From 5400b9b6f65451d41a9106fae6fc00f97d83f4ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Wed, 25 Mar 2020 11:57:48 +0100
Subject: Upgrade nixos
---
 modules/websites/default.nix | 28 ++++++------
 modules/websites/httpd-service-builder.nix | 68 +++++++++---------------------
 modules/websites/php-application.nix | 31 ++++++++------
 3 files changed, 51 insertions(+), 76 deletions(-)
(limited to 'modules/websites')
diff --git a/modules/websites/default.nix b/modules/websites/default.nix
index 767a7b2..3f46e65 100644
--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -38,7 +38,7 @@ in
 description = "Name of the httpd instance to assign this type to";
 };
 ips = mkOption {
- type = listOf string;
+ type = listOf str;
 default = [];
 description = "ips to listen to";
 };
@@ -59,7 +59,7 @@ in
 options = {
 enable = mkEnableOption "Add default no-ssl vhost for this instance";
 host = mkOption {
- type = string;
+ type = str;
 description = "The hostname to use for this vhost";
 };
 root = mkOption {
@@ -68,7 +68,7 @@ in
 description = "The root folder to serve";
 };
 indexFile = mkOption {
- type = string;
+ type = str;
 default = "index.html";
 description = "The index file to show.";
 };
@@ -79,8 +79,8 @@ in
 description = "The fallback vhost that will be defined as first vhost in Apache";
 type = submodule {
 options = {
- certName = mkOption { type = string; };
- hosts = mkOption { type = listOf string; };
+ certName = mkOption { type = str; };
+ hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
@@ -91,7 +91,7 @@ in
 description = "List of no ssl vhosts to define for Apache";
 type = attrsOf (submodule {
 options = {
- hosts = mkOption { type = listOf string; };
+ hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
@@ -102,25 +102,25 @@ in
 description = "List of vhosts to define for Apache";
 type = attrsOf (submodule {
 options = {
- certName = mkOption { type = string; };
+ certName = mkOption { type = str; };
 addToCerts = mkOption {
 type = bool;
 default = false;
 description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
 };
 certMainHost = mkOption {
- type = nullOr string;
+ type = nullOr str;
 description = "Use that host as 'main host' for acme certs";
 default = null;
 };
- hosts = mkOption { type = listOf string; };
+ hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
 });
 };
 watchPaths = mkOption {
- type = listOf string;
+ type = listOf str;
 default = [];
 description = ''
 Paths to watch that should trigger a reload of httpd
@@ -178,9 +178,9 @@ in
 };
 toVhost = ips: vhostConf: {
 enableSSL = true;
- sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem";
- sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem";
- sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem";
+ sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem";
+ sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem";
+ sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem";
 logFormat = "combinedVhost";
 listen = map (ip: { inherit ip; port = 443; }) ips;
 hostName = builtins.head vhostConf.hosts;
@@ -231,7 +231,7 @@ in
 }
 ) cfg.env;
- config.security.acme2.certs = let
+ config.security.acme.certs = let
 typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
 flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: attrValues v.vhostConfs
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix
index d049202..f0208ab 100644
--- a/modules/websites/httpd-service-builder.nix
+++ b/modules/websites/httpd-service-builder.nix
@@ -11,8 +11,6 @@ let
 httpd = mainCfg.package.out;
- version24 = !versionOlder httpd.version "2.4";
-
 httpdConf = mainCfg.configFile;
 php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
@@ -26,10 +24,9 @@ let
 else [{ip = "*"; port = 80;}];
 getListen = cfg:
- let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
- in if list == []
- then defaultListen cfg
- else list;
+ if cfg.listen == []
+ then defaultListen cfg
+ else cfg.listen;
 listenToString = l: "${l.ip}:${toString l.port}";
@@ -110,11 +107,10 @@ let
 "auth_basic" "auth_digest"
 # Authentication: is the user who he claims to be?
- "authn_file" "authn_dbm" "authn_anon"
- (if version24 then "authn_core" else "authn_alias")
+ "authn_file" "authn_dbm" "authn_anon" "authn_core"
 # Authorization: is the user allowed access?
- "authz_user" "authz_groupfile" "authz_host"
+ "authz_user" "authz_groupfile" "authz_host" "authz_core"
 # Other modules.
 "ext_filter" "include" "log_config" "env" "mime_magic"
@@ -122,14 +118,9 @@ let
 "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
 "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
 "userdir" "alias" "rewrite" "proxy" "proxy_http"
- ]
- ++ optionals version24 [
+ "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb"
 "mpm_${mainCfg.multiProcessingModule}"
- "authz_core"
- "unixd"
- "cache" "cache_disk"
- "slotmem_shm"
- "socache_shmcb"
+ # For compatibility with old configurations, the new module mod_access_compat is provided.
 "access_compat"
 ]
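Review bot: The new getListen body ignores cfg.port entirely, so a host that still sets `port` (the option itself is declared outside this diff, if it is still declared at all) is given only defaultListen and never gets a listener on the configured port. At the same time the hunk at -663 replaces the warning that used to fire on `cfg.port != 0` with the extraSubservices warning, so the misconfiguration becomes silent. Either remove the `port` option in the same change, or keep a warning for `cfg.port != 0` next to the new extraSubservices one so the dropped behaviour is visible at evaluation time.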
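Review bot: `"access_compat"` stays in the unconditional module list while allDenied and allGranted (hunk at -138) now emit only 2.4-style Require directives, so any vhost extraConfig that still carries Order/Allow/Deny lines is honoured alongside the Require rules. Apache documents mixing the two directive families in one scope as producing unexpected results, which makes the effective access policy harder to audit. If no consumer relies on the 2.2 syntax any more, drop `"access_compat"` and its comment; if one does, a comment such as `# access_compat is kept only for user-supplied extraConfig that still uses Order/Allow/Deny; do not mix with Require in one scope` makes the reason explicit.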
@@ -138,19 +129,8 @@ let
 ++ extraApacheModules;
- allDenied = if version24 then ''
- Require all denied
- '' else ''
- Order deny,allow
- Deny from all
- '';
-
- allGranted = if version24 then ''
- Require all granted
- '' else ''
- Order allow,deny
- Allow from all
- '';
+ allDenied = "Require all denied";
+ allGranted = "Require all granted";
 loggingConf = (if mainCfg.logFormat != "none" then ''
@@ -183,9 +163,9 @@ let
 sslConf = ''
- SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
+ SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000)
- ${if version24 then "Mutex" else "SSLMutex"} posixsem
+ Mutex posixsem
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
@@ -325,9 +305,7 @@ let
 ServerRoot ${httpd}
- ${optionalString version24 ''
- DefaultRuntimeDir ${mainCfg.stateDir}/runtime
- ''}
+ DefaultRuntimeDir ${mainCfg.stateDir}/runtime
 PidFile ${mainCfg.stateDir}/httpd.pid
@@ -361,7 +339,7 @@ let
 ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
 ++ concatMap (svc: svc.extraModules) allSubservices
 ++ extraForeignModules;
- in concatMapStrings load allModules
+ in concatMapStrings load (unique allModules)
 }
 AddHandler type-map var
@@ -393,14 +371,6 @@ let
 # Generate directives for the main server.
 ${perServerConf true mainCfg}
- # Always enable virtual hosts; it doesn't seem to hurt.
- ${let
- listen = concatMap getListen allHosts;
- uniqueListen = uniqList {inputList = listen;};
- directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen;
- in optionalString (!version24) directives
- }
-
 ${let
 makeVirtualHost = vhost: ''
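Review bot: The new `allDenied` and `allGranted` values drop the trailing newline that the old multi-line strings carried, so at any call site that interpolates `${allDenied}` directly followed by another directive on the same template line, the two would now be joined into one line. The call sites are outside this hunk, so this is a point to check rather than a certain defect; where the template already supplies the line break the new plain strings are fine. A short comment next to the definitions, `# no trailing newline: callers must place these on their own line`, would document the contract either way.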
@@ -663,7 +633,7 @@ in
 message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified.";
 }
 ];
- warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
+ warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts);
 users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton
 { name = "wwwrun";
@@ -686,7 +656,7 @@ in
 ; Don't advertise PHP
 expose_php = off
- '' + optionalString (!isNull config.time.timeZone) ''
+ '' + optionalString (config.time.timeZone != null) ''
 ; Apparently PHP doesn't use $TZ.
 date.timezone = "${config.time.timeZone}"
@@ -713,10 +683,10 @@ in
 ''
 mkdir -m 0750 -p ${mainCfg.stateDir}
 [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
- ${optionalString version24 ''
- mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
- [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
- ''}
+
+ mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
+ [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
+
 mkdir -m 0700 -p ${mainCfg.logDir}
 # Get rid of old semaphores. These tend to accumulate across
diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix
index 8ad7a0d..20e2a5d 100644
--- a/modules/websites/php-application.nix
+++ b/modules/websites/php-application.nix
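Review bot: The added chown line in the -713 hunk uses the `root.${mainCfg.group}` owner/group spelling, which coreutils keeps only for backwards compatibility; the portable form is `[ $(id -u) != 0 ] || chown root:${mainCfg.group} "${mainCfg.stateDir}/runtime"`. The context line above for stateDir has the same spelling, so fixing both together keeps the preStart script consistent. The 0750 mode with the httpd group matches the directory's later use as DefaultRuntimeDir (hunk at -325).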
@@ -44,10 +44,15 @@ in
 description = "Name of the socket to listen to. Defaults to app name if null";
 };
 phpPool = mkOption {
- type = lines;
- default = "";
+ type = attrsOf str;
+ default = {};
 description = "Pool configuration to append";
 };
+ phpEnv = mkOption {
+ type = attrsOf str;
+ default = {};
+ description = "Pool environment to append";
+ };
 phpOptions = mkOption {
 type = lines;
 default = "";
@@ -135,7 +140,7 @@ in
 services.phpApplication.phpListenPaths = mkOption {
 type = attrsOf path;
 default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
- name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock"
+ name config.services.phpfpm.pools."${name}".socket
 ) cfg.apps;
 readOnly = true;
 description = ''
@@ -162,17 +167,17 @@ in
 services.phpfpm.pools = attrsets.mapAttrs' (name: icfg:
 attrsets.nameValuePair name {
- listen = cfg.phpListenPaths."${name}";
- extraConfig = ''
- user = ${icfg.httpdUser}
- group = ${icfg.httpdGroup}
- listen.owner = ${icfg.httpdUser}
- listen.group = ${icfg.httpdGroup}
- ${optionalString (icfg.phpSession) ''
- php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''}
- php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir)}"
- '' + icfg.phpPool;
+ user = icfg.httpdUser;
+ group = icfg.httpdUser;
+ settings = {
+ "listen.owner" = icfg.httpdUser;
+ "listen.group" = icfg.httpdGroup;
+ "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir);
+ }
+ // optionalAttrs (icfg.phpSession) { "php_admin_value[session.save_path]" = "${icfg.varDir}/phpSessions"; }
+ // icfg.phpPool;
 phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions;
+ inherit (icfg) phpEnv;
 }
 ) cfg.apps;
--
cgit v1.2.3
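Review bot: phpPool changes type from `lines` to `attrsOf str`, so any existing configuration that passes a string now fails option type-checking, and the unchanged description "Pool configuration to append" no longer tells the user what the attrset is or where it lands. Suggest `description = "Extra key/value settings merged into services.phpfpm.pools.<name>.settings; keys given here override the defaults set by this module";` and, for the new phpEnv option, a description naming its destination the same way. A note in the commit message about the incompatible type change would help anyone upgrading.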
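Review bot: phpListenPaths now reads `config.services.phpfpm.pools."${name}".socket`, and the -162 hunk no longer sets `listen` on the pool, so the phpListen option (described at the top of the -44 hunk as the socket name) has no effect on the socket path unless it is consumed somewhere outside this diff. Either pass it back through the pool, e.g. `listen = "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock";`, or update the phpListen description to say it is no longer used so readers are not misled.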
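Review bot: `group = icfg.httpdUser;` sets the pool's running group to the user name; the removed extraConfig used `group = ${icfg.httpdGroup}` and `"listen.group" = icfg.httpdGroup;` two lines below still uses the group option, so this reads as a copy-paste slip that would make the workers run under the wrong group where user and group names differ. Change it to `group = icfg.httpdGroup;`. Separately, `// icfg.phpPool` is merged last, so a phpPool entry can override the `php_admin_value[open_basedir]` computed here; that mirrors the old append semantics, but is worth stating in the phpPool description since open_basedir is the sandboxing control this module sets up.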