From 58d1a7828bde7f9a432c31b9d3b381ba27b7e3d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Fri, 28 Dec 2018 17:02:01 +0100
Subject: Add php configuration and switch to httpd instead of nginx
---
 virtual/eldiron.nix | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 115 insertions(+), 1 deletion(-)
diff --git a/virtual/eldiron.nix b/virtual/eldiron.nix
index 1c2fca6..55b0bf7 100644
--- a/virtual/eldiron.nix
+++ b/virtual/eldiron.nix
@@ -47,8 +47,96 @@
 };
 };
- services.nginx = rec {
+ # FIXME: open_basedir
+ services.phpfpm = {
+ extraConfig = ''
+ log_level = notice
+ '';
+ poolConfigs = {
+ adminer = ''
+ listen = /var/run/phpfpm/adminer.sock
+ user = wwwrun
+ group = wwwrun
+ listen.owner = wwwrun
+ listen.group = wwwrun
+ pm = ondemand
+ pm.max_children = 5
+ pm.process_idle_timeout = 60
+ ;php_admin_flag[log_errors] = on
+ php_admin_value[open_basedir] = "${mypkgs.adminer}:/tmp"
+ '';
+ www = ''
+ listen = /var/run/phpfpm/www.sock
+ user = wwwrun
+ group = wwwrun
+ listen.owner = wwwrun
+ listen.group = wwwrun
+ pm = ondemand
+ pm.max_children = 5
+ pm.process_idle_timeout = 60
+ ;php_admin_flag[log_errors] = on
+ php_admin_value[open_basedir] = "/var/www"
+ '';
+ };
+ };
+
+ services.httpd = let
+ withSSL = domain: {
+ enableSSL = true;
+ sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only?
+ sslServerKey = "/var/lib/acme/${domain}/key.pem";
+ sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
+ };
+ in rec {
 enable = true;
+ logPerVirtualHost = true;
+ multiProcessingModule = "worker";
+ adminAddr = "httpd@immae.eu";
+ extraModules = [
+ "proxy_fcgi" # for PHP
+ ];
+ virtualHosts = [
+ (withSSL "eldiron" // {
+ listen = [ { ip = "*"; port = 443; } ];
+ hostName = "eldiron.immae.eu";
+ # FIXME: directory needs to exist
+ documentRoot = "/var/www";
+ })
+ (withSSL "eldiron" // {
+ listen = [ { ip = "*"; port = 443; } ];
+ hostName = "db-1.immae.eu";
+ documentRoot = null;
+ extraConfig = ''
+ Alias /adminer ${mypkgs.adminer}
+
+ DirectoryIndex = index.php
+
+ SetHandler "proxy:unix:/var/run/phpfpm/adminer.sock|fcgi://localhost"
+
+
+ '';
+ })
+ { # Should go last, default fallback
+ listen = [ { ip = "*"; port = 80; } ];
+ hostName = "redirectSSL";
+ serverAliases = [ "*" ];
+ enableSSL = false;
+ # FIXME: directory needs to exist
+ documentRoot = "/var/lib/acme/acme-challenge";
+ extraConfig = ''
+ RewriteEngine on
+ RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
+ RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
+ # To redirect in specific "VirtualHost *:80", do
+ # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
+ # rather than rewrite
+ '';
+ }
+ ];
+ };
+
+ services.nginx = rec {
+ enable = false;
 virtualHosts = {
 "_" = {
 serverName = "_";
@@ -60,6 +148,32 @@
 locations."/" = {
 # FIXME: directory needs to exist
 root = "/var/www";
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_pass unix:/var/run/phpfpm/www.sock;
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ '';
+ };
+ };
+ "db-1.immae.eu" = {
+ forceSSL = true;
+ useACMEHost = "eldiron";
+ locations."/adminer" = {
+ alias = mypkgs.adminer;
+ index = "index.php";
+ extraConfig = ''
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_param SCRIPT_FILENAME ${mypkgs.adminer}/index.php;
+ fastcgi_pass unix:/var/run/phpfpm/adminer.sock;
+ fastcgi_index index.php;
+ fastcgi_intercept_errors on;
+ '';
 };
 };
 };
-- 
cgit v1.2.3
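Review bot: The catch-all `redirectSSL` vhost redirects to `https://%{HTTP_HOST}$1`, so whatever Host header a client sends becomes the redirect target; together with `serverAliases = [ "*" ]` this is a host-header open redirect to arbitrary domains. Constrain it to the names this server actually answers for, e.g. add `RewriteCond "%{HTTP_HOST}" "^(eldiron|db-1)\.immae\.eu$" [NC]` before the RewriteRule, or redirect to a fixed canonical host instead of echoing the request header. Separately, the adminer `extraConfig` uses `DirectoryIndex = index.php`, but Apache's DirectoryIndex takes a bare list of names, so this should read `DirectoryIndex index.php` (the enclosing container directives around it appear to have been stripped from this rendering and cannot be checked here). Also note that the `eldiron.immae.eu` vhost loads `proxy_fcgi` but defines no `SetHandler` routing `.php` requests to the `www.sock` pool, so any PHP file placed under `/var/www` would be served by httpd as a static file, disclosing its source.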
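Review bot: The `locations."/"` block hands every request under `/` to `www.sock` with `SCRIPT_FILENAME $document_root$fastcgi_script_name` and no `try_files $fastcgi_script_name =404` guard, which is the standard nginx/PHP-FPM path-info pitfall: with PHP's default `cgi.fix_pathinfo=1`, a path whose trailing component ends in `.php` can be resolved against a different existing file than the one requested. PHP-FPM's `security.limit_extensions` (default `.php`) mitigates much of this, but the nginx-side guard is still the usual recommendation, and the fastcgi directives are better restricted to a `location ~ \.php$` block than applied to `/`. Since the first hunk sets `services.nginx.enable = false`, this configuration is currently dormant, so either add the guard now or drop the dead block rather than leave it to become live unreviewed if nginx is re-enabled. Parts of the enclosing `virtualHosts` attribute set lie outside this hunk.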