diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-03-25 11:57:48 +0100 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2020-04-03 16:25:07 +0200 |
| commit | 5400b9b6f65451d41a9106fae6fc00f97d83f4ef (patch) | |
| tree | 6ed072da7b1f17ac3994ffea052aa0c0822f8446 /modules | |
| parent | 441da8aac378f401625e82caf281fa0e26128310 (diff) | |
| download | Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.tar.gz Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.tar.zst Nix-5400b9b6f65451d41a9106fae6fc00f97d83f4ef.zip | |
Upgrade nixos
Diffstat (limited to 'modules')
74 files changed, 763 insertions, 1170 deletions
diff --git a/modules/acme2.nix b/modules/acme2.nix deleted file mode 100644 index b22e4cc..0000000 --- a/modules/acme2.nix +++ /dev/null | |||
| @@ -1,353 +0,0 @@ | |||
| 1 | { config, lib, pkgs, ... }: | ||
| 2 | |||
| 3 | with lib; | ||
| 4 | |||
| 5 | let | ||
| 6 | |||
| 7 | cfg = config.security.acme2; | ||
| 8 | |||
| 9 | certOpts = { name, ... }: { | ||
| 10 | options = { | ||
| 11 | webroot = mkOption { | ||
| 12 | type = types.str; | ||
| 13 | example = "/var/lib/acme/acme-challenges"; | ||
| 14 | description = '' | ||
| 15 | Where the webroot of the HTTP vhost is located. | ||
| 16 | <filename>.well-known/acme-challenge/</filename> directory | ||
| 17 | will be created below the webroot if it doesn't exist. | ||
| 18 | <literal>http://example.org/.well-known/acme-challenge/</literal> must also | ||
| 19 | be available (notice unencrypted HTTP). | ||
| 20 | ''; | ||
| 21 | }; | ||
| 22 | |||
| 23 | server = mkOption { | ||
| 24 | type = types.nullOr types.str; | ||
| 25 | default = null; | ||
| 26 | description = '' | ||
| 27 | ACME Directory Resource URI. Defaults to let's encrypt | ||
| 28 | production endpoint, | ||
| 29 | https://acme-v02.api.letsencrypt.org/directory, if unset. | ||
| 30 | ''; | ||
| 31 | }; | ||
| 32 | |||
| 33 | domain = mkOption { | ||
| 34 | type = types.str; | ||
| 35 | default = name; | ||
| 36 | description = "Domain to fetch certificate for (defaults to the entry name)"; | ||
| 37 | }; | ||
| 38 | |||
| 39 | email = mkOption { | ||
| 40 | type = types.nullOr types.str; | ||
| 41 | default = null; | ||
| 42 | description = "Contact email address for the CA to be able to reach you."; | ||
| 43 | }; | ||
| 44 | |||
| 45 | user = mkOption { | ||
| 46 | type = types.str; | ||
| 47 | default = "root"; | ||
| 48 | description = "User running the ACME client."; | ||
| 49 | }; | ||
| 50 | |||
| 51 | group = mkOption { | ||
| 52 | type = types.str; | ||
| 53 | default = "root"; | ||
| 54 | description = "Group running the ACME client."; | ||
| 55 | }; | ||
| 56 | |||
| 57 | allowKeysForGroup = mkOption { | ||
| 58 | type = types.bool; | ||
| 59 | default = false; | ||
| 60 | description = '' | ||
| 61 | Give read permissions to the specified group | ||
| 62 | (<option>security.acme2.cert.<name>.group</option>) to read SSL private certificates. | ||
| 63 | ''; | ||
| 64 | }; | ||
| 65 | |||
| 66 | postRun = mkOption { | ||
| 67 | type = types.lines; | ||
| 68 | default = ""; | ||
| 69 | example = "systemctl reload nginx.service"; | ||
| 70 | description = '' | ||
| 71 | Commands to run after new certificates go live. Typically | ||
| 72 | the web server and other servers using certificates need to | ||
| 73 | be reloaded. | ||
| 74 | |||
| 75 | Executed in the same directory with the new certificate. | ||
| 76 | ''; | ||
| 77 | }; | ||
| 78 | |||
| 79 | plugins = mkOption { | ||
| 80 | type = types.listOf (types.enum [ | ||
| 81 | "cert.der" "cert.pem" "chain.pem" "external.sh" | ||
| 82 | "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json" | ||
| 83 | ]); | ||
| 84 | default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ]; | ||
| 85 | description = '' | ||
| 86 | Plugins to enable. With default settings simp_le will | ||
| 87 | store public certificate bundle in <filename>fullchain.pem</filename>, | ||
| 88 | private key in <filename>key.pem</filename> and those two previous | ||
| 89 | files combined in <filename>full.pem</filename> in its state directory. | ||
| 90 | ''; | ||
| 91 | }; | ||
| 92 | |||
| 93 | directory = mkOption { | ||
| 94 | type = types.str; | ||
| 95 | readOnly = true; | ||
| 96 | default = "/var/lib/acme/${name}"; | ||
| 97 | description = "Directory where certificate and other state is stored."; | ||
| 98 | }; | ||
| 99 | |||
| 100 | extraDomains = mkOption { | ||
| 101 | type = types.attrsOf (types.nullOr types.str); | ||
| 102 | default = {}; | ||
| 103 | example = literalExample '' | ||
| 104 | { | ||
| 105 | "example.org" = "/srv/http/nginx"; | ||
| 106 | "mydomain.org" = null; | ||
| 107 | } | ||
| 108 | ''; | ||
| 109 | description = '' | ||
| 110 | A list of extra domain names, which are included in the one certificate to be issued, with their | ||
| 111 | own server roots if needed. | ||
| 112 | ''; | ||
| 113 | }; | ||
| 114 | }; | ||
| 115 | }; | ||
| 116 | |||
| 117 | in | ||
| 118 | |||
| 119 | { | ||
| 120 | |||
| 121 | ###### interface | ||
| 122 | imports = [ | ||
| 123 | (mkRemovedOptionModule [ "security" "acme2" "production" ] '' | ||
| 124 | Use security.acme2.server to define your staging ACME server URL instead. | ||
| 125 | |||
| 126 | To use the let's encrypt staging server, use security.acme2.server = | ||
| 127 | "https://acme-staging-v02.api.letsencrypt.org/directory". | ||
| 128 | '' | ||
| 129 | ) | ||
| 130 | (mkRemovedOptionModule [ "security" "acme2" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") | ||
| 131 | (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") | ||
| 132 | (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") | ||
| 133 | ]; | ||
| 134 | options = { | ||
| 135 | security.acme2 = { | ||
| 136 | |||
| 137 | validMin = mkOption { | ||
| 138 | type = types.int; | ||
| 139 | default = 30 * 24 * 3600; | ||
| 140 | description = "Minimum remaining validity before renewal in seconds."; | ||
| 141 | }; | ||
| 142 | |||
| 143 | renewInterval = mkOption { | ||
| 144 | type = types.str; | ||
| 145 | default = "weekly"; | ||
| 146 | description = '' | ||
| 147 | Systemd calendar expression when to check for renewal. See | ||
| 148 | <citerefentry><refentrytitle>systemd.time</refentrytitle> | ||
| 149 | <manvolnum>7</manvolnum></citerefentry>. | ||
| 150 | ''; | ||
| 151 | }; | ||
| 152 | |||
| 153 | server = mkOption { | ||
| 154 | type = types.nullOr types.str; | ||
| 155 | default = null; | ||
| 156 | description = '' | ||
| 157 | ACME Directory Resource URI. Defaults to let's encrypt | ||
| 158 | production endpoint, | ||
| 159 | <literal>https://acme-v02.api.letsencrypt.org/directory</literal>, if unset. | ||
| 160 | ''; | ||
| 161 | }; | ||
| 162 | |||
| 163 | preliminarySelfsigned = mkOption { | ||
| 164 | type = types.bool; | ||
| 165 | default = true; | ||
| 166 | description = '' | ||
| 167 | Whether a preliminary self-signed certificate should be generated before | ||
| 168 | doing ACME requests. This can be useful when certificates are required in | ||
| 169 | a webserver, but ACME needs the webserver to make its requests. | ||
| 170 | |||
| 171 | With preliminary self-signed certificate the webserver can be started and | ||
| 172 | can later reload the correct ACME certificates. | ||
| 173 | ''; | ||
| 174 | }; | ||
| 175 | |||
| 176 | certs = mkOption { | ||
| 177 | default = { }; | ||
| 178 | type = with types; attrsOf (submodule certOpts); | ||
| 179 | description = '' | ||
| 180 | Attribute set of certificates to get signed and renewed. Creates | ||
| 181 | <literal>acme-''${cert}.{service,timer}</literal> systemd units for | ||
| 182 | each certificate defined here. Other services can add dependencies | ||
| 183 | to those units if they rely on the certificates being present, | ||
| 184 | or trigger restarts of the service if certificates get renewed. | ||
| 185 | ''; | ||
| 186 | example = literalExample '' | ||
| 187 | { | ||
| 188 | "example.com" = { | ||
| 189 | webroot = "/var/www/challenges/"; | ||
| 190 | email = "foo@example.com"; | ||
| 191 | extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; | ||
| 192 | }; | ||
| 193 | "bar.example.com" = { | ||
| 194 | webroot = "/var/www/challenges/"; | ||
| 195 | email = "bar@example.com"; | ||
| 196 | }; | ||
| 197 | } | ||
| 198 | ''; | ||
| 199 | }; | ||
| 200 | }; | ||
| 201 | }; | ||
| 202 | |||
| 203 | ###### implementation | ||
| 204 | config = mkMerge [ | ||
| 205 | (mkIf (cfg.certs != { }) { | ||
| 206 | |||
| 207 | systemd.services = let | ||
| 208 | services = concatLists servicesLists; | ||
| 209 | servicesLists = mapAttrsToList certToServices cfg.certs; | ||
| 210 | certToServices = cert: data: | ||
| 211 | let | ||
| 212 | lpath = "acme/${cert}"; | ||
| 213 | rights = if data.allowKeysForGroup then "750" else "700"; | ||
| 214 | cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] | ||
| 215 | ++ optionals (data.email != null) [ "--email" data.email ] | ||
| 216 | ++ concatMap (p: [ "-f" p ]) data.plugins | ||
| 217 | ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) | ||
| 218 | ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; | ||
| 219 | acmeService = { | ||
| 220 | description = "Renew ACME Certificate for ${cert}"; | ||
| 221 | after = [ "network.target" "network-online.target" ]; | ||
| 222 | wants = [ "network-online.target" ]; | ||
| 223 | # simp_le uses requests, which uses certifi under the hood, | ||
| 224 | # which doesn't respect the system trust store. | ||
| 225 | # At least in the acme test, we provision a fake CA, impersonating the LE endpoint. | ||
| 226 | # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else | ||
| 227 | environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; | ||
| 228 | serviceConfig = { | ||
| 229 | Type = "oneshot"; | ||
| 230 | # With RemainAfterExit the service is considered active even | ||
| 231 | # after the main process having exited, which means when it | ||
| 232 | # gets changed, the activation phase restarts it, meaning | ||
| 233 | # the permissions of the StateDirectory get adjusted | ||
| 234 | # according to the specified group | ||
| 235 | # Edit: Timers will never run because of this | ||
| 236 | # RemainAfterExit = true; | ||
| 237 | SuccessExitStatus = [ "0" "1" ]; | ||
| 238 | User = data.user; | ||
| 239 | Group = data.group; | ||
| 240 | PrivateTmp = true; | ||
| 241 | StateDirectory = lpath; | ||
| 242 | StateDirectoryMode = rights; | ||
| 243 | ExecStartPre = | ||
| 244 | let | ||
| 245 | script = pkgs.writeScript "acme-pre-start" '' | ||
| 246 | #!${pkgs.runtimeShell} -e | ||
| 247 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | ||
| 248 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | ||
| 249 | #doesn't work for multiple concurrent runs | ||
| 250 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | ||
| 251 | ''; | ||
| 252 | in | ||
| 253 | "+${script}"; | ||
| 254 | WorkingDirectory = "/var/lib/${lpath}"; | ||
| 255 | ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}"; | ||
| 256 | ExecStartPost = | ||
| 257 | let | ||
| 258 | script = pkgs.writeScript "acme-post-start" '' | ||
| 259 | #!${pkgs.runtimeShell} -e | ||
| 260 | ${data.postRun} | ||
| 261 | ''; | ||
| 262 | in | ||
| 263 | "+${script}"; | ||
| 264 | }; | ||
| 265 | |||
| 266 | }; | ||
| 267 | selfsignedService = { | ||
| 268 | description = "Create preliminary self-signed certificate for ${cert}"; | ||
| 269 | path = [ pkgs.openssl ]; | ||
| 270 | script = | ||
| 271 | '' | ||
| 272 | workdir="$(mktemp -d)" | ||
| 273 | |||
| 274 | # Create CA | ||
| 275 | openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048 | ||
| 276 | openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key | ||
| 277 | openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \ | ||
| 278 | -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com" | ||
| 279 | openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt | ||
| 280 | |||
| 281 | # Create key | ||
| 282 | openssl genrsa -des3 -passout pass:xxxx -out $workdir/server.pass.key 2048 | ||
| 283 | openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key | ||
| 284 | openssl req -new -key $workdir/server.key -out $workdir/server.csr \ | ||
| 285 | -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" | ||
| 286 | openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \ | ||
| 287 | -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \ | ||
| 288 | -out $workdir/server.crt | ||
| 289 | |||
| 290 | # Copy key to destination | ||
| 291 | cp $workdir/server.key /var/lib/${lpath}/key.pem | ||
| 292 | |||
| 293 | # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) | ||
| 294 | cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem" | ||
| 295 | |||
| 296 | # Create full.pem for e.g. lighttpd | ||
| 297 | cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem" | ||
| 298 | |||
| 299 | # Give key acme permissions | ||
| 300 | chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem | ||
| 301 | chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem | ||
| 302 | ''; | ||
| 303 | serviceConfig = { | ||
| 304 | Type = "oneshot"; | ||
| 305 | PrivateTmp = true; | ||
| 306 | StateDirectory = lpath; | ||
| 307 | User = data.user; | ||
| 308 | Group = data.group; | ||
| 309 | }; | ||
| 310 | unitConfig = { | ||
| 311 | # Do not create self-signed key when key already exists | ||
| 312 | ConditionPathExists = "!/var/lib/${lpath}/key.pem"; | ||
| 313 | }; | ||
| 314 | }; | ||
| 315 | in ( | ||
| 316 | [ { name = "acme-${cert}"; value = acmeService; } ] | ||
| 317 | ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } | ||
| 318 | ); | ||
| 319 | servicesAttr = listToAttrs services; | ||
| 320 | in | ||
| 321 | servicesAttr; | ||
| 322 | |||
| 323 | # FIXME: this doesn't work for multiple users | ||
| 324 | systemd.tmpfiles.rules = | ||
| 325 | flip mapAttrsToList cfg.certs | ||
| 326 | (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); | ||
| 327 | |||
| 328 | systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair | ||
| 329 | ("acme-${cert}") | ||
| 330 | ({ | ||
| 331 | description = "Renew ACME Certificate for ${cert}"; | ||
| 332 | wantedBy = [ "timers.target" ]; | ||
| 333 | timerConfig = { | ||
| 334 | OnCalendar = cfg.renewInterval; | ||
| 335 | Unit = "acme-${cert}.service"; | ||
| 336 | Persistent = "yes"; | ||
| 337 | AccuracySec = "5m"; | ||
| 338 | RandomizedDelaySec = "1h"; | ||
| 339 | }; | ||
| 340 | }) | ||
| 341 | ); | ||
| 342 | |||
| 343 | systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {}; | ||
| 344 | systemd.targets.acme-certificates = {}; | ||
| 345 | }) | ||
| 346 | |||
| 347 | ]; | ||
| 348 | |||
| 349 | meta = { | ||
| 350 | maintainers = with lib.maintainers; [ abbradar fpletz globin ]; | ||
| 351 | #doc = ./acme.xml; | ||
| 352 | }; | ||
| 353 | } | ||
diff --git a/modules/default.nix b/modules/default.nix index 98dc77d..9ff6ea6 100644 --- a/modules/default.nix +++ b/modules/default.nix | |||
| @@ -19,5 +19,4 @@ | |||
| 19 | 19 | ||
| 20 | php-application = ./websites/php-application.nix; | 20 | php-application = ./websites/php-application.nix; |
| 21 | websites = ./websites; | 21 | websites = ./websites; |
| 22 | acme2 = ./acme2.nix; | ||
| 23 | } // (if builtins.pathExists ./private then import ./private else {}) | 22 | } // (if builtins.pathExists ./private then import ./private else {}) |
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 47e30fc..c8ee48e 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix | |||
| @@ -180,6 +180,7 @@ in | |||
| 180 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList | 180 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList |
| 181 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets | 181 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets |
| 182 | )} | 182 | )} |
| 183 | ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} | ||
| 183 | ''; | 184 | ''; |
| 184 | environment = let | 185 | environment = let |
| 185 | project_env = with lib.attrsets; | 186 | project_env = with lib.attrsets; |
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index f057200..2bf2730 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
| @@ -30,9 +30,9 @@ | |||
| 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
| 31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 31 | myServices.ircCerts = config.myServices.certificates.certConfig; |
| 32 | 32 | ||
| 33 | security.acme2.preliminarySelfsigned = true; | 33 | security.acme.preliminarySelfsigned = true; |
| 34 | 34 | ||
| 35 | security.acme2.certs = { | 35 | security.acme.certs = { |
| 36 | "${name}" = config.myServices.certificates.certConfig // { | 36 | "${name}" = config.myServices.certificates.certConfig // { |
| 37 | domain = config.hostEnv.fqdn; | 37 | domain = config.hostEnv.fqdn; |
| 38 | }; | 38 | }; |
| @@ -41,17 +41,33 @@ | |||
| 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
| 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = |
| 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' |
| 44 | cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem | 44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem |
| 45 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem | 45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem |
| 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem | 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem |
| 47 | '') + | 47 | '') + |
| 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' |
| 49 | cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem | 49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem |
| 50 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem | 50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem |
| 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem | 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem |
| 52 | '') | 52 | '') |
| 53 | ; }) | 53 | ; }) |
| 54 | ) config.security.acme2.certs // { | 54 | ) config.security.acme.certs // |
| 55 | lib.attrsets.mapAttrs' (k: data: | ||
| 56 | lib.attrsets.nameValuePair "acme-${k}" { | ||
| 57 | serviceConfig.ExecStartPre = | ||
| 58 | let | ||
| 59 | script = pkgs.writeScript "acme-pre-start" '' | ||
| 60 | #!${pkgs.runtimeShell} -e | ||
| 61 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | ||
| 62 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | ||
| 63 | #doesn't work for multiple concurrent runs | ||
| 64 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | ||
| 65 | ''; | ||
| 66 | in | ||
| 67 | "+${script}"; | ||
| 68 | } | ||
| 69 | ) config.security.acme.certs // | ||
| 70 | { | ||
| 55 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | 71 | httpdProd = lib.mkIf config.services.httpd.Prod.enable |
| 56 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | 72 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; |
| 57 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | 73 | httpdTools = lib.mkIf config.services.httpd.Tools.enable |
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index ed647ea..04e4bd6 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix | |||
| @@ -96,8 +96,8 @@ in { | |||
| 96 | dataDir = cfg.dataDir; | 96 | dataDir = cfg.dataDir; |
| 97 | extraOptions = '' | 97 | extraOptions = '' |
| 98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | 98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt |
| 99 | ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem | 99 | ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem |
| 100 | ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem | 100 | ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem |
| 101 | 101 | ||
| 102 | # for replication | 102 | # for replication |
| 103 | log-bin=mariadb-bin | 103 | log-bin=mariadb-bin |
| @@ -110,7 +110,7 @@ in { | |||
| 110 | }; | 110 | }; |
| 111 | 111 | ||
| 112 | users.users.mysql.extraGroups = [ "keys" ]; | 112 | users.users.mysql.extraGroups = [ "keys" ]; |
| 113 | security.acme2.certs."mysql" = config.myServices.databasesCerts // { | 113 | security.acme.certs."mysql" = config.myServices.databasesCerts // { |
| 114 | user = "mysql"; | 114 | user = "mysql"; |
| 115 | group = "mysql"; | 115 | group = "mysql"; |
| 116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | 116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; |
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index d7d61db..efe9379 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
| @@ -12,27 +12,14 @@ let | |||
| 12 | moduleload back_hdb | 12 | moduleload back_hdb |
| 13 | backend hdb | 13 | backend hdb |
| 14 | 14 | ||
| 15 | moduleload memberof | 15 | TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem |
| 16 | database hdb | 16 | TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem |
| 17 | suffix "${cfg.baseDn}" | 17 | TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem |
| 18 | rootdn "${cfg.rootDn}" | ||
| 19 | include ${config.secrets.location}/ldap/password | ||
| 20 | directory ${cfg.dataDir} | ||
| 21 | overlay memberof | ||
| 22 | |||
| 23 | moduleload syncprov | ||
| 24 | overlay syncprov | ||
| 25 | syncprov-checkpoint 100 10 | ||
| 26 | |||
| 27 | TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem | ||
| 28 | TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem | ||
| 29 | TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem | ||
| 30 | TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ | 18 | TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ |
| 31 | #This makes openldap crash | 19 | #This makes openldap crash |
| 32 | #TLSCipherSuite DEFAULT | 20 | #TLSCipherSuite DEFAULT |
| 33 | 21 | ||
| 34 | sasl-host kerberos.immae.eu | 22 | sasl-host kerberos.immae.eu |
| 35 | include ${config.secrets.location}/ldap/access | ||
| 36 | ''; | 23 | ''; |
| 37 | in | 24 | in |
| 38 | { | 25 | { |
| @@ -117,7 +104,7 @@ in | |||
| 117 | users.users.openldap.extraGroups = [ "keys" ]; | 104 | users.users.openldap.extraGroups = [ "keys" ]; |
| 118 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | 105 | networking.firewall.allowedTCPPorts = [ 636 389 ]; |
| 119 | 106 | ||
| 120 | security.acme2.certs."ldap" = config.myServices.databasesCerts // { | 107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { |
| 121 | user = "openldap"; | 108 | user = "openldap"; |
| 122 | group = "openldap"; | 109 | group = "openldap"; |
| 123 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | 110 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; |
| @@ -137,6 +124,20 @@ in | |||
| 137 | dataDir = cfg.dataDir; | 124 | dataDir = cfg.dataDir; |
| 138 | urlList = [ "ldap://" "ldaps://" ]; | 125 | urlList = [ "ldap://" "ldaps://" ]; |
| 139 | extraConfig = ldapConfig; | 126 | extraConfig = ldapConfig; |
| 127 | extraDatabaseConfig = '' | ||
| 128 | moduleload memberof | ||
| 129 | overlay memberof | ||
| 130 | |||
| 131 | moduleload syncprov | ||
| 132 | overlay syncprov | ||
| 133 | syncprov-checkpoint 100 10 | ||
| 134 | |||
| 135 | include ${config.secrets.location}/ldap/access | ||
| 136 | ''; | ||
| 137 | rootpwFile = "${config.secrets.location}/ldap/password"; | ||
| 138 | suffix = cfg.baseDn; | ||
| 139 | rootdn = cfg.rootDn; | ||
| 140 | database = "hdb"; | ||
| 140 | }; | 141 | }; |
| 141 | }; | 142 | }; |
| 142 | } | 143 | } |
diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix index fc686dd..cf45ebe 100644 --- a/modules/private/databases/openldap/eldiron_schemas.nix +++ b/modules/private/databases/openldap/eldiron_schemas.nix | |||
| @@ -9,10 +9,10 @@ let | |||
| 9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; | 9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; |
| 10 | }; | 10 | }; |
| 11 | schemas = [ | 11 | schemas = [ |
| 12 | "${openldap}/etc/schema/core.schema" | 12 | #"${openldap}/etc/schema/core.schema" |
| 13 | "${openldap}/etc/schema/cosine.schema" | 13 | #"${openldap}/etc/schema/cosine.schema" |
| 14 | "${openldap}/etc/schema/inetorgperson.schema" | 14 | #"${openldap}/etc/schema/inetorgperson.schema" |
| 15 | "${openldap}/etc/schema/nis.schema" | 15 | #"${openldap}/etc/schema/nis.schema" |
| 16 | puppetSchema | 16 | puppetSchema |
| 17 | kerberosSchema | 17 | kerberosSchema |
| 18 | ./immae.schema | 18 | ./immae.schema |
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index 2980c97..df4101b 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix | |||
| @@ -3,6 +3,10 @@ let | |||
| 3 | cfg = config.myServices.databasesReplication.openldap; | 3 | cfg = config.myServices.databasesReplication.openldap; |
| 4 | eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; | 4 | eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; |
| 5 | ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' | 5 | ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' |
| 6 | include ${pkgs.openldap}/etc/schema/core.schema | ||
| 7 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
| 8 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
| 9 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
| 6 | ${eldiron_schemas} | 10 | ${eldiron_schemas} |
| 7 | pidfile /run/slapd_${name}/slapd.pid | 11 | pidfile /run/slapd_${name}/slapd.pid |
| 8 | argsfile /run/slapd_${name}/slapd.args | 12 | argsfile /run/slapd_${name}/slapd.args |
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index 27ea59c..d0b1a75 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix | |||
| @@ -91,23 +91,13 @@ in { | |||
| 91 | ''; | 91 | ''; |
| 92 | readOnly = true; | 92 | readOnly = true; |
| 93 | }; | 93 | }; |
| 94 | systemdRuntimeDirectory = lib.mkOption { | ||
| 95 | type = lib.types.str; | ||
| 96 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 97 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 98 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 99 | description = '' | ||
| 100 | Adjusted Postgresql sockets directory for systemd | ||
| 101 | ''; | ||
| 102 | readOnly = true; | ||
| 103 | }; | ||
| 104 | }; | 94 | }; |
| 105 | }; | 95 | }; |
| 106 | 96 | ||
| 107 | config = lib.mkIf cfg.enable { | 97 | config = lib.mkIf cfg.enable { |
| 108 | networking.firewall.allowedTCPPorts = [ 5432 ]; | 98 | networking.firewall.allowedTCPPorts = [ 5432 ]; |
| 109 | 99 | ||
| 110 | security.acme2.certs."postgresql" = config.myServices.databasesCerts // { | 100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { |
| 111 | user = "postgres"; | 101 | user = "postgres"; |
| 112 | group = "postgres"; | 102 | group = "postgres"; |
| 113 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | 103 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; |
| @@ -119,7 +109,6 @@ in { | |||
| 119 | 109 | ||
| 120 | systemd.services.postgresql.serviceConfig = { | 110 | systemd.services.postgresql.serviceConfig = { |
| 121 | SupplementaryGroups = "keys"; | 111 | SupplementaryGroups = "keys"; |
| 122 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 123 | }; | 112 | }; |
| 124 | systemd.services.postgresql.postStart = lib.mkAfter '' | 113 | systemd.services.postgresql.postStart = lib.mkAfter '' |
| 125 | # This line is already defined in 19.09 | 114 | # This line is already defined in 19.09 |
| @@ -165,8 +154,8 @@ in { | |||
| 165 | # makes it order of magnitudes quicker | 154 | # makes it order of magnitudes quicker |
| 166 | synchronous_commit = off | 155 | synchronous_commit = off |
| 167 | ssl = on | 156 | ssl = on |
| 168 | ssl_cert_file = '${config.security.acme2.certs.postgresql.directory}/fullchain.pem' | 157 | ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem' |
| 169 | ssl_key_file = '${config.security.acme2.certs.postgresql.directory}/key.pem' | 158 | ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem' |
| 170 | ''; | 159 | ''; |
| 171 | authentication = let | 160 | authentication = let |
| 172 | hosts = builtins.concatStringsSep "\n" ( | 161 | hosts = builtins.concatStringsSep "\n" ( |
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 4b26283..4602510 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix | |||
| @@ -17,16 +17,6 @@ in { | |||
| 17 | ''; | 17 | ''; |
| 18 | }; | 18 | }; |
| 19 | # Output variables | 19 | # Output variables |
| 20 | systemdRuntimeDirectory = lib.mkOption { | ||
| 21 | type = lib.types.str; | ||
| 22 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
| 23 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
| 24 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
| 25 | description = '' | ||
| 26 | Adjusted redis sockets directory for systemd | ||
| 27 | ''; | ||
| 28 | readOnly = true; | ||
| 29 | }; | ||
| 30 | sockets = lib.mkOption { | 20 | sockets = lib.mkOption { |
| 31 | type = lib.types.attrsOf lib.types.path; | 21 | type = lib.types.attrsOf lib.types.path; |
| 32 | default = { | 22 | default = { |
| @@ -51,7 +41,6 @@ in { | |||
| 51 | maxclients 1024 | 41 | maxclients 1024 |
| 52 | ''; | 42 | ''; |
| 53 | }; | 43 | }; |
| 54 | systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
| 55 | 44 | ||
| 56 | services.spiped = { | 45 | services.spiped = { |
| 57 | enable = true; | 46 | enable = true; |
diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix index 3537c24..382b42d 100644 --- a/modules/private/ejabberd/default.nix +++ b/modules/private/ejabberd/default.nix | |||
| @@ -14,7 +14,7 @@ in | |||
| 14 | }; | 14 | }; |
| 15 | 15 | ||
| 16 | config = lib.mkIf cfg.enable { | 16 | config = lib.mkIf cfg.enable { |
| 17 | security.acme2.certs = { | 17 | security.acme.certs = { |
| 18 | "ejabberd" = config.myServices.certificates.certConfig // { | 18 | "ejabberd" = config.myServices.certificates.certConfig // { |
| 19 | user = "ejabberd"; | 19 | user = "ejabberd"; |
| 20 | group = "ejabberd"; | 20 | group = "ejabberd"; |
| @@ -58,7 +58,7 @@ in | |||
| 58 | text = '' | 58 | text = '' |
| 59 | host_config: | 59 | host_config: |
| 60 | "immae.fr": | 60 | "immae.fr": |
| 61 | domain_certfile: "${config.security.acme2.certs.ejabberd.directory}/full.pem" | 61 | domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem" |
| 62 | auth_method: [ldap] | 62 | auth_method: [ldap] |
| 63 | ldap_servers: ["${config.myEnv.jabber.ldap.host}"] | 63 | ldap_servers: ["${config.myEnv.jabber.ldap.host}"] |
| 64 | ldap_encrypt: tls | 64 | ldap_encrypt: tls |
| @@ -66,8 +66,8 @@ in | |||
| 66 | ldap_password: "${config.myEnv.jabber.ldap.password}" | 66 | ldap_password: "${config.myEnv.jabber.ldap.password}" |
| 67 | ldap_base: "${config.myEnv.jabber.ldap.base}" | 67 | ldap_base: "${config.myEnv.jabber.ldap.base}" |
| 68 | ldap_uids: | 68 | ldap_uids: |
| 69 | - "uid": "%u" | 69 | uid: "%u" |
| 70 | - "immaeXmppUid": "%u" | 70 | immaeXmppUid: "%u" |
| 71 | ldap_filter: "${config.myEnv.jabber.ldap.filter}" | 71 | ldap_filter: "${config.myEnv.jabber.ldap.filter}" |
| 72 | ''; | 72 | ''; |
| 73 | } | 73 | } |
| @@ -81,7 +81,7 @@ in | |||
| 81 | ERLANG_NODE=ejabberd@localhost | 81 | ERLANG_NODE=ejabberd@localhost |
| 82 | ''; | 82 | ''; |
| 83 | configFile = pkgs.runCommand "ejabberd.yml" { | 83 | configFile = pkgs.runCommand "ejabberd.yml" { |
| 84 | certificatePrivateKeyAndFullChain = "${config.security.acme2.certs.ejabberd.directory}/full.pem"; | 84 | certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem"; |
| 85 | certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; | 85 | certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
| 86 | sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; | 86 | sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; |
| 87 | host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; | 87 | host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; |
diff --git a/modules/private/ejabberd/ejabberd.yml b/modules/private/ejabberd/ejabberd.yml index 0f678b6..82ac35b 100644 --- a/modules/private/ejabberd/ejabberd.yml +++ b/modules/private/ejabberd/ejabberd.yml | |||
| @@ -69,7 +69,6 @@ s2s_use_starttls: optional | |||
| 69 | s2s_cafile: "@certificateCA@" | 69 | s2s_cafile: "@certificateCA@" |
| 70 | 70 | ||
| 71 | default_db: sql | 71 | default_db: sql |
| 72 | sql_type: pgsql | ||
| 73 | include_config_file: @sql_config_file@ | 72 | include_config_file: @sql_config_file@ |
| 74 | include_config_file: @host_config_file@ | 73 | include_config_file: @host_config_file@ |
| 75 | new_sql_schema: true | 74 | new_sql_schema: true |
| @@ -193,7 +192,6 @@ modules: | |||
| 193 | access_createnode: pubsub_createnode | 192 | access_createnode: pubsub_createnode |
| 194 | plugins: | 193 | plugins: |
| 195 | - "flat" | 194 | - "flat" |
| 196 | - "hometree" | ||
| 197 | - "pep" | 195 | - "pep" |
| 198 | force_node_config: | 196 | force_node_config: |
| 199 | ## Change from "whitelist" to "open" to enable OMEMO support | 197 | ## Change from "whitelist" to "open" to enable OMEMO support |
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index b7589eb..77e9c8d 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
| @@ -133,8 +133,8 @@ let | |||
| 133 | ''; | 133 | ''; |
| 134 | type = submodule { | 134 | type = submodule { |
| 135 | options = { | 135 | options = { |
| 136 | password = mkOption { type = string; description = "Password for the LDAP connection"; }; | 136 | password = mkOption { type = str; description = "Password for the LDAP connection"; }; |
| 137 | dn = mkOption { type = string; description = "DN for the LDAP connection"; }; | 137 | dn = mkOption { type = str; description = "DN for the LDAP connection"; }; |
| 138 | }; | 138 | }; |
| 139 | }; | 139 | }; |
| 140 | }; | 140 | }; |
| @@ -156,13 +156,13 @@ let | |||
| 156 | type = attrsOf (submodule { | 156 | type = attrsOf (submodule { |
| 157 | options = { | 157 | options = { |
| 158 | ip4 = mkOption { | 158 | ip4 = mkOption { |
| 159 | type = string; | 159 | type = str; |
| 160 | description = '' | 160 | description = '' |
| 161 | ip4 address of the host | 161 | ip4 address of the host |
| 162 | ''; | 162 | ''; |
| 163 | }; | 163 | }; |
| 164 | ip6 = mkOption { | 164 | ip6 = mkOption { |
| 165 | type = listOf string; | 165 | type = listOf str; |
| 166 | default = []; | 166 | default = []; |
| 167 | description = '' | 167 | description = '' |
| 168 | ip6 addresses of the host | 168 | ip6 addresses of the host |
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 585fe63..417af87 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix | |||
| @@ -17,7 +17,7 @@ in | |||
| 17 | services.duplyBackup.profiles.ftp = { | 17 | services.duplyBackup.profiles.ftp = { |
| 18 | rootDir = "/var/lib/ftp"; | 18 | rootDir = "/var/lib/ftp"; |
| 19 | }; | 19 | }; |
| 20 | security.acme2.certs."ftp" = config.myServices.certificates.certConfig // { | 20 | security.acme.certs."ftp" = config.myServices.certificates.certConfig // { |
| 21 | domain = "eldiron.immae.eu"; | 21 | domain = "eldiron.immae.eu"; |
| 22 | postRun = '' | 22 | postRun = '' |
| 23 | systemctl restart pure-ftpd.service | 23 | systemctl restart pure-ftpd.service |
| @@ -113,7 +113,7 @@ in | |||
| 113 | MaxDiskUsage 99 | 113 | MaxDiskUsage 99 |
| 114 | CustomerProof yes | 114 | CustomerProof yes |
| 115 | TLS 1 | 115 | TLS 1 |
| 116 | CertFile ${config.security.acme2.certs.ftp.directory}/full.pem | 116 | CertFile ${config.security.acme.certs.ftp.directory}/full.pem |
| 117 | ''; | 117 | ''; |
| 118 | in { | 118 | in { |
| 119 | description = "Pure-FTPd server"; | 119 | description = "Pure-FTPd server"; |
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index 9dfa04d..9f5c179 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix | |||
| @@ -5,7 +5,7 @@ in { | |||
| 5 | options.myServices.gitolite = { | 5 | options.myServices.gitolite = { |
| 6 | enable = lib.mkEnableOption "my gitolite service"; | 6 | enable = lib.mkEnableOption "my gitolite service"; |
| 7 | gitoliteDir = lib.mkOption { | 7 | gitoliteDir = lib.mkOption { |
| 8 | type = lib.types.string; | 8 | type = lib.types.str; |
| 9 | default = "/var/lib/gitolite"; | 9 | default = "/var/lib/gitolite"; |
| 10 | }; | 10 | }; |
| 11 | }; | 11 | }; |
diff --git a/modules/private/irc.nix b/modules/private/irc.nix index 1054b96..9871508 100644 --- a/modules/private/irc.nix +++ b/modules/private/irc.nix | |||
| @@ -20,7 +20,7 @@ in | |||
| 20 | services.duplyBackup.profiles.irc = { | 20 | services.duplyBackup.profiles.irc = { |
| 21 | rootDir = "/var/lib/bitlbee"; | 21 | rootDir = "/var/lib/bitlbee"; |
| 22 | }; | 22 | }; |
| 23 | security.acme2.certs."irc" = config.myServices.ircCerts // { | 23 | security.acme.certs."irc" = config.myServices.ircCerts // { |
| 24 | domain = "irc.immae.eu"; | 24 | domain = "irc.immae.eu"; |
| 25 | postRun = '' | 25 | postRun = '' |
| 26 | systemctl restart stunnel.service | 26 | systemctl restart stunnel.service |
| @@ -49,7 +49,7 @@ in | |||
| 49 | bitlbee = { | 49 | bitlbee = { |
| 50 | accept = 6697; | 50 | accept = 6697; |
| 51 | connect = 6667; | 51 | connect = 6667; |
| 52 | cert = "${config.security.acme2.certs.irc.directory}/full.pem"; | 52 | cert = "${config.security.acme.certs.irc.directory}/full.pem"; |
| 53 | }; | 53 | }; |
| 54 | }; | 54 | }; |
| 55 | }; | 55 | }; |
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 1c64e15..b50e346 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix | |||
| @@ -13,7 +13,7 @@ | |||
| 13 | options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; | 13 | options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; |
| 14 | 14 | ||
| 15 | config = lib.mkIf config.myServices.mail.enable { | 15 | config = lib.mkIf config.myServices.mail.enable { |
| 16 | security.acme2.certs."mail" = config.myServices.certificates.certConfig // { | 16 | security.acme.certs."mail" = config.myServices.certificates.certConfig // { |
| 17 | domain = config.hostEnv.fqdn; | 17 | domain = config.hostEnv.fqdn; |
| 18 | extraDomains = let | 18 | extraDomains = let |
| 19 | zonesWithMx = builtins.filter (zone: | 19 | zonesWithMx = builtins.filter (zone: |
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 9836f78..77f9bd7 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix | |||
| @@ -269,7 +269,7 @@ in | |||
| 269 | [ | 269 | [ |
| 270 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" | 270 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" |
| 271 | ]; | 271 | ]; |
| 272 | security.acme2.certs."mail" = { | 272 | security.acme.certs."mail" = { |
| 273 | postRun = '' | 273 | postRun = '' |
| 274 | systemctl restart dovecot2.service | 274 | systemctl restart dovecot2.service |
| 275 | ''; | 275 | ''; |
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index e0347ec..4791b41 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
| @@ -428,7 +428,7 @@ | |||
| 428 | }; | 428 | }; |
| 429 | }; | 429 | }; |
| 430 | }; | 430 | }; |
| 431 | security.acme2.certs."mail" = { | 431 | security.acme.certs."mail" = { |
| 432 | postRun = '' | 432 | postRun = '' |
| 433 | systemctl restart postfix.service | 433 | systemctl restart postfix.service |
| 434 | ''; | 434 | ''; |
diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index 18d6bc3..c6231aa 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | { lib, pkgs, config, nodes, name, ... }: | 1 | { lib, pkgs, config, nodes, name, ... }: |
| 2 | { | 2 | { |
| 3 | config = lib.mkIf config.myServices.mailBackup.enable { | 3 | config = lib.mkIf config.myServices.mailBackup.enable { |
| 4 | security.acme2.certs."mail" = config.myServices.certificates.certConfig // { | 4 | security.acme.certs."mail" = config.myServices.certificates.certConfig // { |
| 5 | postRun = '' | 5 | postRun = '' |
| 6 | systemctl restart postfix.service | 6 | systemctl restart postfix.service |
| 7 | ''; | 7 | ''; |
diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index cc8e36b..4cdf59a 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix | |||
| @@ -79,6 +79,10 @@ in | |||
| 79 | base = config.myServices.databasesReplication.openldap.base; | 79 | base = config.myServices.databasesReplication.openldap.base; |
| 80 | eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; | 80 | eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; |
| 81 | ldapConfig = pkgs.writeText "slapd.conf" '' | 81 | ldapConfig = pkgs.writeText "slapd.conf" '' |
| 82 | include ${pkgs.openldap}/etc/schema/core.schema | ||
| 83 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
| 84 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
| 85 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
| 82 | ${eldiron_schemas} | 86 | ${eldiron_schemas} |
| 83 | moduleload back_hdb | 87 | moduleload back_hdb |
| 84 | backend hdb | 88 | backend hdb |
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index 2860e96..d25d934 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix | |||
| @@ -34,7 +34,7 @@ | |||
| 34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; | 34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; |
| 35 | }; | 35 | }; |
| 36 | }; | 36 | }; |
| 37 | security.acme2.certs."${name}".extraDomains."status.immae.eu" = null; | 37 | security.acme.certs."${name}".extraDomains."status.immae.eu" = null; |
| 38 | 38 | ||
| 39 | myServices.certificates.enable = true; | 39 | myServices.certificates.enable = true; |
| 40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; | 40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 78e07c1..42cc8d2 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix | |||
| @@ -123,7 +123,7 @@ in { | |||
| 123 | Use LDAPConnect | 123 | Use LDAPConnect |
| 124 | Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu | 124 | Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu |
| 125 | <FilesMatch "\.php$"> | 125 | <FilesMatch "\.php$"> |
| 126 | SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" | 126 | SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost" |
| 127 | </FilesMatch> | 127 | </FilesMatch> |
| 128 | Include /var/secrets/webapps/tools-taskwarrior-web | 128 | Include /var/secrets/webapps/tools-taskwarrior-web |
| 129 | </Directory> | 129 | </Directory> |
| @@ -172,29 +172,30 @@ in { | |||
| 172 | }; | 172 | }; |
| 173 | services.phpfpm.pools = { | 173 | services.phpfpm.pools = { |
| 174 | tasks = { | 174 | tasks = { |
| 175 | listen = "/var/run/phpfpm/task.sock"; | 175 | user = user; |
| 176 | extraConfig = '' | 176 | group = group; |
| 177 | user = ${user} | 177 | settings = { |
| 178 | group = ${group} | 178 | "listen.owner" = "wwwrun"; |
| 179 | listen.owner = wwwrun | 179 | "listen.group" = "wwwrun"; |
| 180 | listen.group = wwwrun | 180 | "pm" = "dynamic"; |
| 181 | pm = dynamic | 181 | "pm.max_children" = "60"; |
| 182 | pm.max_children = 60 | 182 | "pm.start_servers" = "2"; |
| 183 | pm.start_servers = 2 | 183 | "pm.min_spare_servers" = "1"; |
| 184 | pm.min_spare_servers = 1 | 184 | "pm.max_spare_servers" = "10"; |
| 185 | pm.max_spare_servers = 10 | ||
| 186 | 185 | ||
| 187 | ; Needed to avoid clashes in browser cookies (same domain) | 186 | # Needed to avoid clashes in browser cookies (same domain) |
| 188 | env[PATH] = "/etc/profiles/per-user/${user}/bin" | 187 | "php_value[session.name]" = "TaskPHPSESSID"; |
| 189 | php_value[session.name] = TaskPHPSESSID | 188 | "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"; |
| 190 | php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/" | 189 | }; |
| 191 | ''; | 190 | phpEnv = { |
| 191 | PATH = "/etc/profiles/per-user/${user}/bin"; | ||
| 192 | }; | ||
| 192 | }; | 193 | }; |
| 193 | }; | 194 | }; |
| 194 | 195 | ||
| 195 | myServices.websites.webappDirs._task = ./www; | 196 | myServices.websites.webappDirs._task = ./www; |
| 196 | 197 | ||
| 197 | security.acme2.certs."task" = config.myServices.certificates.certConfig // { | 198 | security.acme.certs."task" = config.myServices.certificates.certConfig // { |
| 198 | inherit user group; | 199 | inherit user group; |
| 199 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | 200 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; |
| 200 | domain = fqdn; | 201 | domain = fqdn; |
| @@ -246,9 +247,9 @@ in { | |||
| 246 | inherit fqdn; | 247 | inherit fqdn; |
| 247 | listenHost = "::"; | 248 | listenHost = "::"; |
| 248 | pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; | 249 | pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; |
| 249 | pki.manual.server.cert = "${config.security.acme2.certs.task.directory}/fullchain.pem"; | 250 | pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem"; |
| 250 | pki.manual.server.crl = "${config.security.acme2.certs.task.directory}/invalid.crl"; | 251 | pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl"; |
| 251 | pki.manual.server.key = "${config.security.acme2.certs.task.directory}/key.pem"; | 252 | pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem"; |
| 252 | requestLimit = 104857600; | 253 | requestLimit = 104857600; |
| 253 | }; | 254 | }; |
| 254 | 255 | ||
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix index f21caeb..bce2b4d 100644 --- a/modules/private/websites/chloe/builder.nix +++ b/modules/private/websites/chloe/builder.nix | |||
| @@ -3,28 +3,25 @@ rec { | |||
| 3 | app = chloe.override { inherit (config) environment; }; | 3 | app = chloe.override { inherit (config) environment; }; |
| 4 | phpFpm = rec { | 4 | phpFpm = rec { |
| 5 | serviceDeps = [ "mysql.service" ]; | 5 | serviceDeps = [ "mysql.service" ]; |
| 6 | socket = "/var/run/phpfpm/chloe-${app.environment}.sock"; | 6 | pool = { |
| 7 | pool = '' | 7 | "listen.owner" = apacheUser; |
| 8 | user = ${apacheUser} | 8 | "listen.group" = apacheGroup; |
| 9 | group = ${apacheGroup} | 9 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 10 | listen.owner = ${apacheUser} | 10 | "php_admin_value[post_max_size]" = "20M"; |
| 11 | listen.group = ${apacheGroup} | 11 | # "php_admin_flag[log_errors]" = "on"; |
| 12 | php_admin_value[upload_max_filesize] = 20M | 12 | "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; |
| 13 | php_admin_value[post_max_size] = 20M | 13 | "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; |
| 14 | ;php_admin_flag[log_errors] = on | 14 | } // (if app.environment == "dev" then { |
| 15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | 15 | "pm" = "ondemand"; |
| 16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | 16 | "pm.max_children" = "5"; |
| 17 | ${if app.environment == "dev" then '' | 17 | "pm.process_idle_timeout" = "60"; |
| 18 | pm = ondemand | 18 | } else { |
| 19 | pm.max_children = 5 | 19 | "pm" = "dynamic"; |
| 20 | pm.process_idle_timeout = 60 | 20 | "pm.max_children" = "20"; |
| 21 | '' else '' | 21 | "pm.start_servers" = "2"; |
| 22 | pm = dynamic | 22 | "pm.min_spare_servers" = "1"; |
| 23 | pm.max_children = 20 | 23 | "pm.max_spare_servers" = "3"; |
| 24 | pm.start_servers = 2 | 24 | }); |
| 25 | pm.min_spare_servers = 1 | ||
| 26 | pm.max_spare_servers = 3 | ||
| 27 | ''}''; | ||
| 28 | }; | 25 | }; |
| 29 | keys = [{ | 26 | keys = [{ |
| 30 | dest = "webapps/${app.environment}-chloe"; | 27 | dest = "webapps/${app.environment}-chloe"; |
| @@ -51,7 +48,7 @@ rec { | |||
| 51 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
| 52 | webappName = "chloe_${app.environment}"; | 49 | webappName = "chloe_${app.environment}"; |
| 53 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
| 54 | vhostConf = '' | 51 | vhostConf = socket: '' |
| 55 | Include /var/secrets/webapps/${app.environment}-chloe | 52 | Include /var/secrets/webapps/${app.environment}-chloe |
| 56 | 53 | ||
| 57 | RewriteEngine On | 54 | RewriteEngine On |
| @@ -60,7 +57,7 @@ rec { | |||
| 60 | '' else ""} | 57 | '' else ""} |
| 61 | 58 | ||
| 62 | <FilesMatch "\.php$"> | 59 | <FilesMatch "\.php$"> |
| 63 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 60 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 64 | </FilesMatch> | 61 | </FilesMatch> |
| 65 | 62 | ||
| 66 | <Directory ${root}> | 63 | <Directory ${root}> |
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index 6276eb7..caf6548 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix | |||
| @@ -17,8 +17,9 @@ in { | |||
| 17 | systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; | 17 | systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; |
| 18 | systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; | 18 | systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; |
| 19 | services.phpfpm.pools.chloe_dev = { | 19 | services.phpfpm.pools.chloe_dev = { |
| 20 | listen = chloe.phpFpm.socket; | 20 | user = config.services.httpd.Inte.user; |
| 21 | extraConfig = chloe.phpFpm.pool; | 21 | group = config.services.httpd.Inte.group; |
| 22 | settings = chloe.phpFpm.pool; | ||
| 22 | phpOptions = config.services.phpfpm.phpOptions + '' | 23 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 23 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 24 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| 24 | ''; | 25 | ''; |
| @@ -31,7 +32,9 @@ in { | |||
| 31 | addToCerts = true; | 32 | addToCerts = true; |
| 32 | hosts = ["chloe.immae.eu" ]; | 33 | hosts = ["chloe.immae.eu" ]; |
| 33 | root = chloe.apache.root; | 34 | root = chloe.apache.root; |
| 34 | extraConfig = [ chloe.apache.vhostConf ]; | 35 | extraConfig = [ |
| 36 | (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_dev.socket) | ||
| 37 | ]; | ||
| 35 | }; | 38 | }; |
| 36 | services.websites.env.integration.watchPaths = [ | 39 | services.websites.env.integration.watchPaths = [ |
| 37 | "/var/secrets/webapps/${chloe.app.environment}-chloe" | 40 | "/var/secrets/webapps/${chloe.app.environment}-chloe" |
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 578bf91..83f6c9b 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix | |||
| @@ -19,8 +19,9 @@ in { | |||
| 19 | systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; | 19 | systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; |
| 20 | systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; | 20 | systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; |
| 21 | services.phpfpm.pools.chloe_prod = { | 21 | services.phpfpm.pools.chloe_prod = { |
| 22 | listen = chloe.phpFpm.socket; | 22 | user = config.services.httpd.Prod.user; |
| 23 | extraConfig = chloe.phpFpm.pool; | 23 | group = config.services.httpd.Prod.group; |
| 24 | settings = chloe.phpFpm.pool; | ||
| 24 | phpOptions = config.services.phpfpm.phpOptions + '' | 25 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| 26 | ''; | 27 | ''; |
| @@ -39,7 +40,7 @@ in { | |||
| 39 | RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] | 40 | RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] |
| 40 | RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] | 41 | RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] |
| 41 | '' | 42 | '' |
| 42 | chloe.apache.vhostConf | 43 | (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_prod.socket) |
| 43 | ]; | 44 | ]; |
| 44 | }; | 45 | }; |
| 45 | services.websites.env.production.watchPaths = [ | 46 | services.websites.env.production.watchPaths = [ |
diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix index d591c90..1803468 100644 --- a/modules/private/websites/commons/adminer.nix +++ b/modules/private/websites/commons/adminer.nix | |||
| @@ -1,24 +1,5 @@ | |||
| 1 | {}: | 1 | { config, callPackage }: |
| 2 | rec { | 2 | callPackage ../tools/tools/adminer.nix { |
| 3 | phpFpm = { | 3 | adminer = null; |
| 4 | socket = "/var/run/phpfpm/adminer.sock"; | 4 | forcePhpSocket = config.services.phpfpm.pools.adminer.socket; |
| 5 | }; | ||
| 6 | apache = rec { | ||
| 7 | modules = [ "proxy_fcgi" ]; | ||
| 8 | webappName = "_adminer"; | ||
| 9 | root = "/run/current-system/webapps/${webappName}"; | ||
| 10 | vhostConf = '' | ||
| 11 | Alias /adminer ${root} | ||
| 12 | <Directory ${root}> | ||
| 13 | DirectoryIndex index.php | ||
| 14 | <FilesMatch "\.php$"> | ||
| 15 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
| 16 | </FilesMatch> | ||
| 17 | |||
| 18 | Use LDAPConnect | ||
| 19 | Require ldap-group cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | ||
| 20 | Require ldap-group cn=users,cn=postgresql,cn=pam,ou=services,dc=immae,dc=eu | ||
| 21 | </Directory> | ||
| 22 | ''; | ||
| 23 | }; | ||
| 24 | } | 5 | } |
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 81cff8f..4f7b72d 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix | |||
| @@ -25,15 +25,17 @@ in { | |||
| 25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 26 | ]; | 26 | ]; |
| 27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | 27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; |
| 28 | phpPool = '' | 28 | phpPool = { |
| 29 | php_admin_value[upload_max_filesize] = 20M | 29 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 30 | php_admin_value[post_max_size] = 20M | 30 | "php_admin_value[post_max_size]" = "20M"; |
| 31 | ;php_admin_flag[log_errors] = on | 31 | #"php_admin_flag[log_errors]" = "on"; |
| 32 | pm = ondemand | 32 | "pm" = "ondemand"; |
| 33 | pm.max_children = 5 | 33 | "pm.max_children" = "5"; |
| 34 | pm.process_idle_timeout = 60 | 34 | "pm.process_idle_timeout" = "60"; |
| 35 | env[SYMFONY_DEBUG_MODE] = "yes" | 35 | }; |
| 36 | ''; | 36 | phpEnv = { |
| 37 | SYMFONY_DEBUG_MODE = "yes"; | ||
| 38 | }; | ||
| 37 | phpWatchFiles = [ | 39 | phpWatchFiles = [ |
| 38 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" |
| 39 | ]; | 41 | ]; |
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index fa31931..0b52af1 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix | |||
| @@ -26,16 +26,16 @@ in { | |||
| 26 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 26 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 27 | ]; | 27 | ]; |
| 28 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | 28 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; |
| 29 | phpPool = '' | 29 | phpPool = { |
| 30 | php_admin_value[upload_max_filesize] = 20M | 30 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 31 | php_admin_value[post_max_size] = 20M | 31 | "php_admin_value[post_max_size]" = "20M"; |
| 32 | ;php_admin_flag[log_errors] = on | 32 | #"php_admin_flag[log_errors]" = "on"; |
| 33 | pm = dynamic | 33 | "pm" = "dynamic"; |
| 34 | pm.max_children = 20 | 34 | "pm.max_children" = "20"; |
| 35 | pm.start_servers = 2 | 35 | "pm.start_servers" = "2"; |
| 36 | pm.min_spare_servers = 1 | 36 | "pm.min_spare_servers" = "1"; |
| 37 | pm.max_spare_servers = 3 | 37 | "pm.max_spare_servers" = "3"; |
| 38 | ''; | 38 | }; |
| 39 | phpWatchFiles = [ | 39 | phpWatchFiles = [ |
| 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" |
| 41 | ]; | 41 | ]; |
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 5c0e655..529ec5c 100644 --- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix | |||
| @@ -87,9 +87,9 @@ in | |||
| 87 | #openssl = self.openssl_1_1; | 87 | #openssl = self.openssl_1_1; |
| 88 | php = php72; | 88 | php = php72; |
| 89 | php72 = (super.php72.override { | 89 | php72 = (super.php72.override { |
| 90 | mysql.connector-c = self.mariadb; | 90 | config.php.mysqlnd = true; |
| 91 | config.php.mysqlnd = false; | ||
| 92 | config.php.mysqli = false; | 91 | config.php.mysqli = false; |
| 92 | config.php.mhash = true; # Is it needed? | ||
| 93 | }).overrideAttrs(old: rec { | 93 | }).overrideAttrs(old: rec { |
| 94 | # Didn't manage to build with mysqli + mysql_config connector | 94 | # Didn't manage to build with mysqli + mysql_config connector |
| 95 | configureFlags = old.configureFlags ++ [ | 95 | configureFlags = old.configureFlags ++ [ |
| @@ -140,9 +140,9 @@ in | |||
| 140 | ; 30 days (minutes) | 140 | ; 30 days (minutes) |
| 141 | session.cache_expire = 43200 | 141 | session.cache_expire = 43200 |
| 142 | ''; | 142 | ''; |
| 143 | extraConfig = '' | 143 | settings = { |
| 144 | log_level = notice | 144 | log_level = "notice"; |
| 145 | ''; | 145 | }; |
| 146 | }; | 146 | }; |
| 147 | 147 | ||
| 148 | services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; | 148 | services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; |
diff --git a/modules/private/websites/emilia/richie.nix b/modules/private/websites/emilia/richie.nix index f7b4f8d..98ab1cd 100644 --- a/modules/private/websites/emilia/richie.nix +++ b/modules/private/websites/emilia/richie.nix | |||
| @@ -49,22 +49,23 @@ in | |||
| 49 | ''; | 49 | ''; |
| 50 | }; | 50 | }; |
| 51 | services.phpfpm.pools.richie_production = { | 51 | services.phpfpm.pools.richie_production = { |
| 52 | listen = "/run/phpfpm/richie_production.sock"; | 52 | user = "wwwrun"; |
| 53 | extraConfig = '' | 53 | group = "wwwrun"; |
| 54 | user = wwwrun | 54 | settings = { |
| 55 | group = wwwrun | 55 | "listen.owner" = "wwwrun"; |
| 56 | listen.owner = wwwrun | 56 | "listen.group" = "wwwrun"; |
| 57 | listen.group = wwwrun | ||
| 58 | 57 | ||
| 59 | pm = ondemand | 58 | "pm" = "ondemand"; |
| 60 | pm.max_children = 5 | 59 | "pm.max_children" = "5"; |
| 61 | pm.process_idle_timeout = 60 | 60 | "pm.process_idle_timeout" = "60"; |
| 62 | 61 | ||
| 63 | env[PATH] = /run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]} | 62 | "php_admin_value[open_basedir]" = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp"; |
| 64 | env[BDD_CONNECT] = "/var/secrets/webapps/prod-richie" | 63 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/richie_production"; |
| 65 | php_admin_value[open_basedir] = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp" | 64 | }; |
| 66 | php_admin_value[session.save_path] = "/var/lib/php/sessions/richie_production" | 65 | phpEnv = { |
| 67 | ''; | 66 | PATH = "/run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]}"; |
| 67 | BDD_CONNECT = "/var/secrets/webapps/prod-richie"; | ||
| 68 | }; | ||
| 68 | phpOptions = config.services.phpfpm.phpOptions + '' | 69 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 69 | date.timezone = 'Europe/Paris' | 70 | date.timezone = 'Europe/Paris' |
| 70 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 71 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| @@ -91,7 +92,7 @@ in | |||
| 91 | Require all granted | 92 | Require all granted |
| 92 | 93 | ||
| 93 | <FilesMatch "\.php$"> | 94 | <FilesMatch "\.php$"> |
| 94 | SetHandler "proxy:unix:/run/phpfpm/richie_production.sock|fcgi://localhost" | 95 | SetHandler "proxy:unix:${config.services.phpfpm.pools.richie_production.socket}|fcgi://localhost" |
| 95 | </FilesMatch> | 96 | </FilesMatch> |
| 96 | </Directory> | 97 | </Directory> |
| 97 | '' | 98 | '' |
diff --git a/modules/private/websites/evariste/production.nix b/modules/private/websites/evariste/production.nix index 00e6fe1..43b26c8 100644 --- a/modules/private/websites/evariste/production.nix +++ b/modules/private/websites/evariste/production.nix | |||
| @@ -21,20 +21,19 @@ in { | |||
| 21 | ''; | 21 | ''; |
| 22 | }; | 22 | }; |
| 23 | services.phpfpm.pools.nsievariste = { | 23 | services.phpfpm.pools.nsievariste = { |
| 24 | listen = "/run/phpfpm/nsievariste.sock"; | 24 | user = "wwwrun"; |
| 25 | extraConfig = '' | 25 | group = "wwwrun"; |
| 26 | user = wwwrun | 26 | settings = { |
| 27 | group = wwwrun | 27 | "listen.owner" = "wwwrun"; |
| 28 | listen.owner = wwwrun | 28 | "listen.group" = "wwwrun"; |
| 29 | listen.group = wwwrun | ||
| 30 | 29 | ||
| 31 | pm = ondemand | 30 | "pm" = "ondemand"; |
| 32 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
| 33 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
| 34 | 33 | ||
| 35 | php_admin_value[open_basedir] = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp" | 34 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp"; |
| 36 | php_admin_value[session.save_path] = "/var/lib/php/sessions/nsievariste" | 35 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/nsievariste"; |
| 37 | ''; | 36 | }; |
| 38 | }; | 37 | }; |
| 39 | services.websites.env.production.vhostConfs.nsievariste = { | 38 | services.websites.env.production.vhostConfs.nsievariste = { |
| 40 | certName = "eldiron"; | 39 | certName = "eldiron"; |
| @@ -46,7 +45,7 @@ in { | |||
| 46 | Use Stats nsievariste.immae.eu | 45 | Use Stats nsievariste.immae.eu |
| 47 | 46 | ||
| 48 | <FilesMatch "\.php$"> | 47 | <FilesMatch "\.php$"> |
| 49 | SetHandler "proxy:unix:/run/phpfpm/nsievariste.sock|fcgi://localhost" | 48 | SetHandler "proxy:unix:${config.services.phpfpm.pools.nsievariste.socket}|fcgi://localhost" |
| 50 | </FilesMatch> | 49 | </FilesMatch> |
| 51 | 50 | ||
| 52 | <Directory ${nsiVarDir}> | 51 | <Directory ${nsiVarDir}> |
| @@ -60,20 +59,19 @@ in { | |||
| 60 | }; | 59 | }; |
| 61 | 60 | ||
| 62 | services.phpfpm.pools.stmgevariste = { | 61 | services.phpfpm.pools.stmgevariste = { |
| 63 | listen = "/run/phpfpm/stmgevariste.sock"; | 62 | user = "wwwrun"; |
| 64 | extraConfig = '' | 63 | group = "wwwrun"; |
| 65 | user = wwwrun | 64 | settings = { |
| 66 | group = wwwrun | 65 | "listen.owner" = "wwwrun"; |
| 67 | listen.owner = wwwrun | 66 | "listen.group" = "wwwrun"; |
| 68 | listen.group = wwwrun | ||
| 69 | 67 | ||
| 70 | pm = ondemand | 68 | "pm" = "ondemand"; |
| 71 | pm.max_children = 5 | 69 | "pm.max_children" = "5"; |
| 72 | pm.process_idle_timeout = 60 | 70 | "pm.process_idle_timeout" = "60"; |
| 73 | 71 | ||
| 74 | php_admin_value[open_basedir] = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp" | 72 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp"; |
| 75 | php_admin_value[session.save_path] = "/var/lib/php/sessions/stmgevariste" | 73 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/stmgevariste"; |
| 76 | ''; | 74 | }; |
| 77 | }; | 75 | }; |
| 78 | services.websites.env.production.vhostConfs.stmgevariste = { | 76 | services.websites.env.production.vhostConfs.stmgevariste = { |
| 79 | certName = "eldiron"; | 77 | certName = "eldiron"; |
| @@ -85,7 +83,7 @@ in { | |||
| 85 | Use Stats stmgevariste.immae.eu | 83 | Use Stats stmgevariste.immae.eu |
| 86 | 84 | ||
| 87 | <FilesMatch "\.php$"> | 85 | <FilesMatch "\.php$"> |
| 88 | SetHandler "proxy:unix:/run/phpfpm/stmgevariste.sock|fcgi://localhost" | 86 | SetHandler "proxy:unix:${config.services.phpfpm.pools.stmgevariste.socket}|fcgi://localhost" |
| 89 | </FilesMatch> | 87 | </FilesMatch> |
| 90 | 88 | ||
| 91 | <Directory ${stmgVarDir}> | 89 | <Directory ${stmgVarDir}> |
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index e262c59..c65c26f 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
| 2 | let | 2 | let |
| 3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
| 4 | secrets = config.myEnv.websites.tellesflorian.integration; | 4 | secrets = config.myEnv.websites.tellesflorian.integration; |
| 5 | app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; | 5 | app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; |
| 6 | cfg = config.myServices.websites.florian.app; | 6 | cfg = config.myServices.websites.florian.app; |
| @@ -24,15 +24,17 @@ in { | |||
| 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 25 | ]; | 25 | ]; |
| 26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
| 27 | phpPool = '' | 27 | phpPool = { |
| 28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
| 30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
| 31 | pm = ondemand | 31 | "pm" = "ondemand"; |
| 32 | pm.max_children = 5 | 32 | "pm.max_children" = "5"; |
| 33 | pm.process_idle_timeout = 60 | 33 | "pm.process_idle_timeout" = "60"; |
| 34 | env[SYMFONY_DEBUG_MODE] = "yes" | 34 | }; |
| 35 | ''; | 35 | phpEnv = { |
| 36 | SYMFONY_DEBUG_MODE = "yes"; | ||
| 37 | }; | ||
| 36 | phpWatchFiles = [ | 38 | phpWatchFiles = [ |
| 37 | config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" | 39 | config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" |
| 38 | ]; | 40 | ]; |
| @@ -134,7 +136,7 @@ in { | |||
| 134 | 136 | ||
| 135 | </Directory> | 137 | </Directory> |
| 136 | '' | 138 | '' |
| 137 | adminer.apache.vhostConf | 139 | (adminer.apache.vhostConf null) |
| 138 | ]; | 140 | ]; |
| 139 | }; | 141 | }; |
| 140 | }; | 142 | }; |
diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index 57c4006..4ee160a 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
| 2 | let | 2 | let |
| 3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
| 4 | cfg = config.myServices.websites.florian.integration; | 4 | cfg = config.myServices.websites.florian.integration; |
| 5 | varDir = "/var/lib/ftp/florian"; | 5 | varDir = "/var/lib/ftp/florian"; |
| 6 | env = config.myEnv.websites.florian; | 6 | env = config.myEnv.websites.florian; |
| @@ -8,7 +8,7 @@ in { | |||
| 8 | options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; | 8 | options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; |
| 9 | 9 | ||
| 10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
| 11 | security.acme2.certs."ftp".extraDomains."florian.immae.eu" = null; | 11 | security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; |
| 12 | 12 | ||
| 13 | services.websites.env.integration.modules = adminer.apache.modules; | 13 | services.websites.env.integration.modules = adminer.apache.modules; |
| 14 | services.websites.env.integration.vhostConfs.florian = { | 14 | services.websites.env.integration.vhostConfs.florian = { |
| @@ -17,7 +17,7 @@ in { | |||
| 17 | hosts = [ "florian.immae.eu" ]; | 17 | hosts = [ "florian.immae.eu" ]; |
| 18 | root = "${varDir}/florian.immae.eu"; | 18 | root = "${varDir}/florian.immae.eu"; |
| 19 | extraConfig = [ | 19 | extraConfig = [ |
| 20 | adminer.apache.vhostConf | 20 | (adminer.apache.vhostConf null) |
| 21 | '' | 21 | '' |
| 22 | ServerAdmin ${env.server_admin} | 22 | ServerAdmin ${env.server_admin} |
| 23 | 23 | ||
diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 1abc715..16c6022 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
| 2 | let | 2 | let |
| 3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
| 4 | cfg = config.myServices.websites.florian.production; | 4 | cfg = config.myServices.websites.florian.production; |
| 5 | varDir = "/var/lib/ftp/florian"; | 5 | varDir = "/var/lib/ftp/florian"; |
| 6 | env = config.myEnv.websites.florian; | 6 | env = config.myEnv.websites.florian; |
| @@ -8,7 +8,7 @@ in { | |||
| 8 | options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; | 8 | options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; |
| 9 | 9 | ||
| 10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
| 11 | security.acme2.certs."ftp".extraDomains."tellesflorian.com" = null; | 11 | security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; |
| 12 | 12 | ||
| 13 | services.websites.env.production.modules = adminer.apache.modules; | 13 | services.websites.env.production.modules = adminer.apache.modules; |
| 14 | services.websites.env.production.vhostConfs.florian = { | 14 | services.websites.env.production.vhostConfs.florian = { |
| @@ -17,7 +17,7 @@ in { | |||
| 17 | hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; | 17 | hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; |
| 18 | root = "${varDir}/tellesflorian.com"; | 18 | root = "${varDir}/tellesflorian.com"; |
| 19 | extraConfig = [ | 19 | extraConfig = [ |
| 20 | adminer.apache.vhostConf | 20 | (adminer.apache.vhostConf null) |
| 21 | '' | 21 | '' |
| 22 | ServerAdmin ${env.server_admin} | 22 | ServerAdmin ${env.server_admin} |
| 23 | 23 | ||
diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix index a2a087c..fb6eda9 100644 --- a/modules/private/websites/isabelle/aten_integration.nix +++ b/modules/private/websites/isabelle/aten_integration.nix | |||
| @@ -23,15 +23,17 @@ in { | |||
| 23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 24 | ]; | 24 | ]; |
| 25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
| 26 | phpPool = '' | 26 | phpPool = { |
| 27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
| 29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
| 30 | pm = ondemand | 30 | "pm" = "ondemand"; |
| 31 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
| 32 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
| 33 | env[SYMFONY_DEBUG_MODE] = "yes" | 33 | }; |
| 34 | ''; | 34 | phpEnv = { |
| 35 | SYMFONY_DEBUG_MODE = "yes"; | ||
| 36 | }; | ||
| 35 | }; | 37 | }; |
| 36 | 38 | ||
| 37 | secrets.keys = [{ | 39 | secrets.keys = [{ |
diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index 8e33f0f..cf7e4a2 100644 --- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix | |||
| @@ -24,16 +24,16 @@ in { | |||
| 24 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 25 | ]; | 25 | ]; |
| 26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
| 27 | phpPool = '' | 27 | phpPool = { |
| 28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
| 30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
| 31 | pm = dynamic | 31 | "pm" = "dynamic"; |
| 32 | pm.max_children = 20 | 32 | "pm.max_children" = "20"; |
| 33 | pm.start_servers = 2 | 33 | "pm.start_servers" = "2"; |
| 34 | pm.min_spare_servers = 1 | 34 | "pm.min_spare_servers" = "1"; |
| 35 | pm.max_spare_servers = 3 | 35 | "pm.max_spare_servers" = "3"; |
| 36 | ''; | 36 | }; |
| 37 | }; | 37 | }; |
| 38 | 38 | ||
| 39 | secrets.keys = [{ | 39 | secrets.keys = [{ |
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index 460bd2a..ffbf259 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix | |||
| @@ -19,8 +19,9 @@ in { | |||
| 19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; | 19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; |
| 20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; | 20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; |
| 21 | services.phpfpm.pools.iridologie = { | 21 | services.phpfpm.pools.iridologie = { |
| 22 | listen = iridologie.phpFpm.socket; | 22 | user = config.services.httpd.Prod.user; |
| 23 | extraConfig = iridologie.phpFpm.pool; | 23 | group = config.services.httpd.Prod.group; |
| 24 | settings = iridologie.phpFpm.pool; | ||
| 24 | phpOptions = config.services.phpfpm.phpOptions + '' | 25 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| 26 | ''; | 27 | ''; |
| @@ -39,7 +40,7 @@ in { | |||
| 39 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] | 40 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] |
| 40 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] | 41 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] |
| 41 | '' | 42 | '' |
| 42 | iridologie.apache.vhostConf | 43 | (iridologie.apache.vhostConf config.services.phpfpm.pools.iridologie.socket) |
| 43 | ]; | 44 | ]; |
| 44 | }; | 45 | }; |
| 45 | services.websites.env.production.watchPaths = [ | 46 | services.websites.env.production.watchPaths = [ |
diff --git a/modules/private/websites/isabelle/spip_builder.nix b/modules/private/websites/isabelle/spip_builder.nix index 2ab5394..e1130d1 100644 --- a/modules/private/websites/isabelle/spip_builder.nix +++ b/modules/private/websites/isabelle/spip_builder.nix | |||
| @@ -3,28 +3,25 @@ rec { | |||
| 3 | app = iridologie.override { inherit (config) environment; }; | 3 | app = iridologie.override { inherit (config) environment; }; |
| 4 | phpFpm = rec { | 4 | phpFpm = rec { |
| 5 | serviceDeps = [ "mysql.service" ]; | 5 | serviceDeps = [ "mysql.service" ]; |
| 6 | socket = "/var/run/phpfpm/iridologie-${app.environment}.sock"; | 6 | pool = { |
| 7 | pool = '' | 7 | "listen.owner" = "${apacheUser}"; |
| 8 | user = ${apacheUser} | 8 | "listen.group" = "${apacheGroup}"; |
| 9 | group = ${apacheGroup} | 9 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 10 | listen.owner = ${apacheUser} | 10 | "php_admin_value[post_max_size]" = "20M"; |
| 11 | listen.group = ${apacheGroup} | 11 | #"php_admin_flag[log_errors]" = "on"; |
| 12 | php_admin_value[upload_max_filesize] = 20M | 12 | "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; |
| 13 | php_admin_value[post_max_size] = 20M | 13 | "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; |
| 14 | ;php_admin_flag[log_errors] = on | 14 | } // (if app.environment == "dev" then { |
| 15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | 15 | "pm" = "ondemand"; |
| 16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | 16 | "pm.max_children" = "5"; |
| 17 | ${if app.environment == "dev" then '' | 17 | "pm.process_idle_timeout" = "60"; |
| 18 | pm = ondemand | 18 | } else { |
| 19 | pm.max_children = 5 | 19 | "pm" = "dynamic"; |
| 20 | pm.process_idle_timeout = 60 | 20 | "pm.max_children" = "20"; |
| 21 | '' else '' | 21 | "pm.start_servers" = "2"; |
| 22 | pm = dynamic | 22 | "pm.min_spare_servers" = "1"; |
| 23 | pm.max_children = 20 | 23 | "pm.max_spare_servers" = "3"; |
| 24 | pm.start_servers = 2 | 24 | }); |
| 25 | pm.min_spare_servers = 1 | ||
| 26 | pm.max_spare_servers = 3 | ||
| 27 | ''}''; | ||
| 28 | }; | 25 | }; |
| 29 | keys = [{ | 26 | keys = [{ |
| 30 | dest = "webapps/${app.environment}-iridologie"; | 27 | dest = "webapps/${app.environment}-iridologie"; |
| @@ -51,13 +48,13 @@ rec { | |||
| 51 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
| 52 | webappName = "iridologie_${app.environment}"; | 49 | webappName = "iridologie_${app.environment}"; |
| 53 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
| 54 | vhostConf = '' | 51 | vhostConf = socket: '' |
| 55 | Include /var/secrets/webapps/${app.environment}-iridologie | 52 | Include /var/secrets/webapps/${app.environment}-iridologie |
| 56 | 53 | ||
| 57 | RewriteEngine On | 54 | RewriteEngine On |
| 58 | 55 | ||
| 59 | <FilesMatch "\.php$"> | 56 | <FilesMatch "\.php$"> |
| 60 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 57 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 61 | </FilesMatch> | 58 | </FilesMatch> |
| 62 | 59 | ||
| 63 | <Directory ${root}> | 60 | <Directory ${root}> |
diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix index e8591c8..3b289cf 100644 --- a/modules/private/websites/leila/production.nix +++ b/modules/private/websites/leila/production.nix | |||
| @@ -7,19 +7,18 @@ in { | |||
| 7 | 7 | ||
| 8 | config = lib.mkIf cfg.enable { | 8 | config = lib.mkIf cfg.enable { |
| 9 | services.phpfpm.pools.leila = { | 9 | services.phpfpm.pools.leila = { |
| 10 | listen = "/run/phpfpm/leila.sock"; | 10 | user = "wwwrun"; |
| 11 | extraConfig = '' | 11 | group = "wwwrun"; |
| 12 | user = wwwrun | 12 | settings = { |
| 13 | group = wwwrun | 13 | "listen.owner" = "wwwrun"; |
| 14 | listen.owner = wwwrun | 14 | "listen.group" = "wwwrun"; |
| 15 | listen.group = wwwrun | ||
| 16 | 15 | ||
| 17 | pm = ondemand | 16 | "pm" = "ondemand"; |
| 18 | pm.max_children = 5 | 17 | "pm.max_children" = "5"; |
| 19 | pm.process_idle_timeout = 60 | 18 | "pm.process_idle_timeout" = "60"; |
| 20 | 19 | ||
| 21 | php_admin_value[open_basedir] = "${varDir}:/tmp" | 20 | "php_admin_value[open_basedir]" = "${varDir}:/tmp"; |
| 22 | ''; | 21 | }; |
| 23 | }; | 22 | }; |
| 24 | 23 | ||
| 25 | services.webstats.sites = [ | 24 | services.webstats.sites = [ |
| @@ -46,7 +45,7 @@ in { | |||
| 46 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu | 45 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu |
| 47 | 46 | ||
| 48 | <FilesMatch "\.php$"> | 47 | <FilesMatch "\.php$"> |
| 49 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 48 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
| 50 | </FilesMatch> | 49 | </FilesMatch> |
| 51 | </Directory> | 50 | </Directory> |
| 52 | '' | 51 | '' |
| @@ -66,7 +65,7 @@ in { | |||
| 66 | AllowOverride None | 65 | AllowOverride None |
| 67 | 66 | ||
| 68 | <FilesMatch "\.php$"> | 67 | <FilesMatch "\.php$"> |
| 69 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 68 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
| 70 | </FilesMatch> | 69 | </FilesMatch> |
| 71 | </Directory> | 70 | </Directory> |
| 72 | '' | 71 | '' |
| @@ -89,7 +88,7 @@ in { | |||
| 89 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu | 88 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu |
| 90 | 89 | ||
| 91 | <FilesMatch "\.php$"> | 90 | <FilesMatch "\.php$"> |
| 92 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 91 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
| 93 | </FilesMatch> | 92 | </FilesMatch> |
| 94 | </Directory> | 93 | </Directory> |
| 95 | <Directory ${varDir}> | 94 | <Directory ${varDir}> |
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix index 1cbfd12..d304fdf 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivinecassal/integration.nix | |||
| @@ -23,15 +23,17 @@ in { | |||
| 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 24 | ]; | 24 | ]; |
| 25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
| 26 | phpPool = '' | 26 | phpPool = { |
| 27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
| 29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
| 30 | pm = ondemand | 30 | "pm" = "ondemand"; |
| 31 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
| 32 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
| 33 | env[SYMFONY_DEBUG_MODE] = "yes" | 33 | }; |
| 34 | ''; | 34 | phpEnv = { |
| 35 | SYMFONY_DEBUG_MODE = "yes"; | ||
| 36 | }; | ||
| 35 | phpWatchFiles = [ | 37 | phpWatchFiles = [ |
| 36 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" | 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" |
| 37 | ]; | 39 | ]; |
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix index 7cf00f0..5761be7 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivinecassal/production.nix | |||
| @@ -24,16 +24,16 @@ in { | |||
| 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 25 | ]; | 25 | ]; |
| 26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
| 27 | phpPool = '' | 27 | phpPool = { |
| 28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
| 30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
| 31 | pm = dynamic | 31 | "pm" = "dynamic"; |
| 32 | pm.max_children = 20 | 32 | "pm.max_children" = "20"; |
| 33 | pm.start_servers = 2 | 33 | "pm.start_servers" = "2"; |
| 34 | pm.min_spare_servers = 1 | 34 | "pm.min_spare_servers" = "1"; |
| 35 | pm.max_spare_servers = 3 | 35 | "pm.max_spare_servers" = "3"; |
| 36 | ''; | 36 | }; |
| 37 | phpWatchFiles = [ | 37 | phpWatchFiles = [ |
| 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" | 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" |
| 39 | ]; | 39 | ]; |
diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index 293519f..f9468f9 100644 --- a/modules/private/websites/nassime/production.nix +++ b/modules/private/websites/nassime/production.nix | |||
| @@ -9,7 +9,7 @@ in { | |||
| 9 | config = lib.mkIf cfg.enable { | 9 | config = lib.mkIf cfg.enable { |
| 10 | services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; | 10 | services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; |
| 11 | 11 | ||
| 12 | security.acme2.certs."ftp".extraDomains."nassime.bouya.org" = null; | 12 | security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; |
| 13 | 13 | ||
| 14 | services.websites.env.production.vhostConfs.nassime = { | 14 | services.websites.env.production.vhostConfs.nassime = { |
| 15 | certName = "nassime"; | 15 | certName = "nassime"; |
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix index a276c47..1e79141 100644 --- a/modules/private/websites/naturaloutil/production.nix +++ b/modules/private/websites/naturaloutil/production.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
| 2 | let | 2 | let |
| 3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
| 4 | cfg = config.myServices.websites.naturaloutil.production; | 4 | cfg = config.myServices.websites.naturaloutil.production; |
| 5 | varDir = "/var/lib/ftp/jerome"; | 5 | varDir = "/var/lib/ftp/jerome"; |
| 6 | env = config.myEnv.websites.jerome; | 6 | env = config.myEnv.websites.jerome; |
| @@ -10,7 +10,7 @@ in { | |||
| 10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
| 11 | services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; | 11 | services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; |
| 12 | 12 | ||
| 13 | security.acme2.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; | 13 | security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; |
| 14 | 14 | ||
| 15 | secrets.keys = [{ | 15 | secrets.keys = [{ |
| 16 | dest = "webapps/prod-naturaloutil"; | 16 | dest = "webapps/prod-naturaloutil"; |
| @@ -42,21 +42,22 @@ in { | |||
| 42 | systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; | 42 | systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; |
| 43 | systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; | 43 | systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; |
| 44 | services.phpfpm.pools.jerome = { | 44 | services.phpfpm.pools.jerome = { |
| 45 | listen = "/run/phpfpm/naturaloutil.sock"; | 45 | user = "wwwrun"; |
| 46 | extraConfig = '' | 46 | group = "wwwrun"; |
| 47 | user = wwwrun | 47 | settings = { |
| 48 | group = wwwrun | 48 | "listen.owner" = "wwwrun"; |
| 49 | listen.owner = wwwrun | 49 | "listen.group" = "wwwrun"; |
| 50 | listen.group = wwwrun | ||
| 51 | 50 | ||
| 52 | pm = ondemand | 51 | "pm" = "ondemand"; |
| 53 | pm.max_children = 5 | 52 | "pm.max_children" = "5"; |
| 54 | pm.process_idle_timeout = 60 | 53 | "pm.process_idle_timeout" = "60"; |
| 55 | 54 | ||
| 56 | env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil" | 55 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"; |
| 57 | php_admin_value[open_basedir] = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp" | 56 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/naturaloutil"; |
| 58 | php_admin_value[session.save_path] = "/var/lib/php/sessions/naturaloutil" | 57 | }; |
| 59 | ''; | 58 | phpEnv = { |
| 59 | BDD_CONNECT = "/var/secrets/webapps/prod-naturaloutil"; | ||
| 60 | }; | ||
| 60 | phpOptions = config.services.phpfpm.phpOptions + '' | 61 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 61 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 62 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| 62 | ''; | 63 | ''; |
| @@ -68,7 +69,7 @@ in { | |||
| 68 | hosts = ["naturaloutil.immae.eu" ]; | 69 | hosts = ["naturaloutil.immae.eu" ]; |
| 69 | root = varDir; | 70 | root = varDir; |
| 70 | extraConfig = [ | 71 | extraConfig = [ |
| 71 | adminer.apache.vhostConf | 72 | (adminer.apache.vhostConf null) |
| 72 | '' | 73 | '' |
| 73 | Use Stats naturaloutil.immae.eu | 74 | Use Stats naturaloutil.immae.eu |
| 74 | ServerAdmin ${env.server_admin} | 75 | ServerAdmin ${env.server_admin} |
| @@ -76,7 +77,7 @@ in { | |||
| 76 | CustomLog "${varDir}/logs/access_log" combined | 77 | CustomLog "${varDir}/logs/access_log" combined |
| 77 | 78 | ||
| 78 | <FilesMatch "\.php$"> | 79 | <FilesMatch "\.php$"> |
| 79 | SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost" | 80 | SetHandler "proxy:unix:${config.services.phpfpm.pools.jerome.socket}|fcgi://localhost" |
| 80 | </FilesMatch> | 81 | </FilesMatch> |
| 81 | 82 | ||
| 82 | <Directory ${varDir}/logs> | 83 | <Directory ${varDir}/logs> |
diff --git a/modules/private/websites/papa/maison_bbc.nix b/modules/private/websites/papa/maison_bbc.nix index eb61b6d..11e7937 100644 --- a/modules/private/websites/papa/maison_bbc.nix +++ b/modules/private/websites/papa/maison_bbc.nix | |||
| @@ -9,19 +9,18 @@ in { | |||
| 9 | services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; | 9 | services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; |
| 10 | services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; | 10 | services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; |
| 11 | services.phpfpm.pools.papa_maison_bbc = { | 11 | services.phpfpm.pools.papa_maison_bbc = { |
| 12 | listen = "/run/phpfpm/papa_maison_bbc.sock"; | 12 | user = "wwwrun"; |
| 13 | extraConfig = '' | 13 | group = "wwwrun"; |
| 14 | user = wwwrun | 14 | settings = { |
| 15 | group = wwwrun | 15 | "listen.owner" = "wwwrun"; |
| 16 | listen.owner = wwwrun | 16 | "listen.group" = "wwwrun"; |
| 17 | listen.group = wwwrun | ||
| 18 | 17 | ||
| 19 | pm = ondemand | 18 | "pm" = "ondemand"; |
| 20 | pm.max_children = 5 | 19 | "pm.max_children" = "5"; |
| 21 | pm.process_idle_timeout = 60 | 20 | "pm.process_idle_timeout" = "60"; |
| 22 | 21 | ||
| 23 | php_admin_value[open_basedir] = "${varDir}" | 22 | "php_admin_value[open_basedir]" = varDir; |
| 24 | ''; | 23 | }; |
| 25 | phpOptions = config.services.phpfpm.phpOptions + '' | 24 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 26 | date.timezone = 'Europe/Paris' | 25 | date.timezone = 'Europe/Paris' |
| 27 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| @@ -34,17 +33,17 @@ in { | |||
| 34 | root = varDir; | 33 | root = varDir; |
| 35 | extraConfig = [ | 34 | extraConfig = [ |
| 36 | '' | 35 | '' |
| 37 | Alias /.well-known/acme-challenge ${config.security.acme2.certs.papa.webroot}/.well-known/acme-challenge | 36 | Alias /.well-known/acme-challenge ${config.security.acme.certs.papa.webroot}/.well-known/acme-challenge |
| 38 | RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 | 37 | RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 |
| 39 | <Directory ${varDir}> | 38 | <Directory ${varDir}> |
| 40 | DirectoryIndex index.php index.htm index.html | 39 | DirectoryIndex index.php index.htm index.html |
| 41 | AllowOverride None | 40 | AllowOverride None |
| 42 | Require all granted | 41 | Require all granted |
| 43 | <FilesMatch "\.php$"> | 42 | <FilesMatch "\.php$"> |
| 44 | SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" | 43 | SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" |
| 45 | </FilesMatch> | 44 | </FilesMatch> |
| 46 | </Directory> | 45 | </Directory> |
| 47 | <Directory "${config.security.acme2.certs.papa.webroot}"> | 46 | <Directory "${config.security.acme.certs.papa.webroot}"> |
| 48 | Options Indexes FollowSymLinks | 47 | Options Indexes FollowSymLinks |
| 49 | AllowOverride None | 48 | AllowOverride None |
| 50 | Require all granted | 49 | Require all granted |
| @@ -64,7 +63,7 @@ in { | |||
| 64 | AllowOverride None | 63 | AllowOverride None |
| 65 | Require all granted | 64 | Require all granted |
| 66 | <FilesMatch "\.php$"> | 65 | <FilesMatch "\.php$"> |
| 67 | SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" | 66 | SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" |
| 68 | </FilesMatch> | 67 | </FilesMatch> |
| 69 | </Directory> | 68 | </Directory> |
| 70 | '' | 69 | '' |
diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix index f6e1772..1bb6ac8 100644 --- a/modules/private/websites/papa/surveillance.nix +++ b/modules/private/websites/papa/surveillance.nix | |||
| @@ -6,7 +6,7 @@ in { | |||
| 6 | options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; | 6 | options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; |
| 7 | 7 | ||
| 8 | config = lib.mkIf cfg.enable { | 8 | config = lib.mkIf cfg.enable { |
| 9 | security.acme2.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; | 9 | security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; |
| 10 | 10 | ||
| 11 | services.cron = { | 11 | services.cron = { |
| 12 | systemCronJobs = let | 12 | systemCronJobs = let |
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 5907bc8..76523ed 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix | |||
| @@ -23,16 +23,18 @@ in { | |||
| 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 24 | ]; | 24 | ]; |
| 25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
| 26 | phpPool = '' | 26 | phpPool = { |
| 27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
| 29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
| 30 | env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} | 30 | "pm" = "ondemand"; |
| 31 | pm = ondemand | 31 | "pm.max_children" = "5"; |
| 32 | pm.max_children = 5 | 32 | "pm.process_idle_timeout" = "60"; |
| 33 | pm.process_idle_timeout = 60 | 33 | }; |
| 34 | env[SYMFONY_DEBUG_MODE] = "yes" | 34 | phpEnv = { |
| 35 | ''; | 35 | PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; |
| 36 | SYMFONY_DEBUG_MODE = "yes"; | ||
| 37 | }; | ||
| 36 | phpWatchFiles = [ | 38 | phpWatchFiles = [ |
| 37 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" | 39 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" |
| 38 | ]; | 40 | ]; |
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index e4e29c7..d3e5c2b 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix | |||
| @@ -24,17 +24,19 @@ in { | |||
| 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
| 25 | ]; | 25 | ]; |
| 26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
| 27 | phpPool = '' | 27 | phpPool = { |
| 28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
| 29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
| 30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
| 31 | env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} | 31 | "pm" = "dynamic"; |
| 32 | pm = dynamic | 32 | "pm.max_children" = "20"; |
| 33 | pm.max_children = 20 | 33 | "pm.start_servers" = "2"; |
| 34 | pm.start_servers = 2 | 34 | "pm.min_spare_servers" = "1"; |
| 35 | pm.min_spare_servers = 1 | 35 | "pm.max_spare_servers" = "3"; |
| 36 | pm.max_spare_servers = 3 | 36 | }; |
| 37 | ''; | 37 | phpEnv = { |
| 38 | PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; | ||
| 39 | }; | ||
| 38 | phpWatchFiles = [ | 40 | phpWatchFiles = [ |
| 39 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" | 41 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" |
| 40 | ]; | 42 | ]; |
diff --git a/modules/private/websites/teliotortay/production.nix b/modules/private/websites/teliotortay/production.nix index 2c62d10..62762ec 100644 --- a/modules/private/websites/teliotortay/production.nix +++ b/modules/private/websites/teliotortay/production.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
| 2 | let | 2 | let |
| 3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
| 4 | cfg = config.myServices.websites.telioTortay.production; | 4 | cfg = config.myServices.websites.telioTortay.production; |
| 5 | varDir = "/var/lib/ftp/telio_tortay"; | 5 | varDir = "/var/lib/ftp/telio_tortay"; |
| 6 | env = config.myEnv.websites.telioTortay; | 6 | env = config.myEnv.websites.telioTortay; |
| @@ -10,7 +10,7 @@ in { | |||
| 10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
| 11 | services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; | 11 | services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; |
| 12 | 12 | ||
| 13 | security.acme2.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; | 13 | security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; |
| 14 | 14 | ||
| 15 | system.activationScripts.telio-tortay = { | 15 | system.activationScripts.telio-tortay = { |
| 16 | deps = [ "httpd" ]; | 16 | deps = [ "httpd" ]; |
| @@ -22,20 +22,19 @@ in { | |||
| 22 | systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; | 22 | systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; |
| 23 | systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; | 23 | systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; |
| 24 | services.phpfpm.pools.telio-tortay = { | 24 | services.phpfpm.pools.telio-tortay = { |
| 25 | listen = "/run/phpfpm/telio-tortay.sock"; | 25 | user = "wwwrun"; |
| 26 | extraConfig = '' | 26 | group = "wwwrun"; |
| 27 | user = wwwrun | 27 | settings = { |
| 28 | group = wwwrun | 28 | "listen.owner" = "wwwrun"; |
| 29 | listen.owner = wwwrun | 29 | "listen.group" = "wwwrun"; |
| 30 | listen.group = wwwrun | ||
| 31 | 30 | ||
| 32 | pm = ondemand | 31 | "pm" = "ondemand"; |
| 33 | pm.max_children = 5 | 32 | "pm.max_children" = "5"; |
| 34 | pm.process_idle_timeout = 60 | 33 | "pm.process_idle_timeout" = "60"; |
| 35 | 34 | ||
| 36 | php_admin_value[open_basedir] = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp" | 35 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp"; |
| 37 | php_admin_value[session.save_path] = "/var/lib/php/sessions/telio-tortay" | 36 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/telio-tortay"; |
| 38 | ''; | 37 | }; |
| 39 | phpOptions = config.services.phpfpm.phpOptions + '' | 38 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 40 | disable_functions = "mail" | 39 | disable_functions = "mail" |
| 41 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 40 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| @@ -48,7 +47,7 @@ in { | |||
| 48 | hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; | 47 | hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; |
| 49 | root = varDir; | 48 | root = varDir; |
| 50 | extraConfig = [ | 49 | extraConfig = [ |
| 51 | adminer.apache.vhostConf | 50 | (adminer.apache.vhostConf null) |
| 52 | '' | 51 | '' |
| 53 | Use Stats telio-tortay.immae.eu | 52 | Use Stats telio-tortay.immae.eu |
| 54 | ServerAdmin ${env.server_admin} | 53 | ServerAdmin ${env.server_admin} |
| @@ -56,7 +55,7 @@ in { | |||
| 56 | CustomLog "${varDir}/logs/access_log" combined | 55 | CustomLog "${varDir}/logs/access_log" combined |
| 57 | 56 | ||
| 58 | <FilesMatch "\.php$"> | 57 | <FilesMatch "\.php$"> |
| 59 | SetHandler "proxy:unix:/run/phpfpm/telio-tortay.sock|fcgi://localhost" | 58 | SetHandler "proxy:unix:${config.services.phpfpm.pools.telio-tortay.socket}|fcgi://localhost" |
| 60 | </FilesMatch> | 59 | </FilesMatch> |
| 61 | 60 | ||
| 62 | <Directory ${varDir}/logs> | 61 | <Directory ${varDir}/logs> |
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix index 4785074..b9bb32f 100644 --- a/modules/private/websites/tools/cloud/default.nix +++ b/modules/private/websites/tools/cloud/default.nix | |||
| @@ -10,37 +10,34 @@ let | |||
| 10 | basedir = builtins.concatStringsSep ":" ( | 10 | basedir = builtins.concatStringsSep ":" ( |
| 11 | [ nextcloud varDir ] | 11 | [ nextcloud varDir ] |
| 12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); | 12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); |
| 13 | socket = "/var/run/phpfpm/nextcloud.sock"; | ||
| 14 | phpConfig = '' | 13 | phpConfig = '' |
| 15 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | 14 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so |
| 16 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so | 15 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so |
| 17 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | 16 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so |
| 18 | ''; | 17 | ''; |
| 19 | pool = '' | 18 | pool = { |
| 20 | user = wwwrun | 19 | "listen.owner" = "wwwrun"; |
| 21 | group = wwwrun | 20 | "listen.group" = "wwwrun"; |
| 22 | listen.owner = wwwrun | 21 | "pm" = "ondemand"; |
| 23 | listen.group = wwwrun | 22 | "pm.max_children" = "60"; |
| 24 | pm = ondemand | 23 | "pm.process_idle_timeout" = "60"; |
| 25 | pm.max_children = 60 | ||
| 26 | pm.process_idle_timeout = 60 | ||
| 27 | 24 | ||
| 28 | php_admin_value[output_buffering] = 0 | 25 | "php_admin_value[output_buffering]" = "0"; |
| 29 | php_admin_value[max_execution_time] = 1800 | 26 | "php_admin_value[max_execution_time]" = "1800"; |
| 30 | php_admin_value[zend_extension] = "opcache" | 27 | "php_admin_value[zend_extension]" = "opcache"; |
| 31 | ;already enabled by default? | 28 | #already enabled by default? |
| 32 | ;php_value[opcache.enable] = 1 | 29 | #"php_value[opcache.enable]" = "1"; |
| 33 | php_value[opcache.enable_cli] = 1 | 30 | "php_value[opcache.enable_cli]" = "1"; |
| 34 | php_value[opcache.interned_strings_buffer] = 8 | 31 | "php_value[opcache.interned_strings_buffer]" = "8"; |
| 35 | php_value[opcache.max_accelerated_files] = 10000 | 32 | "php_value[opcache.max_accelerated_files]" = "10000"; |
| 36 | php_value[opcache.memory_consumption] = 128 | 33 | "php_value[opcache.memory_consumption]" = "128"; |
| 37 | php_value[opcache.save_comments] = 1 | 34 | "php_value[opcache.save_comments]" = "1"; |
| 38 | php_value[opcache.revalidate_freq] = 1 | 35 | "php_value[opcache.revalidate_freq]" = "1"; |
| 39 | php_admin_value[memory_limit] = 512M | 36 | "php_admin_value[memory_limit]" = "512M"; |
| 40 | 37 | ||
| 41 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" | 38 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"; |
| 42 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 39 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 43 | ''; | 40 | }; |
| 44 | }; | 41 | }; |
| 45 | in { | 42 | in { |
| 46 | options.myServices.websites.tools.cloud = { | 43 | options.myServices.websites.tools.cloud = { |
| @@ -71,7 +68,7 @@ in { | |||
| 71 | </IfModule> | 68 | </IfModule> |
| 72 | <FilesMatch "\.php$"> | 69 | <FilesMatch "\.php$"> |
| 73 | CGIPassAuth on | 70 | CGIPassAuth on |
| 74 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 71 | SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost" |
| 75 | </FilesMatch> | 72 | </FilesMatch> |
| 76 | 73 | ||
| 77 | </Directory> | 74 | </Directory> |
| @@ -171,8 +168,9 @@ in { | |||
| 171 | ''; | 168 | ''; |
| 172 | 169 | ||
| 173 | services.phpfpm.pools.nextcloud = { | 170 | services.phpfpm.pools.nextcloud = { |
| 174 | listen = phpFpm.socket; | 171 | user = "wwwrun"; |
| 175 | extraConfig = phpFpm.pool; | 172 | group = "wwwrun"; |
| 173 | settings = phpFpm.pool; | ||
| 176 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; | 174 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; |
| 177 | }; | 175 | }; |
| 178 | 176 | ||
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index 5eb3fab..9d6cd21 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix | |||
| @@ -73,7 +73,7 @@ rec { | |||
| 73 | modules = [ "proxy_fcgi" ]; | 73 | modules = [ "proxy_fcgi" ]; |
| 74 | webappName = "tools_davical"; | 74 | webappName = "tools_davical"; |
| 75 | root = "/run/current-system/webapps/${webappName}"; | 75 | root = "/run/current-system/webapps/${webappName}"; |
| 76 | vhostConf = '' | 76 | vhostConf = socket: '' |
| 77 | Alias /davical "${root}" | 77 | Alias /davical "${root}" |
| 78 | Alias /caldav.php "${root}/caldav.php" | 78 | Alias /caldav.php "${root}/caldav.php" |
| 79 | <Directory "${root}"> | 79 | <Directory "${root}"> |
| @@ -84,7 +84,7 @@ rec { | |||
| 84 | 84 | ||
| 85 | <FilesMatch "\.php$"> | 85 | <FilesMatch "\.php$"> |
| 86 | CGIPassAuth on | 86 | CGIPassAuth on |
| 87 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 87 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 88 | </FilesMatch> | 88 | </FilesMatch> |
| 89 | 89 | ||
| 90 | RewriteEngine On | 90 | RewriteEngine On |
| @@ -111,28 +111,25 @@ rec { | |||
| 111 | phpFpm = rec { | 111 | phpFpm = rec { |
| 112 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 112 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 113 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; | 113 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; |
| 114 | socket = "/var/run/phpfpm/davical.sock"; | 114 | pool = { |
| 115 | pool = '' | 115 | "listen.owner" = apache.user; |
| 116 | user = ${apache.user} | 116 | "listen.group" = apache.group; |
| 117 | group = ${apache.group} | 117 | "pm" = "dynamic"; |
| 118 | listen.owner = ${apache.user} | 118 | "pm.max_children" = "60"; |
| 119 | listen.group = ${apache.group} | 119 | "pm.start_servers" = "2"; |
| 120 | pm = dynamic | 120 | "pm.min_spare_servers" = "1"; |
| 121 | pm.max_children = 60 | 121 | "pm.max_spare_servers" = "10"; |
| 122 | pm.start_servers = 2 | ||
| 123 | pm.min_spare_servers = 1 | ||
| 124 | pm.max_spare_servers = 10 | ||
| 125 | 122 | ||
| 126 | ; Needed to avoid clashes in browser cookies (same domain) | 123 | # Needed to avoid clashes in browser cookies (same domain) |
| 127 | php_value[session.name] = DavicalPHPSESSID | 124 | "php_value[session.name]" = "DavicalPHPSESSID"; |
| 128 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical" | 125 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/davical"; |
| 129 | php_admin_value[include_path] = "${awl}/inc:${webapp}/inc" | 126 | "php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc"; |
| 130 | php_admin_value[session.save_path] = "/var/lib/php/sessions/davical" | 127 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/davical"; |
| 131 | php_flag[magic_quotes_gpc] = Off | 128 | "php_flag[magic_quotes_gpc]" = "Off"; |
| 132 | php_flag[register_globals] = Off | 129 | "php_flag[register_globals]" = "Off"; |
| 133 | php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE" | 130 | "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE"; |
| 134 | php_admin_value[default_charset] = "utf-8" | 131 | "php_admin_value[default_charset]" = "utf-8"; |
| 135 | php_flag[magic_quotes_runtime] = Off | 132 | "php_flag[magic_quotes_runtime]" = "Off"; |
| 136 | ''; | 133 | }; |
| 137 | }; | 134 | }; |
| 138 | } | 135 | } |
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix index 0012965..30a562c 100644 --- a/modules/private/websites/tools/dav/default.nix +++ b/modules/private/websites/tools/dav/default.nix | |||
| @@ -38,14 +38,15 @@ in { | |||
| 38 | root = "/run/current-system/webapps/_dav"; | 38 | root = "/run/current-system/webapps/_dav"; |
| 39 | extraConfig = [ | 39 | extraConfig = [ |
| 40 | infcloud.vhostConf | 40 | infcloud.vhostConf |
| 41 | davical.apache.vhostConf | 41 | (davical.apache.vhostConf config.services.phpfpm.pools.davical.socket) |
| 42 | ]; | 42 | ]; |
| 43 | }; | 43 | }; |
| 44 | 44 | ||
| 45 | services.phpfpm.pools = { | 45 | services.phpfpm.pools = { |
| 46 | davical = { | 46 | davical = { |
| 47 | listen = davical.phpFpm.socket; | 47 | user = config.services.httpd.Tools.user; |
| 48 | extraConfig = davical.phpFpm.pool; | 48 | group = config.services.httpd.Tools.group; |
| 49 | settings = davical.phpFpm.pool; | ||
| 49 | }; | 50 | }; |
| 50 | }; | 51 | }; |
| 51 | 52 | ||
diff --git a/modules/private/websites/tools/db/default.nix b/modules/private/websites/tools/db/default.nix index 60592e5..fc8d989 100644 --- a/modules/private/websites/tools/db/default.nix +++ b/modules/private/websites/tools/db/default.nix | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
| 2 | let | 2 | let |
| 3 | adminer = pkgs.callPackage ../../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../../commons/adminer.nix { inherit config; }; |
| 4 | 4 | ||
| 5 | cfg = config.myServices.websites.tools.db; | 5 | cfg = config.myServices.websites.tools.db; |
| 6 | in { | 6 | in { |
| @@ -15,7 +15,7 @@ in { | |||
| 15 | addToCerts = true; | 15 | addToCerts = true; |
| 16 | hosts = ["db-1.immae.eu" ]; | 16 | hosts = ["db-1.immae.eu" ]; |
| 17 | root = null; | 17 | root = null; |
| 18 | extraConfig = [ adminer.apache.vhostConf ]; | 18 | extraConfig = [ (adminer.apache.vhostConf null) ]; |
| 19 | }; | 19 | }; |
| 20 | }; | 20 | }; |
| 21 | } | 21 | } |
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix index 054e47b..56e4401 100644 --- a/modules/private/websites/tools/git/default.nix +++ b/modules/private/websites/tools/git/default.nix | |||
| @@ -30,7 +30,7 @@ in { | |||
| 30 | root = gitweb.apache.root; | 30 | root = gitweb.apache.root; |
| 31 | extraConfig = [ | 31 | extraConfig = [ |
| 32 | gitweb.apache.vhostConf | 32 | gitweb.apache.vhostConf |
| 33 | mantisbt.apache.vhostConf | 33 | (mantisbt.apache.vhostConf config.services.phpfpm.pools.mantisbt.socket) |
| 34 | '' | 34 | '' |
| 35 | RewriteEngine on | 35 | RewriteEngine on |
| 36 | RewriteCond %{REQUEST_URI} ^/releases | 36 | RewriteCond %{REQUEST_URI} ^/releases |
| @@ -40,8 +40,9 @@ in { | |||
| 40 | }; | 40 | }; |
| 41 | services.phpfpm.pools = { | 41 | services.phpfpm.pools = { |
| 42 | mantisbt = { | 42 | mantisbt = { |
| 43 | listen = mantisbt.phpFpm.socket; | 43 | user = config.services.httpd.Tools.user; |
| 44 | extraConfig = mantisbt.phpFpm.pool; | 44 | group = config.services.httpd.Tools.group; |
| 45 | settings = mantisbt.phpFpm.pool; | ||
| 45 | }; | 46 | }; |
| 46 | }; | 47 | }; |
| 47 | }; | 48 | }; |
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index d75b022..50851aa 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix | |||
| @@ -53,12 +53,12 @@ rec { | |||
| 53 | modules = [ "proxy_fcgi" ]; | 53 | modules = [ "proxy_fcgi" ]; |
| 54 | webappName = "tools_mantisbt"; | 54 | webappName = "tools_mantisbt"; |
| 55 | root = "/run/current-system/webapps/${webappName}"; | 55 | root = "/run/current-system/webapps/${webappName}"; |
| 56 | vhostConf = '' | 56 | vhostConf = socket: '' |
| 57 | Alias /mantisbt "${root}" | 57 | Alias /mantisbt "${root}" |
| 58 | <Directory "${root}"> | 58 | <Directory "${root}"> |
| 59 | DirectoryIndex index.php | 59 | DirectoryIndex index.php |
| 60 | <FilesMatch "\.php$"> | 60 | <FilesMatch "\.php$"> |
| 61 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 61 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 62 | </FilesMatch> | 62 | </FilesMatch> |
| 63 | 63 | ||
| 64 | AllowOverride All | 64 | AllowOverride All |
| @@ -76,20 +76,17 @@ rec { | |||
| 76 | basedir = builtins.concatStringsSep ":" ( | 76 | basedir = builtins.concatStringsSep ":" ( |
| 77 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] | 77 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] |
| 78 | ++ webRoot.plugins); | 78 | ++ webRoot.plugins); |
| 79 | socket = "/var/run/phpfpm/mantisbt.sock"; | 79 | pool = { |
| 80 | pool = '' | 80 | "listen.owner" = apache.user; |
| 81 | user = ${apache.user} | 81 | "listen.group" = apache.group; |
| 82 | group = ${apache.group} | 82 | "pm" = "ondemand"; |
| 83 | listen.owner = ${apache.user} | 83 | "pm.max_children" = "60"; |
| 84 | listen.group = ${apache.group} | 84 | "pm.process_idle_timeout" = "60"; |
| 85 | pm = ondemand | ||
| 86 | pm.max_children = 60 | ||
| 87 | pm.process_idle_timeout = 60 | ||
| 88 | 85 | ||
| 89 | php_admin_value[upload_max_filesize] = 5000000 | 86 | "php_admin_value[upload_max_filesize]" = "5000000"; |
| 90 | 87 | ||
| 91 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt" | 88 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"; |
| 92 | php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt" | 89 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/mantisbt"; |
| 93 | ''; | 90 | }; |
| 94 | }; | 91 | }; |
| 95 | } | 92 | } |
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index bb36042..1f7f7bf 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix | |||
| @@ -6,6 +6,7 @@ let | |||
| 6 | }; | 6 | }; |
| 7 | rainloop = pkgs.callPackage ./rainloop.nix {}; | 7 | rainloop = pkgs.callPackage ./rainloop.nix {}; |
| 8 | cfg = config.myServices.websites.tools.email; | 8 | cfg = config.myServices.websites.tools.email; |
| 9 | pcfg = config.services.phpfpm.pools; | ||
| 9 | in | 10 | in |
| 10 | { | 11 | { |
| 11 | options.myServices.websites.tools.email = { | 12 | options.myServices.websites.tools.email = { |
| @@ -34,8 +35,8 @@ in | |||
| 34 | hosts = ["mail.immae.eu"]; | 35 | hosts = ["mail.immae.eu"]; |
| 35 | root = "/run/current-system/webapps/_mail"; | 36 | root = "/run/current-system/webapps/_mail"; |
| 36 | extraConfig = [ | 37 | extraConfig = [ |
| 37 | rainloop.apache.vhostConf | 38 | (rainloop.apache.vhostConf pcfg.rainloop.socket) |
| 38 | roundcubemail.apache.vhostConf | 39 | (roundcubemail.apache.vhostConf pcfg.roundcubemail.socket) |
| 39 | '' | 40 | '' |
| 40 | <Directory /run/current-system/webapps/_mail> | 41 | <Directory /run/current-system/webapps/_mail> |
| 41 | Require all granted | 42 | Require all granted |
| @@ -56,13 +57,15 @@ in | |||
| 56 | }; | 57 | }; |
| 57 | 58 | ||
| 58 | services.phpfpm.pools.roundcubemail = { | 59 | services.phpfpm.pools.roundcubemail = { |
| 59 | listen = roundcubemail.phpFpm.socket; | 60 | user = "wwwrun"; |
| 60 | extraConfig = roundcubemail.phpFpm.pool; | 61 | group = "wwwrun"; |
| 62 | settings = roundcubemail.phpFpm.pool; | ||
| 61 | phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; | 63 | phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; |
| 62 | }; | 64 | }; |
| 63 | services.phpfpm.pools.rainloop = { | 65 | services.phpfpm.pools.rainloop = { |
| 64 | listen = rainloop.phpFpm.socket; | 66 | user = "wwwrun"; |
| 65 | extraConfig = rainloop.phpFpm.pool; | 67 | group = "wwwrun"; |
| 68 | settings = rainloop.phpFpm.pool; | ||
| 66 | }; | 69 | }; |
| 67 | system.activationScripts = { | 70 | system.activationScripts = { |
| 68 | roundcubemail = roundcubemail.activationScript; | 71 | roundcubemail = roundcubemail.activationScript; |
diff --git a/modules/private/websites/tools/mail/rainloop.nix b/modules/private/websites/tools/mail/rainloop.nix index 2dad46e..9b1f0c5 100644 --- a/modules/private/websites/tools/mail/rainloop.nix +++ b/modules/private/websites/tools/mail/rainloop.nix | |||
| @@ -16,7 +16,7 @@ rec { | |||
| 16 | modules = [ "proxy_fcgi" ]; | 16 | modules = [ "proxy_fcgi" ]; |
| 17 | webappName = "tools_rainloop"; | 17 | webappName = "tools_rainloop"; |
| 18 | root = "/run/current-system/webapps/${webappName}"; | 18 | root = "/run/current-system/webapps/${webappName}"; |
| 19 | vhostConf = '' | 19 | vhostConf = socket: '' |
| 20 | Alias /rainloop "${root}" | 20 | Alias /rainloop "${root}" |
| 21 | <Directory "${root}"> | 21 | <Directory "${root}"> |
| 22 | DirectoryIndex index.php | 22 | DirectoryIndex index.php |
| @@ -25,7 +25,7 @@ rec { | |||
| 25 | Require all granted | 25 | Require all granted |
| 26 | 26 | ||
| 27 | <FilesMatch "\.php$"> | 27 | <FilesMatch "\.php$"> |
| 28 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 28 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 29 | </FilesMatch> | 29 | </FilesMatch> |
| 30 | </Directory> | 30 | </Directory> |
| 31 | 31 | ||
| @@ -37,22 +37,19 @@ rec { | |||
| 37 | phpFpm = rec { | 37 | phpFpm = rec { |
| 38 | serviceDeps = [ "postgresql.service" ]; | 38 | serviceDeps = [ "postgresql.service" ]; |
| 39 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 39 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
| 40 | socket = "/var/run/phpfpm/rainloop.sock"; | 40 | pool = { |
| 41 | pool = '' | 41 | "listen.owner" = apache.user; |
| 42 | user = ${apache.user} | 42 | "listen.group" = apache.group; |
| 43 | group = ${apache.group} | 43 | "pm" = "ondemand"; |
| 44 | listen.owner = ${apache.user} | 44 | "pm.max_children" = "60"; |
| 45 | listen.group = ${apache.group} | 45 | "pm.process_idle_timeout" = "60"; |
| 46 | pm = ondemand | ||
| 47 | pm.max_children = 60 | ||
| 48 | pm.process_idle_timeout = 60 | ||
| 49 | 46 | ||
| 50 | ; Needed to avoid clashes in browser cookies (same domain) | 47 | # Needed to avoid clashes in browser cookies (same domain) |
| 51 | php_value[session.name] = RainloopPHPSESSID | 48 | "php_value[session.name]" = "RainloopPHPSESSID"; |
| 52 | php_admin_value[upload_max_filesize] = 200M | 49 | "php_admin_value[upload_max_filesize]" = "200M"; |
| 53 | php_admin_value[post_max_size] = 200M | 50 | "php_admin_value[post_max_size]" = "200M"; |
| 54 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 51 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
| 55 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 52 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 56 | ''; | 53 | }; |
| 57 | }; | 54 | }; |
| 58 | } | 55 | } |
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 35de312..0b35d02 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix | |||
| @@ -83,7 +83,7 @@ rec { | |||
| 83 | modules = [ "proxy_fcgi" ]; | 83 | modules = [ "proxy_fcgi" ]; |
| 84 | webappName = "tools_roundcubemail"; | 84 | webappName = "tools_roundcubemail"; |
| 85 | root = "/run/current-system/webapps/${webappName}"; | 85 | root = "/run/current-system/webapps/${webappName}"; |
| 86 | vhostConf = '' | 86 | vhostConf = socket: '' |
| 87 | Alias /roundcube "${root}" | 87 | Alias /roundcube "${root}" |
| 88 | <Directory "${root}"> | 88 | <Directory "${root}"> |
| 89 | DirectoryIndex index.php | 89 | DirectoryIndex index.php |
| @@ -92,7 +92,7 @@ rec { | |||
| 92 | Require all granted | 92 | Require all granted |
| 93 | 93 | ||
| 94 | <FilesMatch "\.php$"> | 94 | <FilesMatch "\.php$"> |
| 95 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 95 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 96 | </FilesMatch> | 96 | </FilesMatch> |
| 97 | </Directory> | 97 | </Directory> |
| 98 | ''; | 98 | ''; |
| @@ -107,22 +107,19 @@ rec { | |||
| 107 | date.timezone = 'CET' | 107 | date.timezone = 'CET' |
| 108 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so | 108 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so |
| 109 | ''; | 109 | ''; |
| 110 | socket = "/var/run/phpfpm/roundcubemail.sock"; | 110 | pool = { |
| 111 | pool = '' | 111 | "listen.owner" = apache.user; |
| 112 | user = ${apache.user} | 112 | "listen.group" = apache.group; |
| 113 | group = ${apache.group} | 113 | "pm" = "ondemand"; |
| 114 | listen.owner = ${apache.user} | 114 | "pm.max_children" = "60"; |
| 115 | listen.group = ${apache.group} | 115 | "pm.process_idle_timeout" = "60"; |
| 116 | pm = ondemand | ||
| 117 | pm.max_children = 60 | ||
| 118 | pm.process_idle_timeout = 60 | ||
| 119 | 116 | ||
| 120 | ; Needed to avoid clashes in browser cookies (same domain) | 117 | # Needed to avoid clashes in browser cookies (same domain) |
| 121 | php_value[session.name] = RoundcubemailPHPSESSID | 118 | "php_value[session.name]" = "RoundcubemailPHPSESSID"; |
| 122 | php_admin_value[upload_max_filesize] = 200M | 119 | "php_admin_value[upload_max_filesize]" = "200M"; |
| 123 | php_admin_value[post_max_size] = 200M | 120 | "php_admin_value[post_max_size]" = "200M"; |
| 124 | php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp" | 121 | "php_admin_value[open_basedir]" = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"; |
| 125 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 122 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 126 | ''; | 123 | }; |
| 127 | }; | 124 | }; |
| 128 | } | 125 | } |
diff --git a/modules/private/websites/tools/tools/adminer.nix b/modules/private/websites/tools/tools/adminer.nix index 907e37f..52a132c 100644 --- a/modules/private/websites/tools/tools/adminer.nix +++ b/modules/private/websites/tools/tools/adminer.nix | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | { adminer }: | 1 | { adminer, php73, forcePhpSocket ? null }: |
| 2 | rec { | 2 | rec { |
| 3 | activationScript = { | 3 | activationScript = { |
| 4 | deps = [ "httpd" ]; | 4 | deps = [ "httpd" ]; |
| @@ -9,22 +9,33 @@ rec { | |||
| 9 | }; | 9 | }; |
| 10 | webRoot = adminer; | 10 | webRoot = adminer; |
| 11 | phpFpm = rec { | 11 | phpFpm = rec { |
| 12 | socket = "/var/run/phpfpm/adminer.sock"; | 12 | user = apache.user; |
| 13 | pool = '' | 13 | group = apache.group; |
| 14 | user = ${apache.user} | 14 | phpPackage = (php73.override { |
| 15 | group = ${apache.group} | 15 | config.php.mysqlnd = true; |
| 16 | listen.owner = ${apache.user} | 16 | config.php.mysqli = false; |
| 17 | listen.group = ${apache.group} | 17 | config.php.pdo-mysql = false; |
| 18 | pm = ondemand | 18 | }).overrideAttrs(old: rec { |
| 19 | pm.max_children = 5 | 19 | configureFlags = old.configureFlags ++ [ |
| 20 | pm.process_idle_timeout = 60 | 20 | "--with-mysqli=shared,mysqlnd" |
| 21 | ;php_admin_flag[log_errors] = on | 21 | ]; |
| 22 | ; Needed to avoid clashes in browser cookies (same domain) | 22 | }); |
| 23 | php_value[session.name] = AdminerPHPSESSID | 23 | phpOptions = '' |
| 24 | php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer" | 24 | extension=${phpPackage}/lib/php/extensions/mysqli.so |
| 25 | php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer" | 25 | ''; |
| 26 | php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer" | 26 | settings = { |
| 27 | ''; | 27 | "listen.owner" = apache.user; |
| 28 | "listen.group" = apache.group; | ||
| 29 | "pm" = "ondemand"; | ||
| 30 | "pm.max_children" = "5"; | ||
| 31 | "pm.process_idle_timeout" = "60"; | ||
| 32 | #"php_admin_flag[log_errors]" = "on"; | ||
| 33 | # Needed to avoid clashes in browser cookies (same domain) | ||
| 34 | "php_value[session.name]" = "AdminerPHPSESSID"; | ||
| 35 | "php_admin_value[open_basedir]" = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"; | ||
| 36 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/adminer"; | ||
| 37 | "php_admin_value[upload_tmp_dir]" = "/var/lib/php/tmp/adminer"; | ||
| 38 | }; | ||
| 28 | }; | 39 | }; |
| 29 | apache = rec { | 40 | apache = rec { |
| 30 | user = "wwwrun"; | 41 | user = "wwwrun"; |
| @@ -32,12 +43,12 @@ rec { | |||
| 32 | modules = [ "proxy_fcgi" ]; | 43 | modules = [ "proxy_fcgi" ]; |
| 33 | webappName = "_adminer"; | 44 | webappName = "_adminer"; |
| 34 | root = "/run/current-system/webapps/${webappName}"; | 45 | root = "/run/current-system/webapps/${webappName}"; |
| 35 | vhostConf = '' | 46 | vhostConf = socket: '' |
| 36 | Alias /adminer ${root} | 47 | Alias /adminer ${root} |
| 37 | <Directory ${root}> | 48 | <Directory ${root}> |
| 38 | DirectoryIndex index.php | 49 | DirectoryIndex index.php |
| 39 | <FilesMatch "\.php$"> | 50 | <FilesMatch "\.php$"> |
| 40 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 51 | SetHandler "proxy:unix:${if forcePhpSocket != null then forcePhpSocket else socket}|fcgi://localhost" |
| 41 | </FilesMatch> | 52 | </FilesMatch> |
| 42 | 53 | ||
| 43 | Use LDAPConnect | 54 | Use LDAPConnect |
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 5dc0981..5e0d446 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix | |||
| @@ -40,6 +40,7 @@ let | |||
| 40 | }; | 40 | }; |
| 41 | 41 | ||
| 42 | cfg = config.myServices.websites.tools.tools; | 42 | cfg = config.myServices.websites.tools.tools; |
| 43 | pcfg = config.services.phpfpm.pools; | ||
| 43 | in { | 44 | in { |
| 44 | options.myServices.websites.tools.tools = { | 45 | options.myServices.websites.tools.tools = { |
| 45 | enable = lib.mkEnableOption "enable tools website"; | 46 | enable = lib.mkEnableOption "enable tools website"; |
| @@ -92,7 +93,7 @@ in { | |||
| 92 | AllowOverride all | 93 | AllowOverride all |
| 93 | Require all granted | 94 | Require all granted |
| 94 | <FilesMatch "\.php$"> | 95 | <FilesMatch "\.php$"> |
| 95 | SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost" | 96 | SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost" |
| 96 | </FilesMatch> | 97 | </FilesMatch> |
| 97 | </Directory> | 98 | </Directory> |
| 98 | '' | 99 | '' |
| @@ -115,21 +116,21 @@ in { | |||
| 115 | AllowOverride all | 116 | AllowOverride all |
| 116 | Require all granted | 117 | Require all granted |
| 117 | <FilesMatch "\.php$"> | 118 | <FilesMatch "\.php$"> |
| 118 | SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost" | 119 | SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost" |
| 119 | </FilesMatch> | 120 | </FilesMatch> |
| 120 | </Directory> | 121 | </Directory> |
| 121 | '' | 122 | '' |
| 122 | adminer.apache.vhostConf | 123 | (adminer.apache.vhostConf pcfg.adminer.socket) |
| 123 | ympd.apache.vhostConf | 124 | ympd.apache.vhostConf |
| 124 | ttrss.apache.vhostConf | 125 | (ttrss.apache.vhostConf pcfg.ttrss.socket) |
| 125 | wallabag.apache.vhostConf | 126 | (wallabag.apache.vhostConf pcfg.wallabag.socket) |
| 126 | yourls.apache.vhostConf | 127 | (yourls.apache.vhostConf pcfg.yourls.socket) |
| 127 | rompr.apache.vhostConf | 128 | (rompr.apache.vhostConf pcfg.rompr.socket) |
| 128 | shaarli.apache.vhostConf | 129 | (shaarli.apache.vhostConf pcfg.shaarli.socket) |
| 129 | dokuwiki.apache.vhostConf | 130 | (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket) |
| 130 | ldap.apache.vhostConf | 131 | (ldap.apache.vhostConf pcfg.ldap.socket) |
| 131 | kanboard.apache.vhostConf | 132 | (kanboard.apache.vhostConf pcfg.kanboard.socket) |
| 132 | grocy.apache.vhostConf | 133 | (grocy.apache.vhostConf pcfg.grocy.socket) |
| 133 | ]; | 134 | ]; |
| 134 | }; | 135 | }; |
| 135 | 136 | ||
| @@ -226,38 +227,36 @@ in { | |||
| 226 | 227 | ||
| 227 | services.phpfpm.pools = { | 228 | services.phpfpm.pools = { |
| 228 | tools = { | 229 | tools = { |
| 229 | listen = "/var/run/phpfpm/tools.sock"; | 230 | user = "wwwrun"; |
| 230 | extraConfig = '' | 231 | group = "wwwrun"; |
| 231 | user = wwwrun | 232 | settings = { |
| 232 | group = wwwrun | 233 | "listen.owner" = "wwwrun"; |
| 233 | listen.owner = wwwrun | 234 | "listen.group" = "wwwrun"; |
| 234 | listen.group = wwwrun | 235 | "pm" = "dynamic"; |
| 235 | pm = dynamic | 236 | "pm.max_children" = "60"; |
| 236 | pm.max_children = 60 | 237 | "pm.start_servers" = "2"; |
| 237 | pm.start_servers = 2 | 238 | "pm.min_spare_servers" = "1"; |
| 238 | pm.min_spare_servers = 1 | 239 | "pm.max_spare_servers" = "10"; |
| 239 | pm.max_spare_servers = 10 | ||
| 240 | 240 | ||
| 241 | ; Needed to avoid clashes in browser cookies (same domain) | 241 | # Needed to avoid clashes in browser cookies (same domain) |
| 242 | php_value[session.name] = ToolsPHPSESSID | 242 | "php_value[session.name]" = "ToolsPHPSESSID"; |
| 243 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp" | 243 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"; |
| 244 | ''; | 244 | }; |
| 245 | }; | 245 | }; |
| 246 | devtools = { | 246 | devtools = { |
| 247 | listen = "/var/run/phpfpm/devtools.sock"; | 247 | user = "wwwrun"; |
| 248 | extraConfig = '' | 248 | group = "wwwrun"; |
| 249 | user = wwwrun | 249 | settings = { |
| 250 | group = wwwrun | 250 | "listen.owner" = "wwwrun"; |
| 251 | listen.owner = wwwrun | 251 | "listen.group" = "wwwrun"; |
| 252 | listen.group = wwwrun | 252 | "pm" = "dynamic"; |
| 253 | pm = dynamic | 253 | "pm.max_children" = "60"; |
| 254 | pm.max_children = 60 | 254 | "pm.start_servers" = "2"; |
| 255 | pm.start_servers = 2 | 255 | "pm.min_spare_servers" = "1"; |
| 256 | pm.min_spare_servers = 1 | 256 | "pm.max_spare_servers" = "10"; |
| 257 | pm.max_spare_servers = 10 | ||
| 258 | 257 | ||
| 259 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp" | 258 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"; |
| 260 | ''; | 259 | }; |
| 261 | phpOptions = config.services.phpfpm.phpOptions + '' | 260 | phpOptions = config.services.phpfpm.phpOptions + '' |
| 262 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 261 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
| 263 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | 262 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so |
| @@ -265,45 +264,51 @@ in { | |||
| 265 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | 264 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so |
| 266 | ''; | 265 | ''; |
| 267 | }; | 266 | }; |
| 268 | adminer = { | 267 | adminer = adminer.phpFpm; |
| 269 | listen = adminer.phpFpm.socket; | ||
| 270 | extraConfig = adminer.phpFpm.pool; | ||
| 271 | }; | ||
| 272 | ttrss = { | 268 | ttrss = { |
| 273 | listen = ttrss.phpFpm.socket; | 269 | user = "wwwrun"; |
| 274 | extraConfig = ttrss.phpFpm.pool; | 270 | group = "wwwrun"; |
| 271 | settings = ttrss.phpFpm.pool; | ||
| 275 | }; | 272 | }; |
| 276 | wallabag = { | 273 | wallabag = { |
| 277 | listen = wallabag.phpFpm.socket; | 274 | user = "wwwrun"; |
| 278 | extraConfig = wallabag.phpFpm.pool; | 275 | group = "wwwrun"; |
| 276 | settings = wallabag.phpFpm.pool; | ||
| 279 | }; | 277 | }; |
| 280 | yourls = { | 278 | yourls = { |
| 281 | listen = yourls.phpFpm.socket; | 279 | user = "wwwrun"; |
| 282 | extraConfig = yourls.phpFpm.pool; | 280 | group = "wwwrun"; |
| 281 | settings = yourls.phpFpm.pool; | ||
| 283 | }; | 282 | }; |
| 284 | rompr = { | 283 | rompr = { |
| 285 | listen = rompr.phpFpm.socket; | 284 | user = "wwwrun"; |
| 286 | extraConfig = rompr.phpFpm.pool; | 285 | group = "wwwrun"; |
| 286 | settings = rompr.phpFpm.pool; | ||
| 287 | }; | 287 | }; |
| 288 | shaarli = { | 288 | shaarli = { |
| 289 | listen = shaarli.phpFpm.socket; | 289 | user = "wwwrun"; |
| 290 | extraConfig = shaarli.phpFpm.pool; | 290 | group = "wwwrun"; |
| 291 | settings = shaarli.phpFpm.pool; | ||
| 291 | }; | 292 | }; |
| 292 | dokuwiki = { | 293 | dokuwiki = { |
| 293 | listen = dokuwiki.phpFpm.socket; | 294 | user = "wwwrun"; |
| 294 | extraConfig = dokuwiki.phpFpm.pool; | 295 | group = "wwwrun"; |
| 296 | settings = dokuwiki.phpFpm.pool; | ||
| 295 | }; | 297 | }; |
| 296 | ldap = { | 298 | ldap = { |
| 297 | listen = ldap.phpFpm.socket; | 299 | user = "wwwrun"; |
| 298 | extraConfig = ldap.phpFpm.pool; | 300 | group = "wwwrun"; |
| 301 | settings = ldap.phpFpm.pool; | ||
| 299 | }; | 302 | }; |
| 300 | kanboard = { | 303 | kanboard = { |
| 301 | listen = kanboard.phpFpm.socket; | 304 | user = "wwwrun"; |
| 302 | extraConfig = kanboard.phpFpm.pool; | 305 | group = "wwwrun"; |
| 306 | settings = kanboard.phpFpm.pool; | ||
| 303 | }; | 307 | }; |
| 304 | grocy = { | 308 | grocy = { |
| 305 | listen = grocy.phpFpm.socket; | 309 | user = "wwwrun"; |
| 306 | extraConfig = grocy.phpFpm.pool; | 310 | group = "wwwrun"; |
| 311 | settings = grocy.phpFpm.pool; | ||
| 307 | }; | 312 | }; |
| 308 | }; | 313 | }; |
| 309 | 314 | ||
diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix index d66e85d..26c04b7 100644 --- a/modules/private/websites/tools/tools/dokuwiki.nix +++ b/modules/private/websites/tools/tools/dokuwiki.nix | |||
| @@ -26,12 +26,12 @@ rec { | |||
| 26 | modules = [ "proxy_fcgi" ]; | 26 | modules = [ "proxy_fcgi" ]; |
| 27 | webappName = "tools_dokuwiki"; | 27 | webappName = "tools_dokuwiki"; |
| 28 | root = "/run/current-system/webapps/${webappName}"; | 28 | root = "/run/current-system/webapps/${webappName}"; |
| 29 | vhostConf = '' | 29 | vhostConf = socket: '' |
| 30 | Alias /dokuwiki "${root}" | 30 | Alias /dokuwiki "${root}" |
| 31 | <Directory "${root}"> | 31 | <Directory "${root}"> |
| 32 | DirectoryIndex index.php | 32 | DirectoryIndex index.php |
| 33 | <FilesMatch "\.php$"> | 33 | <FilesMatch "\.php$"> |
| 34 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 34 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 35 | </FilesMatch> | 35 | </FilesMatch> |
| 36 | 36 | ||
| 37 | AllowOverride All | 37 | AllowOverride All |
| @@ -44,20 +44,17 @@ rec { | |||
| 44 | serviceDeps = [ "openldap.service" ]; | 44 | serviceDeps = [ "openldap.service" ]; |
| 45 | basedir = builtins.concatStringsSep ":" ( | 45 | basedir = builtins.concatStringsSep ":" ( |
| 46 | [ webRoot varDir ] ++ webRoot.plugins); | 46 | [ webRoot varDir ] ++ webRoot.plugins); |
| 47 | socket = "/var/run/phpfpm/dokuwiki.sock"; | 47 | pool = { |
| 48 | pool = '' | 48 | "listen.owner" = apache.user; |
| 49 | user = ${apache.user} | 49 | "listen.group" = apache.group; |
| 50 | group = ${apache.group} | 50 | "pm" = "ondemand"; |
| 51 | listen.owner = ${apache.user} | 51 | "pm.max_children" = "60"; |
| 52 | listen.group = ${apache.group} | 52 | "pm.process_idle_timeout" = "60"; |
| 53 | pm = ondemand | ||
| 54 | pm.max_children = 60 | ||
| 55 | pm.process_idle_timeout = 60 | ||
| 56 | 53 | ||
| 57 | ; Needed to avoid clashes in browser cookies (same domain) | 54 | # Needed to avoid clashes in browser cookies (same domain) |
| 58 | php_value[session.name] = DokuwikiPHPSESSID | 55 | "php_value[session.name]" = "DokuwikiPHPSESSID"; |
| 59 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 56 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
| 60 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 57 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 61 | ''; | 58 | }; |
| 62 | }; | 59 | }; |
| 63 | } | 60 | } |
diff --git a/modules/private/websites/tools/tools/grocy.nix b/modules/private/websites/tools/tools/grocy.nix index 1b8da20..a98d8ac 100644 --- a/modules/private/websites/tools/tools/grocy.nix +++ b/modules/private/websites/tools/tools/grocy.nix | |||
| @@ -18,12 +18,12 @@ rec { | |||
| 18 | modules = [ "proxy_fcgi" ]; | 18 | modules = [ "proxy_fcgi" ]; |
| 19 | webappName = "tools_grocy"; | 19 | webappName = "tools_grocy"; |
| 20 | root = "/run/current-system/webapps/${webappName}"; | 20 | root = "/run/current-system/webapps/${webappName}"; |
| 21 | vhostConf = '' | 21 | vhostConf = socket: '' |
| 22 | Alias /grocy "${root}" | 22 | Alias /grocy "${root}" |
| 23 | <Directory "${root}"> | 23 | <Directory "${root}"> |
| 24 | DirectoryIndex index.php | 24 | DirectoryIndex index.php |
| 25 | <FilesMatch "\.php$"> | 25 | <FilesMatch "\.php$"> |
| 26 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 26 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 27 | </FilesMatch> | 27 | </FilesMatch> |
| 28 | 28 | ||
| 29 | AllowOverride All | 29 | AllowOverride All |
| @@ -35,21 +35,18 @@ rec { | |||
| 35 | phpFpm = rec { | 35 | phpFpm = rec { |
| 36 | basedir = builtins.concatStringsSep ":" ( | 36 | basedir = builtins.concatStringsSep ":" ( |
| 37 | [ grocy grocy.yarnModules varDir ]); | 37 | [ grocy grocy.yarnModules varDir ]); |
| 38 | socket = "/var/run/phpfpm/grocy.sock"; | 38 | pool = { |
| 39 | pool = '' | 39 | "listen.owner" = apache.user; |
| 40 | user = ${apache.user} | 40 | "listen.group" = apache.group; |
| 41 | group = ${apache.group} | 41 | "pm" = "ondemand"; |
| 42 | listen.owner = ${apache.user} | 42 | "pm.max_children" = "60"; |
| 43 | listen.group = ${apache.group} | 43 | "pm.process_idle_timeout" = "60"; |
| 44 | pm = ondemand | ||
| 45 | pm.max_children = 60 | ||
| 46 | pm.process_idle_timeout = 60 | ||
| 47 | 44 | ||
| 48 | ; Needed to avoid clashes in browser cookies (same domain) | 45 | # Needed to avoid clashes in browser cookies (same domain) |
| 49 | php_value[session.name] = grocyPHPSESSID | 46 | "php_value[session.name]" = "grocyPHPSESSID"; |
| 50 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 47 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
| 51 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 48 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 52 | ''; | 49 | }; |
| 53 | }; | 50 | }; |
| 54 | } | 51 | } |
| 55 | 52 | ||
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 1880cbd..0f6fefc 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix | |||
| @@ -49,7 +49,7 @@ rec { | |||
| 49 | modules = [ "proxy_fcgi" ]; | 49 | modules = [ "proxy_fcgi" ]; |
| 50 | webappName = "tools_kanboard"; | 50 | webappName = "tools_kanboard"; |
| 51 | root = "/run/current-system/webapps/${webappName}"; | 51 | root = "/run/current-system/webapps/${webappName}"; |
| 52 | vhostConf = '' | 52 | vhostConf = socket: '' |
| 53 | Alias /kanboard "${root}" | 53 | Alias /kanboard "${root}" |
| 54 | <Directory "${root}"> | 54 | <Directory "${root}"> |
| 55 | DirectoryIndex index.php | 55 | DirectoryIndex index.php |
| @@ -58,7 +58,7 @@ rec { | |||
| 58 | Require all granted | 58 | Require all granted |
| 59 | 59 | ||
| 60 | <FilesMatch "\.php$"> | 60 | <FilesMatch "\.php$"> |
| 61 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 61 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 62 | </FilesMatch> | 62 | </FilesMatch> |
| 63 | </Directory> | 63 | </Directory> |
| 64 | <DirectoryMatch "${root}/data"> | 64 | <DirectoryMatch "${root}/data"> |
| @@ -69,20 +69,17 @@ rec { | |||
| 69 | phpFpm = rec { | 69 | phpFpm = rec { |
| 70 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 70 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 71 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; | 71 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; |
| 72 | socket = "/var/run/phpfpm/kanboard.sock"; | 72 | pool = { |
| 73 | pool = '' | 73 | "listen.owner" = apache.user; |
| 74 | user = ${apache.user} | 74 | "listen.group" = apache.group; |
| 75 | group = ${apache.group} | 75 | "pm" = "ondemand"; |
| 76 | listen.owner = ${apache.user} | 76 | "pm.max_children" = "60"; |
| 77 | listen.group = ${apache.group} | 77 | "pm.process_idle_timeout" = "60"; |
| 78 | pm = ondemand | ||
| 79 | pm.max_children = 60 | ||
| 80 | pm.process_idle_timeout = 60 | ||
| 81 | 78 | ||
| 82 | ; Needed to avoid clashes in browser cookies (same domain) | 79 | # Needed to avoid clashes in browser cookies (same domain) |
| 83 | php_value[session.name] = KanboardPHPSESSID | 80 | "php_value[session.name]" = "KanboardPHPSESSID"; |
| 84 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 81 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
| 85 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 82 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 86 | ''; | 83 | }; |
| 87 | }; | 84 | }; |
| 88 | } | 85 | } |
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix index e58a9bd..0c1a21f 100644 --- a/modules/private/websites/tools/tools/ldap.nix +++ b/modules/private/websites/tools/tools/ldap.nix | |||
| @@ -39,12 +39,12 @@ rec { | |||
| 39 | modules = [ "proxy_fcgi" ]; | 39 | modules = [ "proxy_fcgi" ]; |
| 40 | webappName = "tools_ldap"; | 40 | webappName = "tools_ldap"; |
| 41 | root = "/run/current-system/webapps/${webappName}"; | 41 | root = "/run/current-system/webapps/${webappName}"; |
| 42 | vhostConf = '' | 42 | vhostConf = socket: '' |
| 43 | Alias /ldap "${root}" | 43 | Alias /ldap "${root}" |
| 44 | <Directory "${root}"> | 44 | <Directory "${root}"> |
| 45 | DirectoryIndex index.php | 45 | DirectoryIndex index.php |
| 46 | <FilesMatch "\.php$"> | 46 | <FilesMatch "\.php$"> |
| 47 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 47 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 48 | </FilesMatch> | 48 | </FilesMatch> |
| 49 | 49 | ||
| 50 | AllowOverride None | 50 | AllowOverride None |
| @@ -55,20 +55,17 @@ rec { | |||
| 55 | phpFpm = rec { | 55 | phpFpm = rec { |
| 56 | serviceDeps = [ "openldap.service" ]; | 56 | serviceDeps = [ "openldap.service" ]; |
| 57 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; | 57 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; |
| 58 | socket = "/var/run/phpfpm/ldap.sock"; | 58 | pool = { |
| 59 | pool = '' | 59 | "listen.owner" = apache.user; |
| 60 | user = ${apache.user} | 60 | "listen.group" = apache.group; |
| 61 | group = ${apache.group} | 61 | "pm" = "ondemand"; |
| 62 | listen.owner = ${apache.user} | 62 | "pm.max_children" = "60"; |
| 63 | listen.group = ${apache.group} | 63 | "pm.process_idle_timeout" = "60"; |
| 64 | pm = ondemand | ||
| 65 | pm.max_children = 60 | ||
| 66 | pm.process_idle_timeout = 60 | ||
| 67 | 64 | ||
| 68 | ; Needed to avoid clashes in browser cookies (same domain) | 65 | # Needed to avoid clashes in browser cookies (same domain) |
| 69 | php_value[session.name] = LdapPHPSESSID | 66 | "php_value[session.name]" = "LdapPHPSESSID"; |
| 70 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin" | 67 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; |
| 71 | php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin" | 68 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; |
| 72 | ''; | 69 | }; |
| 73 | }; | 70 | }; |
| 74 | } | 71 | } |
diff --git a/modules/private/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix index 75adabe..106164c 100644 --- a/modules/private/websites/tools/tools/rompr.nix +++ b/modules/private/websites/tools/tools/rompr.nix | |||
| @@ -15,7 +15,7 @@ rec { | |||
| 15 | modules = [ "headers" "mime" "proxy_fcgi" ]; | 15 | modules = [ "headers" "mime" "proxy_fcgi" ]; |
| 16 | webappName = "tools_rompr"; | 16 | webappName = "tools_rompr"; |
| 17 | root = "/run/current-system/webapps/${webappName}"; | 17 | root = "/run/current-system/webapps/${webappName}"; |
| 18 | vhostConf = '' | 18 | vhostConf = socket: '' |
| 19 | Alias /rompr ${root} | 19 | Alias /rompr ${root} |
| 20 | 20 | ||
| 21 | <Directory ${root}> | 21 | <Directory ${root}> |
| @@ -29,7 +29,7 @@ rec { | |||
| 29 | AddType image/x-icon .ico | 29 | AddType image/x-icon .ico |
| 30 | 30 | ||
| 31 | <FilesMatch "\.php$"> | 31 | <FilesMatch "\.php$"> |
| 32 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 32 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 33 | </FilesMatch> | 33 | </FilesMatch> |
| 34 | </Directory> | 34 | </Directory> |
| 35 | 35 | ||
| @@ -51,29 +51,26 @@ rec { | |||
| 51 | }; | 51 | }; |
| 52 | phpFpm = rec { | 52 | phpFpm = rec { |
| 53 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 53 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
| 54 | socket = "/var/run/phpfpm/rompr.sock"; | 54 | pool = { |
| 55 | pool = '' | 55 | "listen.owner" = apache.user; |
| 56 | user = ${apache.user} | 56 | "listen.group" = apache.group; |
| 57 | group = ${apache.group} | 57 | "pm" = "ondemand"; |
| 58 | listen.owner = ${apache.user} | 58 | "pm.max_children" = "60"; |
| 59 | listen.group = ${apache.group} | 59 | "pm.process_idle_timeout" = "60"; |
| 60 | pm = ondemand | ||
| 61 | pm.max_children = 60 | ||
| 62 | pm.process_idle_timeout = 60 | ||
| 63 | 60 | ||
| 64 | ; Needed to avoid clashes in browser cookies (same domain) | 61 | # Needed to avoid clashes in browser cookies (same domain) |
| 65 | php_value[session.name] = RomprPHPSESSID | 62 | "php_value[session.name]" = "RomprPHPSESSID"; |
| 66 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 63 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
| 67 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 64 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 68 | php_flag[magic_quotes_gpc] = Off | 65 | "php_flag[magic_quotes_gpc]" = "Off"; |
| 69 | php_flag[track_vars] = On | 66 | "php_flag[track_vars]" = "On"; |
| 70 | php_flag[register_globals] = Off | 67 | "php_flag[register_globals]" = "Off"; |
| 71 | php_admin_flag[allow_url_fopen] = On | 68 | "php_admin_flag[allow_url_fopen]" = "On"; |
| 72 | php_value[include_path] = ${webRoot} | 69 | "php_value[include_path]" = "${webRoot}"; |
| 73 | php_admin_value[upload_tmp_dir] = "${varDir}/prefs" | 70 | "php_admin_value[upload_tmp_dir]" = "${varDir}/prefs"; |
| 74 | php_admin_value[post_max_size] = 32M | 71 | "php_admin_value[post_max_size]" = "32M"; |
| 75 | php_admin_value[upload_max_filesize] = 32M | 72 | "php_admin_value[upload_max_filesize]" = "32M"; |
| 76 | php_admin_value[memory_limit] = 256M | 73 | "php_admin_value[memory_limit]" = "256M"; |
| 77 | ''; | 74 | }; |
| 78 | }; | 75 | }; |
| 79 | } | 76 | } |
diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix index 0a75755..950d296 100644 --- a/modules/private/websites/tools/tools/shaarli.nix +++ b/modules/private/websites/tools/tools/shaarli.nix | |||
| @@ -17,7 +17,7 @@ in rec { | |||
| 17 | modules = [ "proxy_fcgi" "rewrite" "env" ]; | 17 | modules = [ "proxy_fcgi" "rewrite" "env" ]; |
| 18 | webappName = "tools_shaarli"; | 18 | webappName = "tools_shaarli"; |
| 19 | root = "/run/current-system/webapps/${webappName}"; | 19 | root = "/run/current-system/webapps/${webappName}"; |
| 20 | vhostConf = '' | 20 | vhostConf = socket: '' |
| 21 | Alias /Shaarli "${root}" | 21 | Alias /Shaarli "${root}" |
| 22 | 22 | ||
| 23 | Include /var/secrets/webapps/tools-shaarli | 23 | Include /var/secrets/webapps/tools-shaarli |
| @@ -27,7 +27,7 @@ in rec { | |||
| 27 | AllowOverride All | 27 | AllowOverride All |
| 28 | Require all granted | 28 | Require all granted |
| 29 | <FilesMatch "\.php$"> | 29 | <FilesMatch "\.php$"> |
| 30 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 30 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 31 | </FilesMatch> | 31 | </FilesMatch> |
| 32 | </Directory> | 32 | </Directory> |
| 33 | ''; | 33 | ''; |
| @@ -48,20 +48,17 @@ in rec { | |||
| 48 | phpFpm = rec { | 48 | phpFpm = rec { |
| 49 | serviceDeps = [ "openldap.service" ]; | 49 | serviceDeps = [ "openldap.service" ]; |
| 50 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 50 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
| 51 | socket = "/var/run/phpfpm/shaarli.sock"; | 51 | pool = { |
| 52 | pool = '' | 52 | "listen.owner" = apache.user; |
| 53 | user = ${apache.user} | 53 | "listen.group" = apache.group; |
| 54 | group = ${apache.group} | 54 | "pm" = "ondemand"; |
| 55 | listen.owner = ${apache.user} | 55 | "pm.max_children" = "60"; |
| 56 | listen.group = ${apache.group} | 56 | "pm.process_idle_timeout" = "60"; |
| 57 | pm = ondemand | ||
| 58 | pm.max_children = 60 | ||
| 59 | pm.process_idle_timeout = 60 | ||
| 60 | 57 | ||
| 61 | ; Needed to avoid clashes in browser cookies (same domain) | 58 | # Needed to avoid clashes in browser cookies (same domain) |
| 62 | php_value[session.name] = ShaarliPHPSESSID | 59 | "php_value[session.name]" = "ShaarliPHPSESSID"; |
| 63 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 60 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
| 64 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 61 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 65 | ''; | 62 | }; |
| 66 | }; | 63 | }; |
| 67 | } | 64 | } |
diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix index a8b2a93..48876d3 100644 --- a/modules/private/websites/tools/tools/ttrss.nix +++ b/modules/private/websites/tools/tools/ttrss.nix | |||
| @@ -95,12 +95,12 @@ rec { | |||
| 95 | modules = [ "proxy_fcgi" ]; | 95 | modules = [ "proxy_fcgi" ]; |
| 96 | webappName = "tools_ttrss"; | 96 | webappName = "tools_ttrss"; |
| 97 | root = "/run/current-system/webapps/${webappName}"; | 97 | root = "/run/current-system/webapps/${webappName}"; |
| 98 | vhostConf = '' | 98 | vhostConf = socket: '' |
| 99 | Alias /ttrss "${root}" | 99 | Alias /ttrss "${root}" |
| 100 | <Directory "${root}"> | 100 | <Directory "${root}"> |
| 101 | DirectoryIndex index.php | 101 | DirectoryIndex index.php |
| 102 | <FilesMatch "\.php$"> | 102 | <FilesMatch "\.php$"> |
| 103 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 103 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 104 | </FilesMatch> | 104 | </FilesMatch> |
| 105 | 105 | ||
| 106 | AllowOverride All | 106 | AllowOverride All |
| @@ -114,20 +114,17 @@ rec { | |||
| 114 | basedir = builtins.concatStringsSep ":" ( | 114 | basedir = builtins.concatStringsSep ":" ( |
| 115 | [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] | 115 | [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] |
| 116 | ++ webRoot.plugins); | 116 | ++ webRoot.plugins); |
| 117 | socket = "/var/run/phpfpm/ttrss.sock"; | 117 | pool = { |
| 118 | pool = '' | 118 | "listen.owner" = apache.user; |
| 119 | user = ${apache.user} | 119 | "listen.group" = apache.group; |
| 120 | group = ${apache.group} | 120 | "pm" = "ondemand"; |
| 121 | listen.owner = ${apache.user} | 121 | "pm.max_children" = "60"; |
| 122 | listen.group = ${apache.group} | 122 | "pm.process_idle_timeout" = "60"; |
| 123 | pm = ondemand | 123 | |
| 124 | pm.max_children = 60 | 124 | # Needed to avoid clashes in browser cookies (same domain) |
| 125 | pm.process_idle_timeout = 60 | 125 | "php_value[session.name]" = "TtrssPHPSESSID"; |
| 126 | 126 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; | |
| 127 | ; Needed to avoid clashes in browser cookies (same domain) | 127 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
| 128 | php_value[session.name] = TtrssPHPSESSID | 128 | }; |
| 129 | php_admin_value[open_basedir] = "${basedir}:/tmp" | ||
| 130 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | ||
| 131 | ''; | ||
| 132 | }; | 129 | }; |
| 133 | } | 130 | } |
diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix index 014d8a1..00e2dc9 100644 --- a/modules/private/websites/tools/tools/wallabag.nix +++ b/modules/private/websites/tools/tools/wallabag.nix | |||
| @@ -82,7 +82,7 @@ rec { | |||
| 82 | modules = [ "proxy_fcgi" ]; | 82 | modules = [ "proxy_fcgi" ]; |
| 83 | webappName = "tools_wallabag"; | 83 | webappName = "tools_wallabag"; |
| 84 | root = "/run/current-system/webapps/${webappName}"; | 84 | root = "/run/current-system/webapps/${webappName}"; |
| 85 | vhostConf = '' | 85 | vhostConf = socket: '' |
| 86 | Alias /wallabag "${root}" | 86 | Alias /wallabag "${root}" |
| 87 | <Directory "${root}"> | 87 | <Directory "${root}"> |
| 88 | AllowOverride None | 88 | AllowOverride None |
| @@ -91,7 +91,7 @@ rec { | |||
| 91 | CGIPassAuth On | 91 | CGIPassAuth On |
| 92 | 92 | ||
| 93 | <FilesMatch "\.php$"> | 93 | <FilesMatch "\.php$"> |
| 94 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 94 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 95 | </FilesMatch> | 95 | </FilesMatch> |
| 96 | 96 | ||
| 97 | <IfModule mod_rewrite.c> | 97 | <IfModule mod_rewrite.c> |
| @@ -129,22 +129,19 @@ rec { | |||
| 129 | ''; | 129 | ''; |
| 130 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 130 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
| 131 | basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; | 131 | basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; |
| 132 | socket = "/var/run/phpfpm/wallabag.sock"; | 132 | pool = { |
| 133 | pool = '' | 133 | "listen.owner" = apache.user; |
| 134 | user = ${apache.user} | 134 | "listen.group" = apache.group; |
| 135 | group = ${apache.group} | 135 | "pm" = "dynamic"; |
| 136 | listen.owner = ${apache.user} | 136 | "pm.max_children" = "60"; |
| 137 | listen.group = ${apache.group} | 137 | "pm.start_servers" = "2"; |
| 138 | pm = dynamic | 138 | "pm.min_spare_servers" = "1"; |
| 139 | pm.max_children = 60 | 139 | "pm.max_spare_servers" = "10"; |
| 140 | pm.start_servers = 2 | ||
| 141 | pm.min_spare_servers = 1 | ||
| 142 | pm.max_spare_servers = 10 | ||
| 143 | 140 | ||
| 144 | ; Needed to avoid clashes in browser cookies (same domain) | 141 | # Needed to avoid clashes in browser cookies (same domain) |
| 145 | php_value[session.name] = WallabagPHPSESSID | 142 | "php_value[session.name]" = "WallabagPHPSESSID"; |
| 146 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp" | 143 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/tmp"; |
| 147 | php_value[max_execution_time] = 300 | 144 | "php_value[max_execution_time]" = "300"; |
| 148 | ''; | 145 | }; |
| 149 | }; | 146 | }; |
| 150 | } | 147 | } |
diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix index 466ceae..cb03b6c 100644 --- a/modules/private/websites/tools/tools/yourls.nix +++ b/modules/private/websites/tools/tools/yourls.nix | |||
| @@ -48,11 +48,11 @@ rec { | |||
| 48 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
| 49 | webappName = "tools_yourls"; | 49 | webappName = "tools_yourls"; |
| 50 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
| 51 | vhostConf = '' | 51 | vhostConf = socket: '' |
| 52 | Alias /url "${root}" | 52 | Alias /url "${root}" |
| 53 | <Directory "${root}"> | 53 | <Directory "${root}"> |
| 54 | <FilesMatch "\.php$"> | 54 | <FilesMatch "\.php$"> |
| 55 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 55 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
| 56 | </FilesMatch> | 56 | </FilesMatch> |
| 57 | 57 | ||
| 58 | AllowOverride None | 58 | AllowOverride None |
| @@ -73,20 +73,17 @@ rec { | |||
| 73 | basedir = builtins.concatStringsSep ":" ( | 73 | basedir = builtins.concatStringsSep ":" ( |
| 74 | [ webRoot "/var/secrets/webapps/tools-yourls" ] | 74 | [ webRoot "/var/secrets/webapps/tools-yourls" ] |
| 75 | ++ webRoot.plugins); | 75 | ++ webRoot.plugins); |
| 76 | socket = "/var/run/phpfpm/yourls.sock"; | 76 | pool = { |
| 77 | pool = '' | 77 | "listen.owner" = apache.user; |
| 78 | user = ${apache.user} | 78 | "listen.group" = apache.group; |
| 79 | group = ${apache.group} | 79 | "pm" = "ondemand"; |
| 80 | listen.owner = ${apache.user} | 80 | "pm.max_children" = "60"; |
| 81 | listen.group = ${apache.group} | 81 | "pm.process_idle_timeout" = "60"; |
| 82 | pm = ondemand | ||
| 83 | pm.max_children = 60 | ||
| 84 | pm.process_idle_timeout = 60 | ||
| 85 | 82 | ||
| 86 | ; Needed to avoid clashes in browser cookies (same domain) | 83 | # Needed to avoid clashes in browser cookies (same domain) |
| 87 | php_value[session.name] = YourlsPHPSESSID | 84 | "php_value[session.name]" = "YourlsPHPSESSID"; |
| 88 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls" | 85 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/yourls"; |
| 89 | php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls" | 86 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/yourls"; |
| 90 | ''; | 87 | }; |
| 91 | }; | 88 | }; |
| 92 | } | 89 | } |
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index eed9e3f..68531cf 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix | |||
| @@ -27,7 +27,7 @@ in | |||
| 27 | ''; | 27 | ''; |
| 28 | }; | 28 | }; |
| 29 | socketsPrefix = lib.mkOption { | 29 | socketsPrefix = lib.mkOption { |
| 30 | type = lib.types.string; | 30 | type = lib.types.str; |
| 31 | default = "live"; | 31 | default = "live"; |
| 32 | description = '' | 32 | description = '' |
| 33 | The prefix to use for Mastodon sockets. | 33 | The prefix to use for Mastodon sockets. |
diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index e822645..fe5f068 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix | |||
| @@ -23,7 +23,7 @@ in { | |||
| 23 | ''; | 23 | ''; |
| 24 | }; | 24 | }; |
| 25 | name = lib.mkOption { | 25 | name = lib.mkOption { |
| 26 | type = lib.types.string; | 26 | type = lib.types.str; |
| 27 | description = '' | 27 | description = '' |
| 28 | Domain name. Corresponds to the Apache file name and the | 28 | Domain name. Corresponds to the Apache file name and the |
| 29 | folder name in which the state will be saved. | 29 | folder name in which the state will be saved. |
diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 767a7b2..3f46e65 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix | |||
| @@ -38,7 +38,7 @@ in | |||
| 38 | description = "Name of the httpd instance to assign this type to"; | 38 | description = "Name of the httpd instance to assign this type to"; |
| 39 | }; | 39 | }; |
| 40 | ips = mkOption { | 40 | ips = mkOption { |
| 41 | type = listOf string; | 41 | type = listOf str; |
| 42 | default = []; | 42 | default = []; |
| 43 | description = "ips to listen to"; | 43 | description = "ips to listen to"; |
| 44 | }; | 44 | }; |
| @@ -59,7 +59,7 @@ in | |||
| 59 | options = { | 59 | options = { |
| 60 | enable = mkEnableOption "Add default no-ssl vhost for this instance"; | 60 | enable = mkEnableOption "Add default no-ssl vhost for this instance"; |
| 61 | host = mkOption { | 61 | host = mkOption { |
| 62 | type = string; | 62 | type = str; |
| 63 | description = "The hostname to use for this vhost"; | 63 | description = "The hostname to use for this vhost"; |
| 64 | }; | 64 | }; |
| 65 | root = mkOption { | 65 | root = mkOption { |
| @@ -68,7 +68,7 @@ in | |||
| 68 | description = "The root folder to serve"; | 68 | description = "The root folder to serve"; |
| 69 | }; | 69 | }; |
| 70 | indexFile = mkOption { | 70 | indexFile = mkOption { |
| 71 | type = string; | 71 | type = str; |
| 72 | default = "index.html"; | 72 | default = "index.html"; |
| 73 | description = "The index file to show."; | 73 | description = "The index file to show."; |
| 74 | }; | 74 | }; |
| @@ -79,8 +79,8 @@ in | |||
| 79 | description = "The fallback vhost that will be defined as first vhost in Apache"; | 79 | description = "The fallback vhost that will be defined as first vhost in Apache"; |
| 80 | type = submodule { | 80 | type = submodule { |
| 81 | options = { | 81 | options = { |
| 82 | certName = mkOption { type = string; }; | 82 | certName = mkOption { type = str; }; |
| 83 | hosts = mkOption { type = listOf string; }; | 83 | hosts = mkOption { type = listOf str; }; |
| 84 | root = mkOption { type = nullOr path; }; | 84 | root = mkOption { type = nullOr path; }; |
| 85 | extraConfig = mkOption { type = listOf lines; default = []; }; | 85 | extraConfig = mkOption { type = listOf lines; default = []; }; |
| 86 | }; | 86 | }; |
| @@ -91,7 +91,7 @@ in | |||
| 91 | description = "List of no ssl vhosts to define for Apache"; | 91 | description = "List of no ssl vhosts to define for Apache"; |
| 92 | type = attrsOf (submodule { | 92 | type = attrsOf (submodule { |
| 93 | options = { | 93 | options = { |
| 94 | hosts = mkOption { type = listOf string; }; | 94 | hosts = mkOption { type = listOf str; }; |
| 95 | root = mkOption { type = nullOr path; }; | 95 | root = mkOption { type = nullOr path; }; |
| 96 | extraConfig = mkOption { type = listOf lines; default = []; }; | 96 | extraConfig = mkOption { type = listOf lines; default = []; }; |
| 97 | }; | 97 | }; |
| @@ -102,25 +102,25 @@ in | |||
| 102 | description = "List of vhosts to define for Apache"; | 102 | description = "List of vhosts to define for Apache"; |
| 103 | type = attrsOf (submodule { | 103 | type = attrsOf (submodule { |
| 104 | options = { | 104 | options = { |
| 105 | certName = mkOption { type = string; }; | 105 | certName = mkOption { type = str; }; |
| 106 | addToCerts = mkOption { | 106 | addToCerts = mkOption { |
| 107 | type = bool; | 107 | type = bool; |
| 108 | default = false; | 108 | default = false; |
| 109 | description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; | 109 | description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; |
| 110 | }; | 110 | }; |
| 111 | certMainHost = mkOption { | 111 | certMainHost = mkOption { |
| 112 | type = nullOr string; | 112 | type = nullOr str; |
| 113 | description = "Use that host as 'main host' for acme certs"; | 113 | description = "Use that host as 'main host' for acme certs"; |
| 114 | default = null; | 114 | default = null; |
| 115 | }; | 115 | }; |
| 116 | hosts = mkOption { type = listOf string; }; | 116 | hosts = mkOption { type = listOf str; }; |
| 117 | root = mkOption { type = nullOr path; }; | 117 | root = mkOption { type = nullOr path; }; |
| 118 | extraConfig = mkOption { type = listOf lines; default = []; }; | 118 | extraConfig = mkOption { type = listOf lines; default = []; }; |
| 119 | }; | 119 | }; |
| 120 | }); | 120 | }); |
| 121 | }; | 121 | }; |
| 122 | watchPaths = mkOption { | 122 | watchPaths = mkOption { |
| 123 | type = listOf string; | 123 | type = listOf str; |
| 124 | default = []; | 124 | default = []; |
| 125 | description = '' | 125 | description = '' |
| 126 | Paths to watch that should trigger a reload of httpd | 126 | Paths to watch that should trigger a reload of httpd |
| @@ -178,9 +178,9 @@ in | |||
| 178 | }; | 178 | }; |
| 179 | toVhost = ips: vhostConf: { | 179 | toVhost = ips: vhostConf: { |
| 180 | enableSSL = true; | 180 | enableSSL = true; |
| 181 | sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem"; | 181 | sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem"; |
| 182 | sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem"; | 182 | sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem"; |
| 183 | sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem"; | 183 | sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem"; |
| 184 | logFormat = "combinedVhost"; | 184 | logFormat = "combinedVhost"; |
| 185 | listen = map (ip: { inherit ip; port = 443; }) ips; | 185 | listen = map (ip: { inherit ip; port = 443; }) ips; |
| 186 | hostName = builtins.head vhostConf.hosts; | 186 | hostName = builtins.head vhostConf.hosts; |
| @@ -231,7 +231,7 @@ in | |||
| 231 | } | 231 | } |
| 232 | ) cfg.env; | 232 | ) cfg.env; |
| 233 | 233 | ||
| 234 | config.security.acme2.certs = let | 234 | config.security.acme.certs = let |
| 235 | typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; | 235 | typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; |
| 236 | flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: | 236 | flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: |
| 237 | attrValues v.vhostConfs | 237 | attrValues v.vhostConfs |
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix index d049202..f0208ab 100644 --- a/modules/websites/httpd-service-builder.nix +++ b/modules/websites/httpd-service-builder.nix | |||
| @@ -11,8 +11,6 @@ let | |||
| 11 | 11 | ||
| 12 | httpd = mainCfg.package.out; | 12 | httpd = mainCfg.package.out; |
| 13 | 13 | ||
| 14 | version24 = !versionOlder httpd.version "2.4"; | ||
| 15 | |||
| 16 | httpdConf = mainCfg.configFile; | 14 | httpdConf = mainCfg.configFile; |
| 17 | 15 | ||
| 18 | php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; | 16 | php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; |
| @@ -26,10 +24,9 @@ let | |||
| 26 | else [{ip = "*"; port = 80;}]; | 24 | else [{ip = "*"; port = 80;}]; |
| 27 | 25 | ||
| 28 | getListen = cfg: | 26 | getListen = cfg: |
| 29 | let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen; | 27 | if cfg.listen == [] |
| 30 | in if list == [] | 28 | then defaultListen cfg |
| 31 | then defaultListen cfg | 29 | else cfg.listen; |
| 32 | else list; | ||
| 33 | 30 | ||
| 34 | listenToString = l: "${l.ip}:${toString l.port}"; | 31 | listenToString = l: "${l.ip}:${toString l.port}"; |
| 35 | 32 | ||
| @@ -110,11 +107,10 @@ let | |||
| 110 | "auth_basic" "auth_digest" | 107 | "auth_basic" "auth_digest" |
| 111 | 108 | ||
| 112 | # Authentication: is the user who he claims to be? | 109 | # Authentication: is the user who he claims to be? |
| 113 | "authn_file" "authn_dbm" "authn_anon" | 110 | "authn_file" "authn_dbm" "authn_anon" "authn_core" |
| 114 | (if version24 then "authn_core" else "authn_alias") | ||
| 115 | 111 | ||
| 116 | # Authorization: is the user allowed access? | 112 | # Authorization: is the user allowed access? |
| 117 | "authz_user" "authz_groupfile" "authz_host" | 113 | "authz_user" "authz_groupfile" "authz_host" "authz_core" |
| 118 | 114 | ||
| 119 | # Other modules. | 115 | # Other modules. |
| 120 | "ext_filter" "include" "log_config" "env" "mime_magic" | 116 | "ext_filter" "include" "log_config" "env" "mime_magic" |
| @@ -122,14 +118,9 @@ let | |||
| 122 | "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" | 118 | "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" |
| 123 | "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" | 119 | "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" |
| 124 | "userdir" "alias" "rewrite" "proxy" "proxy_http" | 120 | "userdir" "alias" "rewrite" "proxy" "proxy_http" |
| 125 | ] | 121 | "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb" |
| 126 | ++ optionals version24 [ | ||
| 127 | "mpm_${mainCfg.multiProcessingModule}" | 122 | "mpm_${mainCfg.multiProcessingModule}" |
| 128 | "authz_core" | 123 | |
| 129 | "unixd" | ||
| 130 | "cache" "cache_disk" | ||
| 131 | "slotmem_shm" | ||
| 132 | "socache_shmcb" | ||
| 133 | # For compatibility with old configurations, the new module mod_access_compat is provided. | 124 | # For compatibility with old configurations, the new module mod_access_compat is provided. |
| 134 | "access_compat" | 125 | "access_compat" |
| 135 | ] | 126 | ] |
| @@ -138,19 +129,8 @@ let | |||
| 138 | ++ extraApacheModules; | 129 | ++ extraApacheModules; |
| 139 | 130 | ||
| 140 | 131 | ||
| 141 | allDenied = if version24 then '' | 132 | allDenied = "Require all denied"; |
| 142 | Require all denied | 133 | allGranted = "Require all granted"; |
| 143 | '' else '' | ||
| 144 | Order deny,allow | ||
| 145 | Deny from all | ||
| 146 | ''; | ||
| 147 | |||
| 148 | allGranted = if version24 then '' | ||
| 149 | Require all granted | ||
| 150 | '' else '' | ||
| 151 | Order allow,deny | ||
| 152 | Allow from all | ||
| 153 | ''; | ||
| 154 | 134 | ||
| 155 | 135 | ||
| 156 | loggingConf = (if mainCfg.logFormat != "none" then '' | 136 | loggingConf = (if mainCfg.logFormat != "none" then '' |
| @@ -183,9 +163,9 @@ let | |||
| 183 | 163 | ||
| 184 | 164 | ||
| 185 | sslConf = '' | 165 | sslConf = '' |
| 186 | SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000) | 166 | SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000) |
| 187 | 167 | ||
| 188 | ${if version24 then "Mutex" else "SSLMutex"} posixsem | 168 | Mutex posixsem |
| 189 | 169 | ||
| 190 | SSLRandomSeed startup builtin | 170 | SSLRandomSeed startup builtin |
| 191 | SSLRandomSeed connect builtin | 171 | SSLRandomSeed connect builtin |
| @@ -325,9 +305,7 @@ let | |||
| 325 | 305 | ||
| 326 | ServerRoot ${httpd} | 306 | ServerRoot ${httpd} |
| 327 | 307 | ||
| 328 | ${optionalString version24 '' | 308 | DefaultRuntimeDir ${mainCfg.stateDir}/runtime |
| 329 | DefaultRuntimeDir ${mainCfg.stateDir}/runtime | ||
| 330 | ''} | ||
| 331 | 309 | ||
| 332 | PidFile ${mainCfg.stateDir}/httpd.pid | 310 | PidFile ${mainCfg.stateDir}/httpd.pid |
| 333 | 311 | ||
| @@ -361,7 +339,7 @@ let | |||
| 361 | ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } | 339 | ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } |
| 362 | ++ concatMap (svc: svc.extraModules) allSubservices | 340 | ++ concatMap (svc: svc.extraModules) allSubservices |
| 363 | ++ extraForeignModules; | 341 | ++ extraForeignModules; |
| 364 | in concatMapStrings load allModules | 342 | in concatMapStrings load (unique allModules) |
| 365 | } | 343 | } |
| 366 | 344 | ||
| 367 | AddHandler type-map var | 345 | AddHandler type-map var |
| @@ -393,14 +371,6 @@ let | |||
| 393 | # Generate directives for the main server. | 371 | # Generate directives for the main server. |
| 394 | ${perServerConf true mainCfg} | 372 | ${perServerConf true mainCfg} |
| 395 | 373 | ||
| 396 | # Always enable virtual hosts; it doesn't seem to hurt. | ||
| 397 | ${let | ||
| 398 | listen = concatMap getListen allHosts; | ||
| 399 | uniqueListen = uniqList {inputList = listen;}; | ||
| 400 | directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen; | ||
| 401 | in optionalString (!version24) directives | ||
| 402 | } | ||
| 403 | |||
| 404 | ${let | 374 | ${let |
| 405 | makeVirtualHost = vhost: '' | 375 | makeVirtualHost = vhost: '' |
| 406 | <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> | 376 | <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}> |
| @@ -663,7 +633,7 @@ in | |||
| 663 | message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } | 633 | message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } |
| 664 | ]; | 634 | ]; |
| 665 | 635 | ||
| 666 | warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts); | 636 | warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts); |
| 667 | 637 | ||
| 668 | users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton | 638 | users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton |
| 669 | { name = "wwwrun"; | 639 | { name = "wwwrun"; |
| @@ -686,7 +656,7 @@ in | |||
| 686 | 656 | ||
| 687 | ; Don't advertise PHP | 657 | ; Don't advertise PHP |
| 688 | expose_php = off | 658 | expose_php = off |
| 689 | '' + optionalString (!isNull config.time.timeZone) '' | 659 | '' + optionalString (config.time.timeZone != null) '' |
| 690 | 660 | ||
| 691 | ; Apparently PHP doesn't use $TZ. | 661 | ; Apparently PHP doesn't use $TZ. |
| 692 | date.timezone = "${config.time.timeZone}" | 662 | date.timezone = "${config.time.timeZone}" |
| @@ -713,10 +683,10 @@ in | |||
| 713 | '' | 683 | '' |
| 714 | mkdir -m 0750 -p ${mainCfg.stateDir} | 684 | mkdir -m 0750 -p ${mainCfg.stateDir} |
| 715 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} | 685 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} |
| 716 | ${optionalString version24 '' | 686 | |
| 717 | mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" | 687 | mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" |
| 718 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" | 688 | [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" |
| 719 | ''} | 689 | |
| 720 | mkdir -m 0700 -p ${mainCfg.logDir} | 690 | mkdir -m 0700 -p ${mainCfg.logDir} |
| 721 | 691 | ||
| 722 | # Get rid of old semaphores. These tend to accumulate across | 692 | # Get rid of old semaphores. These tend to accumulate across |
diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix index 8ad7a0d..20e2a5d 100644 --- a/modules/websites/php-application.nix +++ b/modules/websites/php-application.nix | |||
| @@ -44,10 +44,15 @@ in | |||
| 44 | description = "Name of the socket to listen to. Defaults to app name if null"; | 44 | description = "Name of the socket to listen to. Defaults to app name if null"; |
| 45 | }; | 45 | }; |
| 46 | phpPool = mkOption { | 46 | phpPool = mkOption { |
| 47 | type = lines; | 47 | type = attrsOf str; |
| 48 | default = ""; | 48 | default = {}; |
| 49 | description = "Pool configuration to append"; | 49 | description = "Pool configuration to append"; |
| 50 | }; | 50 | }; |
| 51 | phpEnv = mkOption { | ||
| 52 | type = attrsOf str; | ||
| 53 | default = {}; | ||
| 54 | description = "Pool environment to append"; | ||
| 55 | }; | ||
| 51 | phpOptions = mkOption { | 56 | phpOptions = mkOption { |
| 52 | type = lines; | 57 | type = lines; |
| 53 | default = ""; | 58 | default = ""; |
| @@ -135,7 +140,7 @@ in | |||
| 135 | services.phpApplication.phpListenPaths = mkOption { | 140 | services.phpApplication.phpListenPaths = mkOption { |
| 136 | type = attrsOf path; | 141 | type = attrsOf path; |
| 137 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 142 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
| 138 | name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock" | 143 | name config.services.phpfpm.pools."${name}".socket |
| 139 | ) cfg.apps; | 144 | ) cfg.apps; |
| 140 | readOnly = true; | 145 | readOnly = true; |
| 141 | description = '' | 146 | description = '' |
| @@ -162,17 +167,17 @@ in | |||
| 162 | 167 | ||
| 163 | services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 168 | services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
| 164 | name { | 169 | name { |
| 165 | listen = cfg.phpListenPaths."${name}"; | 170 | user = icfg.httpdUser; |
| 166 | extraConfig = '' | 171 | group = icfg.httpdUser; |
| 167 | user = ${icfg.httpdUser} | 172 | settings = { |
| 168 | group = ${icfg.httpdGroup} | 173 | "listen.owner" = icfg.httpdUser; |
| 169 | listen.owner = ${icfg.httpdUser} | 174 | "listen.group" = icfg.httpdGroup; |
| 170 | listen.group = ${icfg.httpdGroup} | 175 | "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir); |
| 171 | ${optionalString (icfg.phpSession) '' | 176 | } |
| 172 | php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''} | 177 | // optionalAttrs (icfg.phpSession) { "php_admin_value[session.save_path]" = "${icfg.varDir}/phpSessions"; } |
| 173 | php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir)}" | 178 | // icfg.phpPool; |
| 174 | '' + icfg.phpPool; | ||
| 175 | phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions; | 179 | phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions; |
| 180 | inherit (icfg) phpEnv; | ||
| 176 | } | 181 | } |
| 177 | ) cfg.apps; | 182 | ) cfg.apps; |
| 178 | 183 | ||