author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-03-25 11:57:48 +0100 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-03 16:25:07 +0200 |
commit | 5400b9b6f65451d41a9106fae6fc00f97d83f4ef (patch) | |
tree | 6ed072da7b1f17ac3994ffea052aa0c0822f8446 /modules | |
parent | 441da8aac378f401625e82caf281fa0e26128310 (diff) | |
Upgrade nixos
Diffstat (limited to 'modules')
74 files changed, 763 insertions, 1170 deletions
diff --git a/modules/acme2.nix b/modules/acme2.nix deleted file mode 100644 index b22e4cc..0000000 --- a/modules/acme2.nix +++ /dev/null | |||
@@ -1,353 +0,0 @@ | |||
1 | { config, lib, pkgs, ... }: | ||
2 | |||
3 | with lib; | ||
4 | |||
5 | let | ||
6 | |||
7 | cfg = config.security.acme2; | ||
8 | |||
9 | certOpts = { name, ... }: { | ||
10 | options = { | ||
11 | webroot = mkOption { | ||
12 | type = types.str; | ||
13 | example = "/var/lib/acme/acme-challenges"; | ||
14 | description = '' | ||
15 | Where the webroot of the HTTP vhost is located. | ||
16 | <filename>.well-known/acme-challenge/</filename> directory | ||
17 | will be created below the webroot if it doesn't exist. | ||
18 | <literal>http://example.org/.well-known/acme-challenge/</literal> must also | ||
19 | be available (notice unencrypted HTTP). | ||
20 | ''; | ||
21 | }; | ||
22 | |||
23 | server = mkOption { | ||
24 | type = types.nullOr types.str; | ||
25 | default = null; | ||
26 | description = '' | ||
27 | ACME Directory Resource URI. Defaults to let's encrypt | ||
28 | production endpoint, | ||
29 | https://acme-v02.api.letsencrypt.org/directory, if unset. | ||
30 | ''; | ||
31 | }; | ||
32 | |||
33 | domain = mkOption { | ||
34 | type = types.str; | ||
35 | default = name; | ||
36 | description = "Domain to fetch certificate for (defaults to the entry name)"; | ||
37 | }; | ||
38 | |||
39 | email = mkOption { | ||
40 | type = types.nullOr types.str; | ||
41 | default = null; | ||
42 | description = "Contact email address for the CA to be able to reach you."; | ||
43 | }; | ||
44 | |||
45 | user = mkOption { | ||
46 | type = types.str; | ||
47 | default = "root"; | ||
48 | description = "User running the ACME client."; | ||
49 | }; | ||
50 | |||
51 | group = mkOption { | ||
52 | type = types.str; | ||
53 | default = "root"; | ||
54 | description = "Group running the ACME client."; | ||
55 | }; | ||
56 | |||
57 | allowKeysForGroup = mkOption { | ||
58 | type = types.bool; | ||
59 | default = false; | ||
60 | description = '' | ||
61 | Give read permissions to the specified group | ||
62 | (<option>security.acme2.cert.<name>.group</option>) to read SSL private certificates. | ||
63 | ''; | ||
64 | }; | ||
65 | |||
66 | postRun = mkOption { | ||
67 | type = types.lines; | ||
68 | default = ""; | ||
69 | example = "systemctl reload nginx.service"; | ||
70 | description = '' | ||
71 | Commands to run after new certificates go live. Typically | ||
72 | the web server and other servers using certificates need to | ||
73 | be reloaded. | ||
74 | |||
75 | Executed in the same directory with the new certificate. | ||
76 | ''; | ||
77 | }; | ||
78 | |||
79 | plugins = mkOption { | ||
80 | type = types.listOf (types.enum [ | ||
81 | "cert.der" "cert.pem" "chain.pem" "external.sh" | ||
82 | "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json" | ||
83 | ]); | ||
84 | default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ]; | ||
85 | description = '' | ||
86 | Plugins to enable. With default settings simp_le will | ||
87 | store public certificate bundle in <filename>fullchain.pem</filename>, | ||
88 | private key in <filename>key.pem</filename> and those two previous | ||
89 | files combined in <filename>full.pem</filename> in its state directory. | ||
90 | ''; | ||
91 | }; | ||
92 | |||
93 | directory = mkOption { | ||
94 | type = types.str; | ||
95 | readOnly = true; | ||
96 | default = "/var/lib/acme/${name}"; | ||
97 | description = "Directory where certificate and other state is stored."; | ||
98 | }; | ||
99 | |||
100 | extraDomains = mkOption { | ||
101 | type = types.attrsOf (types.nullOr types.str); | ||
102 | default = {}; | ||
103 | example = literalExample '' | ||
104 | { | ||
105 | "example.org" = "/srv/http/nginx"; | ||
106 | "mydomain.org" = null; | ||
107 | } | ||
108 | ''; | ||
109 | description = '' | ||
110 | A list of extra domain names, which are included in the one certificate to be issued, with their | ||
111 | own server roots if needed. | ||
112 | ''; | ||
113 | }; | ||
114 | }; | ||
115 | }; | ||
116 | |||
117 | in | ||
118 | |||
119 | { | ||
120 | |||
121 | ###### interface | ||
122 | imports = [ | ||
123 | (mkRemovedOptionModule [ "security" "acme2" "production" ] '' | ||
124 | Use security.acme2.server to define your staging ACME server URL instead. | ||
125 | |||
126 | To use the let's encrypt staging server, use security.acme2.server = | ||
127 | "https://acme-staging-v02.api.letsencrypt.org/directory". | ||
128 | '' | ||
129 | ) | ||
130 | (mkRemovedOptionModule [ "security" "acme2" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") | ||
131 | (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") | ||
132 | (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") | ||
133 | ]; | ||
134 | options = { | ||
135 | security.acme2 = { | ||
136 | |||
137 | validMin = mkOption { | ||
138 | type = types.int; | ||
139 | default = 30 * 24 * 3600; | ||
140 | description = "Minimum remaining validity before renewal in seconds."; | ||
141 | }; | ||
142 | |||
143 | renewInterval = mkOption { | ||
144 | type = types.str; | ||
145 | default = "weekly"; | ||
146 | description = '' | ||
147 | Systemd calendar expression when to check for renewal. See | ||
148 | <citerefentry><refentrytitle>systemd.time</refentrytitle> | ||
149 | <manvolnum>7</manvolnum></citerefentry>. | ||
150 | ''; | ||
151 | }; | ||
152 | |||
153 | server = mkOption { | ||
154 | type = types.nullOr types.str; | ||
155 | default = null; | ||
156 | description = '' | ||
157 | ACME Directory Resource URI. Defaults to let's encrypt | ||
158 | production endpoint, | ||
159 | <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset. | ||
160 | ''; | ||
161 | }; | ||
162 | |||
163 | preliminarySelfsigned = mkOption { | ||
164 | type = types.bool; | ||
165 | default = true; | ||
166 | description = '' | ||
167 | Whether a preliminary self-signed certificate should be generated before | ||
168 | doing ACME requests. This can be useful when certificates are required in | ||
169 | a webserver, but ACME needs the webserver to make its requests. | ||
170 | |||
171 | With preliminary self-signed certificate the webserver can be started and | ||
172 | can later reload the correct ACME certificates. | ||
173 | ''; | ||
174 | }; | ||
175 | |||
176 | certs = mkOption { | ||
177 | default = { }; | ||
178 | type = with types; attrsOf (submodule certOpts); | ||
179 | description = '' | ||
180 | Attribute set of certificates to get signed and renewed. Creates | ||
181 | <literal>acme-''${cert}.{service,timer}</literal> systemd units for | ||
182 | each certificate defined here. Other services can add dependencies | ||
183 | to those units if they rely on the certificates being present, | ||
184 | or trigger restarts of the service if certificates get renewed. | ||
185 | ''; | ||
186 | example = literalExample '' | ||
187 | { | ||
188 | "example.com" = { | ||
189 | webroot = "/var/www/challenges/"; | ||
190 | email = "foo@example.com"; | ||
191 | extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; | ||
192 | }; | ||
193 | "bar.example.com" = { | ||
194 | webroot = "/var/www/challenges/"; | ||
195 | email = "bar@example.com"; | ||
196 | }; | ||
197 | } | ||
198 | ''; | ||
199 | }; | ||
200 | }; | ||
201 | }; | ||
202 | |||
203 | ###### implementation | ||
204 | config = mkMerge [ | ||
205 | (mkIf (cfg.certs != { }) { | ||
206 | |||
207 | systemd.services = let | ||
208 | services = concatLists servicesLists; | ||
209 | servicesLists = mapAttrsToList certToServices cfg.certs; | ||
210 | certToServices = cert: data: | ||
211 | let | ||
212 | lpath = "acme/${cert}"; | ||
213 | rights = if data.allowKeysForGroup then "750" else "700"; | ||
214 | cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] | ||
215 | ++ optionals (data.email != null) [ "--email" data.email ] | ||
216 | ++ concatMap (p: [ "-f" p ]) data.plugins | ||
217 | ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) | ||
218 | ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; | ||
219 | acmeService = { | ||
220 | description = "Renew ACME Certificate for ${cert}"; | ||
221 | after = [ "network.target" "network-online.target" ]; | ||
222 | wants = [ "network-online.target" ]; | ||
223 | # simp_le uses requests, which uses certifi under the hood, | ||
224 | # which doesn't respect the system trust store. | ||
225 | # At least in the acme test, we provision a fake CA, impersonating the LE endpoint. | ||
226 | # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else | ||
227 | environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; | ||
228 | serviceConfig = { | ||
229 | Type = "oneshot"; | ||
230 | # With RemainAfterExit the service is considered active even | ||
231 | # after the main process having exited, which means when it | ||
232 | # gets changed, the activation phase restarts it, meaning | ||
233 | # the permissions of the StateDirectory get adjusted | ||
234 | # according to the specified group | ||
235 | # Edit: Timers will never run because of this | ||
236 | # RemainAfterExit = true; | ||
237 | SuccessExitStatus = [ "0" "1" ]; | ||
238 | User = data.user; | ||
239 | Group = data.group; | ||
240 | PrivateTmp = true; | ||
241 | StateDirectory = lpath; | ||
242 | StateDirectoryMode = rights; | ||
243 | ExecStartPre = | ||
244 | let | ||
245 | script = pkgs.writeScript "acme-pre-start" '' | ||
246 | #!${pkgs.runtimeShell} -e | ||
247 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | ||
248 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | ||
249 | #doesn't work for multiple concurrent runs | ||
250 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | ||
251 | ''; | ||
252 | in | ||
253 | "+${script}"; | ||
254 | WorkingDirectory = "/var/lib/${lpath}"; | ||
255 | ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}"; | ||
256 | ExecStartPost = | ||
257 | let | ||
258 | script = pkgs.writeScript "acme-post-start" '' | ||
259 | #!${pkgs.runtimeShell} -e | ||
260 | ${data.postRun} | ||
261 | ''; | ||
262 | in | ||
263 | "+${script}"; | ||
264 | }; | ||
265 | |||
266 | }; | ||
267 | selfsignedService = { | ||
268 | description = "Create preliminary self-signed certificate for ${cert}"; | ||
269 | path = [ pkgs.openssl ]; | ||
270 | script = | ||
271 | '' | ||
272 | workdir="$(mktemp -d)" | ||
273 | |||
274 | # Create CA | ||
275 | openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048 | ||
276 | openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key | ||
277 | openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \ | ||
278 | -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com" | ||
279 | openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt | ||
280 | |||
281 | # Create key | ||
282 | openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048 | ||
283 | openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key | ||
284 | openssl req -new -key $workdir/server.key -out $workdir/server.csr \ | ||
285 | -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" | ||
286 | openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \ | ||
287 | -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \ | ||
288 | -out $workdir/server.crt | ||
289 | |||
290 | # Copy key to destination | ||
291 | cp $workdir/server.key /var/lib/${lpath}/key.pem | ||
292 | |||
293 | # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) | ||
294 | cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem" | ||
295 | |||
296 | # Create full.pem for e.g. lighttpd | ||
297 | cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem" | ||
298 | |||
299 | # Give key acme permissions | ||
300 | chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem | ||
301 | chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem | ||
302 | ''; | ||
303 | serviceConfig = { | ||
304 | Type = "oneshot"; | ||
305 | PrivateTmp = true; | ||
306 | StateDirectory = lpath; | ||
307 | User = data.user; | ||
308 | Group = data.group; | ||
309 | }; | ||
310 | unitConfig = { | ||
311 | # Do not create self-signed key when key already exists | ||
312 | ConditionPathExists = "!/var/lib/${lpath}/key.pem"; | ||
313 | }; | ||
314 | }; | ||
315 | in ( | ||
316 | [ { name = "acme-${cert}"; value = acmeService; } ] | ||
317 | ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } | ||
318 | ); | ||
319 | servicesAttr = listToAttrs services; | ||
320 | in | ||
321 | servicesAttr; | ||
322 | |||
323 | # FIXME: this doesn't work for multiple users | ||
324 | systemd.tmpfiles.rules = | ||
325 | flip mapAttrsToList cfg.certs | ||
326 | (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); | ||
327 | |||
328 | systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair | ||
329 | ("acme-${cert}") | ||
330 | ({ | ||
331 | description = "Renew ACME Certificate for ${cert}"; | ||
332 | wantedBy = [ "timers.target" ]; | ||
333 | timerConfig = { | ||
334 | OnCalendar = cfg.renewInterval; | ||
335 | Unit = "acme-${cert}.service"; | ||
336 | Persistent = "yes"; | ||
337 | AccuracySec = "5m"; | ||
338 | RandomizedDelaySec = "1h"; | ||
339 | }; | ||
340 | }) | ||
341 | ); | ||
342 | |||
343 | systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {}; | ||
344 | systemd.targets.acme-certificates = {}; | ||
345 | }) | ||
346 | |||
347 | ]; | ||
348 | |||
349 | meta = { | ||
350 | maintainers = with lib.maintainers; [ abbradar fpletz globin ]; | ||
351 | #doc = ./acme.xml; | ||
352 | }; | ||
353 | } | ||
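--- a/modules/default.nix
+++ b/modules/default.nix
@@ -19,5 +19,4 @@
 
 php-application = ./websites/php-application.nix;
 websites = ./websites;
-acme2 = ./acme2.nix;
 } // (if builtins.pathExists ./private then import ./private else {})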
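--- a/modules/private/buildbot/default.nix
+++ b/modules/private/buildbot/default.nix
@@ -180,6 +180,7 @@ in
 ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList
 (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets
 )}
+${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name}
 '';
 environment = let
 project_env = with lib.attrsets;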
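Review bot: The added `upgrade-master` call runs with the privileges of the surrounding script, which — judging by the `install -o buildbot -g buildbot` lines just above it — is not the buildbot account itself, so anything upgrade-master creates or rewrites under `${varDir}/${project.name}` (its state database, the sample config) may end up owned by the script's user rather than by buildbot. If that user is root, consider running this one command as buildbot or following it with an ownership fix, and say why the migration is unconditional: `# upgrade-master migrates the master state DB on every start; it must leave ${varDir}/${project.name} writable by buildbot`. The enclosing script starts and ends outside the hunk.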
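--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -30,9 +30,9 @@
 myServices.databasesCerts = config.myServices.certificates.certConfig;
 myServices.ircCerts = config.myServices.certificates.certConfig;
 
-security.acme2.preliminarySelfsigned = true;
+security.acme.preliminarySelfsigned = true;
 
-security.acme2.certs = {
+security.acme.certs = {
 "${name}" = config.myServices.certificates.certConfig // {
 domain = config.hostEnv.fqdn;
 };
@@ -41,17 +41,33 @@
 systemd.services = lib.attrsets.mapAttrs' (k: v:
 lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
 (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
-cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem
-chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem
-chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem
+cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
+chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
+chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
 '') +
 (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
-cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem
-chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem
-chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem
+cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
+chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
+chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
 '')
 ; })
-) config.security.acme2.certs // {
+) config.security.acme.certs //
+lib.attrsets.mapAttrs' (k: data:
+lib.attrsets.nameValuePair "acme-${k}" {
+serviceConfig.ExecStartPre =
+let
+script = pkgs.writeScript "acme-pre-start" ''
+#!${pkgs.runtimeShell} -e
+mkdir -p '${data.webroot}/.well-known/acme-challenge'
+chmod a+w '${data.webroot}/.well-known/acme-challenge'
+#doesn't work for multiple concurrent runs
+#chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
+'';
+in
+"+${script}";
+}
+) config.security.acme.certs //
+{
 httpdProd = lib.mkIf config.services.httpd.Prod.enable
 { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; };
 httpdTools = lib.mkIf config.services.httpd.Tools.enable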
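Review bot: The new pre-start script makes `${data.webroot}/.well-known/acme-challenge` world-writable with `chmod a+w`, and the leading `+` in `"+${script}"` runs it with full privileges; that directory is served unauthenticated over HTTP, so any local account can place files in it, and the commented-out `chown -R` shows the ownership question was left open rather than solved. Scoping write access to the ACME client's own identity is the safer shape: hand the directory to `${data.user}:${data.group}` (or to one group shared by every cert that uses the same webroot, which is the concurrent-run case the comment refers to) and use `chmod g+w` in place of `a+w`. The script is carried over verbatim from the deleted `modules/acme2.nix`, but the unit it now attaches to is the upstream `security.acme` one, so it is worth confirming that unit does not already create the challenge directory in its own pre-start step, otherwise two steps touch the same path with different permissions. The `systemd.services` attribute set continues past the end of the hunk.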
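--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -96,8 +96,8 @@ in {
 dataDir = cfg.dataDir;
 extraOptions = ''
 ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
-ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem
-ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem
+ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem
+ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem
 
 # for replication
 log-bin=mariadb-bin
@@ -110,7 +110,7 @@ in {
 };
 
 users.users.mysql.extraGroups = [ "keys" ];
-security.acme2.certs."mysql" = config.myServices.databasesCerts // {
+security.acme.certs."mysql" = config.myServices.databasesCerts // {
 user = "mysql";
 group = "mysql";
 plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];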
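--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -12,27 +12,14 @@ let
 moduleload back_hdb
 backend hdb
 
-moduleload memberof
-database hdb
-suffix "${cfg.baseDn}"
-rootdn "${cfg.rootDn}"
-include ${config.secrets.location}/ldap/password
-directory ${cfg.dataDir}
-overlay memberof
-
-moduleload syncprov
-overlay syncprov
-syncprov-checkpoint 100 10
-
-TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem
-TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem
-TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem
+TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem
+TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem
+TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem
 TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/
 #This makes openldap crash
 #TLSCipherSuite DEFAULT
 
 sasl-host kerberos.immae.eu
-include ${config.secrets.location}/ldap/access
 '';
 in
 {
@@ -117,7 +104,7 @@ in
 users.users.openldap.extraGroups = [ "keys" ];
 networking.firewall.allowedTCPPorts = [ 636 389 ];
 
-security.acme2.certs."ldap" = config.myServices.databasesCerts // {
+security.acme.certs."ldap" = config.myServices.databasesCerts // {
 user = "openldap";
 group = "openldap";
 plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
@@ -137,6 +124,20 @@ in
 dataDir = cfg.dataDir;
 urlList = [ "ldap://" "ldaps://" ];
 extraConfig = ldapConfig;
+extraDatabaseConfig = ''
+moduleload memberof
+overlay memberof
+
+moduleload syncprov
+overlay syncprov
+syncprov-checkpoint 100 10
+
+include ${config.secrets.location}/ldap/access
+'';
+rootpwFile = "${config.secrets.location}/ldap/password";
+suffix = cfg.baseDn;
+rootdn = cfg.rootDn;
+database = "hdb";
 };
 };
 }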
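Review bot: `rootpwFile`, `suffix`, `rootdn`, `database` and `extraDatabaseConfig` replace directives this file used to emit itself in `ldapConfig`, so the hdb section now depends on the upstream module's ordering (database, suffix, rootdn, the password include, then the extra block) instead of on text visible here, and a one-line comment on the new block would spare the next reader a trip to the module source. The password file presumably still has to contain a complete `rootpw` directive, as it did when the removed `include` line pulled it in, so record that too, e.g. `# must hold a full "rootpw ..." directive; the module includes the file as-is`, and confirm it against the upgraded module. The `include .../ldap/access` line keeps its position after the overlays, so the access rules remain scoped to this database as before.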
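--- a/modules/private/databases/openldap/eldiron_schemas.nix
+++ b/modules/private/databases/openldap/eldiron_schemas.nix
@@ -9,10 +9,10 @@ let
 sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh";
 };
 schemas = [
-"${openldap}/etc/schema/core.schema"
-"${openldap}/etc/schema/cosine.schema"
-"${openldap}/etc/schema/inetorgperson.schema"
-"${openldap}/etc/schema/nis.schema"
+#"${openldap}/etc/schema/core.schema"
+#"${openldap}/etc/schema/cosine.schema"
+#"${openldap}/etc/schema/inetorgperson.schema"
+#"${openldap}/etc/schema/nis.schema"
 puppetSchema
 kerberosSchema
 ./immae.schema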
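Review bot: The four core schema entries are kept in the list as commented-out strings rather than removed; commented-out code tends to be revived without its context, so delete the lines and leave one comment stating the reason instead, presumably that the consumers now load these schemas themselves (the `openldap_replication.nix` hunk in this commit adds explicit `include` lines for exactly these four): `# core/cosine/inetorgperson/nis are included by the caller, not here`.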
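--- a/modules/private/databases/openldap_replication.nix
+++ b/modules/private/databases/openldap_replication.nix
@@ -3,6 +3,10 @@ let
 cfg = config.myServices.databasesReplication.openldap;
 eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {};
 ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" ''
+include ${pkgs.openldap}/etc/schema/core.schema
+include ${pkgs.openldap}/etc/schema/cosine.schema
+include ${pkgs.openldap}/etc/schema/inetorgperson.schema
+include ${pkgs.openldap}/etc/schema/nis.schema
 ${eldiron_schemas}
 pidfile /run/slapd_${name}/slapd.pid
 argsfile /run/slapd_${name}/slapd.args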
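--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -91,23 +91,13 @@ in {
 '';
 readOnly = true;
 };
-systemdRuntimeDirectory = lib.mkOption {
-type = lib.types.str;
-# Use ReadWritePaths= instead if socketsDir is outside of /run
-default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
-lib.strings.removePrefix "/run/" cfg.socketsDir;
-description = ''
-Adjusted Postgresql sockets directory for systemd
-'';
-readOnly = true;
-};
 };
 };
 
 config = lib.mkIf cfg.enable {
 networking.firewall.allowedTCPPorts = [ 5432 ];
 
-security.acme2.certs."postgresql" = config.myServices.databasesCerts // {
+security.acme.certs."postgresql" = config.myServices.databasesCerts // {
 user = "postgres";
 group = "postgres";
 plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
@@ -119,7 +109,6 @@ in {
 
 systemd.services.postgresql.serviceConfig = {
 SupplementaryGroups = "keys";
-RuntimeDirectory = cfg.systemdRuntimeDirectory;
 };
 systemd.services.postgresql.postStart = lib.mkAfter ''
 # This line is already defined in 19.09
@@ -165,8 +154,8 @@ in {
 # makes it order of magnitudes quicker
 synchronous_commit = off
 ssl = on
-ssl_cert_file = '${config.security.acme2.certs.postgresql.directory}/fullchain.pem'
-ssl_key_file = '${config.security.acme2.certs.postgresql.directory}/key.pem'
+ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem'
+ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem'
 '';
 authentication = let
 hosts = builtins.concatStringsSep "\n" (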
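Review bot: Removing `RuntimeDirectory = cfg.systemdRuntimeDirectory` from the postgresql unit, together with the option that derived it from `cfg.socketsDir`, leaves creation of the sockets directory under /run to the upgraded upstream module; nothing left in this file guarantees the directory exists with an owner and mode the postgres user can bind a socket in, and the removed assert that kept the path under /run goes with it. If the upstream unit now sets RuntimeDirectory for this path, a comment making that dependency visible would help, e.g. `# socketsDir is created by the upstream postgresql unit's RuntimeDirectory`; if it does not, the removal should be reverted. The same removal is made in `modules/private/databases/redis.nix` in this commit and the same check applies there.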
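--- a/modules/private/databases/redis.nix
+++ b/modules/private/databases/redis.nix
@@ -17,16 +17,6 @@ in {
 '';
 };
 # Output variables
-systemdRuntimeDirectory = lib.mkOption {
-type = lib.types.str;
-# Use ReadWritePaths= instead if socketsDir is outside of /run
-default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir;
-lib.strings.removePrefix "/run/" cfg.socketsDir;
-description = ''
-Adjusted redis sockets directory for systemd
-'';
-readOnly = true;
-};
 sockets = lib.mkOption {
 type = lib.types.attrsOf lib.types.path;
 default = {
@@ -51,7 +41,6 @@ in {
 maxclients 1024
 '';
 };
-systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory;
 
 services.spiped = {
 enable = true;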
diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix index 3537c24..382b42d 100644 --- a/modules/private/ejabberd/default.nix +++ b/modules/private/ejabberd/default.nix | |||
@@ -14,7 +14,7 @@ in | |||
14 | }; | 14 | }; |
15 | 15 | ||
16 | config = lib.mkIf cfg.enable { | 16 | config = lib.mkIf cfg.enable { |
17 | security.acme2.certs = { | 17 | security.acme.certs = { |
18 | "ejabberd" = config.myServices.certificates.certConfig // { | 18 | "ejabberd" = config.myServices.certificates.certConfig // { |
19 | user = "ejabberd"; | 19 | user = "ejabberd"; |
20 | group = "ejabberd"; | 20 | group = "ejabberd"; |
@@ -58,7 +58,7 @@ in | |||
58 | text = '' | 58 | text = '' |
59 | host_config: | 59 | host_config: |
60 | "immae.fr": | 60 | "immae.fr": |
61 | domain_certfile: "${config.security.acme2.certs.ejabberd.directory}/full.pem" | 61 | domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem" |
62 | auth_method: [ldap] | 62 | auth_method: [ldap] |
63 | ldap_servers: ["${config.myEnv.jabber.ldap.host}"] | 63 | ldap_servers: ["${config.myEnv.jabber.ldap.host}"] |
64 | ldap_encrypt: tls | 64 | ldap_encrypt: tls |
@@ -66,8 +66,8 @@ in | |||
66 | ldap_password: "${config.myEnv.jabber.ldap.password}" | 66 | ldap_password: "${config.myEnv.jabber.ldap.password}" |
67 | ldap_base: "${config.myEnv.jabber.ldap.base}" | 67 | ldap_base: "${config.myEnv.jabber.ldap.base}" |
68 | ldap_uids: | 68 | ldap_uids: |
69 | - "uid": "%u" | 69 | uid: "%u" |
70 | - "immaeXmppUid": "%u" | 70 | immaeXmppUid: "%u" |
71 | ldap_filter: "${config.myEnv.jabber.ldap.filter}" | 71 | ldap_filter: "${config.myEnv.jabber.ldap.filter}" |
72 | ''; | 72 | ''; |
73 | } | 73 | } |
@@ -81,7 +81,7 @@ in | |||
81 | ERLANG_NODE=ejabberd@localhost | 81 | ERLANG_NODE=ejabberd@localhost |
82 | ''; | 82 | ''; |
83 | configFile = pkgs.runCommand "ejabberd.yml" { | 83 | configFile = pkgs.runCommand "ejabberd.yml" { |
84 | certificatePrivateKeyAndFullChain = "${config.security.acme2.certs.ejabberd.directory}/full.pem"; | 84 | certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem"; |
85 | certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; | 85 | certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
86 | sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; | 86 | sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; |
87 | host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; | 87 | host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; |
diff --git a/modules/private/ejabberd/ejabberd.yml b/modules/private/ejabberd/ejabberd.yml index 0f678b6..82ac35b 100644 --- a/modules/private/ejabberd/ejabberd.yml +++ b/modules/private/ejabberd/ejabberd.yml | |||
@@ -69,7 +69,6 @@ s2s_use_starttls: optional | |||
69 | s2s_cafile: "@certificateCA@" | 69 | s2s_cafile: "@certificateCA@" |
70 | 70 | ||
71 | default_db: sql | 71 | default_db: sql |
72 | sql_type: pgsql | ||
73 | include_config_file: @sql_config_file@ | 72 | include_config_file: @sql_config_file@ |
74 | include_config_file: @host_config_file@ | 73 | include_config_file: @host_config_file@ |
75 | new_sql_schema: true | 74 | new_sql_schema: true |
@@ -193,7 +192,6 @@ modules: | |||
193 | access_createnode: pubsub_createnode | 192 | access_createnode: pubsub_createnode |
194 | plugins: | 193 | plugins: |
195 | - "flat" | 194 | - "flat" |
196 | - "hometree" | ||
197 | - "pep" | 195 | - "pep" |
198 | force_node_config: | 196 | force_node_config: |
199 | ## Change from "whitelist" to "open" to enable OMEMO support | 197 | ## Change from "whitelist" to "open" to enable OMEMO support |
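Review bot: Removing `sql_type: pgsql` (old line 72) makes the SQL backend type depend entirely on the included `@sql_config_file@`; ejabberd's built-in default for `sql_type` is `odbc`, so if `ejabberd/psql.yml` does not set it, `default_db: sql` will try an ODBC DSN at startup instead of PostgreSQL. Either keep `sql_type: pgsql` in this file or make the dependency explicit above the include: `# sql_type, sql_server and credentials are provided by the secret psql.yml`. The contents of psql.yml are not on this page, so this is inferred from the diff alone.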
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index b7589eb..77e9c8d 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
@@ -133,8 +133,8 @@ let | |||
133 | ''; | 133 | ''; |
134 | type = submodule { | 134 | type = submodule { |
135 | options = { | 135 | options = { |
136 | password = mkOption { type = string; description = "Password for the LDAP connection"; }; | 136 | password = mkOption { type = str; description = "Password for the LDAP connection"; }; |
137 | dn = mkOption { type = string; description = "DN for the LDAP connection"; }; | 137 | dn = mkOption { type = str; description = "DN for the LDAP connection"; }; |
138 | }; | 138 | }; |
139 | }; | 139 | }; |
140 | }; | 140 | }; |
@@ -156,13 +156,13 @@ let | |||
156 | type = attrsOf (submodule { | 156 | type = attrsOf (submodule { |
157 | options = { | 157 | options = { |
158 | ip4 = mkOption { | 158 | ip4 = mkOption { |
159 | type = string; | 159 | type = str; |
160 | description = '' | 160 | description = '' |
161 | ip4 address of the host | 161 | ip4 address of the host |
162 | ''; | 162 | ''; |
163 | }; | 163 | }; |
164 | ip6 = mkOption { | 164 | ip6 = mkOption { |
165 | type = listOf string; | 165 | type = listOf str; |
166 | default = []; | 166 | default = []; |
167 | description = '' | 167 | description = '' |
168 | ip6 addresses of the host | 168 | ip6 addresses of the host |
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 585fe63..417af87 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix | |||
@@ -17,7 +17,7 @@ in | |||
17 | services.duplyBackup.profiles.ftp = { | 17 | services.duplyBackup.profiles.ftp = { |
18 | rootDir = "/var/lib/ftp"; | 18 | rootDir = "/var/lib/ftp"; |
19 | }; | 19 | }; |
20 | security.acme2.certs."ftp" = config.myServices.certificates.certConfig // { | 20 | security.acme.certs."ftp" = config.myServices.certificates.certConfig // { |
21 | domain = "eldiron.immae.eu"; | 21 | domain = "eldiron.immae.eu"; |
22 | postRun = '' | 22 | postRun = '' |
23 | systemctl restart pure-ftpd.service | 23 | systemctl restart pure-ftpd.service |
@@ -113,7 +113,7 @@ in | |||
113 | MaxDiskUsage 99 | 113 | MaxDiskUsage 99 |
114 | CustomerProof yes | 114 | CustomerProof yes |
115 | TLS 1 | 115 | TLS 1 |
116 | CertFile ${config.security.acme2.certs.ftp.directory}/full.pem | 116 | CertFile ${config.security.acme.certs.ftp.directory}/full.pem |
117 | ''; | 117 | ''; |
118 | in { | 118 | in { |
119 | description = "Pure-FTPd server"; | 119 | description = "Pure-FTPd server"; |
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index 9dfa04d..9f5c179 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix | |||
@@ -5,7 +5,7 @@ in { | |||
5 | options.myServices.gitolite = { | 5 | options.myServices.gitolite = { |
6 | enable = lib.mkEnableOption "my gitolite service"; | 6 | enable = lib.mkEnableOption "my gitolite service"; |
7 | gitoliteDir = lib.mkOption { | 7 | gitoliteDir = lib.mkOption { |
8 | type = lib.types.string; | 8 | type = lib.types.str; |
9 | default = "/var/lib/gitolite"; | 9 | default = "/var/lib/gitolite"; |
10 | }; | 10 | }; |
11 | }; | 11 | }; |
diff --git a/modules/private/irc.nix b/modules/private/irc.nix index 1054b96..9871508 100644 --- a/modules/private/irc.nix +++ b/modules/private/irc.nix | |||
@@ -20,7 +20,7 @@ in | |||
20 | services.duplyBackup.profiles.irc = { | 20 | services.duplyBackup.profiles.irc = { |
21 | rootDir = "/var/lib/bitlbee"; | 21 | rootDir = "/var/lib/bitlbee"; |
22 | }; | 22 | }; |
23 | security.acme2.certs."irc" = config.myServices.ircCerts // { | 23 | security.acme.certs."irc" = config.myServices.ircCerts // { |
24 | domain = "irc.immae.eu"; | 24 | domain = "irc.immae.eu"; |
25 | postRun = '' | 25 | postRun = '' |
26 | systemctl restart stunnel.service | 26 | systemctl restart stunnel.service |
@@ -49,7 +49,7 @@ in | |||
49 | bitlbee = { | 49 | bitlbee = { |
50 | accept = 6697; | 50 | accept = 6697; |
51 | connect = 6667; | 51 | connect = 6667; |
52 | cert = "${config.security.acme2.certs.irc.directory}/full.pem"; | 52 | cert = "${config.security.acme.certs.irc.directory}/full.pem"; |
53 | }; | 53 | }; |
54 | }; | 54 | }; |
55 | }; | 55 | }; |
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 1c64e15..b50e346 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix | |||
@@ -13,7 +13,7 @@ | |||
13 | options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; | 13 | options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; |
14 | 14 | ||
15 | config = lib.mkIf config.myServices.mail.enable { | 15 | config = lib.mkIf config.myServices.mail.enable { |
16 | security.acme2.certs."mail" = config.myServices.certificates.certConfig // { | 16 | security.acme.certs."mail" = config.myServices.certificates.certConfig // { |
17 | domain = config.hostEnv.fqdn; | 17 | domain = config.hostEnv.fqdn; |
18 | extraDomains = let | 18 | extraDomains = let |
19 | zonesWithMx = builtins.filter (zone: | 19 | zonesWithMx = builtins.filter (zone: |
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 9836f78..77f9bd7 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix | |||
@@ -269,7 +269,7 @@ in | |||
269 | [ | 269 | [ |
270 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" | 270 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" |
271 | ]; | 271 | ]; |
272 | security.acme2.certs."mail" = { | 272 | security.acme.certs."mail" = { |
273 | postRun = '' | 273 | postRun = '' |
274 | systemctl restart dovecot2.service | 274 | systemctl restart dovecot2.service |
275 | ''; | 275 | ''; |
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index e0347ec..4791b41 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
@@ -428,7 +428,7 @@ | |||
428 | }; | 428 | }; |
429 | }; | 429 | }; |
430 | }; | 430 | }; |
431 | security.acme2.certs."mail" = { | 431 | security.acme.certs."mail" = { |
432 | postRun = '' | 432 | postRun = '' |
433 | systemctl restart postfix.service | 433 | systemctl restart postfix.service |
434 | ''; | 434 | ''; |
diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index 18d6bc3..c6231aa 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix | |||
@@ -1,7 +1,7 @@ | |||
1 | { lib, pkgs, config, nodes, name, ... }: | 1 | { lib, pkgs, config, nodes, name, ... }: |
2 | { | 2 | { |
3 | config = lib.mkIf config.myServices.mailBackup.enable { | 3 | config = lib.mkIf config.myServices.mailBackup.enable { |
4 | security.acme2.certs."mail" = config.myServices.certificates.certConfig // { | 4 | security.acme.certs."mail" = config.myServices.certificates.certConfig // { |
5 | postRun = '' | 5 | postRun = '' |
6 | systemctl restart postfix.service | 6 | systemctl restart postfix.service |
7 | ''; | 7 | ''; |
diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index cc8e36b..4cdf59a 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix | |||
@@ -79,6 +79,10 @@ in | |||
79 | base = config.myServices.databasesReplication.openldap.base; | 79 | base = config.myServices.databasesReplication.openldap.base; |
80 | eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; | 80 | eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; |
81 | ldapConfig = pkgs.writeText "slapd.conf" '' | 81 | ldapConfig = pkgs.writeText "slapd.conf" '' |
82 | include ${pkgs.openldap}/etc/schema/core.schema | ||
83 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
84 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
85 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
82 | ${eldiron_schemas} | 86 | ${eldiron_schemas} |
83 | moduleload back_hdb | 87 | moduleload back_hdb |
84 | backend hdb | 88 | backend hdb |
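Review bot: The four `include ${pkgs.openldap}/etc/schema/*.schema` lines are prerequisites of `${eldiron_schemas}` and are order-sensitive (`core` first, `cosine` before `inetorgperson`), but nothing records that, and the same list presumably also exists in the real server module under `../databases/openldap`. Consider having `eldiron_schemas.nix` export its standard-schema dependencies so the monitoring check and the server cannot drift, or at least add `# standard schemas required by eldiron_schemas; order matters`. Note also that this check config still loads `back_hdb`, which upstream OpenLDAP has deprecated in favour of `back_mdb`; if the upgraded package drops it, this check breaks independently of the server.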
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index 2860e96..d25d934 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix | |||
@@ -34,7 +34,7 @@ | |||
34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; | 34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; |
35 | }; | 35 | }; |
36 | }; | 36 | }; |
37 | security.acme2.certs."${name}".extraDomains."status.immae.eu" = null; | 37 | security.acme.certs."${name}".extraDomains."status.immae.eu" = null; |
38 | 38 | ||
39 | myServices.certificates.enable = true; | 39 | myServices.certificates.enable = true; |
40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; | 40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 78e07c1..42cc8d2 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix | |||
@@ -123,7 +123,7 @@ in { | |||
123 | Use LDAPConnect | 123 | Use LDAPConnect |
124 | Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu | 124 | Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu |
125 | <FilesMatch "\.php$"> | 125 | <FilesMatch "\.php$"> |
126 | SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" | 126 | SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost" |
127 | </FilesMatch> | 127 | </FilesMatch> |
128 | Include /var/secrets/webapps/tools-taskwarrior-web | 128 | Include /var/secrets/webapps/tools-taskwarrior-web |
129 | </Directory> | 129 | </Directory> |
@@ -172,29 +172,30 @@ in { | |||
172 | }; | 172 | }; |
173 | services.phpfpm.pools = { | 173 | services.phpfpm.pools = { |
174 | tasks = { | 174 | tasks = { |
175 | listen = "/var/run/phpfpm/task.sock"; | 175 | user = user; |
176 | extraConfig = '' | 176 | group = group; |
177 | user = ${user} | 177 | settings = { |
178 | group = ${group} | 178 | "listen.owner" = "wwwrun"; |
179 | listen.owner = wwwrun | 179 | "listen.group" = "wwwrun"; |
180 | listen.group = wwwrun | 180 | "pm" = "dynamic"; |
181 | pm = dynamic | 181 | "pm.max_children" = "60"; |
182 | pm.max_children = 60 | 182 | "pm.start_servers" = "2"; |
183 | pm.start_servers = 2 | 183 | "pm.min_spare_servers" = "1"; |
184 | pm.min_spare_servers = 1 | 184 | "pm.max_spare_servers" = "10"; |
185 | pm.max_spare_servers = 10 | ||
186 | 185 | ||
187 | ; Needed to avoid clashes in browser cookies (same domain) | 186 | # Needed to avoid clashes in browser cookies (same domain) |
188 | env[PATH] = "/etc/profiles/per-user/${user}/bin" | 187 | "php_value[session.name]" = "TaskPHPSESSID"; |
189 | php_value[session.name] = TaskPHPSESSID | 188 | "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"; |
190 | php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/" | 189 | }; |
191 | ''; | 190 | phpEnv = { |
191 | PATH = "/etc/profiles/per-user/${user}/bin"; | ||
192 | }; | ||
192 | }; | 193 | }; |
193 | }; | 194 | }; |
194 | 195 | ||
195 | myServices.websites.webappDirs._task = ./www; | 196 | myServices.websites.webappDirs._task = ./www; |
196 | 197 | ||
197 | security.acme2.certs."task" = config.myServices.certificates.certConfig // { | 198 | security.acme.certs."task" = config.myServices.certificates.certConfig // { |
198 | inherit user group; | 199 | inherit user group; |
199 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | 200 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; |
200 | domain = fqdn; | 201 | domain = fqdn; |
@@ -246,9 +247,9 @@ in { | |||
246 | inherit fqdn; | 247 | inherit fqdn; |
247 | listenHost = "::"; | 248 | listenHost = "::"; |
248 | pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; | 249 | pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; |
249 | pki.manual.server.cert = "${config.security.acme2.certs.task.directory}/fullchain.pem"; | 250 | pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem"; |
250 | pki.manual.server.crl = "${config.security.acme2.certs.task.directory}/invalid.crl"; | 251 | pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl"; |
251 | pki.manual.server.key = "${config.security.acme2.certs.task.directory}/key.pem"; | 252 | pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem"; |
252 | requestLimit = 104857600; | 253 | requestLimit = 104857600; |
253 | }; | 254 | }; |
254 | 255 | ||
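Review bot: `"listen.owner" = "wwwrun"` / `"listen.group" = "wwwrun"` in the `tasks` pool hard-code the Apache identity, while the chloe pools converted in this same commit take it from `config.services.httpd.<Env>.user`; if the httpd user ever changes the socket becomes unreachable, and the usual "fix" is to loosen `listen.mode`, which would open the pool to every local user. Take it from the httpd configuration instead: `"listen.owner" = config.services.httpd.user;` and `"listen.group" = config.services.httpd.group;` (or the per-instance option if this vhost is served by one of the custom httpd instances). The split itself is the right one and deserves a comment so nobody "simplifies" it: `# socket owned by httpd so it can connect; workers run as ${user}, not as the web server`.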
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix index f21caeb..bce2b4d 100644 --- a/modules/private/websites/chloe/builder.nix +++ b/modules/private/websites/chloe/builder.nix | |||
@@ -3,28 +3,25 @@ rec { | |||
3 | app = chloe.override { inherit (config) environment; }; | 3 | app = chloe.override { inherit (config) environment; }; |
4 | phpFpm = rec { | 4 | phpFpm = rec { |
5 | serviceDeps = [ "mysql.service" ]; | 5 | serviceDeps = [ "mysql.service" ]; |
6 | socket = "/var/run/phpfpm/chloe-${app.environment}.sock"; | 6 | pool = { |
7 | pool = '' | 7 | "listen.owner" = apacheUser; |
8 | user = ${apacheUser} | 8 | "listen.group" = apacheGroup; |
9 | group = ${apacheGroup} | 9 | "php_admin_value[upload_max_filesize]" = "20M"; |
10 | listen.owner = ${apacheUser} | 10 | "php_admin_value[post_max_size]" = "20M"; |
11 | listen.group = ${apacheGroup} | 11 | # "php_admin_flag[log_errors]" = "on"; |
12 | php_admin_value[upload_max_filesize] = 20M | 12 | "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; |
13 | php_admin_value[post_max_size] = 20M | 13 | "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; |
14 | ;php_admin_flag[log_errors] = on | 14 | } // (if app.environment == "dev" then { |
15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | 15 | "pm" = "ondemand"; |
16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | 16 | "pm.max_children" = "5"; |
17 | ${if app.environment == "dev" then '' | 17 | "pm.process_idle_timeout" = "60"; |
18 | pm = ondemand | 18 | } else { |
19 | pm.max_children = 5 | 19 | "pm" = "dynamic"; |
20 | pm.process_idle_timeout = 60 | 20 | "pm.max_children" = "20"; |
21 | '' else '' | 21 | "pm.start_servers" = "2"; |
22 | pm = dynamic | 22 | "pm.min_spare_servers" = "1"; |
23 | pm.max_children = 20 | 23 | "pm.max_spare_servers" = "3"; |
24 | pm.start_servers = 2 | 24 | }); |
25 | pm.min_spare_servers = 1 | ||
26 | pm.max_spare_servers = 3 | ||
27 | ''}''; | ||
28 | }; | 25 | }; |
29 | keys = [{ | 26 | keys = [{ |
30 | dest = "webapps/${app.environment}-chloe"; | 27 | dest = "webapps/${app.environment}-chloe"; |
@@ -51,7 +48,7 @@ rec { | |||
51 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
52 | webappName = "chloe_${app.environment}"; | 49 | webappName = "chloe_${app.environment}"; |
53 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
54 | vhostConf = '' | 51 | vhostConf = socket: '' |
55 | Include /var/secrets/webapps/${app.environment}-chloe | 52 | Include /var/secrets/webapps/${app.environment}-chloe |
56 | 53 | ||
57 | RewriteEngine On | 54 | RewriteEngine On |
@@ -60,7 +57,7 @@ rec { | |||
60 | '' else ""} | 57 | '' else ""} |
61 | 58 | ||
62 | <FilesMatch "\.php$"> | 59 | <FilesMatch "\.php$"> |
63 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 60 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
64 | </FilesMatch> | 61 | </FilesMatch> |
65 | 62 | ||
66 | <Directory ${root}> | 63 | <Directory ${root}> |
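Review bot: The `pool` attrset (new lines 6–24) sets `listen.owner`/`listen.group` from `apacheUser`/`apacheGroup`, but the pool's own `user`/`group` were dropped here and are now supplied by the callers from `config.services.httpd.Inte.user` and `config.services.httpd.Prod.user`; the two sources of the Apache identity can drift and nothing asserts they agree. Expose them once from the builder, e.g. `user = apacheUser; group = apacheGroup;` next to `pool`, and have integration.nix/production.nix read `chloe.phpFpm.user`, or at least document the coupling: `# listen.owner must match the user of the httpd env that includes this pool`. The commented-out `# "php_admin_flag[log_errors]" = "on";` also survived the rewrite as dead configuration; either enable it or delete it.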
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index 6276eb7..caf6548 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix | |||
@@ -17,8 +17,9 @@ in { | |||
17 | systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; | 17 | systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; |
18 | systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; | 18 | systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; |
19 | services.phpfpm.pools.chloe_dev = { | 19 | services.phpfpm.pools.chloe_dev = { |
20 | listen = chloe.phpFpm.socket; | 20 | user = config.services.httpd.Inte.user; |
21 | extraConfig = chloe.phpFpm.pool; | 21 | group = config.services.httpd.Inte.group; |
22 | settings = chloe.phpFpm.pool; | ||
22 | phpOptions = config.services.phpfpm.phpOptions + '' | 23 | phpOptions = config.services.phpfpm.phpOptions + '' |
23 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 24 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
24 | ''; | 25 | ''; |
@@ -31,7 +32,9 @@ in { | |||
31 | addToCerts = true; | 32 | addToCerts = true; |
32 | hosts = ["chloe.immae.eu" ]; | 33 | hosts = ["chloe.immae.eu" ]; |
33 | root = chloe.apache.root; | 34 | root = chloe.apache.root; |
34 | extraConfig = [ chloe.apache.vhostConf ]; | 35 | extraConfig = [ |
36 | (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_dev.socket) | ||
37 | ]; | ||
35 | }; | 38 | }; |
36 | services.websites.env.integration.watchPaths = [ | 39 | services.websites.env.integration.watchPaths = [ |
37 | "/var/secrets/webapps/${chloe.app.environment}-chloe" | 40 | "/var/secrets/webapps/${chloe.app.environment}-chloe" |
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 578bf91..83f6c9b 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix | |||
@@ -19,8 +19,9 @@ in { | |||
19 | systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; | 19 | systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; |
20 | systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; | 20 | systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; |
21 | services.phpfpm.pools.chloe_prod = { | 21 | services.phpfpm.pools.chloe_prod = { |
22 | listen = chloe.phpFpm.socket; | 22 | user = config.services.httpd.Prod.user; |
23 | extraConfig = chloe.phpFpm.pool; | 23 | group = config.services.httpd.Prod.group; |
24 | settings = chloe.phpFpm.pool; | ||
24 | phpOptions = config.services.phpfpm.phpOptions + '' | 25 | phpOptions = config.services.phpfpm.phpOptions + '' |
25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
26 | ''; | 27 | ''; |
@@ -39,7 +40,7 @@ in { | |||
39 | RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] | 40 | RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] |
40 | RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] | 41 | RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] |
41 | '' | 42 | '' |
42 | chloe.apache.vhostConf | 43 | (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_prod.socket) |
43 | ]; | 44 | ]; |
44 | }; | 45 | }; |
45 | services.websites.env.production.watchPaths = [ | 46 | services.websites.env.production.watchPaths = [ |
diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix index d591c90..1803468 100644 --- a/modules/private/websites/commons/adminer.nix +++ b/modules/private/websites/commons/adminer.nix | |||
@@ -1,24 +1,5 @@ | |||
1 | {}: | 1 | { config, callPackage }: |
2 | rec { | 2 | callPackage ../tools/tools/adminer.nix { |
3 | phpFpm = { | 3 | adminer = null; |
4 | socket = "/var/run/phpfpm/adminer.sock"; | 4 | forcePhpSocket = config.services.phpfpm.pools.adminer.socket; |
5 | }; | ||
6 | apache = rec { | ||
7 | modules = [ "proxy_fcgi" ]; | ||
8 | webappName = "_adminer"; | ||
9 | root = "/run/current-system/webapps/${webappName}"; | ||
10 | vhostConf = '' | ||
11 | Alias /adminer ${root} | ||
12 | <Directory ${root}> | ||
13 | DirectoryIndex index.php | ||
14 | <FilesMatch "\.php$"> | ||
15 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
16 | </FilesMatch> | ||
17 | |||
18 | Use LDAPConnect | ||
19 | Require ldap-group cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | ||
20 | Require ldap-group cn=users,cn=postgresql,cn=pam,ou=services,dc=immae,dc=eu | ||
21 | </Directory> | ||
22 | ''; | ||
23 | }; | ||
24 | } | 5 | } |
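Review bot: The removed vhost block carried the only visible access control on `/adminer` — `Use LDAPConnect` plus `Require ldap-group cn=users,cn=mysql,cn=pam,...` and `cn=users,cn=postgresql,cn=pam,...` — and the replacement delegates everything to `../tools/tools/adminer.nix`, which is not on this page; please confirm that module emits an equivalent `Require` for this commons instance, otherwise a database admin UI becomes reachable without authentication. `adminer = null` is also unexplained: a one-line comment saying what a null package means there (fall back to the default adminer package, or disable?) would help the next reader. A header comment such as `# vhost config, including the LDAP group requirement, now comes from tools/adminer.nix; forcePhpSocket reuses the commons pool` would record the intent.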
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 81cff8f..4f7b72d 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix | |||
@@ -25,15 +25,17 @@ in { | |||
25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
26 | ]; | 26 | ]; |
27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | 27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; |
28 | phpPool = '' | 28 | phpPool = { |
29 | php_admin_value[upload_max_filesize] = 20M | 29 | "php_admin_value[upload_max_filesize]" = "20M"; |
30 | php_admin_value[post_max_size] = 20M | 30 | "php_admin_value[post_max_size]" = "20M"; |
31 | ;php_admin_flag[log_errors] = on | 31 | #"php_admin_flag[log_errors]" = "on"; |
32 | pm = ondemand | 32 | "pm" = "ondemand"; |
33 | pm.max_children = 5 | 33 | "pm.max_children" = "5"; |
34 | pm.process_idle_timeout = 60 | 34 | "pm.process_idle_timeout" = "60"; |
35 | env[SYMFONY_DEBUG_MODE] = "yes" | 35 | }; |
36 | ''; | 36 | phpEnv = { |
37 | SYMFONY_DEBUG_MODE = "yes"; | ||
38 | }; | ||
37 | phpWatchFiles = [ | 39 | phpWatchFiles = [ |
38 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" |
39 | ]; | 41 | ]; |
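Review bot: `phpEnv.SYMFONY_DEBUG_MODE = "yes"` keeps Symfony debug mode on for the integration pool; if the integration vhost is reachable from the internet, any request that triggers an error exposes stack traces, the profiler and environment details. That is presumably intended for a staging host, but it should be gated (IP allow-list or auth on the vhost) and stated here: `# debug mode: only acceptable because the integration vhost is access-restricted — never copy into production.nix`. Whether the vhost is actually restricted is not visible in this hunk.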
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index fa31931..0b52af1 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix | |||
@@ -26,16 +26,16 @@ in { | |||
26 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 26 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
27 | ]; | 27 | ]; |
28 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | 28 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; |
29 | phpPool = '' | 29 | phpPool = { |
30 | php_admin_value[upload_max_filesize] = 20M | 30 | "php_admin_value[upload_max_filesize]" = "20M"; |
31 | php_admin_value[post_max_size] = 20M | 31 | "php_admin_value[post_max_size]" = "20M"; |
32 | ;php_admin_flag[log_errors] = on | 32 | #"php_admin_flag[log_errors]" = "on"; |
33 | pm = dynamic | 33 | "pm" = "dynamic"; |
34 | pm.max_children = 20 | 34 | "pm.max_children" = "20"; |
35 | pm.start_servers = 2 | 35 | "pm.start_servers" = "2"; |
36 | pm.min_spare_servers = 1 | 36 | "pm.min_spare_servers" = "1"; |
37 | pm.max_spare_servers = 3 | 37 | "pm.max_spare_servers" = "3"; |
38 | ''; | 38 | }; |
39 | phpWatchFiles = [ | 39 | phpWatchFiles = [ |
40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" |
41 | ]; | 41 | ]; |
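Review bot: The commented-out `#"php_admin_flag[log_errors]" = "on";` was carried over from the old `;`-style config as dead configuration in the production pool; either enable it so PHP errors reach the FPM log (assuming `display_errors` is off, which this hunk does not show), or delete the line. If it is deliberately left off, say why, e.g. `# log_errors off: errors are collected by <where>`, so the next reader does not re-enable it blindly.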
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 5c0e655..529ec5c 100644 --- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix | |||
@@ -87,9 +87,9 @@ in | |||
87 | #openssl = self.openssl_1_1; | 87 | #openssl = self.openssl_1_1; |
88 | php = php72; | 88 | php = php72; |
89 | php72 = (super.php72.override { | 89 | php72 = (super.php72.override { |
90 | mysql.connector-c = self.mariadb; | 90 | config.php.mysqlnd = true; |
91 | config.php.mysqlnd = false; | ||
92 | config.php.mysqli = false; | 91 | config.php.mysqli = false; |
92 | config.php.mhash = true; # Is it needed? | ||
93 | }).overrideAttrs(old: rec { | 93 | }).overrideAttrs(old: rec { |
94 | # Didn't manage to build with mysqli + mysql_config connector | 94 | # Didn't manage to build with mysqli + mysql_config connector |
95 | configureFlags = old.configureFlags ++ [ | 95 | configureFlags = old.configureFlags ++ [ |
@@ -140,9 +140,9 @@ in | |||
140 | ; 30 days (minutes) | 140 | ; 30 days (minutes) |
141 | session.cache_expire = 43200 | 141 | session.cache_expire = 43200 |
142 | ''; | 142 | ''; |
143 | extraConfig = '' | 143 | settings = { |
144 | log_level = notice | 144 | log_level = "notice"; |
145 | ''; | 145 | }; |
146 | }; | 146 | }; |
147 | 147 | ||
148 | services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; | 148 | services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; |
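Review bot: `config.php.mhash = true; # Is it needed?` ships an unanswered question into the build: from PHP 7.2 on the `hash` extension is always compiled in and `mhash` only provides the legacy `mhash_*()` compatibility functions, so the flag is needed only if one of the hosted apps still calls them. Grep the deployed apps and either drop the flag or replace the question with a tracked note naming the consumer, e.g. `config.php.mhash = true; # TODO(immae): required by <app> for mhash_*(); drop once migrated to hash()`. Separately, `php = php72;` pins a PHP branch that was already past active support at the commit date and receiving security fixes only; a short comment on the upgrade plan next to that line would help.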
diff --git a/modules/private/websites/emilia/richie.nix b/modules/private/websites/emilia/richie.nix index f7b4f8d..98ab1cd 100644 --- a/modules/private/websites/emilia/richie.nix +++ b/modules/private/websites/emilia/richie.nix | |||
@@ -49,22 +49,23 @@ in | |||
49 | ''; | 49 | ''; |
50 | }; | 50 | }; |
51 | services.phpfpm.pools.richie_production = { | 51 | services.phpfpm.pools.richie_production = { |
52 | listen = "/run/phpfpm/richie_production.sock"; | 52 | user = "wwwrun"; |
53 | extraConfig = '' | 53 | group = "wwwrun"; |
54 | user = wwwrun | 54 | settings = { |
55 | group = wwwrun | 55 | "listen.owner" = "wwwrun"; |
56 | listen.owner = wwwrun | 56 | "listen.group" = "wwwrun"; |
57 | listen.group = wwwrun | ||
58 | 57 | ||
59 | pm = ondemand | 58 | "pm" = "ondemand"; |
60 | pm.max_children = 5 | 59 | "pm.max_children" = "5"; |
61 | pm.process_idle_timeout = 60 | 60 | "pm.process_idle_timeout" = "60"; |
62 | 61 | ||
63 | env[PATH] = /run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]} | 62 | "php_admin_value[open_basedir]" = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp"; |
64 | env[BDD_CONNECT] = "/var/secrets/webapps/prod-richie" | 63 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/richie_production"; |
65 | php_admin_value[open_basedir] = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp" | 64 | }; |
66 | php_admin_value[session.save_path] = "/var/lib/php/sessions/richie_production" | 65 | phpEnv = { |
67 | ''; | 66 | PATH = "/run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]}"; |
67 | BDD_CONNECT = "/var/secrets/webapps/prod-richie"; | ||
68 | }; | ||
68 | phpOptions = config.services.phpfpm.phpOptions + '' | 69 | phpOptions = config.services.phpfpm.phpOptions + '' |
69 | date.timezone = 'Europe/Paris' | 70 | date.timezone = 'Europe/Paris' |
70 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 71 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
@@ -91,7 +92,7 @@ in | |||
91 | Require all granted | 92 | Require all granted |
92 | 93 | ||
93 | <FilesMatch "\.php$"> | 94 | <FilesMatch "\.php$"> |
94 | SetHandler "proxy:unix:/run/phpfpm/richie_production.sock|fcgi://localhost" | 95 | SetHandler "proxy:unix:${config.services.phpfpm.pools.richie_production.socket}|fcgi://localhost" |
95 | </FilesMatch> | 96 | </FilesMatch> |
96 | </Directory> | 97 | </Directory> |
97 | '' | 98 | '' |
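Review bot: The richie pool runs its workers as `user = "wwwrun"`, the same identity that owns the socket (`"listen.owner" = "wwwrun"`), so PHP code and Apache share one user and `open_basedir` is the only thing separating the app from everything else the web server can read, including other vhosts' `Include /var/secrets/webapps/*` files. Give the pool a dedicated user and keep only the socket owned by Apache, as the `tasks` pool in this commit appears to do: `user = "richie"; group = "richie";` with the `listen.owner`/`listen.group` lines unchanged, and make `/var/secrets/webapps/prod-richie` (referenced by `BDD_CONNECT` and listed in `open_basedir`) readable by that user. This was already the case before the rewrite; the commit only makes it explicit, which is a good moment to fix it.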
diff --git a/modules/private/websites/evariste/production.nix b/modules/private/websites/evariste/production.nix index 00e6fe1..43b26c8 100644 --- a/modules/private/websites/evariste/production.nix +++ b/modules/private/websites/evariste/production.nix | |||
@@ -21,20 +21,19 @@ in { | |||
21 | ''; | 21 | ''; |
22 | }; | 22 | }; |
23 | services.phpfpm.pools.nsievariste = { | 23 | services.phpfpm.pools.nsievariste = { |
24 | listen = "/run/phpfpm/nsievariste.sock"; | 24 | user = "wwwrun"; |
25 | extraConfig = '' | 25 | group = "wwwrun"; |
26 | user = wwwrun | 26 | settings = { |
27 | group = wwwrun | 27 | "listen.owner" = "wwwrun"; |
28 | listen.owner = wwwrun | 28 | "listen.group" = "wwwrun"; |
29 | listen.group = wwwrun | ||
30 | 29 | ||
31 | pm = ondemand | 30 | "pm" = "ondemand"; |
32 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
33 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
34 | 33 | ||
35 | php_admin_value[open_basedir] = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp" | 34 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp"; |
36 | php_admin_value[session.save_path] = "/var/lib/php/sessions/nsievariste" | 35 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/nsievariste"; |
37 | ''; | 36 | }; |
38 | }; | 37 | }; |
39 | services.websites.env.production.vhostConfs.nsievariste = { | 38 | services.websites.env.production.vhostConfs.nsievariste = { |
40 | certName = "eldiron"; | 39 | certName = "eldiron"; |
@@ -46,7 +45,7 @@ in { | |||
46 | Use Stats nsievariste.immae.eu | 45 | Use Stats nsievariste.immae.eu |
47 | 46 | ||
48 | <FilesMatch "\.php$"> | 47 | <FilesMatch "\.php$"> |
49 | SetHandler "proxy:unix:/run/phpfpm/nsievariste.sock|fcgi://localhost" | 48 | SetHandler "proxy:unix:${config.services.phpfpm.pools.nsievariste.socket}|fcgi://localhost" |
50 | </FilesMatch> | 49 | </FilesMatch> |
51 | 50 | ||
52 | <Directory ${nsiVarDir}> | 51 | <Directory ${nsiVarDir}> |
@@ -60,20 +59,19 @@ in { | |||
60 | }; | 59 | }; |
61 | 60 | ||
62 | services.phpfpm.pools.stmgevariste = { | 61 | services.phpfpm.pools.stmgevariste = { |
63 | listen = "/run/phpfpm/stmgevariste.sock"; | 62 | user = "wwwrun"; |
64 | extraConfig = '' | 63 | group = "wwwrun"; |
65 | user = wwwrun | 64 | settings = { |
66 | group = wwwrun | 65 | "listen.owner" = "wwwrun"; |
67 | listen.owner = wwwrun | 66 | "listen.group" = "wwwrun"; |
68 | listen.group = wwwrun | ||
69 | 67 | ||
70 | pm = ondemand | 68 | "pm" = "ondemand"; |
71 | pm.max_children = 5 | 69 | "pm.max_children" = "5"; |
72 | pm.process_idle_timeout = 60 | 70 | "pm.process_idle_timeout" = "60"; |
73 | 71 | ||
74 | php_admin_value[open_basedir] = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp" | 72 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp"; |
75 | php_admin_value[session.save_path] = "/var/lib/php/sessions/stmgevariste" | 73 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/stmgevariste"; |
76 | ''; | 74 | }; |
77 | }; | 75 | }; |
78 | services.websites.env.production.vhostConfs.stmgevariste = { | 76 | services.websites.env.production.vhostConfs.stmgevariste = { |
79 | certName = "eldiron"; | 77 | certName = "eldiron"; |
@@ -85,7 +83,7 @@ in { | |||
85 | Use Stats stmgevariste.immae.eu | 83 | Use Stats stmgevariste.immae.eu |
86 | 84 | ||
87 | <FilesMatch "\.php$"> | 85 | <FilesMatch "\.php$"> |
88 | SetHandler "proxy:unix:/run/phpfpm/stmgevariste.sock|fcgi://localhost" | 86 | SetHandler "proxy:unix:${config.services.phpfpm.pools.stmgevariste.socket}|fcgi://localhost" |
89 | </FilesMatch> | 87 | </FilesMatch> |
90 | 88 | ||
91 | <Directory ${stmgVarDir}> | 89 | <Directory ${stmgVarDir}> |
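Review bot: The numeric pool settings in the first hunk are written as strings, `"pm.max_children" = "5";` and `"pm.process_idle_timeout" = "60";`, although the NixOS phpfpm `settings` option (as far as I recall, `attrsOf (oneOf [ str int bool ])`) also accepts integers, so `"pm.max_children" = 5;` would read as the number it is. The same pattern recurs in the stmgevariste hunk below and in every other pool conversion in this change, so it is worth one consistent choice rather than per-file edits. The quotes around plain identifier keys such as `"pm"` are also unnecessary in Nix, whereas the dotted and bracketed keys do need them.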
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index e262c59..c65c26f 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | secrets = config.myEnv.websites.tellesflorian.integration; | 4 | secrets = config.myEnv.websites.tellesflorian.integration; |
5 | app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; | 5 | app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; |
6 | cfg = config.myServices.websites.florian.app; | 6 | cfg = config.myServices.websites.florian.app; |
@@ -24,15 +24,17 @@ in { | |||
24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | pm = ondemand | 31 | "pm" = "ondemand"; |
32 | pm.max_children = 5 | 32 | "pm.max_children" = "5"; |
33 | pm.process_idle_timeout = 60 | 33 | "pm.process_idle_timeout" = "60"; |
34 | env[SYMFONY_DEBUG_MODE] = "yes" | 34 | }; |
35 | ''; | 35 | phpEnv = { |
36 | SYMFONY_DEBUG_MODE = "yes"; | ||
37 | }; | ||
36 | phpWatchFiles = [ | 38 | phpWatchFiles = [ |
37 | config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" | 39 | config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" |
38 | ]; | 40 | ]; |
@@ -134,7 +136,7 @@ in { | |||
134 | 136 | ||
135 | </Directory> | 137 | </Directory> |
136 | '' | 138 | '' |
137 | adminer.apache.vhostConf | 139 | (adminer.apache.vhostConf null) |
138 | ]; | 140 | ]; |
139 | }; | 141 | }; |
140 | }; | 142 | }; |
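Review bot: The line `#"php_admin_flag[log_errors]" = "on";` in the second hunk carries the previously disabled ini directive over as a commented-out attribute, which is dead configuration inside an attrset: either drop it, or, if PHP error logging is wanted for this pool, enable it as `"php_admin_flag[log_errors]" = "on";` so application errors reach the FPM log where they can be monitored. The same commented line is carried over in isabelle/aten_integration.nix, isabelle/aten_production.nix, isabelle/spip_builder.nix, ludivinecassal/integration.nix, ludivinecassal/production.nix and piedsjaloux/integration.nix in this change. Separately, `phpEnv = { SYMFONY_DEBUG_MODE = "yes"; }` keeps debug mode on for this pool, which is presumably intended since the file reads `config.myEnv.websites.tellesflorian.integration`, but a short comment saying so would help, given the file is named app.nix rather than integration.nix.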
diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index 57c4006..4ee160a 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.florian.integration; | 4 | cfg = config.myServices.websites.florian.integration; |
5 | varDir = "/var/lib/ftp/florian"; | 5 | varDir = "/var/lib/ftp/florian"; |
6 | env = config.myEnv.websites.florian; | 6 | env = config.myEnv.websites.florian; |
@@ -8,7 +8,7 @@ in { | |||
8 | options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; | 8 | options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; |
9 | 9 | ||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | security.acme2.certs."ftp".extraDomains."florian.immae.eu" = null; | 11 | security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; |
12 | 12 | ||
13 | services.websites.env.integration.modules = adminer.apache.modules; | 13 | services.websites.env.integration.modules = adminer.apache.modules; |
14 | services.websites.env.integration.vhostConfs.florian = { | 14 | services.websites.env.integration.vhostConfs.florian = { |
@@ -17,7 +17,7 @@ in { | |||
17 | hosts = [ "florian.immae.eu" ]; | 17 | hosts = [ "florian.immae.eu" ]; |
18 | root = "${varDir}/florian.immae.eu"; | 18 | root = "${varDir}/florian.immae.eu"; |
19 | extraConfig = [ | 19 | extraConfig = [ |
20 | adminer.apache.vhostConf | 20 | (adminer.apache.vhostConf null) |
21 | '' | 21 | '' |
22 | ServerAdmin ${env.server_admin} | 22 | ServerAdmin ${env.server_admin} |
23 | 23 | ||
diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 1abc715..16c6022 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.florian.production; | 4 | cfg = config.myServices.websites.florian.production; |
5 | varDir = "/var/lib/ftp/florian"; | 5 | varDir = "/var/lib/ftp/florian"; |
6 | env = config.myEnv.websites.florian; | 6 | env = config.myEnv.websites.florian; |
@@ -8,7 +8,7 @@ in { | |||
8 | options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; | 8 | options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; |
9 | 9 | ||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | security.acme2.certs."ftp".extraDomains."tellesflorian.com" = null; | 11 | security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; |
12 | 12 | ||
13 | services.websites.env.production.modules = adminer.apache.modules; | 13 | services.websites.env.production.modules = adminer.apache.modules; |
14 | services.websites.env.production.vhostConfs.florian = { | 14 | services.websites.env.production.vhostConfs.florian = { |
@@ -17,7 +17,7 @@ in { | |||
17 | hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; | 17 | hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; |
18 | root = "${varDir}/tellesflorian.com"; | 18 | root = "${varDir}/tellesflorian.com"; |
19 | extraConfig = [ | 19 | extraConfig = [ |
20 | adminer.apache.vhostConf | 20 | (adminer.apache.vhostConf null) |
21 | '' | 21 | '' |
22 | ServerAdmin ${env.server_admin} | 22 | ServerAdmin ${env.server_admin} |
23 | 23 | ||
diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix index a2a087c..fb6eda9 100644 --- a/modules/private/websites/isabelle/aten_integration.nix +++ b/modules/private/websites/isabelle/aten_integration.nix | |||
@@ -23,15 +23,17 @@ in { | |||
23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" |
24 | ]; | 24 | ]; |
25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
26 | phpPool = '' | 26 | phpPool = { |
27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
30 | pm = ondemand | 30 | "pm" = "ondemand"; |
31 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
32 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
33 | env[SYMFONY_DEBUG_MODE] = "yes" | 33 | }; |
34 | ''; | 34 | phpEnv = { |
35 | SYMFONY_DEBUG_MODE = "yes"; | ||
36 | }; | ||
35 | }; | 37 | }; |
36 | 38 | ||
37 | secrets.keys = [{ | 39 | secrets.keys = [{ |
diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index 8e33f0f..cf7e4a2 100644 --- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix | |||
@@ -24,16 +24,16 @@ in { | |||
24 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | pm = dynamic | 31 | "pm" = "dynamic"; |
32 | pm.max_children = 20 | 32 | "pm.max_children" = "20"; |
33 | pm.start_servers = 2 | 33 | "pm.start_servers" = "2"; |
34 | pm.min_spare_servers = 1 | 34 | "pm.min_spare_servers" = "1"; |
35 | pm.max_spare_servers = 3 | 35 | "pm.max_spare_servers" = "3"; |
36 | ''; | 36 | }; |
37 | }; | 37 | }; |
38 | 38 | ||
39 | secrets.keys = [{ | 39 | secrets.keys = [{ |
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index 460bd2a..ffbf259 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix | |||
@@ -19,8 +19,9 @@ in { | |||
19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; | 19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; |
20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; | 20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; |
21 | services.phpfpm.pools.iridologie = { | 21 | services.phpfpm.pools.iridologie = { |
22 | listen = iridologie.phpFpm.socket; | 22 | user = config.services.httpd.Prod.user; |
23 | extraConfig = iridologie.phpFpm.pool; | 23 | group = config.services.httpd.Prod.group; |
24 | settings = iridologie.phpFpm.pool; | ||
24 | phpOptions = config.services.phpfpm.phpOptions + '' | 25 | phpOptions = config.services.phpfpm.phpOptions + '' |
25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
26 | ''; | 27 | ''; |
@@ -39,7 +40,7 @@ in { | |||
39 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] | 40 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] |
40 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] | 41 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] |
41 | '' | 42 | '' |
42 | iridologie.apache.vhostConf | 43 | (iridologie.apache.vhostConf config.services.phpfpm.pools.iridologie.socket) |
43 | ]; | 44 | ]; |
44 | }; | 45 | }; |
45 | services.websites.env.production.watchPaths = [ | 46 | services.websites.env.production.watchPaths = [ |
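Review bot: The pool's `user`/`group` in the first hunk now come from `config.services.httpd.Prod.user` and `.group`, while `listen.owner`/`listen.group` inside `iridologie.phpFpm.pool` (spip_builder.nix in this change) come from the builder's `apacheUser`/`apacheGroup`; both describe the Apache identity but from two different sources, and if they ever diverge the socket ends up owned by a different account than the one expected to connect to it. I cannot see how `apacheUser` is supplied to the builder, so this may already be the same value; if not, consider deriving both from one place, e.g. `settings = iridologie.phpFpm.pool // { "listen.owner" = config.services.httpd.Prod.user; "listen.group" = config.services.httpd.Prod.group; };`. The enclosing `config = lib.mkIf ...` block starts before and ends after the hunks.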
diff --git a/modules/private/websites/isabelle/spip_builder.nix b/modules/private/websites/isabelle/spip_builder.nix index 2ab5394..e1130d1 100644 --- a/modules/private/websites/isabelle/spip_builder.nix +++ b/modules/private/websites/isabelle/spip_builder.nix | |||
@@ -3,28 +3,25 @@ rec { | |||
3 | app = iridologie.override { inherit (config) environment; }; | 3 | app = iridologie.override { inherit (config) environment; }; |
4 | phpFpm = rec { | 4 | phpFpm = rec { |
5 | serviceDeps = [ "mysql.service" ]; | 5 | serviceDeps = [ "mysql.service" ]; |
6 | socket = "/var/run/phpfpm/iridologie-${app.environment}.sock"; | 6 | pool = { |
7 | pool = '' | 7 | "listen.owner" = "${apacheUser}"; |
8 | user = ${apacheUser} | 8 | "listen.group" = "${apacheGroup}"; |
9 | group = ${apacheGroup} | 9 | "php_admin_value[upload_max_filesize]" = "20M"; |
10 | listen.owner = ${apacheUser} | 10 | "php_admin_value[post_max_size]" = "20M"; |
11 | listen.group = ${apacheGroup} | 11 | #"php_admin_flag[log_errors]" = "on"; |
12 | php_admin_value[upload_max_filesize] = 20M | 12 | "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; |
13 | php_admin_value[post_max_size] = 20M | 13 | "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; |
14 | ;php_admin_flag[log_errors] = on | 14 | } // (if app.environment == "dev" then { |
15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | 15 | "pm" = "ondemand"; |
16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | 16 | "pm.max_children" = "5"; |
17 | ${if app.environment == "dev" then '' | 17 | "pm.process_idle_timeout" = "60"; |
18 | pm = ondemand | 18 | } else { |
19 | pm.max_children = 5 | 19 | "pm" = "dynamic"; |
20 | pm.process_idle_timeout = 60 | 20 | "pm.max_children" = "20"; |
21 | '' else '' | 21 | "pm.start_servers" = "2"; |
22 | pm = dynamic | 22 | "pm.min_spare_servers" = "1"; |
23 | pm.max_children = 20 | 23 | "pm.max_spare_servers" = "3"; |
24 | pm.start_servers = 2 | 24 | }); |
25 | pm.min_spare_servers = 1 | ||
26 | pm.max_spare_servers = 3 | ||
27 | ''}''; | ||
28 | }; | 25 | }; |
29 | keys = [{ | 26 | keys = [{ |
30 | dest = "webapps/${app.environment}-iridologie"; | 27 | dest = "webapps/${app.environment}-iridologie"; |
@@ -51,13 +48,13 @@ rec { | |||
51 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
52 | webappName = "iridologie_${app.environment}"; | 49 | webappName = "iridologie_${app.environment}"; |
53 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
54 | vhostConf = '' | 51 | vhostConf = socket: '' |
55 | Include /var/secrets/webapps/${app.environment}-iridologie | 52 | Include /var/secrets/webapps/${app.environment}-iridologie |
56 | 53 | ||
57 | RewriteEngine On | 54 | RewriteEngine On |
58 | 55 | ||
59 | <FilesMatch "\.php$"> | 56 | <FilesMatch "\.php$"> |
60 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 57 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
61 | </FilesMatch> | 58 | </FilesMatch> |
62 | 59 | ||
63 | <Directory ${root}> | 60 | <Directory ${root}> |
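Review bot: The interpolations `"listen.owner" = "${apacheUser}";` and `"listen.group" = "${apacheGroup}";` in the first hunk are redundant if `apacheUser`/`apacheGroup` are already strings; `"listen.owner" = apacheUser;` is the idiomatic form and would not silently coerce a path or derivation into a string. Note also that `user`/`group` were dropped from the returned `pool` attrset, so every consumer of `phpFpm.pool` now has to set the pool's `user` and `group` itself (iridologie.nix in this change does); a one-line comment above `pool = {`, e.g. `# listen.* only: the pool's user/group are set by the consuming module`, would keep the next caller from ending up with a pool running as the module default. The `rec { ... }` enclosing this starts before and ends after the hunks.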
diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix index e8591c8..3b289cf 100644 --- a/modules/private/websites/leila/production.nix +++ b/modules/private/websites/leila/production.nix | |||
@@ -7,19 +7,18 @@ in { | |||
7 | 7 | ||
8 | config = lib.mkIf cfg.enable { | 8 | config = lib.mkIf cfg.enable { |
9 | services.phpfpm.pools.leila = { | 9 | services.phpfpm.pools.leila = { |
10 | listen = "/run/phpfpm/leila.sock"; | 10 | user = "wwwrun"; |
11 | extraConfig = '' | 11 | group = "wwwrun"; |
12 | user = wwwrun | 12 | settings = { |
13 | group = wwwrun | 13 | "listen.owner" = "wwwrun"; |
14 | listen.owner = wwwrun | 14 | "listen.group" = "wwwrun"; |
15 | listen.group = wwwrun | ||
16 | 15 | ||
17 | pm = ondemand | 16 | "pm" = "ondemand"; |
18 | pm.max_children = 5 | 17 | "pm.max_children" = "5"; |
19 | pm.process_idle_timeout = 60 | 18 | "pm.process_idle_timeout" = "60"; |
20 | 19 | ||
21 | php_admin_value[open_basedir] = "${varDir}:/tmp" | 20 | "php_admin_value[open_basedir]" = "${varDir}:/tmp"; |
22 | ''; | 21 | }; |
23 | }; | 22 | }; |
24 | 23 | ||
25 | services.webstats.sites = [ | 24 | services.webstats.sites = [ |
@@ -46,7 +45,7 @@ in { | |||
46 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu | 45 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu |
47 | 46 | ||
48 | <FilesMatch "\.php$"> | 47 | <FilesMatch "\.php$"> |
49 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 48 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
50 | </FilesMatch> | 49 | </FilesMatch> |
51 | </Directory> | 50 | </Directory> |
52 | '' | 51 | '' |
@@ -66,7 +65,7 @@ in { | |||
66 | AllowOverride None | 65 | AllowOverride None |
67 | 66 | ||
68 | <FilesMatch "\.php$"> | 67 | <FilesMatch "\.php$"> |
69 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 68 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
70 | </FilesMatch> | 69 | </FilesMatch> |
71 | </Directory> | 70 | </Directory> |
72 | '' | 71 | '' |
@@ -89,7 +88,7 @@ in { | |||
89 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu | 88 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu |
90 | 89 | ||
91 | <FilesMatch "\.php$"> | 90 | <FilesMatch "\.php$"> |
92 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 91 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
93 | </FilesMatch> | 92 | </FilesMatch> |
94 | </Directory> | 93 | </Directory> |
95 | <Directory ${varDir}> | 94 | <Directory ${varDir}> |
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix index 1cbfd12..d304fdf 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivinecassal/integration.nix | |||
@@ -23,15 +23,17 @@ in { | |||
23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
24 | ]; | 24 | ]; |
25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
26 | phpPool = '' | 26 | phpPool = { |
27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
30 | pm = ondemand | 30 | "pm" = "ondemand"; |
31 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
32 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
33 | env[SYMFONY_DEBUG_MODE] = "yes" | 33 | }; |
34 | ''; | 34 | phpEnv = { |
35 | SYMFONY_DEBUG_MODE = "yes"; | ||
36 | }; | ||
35 | phpWatchFiles = [ | 37 | phpWatchFiles = [ |
36 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" | 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" |
37 | ]; | 39 | ]; |
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix index 7cf00f0..5761be7 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivinecassal/production.nix | |||
@@ -24,16 +24,16 @@ in { | |||
24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | pm = dynamic | 31 | "pm" = "dynamic"; |
32 | pm.max_children = 20 | 32 | "pm.max_children" = "20"; |
33 | pm.start_servers = 2 | 33 | "pm.start_servers" = "2"; |
34 | pm.min_spare_servers = 1 | 34 | "pm.min_spare_servers" = "1"; |
35 | pm.max_spare_servers = 3 | 35 | "pm.max_spare_servers" = "3"; |
36 | ''; | 36 | }; |
37 | phpWatchFiles = [ | 37 | phpWatchFiles = [ |
38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" | 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" |
39 | ]; | 39 | ]; |
diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index 293519f..f9468f9 100644 --- a/modules/private/websites/nassime/production.nix +++ b/modules/private/websites/nassime/production.nix | |||
@@ -9,7 +9,7 @@ in { | |||
9 | config = lib.mkIf cfg.enable { | 9 | config = lib.mkIf cfg.enable { |
10 | services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; | 10 | services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; |
11 | 11 | ||
12 | security.acme2.certs."ftp".extraDomains."nassime.bouya.org" = null; | 12 | security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; |
13 | 13 | ||
14 | services.websites.env.production.vhostConfs.nassime = { | 14 | services.websites.env.production.vhostConfs.nassime = { |
15 | certName = "nassime"; | 15 | certName = "nassime"; |
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix index a276c47..1e79141 100644 --- a/modules/private/websites/naturaloutil/production.nix +++ b/modules/private/websites/naturaloutil/production.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.naturaloutil.production; | 4 | cfg = config.myServices.websites.naturaloutil.production; |
5 | varDir = "/var/lib/ftp/jerome"; | 5 | varDir = "/var/lib/ftp/jerome"; |
6 | env = config.myEnv.websites.jerome; | 6 | env = config.myEnv.websites.jerome; |
@@ -10,7 +10,7 @@ in { | |||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; | 11 | services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; |
12 | 12 | ||
13 | security.acme2.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; | 13 | security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; |
14 | 14 | ||
15 | secrets.keys = [{ | 15 | secrets.keys = [{ |
16 | dest = "webapps/prod-naturaloutil"; | 16 | dest = "webapps/prod-naturaloutil"; |
@@ -42,21 +42,22 @@ in { | |||
42 | systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; | 42 | systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; |
43 | systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; | 43 | systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; |
44 | services.phpfpm.pools.jerome = { | 44 | services.phpfpm.pools.jerome = { |
45 | listen = "/run/phpfpm/naturaloutil.sock"; | 45 | user = "wwwrun"; |
46 | extraConfig = '' | 46 | group = "wwwrun"; |
47 | user = wwwrun | 47 | settings = { |
48 | group = wwwrun | 48 | "listen.owner" = "wwwrun"; |
49 | listen.owner = wwwrun | 49 | "listen.group" = "wwwrun"; |
50 | listen.group = wwwrun | ||
51 | 50 | ||
52 | pm = ondemand | 51 | "pm" = "ondemand"; |
53 | pm.max_children = 5 | 52 | "pm.max_children" = "5"; |
54 | pm.process_idle_timeout = 60 | 53 | "pm.process_idle_timeout" = "60"; |
55 | 54 | ||
56 | env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil" | 55 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"; |
57 | php_admin_value[open_basedir] = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp" | 56 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/naturaloutil"; |
58 | php_admin_value[session.save_path] = "/var/lib/php/sessions/naturaloutil" | 57 | }; |
59 | ''; | 58 | phpEnv = { |
59 | BDD_CONNECT = "/var/secrets/webapps/prod-naturaloutil"; | ||
60 | }; | ||
60 | phpOptions = config.services.phpfpm.phpOptions + '' | 61 | phpOptions = config.services.phpfpm.phpOptions + '' |
61 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 62 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
62 | ''; | 63 | ''; |
@@ -68,7 +69,7 @@ in { | |||
68 | hosts = ["naturaloutil.immae.eu" ]; | 69 | hosts = ["naturaloutil.immae.eu" ]; |
69 | root = varDir; | 70 | root = varDir; |
70 | extraConfig = [ | 71 | extraConfig = [ |
71 | adminer.apache.vhostConf | 72 | (adminer.apache.vhostConf null) |
72 | '' | 73 | '' |
73 | Use Stats naturaloutil.immae.eu | 74 | Use Stats naturaloutil.immae.eu |
74 | ServerAdmin ${env.server_admin} | 75 | ServerAdmin ${env.server_admin} |
@@ -76,7 +77,7 @@ in { | |||
76 | CustomLog "${varDir}/logs/access_log" combined | 77 | CustomLog "${varDir}/logs/access_log" combined |
77 | 78 | ||
78 | <FilesMatch "\.php$"> | 79 | <FilesMatch "\.php$"> |
79 | SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost" | 80 | SetHandler "proxy:unix:${config.services.phpfpm.pools.jerome.socket}|fcgi://localhost" |
80 | </FilesMatch> | 81 | </FilesMatch> |
81 | 82 | ||
82 | <Directory ${varDir}/logs> | 83 | <Directory ${varDir}/logs> |
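Review bot: The secret path `/var/secrets/webapps/prod-naturaloutil` is now spelled out twice in the third hunk, once inside `open_basedir` and once as `BDD_CONNECT = "/var/secrets/webapps/prod-naturaloutil";`, while the key itself is declared with `dest = "webapps/prod-naturaloutil"` in the second hunk; if the secrets root or the dest ever moves, the two literals silently point PHP at a stale or missing file. Other files in this change read the resolved path through `config.secrets.fullPaths."webapps/…"`, so the same lookup here, `BDD_CONNECT = config.secrets.fullPaths."webapps/prod-naturaloutil";` with the same expression interpolated into `open_basedir`, would keep the three in step. The enclosing `config = lib.mkIf ...` block continues outside the hunks.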
diff --git a/modules/private/websites/papa/maison_bbc.nix b/modules/private/websites/papa/maison_bbc.nix index eb61b6d..11e7937 100644 --- a/modules/private/websites/papa/maison_bbc.nix +++ b/modules/private/websites/papa/maison_bbc.nix | |||
@@ -9,19 +9,18 @@ in { | |||
9 | services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; | 9 | services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; |
10 | services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; | 10 | services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; |
11 | services.phpfpm.pools.papa_maison_bbc = { | 11 | services.phpfpm.pools.papa_maison_bbc = { |
12 | listen = "/run/phpfpm/papa_maison_bbc.sock"; | 12 | user = "wwwrun"; |
13 | extraConfig = '' | 13 | group = "wwwrun"; |
14 | user = wwwrun | 14 | settings = { |
15 | group = wwwrun | 15 | "listen.owner" = "wwwrun"; |
16 | listen.owner = wwwrun | 16 | "listen.group" = "wwwrun"; |
17 | listen.group = wwwrun | ||
18 | 17 | ||
19 | pm = ondemand | 18 | "pm" = "ondemand"; |
20 | pm.max_children = 5 | 19 | "pm.max_children" = "5"; |
21 | pm.process_idle_timeout = 60 | 20 | "pm.process_idle_timeout" = "60"; |
22 | 21 | ||
23 | php_admin_value[open_basedir] = "${varDir}" | 22 | "php_admin_value[open_basedir]" = varDir; |
24 | ''; | 23 | }; |
25 | phpOptions = config.services.phpfpm.phpOptions + '' | 24 | phpOptions = config.services.phpfpm.phpOptions + '' |
26 | date.timezone = 'Europe/Paris' | 25 | date.timezone = 'Europe/Paris' |
27 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
@@ -34,17 +33,17 @@ in { | |||
34 | root = varDir; | 33 | root = varDir; |
35 | extraConfig = [ | 34 | extraConfig = [ |
36 | '' | 35 | '' |
37 | Alias /.well-known/acme-challenge ${config.security.acme2.certs.papa.webroot}/.well-known/acme-challenge | 36 | Alias /.well-known/acme-challenge ${config.security.acme.certs.papa.webroot}/.well-known/acme-challenge |
38 | RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 | 37 | RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 |
39 | <Directory ${varDir}> | 38 | <Directory ${varDir}> |
40 | DirectoryIndex index.php index.htm index.html | 39 | DirectoryIndex index.php index.htm index.html |
41 | AllowOverride None | 40 | AllowOverride None |
42 | Require all granted | 41 | Require all granted |
43 | <FilesMatch "\.php$"> | 42 | <FilesMatch "\.php$"> |
44 | SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" | 43 | SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" |
45 | </FilesMatch> | 44 | </FilesMatch> |
46 | </Directory> | 45 | </Directory> |
47 | <Directory "${config.security.acme2.certs.papa.webroot}"> | 46 | <Directory "${config.security.acme.certs.papa.webroot}"> |
48 | Options Indexes FollowSymLinks | 47 | Options Indexes FollowSymLinks |
49 | AllowOverride None | 48 | AllowOverride None |
50 | Require all granted | 49 | Require all granted |
@@ -64,7 +63,7 @@ in { | |||
64 | AllowOverride None | 63 | AllowOverride None |
65 | Require all granted | 64 | Require all granted |
66 | <FilesMatch "\.php$"> | 65 | <FilesMatch "\.php$"> |
67 | SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" | 66 | SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" |
68 | </FilesMatch> | 67 | </FilesMatch> |
69 | </Directory> | 68 | </Directory> |
70 | '' | 69 | '' |
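Review bot: The pool in the first hunk restricts `open_basedir` to `varDir` alone (`"php_admin_value[open_basedir]" = varDir;`) but sets no `session.save_path`, unlike the other pools converted in this change (evariste, naturaloutil), which pair a per-site `/var/lib/php/sessions/<name>` save path with a matching open_basedir entry; if any script under this vhost starts a PHP session, writes to the default session directory will be refused by open_basedir. If sessions are used, add `"php_admin_value[session.save_path]" = "/var/lib/php/sessions/papa_maison_bbc";` (name constructed to match the evariste/naturaloutil pattern) and include that directory in open_basedir; if they are not, a one-line comment stating the site is session-free would document the narrower allow-list as deliberate. This behaviour is unchanged from the old `extraConfig`, so it may well be intentional. The enclosing `config` block starts before and ends after the hunks.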
diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix index f6e1772..1bb6ac8 100644 --- a/modules/private/websites/papa/surveillance.nix +++ b/modules/private/websites/papa/surveillance.nix | |||
@@ -6,7 +6,7 @@ in { | |||
6 | options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; | 6 | options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; |
7 | 7 | ||
8 | config = lib.mkIf cfg.enable { | 8 | config = lib.mkIf cfg.enable { |
9 | security.acme2.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; | 9 | security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; |
10 | 10 | ||
11 | services.cron = { | 11 | services.cron = { |
12 | systemCronJobs = let | 12 | systemCronJobs = let |
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 5907bc8..76523ed 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix | |||
@@ -23,16 +23,18 @@ in { | |||
23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
24 | ]; | 24 | ]; |
25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
26 | phpPool = '' | 26 | phpPool = { |
27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
30 | env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} | 30 | "pm" = "ondemand"; |
31 | pm = ondemand | 31 | "pm.max_children" = "5"; |
32 | pm.max_children = 5 | 32 | "pm.process_idle_timeout" = "60"; |
33 | pm.process_idle_timeout = 60 | 33 | }; |
34 | env[SYMFONY_DEBUG_MODE] = "yes" | 34 | phpEnv = { |
35 | ''; | 35 | PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; |
36 | SYMFONY_DEBUG_MODE = "yes"; | ||
37 | }; | ||
36 | phpWatchFiles = [ | 38 | phpWatchFiles = [ |
37 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" | 39 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" |
38 | ]; | 40 | ]; |
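Review bot: `SYMFONY_DEBUG_MODE = "yes"` in `phpEnv` (new line 36) switches Symfony into debug mode for every request on this integration vhost, which exposes full stack traces, the profiler and environment details to anyone who can reach it; that is only acceptable if the vhost is access-restricted, which this hunk cannot show. It is worth pinning the intent with a comment so the line is not copied into the production pool: `# Debug mode is for the integration vhost only; never set this in production.nix`. The production.nix hunk in this same commit does not set it, which is correct. The enclosing attribute set starts and ends outside the hunk.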
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index e4e29c7..d3e5c2b 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix | |||
@@ -24,17 +24,19 @@ in { | |||
24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} | 31 | "pm" = "dynamic"; |
32 | pm = dynamic | 32 | "pm.max_children" = "20"; |
33 | pm.max_children = 20 | 33 | "pm.start_servers" = "2"; |
34 | pm.start_servers = 2 | 34 | "pm.min_spare_servers" = "1"; |
35 | pm.min_spare_servers = 1 | 35 | "pm.max_spare_servers" = "3"; |
36 | pm.max_spare_servers = 3 | 36 | }; |
37 | ''; | 37 | phpEnv = { |
38 | PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; | ||
39 | }; | ||
38 | phpWatchFiles = [ | 40 | phpWatchFiles = [ |
39 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" | 41 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" |
40 | ]; | 42 | ]; |
diff --git a/modules/private/websites/teliotortay/production.nix b/modules/private/websites/teliotortay/production.nix index 2c62d10..62762ec 100644 --- a/modules/private/websites/teliotortay/production.nix +++ b/modules/private/websites/teliotortay/production.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.telioTortay.production; | 4 | cfg = config.myServices.websites.telioTortay.production; |
5 | varDir = "/var/lib/ftp/telio_tortay"; | 5 | varDir = "/var/lib/ftp/telio_tortay"; |
6 | env = config.myEnv.websites.telioTortay; | 6 | env = config.myEnv.websites.telioTortay; |
@@ -10,7 +10,7 @@ in { | |||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; | 11 | services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; |
12 | 12 | ||
13 | security.acme2.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; | 13 | security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; |
14 | 14 | ||
15 | system.activationScripts.telio-tortay = { | 15 | system.activationScripts.telio-tortay = { |
16 | deps = [ "httpd" ]; | 16 | deps = [ "httpd" ]; |
@@ -22,20 +22,19 @@ in { | |||
22 | systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; | 22 | systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; |
23 | systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; | 23 | systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; |
24 | services.phpfpm.pools.telio-tortay = { | 24 | services.phpfpm.pools.telio-tortay = { |
25 | listen = "/run/phpfpm/telio-tortay.sock"; | 25 | user = "wwwrun"; |
26 | extraConfig = '' | 26 | group = "wwwrun"; |
27 | user = wwwrun | 27 | settings = { |
28 | group = wwwrun | 28 | "listen.owner" = "wwwrun"; |
29 | listen.owner = wwwrun | 29 | "listen.group" = "wwwrun"; |
30 | listen.group = wwwrun | ||
31 | 30 | ||
32 | pm = ondemand | 31 | "pm" = "ondemand"; |
33 | pm.max_children = 5 | 32 | "pm.max_children" = "5"; |
34 | pm.process_idle_timeout = 60 | 33 | "pm.process_idle_timeout" = "60"; |
35 | 34 | ||
36 | php_admin_value[open_basedir] = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp" | 35 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp"; |
37 | php_admin_value[session.save_path] = "/var/lib/php/sessions/telio-tortay" | 36 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/telio-tortay"; |
38 | ''; | 37 | }; |
39 | phpOptions = config.services.phpfpm.phpOptions + '' | 38 | phpOptions = config.services.phpfpm.phpOptions + '' |
40 | disable_functions = "mail" | 39 | disable_functions = "mail" |
41 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 40 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
@@ -48,7 +47,7 @@ in { | |||
48 | hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; | 47 | hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; |
49 | root = varDir; | 48 | root = varDir; |
50 | extraConfig = [ | 49 | extraConfig = [ |
51 | adminer.apache.vhostConf | 50 | (adminer.apache.vhostConf null) |
52 | '' | 51 | '' |
53 | Use Stats telio-tortay.immae.eu | 52 | Use Stats telio-tortay.immae.eu |
54 | ServerAdmin ${env.server_admin} | 53 | ServerAdmin ${env.server_admin} |
@@ -56,7 +55,7 @@ in { | |||
56 | CustomLog "${varDir}/logs/access_log" combined | 55 | CustomLog "${varDir}/logs/access_log" combined |
57 | 56 | ||
58 | <FilesMatch "\.php$"> | 57 | <FilesMatch "\.php$"> |
59 | SetHandler "proxy:unix:/run/phpfpm/telio-tortay.sock|fcgi://localhost" | 58 | SetHandler "proxy:unix:${config.services.phpfpm.pools.telio-tortay.socket}|fcgi://localhost" |
60 | </FilesMatch> | 59 | </FilesMatch> |
61 | 60 | ||
62 | <Directory ${varDir}/logs> | 61 | <Directory ${varDir}/logs> |
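Review bot: `(adminer.apache.vhostConf null)` on new line 50 hands no php-fpm socket to the adminer vhost snippet; `commons/adminer.nix` is not in this diff, so whether it resolves the socket itself from the `config` now injected via `{ inherit config; }` cannot be confirmed here. If that helper still interpolates its argument into `SetHandler "proxy:unix:…"`, Nix refuses to coerce `null` to a string and evaluation fails closed rather than emitting a broken handler, which is the safer failure mode but deserves a note at the call site: `# socket is resolved inside commons/adminer.nix from config.services.phpfpm.pools; passing null here is intentional`. The httpd vhost definition continues outside the hunk.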
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix index 4785074..b9bb32f 100644 --- a/modules/private/websites/tools/cloud/default.nix +++ b/modules/private/websites/tools/cloud/default.nix | |||
@@ -10,37 +10,34 @@ let | |||
10 | basedir = builtins.concatStringsSep ":" ( | 10 | basedir = builtins.concatStringsSep ":" ( |
11 | [ nextcloud varDir ] | 11 | [ nextcloud varDir ] |
12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); | 12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); |
13 | socket = "/var/run/phpfpm/nextcloud.sock"; | ||
14 | phpConfig = '' | 13 | phpConfig = '' |
15 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | 14 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so |
16 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so | 15 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so |
17 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | 16 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so |
18 | ''; | 17 | ''; |
19 | pool = '' | 18 | pool = { |
20 | user = wwwrun | 19 | "listen.owner" = "wwwrun"; |
21 | group = wwwrun | 20 | "listen.group" = "wwwrun"; |
22 | listen.owner = wwwrun | 21 | "pm" = "ondemand"; |
23 | listen.group = wwwrun | 22 | "pm.max_children" = "60"; |
24 | pm = ondemand | 23 | "pm.process_idle_timeout" = "60"; |
25 | pm.max_children = 60 | ||
26 | pm.process_idle_timeout = 60 | ||
27 | 24 | ||
28 | php_admin_value[output_buffering] = 0 | 25 | "php_admin_value[output_buffering]" = "0"; |
29 | php_admin_value[max_execution_time] = 1800 | 26 | "php_admin_value[max_execution_time]" = "1800"; |
30 | php_admin_value[zend_extension] = "opcache" | 27 | "php_admin_value[zend_extension]" = "opcache"; |
31 | ;already enabled by default? | 28 | #already enabled by default? |
32 | ;php_value[opcache.enable] = 1 | 29 | #"php_value[opcache.enable]" = "1"; |
33 | php_value[opcache.enable_cli] = 1 | 30 | "php_value[opcache.enable_cli]" = "1"; |
34 | php_value[opcache.interned_strings_buffer] = 8 | 31 | "php_value[opcache.interned_strings_buffer]" = "8"; |
35 | php_value[opcache.max_accelerated_files] = 10000 | 32 | "php_value[opcache.max_accelerated_files]" = "10000"; |
36 | php_value[opcache.memory_consumption] = 128 | 33 | "php_value[opcache.memory_consumption]" = "128"; |
37 | php_value[opcache.save_comments] = 1 | 34 | "php_value[opcache.save_comments]" = "1"; |
38 | php_value[opcache.revalidate_freq] = 1 | 35 | "php_value[opcache.revalidate_freq]" = "1"; |
39 | php_admin_value[memory_limit] = 512M | 36 | "php_admin_value[memory_limit]" = "512M"; |
40 | 37 | ||
41 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" | 38 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"; |
42 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 39 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
43 | ''; | 40 | }; |
44 | }; | 41 | }; |
45 | in { | 42 | in { |
46 | options.myServices.websites.tools.cloud = { | 43 | options.myServices.websites.tools.cloud = { |
@@ -71,7 +68,7 @@ in { | |||
71 | </IfModule> | 68 | </IfModule> |
72 | <FilesMatch "\.php$"> | 69 | <FilesMatch "\.php$"> |
73 | CGIPassAuth on | 70 | CGIPassAuth on |
74 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 71 | SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost" |
75 | </FilesMatch> | 72 | </FilesMatch> |
76 | 73 | ||
77 | </Directory> | 74 | </Directory> |
@@ -171,8 +168,9 @@ in { | |||
171 | ''; | 168 | ''; |
172 | 169 | ||
173 | services.phpfpm.pools.nextcloud = { | 170 | services.phpfpm.pools.nextcloud = { |
174 | listen = phpFpm.socket; | 171 | user = "wwwrun"; |
175 | extraConfig = phpFpm.pool; | 172 | group = "wwwrun"; |
173 | settings = phpFpm.pool; | ||
176 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; | 174 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; |
177 | }; | 175 | }; |
178 | 176 | ||
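Review bot: `"php_admin_value[zend_extension]" = "opcache";` (new line 27) is, as far as I know, ineffective: `zend_extension` is a loader directive handled while php.ini is parsed, not a registered INI entry, so php-fpm cannot apply it from a pool `php_admin_value` and only logs an "Unable to set php_admin_value" error when the pool starts. OPcache is already loaded for this pool by the `zend_extension=${pkgs.php}/lib/php/extensions/opcache.so` line in `phpConfig` (new line 16), so the pool entry can simply be dropped. The `#already enabled by default?` question beside it can be answered in the same comment: `# opcache is loaded via phpConfig above; opcache.enable defaults to 1 in PHP's built-in defaults`. The `pool` attribute set is cut at the top of the hunk.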
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index 5eb3fab..9d6cd21 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix | |||
@@ -73,7 +73,7 @@ rec { | |||
73 | modules = [ "proxy_fcgi" ]; | 73 | modules = [ "proxy_fcgi" ]; |
74 | webappName = "tools_davical"; | 74 | webappName = "tools_davical"; |
75 | root = "/run/current-system/webapps/${webappName}"; | 75 | root = "/run/current-system/webapps/${webappName}"; |
76 | vhostConf = '' | 76 | vhostConf = socket: '' |
77 | Alias /davical "${root}" | 77 | Alias /davical "${root}" |
78 | Alias /caldav.php "${root}/caldav.php" | 78 | Alias /caldav.php "${root}/caldav.php" |
79 | <Directory "${root}"> | 79 | <Directory "${root}"> |
@@ -84,7 +84,7 @@ rec { | |||
84 | 84 | ||
85 | <FilesMatch "\.php$"> | 85 | <FilesMatch "\.php$"> |
86 | CGIPassAuth on | 86 | CGIPassAuth on |
87 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 87 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
88 | </FilesMatch> | 88 | </FilesMatch> |
89 | 89 | ||
90 | RewriteEngine On | 90 | RewriteEngine On |
@@ -111,28 +111,25 @@ rec { | |||
111 | phpFpm = rec { | 111 | phpFpm = rec { |
112 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 112 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
113 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; | 113 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; |
114 | socket = "/var/run/phpfpm/davical.sock"; | 114 | pool = { |
115 | pool = '' | 115 | "listen.owner" = apache.user; |
116 | user = ${apache.user} | 116 | "listen.group" = apache.group; |
117 | group = ${apache.group} | 117 | "pm" = "dynamic"; |
118 | listen.owner = ${apache.user} | 118 | "pm.max_children" = "60"; |
119 | listen.group = ${apache.group} | 119 | "pm.start_servers" = "2"; |
120 | pm = dynamic | 120 | "pm.min_spare_servers" = "1"; |
121 | pm.max_children = 60 | 121 | "pm.max_spare_servers" = "10"; |
122 | pm.start_servers = 2 | ||
123 | pm.min_spare_servers = 1 | ||
124 | pm.max_spare_servers = 10 | ||
125 | 122 | ||
126 | ; Needed to avoid clashes in browser cookies (same domain) | 123 | # Needed to avoid clashes in browser cookies (same domain) |
127 | php_value[session.name] = DavicalPHPSESSID | 124 | "php_value[session.name]" = "DavicalPHPSESSID"; |
128 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical" | 125 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/davical"; |
129 | php_admin_value[include_path] = "${awl}/inc:${webapp}/inc" | 126 | "php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc"; |
130 | php_admin_value[session.save_path] = "/var/lib/php/sessions/davical" | 127 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/davical"; |
131 | php_flag[magic_quotes_gpc] = Off | 128 | "php_flag[magic_quotes_gpc]" = "Off"; |
132 | php_flag[register_globals] = Off | 129 | "php_flag[register_globals]" = "Off"; |
133 | php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE" | 130 | "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE"; |
134 | php_admin_value[default_charset] = "utf-8" | 131 | "php_admin_value[default_charset]" = "utf-8"; |
135 | php_flag[magic_quotes_runtime] = Off | 132 | "php_flag[magic_quotes_runtime]" = "Off"; |
136 | ''; | 133 | }; |
137 | }; | 134 | }; |
138 | } | 135 | } |
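Review bot: `magic_quotes_gpc`, `register_globals` and `magic_quotes_runtime` (new lines 128, 129 and 132) were removed from PHP in 5.4, so on the PHP 7.3 this upgrade targets they are not INI directives at all; php-fpm will, as far as I recall, log an "Unable to set php_value" error for each when the pool starts and otherwise ignore them. They provide no protection on a modern PHP and only add noise to the log, so the three `php_flag` entries can be deleted outright. If the point is to record that DAViCal's legacy requirements are met, a comment does that better: `# magic_quotes/register_globals no longer exist (removed in PHP 5.4); nothing to disable`. The `phpFpm` record is cut at the top of the hunk.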
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix index 0012965..30a562c 100644 --- a/modules/private/websites/tools/dav/default.nix +++ b/modules/private/websites/tools/dav/default.nix | |||
@@ -38,14 +38,15 @@ in { | |||
38 | root = "/run/current-system/webapps/_dav"; | 38 | root = "/run/current-system/webapps/_dav"; |
39 | extraConfig = [ | 39 | extraConfig = [ |
40 | infcloud.vhostConf | 40 | infcloud.vhostConf |
41 | davical.apache.vhostConf | 41 | (davical.apache.vhostConf config.services.phpfpm.pools.davical.socket) |
42 | ]; | 42 | ]; |
43 | }; | 43 | }; |
44 | 44 | ||
45 | services.phpfpm.pools = { | 45 | services.phpfpm.pools = { |
46 | davical = { | 46 | davical = { |
47 | listen = davical.phpFpm.socket; | 47 | user = config.services.httpd.Tools.user; |
48 | extraConfig = davical.phpFpm.pool; | 48 | group = config.services.httpd.Tools.group; |
49 | settings = davical.phpFpm.pool; | ||
49 | }; | 50 | }; |
50 | }; | 51 | }; |
51 | 52 | ||
diff --git a/modules/private/websites/tools/db/default.nix b/modules/private/websites/tools/db/default.nix index 60592e5..fc8d989 100644 --- a/modules/private/websites/tools/db/default.nix +++ b/modules/private/websites/tools/db/default.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../../commons/adminer.nix { inherit config; }; |
4 | 4 | ||
5 | cfg = config.myServices.websites.tools.db; | 5 | cfg = config.myServices.websites.tools.db; |
6 | in { | 6 | in { |
@@ -15,7 +15,7 @@ in { | |||
15 | addToCerts = true; | 15 | addToCerts = true; |
16 | hosts = ["db-1.immae.eu" ]; | 16 | hosts = ["db-1.immae.eu" ]; |
17 | root = null; | 17 | root = null; |
18 | extraConfig = [ adminer.apache.vhostConf ]; | 18 | extraConfig = [ (adminer.apache.vhostConf null) ]; |
19 | }; | 19 | }; |
20 | }; | 20 | }; |
21 | } | 21 | } |
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix index 054e47b..56e4401 100644 --- a/modules/private/websites/tools/git/default.nix +++ b/modules/private/websites/tools/git/default.nix | |||
@@ -30,7 +30,7 @@ in { | |||
30 | root = gitweb.apache.root; | 30 | root = gitweb.apache.root; |
31 | extraConfig = [ | 31 | extraConfig = [ |
32 | gitweb.apache.vhostConf | 32 | gitweb.apache.vhostConf |
33 | mantisbt.apache.vhostConf | 33 | (mantisbt.apache.vhostConf config.services.phpfpm.pools.mantisbt.socket) |
34 | '' | 34 | '' |
35 | RewriteEngine on | 35 | RewriteEngine on |
36 | RewriteCond %{REQUEST_URI} ^/releases | 36 | RewriteCond %{REQUEST_URI} ^/releases |
@@ -40,8 +40,9 @@ in { | |||
40 | }; | 40 | }; |
41 | services.phpfpm.pools = { | 41 | services.phpfpm.pools = { |
42 | mantisbt = { | 42 | mantisbt = { |
43 | listen = mantisbt.phpFpm.socket; | 43 | user = config.services.httpd.Tools.user; |
44 | extraConfig = mantisbt.phpFpm.pool; | 44 | group = config.services.httpd.Tools.group; |
45 | settings = mantisbt.phpFpm.pool; | ||
45 | }; | 46 | }; |
46 | }; | 47 | }; |
47 | }; | 48 | }; |
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index d75b022..50851aa 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix | |||
@@ -53,12 +53,12 @@ rec { | |||
53 | modules = [ "proxy_fcgi" ]; | 53 | modules = [ "proxy_fcgi" ]; |
54 | webappName = "tools_mantisbt"; | 54 | webappName = "tools_mantisbt"; |
55 | root = "/run/current-system/webapps/${webappName}"; | 55 | root = "/run/current-system/webapps/${webappName}"; |
56 | vhostConf = '' | 56 | vhostConf = socket: '' |
57 | Alias /mantisbt "${root}" | 57 | Alias /mantisbt "${root}" |
58 | <Directory "${root}"> | 58 | <Directory "${root}"> |
59 | DirectoryIndex index.php | 59 | DirectoryIndex index.php |
60 | <FilesMatch "\.php$"> | 60 | <FilesMatch "\.php$"> |
61 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 61 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
62 | </FilesMatch> | 62 | </FilesMatch> |
63 | 63 | ||
64 | AllowOverride All | 64 | AllowOverride All |
@@ -76,20 +76,17 @@ rec { | |||
76 | basedir = builtins.concatStringsSep ":" ( | 76 | basedir = builtins.concatStringsSep ":" ( |
77 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] | 77 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] |
78 | ++ webRoot.plugins); | 78 | ++ webRoot.plugins); |
79 | socket = "/var/run/phpfpm/mantisbt.sock"; | 79 | pool = { |
80 | pool = '' | 80 | "listen.owner" = apache.user; |
81 | user = ${apache.user} | 81 | "listen.group" = apache.group; |
82 | group = ${apache.group} | 82 | "pm" = "ondemand"; |
83 | listen.owner = ${apache.user} | 83 | "pm.max_children" = "60"; |
84 | listen.group = ${apache.group} | 84 | "pm.process_idle_timeout" = "60"; |
85 | pm = ondemand | ||
86 | pm.max_children = 60 | ||
87 | pm.process_idle_timeout = 60 | ||
88 | 85 | ||
89 | php_admin_value[upload_max_filesize] = 5000000 | 86 | "php_admin_value[upload_max_filesize]" = "5000000"; |
90 | 87 | ||
91 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt" | 88 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"; |
92 | php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt" | 89 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/mantisbt"; |
93 | ''; | 90 | }; |
94 | }; | 91 | }; |
95 | } | 92 | } |
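Review bot: `"php_admin_value[upload_max_filesize]" = "5000000";` (new line 86) is the one size limit in this commit written as a bare byte count, while every other pool uses PHP's shorthand (`"20M"`, `"200M"`); `5000000` is about 4.8 MiB, which is easy to misread as 5 MB. For consistency I would write `"php_admin_value[upload_max_filesize]" = "5M";` if the exact byte count is not significant, or keep the value and add `# exact byte count, ~4.8 MiB` next to it. No `post_max_size` is set, so PHP's default of 8M stays the effective cap on a whole multipart request; fine for a single attachment, but a one-line comment would make that intentional rather than accidental. The `phpFpm` record is cut at the top of the hunk.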
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index bb36042..1f7f7bf 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix | |||
@@ -6,6 +6,7 @@ let | |||
6 | }; | 6 | }; |
7 | rainloop = pkgs.callPackage ./rainloop.nix {}; | 7 | rainloop = pkgs.callPackage ./rainloop.nix {}; |
8 | cfg = config.myServices.websites.tools.email; | 8 | cfg = config.myServices.websites.tools.email; |
9 | pcfg = config.services.phpfpm.pools; | ||
9 | in | 10 | in |
10 | { | 11 | { |
11 | options.myServices.websites.tools.email = { | 12 | options.myServices.websites.tools.email = { |
@@ -34,8 +35,8 @@ in | |||
34 | hosts = ["mail.immae.eu"]; | 35 | hosts = ["mail.immae.eu"]; |
35 | root = "/run/current-system/webapps/_mail"; | 36 | root = "/run/current-system/webapps/_mail"; |
36 | extraConfig = [ | 37 | extraConfig = [ |
37 | rainloop.apache.vhostConf | 38 | (rainloop.apache.vhostConf pcfg.rainloop.socket) |
38 | roundcubemail.apache.vhostConf | 39 | (roundcubemail.apache.vhostConf pcfg.roundcubemail.socket) |
39 | '' | 40 | '' |
40 | <Directory /run/current-system/webapps/_mail> | 41 | <Directory /run/current-system/webapps/_mail> |
41 | Require all granted | 42 | Require all granted |
@@ -56,13 +57,15 @@ in | |||
56 | }; | 57 | }; |
57 | 58 | ||
58 | services.phpfpm.pools.roundcubemail = { | 59 | services.phpfpm.pools.roundcubemail = { |
59 | listen = roundcubemail.phpFpm.socket; | 60 | user = "wwwrun"; |
60 | extraConfig = roundcubemail.phpFpm.pool; | 61 | group = "wwwrun"; |
62 | settings = roundcubemail.phpFpm.pool; | ||
61 | phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; | 63 | phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; |
62 | }; | 64 | }; |
63 | services.phpfpm.pools.rainloop = { | 65 | services.phpfpm.pools.rainloop = { |
64 | listen = rainloop.phpFpm.socket; | 66 | user = "wwwrun"; |
65 | extraConfig = rainloop.phpFpm.pool; | 67 | group = "wwwrun"; |
68 | settings = rainloop.phpFpm.pool; | ||
66 | }; | 69 | }; |
67 | system.activationScripts = { | 70 | system.activationScripts = { |
68 | roundcubemail = roundcubemail.activationScript; | 71 | roundcubemail = roundcubemail.activationScript; |
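Review bot: both the roundcubemail and rainloop pools now run as `user = "wwwrun"; group = "wwwrun";` (new lines 60-61 and 66-67), which is the httpd user, so each webmail worker shares an identity with the web server and with the other mail application; code execution in either app would run with everything wwwrun can read, presumably including the other app's `varDir` and session directory, and `open_basedir` is only a PHP-level fence. The pool snippets in rainloop.nix and roundcubemail.nix already set `listen.owner`/`listen.group` to the Apache user, which is all httpd needs to reach the socket, so the workers themselves could run as a dedicated user per pool, e.g. `user = "rainloop"; group = "rainloop";` with a matching `users.users` entry and ownership of that app's `varDir`. If keeping wwwrun is deliberate for this upgrade, a comment recording that would help the next reader: `# pools intentionally share the httpd user; isolation relies on open_basedir in the pool snippets`. The `config` block continues outside the hunk.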
diff --git a/modules/private/websites/tools/mail/rainloop.nix b/modules/private/websites/tools/mail/rainloop.nix index 2dad46e..9b1f0c5 100644 --- a/modules/private/websites/tools/mail/rainloop.nix +++ b/modules/private/websites/tools/mail/rainloop.nix | |||
@@ -16,7 +16,7 @@ rec { | |||
16 | modules = [ "proxy_fcgi" ]; | 16 | modules = [ "proxy_fcgi" ]; |
17 | webappName = "tools_rainloop"; | 17 | webappName = "tools_rainloop"; |
18 | root = "/run/current-system/webapps/${webappName}"; | 18 | root = "/run/current-system/webapps/${webappName}"; |
19 | vhostConf = '' | 19 | vhostConf = socket: '' |
20 | Alias /rainloop "${root}" | 20 | Alias /rainloop "${root}" |
21 | <Directory "${root}"> | 21 | <Directory "${root}"> |
22 | DirectoryIndex index.php | 22 | DirectoryIndex index.php |
@@ -25,7 +25,7 @@ rec { | |||
25 | Require all granted | 25 | Require all granted |
26 | 26 | ||
27 | <FilesMatch "\.php$"> | 27 | <FilesMatch "\.php$"> |
28 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 28 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
29 | </FilesMatch> | 29 | </FilesMatch> |
30 | </Directory> | 30 | </Directory> |
31 | 31 | ||
@@ -37,22 +37,19 @@ rec { | |||
37 | phpFpm = rec { | 37 | phpFpm = rec { |
38 | serviceDeps = [ "postgresql.service" ]; | 38 | serviceDeps = [ "postgresql.service" ]; |
39 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 39 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
40 | socket = "/var/run/phpfpm/rainloop.sock"; | 40 | pool = { |
41 | pool = '' | 41 | "listen.owner" = apache.user; |
42 | user = ${apache.user} | 42 | "listen.group" = apache.group; |
43 | group = ${apache.group} | 43 | "pm" = "ondemand"; |
44 | listen.owner = ${apache.user} | 44 | "pm.max_children" = "60"; |
45 | listen.group = ${apache.group} | 45 | "pm.process_idle_timeout" = "60"; |
46 | pm = ondemand | ||
47 | pm.max_children = 60 | ||
48 | pm.process_idle_timeout = 60 | ||
49 | 46 | ||
50 | ; Needed to avoid clashes in browser cookies (same domain) | 47 | # Needed to avoid clashes in browser cookies (same domain) |
51 | php_value[session.name] = RainloopPHPSESSID | 48 | "php_value[session.name]" = "RainloopPHPSESSID"; |
52 | php_admin_value[upload_max_filesize] = 200M | 49 | "php_admin_value[upload_max_filesize]" = "200M"; |
53 | php_admin_value[post_max_size] = 200M | 50 | "php_admin_value[post_max_size]" = "200M"; |
54 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 51 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
55 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 52 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
56 | ''; | 53 | }; |
57 | }; | 54 | }; |
58 | } | 55 | } |
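Review bot: the `pool` attribute set no longer carries `user`/`group` or a `socket` (old lines 40-43 are gone), so this record now silently depends on the consuming module to set `services.phpfpm.pools.rainloop.user`/`group` and to pass that pool's `socket` back into `apache.vhostConf`; nothing in this file says so, and the only place the contract is honoured is mail/default.nix elsewhere in the commit. That deserves a comment on the record itself, e.g. `# user/group are set by the consumer (services.phpfpm.pools.rainloop); listen.* stay apache's so httpd can connect to the socket`. The `phpFpm` record is cut at the top of the hunk.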
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 35de312..0b35d02 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix | |||
@@ -83,7 +83,7 @@ rec { | |||
83 | modules = [ "proxy_fcgi" ]; | 83 | modules = [ "proxy_fcgi" ]; |
84 | webappName = "tools_roundcubemail"; | 84 | webappName = "tools_roundcubemail"; |
85 | root = "/run/current-system/webapps/${webappName}"; | 85 | root = "/run/current-system/webapps/${webappName}"; |
86 | vhostConf = '' | 86 | vhostConf = socket: '' |
87 | Alias /roundcube "${root}" | 87 | Alias /roundcube "${root}" |
88 | <Directory "${root}"> | 88 | <Directory "${root}"> |
89 | DirectoryIndex index.php | 89 | DirectoryIndex index.php |
@@ -92,7 +92,7 @@ rec { | |||
92 | Require all granted | 92 | Require all granted |
93 | 93 | ||
94 | <FilesMatch "\.php$"> | 94 | <FilesMatch "\.php$"> |
95 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 95 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
96 | </FilesMatch> | 96 | </FilesMatch> |
97 | </Directory> | 97 | </Directory> |
98 | ''; | 98 | ''; |
@@ -107,22 +107,19 @@ rec { | |||
107 | date.timezone = 'CET' | 107 | date.timezone = 'CET' |
108 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so | 108 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so |
109 | ''; | 109 | ''; |
110 | socket = "/var/run/phpfpm/roundcubemail.sock"; | 110 | pool = { |
111 | pool = '' | 111 | "listen.owner" = apache.user; |
112 | user = ${apache.user} | 112 | "listen.group" = apache.group; |
113 | group = ${apache.group} | 113 | "pm" = "ondemand"; |
114 | listen.owner = ${apache.user} | 114 | "pm.max_children" = "60"; |
115 | listen.group = ${apache.group} | 115 | "pm.process_idle_timeout" = "60"; |
116 | pm = ondemand | ||
117 | pm.max_children = 60 | ||
118 | pm.process_idle_timeout = 60 | ||
119 | 116 | ||
120 | ; Needed to avoid clashes in browser cookies (same domain) | 117 | # Needed to avoid clashes in browser cookies (same domain) |
121 | php_value[session.name] = RoundcubemailPHPSESSID | 118 | "php_value[session.name]" = "RoundcubemailPHPSESSID"; |
122 | php_admin_value[upload_max_filesize] = 200M | 119 | "php_admin_value[upload_max_filesize]" = "200M"; |
123 | php_admin_value[post_max_size] = 200M | 120 | "php_admin_value[post_max_size]" = "200M"; |
124 | php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp" | 121 | "php_admin_value[open_basedir]" = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"; |
125 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 122 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
126 | ''; | 123 | }; |
127 | }; | 124 | }; |
128 | } | 125 | } |
diff --git a/modules/private/websites/tools/tools/adminer.nix b/modules/private/websites/tools/tools/adminer.nix index 907e37f..52a132c 100644 --- a/modules/private/websites/tools/tools/adminer.nix +++ b/modules/private/websites/tools/tools/adminer.nix | |||
@@ -1,4 +1,4 @@ | |||
1 | { adminer }: | 1 | { adminer, php73, forcePhpSocket ? null }: |
2 | rec { | 2 | rec { |
3 | activationScript = { | 3 | activationScript = { |
4 | deps = [ "httpd" ]; | 4 | deps = [ "httpd" ]; |
@@ -9,22 +9,33 @@ rec { | |||
9 | }; | 9 | }; |
10 | webRoot = adminer; | 10 | webRoot = adminer; |
11 | phpFpm = rec { | 11 | phpFpm = rec { |
12 | socket = "/var/run/phpfpm/adminer.sock"; | 12 | user = apache.user; |
13 | pool = '' | 13 | group = apache.group; |
14 | user = ${apache.user} | 14 | phpPackage = (php73.override { |
15 | group = ${apache.group} | 15 | config.php.mysqlnd = true; |
16 | listen.owner = ${apache.user} | 16 | config.php.mysqli = false; |
17 | listen.group = ${apache.group} | 17 | config.php.pdo-mysql = false; |
18 | pm = ondemand | 18 | }).overrideAttrs(old: rec { |
19 | pm.max_children = 5 | 19 | configureFlags = old.configureFlags ++ [ |
20 | pm.process_idle_timeout = 60 | 20 | "--with-mysqli=shared,mysqlnd" |
21 | ;php_admin_flag[log_errors] = on | 21 | ]; |
22 | ; Needed to avoid clashes in browser cookies (same domain) | 22 | }); |
23 | php_value[session.name] = AdminerPHPSESSID | 23 | phpOptions = '' |
24 | php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer" | 24 | extension=${phpPackage}/lib/php/extensions/mysqli.so |
25 | php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer" | 25 | ''; |
26 | php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer" | 26 | settings = { |
27 | ''; | 27 | "listen.owner" = apache.user; |
28 | "listen.group" = apache.group; | ||
29 | "pm" = "ondemand"; | ||
30 | "pm.max_children" = "5"; | ||
31 | "pm.process_idle_timeout" = "60"; | ||
32 | #"php_admin_flag[log_errors]" = "on"; | ||
33 | # Needed to avoid clashes in browser cookies (same domain) | ||
34 | "php_value[session.name]" = "AdminerPHPSESSID"; | ||
35 | "php_admin_value[open_basedir]" = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"; | ||
36 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/adminer"; | ||
37 | "php_admin_value[upload_tmp_dir]" = "/var/lib/php/tmp/adminer"; | ||
38 | }; | ||
28 | }; | 39 | }; |
29 | apache = rec { | 40 | apache = rec { |
30 | user = "wwwrun"; | 41 | user = "wwwrun"; |
@@ -32,12 +43,12 @@ rec { | |||
32 | modules = [ "proxy_fcgi" ]; | 43 | modules = [ "proxy_fcgi" ]; |
33 | webappName = "_adminer"; | 44 | webappName = "_adminer"; |
34 | root = "/run/current-system/webapps/${webappName}"; | 45 | root = "/run/current-system/webapps/${webappName}"; |
35 | vhostConf = '' | 46 | vhostConf = socket: '' |
36 | Alias /adminer ${root} | 47 | Alias /adminer ${root} |
37 | <Directory ${root}> | 48 | <Directory ${root}> |
38 | DirectoryIndex index.php | 49 | DirectoryIndex index.php |
39 | <FilesMatch "\.php$"> | 50 | <FilesMatch "\.php$"> |
40 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 51 | SetHandler "proxy:unix:${if forcePhpSocket != null then forcePhpSocket else socket}|fcgi://localhost" |
41 | </FilesMatch> | 52 | </FilesMatch> |
42 | 53 | ||
43 | Use LDAPConnect | 54 | Use LDAPConnect |
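Review bot: the `phpPackage` override (new lines 14-22) disables `mysqli` and `pdo-mysql` in the PHP build and then re-adds mysqli as a shared extension on mysqlnd through `configureFlags`, which `phpOptions` loads back in; there is no comment explaining why this round-trip is needed (presumably to avoid linking an external MySQL client library, but that is a guess), and the next person to bump `php73` will not know whether it still applies. I would put the reason above the override, adjusted to the real motive: `# mysqli is built as a shared mysqlnd extension and loaded via phpOptions so adminer does not pull in the full MySQL client libs; re-check when php73 changes`. Separately, `forcePhpSocket` wins over the `socket` argument in `vhostConf` (new line 51) with nothing recording who passes it; `# forcePhpSocket: for consumers that cannot supply the pool socket at call time` on the parameter line would cover that. The `apache` record continues outside the hunk.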
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 5dc0981..5e0d446 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix | |||
@@ -40,6 +40,7 @@ let | |||
40 | }; | 40 | }; |
41 | 41 | ||
42 | cfg = config.myServices.websites.tools.tools; | 42 | cfg = config.myServices.websites.tools.tools; |
43 | pcfg = config.services.phpfpm.pools; | ||
43 | in { | 44 | in { |
44 | options.myServices.websites.tools.tools = { | 45 | options.myServices.websites.tools.tools = { |
45 | enable = lib.mkEnableOption "enable tools website"; | 46 | enable = lib.mkEnableOption "enable tools website"; |
@@ -92,7 +93,7 @@ in { | |||
92 | AllowOverride all | 93 | AllowOverride all |
93 | Require all granted | 94 | Require all granted |
94 | <FilesMatch "\.php$"> | 95 | <FilesMatch "\.php$"> |
95 | SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost" | 96 | SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost" |
96 | </FilesMatch> | 97 | </FilesMatch> |
97 | </Directory> | 98 | </Directory> |
98 | '' | 99 | '' |
@@ -115,21 +116,21 @@ in { | |||
115 | AllowOverride all | 116 | AllowOverride all |
116 | Require all granted | 117 | Require all granted |
117 | <FilesMatch "\.php$"> | 118 | <FilesMatch "\.php$"> |
118 | SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost" | 119 | SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost" |
119 | </FilesMatch> | 120 | </FilesMatch> |
120 | </Directory> | 121 | </Directory> |
121 | '' | 122 | '' |
122 | adminer.apache.vhostConf | 123 | (adminer.apache.vhostConf pcfg.adminer.socket) |
123 | ympd.apache.vhostConf | 124 | ympd.apache.vhostConf |
124 | ttrss.apache.vhostConf | 125 | (ttrss.apache.vhostConf pcfg.ttrss.socket) |
125 | wallabag.apache.vhostConf | 126 | (wallabag.apache.vhostConf pcfg.wallabag.socket) |
126 | yourls.apache.vhostConf | 127 | (yourls.apache.vhostConf pcfg.yourls.socket) |
127 | rompr.apache.vhostConf | 128 | (rompr.apache.vhostConf pcfg.rompr.socket) |
128 | shaarli.apache.vhostConf | 129 | (shaarli.apache.vhostConf pcfg.shaarli.socket) |
129 | dokuwiki.apache.vhostConf | 130 | (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket) |
130 | ldap.apache.vhostConf | 131 | (ldap.apache.vhostConf pcfg.ldap.socket) |
131 | kanboard.apache.vhostConf | 132 | (kanboard.apache.vhostConf pcfg.kanboard.socket) |
132 | grocy.apache.vhostConf | 133 | (grocy.apache.vhostConf pcfg.grocy.socket) |
133 | ]; | 134 | ]; |
134 | }; | 135 | }; |
135 | 136 | ||
@@ -226,38 +227,36 @@ in { | |||
226 | 227 | ||
227 | services.phpfpm.pools = { | 228 | services.phpfpm.pools = { |
228 | tools = { | 229 | tools = { |
229 | listen = "/var/run/phpfpm/tools.sock"; | 230 | user = "wwwrun"; |
230 | extraConfig = '' | 231 | group = "wwwrun"; |
231 | user = wwwrun | 232 | settings = { |
232 | group = wwwrun | 233 | "listen.owner" = "wwwrun"; |
233 | listen.owner = wwwrun | 234 | "listen.group" = "wwwrun"; |
234 | listen.group = wwwrun | 235 | "pm" = "dynamic"; |
235 | pm = dynamic | 236 | "pm.max_children" = "60"; |
236 | pm.max_children = 60 | 237 | "pm.start_servers" = "2"; |
237 | pm.start_servers = 2 | 238 | "pm.min_spare_servers" = "1"; |
238 | pm.min_spare_servers = 1 | 239 | "pm.max_spare_servers" = "10"; |
239 | pm.max_spare_servers = 10 | ||
240 | 240 | ||
241 | ; Needed to avoid clashes in browser cookies (same domain) | 241 | # Needed to avoid clashes in browser cookies (same domain) |
242 | php_value[session.name] = ToolsPHPSESSID | 242 | "php_value[session.name]" = "ToolsPHPSESSID"; |
243 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp" | 243 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"; |
244 | ''; | 244 | }; |
245 | }; | 245 | }; |
246 | devtools = { | 246 | devtools = { |
247 | listen = "/var/run/phpfpm/devtools.sock"; | 247 | user = "wwwrun"; |
248 | extraConfig = '' | 248 | group = "wwwrun"; |
249 | user = wwwrun | 249 | settings = { |
250 | group = wwwrun | 250 | "listen.owner" = "wwwrun"; |
251 | listen.owner = wwwrun | 251 | "listen.group" = "wwwrun"; |
252 | listen.group = wwwrun | 252 | "pm" = "dynamic"; |
253 | pm = dynamic | 253 | "pm.max_children" = "60"; |
254 | pm.max_children = 60 | 254 | "pm.start_servers" = "2"; |
255 | pm.start_servers = 2 | 255 | "pm.min_spare_servers" = "1"; |
256 | pm.min_spare_servers = 1 | 256 | "pm.max_spare_servers" = "10"; |
257 | pm.max_spare_servers = 10 | ||
258 | 257 | ||
259 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp" | 258 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"; |
260 | ''; | 259 | }; |
261 | phpOptions = config.services.phpfpm.phpOptions + '' | 260 | phpOptions = config.services.phpfpm.phpOptions + '' |
262 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 261 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
263 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | 262 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so |
@@ -265,45 +264,51 @@ in { | |||
265 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | 264 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so |
266 | ''; | 265 | ''; |
267 | }; | 266 | }; |
268 | adminer = { | 267 | adminer = adminer.phpFpm; |
269 | listen = adminer.phpFpm.socket; | ||
270 | extraConfig = adminer.phpFpm.pool; | ||
271 | }; | ||
272 | ttrss = { | 268 | ttrss = { |
273 | listen = ttrss.phpFpm.socket; | 269 | user = "wwwrun"; |
274 | extraConfig = ttrss.phpFpm.pool; | 270 | group = "wwwrun"; |
271 | settings = ttrss.phpFpm.pool; | ||
275 | }; | 272 | }; |
276 | wallabag = { | 273 | wallabag = { |
277 | listen = wallabag.phpFpm.socket; | 274 | user = "wwwrun"; |
278 | extraConfig = wallabag.phpFpm.pool; | 275 | group = "wwwrun"; |
276 | settings = wallabag.phpFpm.pool; | ||
279 | }; | 277 | }; |
280 | yourls = { | 278 | yourls = { |
281 | listen = yourls.phpFpm.socket; | 279 | user = "wwwrun"; |
282 | extraConfig = yourls.phpFpm.pool; | 280 | group = "wwwrun"; |
281 | settings = yourls.phpFpm.pool; | ||
283 | }; | 282 | }; |
284 | rompr = { | 283 | rompr = { |
285 | listen = rompr.phpFpm.socket; | 284 | user = "wwwrun"; |
286 | extraConfig = rompr.phpFpm.pool; | 285 | group = "wwwrun"; |
286 | settings = rompr.phpFpm.pool; | ||
287 | }; | 287 | }; |
288 | shaarli = { | 288 | shaarli = { |
289 | listen = shaarli.phpFpm.socket; | 289 | user = "wwwrun"; |
290 | extraConfig = shaarli.phpFpm.pool; | 290 | group = "wwwrun"; |
291 | settings = shaarli.phpFpm.pool; | ||
291 | }; | 292 | }; |
292 | dokuwiki = { | 293 | dokuwiki = { |
293 | listen = dokuwiki.phpFpm.socket; | 294 | user = "wwwrun"; |
294 | extraConfig = dokuwiki.phpFpm.pool; | 295 | group = "wwwrun"; |
296 | settings = dokuwiki.phpFpm.pool; | ||
295 | }; | 297 | }; |
296 | ldap = { | 298 | ldap = { |
297 | listen = ldap.phpFpm.socket; | 299 | user = "wwwrun"; |
298 | extraConfig = ldap.phpFpm.pool; | 300 | group = "wwwrun"; |
301 | settings = ldap.phpFpm.pool; | ||
299 | }; | 302 | }; |
300 | kanboard = { | 303 | kanboard = { |
301 | listen = kanboard.phpFpm.socket; | 304 | user = "wwwrun"; |
302 | extraConfig = kanboard.phpFpm.pool; | 305 | group = "wwwrun"; |
306 | settings = kanboard.phpFpm.pool; | ||
303 | }; | 307 | }; |
304 | grocy = { | 308 | grocy = { |
305 | listen = grocy.phpFpm.socket; | 309 | user = "wwwrun"; |
306 | extraConfig = grocy.phpFpm.pool; | 310 | group = "wwwrun"; |
311 | settings = grocy.phpFpm.pool; | ||
307 | }; | 312 | }; |
308 | }; | 313 | }; |
309 | 314 | ||
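Review bot: Every pool in `services.phpfpm.pools` (new lines 229–310) runs as the hard-coded `wwwrun` account, which also appears to be the httpd user (`apache.user = "wwwrun"` in the adminer module), while the per-app `pool` attrsets derive `listen.owner`/`listen.group` from `apache.user` — so the pool identity and the socket ownership are spelled in two different places and every PHP application shares one OS identity. With that layout `open_basedir` is the only boundary between the applications, and it is enforced by the PHP runtime rather than the kernel, so a compromise of one app can read the others' files, including the `/var/secrets/webapps/*` directories that each basedir grants. Consider giving each pool its own system user and keeping only `listen.owner`/`listen.group` at the httpd user, e.g. `user = "ttrss"; group = "ttrss";` with a matching `users.users` entry; at minimum reference `ttrss.apache.user` instead of repeating the literal so the two cannot drift apart. `adminer = adminer.phpFpm;` on new line 267 passes that module's pool through whole, so its user/group should be checked the same way in adminer.nix, which lies outside this chunk.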
diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix index d66e85d..26c04b7 100644 --- a/modules/private/websites/tools/tools/dokuwiki.nix +++ b/modules/private/websites/tools/tools/dokuwiki.nix | |||
@@ -26,12 +26,12 @@ rec { | |||
26 | modules = [ "proxy_fcgi" ]; | 26 | modules = [ "proxy_fcgi" ]; |
27 | webappName = "tools_dokuwiki"; | 27 | webappName = "tools_dokuwiki"; |
28 | root = "/run/current-system/webapps/${webappName}"; | 28 | root = "/run/current-system/webapps/${webappName}"; |
29 | vhostConf = '' | 29 | vhostConf = socket: '' |
30 | Alias /dokuwiki "${root}" | 30 | Alias /dokuwiki "${root}" |
31 | <Directory "${root}"> | 31 | <Directory "${root}"> |
32 | DirectoryIndex index.php | 32 | DirectoryIndex index.php |
33 | <FilesMatch "\.php$"> | 33 | <FilesMatch "\.php$"> |
34 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 34 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
35 | </FilesMatch> | 35 | </FilesMatch> |
36 | 36 | ||
37 | AllowOverride All | 37 | AllowOverride All |
@@ -44,20 +44,17 @@ rec { | |||
44 | serviceDeps = [ "openldap.service" ]; | 44 | serviceDeps = [ "openldap.service" ]; |
45 | basedir = builtins.concatStringsSep ":" ( | 45 | basedir = builtins.concatStringsSep ":" ( |
46 | [ webRoot varDir ] ++ webRoot.plugins); | 46 | [ webRoot varDir ] ++ webRoot.plugins); |
47 | socket = "/var/run/phpfpm/dokuwiki.sock"; | 47 | pool = { |
48 | pool = '' | 48 | "listen.owner" = apache.user; |
49 | user = ${apache.user} | 49 | "listen.group" = apache.group; |
50 | group = ${apache.group} | 50 | "pm" = "ondemand"; |
51 | listen.owner = ${apache.user} | 51 | "pm.max_children" = "60"; |
52 | listen.group = ${apache.group} | 52 | "pm.process_idle_timeout" = "60"; |
53 | pm = ondemand | ||
54 | pm.max_children = 60 | ||
55 | pm.process_idle_timeout = 60 | ||
56 | 53 | ||
57 | ; Needed to avoid clashes in browser cookies (same domain) | 54 | # Needed to avoid clashes in browser cookies (same domain) |
58 | php_value[session.name] = DokuwikiPHPSESSID | 55 | "php_value[session.name]" = "DokuwikiPHPSESSID"; |
59 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 56 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
60 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 57 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
61 | ''; | 58 | }; |
62 | }; | 59 | }; |
63 | } | 60 | } |
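Review bot: The new `pool` attrset (new lines 47–58) dropped the `user`/`group` entries that the old pool string carried (old lines 49–50) yet still sets `listen.owner`/`listen.group` from `apache.user`, and nothing in the file says that the consumer is now responsible for the pool's user and group; likewise `vhostConf` has silently become a function of `socket` (new line 29). Both contracts deserve a comment, e.g. `# Apache vhost snippet; socket is the php-fpm listen socket assigned by services.phpfpm` above `vhostConf` and `# services.phpfpm.pools.<name>.settings only — the caller sets the pool's user/group` above `pool`. The same applies to the identical hunks in grocy.nix, kanboard.nix, ldap.nix, rompr.nix, shaarli.nix, ttrss.nix, wallabag.nix and yourls.nix.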
diff --git a/modules/private/websites/tools/tools/grocy.nix b/modules/private/websites/tools/tools/grocy.nix index 1b8da20..a98d8ac 100644 --- a/modules/private/websites/tools/tools/grocy.nix +++ b/modules/private/websites/tools/tools/grocy.nix | |||
@@ -18,12 +18,12 @@ rec { | |||
18 | modules = [ "proxy_fcgi" ]; | 18 | modules = [ "proxy_fcgi" ]; |
19 | webappName = "tools_grocy"; | 19 | webappName = "tools_grocy"; |
20 | root = "/run/current-system/webapps/${webappName}"; | 20 | root = "/run/current-system/webapps/${webappName}"; |
21 | vhostConf = '' | 21 | vhostConf = socket: '' |
22 | Alias /grocy "${root}" | 22 | Alias /grocy "${root}" |
23 | <Directory "${root}"> | 23 | <Directory "${root}"> |
24 | DirectoryIndex index.php | 24 | DirectoryIndex index.php |
25 | <FilesMatch "\.php$"> | 25 | <FilesMatch "\.php$"> |
26 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 26 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
27 | </FilesMatch> | 27 | </FilesMatch> |
28 | 28 | ||
29 | AllowOverride All | 29 | AllowOverride All |
@@ -35,21 +35,18 @@ rec { | |||
35 | phpFpm = rec { | 35 | phpFpm = rec { |
36 | basedir = builtins.concatStringsSep ":" ( | 36 | basedir = builtins.concatStringsSep ":" ( |
37 | [ grocy grocy.yarnModules varDir ]); | 37 | [ grocy grocy.yarnModules varDir ]); |
38 | socket = "/var/run/phpfpm/grocy.sock"; | 38 | pool = { |
39 | pool = '' | 39 | "listen.owner" = apache.user; |
40 | user = ${apache.user} | 40 | "listen.group" = apache.group; |
41 | group = ${apache.group} | 41 | "pm" = "ondemand"; |
42 | listen.owner = ${apache.user} | 42 | "pm.max_children" = "60"; |
43 | listen.group = ${apache.group} | 43 | "pm.process_idle_timeout" = "60"; |
44 | pm = ondemand | ||
45 | pm.max_children = 60 | ||
46 | pm.process_idle_timeout = 60 | ||
47 | 44 | ||
48 | ; Needed to avoid clashes in browser cookies (same domain) | 45 | # Needed to avoid clashes in browser cookies (same domain) |
49 | php_value[session.name] = grocyPHPSESSID | 46 | "php_value[session.name]" = "grocyPHPSESSID"; |
50 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 47 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
51 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 48 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
52 | ''; | 49 | }; |
53 | }; | 50 | }; |
54 | } | 51 | } |
55 | 52 | ||
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 1880cbd..0f6fefc 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix | |||
@@ -49,7 +49,7 @@ rec { | |||
49 | modules = [ "proxy_fcgi" ]; | 49 | modules = [ "proxy_fcgi" ]; |
50 | webappName = "tools_kanboard"; | 50 | webappName = "tools_kanboard"; |
51 | root = "/run/current-system/webapps/${webappName}"; | 51 | root = "/run/current-system/webapps/${webappName}"; |
52 | vhostConf = '' | 52 | vhostConf = socket: '' |
53 | Alias /kanboard "${root}" | 53 | Alias /kanboard "${root}" |
54 | <Directory "${root}"> | 54 | <Directory "${root}"> |
55 | DirectoryIndex index.php | 55 | DirectoryIndex index.php |
@@ -58,7 +58,7 @@ rec { | |||
58 | Require all granted | 58 | Require all granted |
59 | 59 | ||
60 | <FilesMatch "\.php$"> | 60 | <FilesMatch "\.php$"> |
61 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 61 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
62 | </FilesMatch> | 62 | </FilesMatch> |
63 | </Directory> | 63 | </Directory> |
64 | <DirectoryMatch "${root}/data"> | 64 | <DirectoryMatch "${root}/data"> |
@@ -69,20 +69,17 @@ rec { | |||
69 | phpFpm = rec { | 69 | phpFpm = rec { |
70 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 70 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
71 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; | 71 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; |
72 | socket = "/var/run/phpfpm/kanboard.sock"; | 72 | pool = { |
73 | pool = '' | 73 | "listen.owner" = apache.user; |
74 | user = ${apache.user} | 74 | "listen.group" = apache.group; |
75 | group = ${apache.group} | 75 | "pm" = "ondemand"; |
76 | listen.owner = ${apache.user} | 76 | "pm.max_children" = "60"; |
77 | listen.group = ${apache.group} | 77 | "pm.process_idle_timeout" = "60"; |
78 | pm = ondemand | ||
79 | pm.max_children = 60 | ||
80 | pm.process_idle_timeout = 60 | ||
81 | 78 | ||
82 | ; Needed to avoid clashes in browser cookies (same domain) | 79 | # Needed to avoid clashes in browser cookies (same domain) |
83 | php_value[session.name] = KanboardPHPSESSID | 80 | "php_value[session.name]" = "KanboardPHPSESSID"; |
84 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 81 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
85 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 82 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
86 | ''; | 83 | }; |
87 | }; | 84 | }; |
88 | } | 85 | } |
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix index e58a9bd..0c1a21f 100644 --- a/modules/private/websites/tools/tools/ldap.nix +++ b/modules/private/websites/tools/tools/ldap.nix | |||
@@ -39,12 +39,12 @@ rec { | |||
39 | modules = [ "proxy_fcgi" ]; | 39 | modules = [ "proxy_fcgi" ]; |
40 | webappName = "tools_ldap"; | 40 | webappName = "tools_ldap"; |
41 | root = "/run/current-system/webapps/${webappName}"; | 41 | root = "/run/current-system/webapps/${webappName}"; |
42 | vhostConf = '' | 42 | vhostConf = socket: '' |
43 | Alias /ldap "${root}" | 43 | Alias /ldap "${root}" |
44 | <Directory "${root}"> | 44 | <Directory "${root}"> |
45 | DirectoryIndex index.php | 45 | DirectoryIndex index.php |
46 | <FilesMatch "\.php$"> | 46 | <FilesMatch "\.php$"> |
47 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 47 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
48 | </FilesMatch> | 48 | </FilesMatch> |
49 | 49 | ||
50 | AllowOverride None | 50 | AllowOverride None |
@@ -55,20 +55,17 @@ rec { | |||
55 | phpFpm = rec { | 55 | phpFpm = rec { |
56 | serviceDeps = [ "openldap.service" ]; | 56 | serviceDeps = [ "openldap.service" ]; |
57 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; | 57 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; |
58 | socket = "/var/run/phpfpm/ldap.sock"; | 58 | pool = { |
59 | pool = '' | 59 | "listen.owner" = apache.user; |
60 | user = ${apache.user} | 60 | "listen.group" = apache.group; |
61 | group = ${apache.group} | 61 | "pm" = "ondemand"; |
62 | listen.owner = ${apache.user} | 62 | "pm.max_children" = "60"; |
63 | listen.group = ${apache.group} | 63 | "pm.process_idle_timeout" = "60"; |
64 | pm = ondemand | ||
65 | pm.max_children = 60 | ||
66 | pm.process_idle_timeout = 60 | ||
67 | 64 | ||
68 | ; Needed to avoid clashes in browser cookies (same domain) | 65 | # Needed to avoid clashes in browser cookies (same domain) |
69 | php_value[session.name] = LdapPHPSESSID | 66 | "php_value[session.name]" = "LdapPHPSESSID"; |
70 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin" | 67 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; |
71 | php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin" | 68 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; |
72 | ''; | 69 | }; |
73 | }; | 70 | }; |
74 | } | 71 | } |
diff --git a/modules/private/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix index 75adabe..106164c 100644 --- a/modules/private/websites/tools/tools/rompr.nix +++ b/modules/private/websites/tools/tools/rompr.nix | |||
@@ -15,7 +15,7 @@ rec { | |||
15 | modules = [ "headers" "mime" "proxy_fcgi" ]; | 15 | modules = [ "headers" "mime" "proxy_fcgi" ]; |
16 | webappName = "tools_rompr"; | 16 | webappName = "tools_rompr"; |
17 | root = "/run/current-system/webapps/${webappName}"; | 17 | root = "/run/current-system/webapps/${webappName}"; |
18 | vhostConf = '' | 18 | vhostConf = socket: '' |
19 | Alias /rompr ${root} | 19 | Alias /rompr ${root} |
20 | 20 | ||
21 | <Directory ${root}> | 21 | <Directory ${root}> |
@@ -29,7 +29,7 @@ rec { | |||
29 | AddType image/x-icon .ico | 29 | AddType image/x-icon .ico |
30 | 30 | ||
31 | <FilesMatch "\.php$"> | 31 | <FilesMatch "\.php$"> |
32 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 32 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
33 | </FilesMatch> | 33 | </FilesMatch> |
34 | </Directory> | 34 | </Directory> |
35 | 35 | ||
@@ -51,29 +51,26 @@ rec { | |||
51 | }; | 51 | }; |
52 | phpFpm = rec { | 52 | phpFpm = rec { |
53 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 53 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
54 | socket = "/var/run/phpfpm/rompr.sock"; | 54 | pool = { |
55 | pool = '' | 55 | "listen.owner" = apache.user; |
56 | user = ${apache.user} | 56 | "listen.group" = apache.group; |
57 | group = ${apache.group} | 57 | "pm" = "ondemand"; |
58 | listen.owner = ${apache.user} | 58 | "pm.max_children" = "60"; |
59 | listen.group = ${apache.group} | 59 | "pm.process_idle_timeout" = "60"; |
60 | pm = ondemand | ||
61 | pm.max_children = 60 | ||
62 | pm.process_idle_timeout = 60 | ||
63 | 60 | ||
64 | ; Needed to avoid clashes in browser cookies (same domain) | 61 | # Needed to avoid clashes in browser cookies (same domain) |
65 | php_value[session.name] = RomprPHPSESSID | 62 | "php_value[session.name]" = "RomprPHPSESSID"; |
66 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 63 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
67 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 64 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
68 | php_flag[magic_quotes_gpc] = Off | 65 | "php_flag[magic_quotes_gpc]" = "Off"; |
69 | php_flag[track_vars] = On | 66 | "php_flag[track_vars]" = "On"; |
70 | php_flag[register_globals] = Off | 67 | "php_flag[register_globals]" = "Off"; |
71 | php_admin_flag[allow_url_fopen] = On | 68 | "php_admin_flag[allow_url_fopen]" = "On"; |
72 | php_value[include_path] = ${webRoot} | 69 | "php_value[include_path]" = "${webRoot}"; |
73 | php_admin_value[upload_tmp_dir] = "${varDir}/prefs" | 70 | "php_admin_value[upload_tmp_dir]" = "${varDir}/prefs"; |
74 | php_admin_value[post_max_size] = 32M | 71 | "php_admin_value[post_max_size]" = "32M"; |
75 | php_admin_value[upload_max_filesize] = 32M | 72 | "php_admin_value[upload_max_filesize]" = "32M"; |
76 | php_admin_value[memory_limit] = 256M | 73 | "php_admin_value[memory_limit]" = "256M"; |
77 | ''; | 74 | }; |
78 | }; | 75 | }; |
79 | } | 76 | } |
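Review bot: `php_flag[magic_quotes_gpc]`, `php_flag[track_vars]` and `php_flag[register_globals]` (new lines 65–67) are carried over into the attrset form although these directives no longer exist in PHP 5.4 and later, so they most likely have no effect and only obscure which entries still matter. `php_admin_flag[allow_url_fopen] = On` on line 68 is the one setting here with a real security consequence, since it lets PHP open remote URLs through the file functions, and it is presumably required by rompr rather than a leftover. Consider dropping the obsolete flags and annotating the live one, e.g. `# allow_url_fopen deliberately On: needed by rompr for remote fetches — verify; open_basedir above still bounds local access`.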
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix index 0a75755..950d296 100644 --- a/modules/private/websites/tools/tools/shaarli.nix +++ b/modules/private/websites/tools/tools/shaarli.nix | |||
@@ -17,7 +17,7 @@ in rec { | |||
17 | modules = [ "proxy_fcgi" "rewrite" "env" ]; | 17 | modules = [ "proxy_fcgi" "rewrite" "env" ]; |
18 | webappName = "tools_shaarli"; | 18 | webappName = "tools_shaarli"; |
19 | root = "/run/current-system/webapps/${webappName}"; | 19 | root = "/run/current-system/webapps/${webappName}"; |
20 | vhostConf = '' | 20 | vhostConf = socket: '' |
21 | Alias /Shaarli "${root}" | 21 | Alias /Shaarli "${root}" |
22 | 22 | ||
23 | Include /var/secrets/webapps/tools-shaarli | 23 | Include /var/secrets/webapps/tools-shaarli |
@@ -27,7 +27,7 @@ in rec { | |||
27 | AllowOverride All | 27 | AllowOverride All |
28 | Require all granted | 28 | Require all granted |
29 | <FilesMatch "\.php$"> | 29 | <FilesMatch "\.php$"> |
30 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 30 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
31 | </FilesMatch> | 31 | </FilesMatch> |
32 | </Directory> | 32 | </Directory> |
33 | ''; | 33 | ''; |
@@ -48,20 +48,17 @@ in rec { | |||
48 | phpFpm = rec { | 48 | phpFpm = rec { |
49 | serviceDeps = [ "openldap.service" ]; | 49 | serviceDeps = [ "openldap.service" ]; |
50 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 50 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
51 | socket = "/var/run/phpfpm/shaarli.sock"; | 51 | pool = { |
52 | pool = '' | 52 | "listen.owner" = apache.user; |
53 | user = ${apache.user} | 53 | "listen.group" = apache.group; |
54 | group = ${apache.group} | 54 | "pm" = "ondemand"; |
55 | listen.owner = ${apache.user} | 55 | "pm.max_children" = "60"; |
56 | listen.group = ${apache.group} | 56 | "pm.process_idle_timeout" = "60"; |
57 | pm = ondemand | ||
58 | pm.max_children = 60 | ||
59 | pm.process_idle_timeout = 60 | ||
60 | 57 | ||
61 | ; Needed to avoid clashes in browser cookies (same domain) | 58 | # Needed to avoid clashes in browser cookies (same domain) |
62 | php_value[session.name] = ShaarliPHPSESSID | 59 | "php_value[session.name]" = "ShaarliPHPSESSID"; |
63 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 60 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
64 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 61 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
65 | ''; | 62 | }; |
66 | }; | 63 | }; |
67 | } | 64 | } |
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix index a8b2a93..48876d3 100644 --- a/modules/private/websites/tools/tools/ttrss.nix +++ b/modules/private/websites/tools/tools/ttrss.nix | |||
@@ -95,12 +95,12 @@ rec { | |||
95 | modules = [ "proxy_fcgi" ]; | 95 | modules = [ "proxy_fcgi" ]; |
96 | webappName = "tools_ttrss"; | 96 | webappName = "tools_ttrss"; |
97 | root = "/run/current-system/webapps/${webappName}"; | 97 | root = "/run/current-system/webapps/${webappName}"; |
98 | vhostConf = '' | 98 | vhostConf = socket: '' |
99 | Alias /ttrss "${root}" | 99 | Alias /ttrss "${root}" |
100 | <Directory "${root}"> | 100 | <Directory "${root}"> |
101 | DirectoryIndex index.php | 101 | DirectoryIndex index.php |
102 | <FilesMatch "\.php$"> | 102 | <FilesMatch "\.php$"> |
103 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 103 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
104 | </FilesMatch> | 104 | </FilesMatch> |
105 | 105 | ||
106 | AllowOverride All | 106 | AllowOverride All |
@@ -114,20 +114,17 @@ rec { | |||
114 | basedir = builtins.concatStringsSep ":" ( | 114 | basedir = builtins.concatStringsSep ":" ( |
115 | [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] | 115 | [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] |
116 | ++ webRoot.plugins); | 116 | ++ webRoot.plugins); |
117 | socket = "/var/run/phpfpm/ttrss.sock"; | 117 | pool = { |
118 | pool = '' | 118 | "listen.owner" = apache.user; |
119 | user = ${apache.user} | 119 | "listen.group" = apache.group; |
120 | group = ${apache.group} | 120 | "pm" = "ondemand"; |
121 | listen.owner = ${apache.user} | 121 | "pm.max_children" = "60"; |
122 | listen.group = ${apache.group} | 122 | "pm.process_idle_timeout" = "60"; |
123 | pm = ondemand | 123 | |
124 | pm.max_children = 60 | 124 | # Needed to avoid clashes in browser cookies (same domain) |
125 | pm.process_idle_timeout = 60 | 125 | "php_value[session.name]" = "TtrssPHPSESSID"; |
126 | 126 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; | |
127 | ; Needed to avoid clashes in browser cookies (same domain) | 127 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
128 | php_value[session.name] = TtrssPHPSESSID | 128 | }; |
129 | php_admin_value[open_basedir] = "${basedir}:/tmp" | ||
130 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | ||
131 | ''; | ||
132 | }; | 129 | }; |
133 | } | 130 | } |
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix index 014d8a1..00e2dc9 100644 --- a/modules/private/websites/tools/tools/wallabag.nix +++ b/modules/private/websites/tools/tools/wallabag.nix | |||
@@ -82,7 +82,7 @@ rec { | |||
82 | modules = [ "proxy_fcgi" ]; | 82 | modules = [ "proxy_fcgi" ]; |
83 | webappName = "tools_wallabag"; | 83 | webappName = "tools_wallabag"; |
84 | root = "/run/current-system/webapps/${webappName}"; | 84 | root = "/run/current-system/webapps/${webappName}"; |
85 | vhostConf = '' | 85 | vhostConf = socket: '' |
86 | Alias /wallabag "${root}" | 86 | Alias /wallabag "${root}" |
87 | <Directory "${root}"> | 87 | <Directory "${root}"> |
88 | AllowOverride None | 88 | AllowOverride None |
@@ -91,7 +91,7 @@ rec { | |||
91 | CGIPassAuth On | 91 | CGIPassAuth On |
92 | 92 | ||
93 | <FilesMatch "\.php$"> | 93 | <FilesMatch "\.php$"> |
94 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 94 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
95 | </FilesMatch> | 95 | </FilesMatch> |
96 | 96 | ||
97 | <IfModule mod_rewrite.c> | 97 | <IfModule mod_rewrite.c> |
@@ -129,22 +129,19 @@ rec { | |||
129 | ''; | 129 | ''; |
130 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 130 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
131 | basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; | 131 | basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; |
132 | socket = "/var/run/phpfpm/wallabag.sock"; | 132 | pool = { |
133 | pool = '' | 133 | "listen.owner" = apache.user; |
134 | user = ${apache.user} | 134 | "listen.group" = apache.group; |
135 | group = ${apache.group} | 135 | "pm" = "dynamic"; |
136 | listen.owner = ${apache.user} | 136 | "pm.max_children" = "60"; |
137 | listen.group = ${apache.group} | 137 | "pm.start_servers" = "2"; |
138 | pm = dynamic | 138 | "pm.min_spare_servers" = "1"; |
139 | pm.max_children = 60 | 139 | "pm.max_spare_servers" = "10"; |
140 | pm.start_servers = 2 | ||
141 | pm.min_spare_servers = 1 | ||
142 | pm.max_spare_servers = 10 | ||
143 | 140 | ||
144 | ; Needed to avoid clashes in browser cookies (same domain) | 141 | # Needed to avoid clashes in browser cookies (same domain) |
145 | php_value[session.name] = WallabagPHPSESSID | 142 | "php_value[session.name]" = "WallabagPHPSESSID"; |
146 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp" | 143 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/tmp"; |
147 | php_value[max_execution_time] = 300 | 144 | "php_value[max_execution_time]" = "300"; |
148 | ''; | 145 | }; |
149 | }; | 146 | }; |
150 | } | 147 | } |
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix index 466ceae..cb03b6c 100644 --- a/modules/private/websites/tools/tools/yourls.nix +++ b/modules/private/websites/tools/tools/yourls.nix | |||
@@ -48,11 +48,11 @@ rec { | |||
48 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
49 | webappName = "tools_yourls"; | 49 | webappName = "tools_yourls"; |
50 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
51 | vhostConf = '' | 51 | vhostConf = socket: '' |
52 | Alias /url "${root}" | 52 | Alias /url "${root}" |
53 | <Directory "${root}"> | 53 | <Directory "${root}"> |
54 | <FilesMatch "\.php$"> | 54 | <FilesMatch "\.php$"> |
55 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 55 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
56 | </FilesMatch> | 56 | </FilesMatch> |
57 | 57 | ||
58 | AllowOverride None | 58 | AllowOverride None |
@@ -73,20 +73,17 @@ rec { | |||
73 | basedir = builtins.concatStringsSep ":" ( | 73 | basedir = builtins.concatStringsSep ":" ( |
74 | [ webRoot "/var/secrets/webapps/tools-yourls" ] | 74 | [ webRoot "/var/secrets/webapps/tools-yourls" ] |
75 | ++ webRoot.plugins); | 75 | ++ webRoot.plugins); |
76 | socket = "/var/run/phpfpm/yourls.sock"; | 76 | pool = { |
77 | pool = '' | 77 | "listen.owner" = apache.user; |
78 | user = ${apache.user} | 78 | "listen.group" = apache.group; |
79 | group = ${apache.group} | 79 | "pm" = "ondemand"; |
80 | listen.owner = ${apache.user} | 80 | "pm.max_children" = "60"; |
81 | listen.group = ${apache.group} | 81 | "pm.process_idle_timeout" = "60"; |
82 | pm = ondemand | ||
83 | pm.max_children = 60 | ||
84 | pm.process_idle_timeout = 60 | ||
85 | 82 | ||
86 | ; Needed to avoid clashes in browser cookies (same domain) | 83 | # Needed to avoid clashes in browser cookies (same domain) |
87 | php_value[session.name] = YourlsPHPSESSID | 84 | "php_value[session.name]" = "YourlsPHPSESSID"; |
88 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls" | 85 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/yourls"; |
89 | php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls" | 86 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/yourls"; |
90 | ''; | 87 | }; |
91 | }; | 88 | }; |
92 | } | 89 | } |
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index eed9e3f..68531cf 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix | |||
@@ -27,7 +27,7 @@ in | |||
27 | ''; | 27 | ''; |
28 | }; | 28 | }; |
29 | socketsPrefix = lib.mkOption { | 29 | socketsPrefix = lib.mkOption { |
30 | type = lib.types.string; | 30 | type = lib.types.str; |
31 | default = "live"; | 31 | default = "live"; |
32 | description = '' | 32 | description = '' |
33 | The prefix to use for Mastodon sockets. | 33 | The prefix to use for Mastodon sockets. |
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index e822645..fe5f068 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix | |||
@@ -23,7 +23,7 @@ in { | |||
23 | ''; | 23 | ''; |
24 | }; | 24 | }; |
25 | name = lib.mkOption { | 25 | name = lib.mkOption { |
26 | type = lib.types.string; | 26 | type = lib.types.str; |
27 | description = '' | 27 | description = '' |
28 | Domain name. Corresponds to the Apache file name and the | 28 | Domain name. Corresponds to the Apache file name and the |
29 | folder name in which the state will be saved. | 29 | folder name in which the state will be saved. |
diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 767a7b2..3f46e65 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix | |||
@@ -38,7 +38,7 @@ in | |||
38 | description = "Name of the httpd instance to assign this type to"; | 38 | description = "Name of the httpd instance to assign this type to"; |
39 | }; | 39 | }; |
40 | ips = mkOption { | 40 | ips = mkOption { |
41 | type = listOf string; | 41 | type = listOf str; |
42 | default = []; | 42 | default = []; |
43 | description = "ips to listen to"; | 43 | description = "ips to listen to"; |
44 | }; | 44 | }; |
@@ -59,7 +59,7 @@ in | |||
59 | options = { | 59 | options = { |
60 | enable = mkEnableOption "Add default no-ssl vhost for this instance"; | 60 | enable = mkEnableOption "Add default no-ssl vhost for this instance"; |
61 | host = mkOption { | 61 | host = mkOption { |
62 | type = string; | 62 | type = str; |
63 | description = "The hostname to use for this vhost"; | 63 | description = "The hostname to use for this vhost"; |
64 | }; | 64 | }; |
65 | root = mkOption { | 65 | root = mkOption { |
@@ -68,7 +68,7 @@ in | |||
68 | description = "The root folder to serve"; | 68 | description = "The root folder to serve"; |
69 | }; | 69 | }; |
70 | indexFile = mkOption { | 70 | indexFile = mkOption { |
71 | type = string; | 71 | type = str; |
72 | default = "index.html"; | 72 | default = "index.html"; |
73 | description = "The index file to show."; | 73 | description = "The index file to show."; |
74 | }; | 74 | }; |
@@ -79,8 +79,8 @@ in | |||
79 | description = "The fallback vhost that will be defined as first vhost in Apache"; | 79 | description = "The fallback vhost that will be defined as first vhost in Apache"; |
80 | type = submodule { | 80 | type = submodule { |
81 | options = { | 81 | options = { |
82 | certName = mkOption { type = string; }; | 82 | certName = mkOption { type = str; }; |
83 | hosts = mkOption { type = listOf string; }; | 83 | hosts = mkOption { type = listOf str; }; |
84 | root = mkOption { type = nullOr path; }; | 84 | root = mkOption { type = nullOr path; }; |
85 | extraConfig = mkOption { type = listOf lines; default = []; }; | 85 | extraConfig = mkOption { type = listOf lines; default = []; }; |
86 | }; | 86 | }; |
@@ -91,7 +91,7 @@ in | |||
91 | description = "List of no ssl vhosts to define for Apache"; | 91 | description = "List of no ssl vhosts to define for Apache"; |
92 | type = attrsOf (submodule { | 92 | type = attrsOf (submodule { |
93 | options = { | 93 | options = { |
94 | hosts = mkOption { type = listOf string; }; | 94 | hosts = mkOption { type = listOf str; }; |
95 | root = mkOption { type = nullOr path; }; | 95 | root = mkOption { type = nullOr path; }; |
96 | extraConfig = mkOption { type = listOf lines; default = []; }; | 96 | extraConfig = mkOption { type = listOf lines; default = []; }; |
97 | }; | 97 | }; |
@@ -102,25 +102,25 @@ in | |||
102 | description = "List of vhosts to define for Apache"; | 102 | description = "List of vhosts to define for Apache"; |
103 | type = attrsOf (submodule { | 103 | type = attrsOf (submodule { |
104 | options = { | 104 | options = { |
105 | certName = mkOption { type = string; }; | 105 | certName = mkOption { type = str; }; |
106 | addToCerts = mkOption { | 106 | addToCerts = mkOption { |
107 | type = bool; | 107 | type = bool; |
108 | default = false; | 108 | default = false; |
109 | description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; | 109 | description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; |
110 | }; | 110 | }; |
111 | certMainHost = mkOption { | 111 | certMainHost = mkOption { |
112 | type = nullOr string; | 112 | type = nullOr str; |
113 | description = "Use that host as 'main host' for acme certs"; | 113 | description = "Use that host as 'main host' for acme certs"; |
114 | default = null; | 114 | default = null; |
115 | }; | 115 | }; |
116 | hosts = mkOption { type = listOf string; }; | 116 | hosts = mkOption { type = listOf str; }; |
117 | root = mkOption { type = nullOr path; }; | 117 | root = mkOption { type = nullOr path; }; |
118 | extraConfig = mkOption { type = listOf lines; default = []; }; | 118 | extraConfig = mkOption { type = listOf lines; default = []; }; |
119 | }; | 119 | }; |
120 | }); | 120 | }); |
121 | }; | 121 | }; |
122 | watchPaths = mkOption { | 122 | watchPaths = mkOption { |
123 | type = listOf string; | 123 | type = listOf str; |
124 | default = []; | 124 | default = []; |
125 | description = '' | 125 | description = '' |
126 | Paths to watch that should trigger a reload of httpd | 126 | Paths to watch that should trigger a reload of httpd |
@@ -178,9 +178,9 @@ in | |||
178 | }; | 178 | }; |
179 | toVhost = ips: vhostConf: { | 179 | toVhost = ips: vhostConf: { |
180 | enableSSL = true; | 180 | enableSSL = true; |
181 | sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem"; | 181 | sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem"; |
182 | sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem"; | 182 | sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem"; |
183 | sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem"; | 183 | sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem"; |
184 | logFormat = "combinedVhost"; | 184 | logFormat = "combinedVhost"; |
185 | listen = map (ip: { inherit ip; port = 443; }) ips; | 185 | listen = map (ip: { inherit ip; port = 443; }) ips; |
186 | hostName = builtins.head vhostConf.hosts; | 186 | hostName = builtins.head vhostConf.hosts; |
@@ -231,7 +231,7 @@ in | |||
231 | } | 231 | } |
232 | ) cfg.env; | 232 | ) cfg.env; |
233 | 233 | ||
234 | config.security.acme2.certs = let | 234 | config.security.acme.certs = let |
235 | typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; | 235 | typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; |
236 | flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: | 236 | flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: |
237 | attrValues v.vhostConfs | 237 | attrValues v.vhostConfs |
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix index d049202..f0208ab 100644 --- a/modules/websites/httpd-service-builder.nix +++ b/modules/websites/httpd-service-builder.nix | |||
@@ -11,8 +11,6 @@ let | |||
11 | 11 | ||
12 | httpd = mainCfg.package.out; | 12 | httpd = mainCfg.package.out; |
13 | 13 | ||
14 | version24 = !versionOlder httpd.version "2.4"; | ||
15 | |||
16 | httpdConf = mainCfg.configFile; | 14 | httpdConf = mainCfg.configFile; |
17 | 15 | ||
18 | php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; | 16 | php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; |
@@ -26,10 +24,9 @@ let | |||
26 | else [{ip = "*"; port = 80;}]; | 24 | else [{ip = "*"; port = 80;}]; |
27 | 25 | ||
28 | getListen = cfg: | 26 | getListen = cfg: |
29 | let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen; | 27 | if cfg.listen == [] |
30 | in if list == [] | 28 | then defaultListen cfg |
31 | then defaultListen cfg | 29 | else cfg.listen; |
32 | else list; | ||
33 | 30 | ||
34 | listenToString = l: "${l.ip}:${toString l.port}"; | 31 | listenToString = l: "${l.ip}:${toString l.port}"; |
35 | 32 | ||
@@ -110,11 +107,10 @@ let | |||
110 | "auth_basic" "auth_digest" | 107 | "auth_basic" "auth_digest" |
111 | 108 | ||
112 | # Authentication: is the user who he claims to be? | 109 | # Authentication: is the user who he claims to be? |
113 | "authn_file" "authn_dbm" "authn_anon" | 110 | "authn_file" "authn_dbm" "authn_anon" "authn_core" |
114 | (if version24 then "authn_core" else "authn_alias") | ||
115 | 111 | ||
116 | # Authorization: is the user allowed access? | 112 | # Authorization: is the user allowed access? |
117 | "authz_user" "authz_groupfile" "authz_host" | 113 | "authz_user" "authz_groupfile" "authz_host" "authz_core" |
118 | 114 | ||
119 | # Other modules. | 115 | # Other modules. |
120 | "ext_filter" "include" "log_config" "env" "mime_magic" | 116 | "ext_filter" "include" "log_config" "env" "mime_magic" |
@@ -122,14 +118,9 @@ let | |||
122 | "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" | 118 | "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" |
123 | "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" | 119 | "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" |
124 | "userdir" "alias" "rewrite" "proxy" "proxy_http" | 120 | "userdir" "alias" "rewrite" "proxy" "proxy_http" |
125 | ] | 121 | "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb" |
126 | ++ optionals version24 [ | ||
127 | "mpm_${mainCfg.multiProcessingModule}" | 122 | "mpm_${mainCfg.multiProcessingModule}" |
128 | "authz_core" | 123 | |
129 | "unixd" | ||
130 | "cache" "cache_disk" | ||
131 | "slotmem_shm" | ||
132 | "socache_shmcb" | ||
133 | # For compatibility with old configurations, the new module mod_access_compat is provided. | 124 | # For compatibility with old configurations, the new module mod_access_compat is provided. |
134 | "access_compat" | 125 | "access_compat" |
135 | ] | 126 | ] |
@@ -138,19 +129,8 @@ let | |||
138 | ++ extraApacheModules; | 129 | ++ extraApacheModules; |
139 | 130 | ||
140 | 131 | ||
141 | allDenied = if version24 then '' | 132 | allDenied = "Require all denied"; |
142 | Require all denied | 133 | allGranted = "Require all granted"; |
143 | '' else '' | ||
144 | Order deny,allow | ||
145 | Deny from all | ||
146 | ''; | ||
147 | |||
148 | allGranted = if version24 then '' | ||
149 | Require all granted | ||
150 | '' else '' | ||
151 | Order allow,deny | ||
152 | Allow from all | ||
153 | ''; | ||
154 | 134 | ||
155 | 135 | ||
156 | loggingConf = (if mainCfg.logFormat != "none" then '' | 136 | loggingConf = (if mainCfg.logFormat != "none" then '' |
@@ -183,9 +163,9 @@ let | |||
183 | 163 | ||
184 | 164 | ||
185 | sslConf = '' | 165 | sslConf = '' |
186 | SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000) | 166 | SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000) |
187 | 167 | ||
188 | ${if version24 then "Mutex" else "SSLMutex"} posixsem | 168 | Mutex posixsem |
189 | 169 | ||
190 | SSLRandomSeed startup builtin | 170 | SSLRandomSeed startup builtin |
191 | SSLRandomSeed connect builtin | 171 | SSLRandomSeed connect builtin |
@@ -325,9 +305,7 @@ let | |||
325 | 305 | ||
326 | ServerRoot ${httpd} | 306 | ServerRoot ${httpd} |
327 | 307 | ||
328 | ${optionalString version24 '' | 308 | DefaultRuntimeDir ${mainCfg.stateDir}/runtime |
329 | DefaultRuntimeDir ${mainCfg.stateDir}/runtime | ||
330 | ''} | ||
331 | 309 | ||
332 | PidFile ${mainCfg.stateDir}/httpd.pid | 310 | PidFile ${mainCfg.stateDir}/httpd.pid |
333 | 311 | ||
@@ -361,7 +339,7 @@ let | |||
361 | ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } | 339 | ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } |
362 | ++ concatMap (svc: svc.extraModules) allSubservices | 340 | ++ concatMap (svc: svc.extraModules) allSubservices |
363 | ++ extraForeignModules; | 341 | ++ extraForeignModules; |
364 | in concatMapStrings load allModules | 342 | in concatMapStrings load (unique allModules) |
365 | } | 343 | } |
366 | 344 | ||
367 | AddHandler type-map var | 345 | AddHandler type-map var |
@@ -393,14 +371,6 @@ let | |||
393 | # Generate directives for the main server. | 371 | # Generate directives for the main server. |
394 | ${perServerConf true mainCfg} | 372 | ${perServerConf true mainCfg} |
395 | 373 | ||
396 | # Always enable virtual hosts; it doesn't seem to hurt. | ||
397 | ${let | ||
398 | listen = concatMap getListen allHosts; | ||
399 | uniqueListen = uniqList {inputList = listen;}; | ||
400 | directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen; | ||
401 | in optionalString (!version24) directives | ||
402 | } | ||
403 | |||
404 | ${let | 374 | ${let |
405 | makeVirtualHost = vhost: '' | 375 | makeVirtualHost = vhost: '' |
406 | <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> | 376 | <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> |
@@ -663,7 +633,7 @@ in | |||
663 | message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } | 633 | message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } |
664 | ]; | 634 | ]; |
665 | 635 | ||
666 | warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts); | 636 | warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts); |
667 | 637 | ||
668 | users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton | 638 | users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton |
669 | { name = "wwwrun"; | 639 | { name = "wwwrun"; |
@@ -686,7 +656,7 @@ in | |||
686 | 656 | ||
687 | ; Don't advertise PHP | 657 | ; Don't advertise PHP |
688 | expose_php = off | 658 | expose_php = off |
689 | '' + optionalString (!isNull config.time.timeZone) '' | 659 | '' + optionalString (config.time.timeZone != null) '' |
690 | 660 | ||
691 | ; Apparently PHP doesn't use $TZ. | 661 | ; Apparently PHP doesn't use $TZ. |
692 | date.timezone = "${config.time.timeZone}" | 662 | date.timezone = "${config.time.timeZone}" |
@@ -713,10 +683,10 @@ in | |||
713 | '' | 683 | '' |
714 | mkdir -m 0750 -p ${mainCfg.stateDir} | 684 | mkdir -m 0750 -p ${mainCfg.stateDir} |
715 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} | 685 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} |
716 | ${optionalString version24 '' | 686 | |
717 | mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" | 687 | mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" |
718 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" | 688 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" |
719 | ''} | 689 | |
720 | mkdir -m 0700 -p ${mainCfg.logDir} | 690 | mkdir -m 0700 -p ${mainCfg.logDir} |
721 | 691 | ||
722 | # Get rid of old semaphores. These tend to accumulate across | 692 | # Get rid of old semaphores. These tend to accumulate across |
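Review bot: `getListen` (hunk `@@ -26,10 +24,9 @@`) no longer folds `cfg.port` into the listen list, and the `warnings` entry at old line 666 / new line 636 drops the deprecation notice for it, so a host that still sets `port` is now silently served on `defaultListen cfg` instead of the port it asked for. If the `port` option still exists (its definition is outside these hunks), keep a guard such as `warnings = ... ++ map (cfg: "apache-httpd's port option is ignored; use listen = [{ port = ...; }]") (lib.filter (cfg: cfg.port != 0) allHosts);` or an assertion, so a mis-bound vhost does not go unnoticed. Removing `version24` also makes the module assume httpd 2.4 directives throughout (`Require all denied`, `Mutex`, `authz_core`, `DefaultRuntimeDir`); an `assert !versionOlder httpd.version "2.4";` near the removed binding would make that contract explicit rather than failing at httpd start. The enclosing `let` block and `config` attrset start and end outside the hunks.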
diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix index 8ad7a0d..20e2a5d 100644 --- a/modules/websites/php-application.nix +++ b/modules/websites/php-application.nix | |||
@@ -44,10 +44,15 @@ in | |||
44 | description = "Name of the socket to listen to. Defaults to app name if null"; | 44 | description = "Name of the socket to listen to. Defaults to app name if null"; |
45 | }; | 45 | }; |
46 | phpPool = mkOption { | 46 | phpPool = mkOption { |
47 | type = lines; | 47 | type = attrsOf str; |
48 | default = ""; | 48 | default = {}; |
49 | description = "Pool configuration to append"; | 49 | description = "Pool configuration to append"; |
50 | }; | 50 | }; |
51 | phpEnv = mkOption { | ||
52 | type = attrsOf str; | ||
53 | default = {}; | ||
54 | description = "Pool environment to append"; | ||
55 | }; | ||
51 | phpOptions = mkOption { | 56 | phpOptions = mkOption { |
52 | type = lines; | 57 | type = lines; |
53 | default = ""; | 58 | default = ""; |
@@ -135,7 +140,7 @@ in | |||
135 | services.phpApplication.phpListenPaths = mkOption { | 140 | services.phpApplication.phpListenPaths = mkOption { |
136 | type = attrsOf path; | 141 | type = attrsOf path; |
137 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 142 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
138 | name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock" | 143 | name config.services.phpfpm.pools."${name}".socket |
139 | ) cfg.apps; | 144 | ) cfg.apps; |
140 | readOnly = true; | 145 | readOnly = true; |
141 | description = '' | 146 | description = '' |
@@ -162,17 +167,17 @@ in | |||
162 | 167 | ||
163 | services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 168 | services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
164 | name { | 169 | name { |
165 | listen = cfg.phpListenPaths."${name}"; | 170 | user = icfg.httpdUser; |
166 | extraConfig = '' | 171 | group = icfg.httpdUser; |
167 | user = ${icfg.httpdUser} | 172 | settings = { |
168 | group = ${icfg.httpdGroup} | 173 | "listen.owner" = icfg.httpdUser; |
169 | listen.owner = ${icfg.httpdUser} | 174 | "listen.group" = icfg.httpdGroup; |
170 | listen.group = ${icfg.httpdGroup} | 175 | "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir); |
171 | ${optionalString (icfg.phpSession) '' | 176 | } |
172 | php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''} | 177 | // optionalAttrs (icfg.phpSession) { "php_admin_value[session.save_path]" = "${icfg.varDir}/phpSessions"; } |
173 | php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir)}" | 178 | // icfg.phpPool; |
174 | '' + icfg.phpPool; | ||
175 | phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions; | 179 | phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions; |
180 | inherit (icfg) phpEnv; | ||
176 | } | 181 | } |
177 | ) cfg.apps; | 182 | ) cfg.apps; |
178 | 183 | ||