Diffstat (limited to 'modules/private')
67 files changed, 710 insertions, 738 deletions
diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 47e30fc..c8ee48e 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix | |||
@@ -180,6 +180,7 @@ in | |||
180 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList | 180 | ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList |
181 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets | 181 | (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets |
182 | )} | 182 | )} |
183 | ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} | ||
183 | ''; | 184 | ''; |
184 | environment = let | 185 | environment = let |
185 | project_env = with lib.attrsets; | 186 | project_env = with lib.attrsets; |
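Review bot: The new `${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name}` line runs on every service start with no guard, immediately after the secrets are installed. The surrounding script installs those files with `-o buildbot -g buildbot`, so it presumably runs as root; anything upgrade-master creates or rewrites under `${varDir}/${project.name}` would then be root-owned, which the buildbot user may not be able to read back. Either run the upgrade step as the service user or fix ownership afterwards, and add a one-line comment stating why the upgrade has to run on every start, e.g. `# migrate master state/config on every start (needed after buildbot upgrades)`. The enclosing script and its definition start and end outside the hunk.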
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index f057200..2bf2730 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix | |||
@@ -30,9 +30,9 @@ | |||
30 | myServices.databasesCerts = config.myServices.certificates.certConfig; | 30 | myServices.databasesCerts = config.myServices.certificates.certConfig; |
31 | myServices.ircCerts = config.myServices.certificates.certConfig; | 31 | myServices.ircCerts = config.myServices.certificates.certConfig; |
32 | 32 | ||
33 | security.acme2.preliminarySelfsigned = true; | 33 | security.acme.preliminarySelfsigned = true; |
34 | 34 | ||
35 | security.acme2.certs = { | 35 | security.acme.certs = { |
36 | "${name}" = config.myServices.certificates.certConfig // { | 36 | "${name}" = config.myServices.certificates.certConfig // { |
37 | domain = config.hostEnv.fqdn; | 37 | domain = config.hostEnv.fqdn; |
38 | }; | 38 | }; |
@@ -41,17 +41,33 @@ | |||
41 | systemd.services = lib.attrsets.mapAttrs' (k: v: | 41 | systemd.services = lib.attrsets.mapAttrs' (k: v: |
42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = | 42 | lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = |
43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' | 43 | (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' |
44 | cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem | 44 | cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem |
45 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem | 45 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem |
46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem | 46 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem |
47 | '') + | 47 | '') + |
48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' | 48 | (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' |
49 | cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem | 49 | cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem |
50 | chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem | 50 | chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem |
51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem | 51 | chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem |
52 | '') | 52 | '') |
53 | ; }) | 53 | ; }) |
54 | ) config.security.acme2.certs // { | 54 | ) config.security.acme.certs // |
55 | lib.attrsets.mapAttrs' (k: data: | ||
56 | lib.attrsets.nameValuePair "acme-${k}" { | ||
57 | serviceConfig.ExecStartPre = | ||
58 | let | ||
59 | script = pkgs.writeScript "acme-pre-start" '' | ||
60 | #!${pkgs.runtimeShell} -e | ||
61 | mkdir -p '${data.webroot}/.well-known/acme-challenge' | ||
62 | chmod a+w '${data.webroot}/.well-known/acme-challenge' | ||
63 | #doesn't work for multiple concurrent runs | ||
64 | #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' | ||
65 | ''; | ||
66 | in | ||
67 | "+${script}"; | ||
68 | } | ||
69 | ) config.security.acme.certs // | ||
70 | { | ||
55 | httpdProd = lib.mkIf config.services.httpd.Prod.enable | 71 | httpdProd = lib.mkIf config.services.httpd.Prod.enable |
56 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; | 72 | { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; |
57 | httpdTools = lib.mkIf config.services.httpd.Tools.enable | 73 | httpdTools = lib.mkIf config.services.httpd.Tools.enable |
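Review bot: `chmod a+w '${data.webroot}/.well-known/acme-challenge'` in the new acme-pre-start script (new line 62) makes the challenge directory world-writable, so any local account can place files that the web server serves under that path and could thereby satisfy an HTTP-01 challenge for the domain from its own ACME account. The commented-out chown (line 64) was abandoned because certificates with different `data.user`/`data.group` values share one webroot, but a shared group achieves the same without the world bit: `chgrp '<shared-group>' '${data.webroot}/.well-known/acme-challenge'` followed by `chmod 2775 '${data.webroot}/.well-known/acme-challenge'`, with each certificate's user a member of that group (placeholder group name; the web server only needs read access). The script already runs with full privileges via the `+` prefix, so the chgrp needs no extra setup. The enclosing `systemd.services` expression continues past the hunk.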
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index ed647ea..04e4bd6 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix | |||
@@ -96,8 +96,8 @@ in { | |||
96 | dataDir = cfg.dataDir; | 96 | dataDir = cfg.dataDir; |
97 | extraOptions = '' | 97 | extraOptions = '' |
98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt | 98 | ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt |
99 | ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem | 99 | ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem |
100 | ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem | 100 | ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem |
101 | 101 | ||
102 | # for replication | 102 | # for replication |
103 | log-bin=mariadb-bin | 103 | log-bin=mariadb-bin |
@@ -110,7 +110,7 @@ in { | |||
110 | }; | 110 | }; |
111 | 111 | ||
112 | users.users.mysql.extraGroups = [ "keys" ]; | 112 | users.users.mysql.extraGroups = [ "keys" ]; |
113 | security.acme2.certs."mysql" = config.myServices.databasesCerts // { | 113 | security.acme.certs."mysql" = config.myServices.databasesCerts // { |
114 | user = "mysql"; | 114 | user = "mysql"; |
115 | group = "mysql"; | 115 | group = "mysql"; |
116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | 116 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; |
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index d7d61db..efe9379 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix | |||
@@ -12,27 +12,14 @@ let | |||
12 | moduleload back_hdb | 12 | moduleload back_hdb |
13 | backend hdb | 13 | backend hdb |
14 | 14 | ||
15 | moduleload memberof | 15 | TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem |
16 | database hdb | 16 | TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem |
17 | suffix "${cfg.baseDn}" | 17 | TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem |
18 | rootdn "${cfg.rootDn}" | ||
19 | include ${config.secrets.location}/ldap/password | ||
20 | directory ${cfg.dataDir} | ||
21 | overlay memberof | ||
22 | |||
23 | moduleload syncprov | ||
24 | overlay syncprov | ||
25 | syncprov-checkpoint 100 10 | ||
26 | |||
27 | TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem | ||
28 | TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem | ||
29 | TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem | ||
30 | TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ | 18 | TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ |
31 | #This makes openldap crash | 19 | #This makes openldap crash |
32 | #TLSCipherSuite DEFAULT | 20 | #TLSCipherSuite DEFAULT |
33 | 21 | ||
34 | sasl-host kerberos.immae.eu | 22 | sasl-host kerberos.immae.eu |
35 | include ${config.secrets.location}/ldap/access | ||
36 | ''; | 23 | ''; |
37 | in | 24 | in |
38 | { | 25 | { |
@@ -117,7 +104,7 @@ in | |||
117 | users.users.openldap.extraGroups = [ "keys" ]; | 104 | users.users.openldap.extraGroups = [ "keys" ]; |
118 | networking.firewall.allowedTCPPorts = [ 636 389 ]; | 105 | networking.firewall.allowedTCPPorts = [ 636 389 ]; |
119 | 106 | ||
120 | security.acme2.certs."ldap" = config.myServices.databasesCerts // { | 107 | security.acme.certs."ldap" = config.myServices.databasesCerts // { |
121 | user = "openldap"; | 108 | user = "openldap"; |
122 | group = "openldap"; | 109 | group = "openldap"; |
123 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | 110 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; |
@@ -137,6 +124,20 @@ in | |||
137 | dataDir = cfg.dataDir; | 124 | dataDir = cfg.dataDir; |
138 | urlList = [ "ldap://" "ldaps://" ]; | 125 | urlList = [ "ldap://" "ldaps://" ]; |
139 | extraConfig = ldapConfig; | 126 | extraConfig = ldapConfig; |
127 | extraDatabaseConfig = '' | ||
128 | moduleload memberof | ||
129 | overlay memberof | ||
130 | |||
131 | moduleload syncprov | ||
132 | overlay syncprov | ||
133 | syncprov-checkpoint 100 10 | ||
134 | |||
135 | include ${config.secrets.location}/ldap/access | ||
136 | ''; | ||
137 | rootpwFile = "${config.secrets.location}/ldap/password"; | ||
138 | suffix = cfg.baseDn; | ||
139 | rootdn = cfg.rootDn; | ||
140 | database = "hdb"; | ||
140 | }; | 141 | }; |
141 | }; | 142 | }; |
142 | } | 143 | } |
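Review bot: `rootpwFile = "${config.secrets.location}/ldap/password"` (new line 137) replaces `include ${config.secrets.location}/ldap/password`; the old form expected a file containing a complete `rootpw ...` directive, whereas a rootpwFile option is presumably read as the bare password value, so the secret file's content has to change in step or the directive text itself becomes the password — worth confirming against whatever generates that file. The `include ${config.secrets.location}/ldap/access` ACL file now sits in `extraDatabaseConfig`; if that option is emitted after the `database` line as its name suggests, the ACLs remain database-scoped as before, otherwise they become global, so a short comment above the include stating which scope is intended would help. The enclosing attribute set starts outside the hunk.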
diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix index fc686dd..cf45ebe 100644 --- a/modules/private/databases/openldap/eldiron_schemas.nix +++ b/modules/private/databases/openldap/eldiron_schemas.nix | |||
@@ -9,10 +9,10 @@ let | |||
9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; | 9 | sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; |
10 | }; | 10 | }; |
11 | schemas = [ | 11 | schemas = [ |
12 | "${openldap}/etc/schema/core.schema" | 12 | #"${openldap}/etc/schema/core.schema" |
13 | "${openldap}/etc/schema/cosine.schema" | 13 | #"${openldap}/etc/schema/cosine.schema" |
14 | "${openldap}/etc/schema/inetorgperson.schema" | 14 | #"${openldap}/etc/schema/inetorgperson.schema" |
15 | "${openldap}/etc/schema/nis.schema" | 15 | #"${openldap}/etc/schema/nis.schema" |
16 | puppetSchema | 16 | puppetSchema |
17 | kerberosSchema | 17 | kerberosSchema |
18 | ./immae.schema | 18 | ./immae.schema |
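Review bot: The four base schema entries are left as commented-out lines instead of being deleted, and the same four `include ${pkgs.openldap}/etc/schema/*.schema` lines are now duplicated verbatim in openldap_replication.nix and monitoring/objects_backup-2.nix. Dropping the dead lines and exposing the base schemas as a parameter of this file would keep the consumers from carrying copies. openldap/default.nix does not visibly re-add them; if the NixOS openldap module does not include core.schema and friends on its own, the object classes that immae.schema and the other custom schemas build on would no longer resolve — worth checking the generated slapd.conf.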
diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index 2980c97..df4101b 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix | |||
@@ -3,6 +3,10 @@ let | |||
3 | cfg = config.myServices.databasesReplication.openldap; | 3 | cfg = config.myServices.databasesReplication.openldap; |
4 | eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; | 4 | eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; |
5 | ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' | 5 | ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' |
6 | include ${pkgs.openldap}/etc/schema/core.schema | ||
7 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
8 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
9 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
6 | ${eldiron_schemas} | 10 | ${eldiron_schemas} |
7 | pidfile /run/slapd_${name}/slapd.pid | 11 | pidfile /run/slapd_${name}/slapd.pid |
8 | argsfile /run/slapd_${name}/slapd.args | 12 | argsfile /run/slapd_${name}/slapd.args |
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index 27ea59c..d0b1a75 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix | |||
@@ -91,23 +91,13 @@ in { | |||
91 | ''; | 91 | ''; |
92 | readOnly = true; | 92 | readOnly = true; |
93 | }; | 93 | }; |
94 | systemdRuntimeDirectory = lib.mkOption { | ||
95 | type = lib.types.str; | ||
96 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
97 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
98 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
99 | description = '' | ||
100 | Adjusted Postgresql sockets directory for systemd | ||
101 | ''; | ||
102 | readOnly = true; | ||
103 | }; | ||
104 | }; | 94 | }; |
105 | }; | 95 | }; |
106 | 96 | ||
107 | config = lib.mkIf cfg.enable { | 97 | config = lib.mkIf cfg.enable { |
108 | networking.firewall.allowedTCPPorts = [ 5432 ]; | 98 | networking.firewall.allowedTCPPorts = [ 5432 ]; |
109 | 99 | ||
110 | security.acme2.certs."postgresql" = config.myServices.databasesCerts // { | 100 | security.acme.certs."postgresql" = config.myServices.databasesCerts // { |
111 | user = "postgres"; | 101 | user = "postgres"; |
112 | group = "postgres"; | 102 | group = "postgres"; |
113 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; | 103 | plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; |
@@ -119,7 +109,6 @@ in { | |||
119 | 109 | ||
120 | systemd.services.postgresql.serviceConfig = { | 110 | systemd.services.postgresql.serviceConfig = { |
121 | SupplementaryGroups = "keys"; | 111 | SupplementaryGroups = "keys"; |
122 | RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
123 | }; | 112 | }; |
124 | systemd.services.postgresql.postStart = lib.mkAfter '' | 113 | systemd.services.postgresql.postStart = lib.mkAfter '' |
125 | # This line is already defined in 19.09 | 114 | # This line is already defined in 19.09 |
@@ -165,8 +154,8 @@ in { | |||
165 | # makes it order of magnitudes quicker | 154 | # makes it order of magnitudes quicker |
166 | synchronous_commit = off | 155 | synchronous_commit = off |
167 | ssl = on | 156 | ssl = on |
168 | ssl_cert_file = '${config.security.acme2.certs.postgresql.directory}/fullchain.pem' | 157 | ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem' |
169 | ssl_key_file = '${config.security.acme2.certs.postgresql.directory}/key.pem' | 158 | ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem' |
170 | ''; | 159 | ''; |
171 | authentication = let | 160 | authentication = let |
172 | hosts = builtins.concatStringsSep "\n" ( | 161 | hosts = builtins.concatStringsSep "\n" ( |
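Review bot: Removing `RuntimeDirectory = cfg.systemdRuntimeDirectory` (old line 122) also removes the only visible thing that created `cfg.socketsDir` under /run, together with the `assert lib.strings.hasPrefix "/run/"` guard that rejected a socket directory outside /run; redis.nix makes the same change. If the upstream module now creates the socket directory, a comment next to `SupplementaryGroups = "keys";` such as `# socket directory is created by the upstream postgresql module` would record that dependency; otherwise the directory needs to come back via RuntimeDirectory or a tmpfiles rule. The `config = lib.mkIf cfg.enable` block continues past the hunks.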
diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 4b26283..4602510 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix | |||
@@ -17,16 +17,6 @@ in { | |||
17 | ''; | 17 | ''; |
18 | }; | 18 | }; |
19 | # Output variables | 19 | # Output variables |
20 | systemdRuntimeDirectory = lib.mkOption { | ||
21 | type = lib.types.str; | ||
22 | # Use ReadWritePaths= instead if socketsDir is outside of /run | ||
23 | default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; | ||
24 | lib.strings.removePrefix "/run/" cfg.socketsDir; | ||
25 | description = '' | ||
26 | Adjusted redis sockets directory for systemd | ||
27 | ''; | ||
28 | readOnly = true; | ||
29 | }; | ||
30 | sockets = lib.mkOption { | 20 | sockets = lib.mkOption { |
31 | type = lib.types.attrsOf lib.types.path; | 21 | type = lib.types.attrsOf lib.types.path; |
32 | default = { | 22 | default = { |
@@ -51,7 +41,6 @@ in { | |||
51 | maxclients 1024 | 41 | maxclients 1024 |
52 | ''; | 42 | ''; |
53 | }; | 43 | }; |
54 | systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory; | ||
55 | 44 | ||
56 | services.spiped = { | 45 | services.spiped = { |
57 | enable = true; | 46 | enable = true; |
diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix index 3537c24..382b42d 100644 --- a/modules/private/ejabberd/default.nix +++ b/modules/private/ejabberd/default.nix | |||
@@ -14,7 +14,7 @@ in | |||
14 | }; | 14 | }; |
15 | 15 | ||
16 | config = lib.mkIf cfg.enable { | 16 | config = lib.mkIf cfg.enable { |
17 | security.acme2.certs = { | 17 | security.acme.certs = { |
18 | "ejabberd" = config.myServices.certificates.certConfig // { | 18 | "ejabberd" = config.myServices.certificates.certConfig // { |
19 | user = "ejabberd"; | 19 | user = "ejabberd"; |
20 | group = "ejabberd"; | 20 | group = "ejabberd"; |
@@ -58,7 +58,7 @@ in | |||
58 | text = '' | 58 | text = '' |
59 | host_config: | 59 | host_config: |
60 | "immae.fr": | 60 | "immae.fr": |
61 | domain_certfile: "${config.security.acme2.certs.ejabberd.directory}/full.pem" | 61 | domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem" |
62 | auth_method: [ldap] | 62 | auth_method: [ldap] |
63 | ldap_servers: ["${config.myEnv.jabber.ldap.host}"] | 63 | ldap_servers: ["${config.myEnv.jabber.ldap.host}"] |
64 | ldap_encrypt: tls | 64 | ldap_encrypt: tls |
@@ -66,8 +66,8 @@ in | |||
66 | ldap_password: "${config.myEnv.jabber.ldap.password}" | 66 | ldap_password: "${config.myEnv.jabber.ldap.password}" |
67 | ldap_base: "${config.myEnv.jabber.ldap.base}" | 67 | ldap_base: "${config.myEnv.jabber.ldap.base}" |
68 | ldap_uids: | 68 | ldap_uids: |
69 | - "uid": "%u" | 69 | uid: "%u" |
70 | - "immaeXmppUid": "%u" | 70 | immaeXmppUid: "%u" |
71 | ldap_filter: "${config.myEnv.jabber.ldap.filter}" | 71 | ldap_filter: "${config.myEnv.jabber.ldap.filter}" |
72 | ''; | 72 | ''; |
73 | } | 73 | } |
@@ -81,7 +81,7 @@ in | |||
81 | ERLANG_NODE=ejabberd@localhost | 81 | ERLANG_NODE=ejabberd@localhost |
82 | ''; | 82 | ''; |
83 | configFile = pkgs.runCommand "ejabberd.yml" { | 83 | configFile = pkgs.runCommand "ejabberd.yml" { |
84 | certificatePrivateKeyAndFullChain = "${config.security.acme2.certs.ejabberd.directory}/full.pem"; | 84 | certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem"; |
85 | certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; | 85 | certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; |
86 | sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; | 86 | sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; |
87 | host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; | 87 | host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; |
diff --git a/modules/private/ejabberd/ejabberd.yml b/modules/private/ejabberd/ejabberd.yml index 0f678b6..82ac35b 100644 --- a/modules/private/ejabberd/ejabberd.yml +++ b/modules/private/ejabberd/ejabberd.yml | |||
@@ -69,7 +69,6 @@ s2s_use_starttls: optional | |||
69 | s2s_cafile: "@certificateCA@" | 69 | s2s_cafile: "@certificateCA@" |
70 | 70 | ||
71 | default_db: sql | 71 | default_db: sql |
72 | sql_type: pgsql | ||
73 | include_config_file: @sql_config_file@ | 72 | include_config_file: @sql_config_file@ |
74 | include_config_file: @host_config_file@ | 73 | include_config_file: @host_config_file@ |
75 | new_sql_schema: true | 74 | new_sql_schema: true |
@@ -193,7 +192,6 @@ modules: | |||
193 | access_createnode: pubsub_createnode | 192 | access_createnode: pubsub_createnode |
194 | plugins: | 193 | plugins: |
195 | - "flat" | 194 | - "flat" |
196 | - "hometree" | ||
197 | - "pep" | 195 | - "pep" |
198 | force_node_config: | 196 | force_node_config: |
199 | ## Change from "whitelist" to "open" to enable OMEMO support | 197 | ## Change from "whitelist" to "open" to enable OMEMO support |
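Review bot: Dropping `sql_type: pgsql` (old line 72) leaves `default_db: sql` with no driver selection visible in this file; unless the included `@sql_config_file@` now sets `sql_type`, ejabberd will fall back to its default SQL backend rather than PostgreSQL. If psql.yml carries it, a comment next to `include_config_file: @sql_config_file@` such as `# sql_type and credentials are set in psql.yml` would make the split explicit.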
diff --git a/modules/private/environment.nix b/modules/private/environment.nix index b7589eb..77e9c8d 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix | |||
@@ -133,8 +133,8 @@ let | |||
133 | ''; | 133 | ''; |
134 | type = submodule { | 134 | type = submodule { |
135 | options = { | 135 | options = { |
136 | password = mkOption { type = string; description = "Password for the LDAP connection"; }; | 136 | password = mkOption { type = str; description = "Password for the LDAP connection"; }; |
137 | dn = mkOption { type = string; description = "DN for the LDAP connection"; }; | 137 | dn = mkOption { type = str; description = "DN for the LDAP connection"; }; |
138 | }; | 138 | }; |
139 | }; | 139 | }; |
140 | }; | 140 | }; |
@@ -156,13 +156,13 @@ let | |||
156 | type = attrsOf (submodule { | 156 | type = attrsOf (submodule { |
157 | options = { | 157 | options = { |
158 | ip4 = mkOption { | 158 | ip4 = mkOption { |
159 | type = string; | 159 | type = str; |
160 | description = '' | 160 | description = '' |
161 | ip4 address of the host | 161 | ip4 address of the host |
162 | ''; | 162 | ''; |
163 | }; | 163 | }; |
164 | ip6 = mkOption { | 164 | ip6 = mkOption { |
165 | type = listOf string; | 165 | type = listOf str; |
166 | default = []; | 166 | default = []; |
167 | description = '' | 167 | description = '' |
168 | ip6 addresses of the host | 168 | ip6 addresses of the host |
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 585fe63..417af87 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix | |||
@@ -17,7 +17,7 @@ in | |||
17 | services.duplyBackup.profiles.ftp = { | 17 | services.duplyBackup.profiles.ftp = { |
18 | rootDir = "/var/lib/ftp"; | 18 | rootDir = "/var/lib/ftp"; |
19 | }; | 19 | }; |
20 | security.acme2.certs."ftp" = config.myServices.certificates.certConfig // { | 20 | security.acme.certs."ftp" = config.myServices.certificates.certConfig // { |
21 | domain = "eldiron.immae.eu"; | 21 | domain = "eldiron.immae.eu"; |
22 | postRun = '' | 22 | postRun = '' |
23 | systemctl restart pure-ftpd.service | 23 | systemctl restart pure-ftpd.service |
@@ -113,7 +113,7 @@ in | |||
113 | MaxDiskUsage 99 | 113 | MaxDiskUsage 99 |
114 | CustomerProof yes | 114 | CustomerProof yes |
115 | TLS 1 | 115 | TLS 1 |
116 | CertFile ${config.security.acme2.certs.ftp.directory}/full.pem | 116 | CertFile ${config.security.acme.certs.ftp.directory}/full.pem |
117 | ''; | 117 | ''; |
118 | in { | 118 | in { |
119 | description = "Pure-FTPd server"; | 119 | description = "Pure-FTPd server"; |
diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index 9dfa04d..9f5c179 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix | |||
@@ -5,7 +5,7 @@ in { | |||
5 | options.myServices.gitolite = { | 5 | options.myServices.gitolite = { |
6 | enable = lib.mkEnableOption "my gitolite service"; | 6 | enable = lib.mkEnableOption "my gitolite service"; |
7 | gitoliteDir = lib.mkOption { | 7 | gitoliteDir = lib.mkOption { |
8 | type = lib.types.string; | 8 | type = lib.types.str; |
9 | default = "/var/lib/gitolite"; | 9 | default = "/var/lib/gitolite"; |
10 | }; | 10 | }; |
11 | }; | 11 | }; |
diff --git a/modules/private/irc.nix b/modules/private/irc.nix index 1054b96..9871508 100644 --- a/modules/private/irc.nix +++ b/modules/private/irc.nix | |||
@@ -20,7 +20,7 @@ in | |||
20 | services.duplyBackup.profiles.irc = { | 20 | services.duplyBackup.profiles.irc = { |
21 | rootDir = "/var/lib/bitlbee"; | 21 | rootDir = "/var/lib/bitlbee"; |
22 | }; | 22 | }; |
23 | security.acme2.certs."irc" = config.myServices.ircCerts // { | 23 | security.acme.certs."irc" = config.myServices.ircCerts // { |
24 | domain = "irc.immae.eu"; | 24 | domain = "irc.immae.eu"; |
25 | postRun = '' | 25 | postRun = '' |
26 | systemctl restart stunnel.service | 26 | systemctl restart stunnel.service |
@@ -49,7 +49,7 @@ in | |||
49 | bitlbee = { | 49 | bitlbee = { |
50 | accept = 6697; | 50 | accept = 6697; |
51 | connect = 6667; | 51 | connect = 6667; |
52 | cert = "${config.security.acme2.certs.irc.directory}/full.pem"; | 52 | cert = "${config.security.acme.certs.irc.directory}/full.pem"; |
53 | }; | 53 | }; |
54 | }; | 54 | }; |
55 | }; | 55 | }; |
diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 1c64e15..b50e346 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix | |||
@@ -13,7 +13,7 @@ | |||
13 | options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; | 13 | options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; |
14 | 14 | ||
15 | config = lib.mkIf config.myServices.mail.enable { | 15 | config = lib.mkIf config.myServices.mail.enable { |
16 | security.acme2.certs."mail" = config.myServices.certificates.certConfig // { | 16 | security.acme.certs."mail" = config.myServices.certificates.certConfig // { |
17 | domain = config.hostEnv.fqdn; | 17 | domain = config.hostEnv.fqdn; |
18 | extraDomains = let | 18 | extraDomains = let |
19 | zonesWithMx = builtins.filter (zone: | 19 | zonesWithMx = builtins.filter (zone: |
diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 9836f78..77f9bd7 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix | |||
@@ -269,7 +269,7 @@ in | |||
269 | [ | 269 | [ |
270 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" | 270 | "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" |
271 | ]; | 271 | ]; |
272 | security.acme2.certs."mail" = { | 272 | security.acme.certs."mail" = { |
273 | postRun = '' | 273 | postRun = '' |
274 | systemctl restart dovecot2.service | 274 | systemctl restart dovecot2.service |
275 | ''; | 275 | ''; |
diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index e0347ec..4791b41 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix | |||
@@ -428,7 +428,7 @@ | |||
428 | }; | 428 | }; |
429 | }; | 429 | }; |
430 | }; | 430 | }; |
431 | security.acme2.certs."mail" = { | 431 | security.acme.certs."mail" = { |
432 | postRun = '' | 432 | postRun = '' |
433 | systemctl restart postfix.service | 433 | systemctl restart postfix.service |
434 | ''; | 434 | ''; |
diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index 18d6bc3..c6231aa 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix | |||
@@ -1,7 +1,7 @@ | |||
1 | { lib, pkgs, config, nodes, name, ... }: | 1 | { lib, pkgs, config, nodes, name, ... }: |
2 | { | 2 | { |
3 | config = lib.mkIf config.myServices.mailBackup.enable { | 3 | config = lib.mkIf config.myServices.mailBackup.enable { |
4 | security.acme2.certs."mail" = config.myServices.certificates.certConfig // { | 4 | security.acme.certs."mail" = config.myServices.certificates.certConfig // { |
5 | postRun = '' | 5 | postRun = '' |
6 | systemctl restart postfix.service | 6 | systemctl restart postfix.service |
7 | ''; | 7 | ''; |
diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index cc8e36b..4cdf59a 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix | |||
@@ -79,6 +79,10 @@ in | |||
79 | base = config.myServices.databasesReplication.openldap.base; | 79 | base = config.myServices.databasesReplication.openldap.base; |
80 | eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; | 80 | eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; |
81 | ldapConfig = pkgs.writeText "slapd.conf" '' | 81 | ldapConfig = pkgs.writeText "slapd.conf" '' |
82 | include ${pkgs.openldap}/etc/schema/core.schema | ||
83 | include ${pkgs.openldap}/etc/schema/cosine.schema | ||
84 | include ${pkgs.openldap}/etc/schema/inetorgperson.schema | ||
85 | include ${pkgs.openldap}/etc/schema/nis.schema | ||
82 | ${eldiron_schemas} | 86 | ${eldiron_schemas} |
83 | moduleload back_hdb | 87 | moduleload back_hdb |
84 | backend hdb | 88 | backend hdb |
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index 2860e96..d25d934 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix | |||
@@ -34,7 +34,7 @@ | |||
34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; | 34 | locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; |
35 | }; | 35 | }; |
36 | }; | 36 | }; |
37 | security.acme2.certs."${name}".extraDomains."status.immae.eu" = null; | 37 | security.acme.certs."${name}".extraDomains."status.immae.eu" = null; |
38 | 38 | ||
39 | myServices.certificates.enable = true; | 39 | myServices.certificates.enable = true; |
40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; | 40 | networking.firewall.allowedTCPPorts = [ 80 443 ]; |
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 78e07c1..42cc8d2 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix | |||
@@ -123,7 +123,7 @@ in { | |||
123 | Use LDAPConnect | 123 | Use LDAPConnect |
124 | Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu | 124 | Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu |
125 | <FilesMatch "\.php$"> | 125 | <FilesMatch "\.php$"> |
126 | SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" | 126 | SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost" |
127 | </FilesMatch> | 127 | </FilesMatch> |
128 | Include /var/secrets/webapps/tools-taskwarrior-web | 128 | Include /var/secrets/webapps/tools-taskwarrior-web |
129 | </Directory> | 129 | </Directory> |
@@ -172,29 +172,30 @@ in { | |||
172 | }; | 172 | }; |
173 | services.phpfpm.pools = { | 173 | services.phpfpm.pools = { |
174 | tasks = { | 174 | tasks = { |
175 | listen = "/var/run/phpfpm/task.sock"; | 175 | user = user; |
176 | extraConfig = '' | 176 | group = group; |
177 | user = ${user} | 177 | settings = { |
178 | group = ${group} | 178 | "listen.owner" = "wwwrun"; |
179 | listen.owner = wwwrun | 179 | "listen.group" = "wwwrun"; |
180 | listen.group = wwwrun | 180 | "pm" = "dynamic"; |
181 | pm = dynamic | 181 | "pm.max_children" = "60"; |
182 | pm.max_children = 60 | 182 | "pm.start_servers" = "2"; |
183 | pm.start_servers = 2 | 183 | "pm.min_spare_servers" = "1"; |
184 | pm.min_spare_servers = 1 | 184 | "pm.max_spare_servers" = "10"; |
185 | pm.max_spare_servers = 10 | ||
186 | 185 | ||
187 | ; Needed to avoid clashes in browser cookies (same domain) | 186 | # Needed to avoid clashes in browser cookies (same domain) |
188 | env[PATH] = "/etc/profiles/per-user/${user}/bin" | 187 | "php_value[session.name]" = "TaskPHPSESSID"; |
189 | php_value[session.name] = TaskPHPSESSID | 188 | "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"; |
190 | php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/" | 189 | }; |
191 | ''; | 190 | phpEnv = { |
191 | PATH = "/etc/profiles/per-user/${user}/bin"; | ||
192 | }; | ||
192 | }; | 193 | }; |
193 | }; | 194 | }; |
194 | 195 | ||
195 | myServices.websites.webappDirs._task = ./www; | 196 | myServices.websites.webappDirs._task = ./www; |
196 | 197 | ||
197 | security.acme2.certs."task" = config.myServices.certificates.certConfig // { | 198 | security.acme.certs."task" = config.myServices.certificates.certConfig // { |
198 | inherit user group; | 199 | inherit user group; |
199 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; | 200 | plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; |
200 | domain = fqdn; | 201 | domain = fqdn; |
@@ -246,9 +247,9 @@ in { | |||
246 | inherit fqdn; | 247 | inherit fqdn; |
247 | listenHost = "::"; | 248 | listenHost = "::"; |
248 | pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; | 249 | pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; |
249 | pki.manual.server.cert = "${config.security.acme2.certs.task.directory}/fullchain.pem"; | 250 | pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem"; |
250 | pki.manual.server.crl = "${config.security.acme2.certs.task.directory}/invalid.crl"; | 251 | pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl"; |
251 | pki.manual.server.key = "${config.security.acme2.certs.task.directory}/key.pem"; | 252 | pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem"; |
252 | requestLimit = 104857600; | 253 | requestLimit = 104857600; |
253 | }; | 254 | }; |
254 | 255 | ||
diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix index f21caeb..bce2b4d 100644 --- a/modules/private/websites/chloe/builder.nix +++ b/modules/private/websites/chloe/builder.nix | |||
@@ -3,28 +3,25 @@ rec { | |||
3 | app = chloe.override { inherit (config) environment; }; | 3 | app = chloe.override { inherit (config) environment; }; |
4 | phpFpm = rec { | 4 | phpFpm = rec { |
5 | serviceDeps = [ "mysql.service" ]; | 5 | serviceDeps = [ "mysql.service" ]; |
6 | socket = "/var/run/phpfpm/chloe-${app.environment}.sock"; | 6 | pool = { |
7 | pool = '' | 7 | "listen.owner" = apacheUser; |
8 | user = ${apacheUser} | 8 | "listen.group" = apacheGroup; |
9 | group = ${apacheGroup} | 9 | "php_admin_value[upload_max_filesize]" = "20M"; |
10 | listen.owner = ${apacheUser} | 10 | "php_admin_value[post_max_size]" = "20M"; |
11 | listen.group = ${apacheGroup} | 11 | # "php_admin_flag[log_errors]" = "on"; |
12 | php_admin_value[upload_max_filesize] = 20M | 12 | "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; |
13 | php_admin_value[post_max_size] = 20M | 13 | "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; |
14 | ;php_admin_flag[log_errors] = on | 14 | } // (if app.environment == "dev" then { |
15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | 15 | "pm" = "ondemand"; |
16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | 16 | "pm.max_children" = "5"; |
17 | ${if app.environment == "dev" then '' | 17 | "pm.process_idle_timeout" = "60"; |
18 | pm = ondemand | 18 | } else { |
19 | pm.max_children = 5 | 19 | "pm" = "dynamic"; |
20 | pm.process_idle_timeout = 60 | 20 | "pm.max_children" = "20"; |
21 | '' else '' | 21 | "pm.start_servers" = "2"; |
22 | pm = dynamic | 22 | "pm.min_spare_servers" = "1"; |
23 | pm.max_children = 20 | 23 | "pm.max_spare_servers" = "3"; |
24 | pm.start_servers = 2 | 24 | }); |
25 | pm.min_spare_servers = 1 | ||
26 | pm.max_spare_servers = 3 | ||
27 | ''}''; | ||
28 | }; | 25 | }; |
29 | keys = [{ | 26 | keys = [{ |
30 | dest = "webapps/${app.environment}-chloe"; | 27 | dest = "webapps/${app.environment}-chloe"; |
@@ -51,7 +48,7 @@ rec { | |||
51 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
52 | webappName = "chloe_${app.environment}"; | 49 | webappName = "chloe_${app.environment}"; |
53 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
54 | vhostConf = '' | 51 | vhostConf = socket: '' |
55 | Include /var/secrets/webapps/${app.environment}-chloe | 52 | Include /var/secrets/webapps/${app.environment}-chloe |
56 | 53 | ||
57 | RewriteEngine On | 54 | RewriteEngine On |
@@ -60,7 +57,7 @@ rec { | |||
60 | '' else ""} | 57 | '' else ""} |
61 | 58 | ||
62 | <FilesMatch "\.php$"> | 59 | <FilesMatch "\.php$"> |
63 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 60 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
64 | </FilesMatch> | 61 | </FilesMatch> |
65 | 62 | ||
66 | <Directory ${root}> | 63 | <Directory ${root}> |
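Review bot: `phpFpm.pool` at new lines 6–24 no longer carries the pool's `user`/`group` (old lines 8–9 did), and `apache.vhostConf` at new line 51 now takes the socket path as an argument, so each consumer has to set `services.phpfpm.pools.<name>.user`/`group` itself and pass `config.services.phpfpm.pools.<name>.socket` to `vhostConf`; nothing in this file states that contract. A comment above `pool = {` such as `# pool user/group are set by the consumer; listen.owner/group must match the Apache instance using the socket` and `# socket: path of the phpfpm pool that serves this vhost` above `vhostConf = socket:` would make it explicit. isabelle/spip_builder.nix receives the identical change and the same comments apply there; it also writes the owner values as `"${apacheUser}"` where this file uses the bare `apacheUser` — the interpolation is redundant for a string, and one form should be used in both files. The `rec` set that holds `phpFpm` begins before the hunk.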
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index 6276eb7..caf6548 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix | |||
@@ -17,8 +17,9 @@ in { | |||
17 | systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; | 17 | systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; |
18 | systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; | 18 | systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; |
19 | services.phpfpm.pools.chloe_dev = { | 19 | services.phpfpm.pools.chloe_dev = { |
20 | listen = chloe.phpFpm.socket; | 20 | user = config.services.httpd.Inte.user; |
21 | extraConfig = chloe.phpFpm.pool; | 21 | group = config.services.httpd.Inte.group; |
22 | settings = chloe.phpFpm.pool; | ||
22 | phpOptions = config.services.phpfpm.phpOptions + '' | 23 | phpOptions = config.services.phpfpm.phpOptions + '' |
23 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 24 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
24 | ''; | 25 | ''; |
@@ -31,7 +32,9 @@ in { | |||
31 | addToCerts = true; | 32 | addToCerts = true; |
32 | hosts = ["chloe.immae.eu" ]; | 33 | hosts = ["chloe.immae.eu" ]; |
33 | root = chloe.apache.root; | 34 | root = chloe.apache.root; |
34 | extraConfig = [ chloe.apache.vhostConf ]; | 35 | extraConfig = [ |
36 | (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_dev.socket) | ||
37 | ]; | ||
35 | }; | 38 | }; |
36 | services.websites.env.integration.watchPaths = [ | 39 | services.websites.env.integration.watchPaths = [ |
37 | "/var/secrets/webapps/${chloe.app.environment}-chloe" | 40 | "/var/secrets/webapps/${chloe.app.environment}-chloe" |
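Review bot: `user`/`group` at new lines 20–21 are taken from `config.services.httpd.Inte`, while the socket's `listen.owner`/`listen.group` inside `chloe.phpFpm.pool` are filled from the `apacheUser`/`apacheGroup` the builder was instantiated with (outside this hunk); these are now two independent sources for what must be the same identity, and if they drift Apache either cannot open the socket or the socket ends up owned by a different account than the one serving the vhost. If the builder is not already instantiated from the same `config.services.httpd.Inte` values, consider passing them in from this file so the pool owner and the socket owner cannot diverge. The same pattern appears in chloe/production.nix (`config.services.httpd.Prod`) and isabelle/iridologie.nix.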
diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 578bf91..83f6c9b 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix | |||
@@ -19,8 +19,9 @@ in { | |||
19 | systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; | 19 | systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; |
20 | systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; | 20 | systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; |
21 | services.phpfpm.pools.chloe_prod = { | 21 | services.phpfpm.pools.chloe_prod = { |
22 | listen = chloe.phpFpm.socket; | 22 | user = config.services.httpd.Prod.user; |
23 | extraConfig = chloe.phpFpm.pool; | 23 | group = config.services.httpd.Prod.group; |
24 | settings = chloe.phpFpm.pool; | ||
24 | phpOptions = config.services.phpfpm.phpOptions + '' | 25 | phpOptions = config.services.phpfpm.phpOptions + '' |
25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
26 | ''; | 27 | ''; |
@@ -39,7 +40,7 @@ in { | |||
39 | RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] | 40 | RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] |
40 | RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] | 41 | RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] |
41 | '' | 42 | '' |
42 | chloe.apache.vhostConf | 43 | (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_prod.socket) |
43 | ]; | 44 | ]; |
44 | }; | 45 | }; |
45 | services.websites.env.production.watchPaths = [ | 46 | services.websites.env.production.watchPaths = [ |
diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix index d591c90..1803468 100644 --- a/modules/private/websites/commons/adminer.nix +++ b/modules/private/websites/commons/adminer.nix | |||
@@ -1,24 +1,5 @@ | |||
1 | {}: | 1 | { config, callPackage }: |
2 | rec { | 2 | callPackage ../tools/tools/adminer.nix { |
3 | phpFpm = { | 3 | adminer = null; |
4 | socket = "/var/run/phpfpm/adminer.sock"; | 4 | forcePhpSocket = config.services.phpfpm.pools.adminer.socket; |
5 | }; | ||
6 | apache = rec { | ||
7 | modules = [ "proxy_fcgi" ]; | ||
8 | webappName = "_adminer"; | ||
9 | root = "/run/current-system/webapps/${webappName}"; | ||
10 | vhostConf = '' | ||
11 | Alias /adminer ${root} | ||
12 | <Directory ${root}> | ||
13 | DirectoryIndex index.php | ||
14 | <FilesMatch "\.php$"> | ||
15 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | ||
16 | </FilesMatch> | ||
17 | |||
18 | Use LDAPConnect | ||
19 | Require ldap-group cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu | ||
20 | Require ldap-group cn=users,cn=postgresql,cn=pam,ou=services,dc=immae,dc=eu | ||
21 | </Directory> | ||
22 | ''; | ||
23 | }; | ||
24 | } | 5 | } |
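Review bot: The removed vhost block (old lines 18–20) gated `/adminer` with `Use LDAPConnect` and two `Require ldap-group` directives, and the replacement at new lines 1–5 delegates to `../tools/tools/adminer.nix` without passing any access-control setting, so whether the LDAP group requirement still applies depends entirely on what that shared file emits, which is not visible in this diff. Worth confirming before merge that the generated vhostConf still contains the `Require ldap-group` lines (or an equivalent), since a database administration UI reachable without them would be a regression introduced by this refactor. `adminer = null;` at new line 3 is also opaque to a reader of this file; a one-line comment stating what a null `adminer` selects in tools/adminer.nix, and that `forcePhpSocket` pins the vhost to this host's `adminer` pool socket, would help.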
diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 81cff8f..4f7b72d 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix | |||
@@ -25,15 +25,17 @@ in { | |||
25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 25 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
26 | ]; | 26 | ]; |
27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | 27 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; |
28 | phpPool = '' | 28 | phpPool = { |
29 | php_admin_value[upload_max_filesize] = 20M | 29 | "php_admin_value[upload_max_filesize]" = "20M"; |
30 | php_admin_value[post_max_size] = 20M | 30 | "php_admin_value[post_max_size]" = "20M"; |
31 | ;php_admin_flag[log_errors] = on | 31 | #"php_admin_flag[log_errors]" = "on"; |
32 | pm = ondemand | 32 | "pm" = "ondemand"; |
33 | pm.max_children = 5 | 33 | "pm.max_children" = "5"; |
34 | pm.process_idle_timeout = 60 | 34 | "pm.process_idle_timeout" = "60"; |
35 | env[SYMFONY_DEBUG_MODE] = "yes" | 35 | }; |
36 | ''; | 36 | phpEnv = { |
37 | SYMFONY_DEBUG_MODE = "yes"; | ||
38 | }; | ||
37 | phpWatchFiles = [ | 39 | phpWatchFiles = [ |
38 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" |
39 | ]; | 41 | ]; |
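Review bot: The `phpPool` attrset at new lines 28–35 and the `phpEnv` at 36–38 are repeated verbatim in florian/app.nix and isabelle/aten_integration.nix, and connexionswing/production.nix shares its `dynamic` variant with isabelle/aten_production.nix; now that these are attribute sets rather than strings they can be composed with `//` from one shared definition instead of copied, so a limit such as `pm.max_children` is changed in one place. A commons file exporting the ondemand and dynamic presets, with each site applying a `// { ... }` override for its own `php_admin_value[...]` entries, would keep each site file to its specifics. The commented-out `#"php_admin_flag[log_errors]" = "on";` line is carried into every copy as well; either enable it or drop it rather than keep it in five files.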
diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index fa31931..0b52af1 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix | |||
@@ -26,16 +26,16 @@ in { | |||
26 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 26 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
27 | ]; | 27 | ]; |
28 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; | 28 | phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; |
29 | phpPool = '' | 29 | phpPool = { |
30 | php_admin_value[upload_max_filesize] = 20M | 30 | "php_admin_value[upload_max_filesize]" = "20M"; |
31 | php_admin_value[post_max_size] = 20M | 31 | "php_admin_value[post_max_size]" = "20M"; |
32 | ;php_admin_flag[log_errors] = on | 32 | #"php_admin_flag[log_errors]" = "on"; |
33 | pm = dynamic | 33 | "pm" = "dynamic"; |
34 | pm.max_children = 20 | 34 | "pm.max_children" = "20"; |
35 | pm.start_servers = 2 | 35 | "pm.start_servers" = "2"; |
36 | pm.min_spare_servers = 1 | 36 | "pm.min_spare_servers" = "1"; |
37 | pm.max_spare_servers = 3 | 37 | "pm.max_spare_servers" = "3"; |
38 | ''; | 38 | }; |
39 | phpWatchFiles = [ | 39 | phpWatchFiles = [ |
40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" | 40 | config.secrets.fullPaths."webapps/${app.environment}-connexionswing" |
41 | ]; | 41 | ]; |
diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 5c0e655..529ec5c 100644 --- a/modules/private/websites/default.nix +++ b/modules/private/websites/default.nix | |||
@@ -87,9 +87,9 @@ in | |||
87 | #openssl = self.openssl_1_1; | 87 | #openssl = self.openssl_1_1; |
88 | php = php72; | 88 | php = php72; |
89 | php72 = (super.php72.override { | 89 | php72 = (super.php72.override { |
90 | mysql.connector-c = self.mariadb; | 90 | config.php.mysqlnd = true; |
91 | config.php.mysqlnd = false; | ||
92 | config.php.mysqli = false; | 91 | config.php.mysqli = false; |
92 | config.php.mhash = true; # Is it needed? | ||
93 | }).overrideAttrs(old: rec { | 93 | }).overrideAttrs(old: rec { |
94 | # Didn't manage to build with mysqli + mysql_config connector | 94 | # Didn't manage to build with mysqli + mysql_config connector |
95 | configureFlags = old.configureFlags ++ [ | 95 | configureFlags = old.configureFlags ++ [ |
@@ -140,9 +140,9 @@ in | |||
140 | ; 30 days (minutes) | 140 | ; 30 days (minutes) |
141 | session.cache_expire = 43200 | 141 | session.cache_expire = 43200 |
142 | ''; | 142 | ''; |
143 | extraConfig = '' | 143 | settings = { |
144 | log_level = notice | 144 | log_level = "notice"; |
145 | ''; | 145 | }; |
146 | }; | 146 | }; |
147 | 147 | ||
148 | services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; | 148 | services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; |
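Review bot: `config.php.mhash = true; # Is it needed?` at new line 92 commits an open question into the PHP build configuration; either confirm which site requires the extension and replace the comment with that reason, or drop the line. With `mysql.connector-c = self.mariadb` removed and `config.php.mysqlnd = true` added at new line 90, the retained comment at line 94, `# Didn't manage to build with mysqli + mysql_config connector`, most likely describes the situation before this change; it should be reworded to say why the `configureFlags` override that follows it is still needed, if it still is.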
diff --git a/modules/private/websites/emilia/richie.nix b/modules/private/websites/emilia/richie.nix index f7b4f8d..98ab1cd 100644 --- a/modules/private/websites/emilia/richie.nix +++ b/modules/private/websites/emilia/richie.nix | |||
@@ -49,22 +49,23 @@ in | |||
49 | ''; | 49 | ''; |
50 | }; | 50 | }; |
51 | services.phpfpm.pools.richie_production = { | 51 | services.phpfpm.pools.richie_production = { |
52 | listen = "/run/phpfpm/richie_production.sock"; | 52 | user = "wwwrun"; |
53 | extraConfig = '' | 53 | group = "wwwrun"; |
54 | user = wwwrun | 54 | settings = { |
55 | group = wwwrun | 55 | "listen.owner" = "wwwrun"; |
56 | listen.owner = wwwrun | 56 | "listen.group" = "wwwrun"; |
57 | listen.group = wwwrun | ||
58 | 57 | ||
59 | pm = ondemand | 58 | "pm" = "ondemand"; |
60 | pm.max_children = 5 | 59 | "pm.max_children" = "5"; |
61 | pm.process_idle_timeout = 60 | 60 | "pm.process_idle_timeout" = "60"; |
62 | 61 | ||
63 | env[PATH] = /run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]} | 62 | "php_admin_value[open_basedir]" = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp"; |
64 | env[BDD_CONNECT] = "/var/secrets/webapps/prod-richie" | 63 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/richie_production"; |
65 | php_admin_value[open_basedir] = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp" | 64 | }; |
66 | php_admin_value[session.save_path] = "/var/lib/php/sessions/richie_production" | 65 | phpEnv = { |
67 | ''; | 66 | PATH = "/run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]}"; |
67 | BDD_CONNECT = "/var/secrets/webapps/prod-richie"; | ||
68 | }; | ||
68 | phpOptions = config.services.phpfpm.phpOptions + '' | 69 | phpOptions = config.services.phpfpm.phpOptions + '' |
69 | date.timezone = 'Europe/Paris' | 70 | date.timezone = 'Europe/Paris' |
70 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 71 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
@@ -91,7 +92,7 @@ in | |||
91 | Require all granted | 92 | Require all granted |
92 | 93 | ||
93 | <FilesMatch "\.php$"> | 94 | <FilesMatch "\.php$"> |
94 | SetHandler "proxy:unix:/run/phpfpm/richie_production.sock|fcgi://localhost" | 95 | SetHandler "proxy:unix:${config.services.phpfpm.pools.richie_production.socket}|fcgi://localhost" |
95 | </FilesMatch> | 96 | </FilesMatch> |
96 | </Directory> | 97 | </Directory> |
97 | '' | 98 | '' |
diff --git a/modules/private/websites/evariste/production.nix b/modules/private/websites/evariste/production.nix index 00e6fe1..43b26c8 100644 --- a/modules/private/websites/evariste/production.nix +++ b/modules/private/websites/evariste/production.nix | |||
@@ -21,20 +21,19 @@ in { | |||
21 | ''; | 21 | ''; |
22 | }; | 22 | }; |
23 | services.phpfpm.pools.nsievariste = { | 23 | services.phpfpm.pools.nsievariste = { |
24 | listen = "/run/phpfpm/nsievariste.sock"; | 24 | user = "wwwrun"; |
25 | extraConfig = '' | 25 | group = "wwwrun"; |
26 | user = wwwrun | 26 | settings = { |
27 | group = wwwrun | 27 | "listen.owner" = "wwwrun"; |
28 | listen.owner = wwwrun | 28 | "listen.group" = "wwwrun"; |
29 | listen.group = wwwrun | ||
30 | 29 | ||
31 | pm = ondemand | 30 | "pm" = "ondemand"; |
32 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
33 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
34 | 33 | ||
35 | php_admin_value[open_basedir] = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp" | 34 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp"; |
36 | php_admin_value[session.save_path] = "/var/lib/php/sessions/nsievariste" | 35 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/nsievariste"; |
37 | ''; | 36 | }; |
38 | }; | 37 | }; |
39 | services.websites.env.production.vhostConfs.nsievariste = { | 38 | services.websites.env.production.vhostConfs.nsievariste = { |
40 | certName = "eldiron"; | 39 | certName = "eldiron"; |
@@ -46,7 +45,7 @@ in { | |||
46 | Use Stats nsievariste.immae.eu | 45 | Use Stats nsievariste.immae.eu |
47 | 46 | ||
48 | <FilesMatch "\.php$"> | 47 | <FilesMatch "\.php$"> |
49 | SetHandler "proxy:unix:/run/phpfpm/nsievariste.sock|fcgi://localhost" | 48 | SetHandler "proxy:unix:${config.services.phpfpm.pools.nsievariste.socket}|fcgi://localhost" |
50 | </FilesMatch> | 49 | </FilesMatch> |
51 | 50 | ||
52 | <Directory ${nsiVarDir}> | 51 | <Directory ${nsiVarDir}> |
@@ -60,20 +59,19 @@ in { | |||
60 | }; | 59 | }; |
61 | 60 | ||
62 | services.phpfpm.pools.stmgevariste = { | 61 | services.phpfpm.pools.stmgevariste = { |
63 | listen = "/run/phpfpm/stmgevariste.sock"; | 62 | user = "wwwrun"; |
64 | extraConfig = '' | 63 | group = "wwwrun"; |
65 | user = wwwrun | 64 | settings = { |
66 | group = wwwrun | 65 | "listen.owner" = "wwwrun"; |
67 | listen.owner = wwwrun | 66 | "listen.group" = "wwwrun"; |
68 | listen.group = wwwrun | ||
69 | 67 | ||
70 | pm = ondemand | 68 | "pm" = "ondemand"; |
71 | pm.max_children = 5 | 69 | "pm.max_children" = "5"; |
72 | pm.process_idle_timeout = 60 | 70 | "pm.process_idle_timeout" = "60"; |
73 | 71 | ||
74 | php_admin_value[open_basedir] = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp" | 72 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp"; |
75 | php_admin_value[session.save_path] = "/var/lib/php/sessions/stmgevariste" | 73 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/stmgevariste"; |
76 | ''; | 74 | }; |
77 | }; | 75 | }; |
78 | services.websites.env.production.vhostConfs.stmgevariste = { | 76 | services.websites.env.production.vhostConfs.stmgevariste = { |
79 | certName = "eldiron"; | 77 | certName = "eldiron"; |
@@ -85,7 +83,7 @@ in { | |||
85 | Use Stats stmgevariste.immae.eu | 83 | Use Stats stmgevariste.immae.eu |
86 | 84 | ||
87 | <FilesMatch "\.php$"> | 85 | <FilesMatch "\.php$"> |
88 | SetHandler "proxy:unix:/run/phpfpm/stmgevariste.sock|fcgi://localhost" | 86 | SetHandler "proxy:unix:${config.services.phpfpm.pools.stmgevariste.socket}|fcgi://localhost" |
89 | </FilesMatch> | 87 | </FilesMatch> |
90 | 88 | ||
91 | <Directory ${stmgVarDir}> | 89 | <Directory ${stmgVarDir}> |
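Review bot: The `nsievariste` pool (new lines 23–37) and the `stmgevariste` pool (new lines 61–75) are identical apart from the session directory and the var dir, so a small function in the `let` block (which begins before the first hunk) could define the user/group, `listen.*`, `pm.*` and `open_basedir` settings once. The sketch below keeps every value byte-for-byte and derives `open_basedir` from the two arguments exactly as the current lines do. The two `SetHandler` lines already reference `config.services.phpfpm.pools.<name>.socket`, so nothing else needs to change.
```nix
let
  # … unchanged: existing let bindings (cfg, nsiVarDir, stmgVarDir, …) …
  mkEvaristePool = sessionDir: varDir: {
    user = "wwwrun";
    group = "wwwrun";
    settings = {
      "listen.owner" = "wwwrun";
      "listen.group" = "wwwrun";

      "pm" = "ondemand";
      "pm.max_children" = "5";
      "pm.process_idle_timeout" = "60";

      "php_admin_value[open_basedir]" = "${sessionDir}:${varDir}:/tmp";
      "php_admin_value[session.save_path]" = sessionDir;
    };
  };
in {
  # … unchanged: options and secrets …
  services.phpfpm.pools.nsievariste = mkEvaristePool "/var/lib/php/sessions/nsievariste" nsiVarDir;
  # … unchanged: vhostConfs.nsievariste …
  services.phpfpm.pools.stmgevariste = mkEvaristePool "/var/lib/php/sessions/stmgevariste" stmgVarDir;
  # … unchanged: vhostConfs.stmgevariste …
```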
diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index e262c59..c65c26f 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | secrets = config.myEnv.websites.tellesflorian.integration; | 4 | secrets = config.myEnv.websites.tellesflorian.integration; |
5 | app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; | 5 | app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; |
6 | cfg = config.myServices.websites.florian.app; | 6 | cfg = config.myServices.websites.florian.app; |
@@ -24,15 +24,17 @@ in { | |||
24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | pm = ondemand | 31 | "pm" = "ondemand"; |
32 | pm.max_children = 5 | 32 | "pm.max_children" = "5"; |
33 | pm.process_idle_timeout = 60 | 33 | "pm.process_idle_timeout" = "60"; |
34 | env[SYMFONY_DEBUG_MODE] = "yes" | 34 | }; |
35 | ''; | 35 | phpEnv = { |
36 | SYMFONY_DEBUG_MODE = "yes"; | ||
37 | }; | ||
36 | phpWatchFiles = [ | 38 | phpWatchFiles = [ |
37 | config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" | 39 | config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" |
38 | ]; | 40 | ]; |
@@ -134,7 +136,7 @@ in { | |||
134 | 136 | ||
135 | </Directory> | 137 | </Directory> |
136 | '' | 138 | '' |
137 | adminer.apache.vhostConf | 139 | (adminer.apache.vhostConf null) |
138 | ]; | 140 | ]; |
139 | }; | 141 | }; |
140 | }; | 142 | }; |
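Review bot: `(adminer.apache.vhostConf null)` at new line 139 passes `null` as the socket argument with no indication of why that is valid; judging from commons/adminer.nix in this same commit, the socket appears to come from `forcePhpSocket = config.services.phpfpm.pools.adminer.socket` instead, so the argument is presumably ignored, but a reader of this file cannot tell. A comment next to the call such as `# socket argument unused: adminer.nix is built with forcePhpSocket` — here and at the same call in florian/integration.nix and florian/production.nix — would stop someone from later "fixing" it by passing a real socket that is then silently discarded, or the reverse.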
diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index 57c4006..4ee160a 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.florian.integration; | 4 | cfg = config.myServices.websites.florian.integration; |
5 | varDir = "/var/lib/ftp/florian"; | 5 | varDir = "/var/lib/ftp/florian"; |
6 | env = config.myEnv.websites.florian; | 6 | env = config.myEnv.websites.florian; |
@@ -8,7 +8,7 @@ in { | |||
8 | options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; | 8 | options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; |
9 | 9 | ||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | security.acme2.certs."ftp".extraDomains."florian.immae.eu" = null; | 11 | security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; |
12 | 12 | ||
13 | services.websites.env.integration.modules = adminer.apache.modules; | 13 | services.websites.env.integration.modules = adminer.apache.modules; |
14 | services.websites.env.integration.vhostConfs.florian = { | 14 | services.websites.env.integration.vhostConfs.florian = { |
@@ -17,7 +17,7 @@ in { | |||
17 | hosts = [ "florian.immae.eu" ]; | 17 | hosts = [ "florian.immae.eu" ]; |
18 | root = "${varDir}/florian.immae.eu"; | 18 | root = "${varDir}/florian.immae.eu"; |
19 | extraConfig = [ | 19 | extraConfig = [ |
20 | adminer.apache.vhostConf | 20 | (adminer.apache.vhostConf null) |
21 | '' | 21 | '' |
22 | ServerAdmin ${env.server_admin} | 22 | ServerAdmin ${env.server_admin} |
23 | 23 | ||
diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 1abc715..16c6022 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.florian.production; | 4 | cfg = config.myServices.websites.florian.production; |
5 | varDir = "/var/lib/ftp/florian"; | 5 | varDir = "/var/lib/ftp/florian"; |
6 | env = config.myEnv.websites.florian; | 6 | env = config.myEnv.websites.florian; |
@@ -8,7 +8,7 @@ in { | |||
8 | options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; | 8 | options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; |
9 | 9 | ||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | security.acme2.certs."ftp".extraDomains."tellesflorian.com" = null; | 11 | security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; |
12 | 12 | ||
13 | services.websites.env.production.modules = adminer.apache.modules; | 13 | services.websites.env.production.modules = adminer.apache.modules; |
14 | services.websites.env.production.vhostConfs.florian = { | 14 | services.websites.env.production.vhostConfs.florian = { |
@@ -17,7 +17,7 @@ in { | |||
17 | hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; | 17 | hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; |
18 | root = "${varDir}/tellesflorian.com"; | 18 | root = "${varDir}/tellesflorian.com"; |
19 | extraConfig = [ | 19 | extraConfig = [ |
20 | adminer.apache.vhostConf | 20 | (adminer.apache.vhostConf null) |
21 | '' | 21 | '' |
22 | ServerAdmin ${env.server_admin} | 22 | ServerAdmin ${env.server_admin} |
23 | 23 | ||
diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix index a2a087c..fb6eda9 100644 --- a/modules/private/websites/isabelle/aten_integration.nix +++ b/modules/private/websites/isabelle/aten_integration.nix | |||
@@ -23,15 +23,17 @@ in { | |||
23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" |
24 | ]; | 24 | ]; |
25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
26 | phpPool = '' | 26 | phpPool = { |
27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
30 | pm = ondemand | 30 | "pm" = "ondemand"; |
31 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
32 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
33 | env[SYMFONY_DEBUG_MODE] = "yes" | 33 | }; |
34 | ''; | 34 | phpEnv = { |
35 | SYMFONY_DEBUG_MODE = "yes"; | ||
36 | }; | ||
35 | }; | 37 | }; |
36 | 38 | ||
37 | secrets.keys = [{ | 39 | secrets.keys = [{ |
diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index 8e33f0f..cf7e4a2 100644 --- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix | |||
@@ -24,16 +24,16 @@ in { | |||
24 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | pm = dynamic | 31 | "pm" = "dynamic"; |
32 | pm.max_children = 20 | 32 | "pm.max_children" = "20"; |
33 | pm.start_servers = 2 | 33 | "pm.start_servers" = "2"; |
34 | pm.min_spare_servers = 1 | 34 | "pm.min_spare_servers" = "1"; |
35 | pm.max_spare_servers = 3 | 35 | "pm.max_spare_servers" = "3"; |
36 | ''; | 36 | }; |
37 | }; | 37 | }; |
38 | 38 | ||
39 | secrets.keys = [{ | 39 | secrets.keys = [{ |
diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index 460bd2a..ffbf259 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix | |||
@@ -19,8 +19,9 @@ in { | |||
19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; | 19 | systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; |
20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; | 20 | systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; |
21 | services.phpfpm.pools.iridologie = { | 21 | services.phpfpm.pools.iridologie = { |
22 | listen = iridologie.phpFpm.socket; | 22 | user = config.services.httpd.Prod.user; |
23 | extraConfig = iridologie.phpFpm.pool; | 23 | group = config.services.httpd.Prod.group; |
24 | settings = iridologie.phpFpm.pool; | ||
24 | phpOptions = config.services.phpfpm.phpOptions + '' | 25 | phpOptions = config.services.phpfpm.phpOptions + '' |
25 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
26 | ''; | 27 | ''; |
@@ -39,7 +40,7 @@ in { | |||
39 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] | 40 | RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] |
40 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] | 41 | RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] |
41 | '' | 42 | '' |
42 | iridologie.apache.vhostConf | 43 | (iridologie.apache.vhostConf config.services.phpfpm.pools.iridologie.socket) |
43 | ]; | 44 | ]; |
44 | }; | 45 | }; |
45 | services.websites.env.production.watchPaths = [ | 46 | services.websites.env.production.watchPaths = [ |
diff --git a/modules/private/websites/isabelle/spip_builder.nix b/modules/private/websites/isabelle/spip_builder.nix index 2ab5394..e1130d1 100644 --- a/modules/private/websites/isabelle/spip_builder.nix +++ b/modules/private/websites/isabelle/spip_builder.nix | |||
@@ -3,28 +3,25 @@ rec { | |||
3 | app = iridologie.override { inherit (config) environment; }; | 3 | app = iridologie.override { inherit (config) environment; }; |
4 | phpFpm = rec { | 4 | phpFpm = rec { |
5 | serviceDeps = [ "mysql.service" ]; | 5 | serviceDeps = [ "mysql.service" ]; |
6 | socket = "/var/run/phpfpm/iridologie-${app.environment}.sock"; | 6 | pool = { |
7 | pool = '' | 7 | "listen.owner" = "${apacheUser}"; |
8 | user = ${apacheUser} | 8 | "listen.group" = "${apacheGroup}"; |
9 | group = ${apacheGroup} | 9 | "php_admin_value[upload_max_filesize]" = "20M"; |
10 | listen.owner = ${apacheUser} | 10 | "php_admin_value[post_max_size]" = "20M"; |
11 | listen.group = ${apacheGroup} | 11 | #"php_admin_flag[log_errors]" = "on"; |
12 | php_admin_value[upload_max_filesize] = 20M | 12 | "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; |
13 | php_admin_value[post_max_size] = 20M | 13 | "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; |
14 | ;php_admin_flag[log_errors] = on | 14 | } // (if app.environment == "dev" then { |
15 | php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" | 15 | "pm" = "ondemand"; |
16 | php_admin_value[session.save_path] = "${app.varDir}/phpSessions" | 16 | "pm.max_children" = "5"; |
17 | ${if app.environment == "dev" then '' | 17 | "pm.process_idle_timeout" = "60"; |
18 | pm = ondemand | 18 | } else { |
19 | pm.max_children = 5 | 19 | "pm" = "dynamic"; |
20 | pm.process_idle_timeout = 60 | 20 | "pm.max_children" = "20"; |
21 | '' else '' | 21 | "pm.start_servers" = "2"; |
22 | pm = dynamic | 22 | "pm.min_spare_servers" = "1"; |
23 | pm.max_children = 20 | 23 | "pm.max_spare_servers" = "3"; |
24 | pm.start_servers = 2 | 24 | }); |
25 | pm.min_spare_servers = 1 | ||
26 | pm.max_spare_servers = 3 | ||
27 | ''}''; | ||
28 | }; | 25 | }; |
29 | keys = [{ | 26 | keys = [{ |
30 | dest = "webapps/${app.environment}-iridologie"; | 27 | dest = "webapps/${app.environment}-iridologie"; |
@@ -51,13 +48,13 @@ rec { | |||
51 | modules = [ "proxy_fcgi" ]; | 48 | modules = [ "proxy_fcgi" ]; |
52 | webappName = "iridologie_${app.environment}"; | 49 | webappName = "iridologie_${app.environment}"; |
53 | root = "/run/current-system/webapps/${webappName}"; | 50 | root = "/run/current-system/webapps/${webappName}"; |
54 | vhostConf = '' | 51 | vhostConf = socket: '' |
55 | Include /var/secrets/webapps/${app.environment}-iridologie | 52 | Include /var/secrets/webapps/${app.environment}-iridologie |
56 | 53 | ||
57 | RewriteEngine On | 54 | RewriteEngine On |
58 | 55 | ||
59 | <FilesMatch "\.php$"> | 56 | <FilesMatch "\.php$"> |
60 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 57 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
61 | </FilesMatch> | 58 | </FilesMatch> |
62 | 59 | ||
63 | <Directory ${root}> | 60 | <Directory ${root}> |
diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix index e8591c8..3b289cf 100644 --- a/modules/private/websites/leila/production.nix +++ b/modules/private/websites/leila/production.nix | |||
@@ -7,19 +7,18 @@ in { | |||
7 | 7 | ||
8 | config = lib.mkIf cfg.enable { | 8 | config = lib.mkIf cfg.enable { |
9 | services.phpfpm.pools.leila = { | 9 | services.phpfpm.pools.leila = { |
10 | listen = "/run/phpfpm/leila.sock"; | 10 | user = "wwwrun"; |
11 | extraConfig = '' | 11 | group = "wwwrun"; |
12 | user = wwwrun | 12 | settings = { |
13 | group = wwwrun | 13 | "listen.owner" = "wwwrun"; |
14 | listen.owner = wwwrun | 14 | "listen.group" = "wwwrun"; |
15 | listen.group = wwwrun | ||
16 | 15 | ||
17 | pm = ondemand | 16 | "pm" = "ondemand"; |
18 | pm.max_children = 5 | 17 | "pm.max_children" = "5"; |
19 | pm.process_idle_timeout = 60 | 18 | "pm.process_idle_timeout" = "60"; |
20 | 19 | ||
21 | php_admin_value[open_basedir] = "${varDir}:/tmp" | 20 | "php_admin_value[open_basedir]" = "${varDir}:/tmp"; |
22 | ''; | 21 | }; |
23 | }; | 22 | }; |
24 | 23 | ||
25 | services.webstats.sites = [ | 24 | services.webstats.sites = [ |
@@ -46,7 +45,7 @@ in { | |||
46 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu | 45 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu |
47 | 46 | ||
48 | <FilesMatch "\.php$"> | 47 | <FilesMatch "\.php$"> |
49 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 48 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
50 | </FilesMatch> | 49 | </FilesMatch> |
51 | </Directory> | 50 | </Directory> |
52 | '' | 51 | '' |
@@ -66,7 +65,7 @@ in { | |||
66 | AllowOverride None | 65 | AllowOverride None |
67 | 66 | ||
68 | <FilesMatch "\.php$"> | 67 | <FilesMatch "\.php$"> |
69 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 68 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
70 | </FilesMatch> | 69 | </FilesMatch> |
71 | </Directory> | 70 | </Directory> |
72 | '' | 71 | '' |
@@ -89,7 +88,7 @@ in { | |||
89 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu | 88 | Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu |
90 | 89 | ||
91 | <FilesMatch "\.php$"> | 90 | <FilesMatch "\.php$"> |
92 | SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" | 91 | SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" |
93 | </FilesMatch> | 92 | </FilesMatch> |
94 | </Directory> | 93 | </Directory> |
95 | <Directory ${varDir}> | 94 | <Directory ${varDir}> |
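Review bot: The socket path `config.services.phpfpm.pools.leila.socket` is spelled out verbatim in all three SetHandler lines (new lines 48, 68 and 91); binding it once in the file's `let` (`socket = config.services.phpfpm.pools.leila.socket;`) and interpolating `${socket}` keeps the vhost and the pool from drifting apart if the pool is ever renamed, and the same repetition appears in papa/maison_bbc.nix (new lines 43 and 66). Dropping the explicit `listen = "/run/phpfpm/leila.sock"` also moves the on-disk socket to whatever path the phpfpm module computes, so anything outside this file that still hard-codes the old path would silently stop connecting; I cannot see such callers from here, so this is worth a repository-wide search before merging. The `let` block the binding would go into starts outside the hunk.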
diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix index 1cbfd12..d304fdf 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivinecassal/integration.nix | |||
@@ -23,15 +23,17 @@ in { | |||
23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
24 | ]; | 24 | ]; |
25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
26 | phpPool = '' | 26 | phpPool = { |
27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
30 | pm = ondemand | 30 | "pm" = "ondemand"; |
31 | pm.max_children = 5 | 31 | "pm.max_children" = "5"; |
32 | pm.process_idle_timeout = 60 | 32 | "pm.process_idle_timeout" = "60"; |
33 | env[SYMFONY_DEBUG_MODE] = "yes" | 33 | }; |
34 | ''; | 34 | phpEnv = { |
35 | SYMFONY_DEBUG_MODE = "yes"; | ||
36 | }; | ||
35 | phpWatchFiles = [ | 37 | phpWatchFiles = [ |
36 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" | 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" |
37 | ]; | 39 | ]; |
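Review bot: The `;php_admin_flag[log_errors] = on` line survives the conversion only as the dead Nix comment `#"php_admin_flag[log_errors]" = "on";` (new line 29), so PHP error logging for this pool is still left to the php.ini default without saying why; either delete the line or turn it into a why-comment such as `# log_errors deliberately left at the php.ini default: <reason>`. The same carried-over comment is at new line 30 of ludivinecassal/production.nix, new line 29 of piedsjaloux/integration.nix and new line 30 of piedsjaloux/production.nix. Moving `SYMFONY_DEBUG_MODE` out of the pool string into `phpEnv` (new lines 34-36) presumes that the consumer of these options emits `phpEnv` as `env[...]` entries of the pool; that consumer is outside this hunk, so confirm the variable still reaches the workers in the integration environment.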
diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix index 7cf00f0..5761be7 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivinecassal/production.nix | |||
@@ -24,16 +24,16 @@ in { | |||
24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | pm = dynamic | 31 | "pm" = "dynamic"; |
32 | pm.max_children = 20 | 32 | "pm.max_children" = "20"; |
33 | pm.start_servers = 2 | 33 | "pm.start_servers" = "2"; |
34 | pm.min_spare_servers = 1 | 34 | "pm.min_spare_servers" = "1"; |
35 | pm.max_spare_servers = 3 | 35 | "pm.max_spare_servers" = "3"; |
36 | ''; | 36 | }; |
37 | phpWatchFiles = [ | 37 | phpWatchFiles = [ |
38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" | 38 | config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" |
39 | ]; | 39 | ]; |
diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index 293519f..f9468f9 100644 --- a/modules/private/websites/nassime/production.nix +++ b/modules/private/websites/nassime/production.nix | |||
@@ -9,7 +9,7 @@ in { | |||
9 | config = lib.mkIf cfg.enable { | 9 | config = lib.mkIf cfg.enable { |
10 | services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; | 10 | services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; |
11 | 11 | ||
12 | security.acme2.certs."ftp".extraDomains."nassime.bouya.org" = null; | 12 | security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; |
13 | 13 | ||
14 | services.websites.env.production.vhostConfs.nassime = { | 14 | services.websites.env.production.vhostConfs.nassime = { |
15 | certName = "nassime"; | 15 | certName = "nassime"; |
diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix index a276c47..1e79141 100644 --- a/modules/private/websites/naturaloutil/production.nix +++ b/modules/private/websites/naturaloutil/production.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.naturaloutil.production; | 4 | cfg = config.myServices.websites.naturaloutil.production; |
5 | varDir = "/var/lib/ftp/jerome"; | 5 | varDir = "/var/lib/ftp/jerome"; |
6 | env = config.myEnv.websites.jerome; | 6 | env = config.myEnv.websites.jerome; |
@@ -10,7 +10,7 @@ in { | |||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; | 11 | services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; |
12 | 12 | ||
13 | security.acme2.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; | 13 | security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; |
14 | 14 | ||
15 | secrets.keys = [{ | 15 | secrets.keys = [{ |
16 | dest = "webapps/prod-naturaloutil"; | 16 | dest = "webapps/prod-naturaloutil"; |
@@ -42,21 +42,22 @@ in { | |||
42 | systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; | 42 | systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; |
43 | systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; | 43 | systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; |
44 | services.phpfpm.pools.jerome = { | 44 | services.phpfpm.pools.jerome = { |
45 | listen = "/run/phpfpm/naturaloutil.sock"; | 45 | user = "wwwrun"; |
46 | extraConfig = '' | 46 | group = "wwwrun"; |
47 | user = wwwrun | 47 | settings = { |
48 | group = wwwrun | 48 | "listen.owner" = "wwwrun"; |
49 | listen.owner = wwwrun | 49 | "listen.group" = "wwwrun"; |
50 | listen.group = wwwrun | ||
51 | 50 | ||
52 | pm = ondemand | 51 | "pm" = "ondemand"; |
53 | pm.max_children = 5 | 52 | "pm.max_children" = "5"; |
54 | pm.process_idle_timeout = 60 | 53 | "pm.process_idle_timeout" = "60"; |
55 | 54 | ||
56 | env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil" | 55 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"; |
57 | php_admin_value[open_basedir] = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp" | 56 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/naturaloutil"; |
58 | php_admin_value[session.save_path] = "/var/lib/php/sessions/naturaloutil" | 57 | }; |
59 | ''; | 58 | phpEnv = { |
59 | BDD_CONNECT = "/var/secrets/webapps/prod-naturaloutil"; | ||
60 | }; | ||
60 | phpOptions = config.services.phpfpm.phpOptions + '' | 61 | phpOptions = config.services.phpfpm.phpOptions + '' |
61 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 62 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
62 | ''; | 63 | ''; |
@@ -68,7 +69,7 @@ in { | |||
68 | hosts = ["naturaloutil.immae.eu" ]; | 69 | hosts = ["naturaloutil.immae.eu" ]; |
69 | root = varDir; | 70 | root = varDir; |
70 | extraConfig = [ | 71 | extraConfig = [ |
71 | adminer.apache.vhostConf | 72 | (adminer.apache.vhostConf null) |
72 | '' | 73 | '' |
73 | Use Stats naturaloutil.immae.eu | 74 | Use Stats naturaloutil.immae.eu |
74 | ServerAdmin ${env.server_admin} | 75 | ServerAdmin ${env.server_admin} |
@@ -76,7 +77,7 @@ in { | |||
76 | CustomLog "${varDir}/logs/access_log" combined | 77 | CustomLog "${varDir}/logs/access_log" combined |
77 | 78 | ||
78 | <FilesMatch "\.php$"> | 79 | <FilesMatch "\.php$"> |
79 | SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost" | 80 | SetHandler "proxy:unix:${config.services.phpfpm.pools.jerome.socket}|fcgi://localhost" |
80 | </FilesMatch> | 81 | </FilesMatch> |
81 | 82 | ||
82 | <Directory ${varDir}/logs> | 83 | <Directory ${varDir}/logs> |
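Review bot: `(adminer.apache.vhostConf null)` at new line 72 passes `null` where the other `vhostConf` functions in this commit (davical, mantisbt, iridologie) take a php-fpm socket path and interpolate it as `${socket}`; interpolating `null` is an evaluation error in Nix, so this relies on adminer.nix (now called with `inherit config`, new line 3) treating `null` as "resolve the adminer pool's own socket", and that file is outside my view. Please confirm that is what it does and add a short comment at the call site, e.g. `# null: adminer resolves its own php-fpm socket from config`. The same `null` call appears in teliotortay/production.nix (new line 50) and tools/db/default.nix (new line 18).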
diff --git a/modules/private/websites/papa/maison_bbc.nix b/modules/private/websites/papa/maison_bbc.nix index eb61b6d..11e7937 100644 --- a/modules/private/websites/papa/maison_bbc.nix +++ b/modules/private/websites/papa/maison_bbc.nix | |||
@@ -9,19 +9,18 @@ in { | |||
9 | services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; | 9 | services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; |
10 | services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; | 10 | services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; |
11 | services.phpfpm.pools.papa_maison_bbc = { | 11 | services.phpfpm.pools.papa_maison_bbc = { |
12 | listen = "/run/phpfpm/papa_maison_bbc.sock"; | 12 | user = "wwwrun"; |
13 | extraConfig = '' | 13 | group = "wwwrun"; |
14 | user = wwwrun | 14 | settings = { |
15 | group = wwwrun | 15 | "listen.owner" = "wwwrun"; |
16 | listen.owner = wwwrun | 16 | "listen.group" = "wwwrun"; |
17 | listen.group = wwwrun | ||
18 | 17 | ||
19 | pm = ondemand | 18 | "pm" = "ondemand"; |
20 | pm.max_children = 5 | 19 | "pm.max_children" = "5"; |
21 | pm.process_idle_timeout = 60 | 20 | "pm.process_idle_timeout" = "60"; |
22 | 21 | ||
23 | php_admin_value[open_basedir] = "${varDir}" | 22 | "php_admin_value[open_basedir]" = varDir; |
24 | ''; | 23 | }; |
25 | phpOptions = config.services.phpfpm.phpOptions + '' | 24 | phpOptions = config.services.phpfpm.phpOptions + '' |
26 | date.timezone = 'Europe/Paris' | 25 | date.timezone = 'Europe/Paris' |
27 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 26 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
@@ -34,17 +33,17 @@ in { | |||
34 | root = varDir; | 33 | root = varDir; |
35 | extraConfig = [ | 34 | extraConfig = [ |
36 | '' | 35 | '' |
37 | Alias /.well-known/acme-challenge ${config.security.acme2.certs.papa.webroot}/.well-known/acme-challenge | 36 | Alias /.well-known/acme-challenge ${config.security.acme.certs.papa.webroot}/.well-known/acme-challenge |
38 | RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 | 37 | RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 |
39 | <Directory ${varDir}> | 38 | <Directory ${varDir}> |
40 | DirectoryIndex index.php index.htm index.html | 39 | DirectoryIndex index.php index.htm index.html |
41 | AllowOverride None | 40 | AllowOverride None |
42 | Require all granted | 41 | Require all granted |
43 | <FilesMatch "\.php$"> | 42 | <FilesMatch "\.php$"> |
44 | SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" | 43 | SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" |
45 | </FilesMatch> | 44 | </FilesMatch> |
46 | </Directory> | 45 | </Directory> |
47 | <Directory "${config.security.acme2.certs.papa.webroot}"> | 46 | <Directory "${config.security.acme.certs.papa.webroot}"> |
48 | Options Indexes FollowSymLinks | 47 | Options Indexes FollowSymLinks |
49 | AllowOverride None | 48 | AllowOverride None |
50 | Require all granted | 49 | Require all granted |
@@ -64,7 +63,7 @@ in { | |||
64 | AllowOverride None | 63 | AllowOverride None |
65 | Require all granted | 64 | Require all granted |
66 | <FilesMatch "\.php$"> | 65 | <FilesMatch "\.php$"> |
67 | SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" | 66 | SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" |
68 | </FilesMatch> | 67 | </FilesMatch> |
69 | </Directory> | 68 | </Directory> |
70 | '' | 69 | '' |
diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix index f6e1772..1bb6ac8 100644 --- a/modules/private/websites/papa/surveillance.nix +++ b/modules/private/websites/papa/surveillance.nix | |||
@@ -6,7 +6,7 @@ in { | |||
6 | options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; | 6 | options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; |
7 | 7 | ||
8 | config = lib.mkIf cfg.enable { | 8 | config = lib.mkIf cfg.enable { |
9 | security.acme2.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; | 9 | security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; |
10 | 10 | ||
11 | services.cron = { | 11 | services.cron = { |
12 | systemCronJobs = let | 12 | systemCronJobs = let |
diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 5907bc8..76523ed 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix | |||
@@ -23,16 +23,18 @@ in { | |||
23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 23 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
24 | ]; | 24 | ]; |
25 | phpOpenbasedir = [ "/tmp" ]; | 25 | phpOpenbasedir = [ "/tmp" ]; |
26 | phpPool = '' | 26 | phpPool = { |
27 | php_admin_value[upload_max_filesize] = 20M | 27 | "php_admin_value[upload_max_filesize]" = "20M"; |
28 | php_admin_value[post_max_size] = 20M | 28 | "php_admin_value[post_max_size]" = "20M"; |
29 | ;php_admin_flag[log_errors] = on | 29 | #"php_admin_flag[log_errors]" = "on"; |
30 | env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} | 30 | "pm" = "ondemand"; |
31 | pm = ondemand | 31 | "pm.max_children" = "5"; |
32 | pm.max_children = 5 | 32 | "pm.process_idle_timeout" = "60"; |
33 | pm.process_idle_timeout = 60 | 33 | }; |
34 | env[SYMFONY_DEBUG_MODE] = "yes" | 34 | phpEnv = { |
35 | ''; | 35 | PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; |
36 | SYMFONY_DEBUG_MODE = "yes"; | ||
37 | }; | ||
36 | phpWatchFiles = [ | 38 | phpWatchFiles = [ |
37 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" | 39 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" |
38 | ]; | 40 | ]; |
diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index e4e29c7..d3e5c2b 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix | |||
@@ -24,17 +24,19 @@ in { | |||
24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" | 24 | "./bin/console --env=${app.environment} cache:clear --no-warmup" |
25 | ]; | 25 | ]; |
26 | phpOpenbasedir = [ "/tmp" ]; | 26 | phpOpenbasedir = [ "/tmp" ]; |
27 | phpPool = '' | 27 | phpPool = { |
28 | php_admin_value[upload_max_filesize] = 20M | 28 | "php_admin_value[upload_max_filesize]" = "20M"; |
29 | php_admin_value[post_max_size] = 20M | 29 | "php_admin_value[post_max_size]" = "20M"; |
30 | ;php_admin_flag[log_errors] = on | 30 | #"php_admin_flag[log_errors]" = "on"; |
31 | env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} | 31 | "pm" = "dynamic"; |
32 | pm = dynamic | 32 | "pm.max_children" = "20"; |
33 | pm.max_children = 20 | 33 | "pm.start_servers" = "2"; |
34 | pm.start_servers = 2 | 34 | "pm.min_spare_servers" = "1"; |
35 | pm.min_spare_servers = 1 | 35 | "pm.max_spare_servers" = "3"; |
36 | pm.max_spare_servers = 3 | 36 | }; |
37 | ''; | 37 | phpEnv = { |
38 | PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; | ||
39 | }; | ||
38 | phpWatchFiles = [ | 40 | phpWatchFiles = [ |
39 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" | 41 | config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" |
40 | ]; | 42 | ]; |
diff --git a/modules/private/websites/teliotortay/production.nix b/modules/private/websites/teliotortay/production.nix index 2c62d10..62762ec 100644 --- a/modules/private/websites/teliotortay/production.nix +++ b/modules/private/websites/teliotortay/production.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; |
4 | cfg = config.myServices.websites.telioTortay.production; | 4 | cfg = config.myServices.websites.telioTortay.production; |
5 | varDir = "/var/lib/ftp/telio_tortay"; | 5 | varDir = "/var/lib/ftp/telio_tortay"; |
6 | env = config.myEnv.websites.telioTortay; | 6 | env = config.myEnv.websites.telioTortay; |
@@ -10,7 +10,7 @@ in { | |||
10 | config = lib.mkIf cfg.enable { | 10 | config = lib.mkIf cfg.enable { |
11 | services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; | 11 | services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; |
12 | 12 | ||
13 | security.acme2.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; | 13 | security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; |
14 | 14 | ||
15 | system.activationScripts.telio-tortay = { | 15 | system.activationScripts.telio-tortay = { |
16 | deps = [ "httpd" ]; | 16 | deps = [ "httpd" ]; |
@@ -22,20 +22,19 @@ in { | |||
22 | systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; | 22 | systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; |
23 | systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; | 23 | systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; |
24 | services.phpfpm.pools.telio-tortay = { | 24 | services.phpfpm.pools.telio-tortay = { |
25 | listen = "/run/phpfpm/telio-tortay.sock"; | 25 | user = "wwwrun"; |
26 | extraConfig = '' | 26 | group = "wwwrun"; |
27 | user = wwwrun | 27 | settings = { |
28 | group = wwwrun | 28 | "listen.owner" = "wwwrun"; |
29 | listen.owner = wwwrun | 29 | "listen.group" = "wwwrun"; |
30 | listen.group = wwwrun | ||
31 | 30 | ||
32 | pm = ondemand | 31 | "pm" = "ondemand"; |
33 | pm.max_children = 5 | 32 | "pm.max_children" = "5"; |
34 | pm.process_idle_timeout = 60 | 33 | "pm.process_idle_timeout" = "60"; |
35 | 34 | ||
36 | php_admin_value[open_basedir] = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp" | 35 | "php_admin_value[open_basedir]" = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp"; |
37 | php_admin_value[session.save_path] = "/var/lib/php/sessions/telio-tortay" | 36 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/telio-tortay"; |
38 | ''; | 37 | }; |
39 | phpOptions = config.services.phpfpm.phpOptions + '' | 38 | phpOptions = config.services.phpfpm.phpOptions + '' |
40 | disable_functions = "mail" | 39 | disable_functions = "mail" |
41 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 40 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
@@ -48,7 +47,7 @@ in { | |||
48 | hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; | 47 | hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; |
49 | root = varDir; | 48 | root = varDir; |
50 | extraConfig = [ | 49 | extraConfig = [ |
51 | adminer.apache.vhostConf | 50 | (adminer.apache.vhostConf null) |
52 | '' | 51 | '' |
53 | Use Stats telio-tortay.immae.eu | 52 | Use Stats telio-tortay.immae.eu |
54 | ServerAdmin ${env.server_admin} | 53 | ServerAdmin ${env.server_admin} |
@@ -56,7 +55,7 @@ in { | |||
56 | CustomLog "${varDir}/logs/access_log" combined | 55 | CustomLog "${varDir}/logs/access_log" combined |
57 | 56 | ||
58 | <FilesMatch "\.php$"> | 57 | <FilesMatch "\.php$"> |
59 | SetHandler "proxy:unix:/run/phpfpm/telio-tortay.sock|fcgi://localhost" | 58 | SetHandler "proxy:unix:${config.services.phpfpm.pools.telio-tortay.socket}|fcgi://localhost" |
60 | </FilesMatch> | 59 | </FilesMatch> |
61 | 60 | ||
62 | <Directory ${varDir}/logs> | 61 | <Directory ${varDir}/logs> |
diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix index 4785074..b9bb32f 100644 --- a/modules/private/websites/tools/cloud/default.nix +++ b/modules/private/websites/tools/cloud/default.nix | |||
@@ -10,37 +10,34 @@ let | |||
10 | basedir = builtins.concatStringsSep ":" ( | 10 | basedir = builtins.concatStringsSep ":" ( |
11 | [ nextcloud varDir ] | 11 | [ nextcloud varDir ] |
12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); | 12 | ++ builtins.attrValues pkgs.webapps.nextcloud-apps); |
13 | socket = "/var/run/phpfpm/nextcloud.sock"; | ||
14 | phpConfig = '' | 13 | phpConfig = '' |
15 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | 14 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so |
16 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so | 15 | extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so |
17 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | 16 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so |
18 | ''; | 17 | ''; |
19 | pool = '' | 18 | pool = { |
20 | user = wwwrun | 19 | "listen.owner" = "wwwrun"; |
21 | group = wwwrun | 20 | "listen.group" = "wwwrun"; |
22 | listen.owner = wwwrun | 21 | "pm" = "ondemand"; |
23 | listen.group = wwwrun | 22 | "pm.max_children" = "60"; |
24 | pm = ondemand | 23 | "pm.process_idle_timeout" = "60"; |
25 | pm.max_children = 60 | ||
26 | pm.process_idle_timeout = 60 | ||
27 | 24 | ||
28 | php_admin_value[output_buffering] = 0 | 25 | "php_admin_value[output_buffering]" = "0"; |
29 | php_admin_value[max_execution_time] = 1800 | 26 | "php_admin_value[max_execution_time]" = "1800"; |
30 | php_admin_value[zend_extension] = "opcache" | 27 | "php_admin_value[zend_extension]" = "opcache"; |
31 | ;already enabled by default? | 28 | #already enabled by default? |
32 | ;php_value[opcache.enable] = 1 | 29 | #"php_value[opcache.enable]" = "1"; |
33 | php_value[opcache.enable_cli] = 1 | 30 | "php_value[opcache.enable_cli]" = "1"; |
34 | php_value[opcache.interned_strings_buffer] = 8 | 31 | "php_value[opcache.interned_strings_buffer]" = "8"; |
35 | php_value[opcache.max_accelerated_files] = 10000 | 32 | "php_value[opcache.max_accelerated_files]" = "10000"; |
36 | php_value[opcache.memory_consumption] = 128 | 33 | "php_value[opcache.memory_consumption]" = "128"; |
37 | php_value[opcache.save_comments] = 1 | 34 | "php_value[opcache.save_comments]" = "1"; |
38 | php_value[opcache.revalidate_freq] = 1 | 35 | "php_value[opcache.revalidate_freq]" = "1"; |
39 | php_admin_value[memory_limit] = 512M | 36 | "php_admin_value[memory_limit]" = "512M"; |
40 | 37 | ||
41 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" | 38 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"; |
42 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 39 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
43 | ''; | 40 | }; |
44 | }; | 41 | }; |
45 | in { | 42 | in { |
46 | options.myServices.websites.tools.cloud = { | 43 | options.myServices.websites.tools.cloud = { |
@@ -71,7 +68,7 @@ in { | |||
71 | </IfModule> | 68 | </IfModule> |
72 | <FilesMatch "\.php$"> | 69 | <FilesMatch "\.php$"> |
73 | CGIPassAuth on | 70 | CGIPassAuth on |
74 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 71 | SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost" |
75 | </FilesMatch> | 72 | </FilesMatch> |
76 | 73 | ||
77 | </Directory> | 74 | </Directory> |
@@ -171,8 +168,9 @@ in { | |||
171 | ''; | 168 | ''; |
172 | 169 | ||
173 | services.phpfpm.pools.nextcloud = { | 170 | services.phpfpm.pools.nextcloud = { |
174 | listen = phpFpm.socket; | 171 | user = "wwwrun"; |
175 | extraConfig = phpFpm.pool; | 172 | group = "wwwrun"; |
173 | settings = phpFpm.pool; | ||
176 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; | 174 | phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; |
177 | }; | 175 | }; |
178 | 176 | ||
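Review bot: In the `phpFpm.pool` attrset (new lines 18-39) the `user`/`group` entries were dropped and reappear as pool options at new lines 171-172, while `listen.owner`/`listen.group` stay as the literal `"wwwrun"` at new lines 19-20; a reader of the `let` block now sees only half of the identity setup, so a comment there such as `# user/group are set on services.phpfpm.pools.nextcloud; only socket ownership lives here` would help. The four `"wwwrun"` literals (pool lines 19-20 and option lines 171-172) also encode the same assumption — that the httpd instance serving this vhost runs as wwwrun — in two places; tools/dav/default.nix and tools/git/default.nix derive it from `config.services.httpd.Tools.user` instead, and the same derivation may be appropriate here if nextcloud is served by that instance (I cannot tell from the hunk). The `let` block holding `phpFpm` starts outside the first hunk.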
diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index 5eb3fab..9d6cd21 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix | |||
@@ -73,7 +73,7 @@ rec { | |||
73 | modules = [ "proxy_fcgi" ]; | 73 | modules = [ "proxy_fcgi" ]; |
74 | webappName = "tools_davical"; | 74 | webappName = "tools_davical"; |
75 | root = "/run/current-system/webapps/${webappName}"; | 75 | root = "/run/current-system/webapps/${webappName}"; |
76 | vhostConf = '' | 76 | vhostConf = socket: '' |
77 | Alias /davical "${root}" | 77 | Alias /davical "${root}" |
78 | Alias /caldav.php "${root}/caldav.php" | 78 | Alias /caldav.php "${root}/caldav.php" |
79 | <Directory "${root}"> | 79 | <Directory "${root}"> |
@@ -84,7 +84,7 @@ rec { | |||
84 | 84 | ||
85 | <FilesMatch "\.php$"> | 85 | <FilesMatch "\.php$"> |
86 | CGIPassAuth on | 86 | CGIPassAuth on |
87 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 87 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
88 | </FilesMatch> | 88 | </FilesMatch> |
89 | 89 | ||
90 | RewriteEngine On | 90 | RewriteEngine On |
@@ -111,28 +111,25 @@ rec { | |||
111 | phpFpm = rec { | 111 | phpFpm = rec { |
112 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 112 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
113 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; | 113 | basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; |
114 | socket = "/var/run/phpfpm/davical.sock"; | 114 | pool = { |
115 | pool = '' | 115 | "listen.owner" = apache.user; |
116 | user = ${apache.user} | 116 | "listen.group" = apache.group; |
117 | group = ${apache.group} | 117 | "pm" = "dynamic"; |
118 | listen.owner = ${apache.user} | 118 | "pm.max_children" = "60"; |
119 | listen.group = ${apache.group} | 119 | "pm.start_servers" = "2"; |
120 | pm = dynamic | 120 | "pm.min_spare_servers" = "1"; |
121 | pm.max_children = 60 | 121 | "pm.max_spare_servers" = "10"; |
122 | pm.start_servers = 2 | ||
123 | pm.min_spare_servers = 1 | ||
124 | pm.max_spare_servers = 10 | ||
125 | 122 | ||
126 | ; Needed to avoid clashes in browser cookies (same domain) | 123 | # Needed to avoid clashes in browser cookies (same domain) |
127 | php_value[session.name] = DavicalPHPSESSID | 124 | "php_value[session.name]" = "DavicalPHPSESSID"; |
128 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical" | 125 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/davical"; |
129 | php_admin_value[include_path] = "${awl}/inc:${webapp}/inc" | 126 | "php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc"; |
130 | php_admin_value[session.save_path] = "/var/lib/php/sessions/davical" | 127 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/davical"; |
131 | php_flag[magic_quotes_gpc] = Off | 128 | "php_flag[magic_quotes_gpc]" = "Off"; |
132 | php_flag[register_globals] = Off | 129 | "php_flag[register_globals]" = "Off"; |
133 | php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE" | 130 | "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE"; |
134 | php_admin_value[default_charset] = "utf-8" | 131 | "php_admin_value[default_charset]" = "utf-8"; |
135 | php_flag[magic_quotes_runtime] = Off | 132 | "php_flag[magic_quotes_runtime]" = "Off"; |
136 | ''; | 133 | }; |
137 | }; | 134 | }; |
138 | } | 135 | } |
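Review bot: `vhostConf = socket: ''` (new line 76) turns the vhost snippet into a function without documenting its argument; a one-line comment above it such as `# socket: unix socket path of the php-fpm pool this vhost proxies to (passed from tools/dav/default.nix)` would tell the next caller what to pass, and the same applies to `vhostConf = socket:` in tools/git/mantisbt.nix (new line 56). In the pool attrset, `listen.owner`/`listen.group` come from `apache.user`/`apache.group` (new lines 115-116) while tools/dav/default.nix sets the pool's `user`/`group` from `config.services.httpd.Tools.user`/`.group` (new lines 47-48); the socket owner has to match the httpd user that connects to it, so if `apache.user` is not defined as that same value (its definition is outside the hunk) the proxy would fail on the socket permission — consider sourcing both from one place. The `php_flag[magic_quotes_gpc]`, `php_flag[register_globals]` and `php_flag[magic_quotes_runtime]` entries (new lines 128, 129 and 132) are carried over unchanged although these directives were removed in PHP 5.4 and no longer do anything; a comment saying why they are kept, or their deletion, would stop the next reader from trying to reason about them.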
diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix index 0012965..30a562c 100644 --- a/modules/private/websites/tools/dav/default.nix +++ b/modules/private/websites/tools/dav/default.nix | |||
@@ -38,14 +38,15 @@ in { | |||
38 | root = "/run/current-system/webapps/_dav"; | 38 | root = "/run/current-system/webapps/_dav"; |
39 | extraConfig = [ | 39 | extraConfig = [ |
40 | infcloud.vhostConf | 40 | infcloud.vhostConf |
41 | davical.apache.vhostConf | 41 | (davical.apache.vhostConf config.services.phpfpm.pools.davical.socket) |
42 | ]; | 42 | ]; |
43 | }; | 43 | }; |
44 | 44 | ||
45 | services.phpfpm.pools = { | 45 | services.phpfpm.pools = { |
46 | davical = { | 46 | davical = { |
47 | listen = davical.phpFpm.socket; | 47 | user = config.services.httpd.Tools.user; |
48 | extraConfig = davical.phpFpm.pool; | 48 | group = config.services.httpd.Tools.group; |
49 | settings = davical.phpFpm.pool; | ||
49 | }; | 50 | }; |
50 | }; | 51 | }; |
51 | 52 | ||
diff --git a/modules/private/websites/tools/db/default.nix b/modules/private/websites/tools/db/default.nix index 60592e5..fc8d989 100644 --- a/modules/private/websites/tools/db/default.nix +++ b/modules/private/websites/tools/db/default.nix | |||
@@ -1,6 +1,6 @@ | |||
1 | { lib, pkgs, config, ... }: | 1 | { lib, pkgs, config, ... }: |
2 | let | 2 | let |
3 | adminer = pkgs.callPackage ../../commons/adminer.nix {}; | 3 | adminer = pkgs.callPackage ../../commons/adminer.nix { inherit config; }; |
4 | 4 | ||
5 | cfg = config.myServices.websites.tools.db; | 5 | cfg = config.myServices.websites.tools.db; |
6 | in { | 6 | in { |
@@ -15,7 +15,7 @@ in { | |||
15 | addToCerts = true; | 15 | addToCerts = true; |
16 | hosts = ["db-1.immae.eu" ]; | 16 | hosts = ["db-1.immae.eu" ]; |
17 | root = null; | 17 | root = null; |
18 | extraConfig = [ adminer.apache.vhostConf ]; | 18 | extraConfig = [ (adminer.apache.vhostConf null) ]; |
19 | }; | 19 | }; |
20 | }; | 20 | }; |
21 | } | 21 | } |
diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix index 054e47b..56e4401 100644 --- a/modules/private/websites/tools/git/default.nix +++ b/modules/private/websites/tools/git/default.nix | |||
@@ -30,7 +30,7 @@ in { | |||
30 | root = gitweb.apache.root; | 30 | root = gitweb.apache.root; |
31 | extraConfig = [ | 31 | extraConfig = [ |
32 | gitweb.apache.vhostConf | 32 | gitweb.apache.vhostConf |
33 | mantisbt.apache.vhostConf | 33 | (mantisbt.apache.vhostConf config.services.phpfpm.pools.mantisbt.socket) |
34 | '' | 34 | '' |
35 | RewriteEngine on | 35 | RewriteEngine on |
36 | RewriteCond %{REQUEST_URI} ^/releases | 36 | RewriteCond %{REQUEST_URI} ^/releases |
@@ -40,8 +40,9 @@ in { | |||
40 | }; | 40 | }; |
41 | services.phpfpm.pools = { | 41 | services.phpfpm.pools = { |
42 | mantisbt = { | 42 | mantisbt = { |
43 | listen = mantisbt.phpFpm.socket; | 43 | user = config.services.httpd.Tools.user; |
44 | extraConfig = mantisbt.phpFpm.pool; | 44 | group = config.services.httpd.Tools.group; |
45 | settings = mantisbt.phpFpm.pool; | ||
45 | }; | 46 | }; |
46 | }; | 47 | }; |
47 | }; | 48 | }; |
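Review bot: In the `mantisbt` pool (new lines 43–45) the worker identity comes from `config.services.httpd.Tools.user`, while `listen.owner`/`listen.group` arrive through `mantisbt.phpFpm.pool`, which mantisbt.nix fills from its own `apache.user`/`apache.group` (presumably the `apache` block of that file's `rec`). The two are now sourced from different places; if they ever diverge, httpd is no longer the socket owner and every PHP request under /mantisbt fails — a closed failure, but a confusing one to debug. Consider deriving both from one source, e.g. `user = mantisbt.apache.user;` and `group = mantisbt.apache.group;`, or passing the httpd user into mantisbt.nix, so the socket ACL and the server identity cannot drift apart.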
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index d75b022..50851aa 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix | |||
@@ -53,12 +53,12 @@ rec { | |||
53 | modules = [ "proxy_fcgi" ]; | 53 | modules = [ "proxy_fcgi" ]; |
54 | webappName = "tools_mantisbt"; | 54 | webappName = "tools_mantisbt"; |
55 | root = "/run/current-system/webapps/${webappName}"; | 55 | root = "/run/current-system/webapps/${webappName}"; |
56 | vhostConf = '' | 56 | vhostConf = socket: '' |
57 | Alias /mantisbt "${root}" | 57 | Alias /mantisbt "${root}" |
58 | <Directory "${root}"> | 58 | <Directory "${root}"> |
59 | DirectoryIndex index.php | 59 | DirectoryIndex index.php |
60 | <FilesMatch "\.php$"> | 60 | <FilesMatch "\.php$"> |
61 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 61 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
62 | </FilesMatch> | 62 | </FilesMatch> |
63 | 63 | ||
64 | AllowOverride All | 64 | AllowOverride All |
@@ -76,20 +76,17 @@ rec { | |||
76 | basedir = builtins.concatStringsSep ":" ( | 76 | basedir = builtins.concatStringsSep ":" ( |
77 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] | 77 | [ webRoot "/var/secrets/webapps/tools-mantisbt" ] |
78 | ++ webRoot.plugins); | 78 | ++ webRoot.plugins); |
79 | socket = "/var/run/phpfpm/mantisbt.sock"; | 79 | pool = { |
80 | pool = '' | 80 | "listen.owner" = apache.user; |
81 | user = ${apache.user} | 81 | "listen.group" = apache.group; |
82 | group = ${apache.group} | 82 | "pm" = "ondemand"; |
83 | listen.owner = ${apache.user} | 83 | "pm.max_children" = "60"; |
84 | listen.group = ${apache.group} | 84 | "pm.process_idle_timeout" = "60"; |
85 | pm = ondemand | ||
86 | pm.max_children = 60 | ||
87 | pm.process_idle_timeout = 60 | ||
88 | 85 | ||
89 | php_admin_value[upload_max_filesize] = 5000000 | 86 | "php_admin_value[upload_max_filesize]" = "5000000"; |
90 | 87 | ||
91 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt" | 88 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"; |
92 | php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt" | 89 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/mantisbt"; |
93 | ''; | 90 | }; |
94 | }; | 91 | }; |
95 | } | 92 | } |
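Review bot: The reshaped `phpFpm.pool` attrset (new lines 79–90) no longer carries `user`/`group`, so whichever `services.phpfpm.pools` entry consumes `mantisbt.phpFpm.pool` must now supply them, and nothing in this file says so; the same applies to the identical rewrites in rainloop.nix, roundcubemail.nix, dokuwiki.nix, grocy.nix, kanboard.nix, ldap.nix and rompr.nix. A one-line comment above `pool = {`, e.g. `# FPM pool settings only: the consuming pools.<name> entry must set user/group, and listen.owner/listen.group must stay the httpd identity`, would make the contract explicit. Since only httpd needs to reach the socket, adding `"listen.mode" = "0600";` next to `listen.owner` would also tighten PHP-FPM's default 0660 so that other processes sharing the web server's group cannot connect to the pool.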
diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index bb36042..1f7f7bf 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix | |||
@@ -6,6 +6,7 @@ let | |||
6 | }; | 6 | }; |
7 | rainloop = pkgs.callPackage ./rainloop.nix {}; | 7 | rainloop = pkgs.callPackage ./rainloop.nix {}; |
8 | cfg = config.myServices.websites.tools.email; | 8 | cfg = config.myServices.websites.tools.email; |
9 | pcfg = config.services.phpfpm.pools; | ||
9 | in | 10 | in |
10 | { | 11 | { |
11 | options.myServices.websites.tools.email = { | 12 | options.myServices.websites.tools.email = { |
@@ -34,8 +35,8 @@ in | |||
34 | hosts = ["mail.immae.eu"]; | 35 | hosts = ["mail.immae.eu"]; |
35 | root = "/run/current-system/webapps/_mail"; | 36 | root = "/run/current-system/webapps/_mail"; |
36 | extraConfig = [ | 37 | extraConfig = [ |
37 | rainloop.apache.vhostConf | 38 | (rainloop.apache.vhostConf pcfg.rainloop.socket) |
38 | roundcubemail.apache.vhostConf | 39 | (roundcubemail.apache.vhostConf pcfg.roundcubemail.socket) |
39 | '' | 40 | '' |
40 | <Directory /run/current-system/webapps/_mail> | 41 | <Directory /run/current-system/webapps/_mail> |
41 | Require all granted | 42 | Require all granted |
@@ -56,13 +57,15 @@ in | |||
56 | }; | 57 | }; |
57 | 58 | ||
58 | services.phpfpm.pools.roundcubemail = { | 59 | services.phpfpm.pools.roundcubemail = { |
59 | listen = roundcubemail.phpFpm.socket; | 60 | user = "wwwrun"; |
60 | extraConfig = roundcubemail.phpFpm.pool; | 61 | group = "wwwrun"; |
62 | settings = roundcubemail.phpFpm.pool; | ||
61 | phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; | 63 | phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; |
62 | }; | 64 | }; |
63 | services.phpfpm.pools.rainloop = { | 65 | services.phpfpm.pools.rainloop = { |
64 | listen = rainloop.phpFpm.socket; | 66 | user = "wwwrun"; |
65 | extraConfig = rainloop.phpFpm.pool; | 67 | group = "wwwrun"; |
68 | settings = rainloop.phpFpm.pool; | ||
66 | }; | 69 | }; |
67 | system.activationScripts = { | 70 | system.activationScripts = { |
68 | roundcubemail = roundcubemail.activationScript; | 71 | roundcubemail = roundcubemail.activationScript; |
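Review bot: The `roundcubemail` and `rainloop` pools (new lines 60–61 and 66–67) hard-code `user = "wwwrun"`, whereas the git module in this same commit uses `config.services.httpd.Tools.user` and the pools' own `listen.owner` is taken from `apache.user` inside roundcubemail.nix and rainloop.nix. Three spellings of the same identity invite drift: if the httpd user is ever renamed, the socket owner and the worker user change in different places and the pool becomes unreachable. Prefer one source, e.g. `user = roundcubemail.apache.user;` and `group = roundcubemail.apache.group;` (assuming `apache` is an attribute of that file's `rec`, as in adminer.nix), or the `config.services.httpd.Tools.*` options used elsewhere in the commit.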
diff --git a/modules/private/websites/tools/mail/rainloop.nix b/modules/private/websites/tools/mail/rainloop.nix index 2dad46e..9b1f0c5 100644 --- a/modules/private/websites/tools/mail/rainloop.nix +++ b/modules/private/websites/tools/mail/rainloop.nix | |||
@@ -16,7 +16,7 @@ rec { | |||
16 | modules = [ "proxy_fcgi" ]; | 16 | modules = [ "proxy_fcgi" ]; |
17 | webappName = "tools_rainloop"; | 17 | webappName = "tools_rainloop"; |
18 | root = "/run/current-system/webapps/${webappName}"; | 18 | root = "/run/current-system/webapps/${webappName}"; |
19 | vhostConf = '' | 19 | vhostConf = socket: '' |
20 | Alias /rainloop "${root}" | 20 | Alias /rainloop "${root}" |
21 | <Directory "${root}"> | 21 | <Directory "${root}"> |
22 | DirectoryIndex index.php | 22 | DirectoryIndex index.php |
@@ -25,7 +25,7 @@ rec { | |||
25 | Require all granted | 25 | Require all granted |
26 | 26 | ||
27 | <FilesMatch "\.php$"> | 27 | <FilesMatch "\.php$"> |
28 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 28 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
29 | </FilesMatch> | 29 | </FilesMatch> |
30 | </Directory> | 30 | </Directory> |
31 | 31 | ||
@@ -37,22 +37,19 @@ rec { | |||
37 | phpFpm = rec { | 37 | phpFpm = rec { |
38 | serviceDeps = [ "postgresql.service" ]; | 38 | serviceDeps = [ "postgresql.service" ]; |
39 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; | 39 | basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; |
40 | socket = "/var/run/phpfpm/rainloop.sock"; | 40 | pool = { |
41 | pool = '' | 41 | "listen.owner" = apache.user; |
42 | user = ${apache.user} | 42 | "listen.group" = apache.group; |
43 | group = ${apache.group} | 43 | "pm" = "ondemand"; |
44 | listen.owner = ${apache.user} | 44 | "pm.max_children" = "60"; |
45 | listen.group = ${apache.group} | 45 | "pm.process_idle_timeout" = "60"; |
46 | pm = ondemand | ||
47 | pm.max_children = 60 | ||
48 | pm.process_idle_timeout = 60 | ||
49 | 46 | ||
50 | ; Needed to avoid clashes in browser cookies (same domain) | 47 | # Needed to avoid clashes in browser cookies (same domain) |
51 | php_value[session.name] = RainloopPHPSESSID | 48 | "php_value[session.name]" = "RainloopPHPSESSID"; |
52 | php_admin_value[upload_max_filesize] = 200M | 49 | "php_admin_value[upload_max_filesize]" = "200M"; |
53 | php_admin_value[post_max_size] = 200M | 50 | "php_admin_value[post_max_size]" = "200M"; |
54 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 51 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
55 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 52 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
56 | ''; | 53 | }; |
57 | }; | 54 | }; |
58 | } | 55 | } |
diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 35de312..0b35d02 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix | |||
@@ -83,7 +83,7 @@ rec { | |||
83 | modules = [ "proxy_fcgi" ]; | 83 | modules = [ "proxy_fcgi" ]; |
84 | webappName = "tools_roundcubemail"; | 84 | webappName = "tools_roundcubemail"; |
85 | root = "/run/current-system/webapps/${webappName}"; | 85 | root = "/run/current-system/webapps/${webappName}"; |
86 | vhostConf = '' | 86 | vhostConf = socket: '' |
87 | Alias /roundcube "${root}" | 87 | Alias /roundcube "${root}" |
88 | <Directory "${root}"> | 88 | <Directory "${root}"> |
89 | DirectoryIndex index.php | 89 | DirectoryIndex index.php |
@@ -92,7 +92,7 @@ rec { | |||
92 | Require all granted | 92 | Require all granted |
93 | 93 | ||
94 | <FilesMatch "\.php$"> | 94 | <FilesMatch "\.php$"> |
95 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 95 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
96 | </FilesMatch> | 96 | </FilesMatch> |
97 | </Directory> | 97 | </Directory> |
98 | ''; | 98 | ''; |
@@ -107,22 +107,19 @@ rec { | |||
107 | date.timezone = 'CET' | 107 | date.timezone = 'CET' |
108 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so | 108 | extension=${phpPackages.imagick}/lib/php/extensions/imagick.so |
109 | ''; | 109 | ''; |
110 | socket = "/var/run/phpfpm/roundcubemail.sock"; | 110 | pool = { |
111 | pool = '' | 111 | "listen.owner" = apache.user; |
112 | user = ${apache.user} | 112 | "listen.group" = apache.group; |
113 | group = ${apache.group} | 113 | "pm" = "ondemand"; |
114 | listen.owner = ${apache.user} | 114 | "pm.max_children" = "60"; |
115 | listen.group = ${apache.group} | 115 | "pm.process_idle_timeout" = "60"; |
116 | pm = ondemand | ||
117 | pm.max_children = 60 | ||
118 | pm.process_idle_timeout = 60 | ||
119 | 116 | ||
120 | ; Needed to avoid clashes in browser cookies (same domain) | 117 | # Needed to avoid clashes in browser cookies (same domain) |
121 | php_value[session.name] = RoundcubemailPHPSESSID | 118 | "php_value[session.name]" = "RoundcubemailPHPSESSID"; |
122 | php_admin_value[upload_max_filesize] = 200M | 119 | "php_admin_value[upload_max_filesize]" = "200M"; |
123 | php_admin_value[post_max_size] = 200M | 120 | "php_admin_value[post_max_size]" = "200M"; |
124 | php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp" | 121 | "php_admin_value[open_basedir]" = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"; |
125 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 122 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
126 | ''; | 123 | }; |
127 | }; | 124 | }; |
128 | } | 125 | } |
diff --git a/modules/private/websites/tools/tools/adminer.nix b/modules/private/websites/tools/tools/adminer.nix index 907e37f..52a132c 100644 --- a/modules/private/websites/tools/tools/adminer.nix +++ b/modules/private/websites/tools/tools/adminer.nix | |||
@@ -1,4 +1,4 @@ | |||
1 | { adminer }: | 1 | { adminer, php73, forcePhpSocket ? null }: |
2 | rec { | 2 | rec { |
3 | activationScript = { | 3 | activationScript = { |
4 | deps = [ "httpd" ]; | 4 | deps = [ "httpd" ]; |
@@ -9,22 +9,33 @@ rec { | |||
9 | }; | 9 | }; |
10 | webRoot = adminer; | 10 | webRoot = adminer; |
11 | phpFpm = rec { | 11 | phpFpm = rec { |
12 | socket = "/var/run/phpfpm/adminer.sock"; | 12 | user = apache.user; |
13 | pool = '' | 13 | group = apache.group; |
14 | user = ${apache.user} | 14 | phpPackage = (php73.override { |
15 | group = ${apache.group} | 15 | config.php.mysqlnd = true; |
16 | listen.owner = ${apache.user} | 16 | config.php.mysqli = false; |
17 | listen.group = ${apache.group} | 17 | config.php.pdo-mysql = false; |
18 | pm = ondemand | 18 | }).overrideAttrs(old: rec { |
19 | pm.max_children = 5 | 19 | configureFlags = old.configureFlags ++ [ |
20 | pm.process_idle_timeout = 60 | 20 | "--with-mysqli=shared,mysqlnd" |
21 | ;php_admin_flag[log_errors] = on | 21 | ]; |
22 | ; Needed to avoid clashes in browser cookies (same domain) | 22 | }); |
23 | php_value[session.name] = AdminerPHPSESSID | 23 | phpOptions = '' |
24 | php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer" | 24 | extension=${phpPackage}/lib/php/extensions/mysqli.so |
25 | php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer" | 25 | ''; |
26 | php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer" | 26 | settings = { |
27 | ''; | 27 | "listen.owner" = apache.user; |
28 | "listen.group" = apache.group; | ||
29 | "pm" = "ondemand"; | ||
30 | "pm.max_children" = "5"; | ||
31 | "pm.process_idle_timeout" = "60"; | ||
32 | #"php_admin_flag[log_errors]" = "on"; | ||
33 | # Needed to avoid clashes in browser cookies (same domain) | ||
34 | "php_value[session.name]" = "AdminerPHPSESSID"; | ||
35 | "php_admin_value[open_basedir]" = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"; | ||
36 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/adminer"; | ||
37 | "php_admin_value[upload_tmp_dir]" = "/var/lib/php/tmp/adminer"; | ||
38 | }; | ||
28 | }; | 39 | }; |
29 | apache = rec { | 40 | apache = rec { |
30 | user = "wwwrun"; | 41 | user = "wwwrun"; |
@@ -32,12 +43,12 @@ rec { | |||
32 | modules = [ "proxy_fcgi" ]; | 43 | modules = [ "proxy_fcgi" ]; |
33 | webappName = "_adminer"; | 44 | webappName = "_adminer"; |
34 | root = "/run/current-system/webapps/${webappName}"; | 45 | root = "/run/current-system/webapps/${webappName}"; |
35 | vhostConf = '' | 46 | vhostConf = socket: '' |
36 | Alias /adminer ${root} | 47 | Alias /adminer ${root} |
37 | <Directory ${root}> | 48 | <Directory ${root}> |
38 | DirectoryIndex index.php | 49 | DirectoryIndex index.php |
39 | <FilesMatch "\.php$"> | 50 | <FilesMatch "\.php$"> |
40 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 51 | SetHandler "proxy:unix:${if forcePhpSocket != null then forcePhpSocket else socket}|fcgi://localhost" |
41 | </FilesMatch> | 52 | </FilesMatch> |
42 | 53 | ||
43 | Use LDAPConnect | 54 | Use LDAPConnect |
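Review bot: `phpOptions` in the new `phpFpm` set (lines 23–25) contains only the mysqli extension line and does not prepend `config.services.phpfpm.phpOptions`, unlike the devtools and roundcubemail pools in this commit, so whatever global php.ini settings that option carries will not apply to the adminer pool. If that is deliberate because of the `php73` override, a comment saying so would help; otherwise the file would need `config` passed in, since its argument set on line 1 is only `{ adminer, php73, forcePhpSocket ? null }`. The commented-out `#"php_admin_flag[log_errors]" = "on";` on line 32 should be either enabled or deleted — dead config in a database admin UI's pool reads as "error logging was meant to be on". The `forcePhpSocket` escape hatch (lines 1 and 51) also deserves a one-line comment naming which caller needs it, e.g. `# forcePhpSocket: lets a caller that runs no adminer pool of its own point the vhost at another socket`.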
diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 5dc0981..5e0d446 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix | |||
@@ -40,6 +40,7 @@ let | |||
40 | }; | 40 | }; |
41 | 41 | ||
42 | cfg = config.myServices.websites.tools.tools; | 42 | cfg = config.myServices.websites.tools.tools; |
43 | pcfg = config.services.phpfpm.pools; | ||
43 | in { | 44 | in { |
44 | options.myServices.websites.tools.tools = { | 45 | options.myServices.websites.tools.tools = { |
45 | enable = lib.mkEnableOption "enable tools website"; | 46 | enable = lib.mkEnableOption "enable tools website"; |
@@ -92,7 +93,7 @@ in { | |||
92 | AllowOverride all | 93 | AllowOverride all |
93 | Require all granted | 94 | Require all granted |
94 | <FilesMatch "\.php$"> | 95 | <FilesMatch "\.php$"> |
95 | SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost" | 96 | SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost" |
96 | </FilesMatch> | 97 | </FilesMatch> |
97 | </Directory> | 98 | </Directory> |
98 | '' | 99 | '' |
@@ -115,21 +116,21 @@ in { | |||
115 | AllowOverride all | 116 | AllowOverride all |
116 | Require all granted | 117 | Require all granted |
117 | <FilesMatch "\.php$"> | 118 | <FilesMatch "\.php$"> |
118 | SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost" | 119 | SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost" |
119 | </FilesMatch> | 120 | </FilesMatch> |
120 | </Directory> | 121 | </Directory> |
121 | '' | 122 | '' |
122 | adminer.apache.vhostConf | 123 | (adminer.apache.vhostConf pcfg.adminer.socket) |
123 | ympd.apache.vhostConf | 124 | ympd.apache.vhostConf |
124 | ttrss.apache.vhostConf | 125 | (ttrss.apache.vhostConf pcfg.ttrss.socket) |
125 | wallabag.apache.vhostConf | 126 | (wallabag.apache.vhostConf pcfg.wallabag.socket) |
126 | yourls.apache.vhostConf | 127 | (yourls.apache.vhostConf pcfg.yourls.socket) |
127 | rompr.apache.vhostConf | 128 | (rompr.apache.vhostConf pcfg.rompr.socket) |
128 | shaarli.apache.vhostConf | 129 | (shaarli.apache.vhostConf pcfg.shaarli.socket) |
129 | dokuwiki.apache.vhostConf | 130 | (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket) |
130 | ldap.apache.vhostConf | 131 | (ldap.apache.vhostConf pcfg.ldap.socket) |
131 | kanboard.apache.vhostConf | 132 | (kanboard.apache.vhostConf pcfg.kanboard.socket) |
132 | grocy.apache.vhostConf | 133 | (grocy.apache.vhostConf pcfg.grocy.socket) |
133 | ]; | 134 | ]; |
134 | }; | 135 | }; |
135 | 136 | ||
@@ -226,38 +227,36 @@ in { | |||
226 | 227 | ||
227 | services.phpfpm.pools = { | 228 | services.phpfpm.pools = { |
228 | tools = { | 229 | tools = { |
229 | listen = "/var/run/phpfpm/tools.sock"; | 230 | user = "wwwrun"; |
230 | extraConfig = '' | 231 | group = "wwwrun"; |
231 | user = wwwrun | 232 | settings = { |
232 | group = wwwrun | 233 | "listen.owner" = "wwwrun"; |
233 | listen.owner = wwwrun | 234 | "listen.group" = "wwwrun"; |
234 | listen.group = wwwrun | 235 | "pm" = "dynamic"; |
235 | pm = dynamic | 236 | "pm.max_children" = "60"; |
236 | pm.max_children = 60 | 237 | "pm.start_servers" = "2"; |
237 | pm.start_servers = 2 | 238 | "pm.min_spare_servers" = "1"; |
238 | pm.min_spare_servers = 1 | 239 | "pm.max_spare_servers" = "10"; |
239 | pm.max_spare_servers = 10 | ||
240 | 240 | ||
241 | ; Needed to avoid clashes in browser cookies (same domain) | 241 | # Needed to avoid clashes in browser cookies (same domain) |
242 | php_value[session.name] = ToolsPHPSESSID | 242 | "php_value[session.name]" = "ToolsPHPSESSID"; |
243 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp" | 243 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"; |
244 | ''; | 244 | }; |
245 | }; | 245 | }; |
246 | devtools = { | 246 | devtools = { |
247 | listen = "/var/run/phpfpm/devtools.sock"; | 247 | user = "wwwrun"; |
248 | extraConfig = '' | 248 | group = "wwwrun"; |
249 | user = wwwrun | 249 | settings = { |
250 | group = wwwrun | 250 | "listen.owner" = "wwwrun"; |
251 | listen.owner = wwwrun | 251 | "listen.group" = "wwwrun"; |
252 | listen.group = wwwrun | 252 | "pm" = "dynamic"; |
253 | pm = dynamic | 253 | "pm.max_children" = "60"; |
254 | pm.max_children = 60 | 254 | "pm.start_servers" = "2"; |
255 | pm.start_servers = 2 | 255 | "pm.min_spare_servers" = "1"; |
256 | pm.min_spare_servers = 1 | 256 | "pm.max_spare_servers" = "10"; |
257 | pm.max_spare_servers = 10 | ||
258 | 257 | ||
259 | php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp" | 258 | "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"; |
260 | ''; | 259 | }; |
261 | phpOptions = config.services.phpfpm.phpOptions + '' | 260 | phpOptions = config.services.phpfpm.phpOptions + '' |
262 | extension=${pkgs.php}/lib/php/extensions/mysqli.so | 261 | extension=${pkgs.php}/lib/php/extensions/mysqli.so |
263 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so | 262 | extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so |
@@ -265,45 +264,51 @@ in { | |||
265 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so | 264 | zend_extension=${pkgs.php}/lib/php/extensions/opcache.so |
266 | ''; | 265 | ''; |
267 | }; | 266 | }; |
268 | adminer = { | 267 | adminer = adminer.phpFpm; |
269 | listen = adminer.phpFpm.socket; | ||
270 | extraConfig = adminer.phpFpm.pool; | ||
271 | }; | ||
272 | ttrss = { | 268 | ttrss = { |
273 | listen = ttrss.phpFpm.socket; | 269 | user = "wwwrun"; |
274 | extraConfig = ttrss.phpFpm.pool; | 270 | group = "wwwrun"; |
271 | settings = ttrss.phpFpm.pool; | ||
275 | }; | 272 | }; |
276 | wallabag = { | 273 | wallabag = { |
277 | listen = wallabag.phpFpm.socket; | 274 | user = "wwwrun"; |
278 | extraConfig = wallabag.phpFpm.pool; | 275 | group = "wwwrun"; |
276 | settings = wallabag.phpFpm.pool; | ||
279 | }; | 277 | }; |
280 | yourls = { | 278 | yourls = { |
281 | listen = yourls.phpFpm.socket; | 279 | user = "wwwrun"; |
282 | extraConfig = yourls.phpFpm.pool; | 280 | group = "wwwrun"; |
281 | settings = yourls.phpFpm.pool; | ||
283 | }; | 282 | }; |
284 | rompr = { | 283 | rompr = { |
285 | listen = rompr.phpFpm.socket; | 284 | user = "wwwrun"; |
286 | extraConfig = rompr.phpFpm.pool; | 285 | group = "wwwrun"; |
286 | settings = rompr.phpFpm.pool; | ||
287 | }; | 287 | }; |
288 | shaarli = { | 288 | shaarli = { |
289 | listen = shaarli.phpFpm.socket; | 289 | user = "wwwrun"; |
290 | extraConfig = shaarli.phpFpm.pool; | 290 | group = "wwwrun"; |
291 | settings = shaarli.phpFpm.pool; | ||
291 | }; | 292 | }; |
292 | dokuwiki = { | 293 | dokuwiki = { |
293 | listen = dokuwiki.phpFpm.socket; | 294 | user = "wwwrun"; |
294 | extraConfig = dokuwiki.phpFpm.pool; | 295 | group = "wwwrun"; |
296 | settings = dokuwiki.phpFpm.pool; | ||
295 | }; | 297 | }; |
296 | ldap = { | 298 | ldap = { |
297 | listen = ldap.phpFpm.socket; | 299 | user = "wwwrun"; |
298 | extraConfig = ldap.phpFpm.pool; | 300 | group = "wwwrun"; |
301 | settings = ldap.phpFpm.pool; | ||
299 | }; | 302 | }; |
300 | kanboard = { | 303 | kanboard = { |
301 | listen = kanboard.phpFpm.socket; | 304 | user = "wwwrun"; |
302 | extraConfig = kanboard.phpFpm.pool; | 305 | group = "wwwrun"; |
306 | settings = kanboard.phpFpm.pool; | ||
303 | }; | 307 | }; |
304 | grocy = { | 308 | grocy = { |
305 | listen = grocy.phpFpm.socket; | 309 | user = "wwwrun"; |
306 | extraConfig = grocy.phpFpm.pool; | 310 | group = "wwwrun"; |
311 | settings = grocy.phpFpm.pool; | ||
307 | }; | 312 | }; |
308 | }; | 313 | }; |
309 | 314 | ||
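Review bot: The `services.phpfpm.pools` block (new lines 268–312) repeats `user = "wwwrun"; group = "wwwrun"; settings = X.phpFpm.pool;` nine times; a small helper in the module's `let` (outside this hunk) keeps the identity in one place, e.g. `mkPool = app: { user = "wwwrun"; group = "wwwrun"; settings = app.phpFpm.pool; };` with `ttrss = mkPool ttrss;` and so on. Separately, `adminer = adminer.phpFpm;` on line 267 passes the whole attrset through as the pool definition, so any key added to that `rec` later (it already carries `user`, `group`, `phpPackage`, `phpOptions`, `settings`) lands in the pool unreviewed; spelling the fields out here, as the other entries do, keeps the pool interface visible in this file.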
diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix index d66e85d..26c04b7 100644 --- a/modules/private/websites/tools/tools/dokuwiki.nix +++ b/modules/private/websites/tools/tools/dokuwiki.nix | |||
@@ -26,12 +26,12 @@ rec { | |||
26 | modules = [ "proxy_fcgi" ]; | 26 | modules = [ "proxy_fcgi" ]; |
27 | webappName = "tools_dokuwiki"; | 27 | webappName = "tools_dokuwiki"; |
28 | root = "/run/current-system/webapps/${webappName}"; | 28 | root = "/run/current-system/webapps/${webappName}"; |
29 | vhostConf = '' | 29 | vhostConf = socket: '' |
30 | Alias /dokuwiki "${root}" | 30 | Alias /dokuwiki "${root}" |
31 | <Directory "${root}"> | 31 | <Directory "${root}"> |
32 | DirectoryIndex index.php | 32 | DirectoryIndex index.php |
33 | <FilesMatch "\.php$"> | 33 | <FilesMatch "\.php$"> |
34 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 34 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
35 | </FilesMatch> | 35 | </FilesMatch> |
36 | 36 | ||
37 | AllowOverride All | 37 | AllowOverride All |
@@ -44,20 +44,17 @@ rec { | |||
44 | serviceDeps = [ "openldap.service" ]; | 44 | serviceDeps = [ "openldap.service" ]; |
45 | basedir = builtins.concatStringsSep ":" ( | 45 | basedir = builtins.concatStringsSep ":" ( |
46 | [ webRoot varDir ] ++ webRoot.plugins); | 46 | [ webRoot varDir ] ++ webRoot.plugins); |
47 | socket = "/var/run/phpfpm/dokuwiki.sock"; | 47 | pool = { |
48 | pool = '' | 48 | "listen.owner" = apache.user; |
49 | user = ${apache.user} | 49 | "listen.group" = apache.group; |
50 | group = ${apache.group} | 50 | "pm" = "ondemand"; |
51 | listen.owner = ${apache.user} | 51 | "pm.max_children" = "60"; |
52 | listen.group = ${apache.group} | 52 | "pm.process_idle_timeout" = "60"; |
53 | pm = ondemand | ||
54 | pm.max_children = 60 | ||
55 | pm.process_idle_timeout = 60 | ||
56 | 53 | ||
57 | ; Needed to avoid clashes in browser cookies (same domain) | 54 | # Needed to avoid clashes in browser cookies (same domain) |
58 | php_value[session.name] = DokuwikiPHPSESSID | 55 | "php_value[session.name]" = "DokuwikiPHPSESSID"; |
59 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 56 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
60 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 57 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
61 | ''; | 58 | }; |
62 | }; | 59 | }; |
63 | } | 60 | } |
diff --git a/modules/private/websites/tools/tools/grocy.nix b/modules/private/websites/tools/tools/grocy.nix index 1b8da20..a98d8ac 100644 --- a/modules/private/websites/tools/tools/grocy.nix +++ b/modules/private/websites/tools/tools/grocy.nix | |||
@@ -18,12 +18,12 @@ rec { | |||
18 | modules = [ "proxy_fcgi" ]; | 18 | modules = [ "proxy_fcgi" ]; |
19 | webappName = "tools_grocy"; | 19 | webappName = "tools_grocy"; |
20 | root = "/run/current-system/webapps/${webappName}"; | 20 | root = "/run/current-system/webapps/${webappName}"; |
21 | vhostConf = '' | 21 | vhostConf = socket: '' |
22 | Alias /grocy "${root}" | 22 | Alias /grocy "${root}" |
23 | <Directory "${root}"> | 23 | <Directory "${root}"> |
24 | DirectoryIndex index.php | 24 | DirectoryIndex index.php |
25 | <FilesMatch "\.php$"> | 25 | <FilesMatch "\.php$"> |
26 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 26 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
27 | </FilesMatch> | 27 | </FilesMatch> |
28 | 28 | ||
29 | AllowOverride All | 29 | AllowOverride All |
@@ -35,21 +35,18 @@ rec { | |||
35 | phpFpm = rec { | 35 | phpFpm = rec { |
36 | basedir = builtins.concatStringsSep ":" ( | 36 | basedir = builtins.concatStringsSep ":" ( |
37 | [ grocy grocy.yarnModules varDir ]); | 37 | [ grocy grocy.yarnModules varDir ]); |
38 | socket = "/var/run/phpfpm/grocy.sock"; | 38 | pool = { |
39 | pool = '' | 39 | "listen.owner" = apache.user; |
40 | user = ${apache.user} | 40 | "listen.group" = apache.group; |
41 | group = ${apache.group} | 41 | "pm" = "ondemand"; |
42 | listen.owner = ${apache.user} | 42 | "pm.max_children" = "60"; |
43 | listen.group = ${apache.group} | 43 | "pm.process_idle_timeout" = "60"; |
44 | pm = ondemand | ||
45 | pm.max_children = 60 | ||
46 | pm.process_idle_timeout = 60 | ||
47 | 44 | ||
48 | ; Needed to avoid clashes in browser cookies (same domain) | 45 | # Needed to avoid clashes in browser cookies (same domain) |
49 | php_value[session.name] = grocyPHPSESSID | 46 | "php_value[session.name]" = "grocyPHPSESSID"; |
50 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 47 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
51 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 48 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
52 | ''; | 49 | }; |
53 | }; | 50 | }; |
54 | } | 51 | } |
55 | 52 | ||
diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 1880cbd..0f6fefc 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix | |||
@@ -49,7 +49,7 @@ rec { | |||
49 | modules = [ "proxy_fcgi" ]; | 49 | modules = [ "proxy_fcgi" ]; |
50 | webappName = "tools_kanboard"; | 50 | webappName = "tools_kanboard"; |
51 | root = "/run/current-system/webapps/${webappName}"; | 51 | root = "/run/current-system/webapps/${webappName}"; |
52 | vhostConf = '' | 52 | vhostConf = socket: '' |
53 | Alias /kanboard "${root}" | 53 | Alias /kanboard "${root}" |
54 | <Directory "${root}"> | 54 | <Directory "${root}"> |
55 | DirectoryIndex index.php | 55 | DirectoryIndex index.php |
@@ -58,7 +58,7 @@ rec { | |||
58 | Require all granted | 58 | Require all granted |
59 | 59 | ||
60 | <FilesMatch "\.php$"> | 60 | <FilesMatch "\.php$"> |
61 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 61 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
62 | </FilesMatch> | 62 | </FilesMatch> |
63 | </Directory> | 63 | </Directory> |
64 | <DirectoryMatch "${root}/data"> | 64 | <DirectoryMatch "${root}/data"> |
@@ -69,20 +69,17 @@ rec { | |||
69 | phpFpm = rec { | 69 | phpFpm = rec { |
70 | serviceDeps = [ "postgresql.service" "openldap.service" ]; | 70 | serviceDeps = [ "postgresql.service" "openldap.service" ]; |
71 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; | 71 | basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; |
72 | socket = "/var/run/phpfpm/kanboard.sock"; | 72 | pool = { |
73 | pool = '' | 73 | "listen.owner" = apache.user; |
74 | user = ${apache.user} | 74 | "listen.group" = apache.group; |
75 | group = ${apache.group} | 75 | "pm" = "ondemand"; |
76 | listen.owner = ${apache.user} | 76 | "pm.max_children" = "60"; |
77 | listen.group = ${apache.group} | 77 | "pm.process_idle_timeout" = "60"; |
78 | pm = ondemand | ||
79 | pm.max_children = 60 | ||
80 | pm.process_idle_timeout = 60 | ||
81 | 78 | ||
82 | ; Needed to avoid clashes in browser cookies (same domain) | 79 | # Needed to avoid clashes in browser cookies (same domain) |
83 | php_value[session.name] = KanboardPHPSESSID | 80 | "php_value[session.name]" = "KanboardPHPSESSID"; |
84 | php_admin_value[open_basedir] = "${basedir}:/tmp" | 81 | "php_admin_value[open_basedir]" = "${basedir}:/tmp"; |
85 | php_admin_value[session.save_path] = "${varDir}/phpSessions" | 82 | "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; |
86 | ''; | 83 | }; |
87 | }; | 84 | }; |
88 | } | 85 | } |
diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix index e58a9bd..0c1a21f 100644 --- a/modules/private/websites/tools/tools/ldap.nix +++ b/modules/private/websites/tools/tools/ldap.nix | |||
@@ -39,12 +39,12 @@ rec { | |||
39 | modules = [ "proxy_fcgi" ]; | 39 | modules = [ "proxy_fcgi" ]; |
40 | webappName = "tools_ldap"; | 40 | webappName = "tools_ldap"; |
41 | root = "/run/current-system/webapps/${webappName}"; | 41 | root = "/run/current-system/webapps/${webappName}"; |
42 | vhostConf = '' | 42 | vhostConf = socket: '' |
43 | Alias /ldap "${root}" | 43 | Alias /ldap "${root}" |
44 | <Directory "${root}"> | 44 | <Directory "${root}"> |
45 | DirectoryIndex index.php | 45 | DirectoryIndex index.php |
46 | <FilesMatch "\.php$"> | 46 | <FilesMatch "\.php$"> |
47 | SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" | 47 | SetHandler "proxy:unix:${socket}|fcgi://localhost" |
48 | </FilesMatch> | 48 | </FilesMatch> |
49 | 49 | ||
50 | AllowOverride None | 50 | AllowOverride None |
@@ -55,20 +55,17 @@ rec { | |||
55 | phpFpm = rec { | 55 | phpFpm = rec { |
56 | serviceDeps = [ "openldap.service" ]; | 56 | serviceDeps = [ "openldap.service" ]; |
57 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; | 57 | basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; |
58 | socket = "/var/run/phpfpm/ldap.sock"; | 58 | pool = { |
59 | pool = '' | 59 | "listen.owner" = apache.user; |
60 | user = ${apache.user} | 60 | "listen.group" = apache.group; |
61 | group = ${apache.group} | 61 | "pm" = "ondemand"; |
62 | listen.owner = ${apache.user} | 62 | "pm.max_children" = "60"; |
63 | listen.group = ${apache.group} | 63 | "pm.process_idle_timeout" = "60"; |
64 | pm = ondemand | ||
65 | pm.max_children = 60 | ||
66 | pm.process_idle_timeout = 60 | ||
67 | 64 | ||
68 | ; Needed to avoid clashes in browser cookies (same domain) | 65 | # Needed to avoid clashes in browser cookies (same domain) |
69 | php_value[session.name] = LdapPHPSESSID | 66 | "php_value[session.name]" = "LdapPHPSESSID"; |
70 | php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin" | 67 | "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; |
71 | php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin" | 68 | "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; |
72 | ''; | 69 | }; |
73 | }; | 70 | }; |
74 | } | 71 | } |
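--- a/modules/private/websites/tools/tools/rompr.nix
+++ b/modules/private/websites/tools/tools/rompr.nix
@@ -15,7 +15,7 @@ rec {
 modules = [ "headers" "mime" "proxy_fcgi" ];
 webappName = "tools_rompr";
 root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
+vhostConf = socket: ''
 Alias /rompr ${root}
 
 <Directory ${root}>
@@ -29,7 +29,7 @@ rec {
 AddType image/x-icon .ico
 
 <FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+SetHandler "proxy:unix:${socket}|fcgi://localhost"
 </FilesMatch>
 </Directory>
 
@@ -51,29 +51,26 @@ rec {
 };
 phpFpm = rec {
 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-socket = "/var/run/phpfpm/rompr.sock";
-pool = ''
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
+pool = {
+"listen.owner" = apache.user;
+"listen.group" = apache.group;
+"pm" = "ondemand";
+"pm.max_children" = "60";
+"pm.process_idle_timeout" = "60";
 
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = RomprPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-php_flag[magic_quotes_gpc] = Off
-php_flag[track_vars] = On
-php_flag[register_globals] = Off
-php_admin_flag[allow_url_fopen] = On
-php_value[include_path] = ${webRoot}
-php_admin_value[upload_tmp_dir] = "${varDir}/prefs"
-php_admin_value[post_max_size] = 32M
-php_admin_value[upload_max_filesize] = 32M
-php_admin_value[memory_limit] = 256M
-'';
+# Needed to avoid clashes in browser cookies (same domain)
+"php_value[session.name]" = "RomprPHPSESSID";
+"php_admin_value[open_basedir]" = "${basedir}:/tmp";
+"php_admin_value[session.save_path]" = "${varDir}/phpSessions";
+"php_flag[magic_quotes_gpc]" = "Off";
+"php_flag[track_vars]" = "On";
+"php_flag[register_globals]" = "Off";
+"php_admin_flag[allow_url_fopen]" = "On";
+"php_value[include_path]" = "${webRoot}";
+"php_admin_value[upload_tmp_dir]" = "${varDir}/prefs";
+"php_admin_value[post_max_size]" = "32M";
+"php_admin_value[upload_max_filesize]" = "32M";
+"php_admin_value[memory_limit]" = "256M";
+};
 };
 }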
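Review bot: The new `pool` attrset (new lines 54–59) drops the `user`/`group` entries that the old string pool set to `apache.user`/`apache.group`; only `listen.owner`/`listen.group` survive, so the account the PHP workers run as now depends on whatever consumes `pool` outside this diff, and the same applies to shaarli.nix, ttrss.nix, wallabag.nix and yourls.nix. If that consumer falls back to one shared php-fpm user, every tool's workers share an identity and `open_basedir` becomes the only boundary between them; a comment on the first pool such as `# user/group are supplied by the shared phpfpm module; listen.* only sets socket ownership` would make the intent checkable. Separately, `magic_quotes_gpc`, `track_vars` and `register_globals` (new lines 65–67) were removed from PHP long ago and are likely rejected or silently ignored by the pool parser, and `allow_url_fopen = On` (line 68) is carried over as an admin flag, so this migration is a good moment to drop the dead flags and confirm rompr still needs URL wrappers. The enclosing `rec { … }` opens before the hunk.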
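--- a/modules/private/websites/tools/tools/shaarli.nix
+++ b/modules/private/websites/tools/tools/shaarli.nix
@@ -17,7 +17,7 @@ in rec {
 modules = [ "proxy_fcgi" "rewrite" "env" ];
 webappName = "tools_shaarli";
 root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
+vhostConf = socket: ''
 Alias /Shaarli "${root}"
 
 Include /var/secrets/webapps/tools-shaarli
@@ -27,7 +27,7 @@ in rec {
 AllowOverride All
 Require all granted
 <FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+SetHandler "proxy:unix:${socket}|fcgi://localhost"
 </FilesMatch>
 </Directory>
 '';
@@ -48,20 +48,17 @@ in rec {
 phpFpm = rec {
 serviceDeps = [ "openldap.service" ];
 basedir = builtins.concatStringsSep ":" [ webRoot varDir ];
-socket = "/var/run/phpfpm/shaarli.sock";
-pool = ''
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
+pool = {
+"listen.owner" = apache.user;
+"listen.group" = apache.group;
+"pm" = "ondemand";
+"pm.max_children" = "60";
+"pm.process_idle_timeout" = "60";
 
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = ShaarliPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
+# Needed to avoid clashes in browser cookies (same domain)
+"php_value[session.name]" = "ShaarliPHPSESSID";
+"php_admin_value[open_basedir]" = "${basedir}:/tmp";
+"php_admin_value[session.save_path]" = "${varDir}/phpSessions";
+};
 };
 }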
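--- a/modules/private/websites/tools/tools/ttrss.nix
+++ b/modules/private/websites/tools/tools/ttrss.nix
@@ -95,12 +95,12 @@ rec {
 modules = [ "proxy_fcgi" ];
 webappName = "tools_ttrss";
 root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
+vhostConf = socket: ''
 Alias /ttrss "${root}"
 <Directory "${root}">
 DirectoryIndex index.php
 <FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+SetHandler "proxy:unix:${socket}|fcgi://localhost"
 </FilesMatch>
 
 AllowOverride All
@@ -114,20 +114,17 @@ rec {
 basedir = builtins.concatStringsSep ":" (
 [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ]
 ++ webRoot.plugins);
-socket = "/var/run/phpfpm/ttrss.sock";
-pool = ''
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
-
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = TtrssPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp"
-php_admin_value[session.save_path] = "${varDir}/phpSessions"
-'';
+pool = {
+"listen.owner" = apache.user;
+"listen.group" = apache.group;
+"pm" = "ondemand";
+"pm.max_children" = "60";
+"pm.process_idle_timeout" = "60";
+
+# Needed to avoid clashes in browser cookies (same domain)
+"php_value[session.name]" = "TtrssPHPSESSID";
+"php_admin_value[open_basedir]" = "${basedir}:/tmp";
+"php_admin_value[session.save_path]" = "${varDir}/phpSessions";
+};
 };
 }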
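--- a/modules/private/websites/tools/tools/wallabag.nix
+++ b/modules/private/websites/tools/tools/wallabag.nix
@@ -82,7 +82,7 @@ rec {
 modules = [ "proxy_fcgi" ];
 webappName = "tools_wallabag";
 root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
+vhostConf = socket: ''
 Alias /wallabag "${root}"
 <Directory "${root}">
 AllowOverride None
@@ -91,7 +91,7 @@ rec {
 CGIPassAuth On
 
 <FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+SetHandler "proxy:unix:${socket}|fcgi://localhost"
 </FilesMatch>
 
 <IfModule mod_rewrite.c>
@@ -129,22 +129,19 @@ rec {
 '';
 serviceDeps = [ "postgresql.service" "openldap.service" ];
 basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ];
-socket = "/var/run/phpfpm/wallabag.sock";
-pool = ''
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = dynamic
-pm.max_children = 60
-pm.start_servers = 2
-pm.min_spare_servers = 1
-pm.max_spare_servers = 10
+pool = {
+"listen.owner" = apache.user;
+"listen.group" = apache.group;
+"pm" = "dynamic";
+"pm.max_children" = "60";
+"pm.start_servers" = "2";
+"pm.min_spare_servers" = "1";
+"pm.max_spare_servers" = "10";
 
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = WallabagPHPSESSID
-php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp"
-php_value[max_execution_time] = 300
-'';
+# Needed to avoid clashes in browser cookies (same domain)
+"php_value[session.name]" = "WallabagPHPSESSID";
+"php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/tmp";
+"php_value[max_execution_time]" = "300";
+};
 };
 }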
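--- a/modules/private/websites/tools/tools/yourls.nix
+++ b/modules/private/websites/tools/tools/yourls.nix
@@ -48,11 +48,11 @@ rec {
 modules = [ "proxy_fcgi" ];
 webappName = "tools_yourls";
 root = "/run/current-system/webapps/${webappName}";
-vhostConf = ''
+vhostConf = socket: ''
 Alias /url "${root}"
 <Directory "${root}">
 <FilesMatch "\.php$">
-SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost"
+SetHandler "proxy:unix:${socket}|fcgi://localhost"
 </FilesMatch>
 
 AllowOverride None
@@ -73,20 +73,17 @@ rec {
 basedir = builtins.concatStringsSep ":" (
 [ webRoot "/var/secrets/webapps/tools-yourls" ]
 ++ webRoot.plugins);
-socket = "/var/run/phpfpm/yourls.sock";
-pool = ''
-user = ${apache.user}
-group = ${apache.group}
-listen.owner = ${apache.user}
-listen.group = ${apache.group}
-pm = ondemand
-pm.max_children = 60
-pm.process_idle_timeout = 60
+pool = {
+"listen.owner" = apache.user;
+"listen.group" = apache.group;
+"pm" = "ondemand";
+"pm.max_children" = "60";
+"pm.process_idle_timeout" = "60";
 
-; Needed to avoid clashes in browser cookies (same domain)
-php_value[session.name] = YourlsPHPSESSID
-php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls"
-php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls"
-'';
+# Needed to avoid clashes in browser cookies (same domain)
+"php_value[session.name]" = "YourlsPHPSESSID";
+"php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/yourls";
+"php_admin_value[session.save_path]" = "/var/lib/php/sessions/yourls";
+};
 };
 }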