authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-12-28 17:02:01 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-12-28 17:02:01 +0100
commit58d1a7828bde7f9a432c31b9d3b381ba27b7e3d9 (patch)
treebd585fc6e83727af065007249600187083d88ae1
parentab5d04b8aea9bf0d4e4f3b86bc0fa86407290a46 (diff)
downloadNix-58d1a7828bde7f9a432c31b9d3b381ba27b7e3d9.tar.gz
Nix-58d1a7828bde7f9a432c31b9d3b381ba27b7e3d9.tar.zst
Nix-58d1a7828bde7f9a432c31b9d3b381ba27b7e3d9.zip
Add php configuration and switch to httpd instead of nginx
-rw-r--r--virtual/eldiron.nix116
1 files changed, 115 insertions, 1 deletions
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 1c2fca6..55b0bf7 100644
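--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -47,8 +47,96 @@
 };
 };
 
-services.nginx = rec {
+# FIXME: open_basedir
+services.phpfpm = {
+extraConfig = ''
+log_level = notice
+'';
+poolConfigs = {
+adminer = ''
+listen = /var/run/phpfpm/adminer.sock
+user = wwwrun
+group = wwwrun
+listen.owner = wwwrun
+listen.group = wwwrun
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "${mypkgs.adminer}:/tmp"
+'';
+www = ''
+listen = /var/run/phpfpm/www.sock
+user = wwwrun
+group = wwwrun
+listen.owner = wwwrun
+listen.group = wwwrun
+pm = ondemand
+pm.max_children = 5
+pm.process_idle_timeout = 60
+;php_admin_flag[log_errors] = on
+php_admin_value[open_basedir] = "/var/www"
+'';
+};
+};
+
+services.httpd = let
+withSSL = domain: {
+enableSSL = true;
+sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only?
+sslServerKey = "/var/lib/acme/${domain}/key.pem";
+sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
+};
+in rec {
 enable = true;
+logPerVirtualHost = true;
+multiProcessingModule = "worker";
+adminAddr = "httpd@immae.eu";
+extraModules = [
+"proxy_fcgi" # for PHP
+];
+virtualHosts = [
+(withSSL "eldiron" // {
+listen = [ { ip = "*"; port = 443; } ];
+hostName = "eldiron.immae.eu";
+# FIXME: directory needs to exist
+documentRoot = "/var/www";
+})
+(withSSL "eldiron" // {
+listen = [ { ip = "*"; port = 443; } ];
+hostName = "db-1.immae.eu";
+documentRoot = null;
+extraConfig = ''
+Alias /adminer ${mypkgs.adminer}
+<Directory ${mypkgs.adminer}>
+DirectoryIndex = index.php
+<FilesMatch "\.php$">
+SetHandler "proxy:unix:/var/run/phpfpm/adminer.sock|fcgi://localhost"
+</FilesMatch>
+</Directory>
+'';
+})
+{ # Should go last, default fallback
+listen = [ { ip = "*"; port = 80; } ];
+hostName = "redirectSSL";
+serverAliases = [ "*" ];
+enableSSL = false;
+# FIXME: directory needs to exist
+documentRoot = "/var/lib/acme/acme-challenge";
+extraConfig = ''
+RewriteEngine on
+RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
+RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
+# To redirect in specific "VirtualHost *:80", do
+# RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+# rather than rewrite
+'';
+}
+];
+};
+
+services.nginx = rec {
+enable = false;
 virtualHosts = {
 "_" = {
 serverName = "_";
@@ -60,6 +148,32 @@
 locations."/" = {
 # FIXME: directory needs to exist
 root = "/var/www";
+extraConfig = ''
+include ${pkgs.nginx}/conf/fastcgi.conf;
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+fastcgi_param HTTP_PROXY "";
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_pass unix:/var/run/phpfpm/www.sock;
+fastcgi_index index.php;
+fastcgi_intercept_errors on;
+'';
+};
+};
+"db-1.immae.eu" = {
+forceSSL = true;
+useACMEHost = "eldiron";
+locations."/adminer" = {
+alias = mypkgs.adminer;
+index = "index.php";
+extraConfig = ''
+include ${pkgs.nginx}/conf/fastcgi.conf;
+fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+fastcgi_param HTTP_PROXY "";
+fastcgi_param SCRIPT_FILENAME ${mypkgs.adminer}/index.php;
+fastcgi_pass unix:/var/run/phpfpm/adminer.sock;
+fastcgi_index index.php;
+fastcgi_intercept_errors on;
+'';
 };
 };
 };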
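Review bot: The `db-1.immae.eu` virtual host in the first hunk publishes Adminer on `*:443`, and its `<Directory ${mypkgs.adminer}>` block carries no access rule, so as far as this hunk shows the database console is reachable from any address once that directory is served. I would put an explicit rule inside the block, e.g. `Require ip <ADMIN_NETWORK_PLACEHOLDER>` or an authenticated `Require valid-user`, rather than depend on whatever the generated global configuration grants or denies (not visible here). In the same block `DirectoryIndex = index.php` should read `DirectoryIndex index.php`, since the directive takes a list of file names and the `=` is read as one of them. Both php-fpm pools run as `wwwrun` with sockets owned by `wwwrun`, and the `adminer` pool allows the shared `/tmp` in `open_basedir`, so code running in the `www` pool appears able to reach the `adminer` socket; a dedicated user and temp directory per pool would be a reasonable way to resolve the `# FIXME: open_basedir` comment.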