13 files changed, 2126 insertions, 0 deletions

diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 00000000..acb0bb51
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,13 @@
+{
+  myids = ./myids.nix;
+  secrets = ./secrets.nix;
+
+  webstats = ./webapps/webstats;
+  diaspora = ./webapps/diaspora.nix;
+  etherpad-lite = ./webapps/etherpad-lite.nix;
+  mastodon = ./webapps/mastodon.nix;
+  mediagoblin = ./webapps/mediagoblin.nix;
+  peertube = ./webapps/peertube.nix;
+
+  websites = ./websites;
+} // (if builtins.pathExists ./private then import ./private else {})
diff --git a/modules/myids.nix b/modules/myids.nix
new file mode 100644
index 00000000..4fb26269
--- /dev/null
+++ b/modules/myids.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+  # Check that there is no clash with nixos/modules/misc/ids.nix
+  config = {
+    ids.uids = {
+      peertube = 394;
+      redis = 395;
+      nullmailer = 396;
+      mediagoblin = 397;
+      diaspora = 398;
+      mastodon = 399;
+    };
+    ids.gids = {
+      peertube = 394;
+      redis = 395;
+      nullmailer = 396;
+      mediagoblin = 397;
+      diaspora = 398;
+      mastodon = 399;
+    };
+  };
+}
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 00000000..b282e56e
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,61 @@
+{ lib, pkgs, config, ... }:
+{
+  options.secrets = {
+    keys = lib.mkOption {
+      type = lib.types.listOf lib.types.unspecified;
+      default = [];
+      description = "Keys to upload to server";
+    };
+    location = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/secrets";
+      description = "Location where to put the keys";
+    };
+  };
+  config = let
+    location = config.secrets.location;
+    keys = config.secrets.keys;
+    empty = pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out && touch $out/done";
+    dumpKey = v: ''
+        mkdir -p secrets/$(dirname ${v.dest})
+        echo -n ${lib.strings.escapeShellArg v.text} > secrets/${v.dest}
+        cat >> mods <<EOF
+        ${v.user or "root"} ${v.group or "root"} ${v.permissions or "0600"} secrets/${v.dest}
+        EOF
+        '';
+    secrets = pkgs.runCommand "secrets.tar" {} ''
+      touch mods
+      tar --format=ustar --mtime='1970-01-01' -P --transform="s@${empty}@secrets@" -cf $out ${empty}/done
+      ${builtins.concatStringsSep "\n" (map dumpKey keys)}
+      cat mods | while read u g p k; do
+      tar --format=ustar --mtime='1970-01-01' --owner="$u" --group="$g" --mode="$p" --append -f $out "$k"
+      done
+      '';
+  in lib.mkIf (builtins.length keys > 0) {
+    system.activationScripts.secrets = {
+      deps = [ "users" "wrappers" ];
+      text = ''
+        install -m0750 -o root -g keys -d ${location}
+        if [ -f /run/keys/secrets.tar ]; then
+          if [ ! -f ${location}/currentSecrets ] || ! sha512sum -c --status "${location}/currentSecrets"; then
+            echo "rebuilding secrets"
+            rm -rf ${location}
+            install -m0750 -o root -g keys -d ${location}
+            ${pkgs.gnutar}/bin/tar --strip-components 1 -C ${location} -xf /run/keys/secrets.tar
+            sha512sum /run/keys/secrets.tar > ${location}/currentSecrets
+            find ${location} -type d -exec chown root:keys {} \; -exec chmod o-rx {} \;
+          fi
+        fi
+        '';
+    };
+    deployment.keys."secrets.tar" = {
+      permissions = "0400";
+      # keyFile below is not evaluated at build time by nixops, so the
+      # `secrets` path doesn’t necessarily exist when uploading the
+      # keys, and nixops is unhappy.
+      user = "root${builtins.substring 10000 1 secrets}";
+      group = "root";
+      keyFile = "${secrets}";
+    };
+  };
+}
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix
new file mode 100644
index 00000000..65599b73
--- /dev/null
+++ b/modules/webapps/diaspora.nix
@@ -0,0 +1,171 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "diaspora";
+  cfg = config.services.diaspora;
+
+  uid = config.ids.uids.diaspora;
+  gid = config.ids.gids.diaspora;
+in
+{
+  options.services.diaspora = {
+    enable = lib.mkEnableOption "Enable Diaspora’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Diaspora runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Diaspora runs";
+    };
+    adminEmail = lib.mkOption {
+      type = lib.types.str;
+      example = "admin@example.com";
+      description = "Admin e-mail for Diaspora";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Diaspora stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Diaspora puts runtime files and sockets.
+        '';
+    };
+    configDir = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration path for Diaspora.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.diaspora;
+      description = ''
+        Diaspora package to use.
+        '';
+    };
+    # Output variables
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Diaspora data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Diaspora sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override {
+        varDir = cfg.dataDir;
+        podmin_email = cfg.adminEmail;
+        config_dir = cfg.configDir;
+      };
+      description = ''
+        Adjusted diaspora package with overriden values
+        '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        rails = "${cfg.socketsDir}/diaspora.sock";
+        eye   = "${cfg.socketsDir}/eye.sock";
+      };
+      readOnly = true;
+      description = ''
+        Diaspora sockets
+        '';
+    };
+    pids = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        eye   = "${cfg.socketsDir}/eye.pid";
+      };
+      readOnly = true;
+      description = ''
+        Diaspora pids
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Diaspora user";
+      home = cfg.dataDir;
+      packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.diaspora = {
+      description = "Diaspora";
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "network.target" "redis.service" "postgresql.service"
+      ];
+      wants = [
+        "redis.service" "postgresql.service"
+      ];
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.EYE_SOCK = cfg.sockets.eye;
+      environment.EYE_PID = cfg.pids.eye;
+
+      path = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby pkgs.curl pkgs.which pkgs.gawk ];
+
+      preStart = ''
+        install -m 0755 -d ${cfg.dataDir}/uploads ${cfg.dataDir}/tmp ${cfg.dataDir}/log
+        install -m 0700 -d ${cfg.dataDir}/tmp/pids
+        if [ ! -f ${cfg.dataDir}/schedule.yml ]; then
+          echo "{}" > ${cfg.dataDir}/schedule.yml
+        fi
+        ./bin/bundle exec rails db:migrate
+      '';
+
+      script = ''
+        exec ${cfg.workdir}/script/server
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StandardInput = "null";
+        KillMode = "control-group";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
diff --git a/modules/webapps/etherpad-lite.nix b/modules/webapps/etherpad-lite.nix
new file mode 100644
index 00000000..7f0e2ed4
--- /dev/null
+++ b/modules/webapps/etherpad-lite.nix
@@ -0,0 +1,158 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "etherpad-lite";
+  cfg = config.services.etherpad-lite;
+
+  uid = config.ids.uids.etherpad-lite;
+  gid = config.ids.gids.etherpad-lite;
+in
+{
+  options.services.etherpad-lite = {
+    enable = lib.mkEnableOption "Enable Etherpad lite’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Etherpad lite runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Etherpad lite runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Etherpad lite stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Etherpad lite stores its sockets.
+      '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The config file path for Etherpad lite.
+        '';
+    };
+    sessionKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The Session key file path for Etherpad lite.
+        '';
+    };
+    apiKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The API key file path for Etherpad lite.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.etherpad-lite;
+      description = ''
+        Etherpad lite package to use.
+        '';
+    };
+    modules = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [];
+      description = ''
+        Etherpad lite modules to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.withModules cfg.modules;
+      description = ''
+      Adjusted Etherpad lite package with plugins
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Etherpad lite data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Etherpad lite sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        node  = "${cfg.socketsDir}/etherpad-lite.sock";
+      };
+      readOnly = true;
+      description = ''
+        Etherpad lite sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.etherpad-lite = {
+      description = "Etherpad-lite";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.HOME = cfg.workdir;
+
+      path = [ pkgs.nodejs ];
+
+      script = ''
+        exec ${pkgs.nodejs}/bin/node ${cfg.workdir}/src/node/server.js \
+          --sessionkey ${cfg.sessionKeyFile} \
+          --apikey ${cfg.apiKeyFile} \
+          --settings ${cfg.configFile}
+      '';
+
+      postStart = ''
+        while [ ! -S ${cfg.sockets.node} ]; do
+          sleep 0.5
+        done
+        chmod a+w ${cfg.sockets.node}
+        '';
+      serviceConfig = {
+        DynamicUser = true;
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.workdir;
+        PrivateTmp = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        ExecStartPre = [
+          "+${pkgs.coreutils}/bin/install -d -m 0755 -o ${cfg.user} -g ${cfg.group} ${cfg.dataDir}/ep_initialized"
+          "+${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir} ${cfg.configFile} ${cfg.sessionKeyFile} ${cfg.apiKeyFile}"
+        ];
+      };
+    };
+
+  };
+}
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
new file mode 100644
index 00000000..6255de91
--- /dev/null
+++ b/modules/webapps/mastodon.nix
@@ -0,0 +1,223 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "mastodon";
+  cfg = config.services.mastodon;
+
+  uid = config.ids.uids.mastodon;
+  gid = config.ids.gids.mastodon;
+in
+{
+  options.services.mastodon = {
+    enable = lib.mkEnableOption "Enable Mastodon’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Mastodon runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Mastodon runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Mastodon stores its data.
+      '';
+    };
+    socketsPrefix = lib.mkOption {
+      type = lib.types.string;
+      default = "live";
+      description = ''
+        The prefix to use for Mastodon sockets.
+        '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Mastodon puts runtime files and sockets.
+        '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Mastodon.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.mastodon;
+      description = ''
+        Mastodon package to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.override { varDir = cfg.dataDir; };
+      description = ''
+      Adjusted mastodon package with overriden varDir
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Mastodon data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Mastodon sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        node  = "${cfg.socketsDir}/${cfg.socketsPrefix}_node.sock";
+        rails = "${cfg.socketsDir}/${cfg.socketsPrefix}_puma.sock";
+      };
+      readOnly = true;
+      description = ''
+        Mastodon sockets
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Mastodon user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.mastodon-streaming = {
+      description = "Mastodon Streaming";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mastodon-web.service" ];
+
+      environment.NODE_ENV = "production";
+      environment.SOCKET = cfg.sockets.node;
+
+      path = [ pkgs.nodejs pkgs.bashInteractive ];
+
+      script = ''
+        exec npm run start
+      '';
+
+      postStart = ''
+        while [ ! -S $SOCKET ]; do
+          sleep 0.5
+        done
+        chmod a+w $SOCKET
+      '';
+
+      postStop = ''
+        rm $SOCKET
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mastodon-web = {
+      description = "Mastodon Web app";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      environment.RAILS_ENV = "production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.SOCKET = cfg.sockets.rails;
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.file ];
+
+      preStart = ''
+        install -m 0755 -d ${cfg.dataDir}/tmp/cache
+        ./bin/bundle exec rails db:migrate
+      '';
+
+      script = ''
+        exec ./bin/bundle exec puma -C config/puma.rb
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 60;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mastodon-sidekiq = {
+      description = "Mastodon Sidekiq";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mastodon-web.service" ];
+
+      environment.RAILS_ENV="production";
+      environment.BUNDLE_PATH = "${cfg.workdir.gems}/${cfg.workdir.gems.ruby.gemPath}";
+      environment.BUNDLE_GEMFILE = "${cfg.workdir.gems.confFiles}/Gemfile";
+      environment.DB_POOL="5";
+
+      path = [ cfg.workdir.gems cfg.workdir.gems.ruby pkgs.imagemagick pkgs.ffmpeg pkgs.file ];
+
+      script = ''
+        exec ./bin/bundle exec sidekiq -c 5 -q default -q mailers -q pull -q push
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        EnvironmentFile = cfg.configFile;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        StateDirectory = cfg.systemdStateDirectory;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        RuntimeDirectoryPreserve = "yes";
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+  };
+}
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix
new file mode 100644
index 00000000..78bbef6f
--- /dev/null
+++ b/modules/webapps/mediagoblin.nix
@@ -0,0 +1,237 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "mediagoblin";
+  cfg = config.services.mediagoblin;
+
+  uid = config.ids.uids.mediagoblin;
+  gid = config.ids.gids.mediagoblin;
+
+  paste_local = pkgs.writeText "paste_local.ini" ''
+    [DEFAULT]
+    debug = false
+
+    [pipeline:main]
+    pipeline = mediagoblin
+
+    [app:mediagoblin]
+    use = egg:mediagoblin#app
+    config = ${cfg.configFile} ${cfg.workdir}/mediagoblin.ini
+    /mgoblin_static = ${cfg.workdir}/mediagoblin/static
+
+    [loggers]
+    keys = root
+
+    [handlers]
+    keys = console
+
+    [formatters]
+    keys = generic
+
+    [logger_root]
+    level = INFO
+    handlers = console
+
+    [handler_console]
+    class = StreamHandler
+    args = (sys.stderr,)
+    level = NOTSET
+    formatter = generic
+
+    [formatter_generic]
+    format = %(levelname)-7.7s [%(name)s] %(message)s
+
+    [filter:errors]
+    use = egg:mediagoblin#errors
+    debug = false
+
+    [server:main]
+    use = egg:waitress#main
+    unix_socket = ${cfg.sockets.paster}
+    unix_socket_perms = 777
+    url_scheme = https
+    '';
+in
+{
+  options.services.mediagoblin = {
+    enable = lib.mkEnableOption "Enable Mediagoblin’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Mediagoblin runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Mediagoblin runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Mediagoblin stores its data.
+      '';
+    };
+    socketsDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/run/${name}";
+      description = ''
+        The directory where Mediagoblin puts runtime files and sockets.
+        '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Mediagoblin.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.mediagoblin;
+      description = ''
+        Mediagoblin package to use.
+        '';
+    };
+    plugins = lib.mkOption {
+      type = lib.types.listOf lib.types.package;
+      default = [];
+      description = ''
+        Mediagoblin plugins to use.
+        '';
+    };
+    # Output variables
+    workdir = lib.mkOption {
+      type = lib.types.package;
+      default = cfg.package.withPlugins cfg.plugins;
+      description = ''
+      Adjusted Mediagoblin package with plugins
+      '';
+      readOnly = true;
+    };
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Mediagoblin data directory for systemd
+      '';
+      readOnly = true;
+    };
+    systemdRuntimeDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if socketsDir is outside of /run
+      default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
+        lib.strings.removePrefix "/run/" cfg.socketsDir;
+      description = ''
+      Adjusted Mediagoblin sockets directory for systemd
+      '';
+      readOnly = true;
+    };
+    sockets = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        paster = "${cfg.socketsDir}/mediagoblin.sock";
+      };
+      readOnly = true;
+      description = ''
+        Mediagoblin sockets
+        '';
+    };
+    pids = lib.mkOption {
+      type = lib.types.attrsOf lib.types.path;
+      default = {
+        paster = "${cfg.socketsDir}/mediagoblin.pid";
+        celery = "${cfg.socketsDir}/mediagoblin-celeryd.pid";
+      };
+      readOnly = true;
+      description = ''
+        Mediagoblin pid files
+        '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Mediagoblin user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.mediagoblin-web = {
+      description = "Mediagoblin service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      wants = [ "postgresql.service" "redis.service" ];
+
+      environment.SCRIPT_NAME = "/mediagoblin/";
+
+      script = ''
+        exec ./bin/paster serve \
+          ${paste_local} \
+          --pid-file=${cfg.pids.paster}
+        '';
+      preStop = ''
+        exec ./bin/paster serve \
+          --pid-file=${cfg.pids.paster} \
+          ${paste_local} stop
+        '';
+      preStart = ''
+        if [ -d ${cfg.dataDir}/plugin_static/ ]; then
+          rm ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+          ln -sf ${cfg.workdir}/mediagoblin/plugins/basic_auth/static ${cfg.dataDir}/plugin_static/coreplugin_basic_auth
+        fi
+        ./bin/gmg -cf ${cfg.configFile} dbupdate
+        '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 15;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        PIDFile = cfg.pids.paster;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+
+    systemd.services.mediagoblin-celeryd = {
+      description = "Mediagoblin service";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "mediagoblin-web.service" ];
+
+      environment.MEDIAGOBLIN_CONFIG = cfg.configFile;
+      environment.CELERY_CONFIG_MODULE = "mediagoblin.init.celery.from_celery";
+
+      script = ''
+        exec ./bin/celery worker \
+          --logfile=${cfg.dataDir}/celery.log \
+          --loglevel=INFO
+        '';
+
+      serviceConfig = {
+        User = cfg.user;
+        PrivateTmp = true;
+        Restart = "always";
+        TimeoutSec = 60;
+        Type = "simple";
+        WorkingDirectory = cfg.workdir;
+        RuntimeDirectory = cfg.systemdRuntimeDirectory;
+        StateDirectory= cfg.systemdStateDirectory;
+        PIDFile = cfg.pids.celery;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix
new file mode 100644
index 00000000..89dcc67a
--- /dev/null
+++ b/modules/webapps/peertube.nix
@@ -0,0 +1,105 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "peertube";
+  cfg = config.services.peertube;
+
+  uid = config.ids.uids.peertube;
+  gid = config.ids.gids.peertube;
+in
+{
+  options.services.peertube = {
+    enable = lib.mkEnableOption "Enable Peertube’s service";
+    user = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "User account under which Peertube runs";
+    };
+    group = lib.mkOption {
+      type = lib.types.str;
+      default = name;
+      description = "Group under which Peertube runs";
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Peertube stores its data.
+      '';
+    };
+    configFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''
+        The configuration file path for Peertube.
+        '';
+    };
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.webapps.peertube;
+      description = ''
+        Peertube package to use.
+        '';
+    };
+    # Output variables
+    systemdStateDirectory = lib.mkOption {
+      type = lib.types.str;
+      # Use ReadWritePaths= instead if varDir is outside of /var/lib
+      default = assert lib.strings.hasPrefix "/var/lib/" cfg.dataDir;
+        lib.strings.removePrefix "/var/lib/" cfg.dataDir;
+      description = ''
+      Adjusted Peertube data directory for systemd
+      '';
+      readOnly = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+      inherit name;
+      inherit uid;
+      group = cfg.group;
+      description = "Peertube user";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+    });
+    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+      inherit name;
+      inherit gid;
+    });
+
+    systemd.services.peertube = {
+      description = "Peertube";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "postgresql.service" ];
+      wants = [ "postgresql.service" ];
+
+      environment.NODE_CONFIG_DIR = "${cfg.dataDir}/config";
+      environment.NODE_ENV = "production";
+      environment.HOME = cfg.package;
+
+      path = [ pkgs.nodejs pkgs.bashInteractive pkgs.ffmpeg pkgs.openssl ];
+
+      script = ''
+        install -m 0750 -d ${cfg.dataDir}/config
+        ln -sf ${cfg.configFile} ${cfg.dataDir}/config/production.yaml
+        exec npm run start
+      '';
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.package;
+        StateDirectory = cfg.systemdStateDirectory;
+        StateDirectoryMode = 0750;
+        PrivateTmp = true;
+        ProtectHome = true;
+        ProtectControlGroups = true;
+        Restart = "always";
+        Type = "simple";
+        TimeoutSec = 60;
+      };
+
+      unitConfig.RequiresMountsFor = cfg.dataDir;
+    };
+  };
+}
+
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix
new file mode 100644
index 00000000..924d72de
--- /dev/null
+++ b/modules/webapps/webstats/default.nix
@@ -0,0 +1,81 @@
+{ lib, pkgs, config, ... }:
+let
+  name = "goaccess";
+  cfg = config.services.webstats;
+in {
+  options.services.webstats = {
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/${name}";
+      description = ''
+        The directory where Goaccess stores its data.
+      '';
+    };
+    sites = lib.mkOption {
+      type = lib.types.listOf (lib.types.submodule {
+        options = {
+          conf = lib.mkOption {
+            type = lib.types.nullOr lib.types.path;
+            default = null;
+            description = ''
+              use custom goaccess configuration file instead of the
+              default one.
+              '';
+          };
+          name = lib.mkOption {
+            type = lib.types.string;
+            description  = ''
+              Domain name. Corresponds to the Apache file name and the
+              folder name in which the state will be saved.
+              '';
+          };
+        };
+      });
+      default = [];
+      description = "Sites to generate stats";
+    };
+  };
+
+  config = lib.mkIf (builtins.length cfg.sites > 0) {
+    users.users.root.packages = [
+      pkgs.goaccess
+    ];
+
+    services.cron = {
+      enable = true;
+      systemCronJobs = let
+        stats = domain: conf: let
+          config = if builtins.isNull conf
+            then pkgs.runCommand "goaccess.conf" {
+                dbPath = "${cfg.dataDir}/${domain}";
+              } "substituteAll ${./goaccess.conf} $out"
+            else conf;
+          d = pkgs.writeScriptBin "stats-${domain}" ''
+            #!${pkgs.stdenv.shell}
+            set -e
+            shopt -s nullglob
+            date_regex=$(LC_ALL=C date -d yesterday +'%d\/%b\/%Y')
+            TMPFILE=$(mktemp)
+            trap "rm -f $TMPFILE" EXIT
+
+            mkdir -p ${cfg.dataDir}/${domain}
+            cat /var/log/httpd/access-${domain}.log | sed -n "/\\[$date_regex/ p" > $TMPFILE
+            for i in /var/log/httpd/access-${domain}*.gz; do
+              zcat "$i" | sed -n "/\\[$date_regex/ p" >> $TMPFILE
+            done
+            ${pkgs.goaccess}/bin/goaccess $TMPFILE --no-progress -o ${cfg.dataDir}/${domain}/index.html -p ${config}
+            '';
+          in "${d}/bin/stats-${domain}";
+        allStats = sites: pkgs.writeScript "stats" ''
+          #!${pkgs.stdenv.shell}
+
+          mkdir -p ${cfg.dataDir}
+          ${builtins.concatStringsSep "\n" (map (v: stats v.name v.conf) sites)}
+          '';
+      in
+        [
+          "5 0 * * * root ${allStats cfg.sites}"
+        ];
+    };
+  };
+}
diff --git a/modules/webapps/webstats/goaccess.conf b/modules/webapps/webstats/goaccess.conf
new file mode 100644
index 00000000..49189883
--- /dev/null
+++ b/modules/webapps/webstats/goaccess.conf
@@ -0,0 +1,99 @@
+time-format %H:%M:%S
+date-format %d/%b/%Y
+
+#sur immae.eu
+#log-format %v %h %^[%d:%t %^] "%r" %s %b "%R" "%u" $^
+
+log-format VCOMBINED
+#= %v:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u"
+
+html-prefs {"theme":"bright","layout":"vertical"}
+
+exclude-ip 188.165.209.148
+exclude-ip 178.33.252.96
+exclude-ip 2001:41d0:2:9c94::1
+exclude-ip 2001:41d0:2:9c94::
+exclude-ip 176.9.151.89
+exclude-ip 2a01:4f8:160:3445::
+exclude-ip 82.255.56.72
+
+no-query-string true
+
+keep-db-files true
+load-from-disk true
+db-path @dbPath@
+
+ignore-panel REFERRERS
+ignore-panel KEYPHRASES
+
+static-file .css
+static-file .js
+static-file .jpg
+static-file .png
+static-file .gif
+static-file .ico
+static-file .jpeg
+static-file .pdf
+static-file .csv
+static-file .mpeg
+static-file .mpg
+static-file .swf
+static-file .woff
+static-file .woff2
+static-file .xls
+static-file .xlsx
+static-file .doc
+static-file .docx
+static-file .ppt
+static-file .pptx
+static-file .txt
+static-file .zip
+static-file .ogg
+static-file .mp3
+static-file .mp4
+static-file .exe
+static-file .iso
+static-file .gz
+static-file .rar
+static-file .svg
+static-file .bmp
+static-file .tar
+static-file .tgz
+static-file .tiff
+static-file .tif
+static-file .ttf
+static-file .flv
+#static-file .less
+#static-file .ac3
+#static-file .avi
+#static-file .bz2
+#static-file .class
+#static-file .cue
+#static-file .dae
+#static-file .dat
+#static-file .dts
+#static-file .ejs
+#static-file .eot
+#static-file .eps
+#static-file .img
+#static-file .jar
+#static-file .map
+#static-file .mid
+#static-file .midi
+#static-file .ogv
+#static-file .webm
+#static-file .mkv
+#static-file .odp
+#static-file .ods
+#static-file .odt
+#static-file .otf
+#static-file .pict
+#static-file .pls
+#static-file .ps
+#static-file .qt
+#static-file .rm
+#static-file .svgz
+#static-file .wav
+#static-file .webp
+
+
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
new file mode 100644
index 00000000..e57f505a
--- /dev/null
+++ b/modules/websites/default.nix
@@ -0,0 +1,199 @@
+{ lib, config, ... }: with lib;
+let
+  cfg = config.services.websites;
+in
+{
+  options.services.websitesCerts = mkOption {
+    description = "Default websites configuration for certificates as accepted by acme";
+  };
+  options.services.websites = with types; mkOption {
+    default = {};
+    description = "Each type of website to enable will target a distinct httpd server";
+    type = attrsOf (submodule {
+      options = {
+        enable = mkEnableOption "Enable websites of this type";
+        adminAddr = mkOption {
+          type = str;
+          description = "Admin e-mail address of the instance";
+        };
+        httpdName = mkOption {
+          type = str;
+          description = "Name of the httpd instance to assign this type to";
+        };
+        ips = mkOption {
+          type = listOf string;
+          default = [];
+          description = "ips to listen to";
+        };
+        modules = mkOption {
+          type = listOf str;
+          default = [];
+          description = "Additional modules to load in Apache";
+        };
+        extraConfig = mkOption {
+          type = listOf lines;
+          default = [];
+          description = "Additional configuration to append to Apache";
+        };
+        nosslVhost = mkOption {
+          description = "A default nossl vhost for captive portals";
+          default = {};
+          type = submodule {
+            options = {
+              enable = mkEnableOption "Add default no-ssl vhost for this instance";
+              host = mkOption {
+                type = string;
+                description = "The hostname to use for this vhost";
+              };
+              root = mkOption {
+                type = path;
+                default = ./nosslVhost;
+                description = "The root folder to serve";
+              };
+              indexFile = mkOption {
+                type = string;
+                default = "index.html";
+                description = "The index file to show.";
+              };
+            };
+          };
+        };
+        fallbackVhost = mkOption {
+          description = "The fallback vhost that will be defined as first vhost in Apache";
+          type = submodule {
+            options = {
+              certName = mkOption { type = string; };
+              hosts    = mkOption { type = listOf string; };
+              root     = mkOption { type = nullOr path; };
+              extraConfig = mkOption { type = listOf lines; default = []; };
+            };
+          };
+        };
+        vhostConfs = mkOption {
+          default = {};
+          description = "List of vhosts to define for Apache";
+          type = attrsOf (submodule {
+            options = {
+              certName = mkOption { type = string; };
+              addToCerts = mkOption {
+                type = bool;
+                default = false;
+                description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
+              };
+              certMainHost = mkOption {
+                type = nullOr string;
+                description = "Use that host as 'main host' for acme certs";
+                default = null;
+              };
+              hosts    = mkOption { type = listOf string; };
+              root     = mkOption { type = nullOr path; };
+              extraConfig = mkOption { type = listOf lines; default = []; };
+            };
+          });
+        };
+      };
+    });
+  };
+
+  config.services.httpd = let
+    redirectVhost = ips: { # Should go last, catchall http -> https redirect
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = "redirectSSL";
+      serverAliases = [ "*" ];
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = "${config.security.acme.directory}/acme-challenge";
+      extraConfig = ''
+        RewriteEngine on
+        RewriteCond "%{REQUEST_URI}"   "!^/\.well-known"
+        RewriteRule ^(.+)              https://%{HTTP_HOST}$1  [R=301]
+        # To redirect in specific "VirtualHost *:80", do
+        #   RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+        # rather than rewrite
+      '';
+    };
+    nosslVhost = ips: cfg: {
+      listen = map (ip: { inherit ip; port = 80; }) ips;
+      hostName = cfg.host;
+      enableSSL = false;
+      logFormat = "combinedVhost";
+      documentRoot = cfg.root;
+      extraConfig = ''
+        <Directory ${cfg.root}>
+          DirectoryIndex ${cfg.indexFile}
+          AllowOverride None
+          Require all granted
+
+          RewriteEngine on
+          RewriteRule ^/(.+)   /   [L]
+        </Directory>
+        '';
+    };
+    toVhost = ips: vhostConf: {
+      enableSSL = true;
+      sslServerCert = "${config.security.acme.directory}/${vhostConf.certName}/cert.pem";
+      sslServerKey = "${config.security.acme.directory}/${vhostConf.certName}/key.pem";
+      sslServerChain = "${config.security.acme.directory}/${vhostConf.certName}/chain.pem";
+      logFormat = "combinedVhost";
+      listen = map (ip: { inherit ip; port = 443; }) ips;
+      hostName = builtins.head vhostConf.hosts;
+      serverAliases = builtins.tail vhostConf.hosts or [];
+      documentRoot = vhostConf.root;
+      extraConfig = builtins.concatStringsSep "\n" vhostConf.extraConfig;
+    };
+  in attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
+    icfg.httpdName (mkIf icfg.enable {
+      enable = true;
+      listen = map (ip: { inherit ip; port = 443; }) icfg.ips;
+      stateDir = "/run/httpd_${name}";
+      logPerVirtualHost = true;
+      multiProcessingModule = "worker";
+      inherit (icfg) adminAddr;
+      logFormat = "combinedVhost";
+      extraModules = lists.unique icfg.modules;
+      extraConfig = builtins.concatStringsSep "\n" icfg.extraConfig;
+      virtualHosts = [ (toVhost icfg.ips icfg.fallbackVhost) ]
+        ++ optionals (icfg.nosslVhost.enable) [ (nosslVhost icfg.ips icfg.nosslVhost) ]
+        ++ (attrsets.mapAttrsToList (n: v: toVhost icfg.ips v) icfg.vhostConfs)
+        ++ [ (redirectVhost icfg.ips) ];
+    })
+  ) cfg;
+
+  config.security.acme.certs = let
+    typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg;
+    flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
+      attrValues v.vhostConfs
+    ) typesToManage);
+    groupedCerts = attrsets.filterAttrs
+      (_: group: builtins.any (v: v.addToCerts || !isNull v.certMainHost) group)
+      (lists.groupBy (v: v.certName) flatVhosts);
+    groupToDomain = group:
+      let
+        nonNull = builtins.filter (v: !isNull v.certMainHost) group;
+        domains = lists.unique (map (v: v.certMainHost) nonNull);
+      in
+        if builtins.length domains == 0
+          then null
+          else assert (builtins.length domains == 1); (elemAt domains 0);
+    extraDomains = group:
+      let
+        mainDomain = groupToDomain group;
+      in
+        lists.remove mainDomain (
+          lists.unique (
+            lists.flatten (map (c: optionals (c.addToCerts || !isNull c.certMainHost) c.hosts) group)
+          )
+        );
+  in attrsets.mapAttrs (k: g:
+    if (!isNull (groupToDomain g))
+    then config.services.websitesCerts // {
+      domain = groupToDomain g;
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+    else {
+      extraDomains = builtins.listToAttrs (
+        map (d: attrsets.nameValuePair d null) (extraDomains g));
+    }
+  ) groupedCerts;
+}
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix
new file mode 100644
index 00000000..d049202c
--- /dev/null
+++ b/modules/websites/httpd-service-builder.nix
@@ -0,0 +1,746 @@
+# to help backporting this builder should stay as close as possible to
+# nixos/modules/services/web-servers/apache-httpd/default.nix
+{ httpdName, withUsers ? true }:
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  mainCfg = config.services.httpd."${httpdName}";
+
+  httpd = mainCfg.package.out;
+
+  version24 = !versionOlder httpd.version "2.4";
+
+  httpdConf = mainCfg.configFile;
+
+  php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
+
+  phpMajorVersion = head (splitString "." php.version);
+
+  mod_perl = pkgs.apacheHttpdPackages.mod_perl.override { apacheHttpd = httpd; };
+
+  defaultListen = cfg: if cfg.enableSSL
+    then [{ip = "*"; port = 443;}]
+    else [{ip = "*"; port = 80;}];
+
+  getListen = cfg:
+    let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
+    in if list == []
+        then defaultListen cfg
+        else list;
+
+  listenToString = l: "${l.ip}:${toString l.port}";
+
+  extraModules = attrByPath ["extraModules"] [] mainCfg;
+  extraForeignModules = filter isAttrs extraModules;
+  extraApacheModules = filter isString extraModules;
+
+
+  makeServerInfo = cfg: {
+    # Canonical name must not include a trailing slash.
+    canonicalNames =
+      let defaultPort = (head (defaultListen cfg)).port; in
+      map (port:
+        (if cfg.enableSSL then "https" else "http") + "://" +
+        cfg.hostName +
+        (if port != defaultPort then ":${toString port}" else "")
+        ) (map (x: x.port) (getListen cfg));
+
+    # Admin address: inherit from the main server if not specified for
+    # a virtual host.
+    adminAddr = if cfg.adminAddr != null then cfg.adminAddr else mainCfg.adminAddr;
+
+    vhostConfig = cfg;
+    serverConfig = mainCfg;
+    fullConfig = config; # machine config
+  };
+
+
+  allHosts = [mainCfg] ++ mainCfg.virtualHosts;
+
+
+  callSubservices = serverInfo: defs:
+    let f = svc:
+      let
+        svcFunction =
+          if svc ? function then svc.function
+          # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
+          else if svc ? serviceExpression then import (toString svc.serviceExpression)
+          else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
+        config = (evalModules
+          { modules = [ { options = res.options; config = svc.config or svc; } ];
+            check = false;
+          }).config;
+        defaults = {
+          extraConfig = "";
+          extraModules = [];
+          extraModulesPre = [];
+          extraPath = [];
+          extraServerPath = [];
+          globalEnvVars = [];
+          robotsEntries = "";
+          startupScript = "";
+          enablePHP = false;
+          enablePerl = false;
+          phpOptions = "";
+          options = {};
+          documentRoot = null;
+        };
+        res = defaults // svcFunction { inherit config lib pkgs serverInfo php; };
+      in res;
+    in map f defs;
+
+
+  # !!! callSubservices is expensive
+  subservicesFor = cfg: callSubservices (makeServerInfo cfg) cfg.extraSubservices;
+
+  mainSubservices = subservicesFor mainCfg;
+
+  allSubservices = mainSubservices ++ concatMap subservicesFor mainCfg.virtualHosts;
+
+
+  enableSSL = any (vhost: vhost.enableSSL) allHosts;
+
+
+  # Names of modules from ${httpd}/modules that we want to load.
+  apacheModules =
+    [ # HTTP authentication mechanisms: basic and digest.
+      "auth_basic" "auth_digest"
+
+      # Authentication: is the user who he claims to be?
+      "authn_file" "authn_dbm" "authn_anon"
+      (if version24 then "authn_core" else "authn_alias")
+
+      # Authorization: is the user allowed access?
+      "authz_user" "authz_groupfile" "authz_host"
+
+      # Other modules.
+      "ext_filter" "include" "log_config" "env" "mime_magic"
+      "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
+      "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
+      "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
+      "userdir" "alias" "rewrite" "proxy" "proxy_http"
+    ]
+    ++ optionals version24 [
+      "mpm_${mainCfg.multiProcessingModule}"
+      "authz_core"
+      "unixd"
+      "cache" "cache_disk"
+      "slotmem_shm"
+      "socache_shmcb"
+      # For compatibility with old configurations, the new module mod_access_compat is provided.
+      "access_compat"
+    ]
+    ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
+    ++ optional enableSSL "ssl"
+    ++ extraApacheModules;
+
+
+  allDenied = if version24 then ''
+    Require all denied
+  '' else ''
+    Order deny,allow
+    Deny from all
+  '';
+
+  allGranted = if version24 then ''
+    Require all granted
+  '' else ''
+    Order allow,deny
+    Allow from all
+  '';
+
+
+  loggingConf = (if mainCfg.logFormat != "none" then ''
+    ErrorLog ${mainCfg.logDir}/error.log
+
+    LogLevel notice
+
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+    LogFormat "%{Referer}i -> %U" referer
+    LogFormat "%{User-agent}i" agent
+
+    CustomLog ${mainCfg.logDir}/access.log ${mainCfg.logFormat}
+  '' else ''
+    ErrorLog /dev/null
+  '');
+
+
+  browserHacks = ''
+    BrowserMatch "Mozilla/2" nokeepalive
+    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
+    BrowserMatch "RealPlayer 4\.0" force-response-1.0
+    BrowserMatch "Java/1\.0" force-response-1.0
+    BrowserMatch "JDK/1\.0" force-response-1.0
+    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
+    BrowserMatch "^WebDrive" redirect-carefully
+    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
+    BrowserMatch "^gnome-vfs" redirect-carefully
+  '';
+
+
+  sslConf = ''
+    SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
+
+    ${if version24 then "Mutex" else "SSLMutex"} posixsem
+
+    SSLRandomSeed startup builtin
+    SSLRandomSeed connect builtin
+
+    SSLProtocol ${mainCfg.sslProtocols}
+    SSLCipherSuite ${mainCfg.sslCiphers}
+    SSLHonorCipherOrder on
+  '';
+
+
+  mimeConf = ''
+    TypesConfig ${httpd}/conf/mime.types
+
+    AddType application/x-x509-ca-cert .crt
+    AddType application/x-pkcs7-crl    .crl
+    AddType application/x-httpd-php    .php .phtml
+
+    <IfModule mod_mime_magic.c>
+        MIMEMagicFile ${httpd}/conf/magic
+    </IfModule>
+  '';
+
+
+  perServerConf = isMainServer: cfg: let
+
+    serverInfo = makeServerInfo cfg;
+
+    subservices = callSubservices serverInfo cfg.extraSubservices;
+
+    maybeDocumentRoot = fold (svc: acc:
+      if acc == null then svc.documentRoot else assert svc.documentRoot == null; acc
+    ) null ([ cfg ] ++ subservices);
+
+    documentRoot = if maybeDocumentRoot != null then maybeDocumentRoot else
+      pkgs.runCommand "empty" { preferLocalBuild = true; } "mkdir -p $out";
+
+    documentRootConf = ''
+      DocumentRoot "${documentRoot}"
+
+      <Directory "${documentRoot}">
+          Options Indexes FollowSymLinks
+          AllowOverride None
+          ${allGranted}
+      </Directory>
+    '';
+
+    robotsTxt =
+      concatStringsSep "\n" (filter (x: x != "") (
+        # If this is a vhost, the include the entries for the main server as well.
+        (if isMainServer then [] else [mainCfg.robotsEntries] ++ map (svc: svc.robotsEntries) mainSubservices)
+        ++ [cfg.robotsEntries]
+        ++ (map (svc: svc.robotsEntries) subservices)));
+
+  in ''
+    ${concatStringsSep "\n" (map (n: "ServerName ${n}") serverInfo.canonicalNames)}
+
+    ${concatMapStrings (alias: "ServerAlias ${alias}\n") cfg.serverAliases}
+
+    ${if cfg.sslServerCert != null then ''
+      SSLCertificateFile ${cfg.sslServerCert}
+      SSLCertificateKeyFile ${cfg.sslServerKey}
+      ${if cfg.sslServerChain != null then ''
+        SSLCertificateChainFile ${cfg.sslServerChain}
+      '' else ""}
+    '' else ""}
+
+    ${if cfg.enableSSL then ''
+      SSLEngine on
+    '' else if enableSSL then /* i.e., SSL is enabled for some host, but not this one */
+    ''
+      SSLEngine off
+    '' else ""}
+
+    ${if isMainServer || cfg.adminAddr != null then ''
+      ServerAdmin ${cfg.adminAddr}
+    '' else ""}
+
+    ${if !isMainServer && mainCfg.logPerVirtualHost then ''
+      ErrorLog ${mainCfg.logDir}/error-${cfg.hostName}.log
+      CustomLog ${mainCfg.logDir}/access-${cfg.hostName}.log ${cfg.logFormat}
+    '' else ""}
+
+    ${optionalString (robotsTxt != "") ''
+      Alias /robots.txt ${pkgs.writeText "robots.txt" robotsTxt}
+    ''}
+
+    ${if isMainServer || maybeDocumentRoot != null then documentRootConf else ""}
+
+    ${if cfg.enableUserDir then ''
+
+      UserDir public_html
+      UserDir disabled root
+
+      <Directory "/home/*/public_html">
+          AllowOverride FileInfo AuthConfig Limit Indexes
+          Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+          <Limit GET POST OPTIONS>
+              ${allGranted}
+          </Limit>
+          <LimitExcept GET POST OPTIONS>
+              ${allDenied}
+          </LimitExcept>
+      </Directory>
+
+    '' else ""}
+
+    ${if cfg.globalRedirect != null && cfg.globalRedirect != "" then ''
+      RedirectPermanent / ${cfg.globalRedirect}
+    '' else ""}
+
+    ${
+      let makeFileConf = elem: ''
+            Alias ${elem.urlPath} ${elem.file}
+          '';
+      in concatMapStrings makeFileConf cfg.servedFiles
+    }
+
+    ${
+      let makeDirConf = elem: ''
+            Alias ${elem.urlPath} ${elem.dir}/
+            <Directory ${elem.dir}>
+                Options +Indexes
+                ${allGranted}
+                AllowOverride All
+            </Directory>
+          '';
+      in concatMapStrings makeDirConf cfg.servedDirs
+    }
+
+    ${concatMapStrings (svc: svc.extraConfig) subservices}
+
+    ${cfg.extraConfig}
+  '';
+
+
+  confFile = pkgs.writeText "httpd.conf" ''
+
+    ServerRoot ${httpd}
+
+    ${optionalString version24 ''
+      DefaultRuntimeDir ${mainCfg.stateDir}/runtime
+    ''}
+
+    PidFile ${mainCfg.stateDir}/httpd.pid
+
+    ${optionalString (mainCfg.multiProcessingModule != "prefork") ''
+      # mod_cgid requires this.
+      ScriptSock ${mainCfg.stateDir}/cgisock
+    ''}
+
+    <IfModule prefork.c>
+        MaxClients           ${toString mainCfg.maxClients}
+        MaxRequestsPerChild  ${toString mainCfg.maxRequestsPerChild}
+    </IfModule>
+
+    ${let
+        listen = concatMap getListen allHosts;
+        toStr = listen: "Listen ${listenToString listen}\n";
+        uniqueListen = uniqList {inputList = map toStr listen;};
+      in concatStrings uniqueListen
+    }
+
+    User ${mainCfg.user}
+    Group ${mainCfg.group}
+
+    ${let
+        load = {name, path}: "LoadModule ${name}_module ${path}\n";
+        allModules =
+          concatMap (svc: svc.extraModulesPre) allSubservices
+          ++ map (name: {inherit name; path = "${httpd}/modules/mod_${name}.so";}) apacheModules
+          ++ optional mainCfg.enableMellon { name = "auth_mellon"; path = "${pkgs.apacheHttpdPackages.mod_auth_mellon}/modules/mod_auth_mellon.so"; }
+          ++ optional enablePHP { name = "php${phpMajorVersion}"; path = "${php}/modules/libphp${phpMajorVersion}.so"; }
+          ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
+          ++ concatMap (svc: svc.extraModules) allSubservices
+          ++ extraForeignModules;
+      in concatMapStrings load allModules
+    }
+
+    AddHandler type-map var
+
+    <Files ~ "^\.ht">
+        ${allDenied}
+    </Files>
+
+    ${mimeConf}
+    ${loggingConf}
+    ${browserHacks}
+
+    Include ${httpd}/conf/extra/httpd-default.conf
+    Include ${httpd}/conf/extra/httpd-autoindex.conf
+    Include ${httpd}/conf/extra/httpd-multilang-errordoc.conf
+    Include ${httpd}/conf/extra/httpd-languages.conf
+
+    TraceEnable off
+
+    ${if enableSSL then sslConf else ""}
+
+    # Fascist default - deny access to everything.
+    <Directory />
+        Options FollowSymLinks
+        AllowOverride None
+        ${allDenied}
+    </Directory>
+
+    # Generate directives for the main server.
+    ${perServerConf true mainCfg}
+
+    # Always enable virtual hosts; it doesn't seem to hurt.
+    ${let
+        listen = concatMap getListen allHosts;
+        uniqueListen = uniqList {inputList = listen;};
+        directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen;
+      in optionalString (!version24) directives
+    }
+
+    ${let
+        makeVirtualHost = vhost: ''
+          <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}>
+              ${perServerConf false vhost}
+          </VirtualHost>
+        '';
+      in concatMapStrings makeVirtualHost mainCfg.virtualHosts
+    }
+  '';
+
+
+  enablePHP = mainCfg.enablePHP || any (svc: svc.enablePHP) allSubservices;
+
+  enablePerl = mainCfg.enablePerl || any (svc: svc.enablePerl) allSubservices;
+
+
+  # Generate the PHP configuration file.  Should probably be factored
+  # out into a separate module.
+  phpIni = pkgs.runCommand "php.ini"
+    { options = concatStringsSep "\n"
+        ([ mainCfg.phpOptions ] ++ (map (svc: svc.phpOptions) allSubservices));
+      preferLocalBuild = true;
+    }
+    ''
+      cat ${php}/etc/php.ini > $out
+      echo "$options" >> $out
+    '';
+
+in
+
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.httpd."${httpdName}" = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the Apache HTTP Server.";
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.apacheHttpd;
+        defaultText = "pkgs.apacheHttpd";
+        description = ''
+          Overridable attribute of the Apache HTTP Server package to use.
+        '';
+      };
+
+      configFile = mkOption {
+        type = types.path;
+        default = confFile;
+        defaultText = "confFile";
+        example = literalExample ''pkgs.writeText "httpd.conf" "# my custom config file ..."'';
+        description = ''
+          Override the configuration file used by Apache. By default,
+          NixOS generates one automatically.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Cnfiguration lines appended to the generated Apache
+          configuration file. Note that this mechanism may not work
+          when <option>configFile</option> is overridden.
+        '';
+      };
+
+      extraModules = mkOption {
+        type = types.listOf types.unspecified;
+        default = [];
+        example = literalExample ''[ "proxy_connect" { name = "php5"; path = "''${pkgs.php}/modules/libphp5.so"; } ]'';
+        description = ''
+          Additional Apache modules to be used.  These can be
+          specified as a string in the case of modules distributed
+          with Apache, or as an attribute set specifying the
+          <varname>name</varname> and <varname>path</varname> of the
+          module.
+        '';
+      };
+
+      logPerVirtualHost = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled, each virtual host gets its own
+          <filename>access.log</filename> and
+          <filename>error.log</filename>, namely suffixed by the
+          <option>hostName</option> of the virtual host.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "wwwrun";
+        description = ''
+          User account under which httpd runs.  The account is created
+          automatically if it doesn't exist.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "wwwrun";
+        description = ''
+          Group under which httpd runs.  The account is created
+          automatically if it doesn't exist.
+        '';
+      };
+
+      logDir = mkOption {
+        type = types.path;
+        default = "/var/log/httpd";
+        description = ''
+          Directory for Apache's log files.  It is created automatically.
+        '';
+      };
+
+      stateDir = mkOption {
+        type = types.path;
+        default = "/run/httpd";
+        description = ''
+          Directory for Apache's transient runtime state (such as PID
+          files).  It is created automatically.  Note that the default,
+          <filename>/run/httpd</filename>, is deleted at boot time.
+        '';
+      };
+
+      virtualHosts = mkOption {
+        type = types.listOf (types.submodule (
+          { options = import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix> {
+              inherit lib;
+              forMainServer = false;
+            };
+          }));
+        default = [];
+        example = [
+          { hostName = "foo";
+            documentRoot = "/data/webroot-foo";
+          }
+          { hostName = "bar";
+            documentRoot = "/data/webroot-bar";
+          }
+        ];
+        description = ''
+          Specification of the virtual hosts served by Apache.  Each
+          element should be an attribute set specifying the
+          configuration of the virtual host.  The available options
+          are the non-global options permissible for the main host.
+        '';
+      };
+
+      enableMellon = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the mod_auth_mellon module.";
+      };
+
+      enablePHP = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the PHP module.";
+      };
+
+      phpPackage = mkOption {
+        type = types.package;
+        default = pkgs.php;
+        defaultText = "pkgs.php";
+        description = ''
+          Overridable attribute of the PHP package to use.
+        '';
+      };
+
+      enablePerl = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the Perl module (mod_perl).";
+      };
+
+      phpOptions = mkOption {
+        type = types.lines;
+        default = "";
+        example =
+          ''
+            date.timezone = "CET"
+          '';
+        description =
+          "Options appended to the PHP configuration file <filename>php.ini</filename>.";
+      };
+
+      multiProcessingModule = mkOption {
+        type = types.str;
+        default = "prefork";
+        example = "worker";
+        description =
+          ''
+            Multi-processing module to be used by Apache.  Available
+            modules are <literal>prefork</literal> (the default;
+            handles each request in a separate child process),
+            <literal>worker</literal> (hybrid approach that starts a
+            number of child processes each running a number of
+            threads) and <literal>event</literal> (a recent variant of
+            <literal>worker</literal> that handles persistent
+            connections more efficiently).
+          '';
+      };
+
+      maxClients = mkOption {
+        type = types.int;
+        default = 150;
+        example = 8;
+        description = "Maximum number of httpd processes (prefork)";
+      };
+
+      maxRequestsPerChild = mkOption {
+        type = types.int;
+        default = 0;
+        example = 500;
+        description =
+          "Maximum number of httpd requests answered per httpd child (prefork), 0 means unlimited";
+      };
+
+      sslCiphers = mkOption {
+        type = types.str;
+        default = "HIGH:!aNULL:!MD5:!EXP";
+        description = "Cipher Suite available for negotiation in SSL proxy handshake.";
+      };
+
+      sslProtocols = mkOption {
+        type = types.str;
+        default = "All -SSLv2 -SSLv3 -TLSv1";
+        example = "All -SSLv2 -SSLv3";
+        description = "Allowed SSL/TLS protocol versions.";
+      };
+    }
+
+    # Include the options shared between the main server and virtual hosts.
+    // (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/per-server-options.nix> {
+      inherit lib;
+      forMainServer = true;
+    });
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf config.services.httpd."${httpdName}".enable {
+
+    assertions = [ { assertion = mainCfg.enableSSL == true
+                               -> mainCfg.sslServerCert != null
+                                    && mainCfg.sslServerKey != null;
+                     message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; }
+                 ];
+
+    warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
+
+    users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton
+      { name = "wwwrun";
+        group = mainCfg.group;
+        description = "Apache httpd user";
+        uid = config.ids.uids.wwwrun;
+      });
+
+    users.groups = optionalAttrs (withUsers && mainCfg.group == "wwwrun") (singleton
+      { name = "wwwrun";
+        gid = config.ids.gids.wwwrun;
+      });
+
+    environment.systemPackages = [httpd] ++ concatMap (svc: svc.extraPath) allSubservices;
+
+    services.httpd."${httpdName}".phpOptions =
+      ''
+        ; Needed for PHP's mail() function.
+        sendmail_path = sendmail -t -i
+
+        ; Don't advertise PHP
+        expose_php = off
+      '' + optionalString (!isNull config.time.timeZone) ''
+
+        ; Apparently PHP doesn't use $TZ.
+        date.timezone = "${config.time.timeZone}"
+      '';
+
+    systemd.services."httpd${httpdName}" =
+      { description = "Apache HTTPD";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "keys.target" ];
+        after = [ "network.target" "fs.target" "postgresql.service" "keys.target" ];
+
+        path =
+          [ httpd pkgs.coreutils pkgs.gnugrep ]
+          ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function.
+          ++ concatMap (svc: svc.extraServerPath) allSubservices;
+
+        environment =
+          optionalAttrs enablePHP { PHPRC = phpIni; }
+          // optionalAttrs mainCfg.enableMellon { LD_LIBRARY_PATH  = "${pkgs.xmlsec}/lib"; }
+          // (listToAttrs (concatMap (svc: svc.globalEnvVars) allSubservices));
+
+        preStart =
+          ''
+            mkdir -m 0750 -p ${mainCfg.stateDir}
+            [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
+            ${optionalString version24 ''
+              mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
+              [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
+            ''}
+            mkdir -m 0700 -p ${mainCfg.logDir}
+
+            # Get rid of old semaphores.  These tend to accumulate across
+            # server restarts, eventually preventing it from restarting
+            # successfully.
+            for i in $(${pkgs.utillinux}/bin/ipcs -s | grep ' ${mainCfg.user} ' | cut -f2 -d ' '); do
+                ${pkgs.utillinux}/bin/ipcrm -s $i
+            done
+
+            # Run the startup hooks for the subservices.
+            for i in ${toString (map (svn: svn.startupScript) allSubservices)}; do
+                echo Running Apache startup hook $i...
+                $i
+            done
+          '';
+
+        serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
+        serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
+        serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
+        serviceConfig.Type = "forking";
+        serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
+        serviceConfig.Restart = "always";
+        serviceConfig.RestartSec = "5s";
+      };
+
+  };
+}
diff --git a/modules/websites/nosslVhost/index.html b/modules/websites/nosslVhost/index.html
new file mode 100644
index 00000000..4401a806
--- /dev/null
+++ b/modules/websites/nosslVhost/index.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>No SSL site</title>
+  </head>
+  <body>
+    <h1>No SSL on this site</h1>
+    <p>Use for wifi networks with login page that doesn't work well with
+    https.</p>
+  </body>
+</html>