;
+    $project_list_default_category = "__Others__";
+    $highlight_bin = "${highlight}/bin/highlight";
+    '';
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "cgid" ];
+    webappName = "tools_gitweb";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      SetEnv GIT_PROJECT_ROOT ${varDir}/repositories/
+      ScriptAliasMatch \
+                  "(?x)^/(.*/(HEAD | \
+                                  info/refs | \
+                                  objects/(info/[^/]+ | \
+                                          [0-9a-f]{2}/[0-9a-f]{38} | \
+                                          pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
+                                  git-(upload|receive)-pack))$" \
+                  ${git}/libexec/git-core/git-http-backend/$1
+
+      <Directory "${git}/libexec/git-core">
+        Require all granted
+      </Directory>
+      <Directory "${root}">
+        DirectoryIndex gitweb.cgi
+        Require all granted
+        AllowOverride None
+        Options ExecCGI FollowSymLinks
+        <Files gitweb.cgi>
+          SetHandler cgi-script
+          SetEnv  GITWEB_CONFIG  "${config}"
+        </Files>
+      </Directory>
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix
new file mode 100644
index 00000000..a1b830eb
--- /dev/null
+++ b/modules/private/websites/tools/git/mantisbt.nix
@@ -0,0 +1,96 @@
+{ env, mantisbt_2, mantisbt_2-plugins }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/mantisbt
+    '';
+  };
+  keys = [{
+    dest = "webapps/tools-mantisbt";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      $g_hostname              = '${env.postgresql.socket}';
+      $g_db_username           = '${env.postgresql.user}';
+      $g_db_password           = '${env.postgresql.password}';
+      $g_database_name         = '${env.postgresql.database}';
+      $g_db_type               = 'pgsql';
+      $g_crypto_master_salt    = '${env.master_salt}';
+      $g_allow_signup          = OFF;
+      $g_allow_anonymous_login = ON;
+      $g_anonymous_account     = 'anonymous';
+
+      $g_phpMailer_method       = PHPMAILER_METHOD_SENDMAIL;
+      $g_smtp_host              = 'localhost';
+      $g_smtp_username          = ''';
+      $g_smtp_password          = ''';
+      $g_webmaster_email        = 'mantisbt@tools.immae.eu';
+      $g_from_email             = 'mantisbt@tools.immae.eu';
+      $g_return_path_email      = 'mantisbt@tools.immae.eu';
+      $g_from_name              = 'Mantis Bug Tracker at git.immae.eu';
+      $g_email_receive_own      = OFF;
+      # --- LDAP ---
+      $g_login_method = LDAP;
+      $g_ldap_protocol_version = 3;
+      $g_ldap_server = 'ldaps://ldap.immae.eu:636';
+      $g_ldap_root_dn = 'ou=users,dc=immae,dc=eu';
+      $g_ldap_bind_dn = 'cn=mantisbt,ou=services,dc=immae,dc=eu';
+      $g_ldap_bind_passwd = '${env.ldap.password}';
+      $g_use_ldap_email = ON;
+      $g_use_ldap_realname = ON;
+      $g_ldap_uid_field = 'uid';
+      $g_ldap_realname_field = 'cn';
+      $g_ldap_organization = '(memberOf=cn=users,cn=mantisbt,ou=services,dc=immae,dc=eu)';
+    '';
+  }];
+  webRoot = (mantisbt_2.override { mantis_config = "/var/secrets/webapps/tools-mantisbt"; }).withPlugins (builtins.attrValues mantisbt_2-plugins);
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_mantisbt";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /mantisbt "${root}"
+      <Directory "${root}">
+        DirectoryIndex index.php
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        AllowOverride All
+        Options FollowSymlinks
+        Require all granted
+      </Directory>
+      <Directory "${root}/admin">
+        #Reenable during upgrade
+        Require all denied
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" (
+      [ webRoot "/var/secrets/webapps/tools-mantisbt" ]
+      ++ webRoot.plugins);
+    socket = "/var/run/phpfpm/mantisbt.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      php_admin_value[upload_max_filesize] = 5000000
+
+      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/mastodon/default.nix b/modules/private/websites/tools/mastodon/default.nix
new file mode 100644
index 00000000..d742a33a
--- /dev/null
+++ b/modules/private/websites/tools/mastodon/default.nix
@@ -0,0 +1,128 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  env = myconfig.env.tools.mastodon;
+  root = "/run/current-system/webapps/tools_mastodon";
+  cfg = config.myServices.websites.tools.mastodon;
+  mcfg = config.services.mastodon;
+in {
+  options.myServices.websites.tools.mastodon = {
+    enable = lib.mkEnableOption "enable mastodon's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [{
+      dest = "webapps/tools-mastodon";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0400";
+      text = ''
+        REDIS_HOST=${env.redis.host}
+        REDIS_PORT=${env.redis.port}
+        REDIS_DB=${env.redis.db}
+        DB_HOST=${env.postgresql.socket}
+        DB_USER=${env.postgresql.user}
+        DB_NAME=${env.postgresql.database}
+        DB_PASS=${env.postgresql.password}
+        DB_PORT=${env.postgresql.port}
+
+        LOCAL_DOMAIN=mastodon.immae.eu
+        LOCAL_HTTPS=true
+        ALTERNATE_DOMAINS=immae.eu
+
+        PAPERCLIP_SECRET=${env.paperclip_secret}
+        SECRET_KEY_BASE=${env.secret_key_base}
+        OTP_SECRET=${env.otp_secret}
+
+        VAPID_PRIVATE_KEY=${env.vapid.private}
+        VAPID_PUBLIC_KEY=${env.vapid.public}
+
+        SMTP_DELIVERY_METHOD=sendmail
+        SMTP_FROM_ADDRESS=mastodon@tools.immae.eu
+        SENDMAIL_LOCATION="/run/wrappers/bin/sendmail"
+        PAPERCLIP_ROOT_PATH=${mcfg.dataDir}
+
+        STREAMING_CLUSTER_NUM=1
+
+        RAILS_LOG_LEVEL=warn
+
+        # LDAP authentication (optional)
+        LDAP_ENABLED=true
+        LDAP_HOST=ldap.immae.eu
+        LDAP_PORT=636
+        LDAP_METHOD=simple_tls
+        LDAP_BASE="dc=immae,dc=eu"
+        LDAP_BIND_DN="cn=mastodon,ou=services,dc=immae,dc=eu"
+        LDAP_PASSWORD="${env.ldap.password}"
+        LDAP_UID="uid"
+        LDAP_SEARCH_FILTER="(&(%{uid}=%{email})(memberOf=cn=users,cn=mastodon,ou=services,dc=immae,dc=eu))"
+      '';
+    }];
+    services.mastodon = {
+      enable = true;
+      configFile = "/var/secrets/webapps/tools-mastodon";
+      socketsPrefix = "live_immae";
+      dataDir = "/var/lib/mastodon_immae";
+    };
+
+    services.websites.tools.modules = [
+      "headers" "proxy" "proxy_wstunnel" "proxy_http"
+    ];
+    system.extraSystemBuilderCmds = ''
+      mkdir -p $out/webapps
+      ln -s ${mcfg.workdir}/public/ $out/webapps/tools_mastodon
+      '';
+    services.websites.tools.vhostConfs.mastodon = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["mastodon.immae.eu" ];
+      root        = root;
+      extraConfig = [ ''
+        Header always set Referrer-Policy "strict-origin-when-cross-origin"
+        Header always set Strict-Transport-Security "max-age=31536000"
+
+        <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)>
+          Header always set Cache-Control "public, max-age=31536000, immutable"
+          Require all granted
+        </LocationMatch>
+
+        ProxyPreserveHost On
+        RequestHeader set X-Forwarded-Proto "https"
+
+        RewriteEngine On
+
+        ProxyPass /500.html !
+        ProxyPass /sw.js !
+        ProxyPass /embed.js !
+        ProxyPass /robots.txt !
+        ProxyPass /manifest.json !
+        ProxyPass /browserconfig.xml !
+        ProxyPass /mask-icon.svg !
+        ProxyPassMatch ^(/.*\.(png|ico|gif)$) !
+        ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
+
+        RewriteRule ^/api/v1/streaming/(.+)$ unix://${mcfg.sockets.node}|http://mastodon.immae.eu/api/v1/streaming/$1 [P,NE,QSA,L]
+        RewriteRule ^/api/v1/streaming/$ unix://${mcfg.sockets.node}|ws://mastodon.immae.eu/ [P,NE,QSA,L]
+        ProxyPass / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+        ProxyPassReverse / unix://${mcfg.sockets.rails}|http://mastodon.immae.eu/
+
+        Alias /system ${mcfg.dataDir}
+
+        <Directory ${mcfg.dataDir}>
+          Require all granted
+          Options -MultiViews
+        </Directory>
+
+        <Directory ${root}>
+          Require all granted
+          Options -MultiViews +FollowSymlinks
+        </Directory>
+
+        ErrorDocument 500 /500.html
+        ErrorDocument 501 /500.html
+        ErrorDocument 502 /500.html
+        ErrorDocument 503 /500.html
+        ErrorDocument 504 /500.html
+      '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/mgoblin/default.nix b/modules/private/websites/tools/mgoblin/default.nix
new file mode 100644
index 00000000..5da81f68
--- /dev/null
+++ b/modules/private/websites/tools/mgoblin/default.nix
@@ -0,0 +1,122 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  env = myconfig.env.tools.mediagoblin;
+  cfg = config.myServices.websites.tools.mediagoblin;
+  mcfg = config.services.mediagoblin;
+in {
+  options.myServices.websites.tools.mediagoblin = {
+    enable = lib.mkEnableOption "enable mediagoblin's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys = [{
+      dest = "webapps/tools-mediagoblin";
+      user = "mediagoblin";
+      group = "mediagoblin";
+      permissions = "0400";
+      text = ''
+        [DEFAULT]
+        data_basedir = "${mcfg.dataDir}"
+
+        [mediagoblin]
+        direct_remote_path = /mgoblin_static/
+        email_sender_address = "mediagoblin@tools.immae.eu"
+
+        #sql_engine = sqlite:///%(data_basedir)s/mediagoblin.db
+        sql_engine = ${env.psql_url}
+
+        email_debug_mode = false
+        allow_registration = false
+        allow_reporting = true
+
+        theme = airymodified
+
+        user_privilege_scheme = "uploader,commenter,reporter"
+
+        # We need to redefine them here since we override data_basedir
+        # cf /usr/share/webapps/mediagoblin/mediagoblin/config_spec.ini
+        workbench_path = %(data_basedir)s/media/workbench
+        crypto_path = %(data_basedir)s/crypto
+        theme_install_dir = %(data_basedir)s/themes/
+        theme_linked_assets_dir = %(data_basedir)s/theme_static/
+        plugin_linked_assets_dir = %(data_basedir)s/plugin_static/
+
+        [storage:queuestore]
+        base_dir = %(data_basedir)s/media/queue
+
+        [storage:publicstore]
+        base_dir = %(data_basedir)s/media/public
+        base_url = /mgoblin_media/
+
+        [celery]
+        CELERY_RESULT_DBURI = ${env.redis_url}
+        BROKER_URL = ${env.redis_url}
+        CELERYD_CONCURRENCY = 1
+
+        [plugins]
+          [[mediagoblin.plugins.geolocation]]
+          [[mediagoblin.plugins.ldap]]
+            [[[immae.eu]]]
+              LDAP_SERVER_URI = 'ldaps://ldap.immae.eu:636'
+              LDAP_SEARCH_BASE = 'dc=immae,dc=eu'
+              LDAP_BIND_DN = 'cn=mediagoblin,ou=services,dc=immae,dc=eu'
+              LDAP_BIND_PW = '${env.ldap.password}'
+              LDAP_SEARCH_FILTER = '(&(memberOf=cn=users,cn=mediagoblin,ou=services,dc=immae,dc=eu)(uid={username}))'
+              EMAIL_SEARCH_FIELD = 'mail'
+          [[mediagoblin.plugins.basicsearch]]
+          [[mediagoblin.plugins.piwigo]]
+          [[mediagoblin.plugins.processing_info]]
+          [[mediagoblin.media_types.image]]
+          [[mediagoblin.media_types.video]]
+        '';
+    }];
+
+    users.users.mediagoblin.extraGroups = [ "keys" ];
+
+    services.mediagoblin = {
+      enable     = true;
+      plugins    = builtins.attrValues pkgs.webapps.mediagoblin-plugins;
+      configFile = "/var/secrets/webapps/tools-mediagoblin";
+    };
+
+    services.websites.tools.modules = [
+      "proxy" "proxy_http"
+    ];
+    users.users.wwwrun.extraGroups = [ "mediagoblin" ];
+    services.websites.tools.vhostConfs.mgoblin = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["mgoblin.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+        Alias /mgoblin_media ${mcfg.dataDir}/media/public
+        <Directory ${mcfg.dataDir}/media/public>
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Require all granted
+        </Directory>
+
+        Alias /theme_static ${mcfg.dataDir}/theme_static
+        <Directory ${mcfg.dataDir}/theme_static>
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Require all granted
+        </Directory>
+
+        Alias /plugin_static ${mcfg.dataDir}/plugin_static
+        <Directory ${mcfg.dataDir}/plugin_static>
+          Options -Indexes +FollowSymLinks +MultiViews +Includes
+          Require all granted
+        </Directory>
+
+        ProxyPreserveHost on
+        ProxyVia On
+        ProxyRequests Off
+        ProxyPass /mgoblin_media !
+        ProxyPass /theme_static !
+        ProxyPass /plugin_static !
+        ProxyPassMatch ^/.well-known/acme-challenge !
+        ProxyPass / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
+        ProxyPassReverse / unix://${mcfg.sockets.paster}|http://mgoblin.immae.eu/
+      '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/peertube/default.nix b/modules/private/websites/tools/peertube/default.nix
new file mode 100644
index 00000000..dee1b81d
--- /dev/null
+++ b/modules/private/websites/tools/peertube/default.nix
@@ -0,0 +1,179 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  env = myconfig.env.tools.peertube;
+  cfg = config.myServices.websites.tools.peertube;
+  pcfg = config.services.peertube;
+in {
+  options.myServices.websites.tools.peertube = {
+    enable = lib.mkEnableOption "enable Peertube's website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.peertube = {
+      enable = true;
+      configFile = "/var/secrets/webapps/tools-peertube";
+      package = pkgs.webapps.peertube.override { ldap = true; };
+    };
+    users.users.peertube.extraGroups = [ "keys" ];
+
+    secrets.keys = [{
+      dest = "webapps/tools-peertube";
+      user = "peertube";
+      group = "peertube";
+      permissions = "0640";
+      text = ''
+        listen:
+          hostname: 'localhost'
+          port: ${env.listenPort}
+        webserver:
+          https: true
+          hostname: 'peertube.immae.eu'
+          port: 443
+        trust_proxy:
+          - 'loopback'
+        database:
+          hostname: '${env.postgresql.socket}'
+          port: 5432
+          suffix: '_prod'
+          username: '${env.postgresql.user}'
+          password: '${env.postgresql.password}'
+          pool:
+            max: 5
+        redis:
+          socket: '${env.redis.socket}'
+          auth: null
+          db: ${env.redis.db_index}
+        ldap:
+          enable: true
+          ldap_only: false
+          url: ldaps://${env.ldap.host}/${env.ldap.base}
+          bind_dn: ${env.ldap.dn}
+          bind_password: ${env.ldap.password}
+          base: ${env.ldap.base}
+          mail_entry: "mail"
+          user_filter: "${env.ldap.filter}"
+        smtp:
+          transport: sendmail
+          sendmail: '/run/wrappers/bin/sendmail'
+          hostname: null
+          port: 465 # If you use StartTLS: 587
+          username: null
+          password: null
+          tls: true # If you use StartTLS: false
+          disable_starttls: false
+          ca_file: null # Used for self signed certificates
+          from_address: 'peertube@tools.immae.eu'
+        storage:
+          tmp: '${pcfg.dataDir}/storage/tmp/'
+          avatars: '${pcfg.dataDir}/storage/avatars/'
+          videos: '${pcfg.dataDir}/storage/videos/'
+          redundancy: '${pcfg.dataDir}/storage/videos/'
+          logs: '${pcfg.dataDir}/storage/logs/'
+          previews: '${pcfg.dataDir}/storage/previews/'
+          thumbnails: '${pcfg.dataDir}/storage/thumbnails/'
+          torrents: '${pcfg.dataDir}/storage/torrents/'
+          captions: '${pcfg.dataDir}/storage/captions/'
+          cache: '${pcfg.dataDir}/storage/cache/'
+        log:
+          level: 'info'
+        search:
+          remote_uri:
+            users: true
+            anonymous: false
+        trending:
+          videos:
+            interval_days: 7
+        redundancy:
+          videos:
+            check_interval: '1 hour' # How often you want to check new videos to cache
+            strategies: # Just uncomment strategies you want
+        # Following are saved in local-production.json
+        cache:
+          previews:
+            size: 500 # Max number of previews you want to cache
+          captions:
+            size: 500 # Max number of video captions/subtitles you want to cache
+        admin:
+          email: 'peertube@tools.immae.eu'
+        contact_form:
+          enabled: true
+        signup:
+          enabled: false
+          limit: 10
+          requires_email_verification: false
+          filters:
+            cidr:
+              whitelist: []
+              blacklist: []
+        user:
+          video_quota: -1
+          video_quota_daily: -1
+        transcoding:
+          enabled: false
+          allow_additional_extensions: true
+          threads: 1
+          resolutions:
+            240p: false
+            360p: false
+            480p: true
+            720p: true
+            1080p: true
+          hls:
+            enabled: false
+        import:
+          videos:
+            http:
+              enabled: true
+            torrent:
+              enabled: false
+        instance:
+          name: 'Immae&#x2019;s PeerTube'
+          short_description: 'PeerTube, a federated (ActivityPub) video streaming platform using P2P (BitTorrent) directly in the web browser with WebTorrent and Angular.'
+          description: '''
+          terms: '''
+          default_client_route: '/videos/trending'
+          default_nsfw_policy: 'blur'
+          customizations:
+            javascript: '''
+            css: '''
+          robots: |
+            User-agent: *
+            Disallow:
+          securitytxt:
+            "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
+        services:
+          # You can provide a reporting endpoint for Content Security Policy violations
+          csp-logger:
+          twitter:
+            username: '@_immae'
+            whitelisted: false
+        '';
+    }];
+
+    services.websites.tools.modules = [
+      "headers" "proxy" "proxy_http" "proxy_wstunnel"
+    ];
+    services.websites.tools.vhostConfs.peertube = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = [ "peertube.immae.eu" ];
+      root        = null;
+      extraConfig = [ ''
+          RewriteEngine On
+
+          RewriteCond %{REQUEST_URI}  ^/socket.io            [NC]
+          RewriteCond %{QUERY_STRING} transport=websocket    [NC]
+          RewriteRule /(.*)           ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
+
+          RewriteCond %{REQUEST_URI}  ^/tracker/socket       [NC]
+          RewriteRule /(.*)           ws://localhost:${env.listenPort}/$1 [P,NE,QSA,L]
+
+          ProxyPass /        http://localhost:${env.listenPort}/
+          ProxyPassReverse / http://localhost:${env.listenPort}/
+
+          ProxyPreserveHost On
+          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+      '' ];
+    };
+  };
+}
diff --git a/modules/private/websites/tools/tools/adminer.nix b/modules/private/websites/tools/tools/adminer.nix
new file mode 100644
index 00000000..cd51e7fe
--- /dev/null
+++ b/modules/private/websites/tools/tools/adminer.nix
@@ -0,0 +1,47 @@
+{ adminer }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/adminer
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/tmp/adminer
+      '';
+  };
+  webRoot = adminer;
+  phpFpm = rec {
+    socket = "/var/run/phpfpm/adminer.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 5
+      pm.process_idle_timeout = 60
+      ;php_admin_flag[log_errors] = on
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = AdminerPHPSESSID
+      php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer"
+      php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer"
+      '';
+  };
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "_adminer";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /adminer ${root}
+      <Directory ${root}>
+        DirectoryIndex index.php
+        Require all granted
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix
new file mode 100644
index 00000000..94a2be16
--- /dev/null
+++ b/modules/private/websites/tools/tools/default.nix
@@ -0,0 +1,302 @@
+{ lib, pkgs, config, myconfig,  ... }:
+let
+  adminer = pkgs.callPackage ./adminer.nix {
+    inherit (pkgs.webapps) adminer;
+  };
+  ympd = pkgs.callPackage ./ympd.nix {
+    env = myconfig.env.tools.ympd;
+  };
+  ttrss = pkgs.callPackage ./ttrss.nix {
+    inherit (pkgs.webapps) ttrss ttrss-plugins;
+    env = myconfig.env.tools.ttrss;
+  };
+  roundcubemail = pkgs.callPackage ./roundcubemail.nix {
+    inherit (pkgs.webapps) roundcubemail roundcubemail-plugins roundcubemail-skins;
+    env = myconfig.env.tools.roundcubemail;
+  };
+  rainloop = pkgs.callPackage ./rainloop.nix  {};
+  kanboard = pkgs.callPackage ./kanboard.nix  {
+    env = myconfig.env.tools.kanboard;
+  };
+  wallabag = pkgs.callPackage ./wallabag.nix {
+    inherit (pkgs.webapps) wallabag;
+    env = myconfig.env.tools.wallabag;
+  };
+  yourls = pkgs.callPackage ./yourls.nix {
+    inherit (pkgs.webapps) yourls yourls-plugins;
+    env = myconfig.env.tools.yourls;
+  };
+  rompr = pkgs.callPackage ./rompr.nix {
+    inherit (pkgs.webapps) rompr;
+    env = myconfig.env.tools.rompr;
+  };
+  shaarli = pkgs.callPackage ./shaarli.nix {
+    env = myconfig.env.tools.shaarli;
+  };
+  dokuwiki = pkgs.callPackage ./dokuwiki.nix {
+    inherit (pkgs.webapps) dokuwiki dokuwiki-plugins;
+  };
+  ldap = pkgs.callPackage ./ldap.nix {
+    inherit (pkgs.webapps) phpldapadmin;
+    env = myconfig.env.tools.phpldapadmin;
+  };
+
+  cfg = config.myServices.websites.tools.tools;
+in {
+  options.myServices.websites.tools.tools = {
+    enable = lib.mkEnableOption "enable tools website";
+  };
+
+  config = lib.mkIf cfg.enable {
+    secrets.keys =
+      kanboard.keys
+      ++ ldap.keys
+      ++ roundcubemail.keys
+      ++ shaarli.keys
+      ++ ttrss.keys
+      ++ wallabag.keys
+      ++ yourls.keys;
+
+    services.websites.integration.modules =
+      rainloop.apache.modules;
+
+    services.websites.tools.modules =
+      [ "proxy_fcgi" ]
+      ++ adminer.apache.modules
+      ++ ympd.apache.modules
+      ++ ttrss.apache.modules
+      ++ roundcubemail.apache.modules
+      ++ wallabag.apache.modules
+      ++ yourls.apache.modules
+      ++ rompr.apache.modules
+      ++ shaarli.apache.modules
+      ++ dokuwiki.apache.modules
+      ++ ldap.apache.modules
+      ++ kanboard.apache.modules;
+
+    services.websites.integration.vhostConfs.devtools = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["devtools.immae.eu" ];
+      root        = "/var/lib/ftp/devtools.immae.eu";
+      extraConfig = [
+        ''
+          <Directory "/var/lib/ftp/devtools.immae.eu">
+            DirectoryIndex index.php index.htm index.html
+            AllowOverride all
+            Require all granted
+            <FilesMatch "\.php$">
+              SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost"
+            </FilesMatch>
+          </Directory>
+          ''
+        rainloop.apache.vhostConf
+      ];
+    };
+
+    services.websites.tools.vhostConfs.tools = {
+      certName    = "eldiron";
+      addToCerts  = true;
+      hosts       = ["tools.immae.eu" ];
+      root        = "/var/lib/ftp/tools.immae.eu";
+      extraConfig = [
+        ''
+          <Directory "/var/lib/ftp/tools.immae.eu">
+            DirectoryIndex index.php index.htm index.html
+            AllowOverride all
+            Require all granted
+            <FilesMatch "\.php$">
+              SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost"
+            </FilesMatch>
+          </Directory>
+          ''
+        adminer.apache.vhostConf
+        ympd.apache.vhostConf
+        ttrss.apache.vhostConf
+        roundcubemail.apache.vhostConf
+        wallabag.apache.vhostConf
+        yourls.apache.vhostConf
+        rompr.apache.vhostConf
+        shaarli.apache.vhostConf
+        dokuwiki.apache.vhostConf
+        ldap.apache.vhostConf
+        kanboard.apache.vhostConf
+      ];
+    };
+
+    services.websites.tools.vhostConfs.outils = {
+      certName   = "eldiron";
+      addToCerts = true;
+      hosts      = [ "outils.immae.eu" ];
+      root       = null;
+      extraConfig = [
+        ''
+        RedirectMatch 301 ^/mediagoblin(.*)$ https://mgoblin.immae.eu$1
+
+        RedirectMatch 301 ^/ether(.*)$       https://ether.immae.eu$1
+
+        RedirectMatch 301 ^/nextcloud(.*)$   https://cloud.immae.eu$1
+        RedirectMatch 301 ^/owncloud(.*)$    https://cloud.immae.eu$1
+
+        RedirectMatch 301 ^/carddavmate(.*)$ https://dav.immae.eu/infcloud$1
+        RedirectMatch 301 ^/caldavzap(.*)$   https://dav.immae.eu/infcloud$1
+        RedirectMatch 301 ^/caldav.php(.*)$  https://dav.immae.eu/caldav.php$1
+        RedirectMatch 301 ^/davical(.*)$     https://dav.immae.eu/davical$1
+
+        RedirectMatch 301 ^/taskweb(.*)$     https://task.immae.eu/taskweb$1
+
+        RedirectMatch 301 ^/(.*)$            https://tools.immae.eu/$1
+        ''
+      ];
+    };
+
+    systemd.services = {
+      phpfpm-dokuwiki = {
+        after = lib.mkAfter dokuwiki.phpFpm.serviceDeps;
+        wants = dokuwiki.phpFpm.serviceDeps;
+      };
+      phpfpm-kanboard = {
+        after = lib.mkAfter kanboard.phpFpm.serviceDeps;
+        wants = kanboard.phpFpm.serviceDeps;
+      };
+      phpfpm-ldap = {
+        after = lib.mkAfter ldap.phpFpm.serviceDeps;
+        wants = ldap.phpFpm.serviceDeps;
+      };
+      phpfpm-rainloop = {
+        after = lib.mkAfter rainloop.phpFpm.serviceDeps;
+        wants = rainloop.phpFpm.serviceDeps;
+      };
+      phpfpm-roundcubemail = {
+        after = lib.mkAfter roundcubemail.phpFpm.serviceDeps;
+        wants = roundcubemail.phpFpm.serviceDeps;
+      };
+      phpfpm-shaarli = {
+        after = lib.mkAfter shaarli.phpFpm.serviceDeps;
+        wants = shaarli.phpFpm.serviceDeps;
+      };
+      phpfpm-ttrss = {
+        after = lib.mkAfter ttrss.phpFpm.serviceDeps;
+        wants = ttrss.phpFpm.serviceDeps;
+      };
+      phpfpm-wallabag = {
+        after = lib.mkAfter wallabag.phpFpm.serviceDeps;
+        wants = wallabag.phpFpm.serviceDeps;
+        preStart = lib.mkAfter wallabag.phpFpm.preStart;
+      };
+      phpfpm-yourls = {
+        after = lib.mkAfter yourls.phpFpm.serviceDeps;
+        wants = yourls.phpFpm.serviceDeps;
+      };
+      ympd = {
+        description = "Standalone MPD Web GUI written in C";
+        wantedBy = [ "multi-user.target" ];
+        script = ''
+          export MPD_PASSWORD=$(cat /var/secrets/mpd)
+          ${pkgs.ympd}/bin/ympd --host ${ympd.config.host} --port ${toString ympd.config.port} --webport ${ympd.config.webPort} --user nobody
+          '';
+      };
+      tt-rss = {
+        description = "Tiny Tiny RSS feeds update daemon";
+        serviceConfig = {
+          User = "wwwrun";
+          ExecStart = "${pkgs.php}/bin/php ${ttrss.webRoot}/update.php --daemon";
+          StandardOutput = "syslog";
+          StandardError = "syslog";
+          PermissionsStartOnly = true;
+        };
+
+        wantedBy = [ "multi-user.target" ];
+        requires = ["postgresql.service"];
+        after = ["network.target" "postgresql.service"];
+      };
+    };
+
+    services.phpfpm.pools.roundcubemail = {
+      listen = roundcubemail.phpFpm.socket;
+      extraConfig = roundcubemail.phpFpm.pool;
+      phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig;
+    };
+
+    services.phpfpm.pools.devtools = {
+      listen = "/var/run/phpfpm/devtools.sock";
+      extraConfig = ''
+        user = wwwrun
+        group = wwwrun
+        listen.owner = wwwrun
+        listen.group = wwwrun
+        pm = dynamic
+        pm.max_children = 60
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 10
+
+        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"
+        '';
+      phpOptions = config.services.phpfpm.phpOptions + ''
+        extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
+        extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so
+        '';
+    };
+
+    services.phpfpm.poolConfigs = {
+      adminer = adminer.phpFpm.pool;
+      ttrss = ttrss.phpFpm.pool;
+      wallabag = wallabag.phpFpm.pool;
+      yourls = yourls.phpFpm.pool;
+      rompr = rompr.phpFpm.pool;
+      shaarli = shaarli.phpFpm.pool;
+      dokuwiki = dokuwiki.phpFpm.pool;
+      ldap = ldap.phpFpm.pool;
+      rainloop = rainloop.phpFpm.pool;
+      kanboard = kanboard.phpFpm.pool;
+      tools = ''
+        listen = /var/run/phpfpm/tools.sock
+        user = wwwrun
+        group = wwwrun
+        listen.owner = wwwrun
+        listen.group = wwwrun
+        pm = dynamic
+        pm.max_children = 60
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 10
+
+        ; Needed to avoid clashes in browser cookies (same domain)
+        php_value[session.name] = ToolsPHPSESSID
+        php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"
+        '';
+    };
+
+    system.activationScripts = {
+      adminer = adminer.activationScript;
+      ttrss = ttrss.activationScript;
+      roundcubemail = roundcubemail.activationScript;
+      wallabag = wallabag.activationScript;
+      yourls = yourls.activationScript;
+      rompr = rompr.activationScript;
+      shaarli = shaarli.activationScript;
+      dokuwiki = dokuwiki.activationScript;
+      rainloop = rainloop.activationScript;
+      kanboard = kanboard.activationScript;
+      ldap = ldap.activationScript;
+    };
+
+    myServices.websites.webappDirs = {
+      _adminer = adminer.webRoot;
+      "${dokuwiki.apache.webappName}" = dokuwiki.webRoot;
+      "${ldap.apache.webappName}" = "${ldap.webRoot}/htdocs";
+      "${rompr.apache.webappName}" = rompr.webRoot;
+      "${roundcubemail.apache.webappName}" = roundcubemail.webRoot;
+      "${shaarli.apache.webappName}" = shaarli.webRoot;
+      "${ttrss.apache.webappName}" = ttrss.webRoot;
+      "${wallabag.apache.webappName}" = wallabag.webRoot;
+      "${yourls.apache.webappName}" = yourls.webRoot;
+      "${rainloop.apache.webappName}" = rainloop.webRoot;
+      "${kanboard.apache.webappName}" = kanboard.webRoot;
+    };
+
+  };
+}
+
diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix
new file mode 100644
index 00000000..c61d15f2
--- /dev/null
+++ b/modules/private/websites/tools/tools/dokuwiki.nix
@@ -0,0 +1,61 @@
+{ lib, stdenv, dokuwiki, dokuwiki-plugins }:
+rec {
+  varDir = "/var/lib/dokuwiki";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      if [ ! -d ${varDir} ]; then
+        install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+          ${varDir}/animals
+        cp -a ${webRoot}/conf.dist ${varDir}/conf
+        cp -a ${webRoot}/data.dist ${varDir}/data
+        cp -a ${webRoot}/
+        chown -R ${apache.user}:${apache.user} ${varDir}/config ${varDir}/data
+        chmod -R 755 ${varDir}/config ${varDir}/data
+      fi
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+    '';
+  };
+  webRoot = dokuwiki.withPlugins (builtins.attrValues dokuwiki-plugins);
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_dokuwiki";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /dokuwiki "${root}"
+      <Directory "${root}">
+        DirectoryIndex index.php
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        AllowOverride All
+        Options +FollowSymlinks
+        Require all granted
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" (
+      [ webRoot varDir ] ++ webRoot.plugins);
+    socket = "/var/run/phpfpm/dokuwiki.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = DokuwikiPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix
new file mode 100644
index 00000000..68f92b81
--- /dev/null
+++ b/modules/private/websites/tools/tools/kanboard.nix
@@ -0,0 +1,86 @@
+{ env, kanboard }:
+rec {
+  varDir = "/var/lib/kanboard";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+      install -TDm644 ${webRoot}/dataold/.htaccess ${varDir}/data/.htaccess
+      install -TDm644 ${webRoot}/dataold/web.config ${varDir}/data/web.config
+    '';
+  };
+  keys = [{
+    dest = "webapps/tools-kanboard";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      define('MAIL_FROM', 'kanboard@tools.immae.eu');
+
+      define('DB_DRIVER', 'postgres');
+      define('DB_USERNAME', '${env.postgresql.user}');
+      define('DB_PASSWORD', '${env.postgresql.password}');
+      define('DB_HOSTNAME', '${env.postgresql.socket}');
+      define('DB_NAME', '${env.postgresql.database}');
+
+      define('DATA_DIR', '${varDir}');
+      define('LDAP_AUTH', true);
+      define('LDAP_SERVER', '${env.ldap.host}');
+      define('LDAP_START_TLS', true);
+
+      define('LDAP_BIND_TYPE', 'proxy');
+      define('LDAP_USERNAME', '${env.ldap.dn}');
+      define('LDAP_PASSWORD', '${env.ldap.password}');
+      define('LDAP_USER_BASE_DN', '${env.ldap.base}');
+      define('LDAP_USER_FILTER', '(&(memberOf=cn=users,cn=kanboard,ou=services,dc=immae,dc=eu)(uid=%s))');
+      define('LDAP_GROUP_ADMIN_DN', 'cn=admins,cn=kanboard,ou=services,dc=immae,dc=eu');
+      ?>
+      '';
+  }];
+  webRoot = kanboard { kanboard_config = "/var/secrets/webapps/tools-kanboard"; };
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_kanboard";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    Alias /kanboard "${root}"
+    <Directory "${root}">
+      DirectoryIndex index.php
+      AllowOverride All
+      Options FollowSymlinks
+      Require all granted
+
+      <FilesMatch "\.php$">
+        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+      </FilesMatch>
+    </Directory>
+    <DirectoryMatch "${root}/data">
+      Require all denied
+    </DirectoryMatch>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ];
+    socket = "/var/run/phpfpm/kanboard.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = KanboardPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix
new file mode 100644
index 00000000..4585ee3c
--- /dev/null
+++ b/modules/private/websites/tools/tools/ldap.nix
@@ -0,0 +1,74 @@
+{ lib, php, env, writeText, phpldapadmin }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/phpldapadmin
+      '';
+  };
+  keys = [{
+    dest = "webapps/tools-ldap";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      $config->custom->appearance['show_clear_password'] = true;
+      $config->custom->appearance['hide_template_warning'] = true;
+      $config->custom->appearance['theme'] = "tango";
+      $config->custom->appearance['minimalMode'] = true;
+
+      $servers = new Datastore();
+
+      $servers->newServer('ldap_pla');
+      $servers->setValue('server','name','Immae&#x2019;s LDAP');
+      $servers->setValue('server','host','ldaps://${env.ldap.host}');
+      $servers->setValue('login','auth_type','cookie');
+      $servers->setValue('login','bind_id','${env.ldap.dn}');
+      $servers->setValue('login','bind_pass','${env.ldap.password}');
+      $servers->setValue('appearance','password_hash','ssha');
+      $servers->setValue('login','attr','uid');
+      $servers->setValue('login','fallback_dn',true);
+      '';
+  }];
+  webRoot = phpldapadmin.override { config = "/var/secrets/webapps/tools-ldap"; };
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_ldap";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /ldap "${root}"
+      <Directory "${root}">
+        DirectoryIndex index.php
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        AllowOverride None
+        Require all granted
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ];
+    socket = "/var/run/phpfpm/ldap.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = LdapPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/rainloop.nix b/modules/private/websites/tools/tools/rainloop.nix
new file mode 100644
index 00000000..dbf0f248
--- /dev/null
+++ b/modules/private/websites/tools/tools/rainloop.nix
@@ -0,0 +1,59 @@
+{ lib, pkgs, writeText, stdenv, fetchurl }:
+rec {
+  varDir = "/var/lib/rainloop";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/data
+    '';
+  };
+  webRoot = pkgs.rainloop-community.override { dataPath = "${varDir}/data"; };
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_rainloop";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    Alias /rainloop "${root}"
+    <Directory "${root}">
+      DirectoryIndex index.php
+      AllowOverride All
+      Options -FollowSymlinks
+      Require all granted
+
+      <FilesMatch "\.php$">
+        SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+      </FilesMatch>
+    </Directory>
+
+    <DirectoryMatch "${root}/data">
+      Require all denied
+    </DirectoryMatch>
+    '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
+    socket = "/var/run/phpfpm/rainloop.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = RainloopPHPSESSID
+      php_admin_value[upload_max_filesize] = 200M
+      php_admin_value[post_max_size] = 200M
+      php_admin_value[open_basedir] = "${basedir}:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix
new file mode 100644
index 00000000..fea59fc9
--- /dev/null
+++ b/modules/private/websites/tools/tools/rompr.nix
@@ -0,0 +1,77 @@
+{ lib, env, rompr }:
+rec {
+  varDir = "/var/lib/rompr";
+  activationScript = ''
+    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+      ${varDir}/prefs ${varDir}/albumart ${varDir}/phpSessions
+  '';
+  webRoot = rompr;
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "headers" "mime" "proxy_fcgi" ];
+    webappName = "tools_rompr";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /rompr ${root}
+
+      <Directory ${root}>
+        Options Indexes FollowSymLinks
+        DirectoryIndex index.php
+        AllowOverride all
+        Require all granted
+        Order allow,deny
+        Allow from all
+        ErrorDocument 404 /rompr/404.php
+        AddType image/x-icon .ico
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+
+      <Directory ${root}/albumart/small>
+          Header Set Cache-Control "max-age=0, no-store"
+          Header Set Cache-Control "no-cache, must-revalidate"
+      </Directory>
+
+      <Directory ${root}/albumart/asdownloaded>
+          Header Set Cache-Control "max-age=0, no-store"
+          Header Set Cache-Control "no-cache, must-revalidate"
+      </Directory>
+
+      <LocationMatch "^/rompr">
+        Use LDAPConnect
+        Require ldap-group   cn=users,cn=mpd,ou=services,dc=immae,dc=eu
+      </LocationMatch>
+      '';
+  };
+  phpFpm = rec {
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
+    socket = "/var/run/phpfpm/rompr.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = RomprPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      php_flag[magic_quotes_gpc] = Off
+      php_flag[track_vars] = On
+      php_flag[register_globals] = Off
+      php_admin_flag[allow_url_fopen] = On
+      php_value[include_path] = ${webRoot}
+      php_admin_value[upload_tmp_dir] = "${varDir}/prefs"
+      php_admin_value[post_max_size] = 32M
+      php_admin_value[upload_max_filesize] = 32M
+      php_admin_value[memory_limit] = 256M
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/roundcubemail.nix b/modules/private/websites/tools/tools/roundcubemail.nix
new file mode 100644
index 00000000..8974d1bb
--- /dev/null
+++ b/modules/private/websites/tools/tools/roundcubemail.nix
@@ -0,0 +1,121 @@
+{ env, roundcubemail, roundcubemail-plugins, roundcubemail-skins, phpPackages, apacheHttpd }:
+rec {
+  varDir = "/var/lib/roundcubemail";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+        ${varDir}/cache ${varDir}/logs
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+    '';
+  };
+  keys = [{
+    dest = "webapps/tools-roundcube";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+        $config['db_dsnw'] = '${env.psql_url}';
+        $config['default_host'] = 'ssl://mail.immae.eu';
+        $config['imap_conn_options'] = array("ssl" => array("verify_peer" => false));
+        $config['smtp_server'] = 'tls://mail.immae.eu';
+        $config['smtp_port'] = '25';
+        $config['managesieve_host'] = 'mail.immae.eu';
+        $config['managesieve_port'] = '4190';
+        $config['managesieve_usetls'] = true;
+        $config['managesieve_conn_options'] = array("ssl" => array("verify_peer" => false));
+
+        $config['imap_cache'] = 'db';
+        $config['messages_cache'] = 'db';
+
+        $config['support_url'] = ''';
+
+        $config['des_key'] = '${env.secret}';
+
+        $config['skin'] = 'elastic';
+        $config['plugins'] = array(
+          'attachment_reminder',
+          'emoticons',
+          'filesystem_attachments',
+          'hide_blockquote',
+          'identicon',
+          'identity_select',
+          'jqueryui',
+          'managesieve',
+          'newmail_notifier',
+          'vcard_attachments',
+          'zipdownload',
+
+          'automatic_addressbook',
+          'message_highlight',
+          'carddav',
+          // Ne marche pas ?: 'ident_switch',
+          // Ne marche pas ?: 'thunderbird_labels',
+        );
+
+        $config['language'] = 'fr_FR';
+
+        $config['drafts_mbox'] = 'Mail/Drafts';
+        $config['junk_mbox'] = 'Mail/Spam';
+        $config['sent_mbox'] = 'Mail/sent';
+        $config['trash_mbox'] = ''';
+        $config['default_folders'] = array('INBOX', 'Mail/Drafts', 'Mail/sent', 'Mail/Spam', ''');
+        $config['draft_autosave'] = 60;
+        $config['enable_installer'] = false;
+        $config['log_driver'] = 'file';
+        $config['temp_dir'] = '${varDir}/cache';
+        $config['mime_types'] = '${apacheHttpd}/conf/mime.types';
+    '';
+  }];
+  webRoot = (roundcubemail.override { roundcube_config = "/var/secrets/webapps/tools-roundcube"; }).withPlugins
+    (builtins.attrValues roundcubemail-plugins) (builtins.attrValues roundcubemail-skins);
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_roundcubemail";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+    Alias /roundcube "${root}"
+    <Directory "${root}">
+        DirectoryIndex index.php
+        AllowOverride All
+        Options FollowSymlinks
+        Require all granted
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" ];
+    basedir = builtins.concatStringsSep ":" (
+      [ webRoot "/var/secrets/webapps/tools-roundcube" varDir ]
+      ++ webRoot.plugins
+      ++ webRoot.skins);
+    phpConfig = ''
+      date.timezone = 'CET'
+      extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
+      '';
+    socket = "/var/run/phpfpm/roundcubemail.sock";
+    pool = ''
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = RoundcubemailPHPSESSID
+      php_admin_value[upload_max_filesize] = 200M
+      php_admin_value[post_max_size] = 200M
+      php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix
new file mode 100644
index 00000000..2e89a473
--- /dev/null
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -0,0 +1,65 @@
+{ lib, env, stdenv, fetchurl, shaarli }:
+let
+  varDir = "/var/lib/shaarli";
+in rec {
+  activationScript = ''
+    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+      ${varDir}/cache ${varDir}/pagecache ${varDir}/tmp ${varDir}/data \
+      ${varDir}/phpSessions
+    '';
+  webRoot = shaarli varDir;
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules =  [ "proxy_fcgi" "rewrite" "env" ];
+    webappName = "tools_shaarli";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /Shaarli "${root}"
+
+      Include /var/secrets/webapps/tools-shaarli
+      <Directory "${root}">
+        DirectoryIndex index.php index.htm index.html
+        Options Indexes FollowSymLinks MultiViews Includes
+        AllowOverride All
+        Require all granted
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+      </Directory>
+      '';
+  };
+  keys = [{
+    dest = "webapps/tools-shaarli";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      SetEnv SHAARLI_LDAP_PASSWORD "${env.ldap.password}"
+      SetEnv SHAARLI_LDAP_DN       "${env.ldap.dn}"
+      SetEnv SHAARLI_LDAP_HOST     "ldaps://${env.ldap.host}"
+      SetEnv SHAARLI_LDAP_BASE     "${env.ldap.base}"
+      SetEnv SHAARLI_LDAP_FILTER   "${env.ldap.search}"
+      '';
+  }];
+  phpFpm = rec {
+    serviceDeps = [ "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
+    socket = "/var/run/phpfpm/shaarli.sock";
+    pool = ''
+        listen = ${socket}
+        user = ${apache.user}
+        group = ${apache.group}
+        listen.owner = ${apache.user}
+        listen.group = ${apache.group}
+        pm = ondemand
+        pm.max_children = 60
+        pm.process_idle_timeout = 60
+
+        ; Needed to avoid clashes in browser cookies (same domain)
+        php_value[session.name] = ShaarliPHPSESSID
+        php_admin_value[open_basedir] = "${basedir}:/tmp"
+        php_admin_value[session.save_path] = "${varDir}/phpSessions"
+    '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix
new file mode 100644
index 00000000..05c8cab0
--- /dev/null
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -0,0 +1,131 @@
+{ php, env, ttrss, ttrss-plugins }:
+rec {
+  varDir = "/var/lib/ttrss";
+  activationScript = {
+    deps = [ "wrappers" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+        ${varDir}/lock ${varDir}/cache ${varDir}/feed-icons
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir}/cache/export/ \
+        ${varDir}/cache/feeds/ \
+        ${varDir}/cache/images/ \
+        ${varDir}/cache/js/ \
+        ${varDir}/cache/simplepie/ \
+        ${varDir}/cache/upload/
+      touch ${varDir}/feed-icons/index.html
+      install -m 0750 -o ${apache.user} -g ${apache.group} -d ${varDir}/phpSessions
+    '';
+  };
+  keys = [{
+    dest = "webapps/tools-ttrss";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+
+        define('PHP_EXECUTABLE', '${php}/bin/php');
+
+        define('LOCK_DIRECTORY', 'lock');
+        define('CACHE_DIR', 'cache');
+        define('ICONS_DIR', 'feed-icons');
+        define('ICONS_URL', 'feed-icons');
+        define('SELF_URL_PATH', 'https://tools.immae.eu/ttrss/');
+
+        define('MYSQL_CHARSET', 'UTF8');
+
+        define('DB_TYPE', 'pgsql');
+        define('DB_HOST', '${env.postgresql.socket}');
+        define('DB_USER', '${env.postgresql.user}');
+        define('DB_NAME', '${env.postgresql.database}');
+        define('DB_PASS', '${env.postgresql.password}');
+        define('DB_PORT', '${env.postgresql.port}');
+
+        define('AUTH_AUTO_CREATE', true);
+        define('AUTH_AUTO_LOGIN', true);
+
+        define('SINGLE_USER_MODE', false);
+
+        define('SIMPLE_UPDATE_MODE', false);
+        define('CHECK_FOR_UPDATES', true);
+
+        define('FORCE_ARTICLE_PURGE', 0);
+        define('SESSION_COOKIE_LIFETIME', 60*60*24*120);
+        define('ENABLE_GZIP_OUTPUT', false);
+
+        define('PLUGINS', 'auth_ldap, note, instances');
+
+        define('LOG_DESTINATION', ''');
+        define('CONFIG_VERSION', 26);
+
+
+        define('SPHINX_SERVER', 'localhost:9312');
+        define('SPHINX_INDEX', 'ttrss, delta');
+
+        define('ENABLE_REGISTRATION', false);
+        define('REG_NOTIFY_ADDRESS', 'ttrss@tools.immae.eu');
+        define('REG_MAX_USERS', 10);
+
+        define('SMTP_FROM_NAME', 'Tiny Tiny RSS');
+        define('SMTP_FROM_ADDRESS', 'ttrss@tools.immae.eu');
+        define('DIGEST_SUBJECT', '[tt-rss] New headlines for last 24 hours');
+
+        define('LDAP_AUTH_SERVER_URI', 'ldap://ldap.immae.eu:389/');
+        define('LDAP_AUTH_USETLS', TRUE);
+        define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE);
+        define('LDAP_AUTH_BASEDN', 'dc=immae,dc=eu');
+        define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
+        define('LDAP_AUTH_SEARCHFILTER', '(&(memberOf=cn=users,cn=ttrss,ou=services,dc=immae,dc=eu)(|(cn=???)(uid=???)(&(uid:dn:=???)(ou=ttrss))))');
+
+        define('LDAP_AUTH_BINDDN', 'cn=ttrss,ou=services,dc=immae,dc=eu');
+        define('LDAP_AUTH_BINDPW', '${env.ldap.password}');
+        define('LDAP_AUTH_LOGIN_ATTRIB', 'immaeTtrssLogin');
+
+        define('LDAP_AUTH_LOG_ATTEMPTS', FALSE);
+        define('LDAP_AUTH_DEBUG', FALSE);
+      '';
+  }];
+  webRoot = (ttrss.override { ttrss_config = "/var/secrets/webapps/tools-ttrss"; }).withPlugins (builtins.attrValues ttrss-plugins);
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_ttrss";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /ttrss "${root}"
+      <Directory "${root}">
+        DirectoryIndex index.php
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        AllowOverride All
+        Options FollowSymlinks
+        Require all granted
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" (
+      [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
+      ++ webRoot.plugins);
+    socket = "/var/run/phpfpm/ttrss.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = TtrssPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp"
+      php_admin_value[session.save_path] = "${varDir}/phpSessions"
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix
new file mode 100644
index 00000000..d6e58828
--- /dev/null
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -0,0 +1,148 @@
+{ env, wallabag }:
+rec {
+  varDir = "/var/lib/wallabag";
+  keys = [{
+    dest = "webapps/tools-wallabag";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      # This file is auto-generated during the composer install
+      parameters:
+          database_driver: pdo_pgsql
+          database_driver_class: Wallabag\CoreBundle\Doctrine\DBAL\Driver\CustomPostgreSQLDriver
+          database_host: ${env.postgresql.socket}
+          database_port: ${env.postgresql.port}
+          database_name: ${env.postgresql.database}
+          database_user: ${env.postgresql.user}
+          database_password: ${env.postgresql.password}
+          database_path: null
+          database_table_prefix: wallabag_
+          database_socket: null
+          database_charset: utf8
+          domain_name: https://tools.immae.eu/wallabag
+          mailer_transport: sendmail
+          mailer_host: 127.0.0.1
+          mailer_user: null
+          mailer_password: null
+          locale: fr
+          secret: ${env.secret}
+          twofactor_auth: true
+          twofactor_sender: wallabag@tools.immae.eu
+          fosuser_registration: false
+          fosuser_confirmation: true
+          from_email: wallabag@tools.immae.eu
+          rss_limit: 50
+          rabbitmq_host: localhost
+          rabbitmq_port: 5672
+          rabbitmq_user: guest
+          rabbitmq_password: guest
+          rabbitmq_prefetch_count: 10
+          redis_scheme: unix
+          redis_host: null
+          redis_port: null
+          redis_path: ${env.redis.socket}
+          redis_password: null
+          sites_credentials: {  }
+          ldap_enabled: true
+          ldap_host: ldap.immae.eu
+          ldap_port: 636
+          ldap_tls: false
+          ldap_ssl: true
+          ldap_bind_requires_dn: true
+          ldap_base: 'dc=immae,dc=eu'
+          ldap_manager_dn: 'cn=wallabag,ou=services,dc=immae,dc=eu'
+          ldap_manager_pw: ${env.ldap.password}
+          ldap_filter: '(&(memberOf=cn=users,cn=wallabag,ou=services,dc=immae,dc=eu))'
+          ldap_admin_filter: '(&(memberOf=cn=admins,cn=wallabag,ou=services,dc=immae,dc=eu)(uid=%s))'
+          ldap_username_attribute: uid
+          ldap_email_attribute: mail
+          ldap_name_attribute: cn
+          ldap_enabled_attribute: null
+      services:
+          swiftmailer.mailer.default.transport:
+              class:     Swift_SendmailTransport
+              arguments: ['/run/wrappers/bin/sendmail -bs']
+      '';
+  }];
+  webappDir = wallabag.override { ldap = true; wallabag_config = "/var/secrets/webapps/tools-wallabag"; };
+  activationScript = ''
+    install -m 0755 -o ${apache.user} -g ${apache.group} -d ${varDir} \
+      ${varDir}/var ${varDir}/data/db ${varDir}/assets/images
+    '';
+  webRoot = "${webappDir}/web";
+  # Domain migration: Table wallabag_entry contains whole
+  # https://tools.immae.eu/wallabag domain name in preview_picture
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_wallabag";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /wallabag "${root}"
+      <Directory "${root}">
+        AllowOverride None
+        Require all granted
+        # For OAuth (apps)
+        CGIPassAuth On
+
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        <IfModule mod_rewrite.c>
+          Options -MultiViews
+          RewriteEngine On
+          RewriteCond %{REQUEST_FILENAME} !-f
+          RewriteRule ^(.*)$ app.php [QSA,L]
+        </IfModule>
+      </Directory>
+      <Directory "${root}/bundles">
+        <IfModule mod_rewrite.c>
+          RewriteEngine Off
+        </IfModule>
+      </Directory>
+      <Directory "${varDir}/assets">
+        AllowOverride None
+        Require all granted
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    preStart = ''
+      if [ ! -f "${varDir}/currentWebappDir" -o \
+          ! -f "${varDir}/currentKey" -o \
+          "${webappDir}" != "$(cat ${varDir}/currentWebappDir 2>/dev/null)" ] \
+          || ! sha512sum -c --status ${varDir}/currentKey; then
+        pushd ${webappDir} > /dev/null
+        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod cache:clear
+        rm -rf /var/lib/wallabag/var/cache/pro_
+        /run/wrappers/bin/sudo -u wwwrun ./bin/console --env=prod doctrine:migrations:migrate --no-interaction
+        popd > /dev/null
+        echo -n "${webappDir}" > ${varDir}/currentWebappDir
+        sha512sum /var/secrets/webapps/tools-wallabag > ${varDir}/currentKey
+      fi
+      '';
+    serviceDeps = [ "postgresql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
+    socket = "/var/run/phpfpm/wallabag.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = dynamic
+      pm.max_children = 60
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 10
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = WallabagPHPSESSID
+      php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp"
+      php_value[max_execution_time] = 300
+      '';
+  };
+}
diff --git a/modules/private/websites/tools/tools/ympd.nix b/modules/private/websites/tools/tools/ympd.nix
new file mode 100644
index 00000000..b54c4866
--- /dev/null
+++ b/modules/private/websites/tools/tools/ympd.nix
@@ -0,0 +1,40 @@
+{ env }:
+let
+  ympd = rec {
+    config = {
+      webPort = "localhost:${env.listenPort}";
+      host = env.mpd.host;
+      port = env.mpd.port;
+    };
+    apache = {
+      modules = [
+        "proxy_wstunnel"
+        ];
+      vhostConf = ''
+        <LocationMatch "^/mpd(?!/music.(mp3|ogg))">
+          Use LDAPConnect
+          Require ldap-group   cn=users,cn=mpd,ou=services,dc=immae,dc=eu
+        </LocationMatch>
+
+        RedirectMatch permanent "^/mpd$" "/mpd/"
+        <Location "/mpd/">
+          ProxyPass http://${config.webPort}/
+          ProxyPassReverse http://${config.webPort}/
+          ProxyPreserveHost on
+        </Location>
+        <Location "/mpd/ws">
+          ProxyPass ws://${config.webPort}/ws
+        </Location>
+        <Location "/mpd/music.mp3">
+          ProxyPass unix:///run/mpd/mp3.sock|http://tools.immae.eu/
+          ProxyPassReverse unix:///run/mpd/mp3.sock|http://tools.immae.eu/
+        </Location>
+        <Location "/mpd/music.ogg">
+          ProxyPass unix:///run/mpd/ogg.sock|http://tools.immae.eu/
+          ProxyPassReverse unix:///run/mpd/ogg.sock|http://tools.immae.eu/
+        </Location>
+      '';
+    };
+  };
+in
+  ympd
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix
new file mode 100644
index 00000000..0a8e8377
--- /dev/null
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -0,0 +1,93 @@
+{ env, yourls, yourls-plugins }:
+rec {
+  activationScript = {
+    deps = [ "httpd" ];
+    text = ''
+      install -m 0755 -o ${apache.user} -g ${apache.group} -d /var/lib/php/sessions/yourls
+    '';
+  };
+  keys = [{
+    dest = "webapps/tools-yourls";
+    user = apache.user;
+    group = apache.group;
+    permissions = "0400";
+    text = ''
+      <?php
+      define( 'YOURLS_DB_USER', '${env.mysql.user}' );
+      define( 'YOURLS_DB_PASS', '${env.mysql.password}' );
+      define( 'YOURLS_DB_NAME', '${env.mysql.database}' );
+      define( 'YOURLS_DB_HOST', '${env.mysql.host}' );
+      define( 'YOURLS_DB_PREFIX', 'yourls_' );
+      define( 'YOURLS_SITE', 'https://tools.immae.eu/url' );
+      define( 'YOURLS_HOURS_OFFSET', 0 ); 
+      define( 'YOURLS_LANG', ''' ); 
+      define( 'YOURLS_UNIQUE_URLS', true );
+      define( 'YOURLS_PRIVATE', true );
+      define( 'YOURLS_COOKIEKEY', '${env.cookieKey}' );
+      $yourls_user_passwords = array();
+      define( 'YOURLS_DEBUG', false );
+      define( 'YOURLS_URL_CONVERT', 36 );
+      $yourls_reserved_URL = array();
+      define( 'LDAPAUTH_HOST', 'ldaps://ldap.immae.eu' );
+      define( 'LDAPAUTH_PORT', '636' );
+      define( 'LDAPAUTH_BASE', 'dc=immae,dc=eu' );
+      define( 'LDAPAUTH_SEARCH_USER', 'cn=yourls,ou=services,dc=immae,dc=eu' );
+      define( 'LDAPAUTH_SEARCH_PASS', '${env.ldap.password}' );
+
+      define( 'LDAPAUTH_GROUP_ATTR', 'memberof' );
+      define( 'LDAPAUTH_GROUP_REQ', 'cn=admin,cn=yourls,ou=services,dc=immae,dc=eu');
+
+      define( 'LDAPAUTH_USERCACHE_TYPE', 0);
+    '';
+  }];
+  webRoot = (yourls.override { yourls_config = "/var/secrets/webapps/tools-yourls"; }).withPlugins
+    (builtins.attrValues yourls-plugins);
+  apache = rec {
+    user = "wwwrun";
+    group = "wwwrun";
+    modules = [ "proxy_fcgi" ];
+    webappName = "tools_yourls";
+    root = "/run/current-system/webapps/${webappName}";
+    vhostConf = ''
+      Alias /url "${root}"
+      <Directory "${root}">
+        <FilesMatch "\.php$">
+          SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+        </FilesMatch>
+
+        AllowOverride None
+        Require all granted
+        <IfModule mod_rewrite.c>
+          RewriteEngine On
+          RewriteBase /url/
+          RewriteCond %{REQUEST_FILENAME} !-f
+          RewriteCond %{REQUEST_FILENAME} !-d
+          RewriteRule ^.*$ /url/yourls-loader.php [L]
+        </IfModule>
+        DirectoryIndex index.php
+      </Directory>
+      '';
+  };
+  phpFpm = rec {
+    serviceDeps = [ "mysql.service" "openldap.service" ];
+    basedir = builtins.concatStringsSep ":" (
+      [ webRoot "/var/secrets/webapps/tools-yourls" ]
+      ++ webRoot.plugins);
+    socket = "/var/run/phpfpm/yourls.sock";
+    pool = ''
+      listen = ${socket}
+      user = ${apache.user}
+      group = ${apache.group}
+      listen.owner = ${apache.user}
+      listen.group = ${apache.group}
+      pm = ondemand
+      pm.max_children = 60
+      pm.process_idle_timeout = 60
+
+      ; Needed to avoid clashes in browser cookies (same domain)
+      php_value[session.name] = YourlsPHPSESSID
+      php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls"
+      php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls"
+      '';
+  };
+}
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 00000000..b282e56e
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,61 @@
+{ lib, pkgs, config, ... }:
+{
+  options.secrets = {
+    keys = lib.mkOption {
+      type = lib.types.listOf lib.types.unspecified;
+      default = [];
+      description = "Keys to upload to server";
+    };
+    location = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/secrets";
+      description = "Location where to put the keys";
+    };
+  };
+  config = let
+    location = config.secrets.location;
+    keys = config.secrets.keys;
+    empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+    dumpKey = v: ''
+        mkdir -p secrets/$(dirname ${v.dest})
+        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+        cat >> mods <<EOF
+        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+        EOF
+        '';
+    secrets = pkgs.runCommand "secrets.tar" {} ''
+      touch mods
+      tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
+      ${builtins.concatStringsSep "\n" (map dumpKey keys)}
+      cat mods | while read u g p k; do
+      tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
+      done
+      '';
+  in lib.mkIf (builtins.length keys > 0) {
+    system.activationScripts.secrets = {
+      deps = [ "users" "wrappers" ];
+      text = ''
+        install -m0750 -o root -g keys -d ${location}
+        if [ -f /run/keys/secrets.tar ]; then
+          if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
+            echo "rebuilding secrets"
+            rm -rf ${location}
+            install -m0750 -o root -g keys -d ${location}
+            ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
+            sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
+            find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+          fi
+        fi
+        '';
+    };
+    deployment.keys."secrets.tar" = {
+      permissions = "0400";
+      # keyFile below is not evaluated at build time by nixops, so the
+      # `secrets` path doesn’t necessarily exist when uploading the
+      # keys, and nixops is unhappy.
+      user = "root${builtins.substring 10000 1 secrets}";
+      group = "root";
+      keyFile = "${secrets}";
+    };
+  };
+}
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix
new file mode 100644
index 00000000..65599b73
--- /dev/null
+++ b/modules/webapps/diaspora.nix
@@ -0,0 +1,171 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "diaspora";
+  cfg = config.services.diaspora;
+
+  uid = config.ids.uids.diaspora;
+  gid = config.ids.gids.diaspora;
+in
+{
+  options.services.diaspora = {
+    enable = lib.mkEnableOption "Enable Diaspora’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Diaspora runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Diaspora runs";
+    };
+    adminEmail = lib.mkOption {
+      type = lib.types.str;
+      example = "admin@example.com";
+      description = "Admin e-mail for Diaspora";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Diaspora stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Diaspora puts runtime files and sockets.
+        '';
+    };
+    configDir = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration path for Diaspora.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.diaspora;
+      description = ''
+        Diaspora package to use.
+        '';
+    };
+    # Output variables
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Diaspora data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Diaspora sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override {
+        varDir = cfg.dataDir;
+        podmin_email = cfg.adminEmail;
+        config_dir = cfg.configDir;
+      };
+      description = ''
+        Adjusted diaspora package with overriden values
+        '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        rails = "${cfg.socketsDir}/diaspora.sock";
+        eye   = "${cfg.socketsDir}/eye.sock";
+      };
+      readOnly = true;
+      description = ''
+        Diaspora sockets
+        '';
+    };
+    pids = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        eye   = "${cfg.socketsDir}/eye.pid";
+      };
+      readOnly = true;
+      description = ''
+        Diaspora pids
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Diaspora user";
+      home = cfg.dataDir;
+      packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.diaspora = {
+      description = "Diaspora";
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "network.target" "redis.service" "postgresql.service"
+      ];
+      wants = [
+        "redis.service" "postgresql.service"
+      ];
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.EYE_SOCK = cfg.sockets.eye;
+      environment.EYE_PID = cfg.pids.eye;
+
+      path = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby pkgs.curl pkgs.which pkgs.gawk ];
+
+      preStart = ''
+        install -m 0755 -d ${cfg.dataDir}/uploads ${cfg.dataDir}/tmp ${cfg.dataDir}/log
+        install -m 0700 -d ${cfg.dataDir}/tmp/pids
+        if [ ! -f ${cfg.dataDir}/schedule.yml ]; then
+          echo "{}" > ${cfg.dataDir}/schedule.yml
+        fi
+        ./bin/bundle exec rails db:migrate
+      '';
+
+      script = ''
+        exec ${cfg.workdir}/script/server
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StandardInput = "null";
+        KillMode = "control-group";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix
new file mode 100644
index 00000000..7f0e2ed4
--- /dev/null
+++ b/modules/webapps/etherpad-lite.nix
@@ -0,0 +1,158 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "etherpad-lite";
+  cfg = config.services.etherpad-lite;
+
+  uid = config.ids.uids.etherpad-lite;
+  gid = config.ids.gids.etherpad-lite;
+in
+{
+  options.services.etherpad-lite = {
+    enable = lib.mkEnableOption "Enable Etherpad lite’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Etherpad lite runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Etherpad lite runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Etherpad lite stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Etherpad lite stores its sockets.
+      '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The config file path for Etherpad lite.
+        '';
+    };
+    sessionKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The Session key file path for Etherpad lite.
+        '';
+    };
+    apiKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The API key file path for Etherpad lite.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.etherpad-lite;
+      description = ''
+        Etherpad lite package to use.
+        '';
+    };
+    modules = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [];
+      description = ''
+        Etherpad lite modules to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.withModules cfg.modules;
+      description = ''
+      Adjusted Etherpad lite package with plugins
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Etherpad lite data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Etherpad lite sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        node  = "${cfg.socketsDir}/etherpad-lite.sock";
+      };
+      readOnly = true;
+      description = ''
+        Etherpad lite sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.etherpad-lite = {
+      description = "Etherpad-lite";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.HOME = cfg.workdir;
+
+      path = [ pkgs.nodejs ];
+
+      script = ''
+        exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \
+          --sessionkey ${cfg.sessionKeyFile} \
+          --apikey ${cfg.apiKeyFile} \
+          --settings ${cfg.configFile}
+      '';
+
+      postStart = ''
+        while [ ! -S ${cfg.sockets.node} ]; do
+          sleep 0.5
+        done
+        chmod a+w ${cfg.sockets.node}
+        '';
+      serviceConfig = {
+        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.workdir;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        ExecStartPre = [
+          "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized"
+          "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}"
+        ];
+      };
+    };
+
+  };
+}
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
new file mode 100644
index 00000000..6255de91
--- /dev/null
+++ b/modules/webapps/mastodon.nix
@@ -0,0 +1,223 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "mastodon";
+  cfg = config.services.mastodon;
+
+  uid = config.ids.uids.mastodon;
+  gid = config.ids.gids.mastodon;
+in
+{
+  options.services.mastodon = {
+    enable = lib.mkEnableOption "Enable Mastodon’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Mastodon runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Mastodon runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Mastodon stores its data.
+      '';
+    };
+    socketsPrefix = lib.mkOption {
+      type = lib.types.string;
+      default = "live";
+      description = ''
+        The prefix to use for Mastodon sockets.
+        '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Mastodon puts runtime files and sockets.
+        '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Mastodon.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.mastodon;
+      description = ''
+        Mastodon package to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override { varDir = cfg.dataDir; };
+      description = ''
+      Adjusted mastodon package with overriden varDir
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Mastodon data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Mastodon sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        node  = "${cfg.socketsDir}/${cfg.socketsPrefix}_node.sock";
+        rails = "${cfg.socketsDir}/${cfg.socketsPrefix}_puma.sock";
+      };
+      readOnly = true;
+      description = ''
+        Mastodon sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Mastodon user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.mastodon-streaming = {
+      description = "Mastodon Streaming";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mastodon-web.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.SOCKET = cfg.sockets.node;
+
+      path = [ pkgs.nodejs pkgs.bashInteractive ];
+
+      script = ''
+        exec npm run start
+      '';
+
+      postStart = ''
+        while [ ! -S $SOCKET ]; do
+          sleep 0.5
+        done
+        chmod a+w $SOCKET
+      '';
+
+      postStop = ''
+        rm $SOCKET
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mastodon-web = {
+      description = "Mastodon Web app";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.SOCKET = cfg.sockets.rails;
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+      preStart = ''
+        install -m 0755 -d ${cfg.dataDir}/tmp/cache
+        ./bin/bundle exec rails db:migrate
+      '';
+
+      script = ''
+        exec ./bin/bundle exec puma -C config/puma.rb
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 60;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mastodon-sidekiq = {
+      description = "Mastodon Sidekiq";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mastodon-web.service" ];
+
+      environment.RAILS_ENV="production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.DB_POOL="5";
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.imagemagick pkgs.ffmpeg pkgs.file ];
+
+      script = ''
+        exec ./bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+  };
+}
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix
new file mode 100644
index 00000000..78bbef6f
--- /dev/null
+++ b/modules/webapps/mediagoblin.nix
@@ -0,0 +1,237 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "mediagoblin";
+  cfg = config.services.mediagoblin;
+
+  uid = config.ids.uids.mediagoblin;
+  gid = config.ids.gids.mediagoblin;
+
+  paste_local = pkgs.writeText "paste_local.ini" ''
+    [DEFAULT]
+    debug = false
+
+    [pipeline:main]
+    pipeline = mediagoblin
+
+    [app:mediagoblin]
+    use = egg:mediagoblin#app
+    config = ${cfg.configFile} ${cfg.workdir}/mediagoblin.ini
+    /mgoblin_static = ${cfg.workdir}/mediagoblin/static
+
+    [loggers]
+    keys = root
+
+    [handlers]
+    keys = console
+
+    [formatters]
+    keys = generic
+
+    [logger_root]
+    level = INFO
+    handlers = console
+
+    [handler_console]
+    class = StreamHandler
+    args = (sys.stderr,)
+    level = NOTSET
+    formatter = generic
+
+    [formatter_generic]
+    format = %(levelname)-7.7s [%(name)s] %(message)s
+
+    [filter:errors]
+    use = egg:mediagoblin#errors
+    debug = false
+
+    [server:main]
+    use = egg:waitress#main
+    unix_socket = ${cfg.sockets.paster}
+    unix_socket_perms = 777
+    url_scheme = https
+    '';
+in
+{
+  options.services.mediagoblin = {
+    enable = lib.mkEnableOption "Enable Mediagoblin’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Mediagoblin runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Mediagoblin runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Mediagoblin stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Mediagoblin puts runtime files and sockets.
+        '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Mediagoblin.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.mediagoblin;
+      description = ''
+        Mediagoblin package to use.
+        '';
+    };
+    plugins = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [];
+      description = ''
+        Mediagoblin plugins to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.withPlugins cfg.plugins;
+      description = ''
+      Adjusted Mediagoblin package with plugins
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Mediagoblin data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Mediagoblin sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        paster = "${cfg.socketsDir}/mediagoblin.sock";
+      };
+      readOnly = true;
+      description = ''
+        Mediagoblin sockets
+        '';
+    };
+    pids = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        paster = "${cfg.socketsDir}/mediagoblin.pid";
+        celery = "${cfg.socketsDir}/mediagoblin-celeryd.pid";
+      };
+      readOnly = true;
+      description = ''
+        Mediagoblin pid files
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Mediagoblin user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.mediagoblin-web = {
+      description = "Mediagoblin service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      wants = [ "postgresql.service" "redis.service" ];
+
+      environment.SCRIPT_NAME = "/mediagoblin/";
+
+      script = ''
+        exec ./bin/paster serve \
+          ${paste_local} \
+          --pid-file=${cfg.pids.paster}
+        '';
+      preStop = ''
+        exec ./bin/paster serve \
+          --pid-file=${cfg.pids.paster} \
+          ${paste_local} stop
+        '';
+      preStart = ''
+        if [ -d ${cfg.dataDir}/plugin_static/ ]; then
+          rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+          ln -sf ${cfg.workdir}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+        fi
+        ./bin/gmg -cf ${cfg.configFile} dbupdate
+        '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        PIDFile = cfg.pids.paster;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mediagoblin-celeryd = {
+      description = "Mediagoblin service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mediagoblin-web.service" ];
+
+      environment.MEDIAGOBLIN_CONFIG = cfg.configFile;
+      environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
+
+      script = ''
+        exec ./bin/celery worker \
+          --logfile=${cfg.dataDir}/celery.log \
+          --loglevel=INFO
+        '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 60;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        PIDFile = cfg.pids.celery;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix
new file mode 100644
index 00000000..89dcc67a
--- /dev/null
+++ b/modules/webapps/peertube.nix
@@ -0,0 +1,105 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "peertube";
+  cfg = config.services.peertube;
+
+  uid = config.ids.uids.peertube;
+  gid = config.ids.gids.peertube;
+in
+{
+  options.services.peertube = {
+    enable = lib.mkEnableOption "Enable Peertube’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Peertube runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Peertube runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Peertube stores its data.
+      '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Peertube.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.peertube;
+      description = ''
+        Peertube package to use.
+        '';
+    };
+    # Output variables
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Peertube data directory for systemd
+      '';
+      readOnly = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Peertube user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.peertube = {
+      description = "Peertube";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_CONFIG_DIR = "${cfg.dataDir}/config";
+      environment.NODE_ENV = "production";
+      environment.HOME = cfg.package;
+
+      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];
+
+      script = ''
+        install -m 0750 -d ${cfg.dataDir}/config
+        ln -sf ${cfg.configFile} ${cfg.dataDir}/config/production.yaml
+        exec npm run start
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.package;
+        StateDirectory = cfg.systemdStateDirectory;
+        StateDirectoryMode = 0750;
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
+
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix
new file mode 100644
index 00000000..924d72de
--- /dev/null
+++ b/modules/webapps/webstats/default.nix
@@ -0,0 +1,81 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "goaccess";
+  cfg = config.services.webstats;
+in {
+  options.services.webstats = {
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Goaccess stores its data.
+      '';
+    };
+    sites = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          conf = lib.mkOption {
+            type = lib.types.nullOr lib.types.path;
+            default = null;
+            description = ''
+              use custom goaccess configuration file instead of the
+              default one.
+              '';
+          };
+          name = lib.mkOption {
+            type = lib.types.string;
+            description  = ''
+              Domain name. Corresponds to the Apache file name and the
+              folder name in which the state will be saved.
+              '';
+          };
+        };
+      });
+      default = [];
+      description = "Sites to generate stats";
+    };
+  };
+
+  config = lib.mkIf (builtins.length cfg.sites > 0) {
+    users.users.root.packages = [
+      pkgs.goaccess
+    ];
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        stats = domain: conf: let
+          config = if builtins.isNull conf
+            then pkgs.runCommand "goaccess.conf" {
+                dbPath = "${cfg.dataDir}/${domain}";
+              } "substituteAll ${./goaccess.conf} $out"
+            else conf;
+          d = pkgs.writeScriptBin "stats-${domain}" ''
+            #!${pkgs.stdenv.shell}
+            set -e
+            shopt -s nullglob
+            date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
+            TMPFILE=$(mktemp)
+            trap "rm -f $TMPFILE" EXIT
+
+            mkdir -p ${cfg.dataDir}/${domain}
+            cat /var/log/httpd/access-${domain}.log | sed -n "/\\[$date_regex/ p" > $TMPFILE
+            for i in /var/log/httpd/access-${domain}*.gz; do
+              zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE
+            done
+            ${pkgs.goaccess}/bin/goaccess $TMPFILE --no-progress -o ${cfg.dataDir}/${domain}/index.html -p ${config}
+            '';
+          in "${d}/bin/stats-${domain}";
+        allStats = sites: pkgs.writeScript "stats" ''
+          #!${pkgs.stdenv.shell}
+
+          mkdir -p ${cfg.dataDir}
+          ${builtins.concatStringsSep "\n" (map (v: stats v.name v.conf) sites)}
+          '';
+      in
+        [
+          "5 0 * * * root ${allStats cfg.sites}"
+        ];
+    };
+  };
+}
diff --git a/modules/webapps/webstats/goaccess.conf b/modules/webapps/webstats/goaccess.conf
new file mode 100644
index 00000000..49189883
--- /dev/null
+++ b/modules/webapps/webstats/goaccess.conf
@@ -0,0 +1,99 @@
+time-format %H:%M:%S
+date-format %d/%b/%Y
+
+#sur immae.eu
+#log-format %v %h %^[%d:%t %^] "%r" %s %b "%R" "%u" $^
+
+log-format VCOMBINED
+#= %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
+
+html-prefs {"theme":"bright","layout":"vertical"}
+
+exclude-ip 188.165.209.148
+exclude-ip 178.33.252.96
+exclude-ip 2001:41d0:2:9c94::1
+exclude-ip 2001:41d0:2:9c94::
+exclude-ip 176.9.151.89
+exclude-ip 2a01:4f8:160:3445::
+exclude-ip 82.255.56.72
+
+no-query-string true
+
+keep-db-files true
+load-from-disk true
+db-path @dbPath@
+
+ignore-panel REFERRERS
+ignore-panel KEYPHRASES
+
+static-file .css
+static-file .js
+static-file .jpg
+static-file .png
+static-file .gif
+static-file .ico
+static-file .jpeg
+static-file .pdf
+static-file .csv
+static-file .mpeg
+static-file .mpg
+static-file .swf
+static-file .woff
+static-file .woff2
+static-file .xls
+static-file .xlsx
+static-file .doc
+static-file .docx
+static-file .ppt
+static-file .pptx
+static-file .txt
+static-file .zip
+static-file .ogg
+static-file .mp3
+static-file .mp4
+static-file .exe
+static-file .iso
+static-file .gz
+static-file .rar
+static-file .svg
+static-file .bmp
+static-file .tar
+static-file .tgz
+static-file .tiff
+static-file .tif
+static-file .ttf
+static-file .flv
+#static-file .less
+#static-file .ac3
+#static-file .avi
+#static-file .bz2
+#static-file .class
+#static-file .cue
+#static-file .dae
+#static-file .dat
+#static-file .dts
+#static-file .ejs
+#static-file .eot
+#static-file .eps
+#static-file .img
+#static-file .jar
+#static-file .map
+#static-file .mid
+#static-file .midi
+#static-file .ogv
+#static-file .webm
+#static-file .mkv
+#static-file .odp
+#static-file .ods
+#static-file .odt
+#static-file .otf
+#static-file .pict
+#static-file .pls
+#static-file .ps
+#static-file .qt
+#static-file .rm
+#static-file .svgz
+#static-file .wav
+#static-file .webp
+
+
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
new file mode 100644
index 00000000..e57f505a
--- /dev/null
+++ b/modules/websites/default.nix
@@ -0,0 +1,199 @@
+{ lib, config, ... }: with lib;
+let
+  cfg = config.services.websites;
+in
+{
+  options.services.websitesCerts = mkOption {
+    description = "Default websites configuration for certificates as accepted by acme";
+  };
+  options.services.websites = with types; mkOption {
+    default = {};
+    description = "Each type of website to enable will target a distinct httpd server";
+    type = attrsOf (submodule {
+      options = {
+        enable = mkEnableOption "Enable websites of this type";
+        adminAddr = mkOption {
+          type = str;
+          description = "Admin e-mail address of the instance";
+        };
+        httpdName = mkOption {
+          type = str;
+          description = "Name of the httpd instance to assign this type to";
+        };
+        ips = mkOption {
+          type = listOf string;
+          default = [];
+          description = "ips to listen to";
+        };
+        modules = mkOption {
+          type = listOf str;
+          default = [];
+          description = "Additional modules to load in Apache";
+        };
+        extraConfig = mkOption {
+          type = listOf lines;
+          default = [];
+          description = "Additional configuration to append to Apache";
+        };
+        nosslVhost = mkOption {
+          description = "A default nossl vhost for captive portals";
+          default = {};
+          type = submodule {
+            options = {
+              enable = mkEnableOption "Add default no-ssl vhost for this instance";
+              host = mkOption {
+                type = string;
+                description = "The hostname to use for this vhost";
+              };
+              root = mkOption {
+                type = path;
+                default = ./nosslVhost;
+                description = "The root folder to serve";
+              };
+              indexFile = mkOption {
+                type = string;
+                default = "index.html";
+                description = "The index file to show.";
+              };
+            };
+          };
+        };
+        fallbackVhost = mkOption {
+          description = "The fallback vhost that will be defined as first vhost in Apache";
+          type = submodule {
+            options = {
+              certName = mkOption { type = string; };
+              hosts    = mkOption { type = listOf string; };
+              root     = mkOption { type = nullOr path; };
+              extraConfig = mkOption { type = listOf lines; default = []; };
+            };
+          };
+        };
+        vhostConfs = mkOption {
+          default = {};
+          description = "List of vhosts to define for Apache";
+          type = attrsOf (submodule {
+            options = {
+              certName = mkOption { type = string; };
+              addToCerts = mkOption {
+                type = bool;
+                default = false;
+                description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
+              };
+              certMainHost = mkOption {
+                type = nullOr string;
+                description = "Use that host as 'main host' for acme certs";
+                default = null;
+              };
+              hosts    = mkOption { type = listOf string; };
+              root     = mkOption { type = nullOr path; };
+              extraConfig = mkOption { type = listOf lines; default = []; };
+            };
+          });
+        };
+      };
+    });
+  };
+
+  config.services.httpd = let
+    redirectVhost = ips: { # Should go last, catchall http -> https redirect
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = "redirectSSL";
+      serverAliases = [ "*" ];
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = "${config.security.acme.directory}/acme-challenge";
+      extraConfig = ''
+        RewriteEngine on
+        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
+        RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
+        # To redirect in specific "VirtualHost *:80", do
+        #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+        # rather than rewrite
+      '';
+    };
+    nosslVhost = ips: cfg: {
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = cfg.host;
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = cfg.root;
+      extraConfig = ''
+        <Directory ${cfg.root}>
+          DirectoryIndex ${cfg.indexFile}
+          AllowOverride None
+          Require all granted
+
+          RewriteEngine on
+          RewriteRule ^/(.+)   /   [L]
+        </Directory>
+        '';
+    };
+    toVhost = ips: vhostConf: {
+      enableSSL = true;
+      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
+      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
+      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
+      logFormat = "combinedVhost";
+      listen = map (ip: { inherit ip; port = 443; }) ips;
+      hostName = builtins.head vhostConf.hosts;
+      serverAliases = builtins.tail vhostConf.hosts or [];
+      documentRoot = vhostConf.root;
+      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
+    };
+  in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    icfg.httpdName (mkIf icfg.enable {
+      enable = true;
+      listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
+      stateDir = "/run/httpd_${name}";
+      logPerVirtualHost = true;
+      multiProcessingModule = "worker";
+      inherit (icfg) adminAddr;
+      logFormat = "combinedVhost";
+      extraModules = lists.unique icfg.modules;
+      extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
+      virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
+        ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
+        ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
+        ++ [ (redirectVhost icfg.ips) ];
+    })
+  ) cfg;
+
+  config.security.acme.certs = let
+    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
+    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
+      attrValues v.vhostConfs
+    ) typesToManage);
+    groupedCerts = attrsets.filterAttrs
+      (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
+      (lists.groupBy (v: v.certName) flatVhosts);
+    groupToDomain = group:
+      let
+        nonNull = builtins.filter (v: !isNull v.certMainHost) group;
+        domains = lists.unique (map (v: v.certMainHost) nonNull);
+      in
+        if builtins.length domains == 0
+          then null
+          else assert (builtins.length domains == 1); (elemAt domains 0);
+    extraDomains = group:
+      let
+        mainDomain = groupToDomain group;
+      in
+        lists.remove mainDomain (
+          lists.unique (
+            lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
+          )
+        );
+  in attrsets.mapAttrs (k: g:
+    if (!isNull (groupToDomain g))
+    then config.services.websitesCerts // {
+      domain = groupToDomain g;
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+    else {
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+  ) groupedCerts;
+}
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix
new file mode 100644
index 00000000..d049202c
--- /dev/null
+++ b/modules/websites/httpd-service-builder.nix
@@ -0,0 +1,746 @@
+# to help backporting this builder should stay as close as possible to
+# nixos/modules/services/web-servers/apache-httpd/default.nix
+{ httpdName, withUsers ? true }:
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  mainCfg = config.services.httpd."${httpdName}";
+
+  httpd = mainCfg.package.out;
+
+  version24 = !versionOlder httpd.version "2.4";
+
+  httpdConf = mainCfg.configFile;
+
+  php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
+
+  phpMajorVersion = head (splitString "." php.version);
+
+  mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; };
+
+  defaultListen = cfg: if cfg.enableSSL
+    then [{ip = "*"; port = 443;}]
+    else [{ip = "*"; port = 80;}];
+
+  getListen = cfg:
+    let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
+    in if list == []
+        then defaultListen cfg
+        else list;
+
+  listenToString = l: "${l.ip}:${toString l.port}";
+
+  extraModules = attrByPath ["extraModules"] [] mainCfg;
+  extraForeignModules = filter isAttrs extraModules;
+  extraApacheModules = filter isString extraModules;
+
+
+  makeServerInfo = cfg: {
+    # Canonical name must not include a trailing slash.
+    canonicalNames =
+      let defaultPort = (head (defaultListen cfg)).port; in
+      map (port:
+        (if cfg.enableSSL then "https" else "http") + "://" +
+        cfg.hostName +
+        (if port != defaultPort then ":${toString port}" else "")
+        ) (map (x: x.port) (getListen cfg));
+
+    # Admin address: inherit from the main server if not specified for
+    # a virtual host.
+    adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr;
+
+    vhostConfig = cfg;
+    serverConfig = mainCfg;
+    fullConfig = config; # machine config
+  };
+
+
+  allHosts = [mainCfg] ++ mainCfg.virtualHosts;
+
+
+  callSubservices = serverInfo: defs:
+    let f = svc:
+      let
+        svcFunction =
+          if svc ? function then svc.function
+          # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
+          else if svc ? serviceExpression then import (toString svc.serviceExpression)
+          else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
+        config = (evalModules
+          { modules = [ { options = res.options; config = svc.config or svc; } ];
+            check = false;
+          }).config;
+        defaults = {
+          extraConfig = "";
+          extraModules = [];
+          extraModulesPre = [];
+          extraPath = [];
+          extraServerPath = [];
+          globalEnvVars = [];
+          robotsEntries = "";
+          startupScript = "";
+          enablePHP = false;
+          enablePerl = false;
+          phpOptions = "";
+          options = {};
+          documentRoot = null;
+        };
+        res = defaults // svcFunction { inherit config lib pkgs serverInfo php; };
+      in res;
+    in map f defs;
+
+
+  # !!! callSubservices is expensive
+  subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices;
+
+  mainSubservices = subservicesFor mainCfg;
+
+  allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts;
+
+
+  enableSSL = any (vhost: vhost.enableSSL) allHosts;
+
+
+  # Names of modules from ${httpd}/modules that we want to load.
+  apacheModules =
+    [ # HTTP authentication mechanisms: basic and digest.
+      "auth_basic" "auth_digest"
+
+      # Authentication: is the user who he claims to be?
+      "authn_file" "authn_dbm" "authn_anon"
+      (if version24 then "authn_core" else "authn_alias")
+
+      # Authorization: is the user allowed access?
+      "authz_user" "authz_groupfile" "authz_host"
+
+      # Other modules.
+      "ext_filter" "include" "log_config" "env" "mime_magic"
+      "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
+      "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
+      "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
+      "userdir" "alias" "rewrite" "proxy" "proxy_http"
+    ]
+    ++ optionals version24 [
+      "mpm_${mainCfg.multiProcessingModule}"
+      "authz_core"
+      "unixd"
+      "cache" "cache_disk"
+      "slotmem_shm"
+      "socache_shmcb"
+      # For compatibility with old configurations, the new module mod_access_compat is provided.
+      "access_compat"
+    ]
+    ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
+    ++ optional enableSSL "ssl"
+    ++ extraApacheModules;
+
+
+  allDenied = if version24 then ''
+    Require all denied
+  '' else ''
+    Order deny,allow
+    Deny from all
+  '';
+
+  allGranted = if version24 then ''
+    Require all granted
+  '' else ''
+    Order allow,deny
+    Allow from all
+  '';
+
+
+  loggingConf = (if mainCfg.logFormat != "none" then ''
+    ErrorLog ${mainCfg.logDir}/error.log
+
+    LogLevel notice
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+    LogFormat "%{Referer}i -> %U" referer
+    LogFormat "%{User-agent}i" agent
+
+    CustomLog ${mainCfg.logDir}/access.log ${mainCfg.logFormat}
+  '' else ''
+    ErrorLog /dev/null
+  '');
+
+
+  browserHacks = ''
+    BrowserMatch "Mozilla/2" nokeepalive
+    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+    BrowserMatch "RealPlayer 4\.0" force-response-1.0
+    BrowserMatch "Java/1\.0" force-response-1.0
+    BrowserMatch "JDK/1\.0" force-response-1.0
+    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+    BrowserMatch "^WebDrive" redirect-carefully
+    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+    BrowserMatch "^gnome-vfs" redirect-carefully
+  '';
+
+
+  sslConf = ''
+    SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
+
+    ${if version24 then "Mutex" else "SSLMutex"} posixsem
+
+    SSLRandomSeed startup builtin
+    SSLRandomSeed connect builtin
+
+    SSLProtocol ${mainCfg.sslProtocols}
+    SSLCipherSuite ${mainCfg.sslCiphers}
+    SSLHonorCipherOrder on
+  '';
+
+
+  mimeConf = ''
+    TypesConfig ${httpd}/conf/mime.types
+
+    AddType application/x-x509-ca-cert .crt
+    AddType application/x-pkcs7-crl    .crl
+    AddType application/x-httpd-php    .php .phtml
+
+    <IfModule mod_mime_magic.c>
+        MIMEMagicFile ${httpd}/conf/magic
+    </IfModule>
+  '';
+
+
+  perServerConf = isMainServer: cfg: let
+
+    serverInfo = makeServerInfo cfg;
+
+    subservices = callSubservices serverInfo cfg.extraSubservices;
+
+    maybeDocumentRoot = fold (svc: acc:
+      if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc
+    ) null ([ cfg ] ++ subservices);
+
+    documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
+      pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
+
+    documentRootConf = ''
+      DocumentRoot "${documentRoot}"
+
+      <Directory "${documentRoot}">
+          Options Indexes FollowSymLinks
+          AllowOverride None
+          ${allGranted}
+      </Directory>
+    '';
+
+    robotsTxt =
+      concatStringsSep "\n" (filter (x: x != "") (
+        # If this is a vhost, the include the entries for the main server as well.
+        (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
+        ++ [cfg.robotsEntries]
+        ++ (map (svc: svc.robotsEntries) subservices)));
+
+  in ''
+    ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)}
+
+    ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases}
+
+    ${if cfg.sslServerCert != null then ''
+      SSLCertificateFile ${cfg.sslServerCert}
+      SSLCertificateKeyFile ${cfg.sslServerKey}
+      ${if cfg.sslServerChain != null then ''
+        SSLCertificateChainFile ${cfg.sslServerChain}
+      '' else ""}
+    '' else ""}
+
+    ${if cfg.enableSSL then ''
+      SSLEngine on
+    '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */
+    ''
+      SSLEngine off
+    '' else ""}
+
+    ${if isMainServer || cfg.adminAddr != null then ''
+      ServerAdmin ${cfg.adminAddr}
+    '' else ""}
+
+    ${if !isMainServer && mainCfg.logPerVirtualHost then ''
+      ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log
+      CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat}
+    '' else ""}
+
+    ${optionalString (robotsTxt != "") ''
+      Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt}
+    ''}
+
+    ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""}
+
+    ${if cfg.enableUserDir then ''
+
+      UserDir public_html
+      UserDir disabled root
+
+      <Directory "/home/*/public_html">
+          AllowOverride FileInfo AuthConfig Limit Indexes
+          Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+          <Limit GET POST OPTIONS>
+              ${allGranted}
+          </Limit>
+          <LimitExcept GET POST OPTIONS>
+              ${allDenied}
+          </LimitExcept>
+      </Directory>
+
+    '' else ""}
+
+    ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then ''
+      RedirectPermanent / ${cfg.globalRedirect}
+    '' else ""}
+
+    ${
+      let makeFileConf = elem: ''
+            Alias ${elem.urlPath} ${elem.file}
+          '';
+      in concatMapStrings makeFileConf cfg.servedFiles
+    }
+
+    ${
+      let makeDirConf = elem: ''
+            Alias ${elem.urlPath} ${elem.dir}/
+            <Directory ${elem.dir}>
+                Options +Indexes
+                ${allGranted}
+                AllowOverride All
+            </Directory>
+          '';
+      in concatMapStrings makeDirConf cfg.servedDirs
+    }
+
+    ${concatMapStrings (svc: svc.extraConfig) subservices}
+
+    ${cfg.extraConfig}
+  '';
+
+
+  confFile = pkgs.writeText "httpd.conf" ''
+
+    ServerRoot ${httpd}
+
+    ${optionalString version24 ''
+      DefaultRuntimeDir ${mainCfg.stateDir}/runtime
+    ''}
+
+    PidFile ${mainCfg.stateDir}/httpd.pid
+
+    ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
+      # mod_cgid requires this.
+      ScriptSock ${mainCfg.stateDir}/cgisock
+    ''}
+
+    <IfModule prefork.c>
+        MaxClients           ${toString mainCfg.maxClients}
+        MaxRequestsPerChild  ${toString mainCfg.maxRequestsPerChild}
+    </IfModule>
+
+    ${let
+        listen = concatMap getListen allHosts;
+        toStr = listen: "Listen ${listenToString listen}\n";
+        uniqueListen = uniqList {inputList = map toStr listen;};
+      in concatStrings uniqueListen
+    }
+
+    User ${mainCfg.user}
+    Group ${mainCfg.group}
+
+    ${let
+        load = {name, path}: "LoadModule ${name}_module ${path}\n";
+        allModules =
+          concatMap (svc: svc.extraModulesPre) allSubservices
+          ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
+          ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
+          ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
+          ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
+          ++ concatMap (svc: svc.extraModules) allSubservices
+          ++ extraForeignModules;
+      in concatMapStrings load allModules
+    }
+
+    AddHandler type-map var
+
+    <Files ~ "^\.ht">
+        ${allDenied}
+    </Files>
+
+    ${mimeConf}
+    ${loggingConf}
+    ${browserHacks}
+
+    Include ${httpd}/conf/extra/httpd-default.conf
+    Include ${httpd}/conf/extra/httpd-autoindex.conf
+    Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
+    Include ${httpd}/conf/extra/httpd-languages.conf
+
+    TraceEnable off
+
+    ${if enableSSL then sslConf else ""}
+
+    # Fascist default - deny access to everything.
+    <Directory />
+        Options FollowSymLinks
+        AllowOverride None
+        ${allDenied}
+    </Directory>
+
+    # Generate directives for the main server.
+    ${perServerConf true mainCfg}
+
+    # Always enable virtual hosts; it doesn't seem to hurt.
+    ${let
+        listen = concatMap getListen allHosts;
+        uniqueListen = uniqList {inputList = listen;};
+        directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen;
+      in optionalString (!version24) directives
+    }
+
+    ${let
+        makeVirtualHost = vhost: ''
+          <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}>
+              ${perServerConf false vhost}
+          </VirtualHost>
+        '';
+      in concatMapStrings makeVirtualHost mainCfg.virtualHosts
+    }
+  '';
+
+
+  enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices;
+
+  enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices;
+
+
+  # Generate the PHP configuration file.  Should probably be factored
+  # out into a separate module.
+  phpIni = pkgs.runCommand "php.ini"
+    { options = concatStringsSep "\n"
+        ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
+      preferLocalBuild = true;
+    }
+    ''
+      cat ${php}/etc/php.ini > $out
+      echo "$options" >> $out
+    '';
+
+in
+
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.httpd."${httpdName}" = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the Apache HTTP Server.";
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.apacheHttpd;
+        defaultText = "pkgs.apacheHttpd";
+        description = ''
+          Overridable attribute of the Apache HTTP Server package to use.
+        '';
+      };
+
+      configFile = mkOption {
+        type = types.path;
+        default = confFile;
+        defaultText = "confFile";
+        example = literalExample ''pkgs.writeText "httpd.conf" "# my custom config file ..."'';
+        description = ''
+          Override the configuration file used by Apache. By default,
+          NixOS generates one automatically.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Cnfiguration lines appended to the generated Apache
+          configuration file. Note that this mechanism may not work
+          when <option>configFile</option> is overridden.
+        '';
+      };
+
+      extraModules = mkOption {
+        type = types.listOf types.unspecified;
+        default = [];
+        example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
+        description = ''
+          Additional Apache modules to be used.  These can be
+          specified as a string in the case of modules distributed
+          with Apache, or as an attribute set specifying the
+          <varname>name</varname> and <varname>path</varname> of the
+          module.
+        '';
+      };
+
+      logPerVirtualHost = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled, each virtual host gets its own
+          <filename>access.log</filename> and
+          <filename>error.log</filename>, namely suffixed by the
+          <option>hostName</option> of the virtual host.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "wwwrun";
+        description = ''
+          User account under which httpd runs.  The account is created
+          automatically if it doesn't exist.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "wwwrun";
+        description = ''
+          Group under which httpd runs.  The account is created
+          automatically if it doesn't exist.
+        '';
+      };
+
+      logDir = mkOption {
+        type = types.path;
+        default = "/var/log/httpd";
+        description = ''
+          Directory for Apache's log files.  It is created automatically.
+        '';
+      };
+
+      stateDir = mkOption {
+        type = types.path;
+        default = "/run/httpd";
+        description = ''
+          Directory for Apache's transient runtime state (such as PID
+          files).  It is created automatically.  Note that the default,
+          <filename>/run/httpd</filename>, is deleted at boot time.
+        '';
+      };
+
+      virtualHosts = mkOption {
+        type = types.listOf (types.submodule (
+          { options = import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix> {
+              inherit lib;
+              forMainServer = false;
+            };
+          }));
+        default = [];
+        example = [
+          { hostName = "foo";
+            documentRoot = "/data/webroot-foo";
+          }
+          { hostName = "bar";
+            documentRoot = "/data/webroot-bar";
+          }
+        ];
+        description = ''
+          Specification of the virtual hosts served by Apache.  Each
+          element should be an attribute set specifying the
+          configuration of the virtual host.  The available options
+          are the non-global options permissible for the main host.
+        '';
+      };
+
+      enableMellon = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the mod_auth_mellon module.";
+      };
+
+      enablePHP = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the PHP module.";
+      };
+
+      phpPackage = mkOption {
+        type = types.package;
+        default = pkgs.php;
+        defaultText = "pkgs.php";
+        description = ''
+          Overridable attribute of the PHP package to use.
+        '';
+      };
+
+      enablePerl = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the Perl module (mod_perl).";
+      };
+
+      phpOptions = mkOption {
+        type = types.lines;
+        default = "";
+        example =
+          ''
+            date.timezone = "CET"
+          '';
+        description =
+          "Options appended to the PHP configuration file <filename>php.ini</filename>.";
+      };
+
+      multiProcessingModule = mkOption {
+        type = types.str;
+        default = "prefork";
+        example = "worker";
+        description =
+          ''
+            Multi-processing module to be used by Apache.  Available
+            modules are <literal>prefork</literal> (the default;
+            handles each request in a separate child process),
+            <literal>worker</literal> (hybrid approach that starts a
+            number of child processes each running a number of
+            threads) and <literal>event</literal> (a recent variant of
+            <literal>worker</literal> that handles persistent
+            connections more efficiently).
+          '';
+      };
+
+      maxClients = mkOption {
+        type = types.int;
+        default = 150;
+        example = 8;
+        description = "Maximum number of httpd processes (prefork)";
+      };
+
+      maxRequestsPerChild = mkOption {
+        type = types.int;
+        default = 0;
+        example = 500;
+        description =
+          "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
+      };
+
+      sslCiphers = mkOption {
+        type = types.str;
+        default = "HIGH:!aNULL:!MD5:!EXP";
+        description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+      };
+
+      sslProtocols = mkOption {
+        type = types.str;
+        default = "All -SSLv2 -SSLv3 -TLSv1";
+        example = "All -SSLv2 -SSLv3";
+        description = "Allowed SSL/TLS protocol versions.";
+      };
+    }
+
+    # Include the options shared between the main server and virtual hosts.
+    // (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix> {
+      inherit lib;
+      forMainServer = true;
+    });
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.httpd."${httpdName}".enable {
+
+    assertions = [ { assertion = mainCfg.enableSSL == true
+                               -> mainCfg.sslServerCert != null
+                                    && mainCfg.sslServerKey != null;
+                     message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; }
+                 ];
+
+    warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
+
+    users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton
+      { name = "wwwrun";
+        group = mainCfg.group;
+        description = "Apache httpd user";
+        uid = config.ids.uids.wwwrun;
+      });
+
+    users.groups = optionalAttrs (withUsers && mainCfg.group == "wwwrun") (singleton
+      { name = "wwwrun";
+        gid = config.ids.gids.wwwrun;
+      });
+
+    environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
+
+    services.httpd."${httpdName}".phpOptions =
+      ''
+        ; Needed for PHP's mail() function.
+        sendmail_path = sendmail -t -i
+
+        ; Don't advertise PHP
+        expose_php = off
+      '' + optionalString (!isNull config.time.timeZone) ''
+
+        ; Apparently PHP doesn't use $TZ.
+        date.timezone = "${config.time.timeZone}"
+      '';
+
+    systemd.services."httpd${httpdName}" =
+      { description = "Apache HTTPD";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "keys.target" ];
+        after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ];
+
+        path =
+          [ httpd pkgs.coreutils pkgs.gnugrep ]
+          ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function.
+          ++ concatMap (svc: svc.extraServerPath) allSubservices;
+
+        environment =
+          optionalAttrs enablePHP { PHPRC = phpIni; }
+          // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH  = "${pkgs.xmlsec}/lib"; }
+          // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
+
+        preStart =
+          ''
+            mkdir -m 0750 -p ${mainCfg.stateDir}
+            [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
+            ${optionalString version24 ''
+              mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
+              [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
+            ''}
+            mkdir -m 0700 -p ${mainCfg.logDir}
+
+            # Get rid of old semaphores.  These tend to accumulate across
+            # server restarts, eventually preventing it from restarting
+            # successfully.
+            for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do
+                ${pkgs.utillinux}/bin/ipcrm -s $i
+            done
+
+            # Run the startup hooks for the subservices.
+            for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do
+                echo Running Apache startup hook $i...
+                $i
+            done
+          '';
+
+        serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
+        serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
+        serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
+        serviceConfig.Type = "forking";
+        serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
+        serviceConfig.Restart = "always";
+        serviceConfig.RestartSec = "5s";
+      };
+
+  };
+}
diff --git a/modules/websites/nosslVhost/index.html b/modules/websites/nosslVhost/index.html
new file mode 100644
index 00000000..4401a806
--- /dev/null
+++ b/modules/websites/nosslVhost/index.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>No SSL site</title>
+  </head>
+  <body>
+    <h1>No SSL on this site</h1>
+    <p>Use for wifi networks with login page that doesn't work well with
+    https.</p>
+  </body>
+</html>