From 5400b9b6f65451d41a9106fae6fc00f97d83f4ef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 25 Mar 2020 11:57:48 +0100 Subject: Upgrade nixos --- modules/acme2.nix | 353 --------------------- modules/default.nix | 1 - modules/private/buildbot/default.nix | 1 + modules/private/certificates.nix | 34 +- modules/private/databases/mariadb.nix | 6 +- modules/private/databases/openldap/default.nix | 35 +- .../private/databases/openldap/eldiron_schemas.nix | 8 +- modules/private/databases/openldap_replication.nix | 4 + modules/private/databases/postgresql.nix | 17 +- modules/private/databases/redis.nix | 11 - modules/private/ejabberd/default.nix | 10 +- modules/private/ejabberd/ejabberd.yml | 2 - modules/private/environment.nix | 8 +- modules/private/ftp.nix | 4 +- modules/private/gitolite/default.nix | 2 +- modules/private/irc.nix | 4 +- modules/private/mail/default.nix | 2 +- modules/private/mail/dovecot.nix | 2 +- modules/private/mail/postfix.nix | 2 +- modules/private/mail/relay.nix | 2 +- modules/private/monitoring/objects_backup-2.nix | 4 + modules/private/monitoring/status.nix | 2 +- modules/private/tasks/default.nix | 43 +-- modules/private/websites/chloe/builder.nix | 45 ++- modules/private/websites/chloe/integration.nix | 9 +- modules/private/websites/chloe/production.nix | 7 +- modules/private/websites/commons/adminer.nix | 27 +- .../websites/connexionswing/integration.nix | 20 +- .../private/websites/connexionswing/production.nix | 20 +- modules/private/websites/default.nix | 10 +- modules/private/websites/emilia/richie.nix | 31 +- modules/private/websites/evariste/production.nix | 50 ++- modules/private/websites/florian/app.nix | 24 +- modules/private/websites/florian/integration.nix | 6 +- modules/private/websites/florian/production.nix | 6 +- .../private/websites/isabelle/aten_integration.nix | 20 +- .../private/websites/isabelle/aten_production.nix | 20 +- modules/private/websites/isabelle/iridologie.nix | 7 +- modules/private/websites/isabelle/spip_builder.nix | 45 ++- 
modules/private/websites/leila/production.nix | 27 +- .../websites/ludivinecassal/integration.nix | 20 +- .../private/websites/ludivinecassal/production.nix | 20 +- modules/private/websites/nassime/production.nix | 2 +- .../private/websites/naturaloutil/production.nix | 35 +- modules/private/websites/papa/maison_bbc.nix | 29 +- modules/private/websites/papa/surveillance.nix | 2 +- .../private/websites/piedsjaloux/integration.nix | 22 +- .../private/websites/piedsjaloux/production.nix | 24 +- .../private/websites/teliotortay/production.nix | 31 +- modules/private/websites/tools/cloud/default.nix | 52 ++- modules/private/websites/tools/dav/davical.nix | 45 ++- modules/private/websites/tools/dav/default.nix | 7 +- modules/private/websites/tools/db/default.nix | 4 +- modules/private/websites/tools/git/default.nix | 7 +- modules/private/websites/tools/git/mantisbt.nix | 27 +- modules/private/websites/tools/mail/default.nix | 15 +- modules/private/websites/tools/mail/rainloop.nix | 33 +- .../private/websites/tools/mail/roundcubemail.nix | 33 +- modules/private/websites/tools/tools/adminer.nix | 49 +-- modules/private/websites/tools/tools/default.nix | 129 ++++---- modules/private/websites/tools/tools/dokuwiki.nix | 29 +- modules/private/websites/tools/tools/grocy.nix | 29 +- modules/private/websites/tools/tools/kanboard.nix | 29 +- modules/private/websites/tools/tools/ldap.nix | 29 +- modules/private/websites/tools/tools/rompr.nix | 47 ++- modules/private/websites/tools/tools/shaarli.nix | 29 +- modules/private/websites/tools/tools/ttrss.nix | 31 +- modules/private/websites/tools/tools/wallabag.nix | 33 +- modules/private/websites/tools/tools/yourls.nix | 29 +- modules/webapps/mastodon.nix | 2 +- modules/webapps/webstats/default.nix | 2 +- modules/websites/default.nix | 28 +- modules/websites/httpd-service-builder.nix | 68 ++-- modules/websites/php-application.nix | 31 +- 74 files changed, 763 insertions(+), 1170 deletions(-) delete mode 100644 modules/acme2.nix (limited 
to 'modules')
diff --git a/modules/acme2.nix b/modules/acme2.nix
deleted file mode 100644
index b22e4cc..0000000
--- a/modules/acme2.nix
+++ /dev/null
@@ -1,353 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.security.acme2; - - certOpts = { name, ... }: { - options = { - webroot = mkOption { - type = types.str; - example = "/var/lib/acme/acme-challenges"; - description = '' - Where the webroot of the HTTP vhost is located. - .well-known/acme-challenge/ directory - will be created below the webroot if it doesn't exist. - http://example.org/.well-known/acme-challenge/ must also - be available (notice unencrypted HTTP). - ''; - }; - - server = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - ACME Directory Resource URI. Defaults to let's encrypt - production endpoint, - https://acme-v02.api.letsencrypt.org/directory, if unset. - ''; - }; - - domain = mkOption { - type = types.str; - default = name; - description = "Domain to fetch certificate for (defaults to the entry name)"; - }; - - email = mkOption { - type = types.nullOr types.str; - default = null; - description = "Contact email address for the CA to be able to reach you."; - }; - - user = mkOption { - type = types.str; - default = "root"; - description = "User running the ACME client."; - }; - - group = mkOption { - type = types.str; - default = "root"; - description = "Group running the ACME client."; - }; - - allowKeysForGroup = mkOption { - type = types.bool; - default = false; - description = '' - Give read permissions to the specified group - () to read SSL private certificates. - ''; - }; - - postRun = mkOption { - type = types.lines; - default = ""; - example = "systemctl reload nginx.service"; - description = '' - Commands to run after new certificates go live. Typically - the web server and other servers using certificates need to - be reloaded. - - Executed in the same directory with the new certificate. 
- ''; - }; - - plugins = mkOption { - type = types.listOf (types.enum [ - "cert.der" "cert.pem" "chain.pem" "external.sh" - "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" "account_reg.json" - ]); - default = [ "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json" ]; - description = '' - Plugins to enable. With default settings simp_le will - store public certificate bundle in fullchain.pem, - private key in key.pem and those two previous - files combined in full.pem in its state directory. - ''; - }; - - directory = mkOption { - type = types.str; - readOnly = true; - default = "/var/lib/acme/${name}"; - description = "Directory where certificate and other state is stored."; - }; - - extraDomains = mkOption { - type = types.attrsOf (types.nullOr types.str); - default = {}; - example = literalExample '' - { - "example.org" = "/srv/http/nginx"; - "mydomain.org" = null; - } - ''; - description = '' - A list of extra domain names, which are included in the one certificate to be issued, with their - own server roots if needed. - ''; - }; - }; - }; - -in - -{ - - ###### interface - imports = [ - (mkRemovedOptionModule [ "security" "acme2" "production" ] '' - Use security.acme2.server to define your staging ACME server URL instead. - - To use the let's encrypt staging server, use security.acme2.server = - "https://acme-staging-v02.api.letsencrypt.org/directory". - '' - ) - (mkRemovedOptionModule [ "security" "acme2" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.") - (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. 
If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal") - ]; - options = { - security.acme2 = { - - validMin = mkOption { - type = types.int; - default = 30 * 24 * 3600; - description = "Minimum remaining validity before renewal in seconds."; - }; - - renewInterval = mkOption { - type = types.str; - default = "weekly"; - description = '' - Systemd calendar expression when to check for renewal. See - systemd.time - 7. - ''; - }; - - server = mkOption { - type = types.nullOr types.str; - default = null; - description = '' - ACME Directory Resource URI. Defaults to let's encrypt - production endpoint, - https://acme-v02.api.letsencrypt.org/directory, if unset. - ''; - }; - - preliminarySelfsigned = mkOption { - type = types.bool; - default = true; - description = '' - Whether a preliminary self-signed certificate should be generated before - doing ACME requests. This can be useful when certificates are required in - a webserver, but ACME needs the webserver to make its requests. - - With preliminary self-signed certificate the webserver can be started and - can later reload the correct ACME certificates. - ''; - }; - - certs = mkOption { - default = { }; - type = with types; attrsOf (submodule certOpts); - description = '' - Attribute set of certificates to get signed and renewed. Creates - acme-''${cert}.{service,timer} systemd units for - each certificate defined here. Other services can add dependencies - to those units if they rely on the certificates being present, - or trigger restarts of the service if certificates get renewed. 
- ''; - example = literalExample '' - { - "example.com" = { - webroot = "/var/www/challenges/"; - email = "foo@example.com"; - extraDomains = { "www.example.com" = null; "foo.example.com" = "/var/www/foo/"; }; - }; - "bar.example.com" = { - webroot = "/var/www/challenges/"; - email = "bar@example.com"; - }; - } - ''; - }; - }; - }; - - ###### implementation - config = mkMerge [ - (mkIf (cfg.certs != { }) { - - systemd.services = let - services = concatLists servicesLists; - servicesLists = mapAttrsToList certToServices cfg.certs; - certToServices = cert: data: - let - lpath = "acme/${cert}"; - rights = if data.allowKeysForGroup then "750" else "700"; - cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ] - ++ optionals (data.email != null) [ "--email" data.email ] - ++ concatMap (p: [ "-f" p ]) data.plugins - ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains) - ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)]; - acmeService = { - description = "Renew ACME Certificate for ${cert}"; - after = [ "network.target" "network-online.target" ]; - wants = [ "network-online.target" ]; - # simp_le uses requests, which uses certifi under the hood, - # which doesn't respect the system trust store. - # At least in the acme test, we provision a fake CA, impersonating the LE endpoint. 
- # REQUESTS_CA_BUNDLE is a way to teach python requests to use something else - environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"; - serviceConfig = { - Type = "oneshot"; - # With RemainAfterExit the service is considered active even - # after the main process having exited, which means when it - # gets changed, the activation phase restarts it, meaning - # the permissions of the StateDirectory get adjusted - # according to the specified group - # Edit: Timers will never run because of this - # RemainAfterExit = true; - SuccessExitStatus = [ "0" "1" ]; - User = data.user; - Group = data.group; - PrivateTmp = true; - StateDirectory = lpath; - StateDirectoryMode = rights; - ExecStartPre = - let - script = pkgs.writeScript "acme-pre-start" '' - #!${pkgs.runtimeShell} -e - mkdir -p '${data.webroot}/.well-known/acme-challenge' - chmod a+w '${data.webroot}/.well-known/acme-challenge' - #doesn't work for multiple concurrent runs - #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' - ''; - in - "+${script}"; - WorkingDirectory = "/var/lib/${lpath}"; - ExecStart = "${pkgs.simp_le_0_17}/bin/simp_le ${escapeShellArgs cmdline}"; - ExecStartPost = - let - script = pkgs.writeScript "acme-post-start" '' - #!${pkgs.runtimeShell} -e - ${data.postRun} - ''; - in - "+${script}"; - }; - - }; - selfsignedService = { - description = "Create preliminary self-signed certificate for ${cert}"; - path = [ pkgs.openssl ]; - script = - '' - workdir="$(mktemp -d)" - - # Create CA - openssl genrsa -des3 -passout pass:xxxx -out $workdir/ca.pass.key 2048 - openssl rsa -passin pass:xxxx -in $workdir/ca.pass.key -out $workdir/ca.key - openssl req -new -key $workdir/ca.key -out $workdir/ca.csr \ - -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=Security Department/CN=example.com" - openssl x509 -req -days 1 -in $workdir/ca.csr -signkey $workdir/ca.key -out $workdir/ca.crt - - # Create key - openssl genrsa -des3 -passout pass:xxxx -out 
$workdir/server.pass.key 2048 - openssl rsa -passin pass:xxxx -in $workdir/server.pass.key -out $workdir/server.key - openssl req -new -key $workdir/server.key -out $workdir/server.csr \ - -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com" - openssl x509 -req -days 1 -in $workdir/server.csr -CA $workdir/ca.crt \ - -CAkey $workdir/ca.key -CAserial $workdir/ca.srl -CAcreateserial \ - -out $workdir/server.crt - - # Copy key to destination - cp $workdir/server.key /var/lib/${lpath}/key.pem - - # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates) - cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem" - - # Create full.pem for e.g. lighttpd - cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem" - - # Give key acme permissions - chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem - chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem - ''; - serviceConfig = { - Type = "oneshot"; - PrivateTmp = true; - StateDirectory = lpath; - User = data.user; - Group = data.group; - }; - unitConfig = { - # Do not create self-signed key when key already exists - ConditionPathExists = "!/var/lib/${lpath}/key.pem"; - }; - }; - in ( - [ { name = "acme-${cert}"; value = acmeService; } ] - ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; } - ); - servicesAttr = listToAttrs services; - in - servicesAttr; - - # FIXME: this doesn't work for multiple users - systemd.tmpfiles.rules = - flip mapAttrsToList cfg.certs - (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}"); - - systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair - ("acme-${cert}") - ({ - description = "Renew ACME Certificate for ${cert}"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = cfg.renewInterval; - Unit = "acme-${cert}.service"; - Persistent = "yes"; - AccuracySec = "5m"; 
- RandomizedDelaySec = "1h"; - }; - }) - ); - - systemd.targets.acme-selfsigned-certificates = mkIf cfg.preliminarySelfsigned {}; - systemd.targets.acme-certificates = {}; - }) - - ]; - - meta = { - maintainers = with lib.maintainers; [ abbradar fpletz globin ]; - #doc = ./acme.xml; - }; -} diff --git a/modules/default.nix b/modules/default.nix index 98dc77d..9ff6ea6 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -19,5 +19,4 @@ php-application = ./websites/php-application.nix; websites = ./websites; - acme2 = ./acme2.nix; } // (if builtins.pathExists ./private then import ./private else {}) diff --git a/modules/private/buildbot/default.nix b/modules/private/buildbot/default.nix index 47e30fc..c8ee48e 100644 --- a/modules/private/buildbot/default.nix +++ b/modules/private/buildbot/default.nix @@ -180,6 +180,7 @@ in ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (k: v: "install -Dm600 -o buildbot -g buildbot -T /var/secrets/buildbot/${project.name}/${k} $buildbot_secrets/${k}") project.secrets )} + ${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name} ''; environment = let project_env = with lib.attrsets; diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix index f057200..2bf2730 100644 --- a/modules/private/certificates.nix +++ b/modules/private/certificates.nix @@ -30,9 +30,9 @@ myServices.databasesCerts = config.myServices.certificates.certConfig; myServices.ircCerts = config.myServices.certificates.certConfig; - security.acme2.preliminarySelfsigned = true; + security.acme.preliminarySelfsigned = true; - security.acme2.certs = { + security.acme.certs = { "${name}" = config.myServices.certificates.certConfig // { domain = config.hostEnv.fqdn; }; 
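Review bot: The new `${buildbot}/bin/buildbot upgrade-master ${varDir}/${project.name}` line in modules/private/buildbot/default.nix runs in the same preStart step as the `install -Dm600 -o buildbot -g buildbot` commands just above it, which suggests this step runs with enough privilege to chown; if so, upgrade-master runs as root and whatever it creates or rewrites under `${varDir}/${project.name}` (state database, config backups) ends up root-owned and unwritable by the buildbot user that later serves the master. Running the upgrade as the buildbot user, or fixing ownership of the directory afterwards, keeps the state consistent between restarts. A short comment such as `# upgrade-master migrates the master database/config after a buildbot version change; it must leave files owned by buildbot` would also record why the call lives in preStart. The preStart script starts and ends outside the hunk.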
@@ -41,17 +41,33 @@ systemd.services = lib.attrsets.mapAttrs' (k: v: lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script = (lib.optionalString (builtins.elem "cert.pem" v.plugins) '' - cp $workdir/server.crt ${config.security.acme2.certs."${k}".directory}/cert.pem - chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/cert.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/cert.pem + cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem '') + (lib.optionalString (builtins.elem "chain.pem" v.plugins) '' - cp $workdir/ca.crt ${config.security.acme2.certs."${k}".directory}/chain.pem - chown '${v.user}:${v.group}' ${config.security.acme2.certs."${k}".directory}/chain.pem - chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme2.certs."${k}".directory}/chain.pem + cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem + chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem + chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem '') ; }) - ) config.security.acme2.certs // { + ) config.security.acme.certs // + lib.attrsets.mapAttrs' (k: data: + lib.attrsets.nameValuePair "acme-${k}" { + serviceConfig.ExecStartPre = + let + script = pkgs.writeScript "acme-pre-start" '' + #!${pkgs.runtimeShell} -e + mkdir -p '${data.webroot}/.well-known/acme-challenge' + chmod a+w '${data.webroot}/.well-known/acme-challenge' + #doesn't work for multiple concurrent runs + #chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge' + ''; + in + "+${script}"; + } + ) config.security.acme.certs // + { httpdProd = lib.mkIf 
config.services.httpd.Prod.enable { after = [ "acme-selfsigned-certificates.target" ]; wants = [ "acme-selfsigned-certificates.target" ]; }; httpdTools = lib.mkIf config.services.httpd.Tools.enable diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix index ed647ea..04e4bd6 100644 --- a/modules/private/databases/mariadb.nix +++ b/modules/private/databases/mariadb.nix @@ -96,8 +96,8 @@ in { dataDir = cfg.dataDir; extraOptions = '' ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ssl_key = ${config.security.acme2.certs.mysql.directory}/key.pem - ssl_cert = ${config.security.acme2.certs.mysql.directory}/fullchain.pem + ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem + ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem # for replication log-bin=mariadb-bin @@ -110,7 +110,7 @@ in { }; users.users.mysql.extraGroups = [ "keys" ]; - security.acme2.certs."mysql" = config.myServices.databasesCerts // { + security.acme.certs."mysql" = config.myServices.databasesCerts // { user = "mysql"; group = "mysql"; plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix index d7d61db..efe9379 100644 --- a/modules/private/databases/openldap/default.nix +++ b/modules/private/databases/openldap/default.nix 
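Review bot: The ExecStartPre added for every `acme-${k}` service makes `${data.webroot}/.well-known/acme-challenge` world-writable (`chmod a+w`), so any local account on the host can place or replace challenge responses under a directory the web server publishes; the commented-out chown line shows ownership was the intended control and was dropped only because of concurrent runs. Creating the directory once, owned by the certificate's user/group and readable by the web server, e.g. `d ${data.webroot}/.well-known/acme-challenge 0755 ${data.user} ${data.group}` as a tmpfiles rule, and dropping the chmod gives the same result without the world-writable bit (where several certificates share one webroot under different users a common group is needed instead). Separately, `serviceConfig.ExecStartPre` is defined here as a plain string; if the upgraded acme module sets its own ExecStartPre, two string definitions conflict at evaluation time rather than append, so a list value (`[ "+${script}" ]`) is the safer form. The `systemd.services` attribute set continues past the end of the hunk.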
@@ -12,27 +12,14 @@ let moduleload back_hdb backend hdb - moduleload memberof - database hdb - suffix "${cfg.baseDn}" - rootdn "${cfg.rootDn}" - include ${config.secrets.location}/ldap/password - directory ${cfg.dataDir} - overlay memberof - - moduleload syncprov - overlay syncprov - syncprov-checkpoint 100 10 - - TLSCertificateFile ${config.security.acme2.certs.ldap.directory}/cert.pem - TLSCertificateKeyFile ${config.security.acme2.certs.ldap.directory}/key.pem - TLSCACertificateFile ${config.security.acme2.certs.ldap.directory}/fullchain.pem + TLSCertificateFile ${config.security.acme.certs.ldap.directory}/cert.pem + TLSCertificateKeyFile ${config.security.acme.certs.ldap.directory}/key.pem + TLSCACertificateFile ${config.security.acme.certs.ldap.directory}/fullchain.pem TLSCACertificatePath ${pkgs.cacert.unbundled}/etc/ssl/certs/ #This makes openldap crash #TLSCipherSuite DEFAULT sasl-host kerberos.immae.eu - include ${config.secrets.location}/ldap/access ''; in { @@ -117,7 +104,7 @@ in users.users.openldap.extraGroups = [ "keys" ]; networking.firewall.allowedTCPPorts = [ 636 389 ]; - security.acme2.certs."ldap" = config.myServices.databasesCerts // { + security.acme.certs."ldap" = config.myServices.databasesCerts // { user = "openldap"; group = "openldap"; plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; @@ -137,6 +124,20 @@ in dataDir = cfg.dataDir; urlList = [ "ldap://" "ldaps://" ]; extraConfig = ldapConfig; + extraDatabaseConfig = '' + moduleload memberof + overlay memberof + + moduleload syncprov + overlay syncprov + syncprov-checkpoint 100 10 + + include ${config.secrets.location}/ldap/access + ''; + rootpwFile = "${config.secrets.location}/ldap/password"; + suffix = cfg.baseDn; + rootdn = cfg.rootDn; + database = "hdb"; }; }; } diff --git a/modules/private/databases/openldap/eldiron_schemas.nix b/modules/private/databases/openldap/eldiron_schemas.nix index fc686dd..cf45ebe 100644 
--- a/modules/private/databases/openldap/eldiron_schemas.nix +++ b/modules/private/databases/openldap/eldiron_schemas.nix @@ -9,10 +9,10 @@ let sha256 = "11bjf5zfvqlim7p9vddcafs0wiq3v8ys77x8h6fbp9c6bdfh0awh"; }; schemas = [ - "${openldap}/etc/schema/core.schema" - "${openldap}/etc/schema/cosine.schema" - "${openldap}/etc/schema/inetorgperson.schema" - "${openldap}/etc/schema/nis.schema" + #"${openldap}/etc/schema/core.schema" + #"${openldap}/etc/schema/cosine.schema" + #"${openldap}/etc/schema/inetorgperson.schema" + #"${openldap}/etc/schema/nis.schema" puppetSchema kerberosSchema ./immae.schema diff --git a/modules/private/databases/openldap_replication.nix b/modules/private/databases/openldap_replication.nix index 2980c97..df4101b 100644 --- a/modules/private/databases/openldap_replication.nix +++ b/modules/private/databases/openldap_replication.nix @@ -3,6 +3,10 @@ let cfg = config.myServices.databasesReplication.openldap; eldiron_schemas = pkgs.callPackage ./openldap/eldiron_schemas.nix {}; ldapConfig = hcfg: name: pkgs.writeText "slapd.conf" '' + include ${pkgs.openldap}/etc/schema/core.schema + include ${pkgs.openldap}/etc/schema/cosine.schema + include ${pkgs.openldap}/etc/schema/inetorgperson.schema + include ${pkgs.openldap}/etc/schema/nis.schema ${eldiron_schemas} pidfile /run/slapd_${name}/slapd.pid argsfile /run/slapd_${name}/slapd.args diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix index 27ea59c..d0b1a75 100644 --- a/modules/private/databases/postgresql.nix +++ b/modules/private/databases/postgresql.nix 
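Review bot: The four standard schema includes in `schemas` are commented out rather than removed, so the list now carries dead text and nothing in this file states that callers must supply core/cosine/inetorgperson/nis themselves, which modules/private/databases/openldap_replication.nix and modules/private/monitoring/objects_backup-2.nix now do by hand in this same commit. Replacing the four commented lines with a comment such as `# core, cosine, inetorgperson and nis are deliberately not listed here; every slapd.conf that uses these schemas must include them first` documents the contract in one place (presumably the upgraded openldap module includes them itself, which is worth confirming). If the `openldap` binding in the surrounding `let` was only referenced by those four lines it is now unused. The `let` block enclosing `schemas` starts outside the hunk.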
@@ -91,23 +91,13 @@ in { ''; readOnly = true; }; - systemdRuntimeDirectory = lib.mkOption { - type = lib.types.str; - # Use ReadWritePaths= instead if socketsDir is outside of /run - default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; - lib.strings.removePrefix "/run/" cfg.socketsDir; - description = '' - Adjusted Postgresql sockets directory for systemd - ''; - readOnly = true; - }; }; }; config = lib.mkIf cfg.enable { networking.firewall.allowedTCPPorts = [ 5432 ]; - security.acme2.certs."postgresql" = config.myServices.databasesCerts // { + security.acme.certs."postgresql" = config.myServices.databasesCerts // { user = "postgres"; group = "postgres"; plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ]; @@ -119,7 +109,6 @@ in { systemd.services.postgresql.serviceConfig = { SupplementaryGroups = "keys"; - RuntimeDirectory = cfg.systemdRuntimeDirectory; }; systemd.services.postgresql.postStart = lib.mkAfter '' # This line is already defined in 19.09 @@ -165,8 +154,8 @@ in { # makes it order of magnitudes quicker synchronous_commit = off ssl = on - ssl_cert_file = '${config.security.acme2.certs.postgresql.directory}/fullchain.pem' - ssl_key_file = '${config.security.acme2.certs.postgresql.directory}/key.pem' + ssl_cert_file = '${config.security.acme.certs.postgresql.directory}/fullchain.pem' + ssl_key_file = '${config.security.acme.certs.postgresql.directory}/key.pem' ''; authentication = let hosts = builtins.concatStringsSep "\n" ( diff --git a/modules/private/databases/redis.nix b/modules/private/databases/redis.nix index 4b26283..4602510 100644 --- a/modules/private/databases/redis.nix +++ b/modules/private/databases/redis.nix 
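Review bot: With `RuntimeDirectory = cfg.systemdRuntimeDirectory;` removed from `systemd.services.postgresql.serviceConfig`, this module no longer guarantees that `cfg.socketsDir` exists under /run when the unit starts; that now depends on the upgraded upstream postgresql unit creating the directory, which presumably only holds for its own default path. If `socketsDir` remains settable to another location, the module should either keep a `RuntimeDirectory`/tmpfiles rule for the non-default case or document the constraint with a comment like `# the socket directory is created by the upstream unit; socketsDir must stay under the path it manages`. The same removal is made for redis in modules/private/databases/redis.nix (`systemd.services.redis.serviceConfig.RuntimeDirectory`) and has the same consequence. The `config = lib.mkIf cfg.enable { … }` attribute set extends beyond the hunk.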
@@ -17,16 +17,6 @@ in { ''; }; # Output variables - systemdRuntimeDirectory = lib.mkOption { - type = lib.types.str; - # Use ReadWritePaths= instead if socketsDir is outside of /run - default = assert lib.strings.hasPrefix "/run/" cfg.socketsDir; - lib.strings.removePrefix "/run/" cfg.socketsDir; - description = '' - Adjusted redis sockets directory for systemd - ''; - readOnly = true; - }; sockets = lib.mkOption { type = lib.types.attrsOf lib.types.path; default = { @@ -51,7 +41,6 @@ in { maxclients 1024 ''; }; - systemd.services.redis.serviceConfig.RuntimeDirectory = cfg.systemdRuntimeDirectory; services.spiped = { enable = true; diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix index 3537c24..382b42d 100644 --- a/modules/private/ejabberd/default.nix +++ b/modules/private/ejabberd/default.nix @@ -14,7 +14,7 @@ in }; config = lib.mkIf cfg.enable { - security.acme2.certs = { + security.acme.certs = { "ejabberd" = config.myServices.certificates.certConfig // { user = "ejabberd"; group = "ejabberd"; @@ -58,7 +58,7 @@ in text = '' host_config: "immae.fr": - domain_certfile: "${config.security.acme2.certs.ejabberd.directory}/full.pem" + domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem" auth_method: [ldap] ldap_servers: ["${config.myEnv.jabber.ldap.host}"] ldap_encrypt: tls @@ -66,8 +66,8 @@ in ldap_password: "${config.myEnv.jabber.ldap.password}" ldap_base: "${config.myEnv.jabber.ldap.base}" ldap_uids: - - "uid": "%u" - - "immaeXmppUid": "%u" + uid: "%u" + immaeXmppUid: "%u" ldap_filter: "${config.myEnv.jabber.ldap.filter}" ''; } 
@@ -81,7 +81,7 @@ in ERLANG_NODE=ejabberd@localhost ''; configFile = pkgs.runCommand "ejabberd.yml" { - certificatePrivateKeyAndFullChain = "${config.security.acme2.certs.ejabberd.directory}/full.pem"; + certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem"; certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml"; host_config_file = config.secrets.fullPaths."ejabberd/host.yml"; diff --git a/modules/private/ejabberd/ejabberd.yml b/modules/private/ejabberd/ejabberd.yml index 0f678b6..82ac35b 100644 --- a/modules/private/ejabberd/ejabberd.yml +++ b/modules/private/ejabberd/ejabberd.yml @@ -69,7 +69,6 @@ s2s_use_starttls: optional s2s_cafile: "@certificateCA@" default_db: sql -sql_type: pgsql include_config_file: @sql_config_file@ include_config_file: @host_config_file@ new_sql_schema: true @@ -193,7 +192,6 @@ modules: access_createnode: pubsub_createnode plugins: - "flat" - - "hometree" - "pep" force_node_config: ## Change from "whitelist" to "open" to enable OMEMO support diff --git a/modules/private/environment.nix b/modules/private/environment.nix index b7589eb..77e9c8d 100644 --- a/modules/private/environment.nix +++ b/modules/private/environment.nix @@ -133,8 +133,8 @@ let ''; type = submodule { options = { - password = mkOption { type = string; description = "Password for the LDAP connection"; }; - dn = mkOption { type = string; description = "DN for the LDAP connection"; }; + password = mkOption { type = str; description = "Password for the LDAP connection"; }; + dn = mkOption { type = str; description = "DN for the LDAP connection"; }; }; }; }; @@ -156,13 +156,13 @@ let type = attrsOf (submodule { options = { ip4 = mkOption { - type = string; + type = str; description = '' ip4 address of the host ''; }; ip6 = mkOption { - type = listOf string; + type = listOf str; default = []; description = '' ip6 addresses of the host 
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix index 585fe63..417af87 100644 --- a/modules/private/ftp.nix +++ b/modules/private/ftp.nix @@ -17,7 +17,7 @@ in services.duplyBackup.profiles.ftp = { rootDir = "/var/lib/ftp"; }; - security.acme2.certs."ftp" = config.myServices.certificates.certConfig // { + security.acme.certs."ftp" = config.myServices.certificates.certConfig // { domain = "eldiron.immae.eu"; postRun = '' systemctl restart pure-ftpd.service @@ -113,7 +113,7 @@ in MaxDiskUsage 99 CustomerProof yes TLS 1 - CertFile ${config.security.acme2.certs.ftp.directory}/full.pem + CertFile ${config.security.acme.certs.ftp.directory}/full.pem ''; in { description = "Pure-FTPd server"; diff --git a/modules/private/gitolite/default.nix b/modules/private/gitolite/default.nix index 9dfa04d..9f5c179 100644 --- a/modules/private/gitolite/default.nix +++ b/modules/private/gitolite/default.nix @@ -5,7 +5,7 @@ in { options.myServices.gitolite = { enable = lib.mkEnableOption "my gitolite service"; gitoliteDir = lib.mkOption { - type = lib.types.string; + type = lib.types.str; default = "/var/lib/gitolite"; }; }; diff --git a/modules/private/irc.nix b/modules/private/irc.nix index 1054b96..9871508 100644 --- a/modules/private/irc.nix +++ b/modules/private/irc.nix @@ -20,7 +20,7 @@ in services.duplyBackup.profiles.irc = { rootDir = "/var/lib/bitlbee"; }; - security.acme2.certs."irc" = config.myServices.ircCerts // { + security.acme.certs."irc" = config.myServices.ircCerts // { domain = "irc.immae.eu"; postRun = '' systemctl restart stunnel.service @@ -49,7 +49,7 @@ in bitlbee = { accept = 6697; connect = 6667; - cert = "${config.security.acme2.certs.irc.directory}/full.pem"; + cert = "${config.security.acme.certs.irc.directory}/full.pem"; }; }; }; diff --git a/modules/private/mail/default.nix b/modules/private/mail/default.nix index 1c64e15..b50e346 100644 --- a/modules/private/mail/default.nix +++ b/modules/private/mail/default.nix 
@@ -13,7 +13,7 @@ options.myServices.mailBackup.enable = lib.mkEnableOption "enable MX backup services"; config = lib.mkIf config.myServices.mail.enable { - security.acme2.certs."mail" = config.myServices.certificates.certConfig // { + security.acme.certs."mail" = config.myServices.certificates.certConfig // { domain = config.hostEnv.fqdn; extraDomains = let zonesWithMx = builtins.filter (zone: diff --git a/modules/private/mail/dovecot.nix b/modules/private/mail/dovecot.nix index 9836f78..77f9bd7 100644 --- a/modules/private/mail/dovecot.nix +++ b/modules/private/mail/dovecot.nix @@ -269,7 +269,7 @@ in [ "0 2 * * * root ${cron_script}/bin/cleanup-imap-folders" ]; - security.acme2.certs."mail" = { + security.acme.certs."mail" = { postRun = '' systemctl restart dovecot2.service ''; diff --git a/modules/private/mail/postfix.nix b/modules/private/mail/postfix.nix index e0347ec..4791b41 100644 --- a/modules/private/mail/postfix.nix +++ b/modules/private/mail/postfix.nix @@ -428,7 +428,7 @@ }; }; }; - security.acme2.certs."mail" = { + security.acme.certs."mail" = { postRun = '' systemctl restart postfix.service ''; diff --git a/modules/private/mail/relay.nix b/modules/private/mail/relay.nix index 18d6bc3..c6231aa 100644 --- a/modules/private/mail/relay.nix +++ b/modules/private/mail/relay.nix @@ -1,7 +1,7 @@ { lib, pkgs, config, nodes, name, ... }: { config = lib.mkIf config.myServices.mailBackup.enable { - security.acme2.certs."mail" = config.myServices.certificates.certConfig // { + security.acme.certs."mail" = config.myServices.certificates.certConfig // { postRun = '' systemctl restart postfix.service ''; diff --git a/modules/private/monitoring/objects_backup-2.nix b/modules/private/monitoring/objects_backup-2.nix index cc8e36b..4cdf59a 100644 --- a/modules/private/monitoring/objects_backup-2.nix +++ b/modules/private/monitoring/objects_backup-2.nix 
@@ -79,6 +79,10 @@ in base = config.myServices.databasesReplication.openldap.base; eldiron_schemas = pkgs.callPackage ../databases/openldap/eldiron_schemas.nix {}; ldapConfig = pkgs.writeText "slapd.conf" '' + include ${pkgs.openldap}/etc/schema/core.schema + include ${pkgs.openldap}/etc/schema/cosine.schema + include ${pkgs.openldap}/etc/schema/inetorgperson.schema + include ${pkgs.openldap}/etc/schema/nis.schema ${eldiron_schemas} moduleload back_hdb backend hdb diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix index 2860e96..d25d934 100644 --- a/modules/private/monitoring/status.nix +++ b/modules/private/monitoring/status.nix @@ -34,7 +34,7 @@ locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/"; }; }; - security.acme2.certs."${name}".extraDomains."status.immae.eu" = null; + security.acme.certs."${name}".extraDomains."status.immae.eu" = null; myServices.certificates.enable = true; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix index 78e07c1..42cc8d2 100644 --- a/modules/private/tasks/default.nix +++ b/modules/private/tasks/default.nix @@ -123,7 +123,7 @@ in { Use LDAPConnect Require ldap-group cn=users,cn=taskwarrior,ou=services,dc=immae,dc=eu - SetHandler "proxy:unix:/var/run/phpfpm/task.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.tasks.socket}|fcgi://localhost" Include /var/secrets/webapps/tools-taskwarrior-web 
@@ -172,29 +172,30 @@ in { }; services.phpfpm.pools = { tasks = { - listen = "/var/run/phpfpm/task.sock"; - extraConfig = '' - user = ${user} - group = ${group} - listen.owner = wwwrun - listen.group = wwwrun - pm = dynamic - pm.max_children = 60 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 10 + user = user; + group = group; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; + "pm" = "dynamic"; + "pm.max_children" = "60"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "10"; - ; Needed to avoid clashes in browser cookies (same domain) - env[PATH] = "/etc/profiles/per-user/${user}/bin" - php_value[session.name] = TaskPHPSESSID - php_admin_value[open_basedir] = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "TaskPHPSESSID"; + "php_admin_value[open_basedir]" = "${./www}:/tmp:${server_vardir}:/etc/profiles/per-user/${user}/bin/"; + }; + phpEnv = { + PATH = "/etc/profiles/per-user/${user}/bin"; + }; }; }; myServices.websites.webappDirs._task = ./www; - security.acme2.certs."task" = config.myServices.certificates.certConfig // { + security.acme.certs."task" = config.myServices.certificates.certConfig // { inherit user group; plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ]; domain = fqdn; 
@@ -246,9 +247,9 @@ in { inherit fqdn; listenHost = "::"; pki.manual.ca.cert = "${server_vardir}/keys/ca.cert"; - pki.manual.server.cert = "${config.security.acme2.certs.task.directory}/fullchain.pem"; - pki.manual.server.crl = "${config.security.acme2.certs.task.directory}/invalid.crl"; - pki.manual.server.key = "${config.security.acme2.certs.task.directory}/key.pem"; + pki.manual.server.cert = "${config.security.acme.certs.task.directory}/fullchain.pem"; + pki.manual.server.crl = "${config.security.acme.certs.task.directory}/invalid.crl"; + pki.manual.server.key = "${config.security.acme.certs.task.directory}/key.pem"; requestLimit = 104857600; }; diff --git a/modules/private/websites/chloe/builder.nix b/modules/private/websites/chloe/builder.nix index f21caeb..bce2b4d 100644 --- a/modules/private/websites/chloe/builder.nix +++ b/modules/private/websites/chloe/builder.nix 
@@ -3,28 +3,25 @@ rec { app = chloe.override { inherit (config) environment; }; phpFpm = rec { serviceDeps = [ "mysql.service" ]; - socket = "/var/run/phpfpm/chloe-${app.environment}.sock"; - pool = '' - user = ${apacheUser} - group = ${apacheGroup} - listen.owner = ${apacheUser} - listen.group = ${apacheGroup} - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" - php_admin_value[session.save_path] = "${app.varDir}/phpSessions" - ${if app.environment == "dev" then '' - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - '' else '' - pm = dynamic - pm.max_children = 20 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - ''}''; + pool = { + "listen.owner" = apacheUser; + "listen.group" = apacheGroup; + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + # "php_admin_flag[log_errors]" = "on"; + "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; + "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; + } // (if app.environment == "dev" then { + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + } else { + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }); }; keys = [{ dest = "webapps/${app.environment}-chloe"; @@ -51,7 +48,7 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "chloe_${app.environment}"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Include /var/secrets/webapps/${app.environment}-chloe RewriteEngine On @@ -60,7 +57,7 @@ rec { '' else ""} - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" 
diff --git a/modules/private/websites/chloe/integration.nix b/modules/private/websites/chloe/integration.nix index 6276eb7..caf6548 100644 --- a/modules/private/websites/chloe/integration.nix +++ b/modules/private/websites/chloe/integration.nix @@ -17,8 +17,9 @@ in { systemd.services.phpfpm-chloe_dev.after = lib.mkAfter chloe.phpFpm.serviceDeps; systemd.services.phpfpm-chloe_dev.wants = chloe.phpFpm.serviceDeps; services.phpfpm.pools.chloe_dev = { - listen = chloe.phpFpm.socket; - extraConfig = chloe.phpFpm.pool; + user = config.services.httpd.Inte.user; + group = config.services.httpd.Inte.group; + settings = chloe.phpFpm.pool; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; @@ -31,7 +32,9 @@ in { addToCerts = true; hosts = ["chloe.immae.eu" ]; root = chloe.apache.root; - extraConfig = [ chloe.apache.vhostConf ]; + extraConfig = [ + (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_dev.socket) + ]; }; services.websites.env.integration.watchPaths = [ "/var/secrets/webapps/${chloe.app.environment}-chloe" diff --git a/modules/private/websites/chloe/production.nix b/modules/private/websites/chloe/production.nix index 578bf91..83f6c9b 100644 --- a/modules/private/websites/chloe/production.nix +++ b/modules/private/websites/chloe/production.nix @@ -19,8 +19,9 @@ in { systemd.services.phpfpm-chloe_prod.after = lib.mkAfter chloe.phpFpm.serviceDeps; systemd.services.phpfpm-chloe_prod.wants = chloe.phpFpm.serviceDeps; services.phpfpm.pools.chloe_prod = { - listen = chloe.phpFpm.socket; - extraConfig = chloe.phpFpm.pool; + user = config.services.httpd.Prod.user; + group = config.services.httpd.Prod.group; + settings = chloe.phpFpm.pool; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; 
@@ -39,7 +40,7 @@ in { RewriteCond "%{HTTP_HOST}" "!^www\.osteopathe-cc\.fr$" [NC] RewriteRule ^(.+)$ https://www.osteopathe-cc.fr$1 [R=302,L] '' - chloe.apache.vhostConf + (chloe.apache.vhostConf config.services.phpfpm.pools.chloe_prod.socket) ]; }; services.websites.env.production.watchPaths = [ diff --git a/modules/private/websites/commons/adminer.nix b/modules/private/websites/commons/adminer.nix index d591c90..1803468 100644 --- a/modules/private/websites/commons/adminer.nix +++ b/modules/private/websites/commons/adminer.nix @@ -1,24 +1,5 @@ -{}: -rec { - phpFpm = { - socket = "/var/run/phpfpm/adminer.sock"; - }; - apache = rec { - modules = [ "proxy_fcgi" ]; - webappName = "_adminer"; - root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' - Alias /adminer ${root} - - DirectoryIndex index.php - - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" - - - Use LDAPConnect - Require ldap-group cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu - Require ldap-group cn=users,cn=postgresql,cn=pam,ou=services,dc=immae,dc=eu - - ''; - }; +{ config, callPackage }: +callPackage ../tools/tools/adminer.nix { + adminer = null; + forcePhpSocket = config.services.phpfpm.pools.adminer.socket; } diff --git a/modules/private/websites/connexionswing/integration.nix b/modules/private/websites/connexionswing/integration.nix index 81cff8f..4f7b72d 100644 --- a/modules/private/websites/connexionswing/integration.nix +++ b/modules/private/websites/connexionswing/integration.nix 
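Review bot: The removed adminer vhost carried the `Require ldap-group cn=users,cn=mysql,cn=pam,ou=services,dc=immae,dc=eu` and `cn=users,cn=postgresql,cn=pam,...` restrictions on `/adminer`, and the replacement hands the whole vhost to `../tools/tools/adminer.nix`, which is outside this diff, so the hunk alone cannot show that the same LDAP group requirement (and the `DirectoryIndex`/`SetHandler` block) is reproduced there. Since adminer fronts database logins, it is worth confirming that file keeps the access control before merging, and recording it here with a short comment such as `# vhost and LDAP group restriction come from tools/adminer.nix`. The same external file defines what the `null` socket means in the callers changed to `(adminer.apache.vhostConf null)` in florian/app.nix, florian/integration.nix, florian/production.nix and naturaloutil/production.nix; presumably it falls back to `forcePhpSocket`, which is set here from `config.services.phpfpm.pools.adminer.socket`, but that should be verified rather than assumed. `adminer = null;` likewise has no visible meaning in this hunk and would benefit from a one-line comment.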
@@ -25,15 +25,17 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - env[SYMFONY_DEBUG_MODE] = "yes" - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + }; + phpEnv = { + SYMFONY_DEBUG_MODE = "yes"; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-connexionswing" ]; diff --git a/modules/private/websites/connexionswing/production.nix b/modules/private/websites/connexionswing/production.nix index fa31931..0b52af1 100644 --- a/modules/private/websites/connexionswing/production.nix +++ b/modules/private/websites/connexionswing/production.nix @@ -26,16 +26,16 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" "/run/wrappers/bin/sendmail" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = dynamic - pm.max_children = 20 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-connexionswing" ]; diff --git a/modules/private/websites/default.nix b/modules/private/websites/default.nix index 5c0e655..529ec5c 100644 --- a/modules/private/websites/default.nix 
+++ b/modules/private/websites/default.nix @@ -87,9 +87,9 @@ in #openssl = self.openssl_1_1; php = php72; php72 = (super.php72.override { - mysql.connector-c = self.mariadb; - config.php.mysqlnd = false; + config.php.mysqlnd = true; config.php.mysqli = false; + config.php.mhash = true; # Is it needed? }).overrideAttrs(old: rec { # Didn't manage to build with mysqli + mysql_config connector configureFlags = old.configureFlags ++ [ @@ -140,9 +140,9 @@ in ; 30 days (minutes) session.cache_expire = 43200 ''; - extraConfig = '' - log_level = notice - ''; + settings = { + log_level = "notice"; + }; }; services.filesWatcher.httpdProd.paths = [ "/var/secrets/apache-ldap" ]; diff --git a/modules/private/websites/emilia/richie.nix b/modules/private/websites/emilia/richie.nix index f7b4f8d..98ab1cd 100644 --- a/modules/private/websites/emilia/richie.nix +++ b/modules/private/websites/emilia/richie.nix 
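Review bot: `config.php.mhash = true; # Is it needed?` leaves an open question in the php72 override; either confirm the extension is required by one of the hosted applications and say which, or drop the flag, since unanswered questions in build configuration tend to survive indefinitely. The context comment `# Didn't manage to build with mysqli + mysql_config connector` on the line below described the removed `mysql.connector-c = self.mariadb;` override and now sits above `config.php.mysqlnd = true;`, so it may be stale; if mysqlnd is the replacement, something like `# mysqlnd replaces the mysql_config connector; mysqli is added via configureFlags below` would keep the intent readable. The overrideAttrs body continues past the end of the hunk, so I cannot see what the configureFlags now add.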
@@ -49,22 +49,23 @@ in ''; }; services.phpfpm.pools.richie_production = { - listen = "/run/phpfpm/richie_production.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - env[PATH] = /run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]} - env[BDD_CONNECT] = "/var/secrets/webapps/prod-richie" - php_admin_value[open_basedir] = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp" - php_admin_value[session.save_path] = "/var/lib/php/sessions/richie_production" - ''; + "php_admin_value[open_basedir]" = "${vardir}:/var/lib/php/sessions/richie_production:/var/secrets/webapps/prod-richie:${richieSrc}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/richie_production"; + }; + phpEnv = { + PATH = "/run/current-system/sw/bin:${lib.makeBinPath [ pkgs.imagemagick ]}"; + BDD_CONNECT = "/var/secrets/webapps/prod-richie"; + }; phpOptions = config.services.phpfpm.phpOptions + '' date.timezone = 'Europe/Paris' extension=${pkgs.php}/lib/php/extensions/mysqli.so @@ -91,7 +92,7 @@ in Require all granted - SetHandler "proxy:unix:/run/phpfpm/richie_production.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.richie_production.socket}|fcgi://localhost" '' diff --git a/modules/private/websites/evariste/production.nix b/modules/private/websites/evariste/production.nix index 00e6fe1..43b26c8 100644 --- a/modules/private/websites/evariste/production.nix +++ b/modules/private/websites/evariste/production.nix 
@@ -21,20 +21,19 @@ in { ''; }; services.phpfpm.pools.nsievariste = { - listen = "/run/phpfpm/nsievariste.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - php_admin_value[open_basedir] = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp" - php_admin_value[session.save_path] = "/var/lib/php/sessions/nsievariste" - ''; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/nsievariste:${nsiVarDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/nsievariste"; + }; }; services.websites.env.production.vhostConfs.nsievariste = { certName = "eldiron"; @@ -46,7 +45,7 @@ in { Use Stats nsievariste.immae.eu - SetHandler "proxy:unix:/run/phpfpm/nsievariste.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.nsievariste.socket}|fcgi://localhost" 
@@ -60,20 +59,19 @@ in { }; services.phpfpm.pools.stmgevariste = { - listen = "/run/phpfpm/stmgevariste.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - php_admin_value[open_basedir] = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp" - php_admin_value[session.save_path] = "/var/lib/php/sessions/stmgevariste" - ''; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/stmgevariste:${stmgVarDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/stmgevariste"; + }; }; services.websites.env.production.vhostConfs.stmgevariste = { certName = "eldiron"; @@ -85,7 +83,7 @@ in { Use Stats stmgevariste.immae.eu - SetHandler "proxy:unix:/run/phpfpm/stmgevariste.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.stmgevariste.socket}|fcgi://localhost" diff --git a/modules/private/websites/florian/app.nix b/modules/private/websites/florian/app.nix index e262c59..c65c26f 100644 --- a/modules/private/websites/florian/app.nix +++ b/modules/private/websites/florian/app.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix {}; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; secrets = config.myEnv.websites.tellesflorian.integration; app = pkgs.webapps.tellesflorian.override { environment = secrets.environment; }; cfg = config.myServices.websites.florian.app; 
@@ -24,15 +24,17 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - env[SYMFONY_DEBUG_MODE] = "yes" - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + }; + phpEnv = { + SYMFONY_DEBUG_MODE = "yes"; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-tellesflorian" ]; @@ -134,7 +136,7 @@ in { '' - adminer.apache.vhostConf + (adminer.apache.vhostConf null) ]; }; }; diff --git a/modules/private/websites/florian/integration.nix b/modules/private/websites/florian/integration.nix index 57c4006..4ee160a 100644 --- a/modules/private/websites/florian/integration.nix +++ b/modules/private/websites/florian/integration.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix {}; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; cfg = config.myServices.websites.florian.integration; varDir = "/var/lib/ftp/florian"; env = config.myEnv.websites.florian; @@ -8,7 +8,7 @@ in { options.myServices.websites.florian.integration.enable = lib.mkEnableOption "enable Florian's website integration"; config = lib.mkIf cfg.enable { - security.acme2.certs."ftp".extraDomains."florian.immae.eu" = null; + security.acme.certs."ftp".extraDomains."florian.immae.eu" = null; services.websites.env.integration.modules = adminer.apache.modules; services.websites.env.integration.vhostConfs.florian = { 
@@ -17,7 +17,7 @@ in { hosts = [ "florian.immae.eu" ]; root = "${varDir}/florian.immae.eu"; extraConfig = [ - adminer.apache.vhostConf + (adminer.apache.vhostConf null) '' ServerAdmin ${env.server_admin} diff --git a/modules/private/websites/florian/production.nix b/modules/private/websites/florian/production.nix index 1abc715..16c6022 100644 --- a/modules/private/websites/florian/production.nix +++ b/modules/private/websites/florian/production.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix {}; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; cfg = config.myServices.websites.florian.production; varDir = "/var/lib/ftp/florian"; env = config.myEnv.websites.florian; @@ -8,7 +8,7 @@ in { options.myServices.websites.florian.production.enable = lib.mkEnableOption "enable Florian's website production"; config = lib.mkIf cfg.enable { - security.acme2.certs."ftp".extraDomains."tellesflorian.com" = null; + security.acme.certs."ftp".extraDomains."tellesflorian.com" = null; services.websites.env.production.modules = adminer.apache.modules; services.websites.env.production.vhostConfs.florian = { @@ -17,7 +17,7 @@ in { hosts = [ "tellesflorian.com" "www.tellesflorian.com" ]; root = "${varDir}/tellesflorian.com"; extraConfig = [ - adminer.apache.vhostConf + (adminer.apache.vhostConf null) '' ServerAdmin ${env.server_admin} diff --git a/modules/private/websites/isabelle/aten_integration.nix b/modules/private/websites/isabelle/aten_integration.nix index a2a087c..fb6eda9 100644 --- a/modules/private/websites/isabelle/aten_integration.nix +++ b/modules/private/websites/isabelle/aten_integration.nix 
@@ -23,15 +23,17 @@ in { "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - env[SYMFONY_DEBUG_MODE] = "yes" - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + }; + phpEnv = { + SYMFONY_DEBUG_MODE = "yes"; + }; }; secrets.keys = [{ diff --git a/modules/private/websites/isabelle/aten_production.nix b/modules/private/websites/isabelle/aten_production.nix index 8e33f0f..cf7e4a2 100644 --- a/modules/private/websites/isabelle/aten_production.nix +++ b/modules/private/websites/isabelle/aten_production.nix @@ -24,16 +24,16 @@ in { "APP_ENV=${app.environment} ./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = dynamic - pm.max_children = 20 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }; }; secrets.keys = [{ diff --git a/modules/private/websites/isabelle/iridologie.nix b/modules/private/websites/isabelle/iridologie.nix index 460bd2a..ffbf259 100644 --- a/modules/private/websites/isabelle/iridologie.nix +++ b/modules/private/websites/isabelle/iridologie.nix 
@@ -19,8 +19,9 @@ in { systemd.services.phpfpm-iridologie.after = lib.mkAfter iridologie.phpFpm.serviceDeps; systemd.services.phpfpm-iridologie.wants = iridologie.phpFpm.serviceDeps; services.phpfpm.pools.iridologie = { - listen = iridologie.phpFpm.socket; - extraConfig = iridologie.phpFpm.pool; + user = config.services.httpd.Prod.user; + group = config.services.httpd.Prod.group; + settings = iridologie.phpFpm.pool; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; @@ -39,7 +40,7 @@ in { RewriteCond "%{HTTP_HOST}" "!^iridologie\.icommandeur\.org$" [NC] RewriteRule ^(.+)$ https://iridologie.icommandeur.org$1 [R=302,L] '' - iridologie.apache.vhostConf + (iridologie.apache.vhostConf config.services.phpfpm.pools.iridologie.socket) ]; }; services.websites.env.production.watchPaths = [ diff --git a/modules/private/websites/isabelle/spip_builder.nix b/modules/private/websites/isabelle/spip_builder.nix index 2ab5394..e1130d1 100644 --- a/modules/private/websites/isabelle/spip_builder.nix +++ b/modules/private/websites/isabelle/spip_builder.nix 
@@ -3,28 +3,25 @@ rec { app = iridologie.override { inherit (config) environment; }; phpFpm = rec { serviceDeps = [ "mysql.service" ]; - socket = "/var/run/phpfpm/iridologie-${app.environment}.sock"; - pool = '' - user = ${apacheUser} - group = ${apacheGroup} - listen.owner = ${apacheUser} - listen.group = ${apacheGroup} - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - php_admin_value[open_basedir] = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp" - php_admin_value[session.save_path] = "${app.varDir}/phpSessions" - ${if app.environment == "dev" then '' - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - '' else '' - pm = dynamic - pm.max_children = 20 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - ''}''; + pool = { + "listen.owner" = "${apacheUser}"; + "listen.group" = "${apacheGroup}"; + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "php_admin_value[open_basedir]" = "${app.spipConfig}:${configDir}:${app}:${app.varDir}:/tmp"; + "php_admin_value[session.save_path]" = "${app.varDir}/phpSessions"; + } // (if app.environment == "dev" then { + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + } else { + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }); }; keys = [{ dest = "webapps/${app.environment}-iridologie"; @@ -51,13 +48,13 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "iridologie_${app.environment}"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Include /var/secrets/webapps/${app.environment}-iridologie RewriteEngine On - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" 
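Review bot: `"listen.owner" = "${apacheUser}";` and `"listen.group" = "${apacheGroup}";` wrap a string in a redundant interpolation, whereas the parallel hunk in chloe/builder.nix writes `"listen.owner" = apacheUser;`; using the bare identifiers here keeps the two builders identical and avoids suggesting a conversion is taking place. Apart from the app name and paths the rest of this `pool` set is the same as chloe/builder.nix, so a shared helper taking the app-specific values would remove the duplication, though that is a separate change. The `phpFpm` set still starts with `rec {` on a context line although `socket` was removed and no attribute references a sibling any more, so `rec` can likely be dropped here too.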
diff --git a/modules/private/websites/leila/production.nix b/modules/private/websites/leila/production.nix index e8591c8..3b289cf 100644 --- a/modules/private/websites/leila/production.nix +++ b/modules/private/websites/leila/production.nix @@ -7,19 +7,18 @@ in { config = lib.mkIf cfg.enable { services.phpfpm.pools.leila = { - listen = "/run/phpfpm/leila.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - php_admin_value[open_basedir] = "${varDir}:/tmp" - ''; + "php_admin_value[open_basedir]" = "${varDir}:/tmp"; + }; }; services.webstats.sites = [ @@ -46,7 +45,7 @@ in { Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu - SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" '' @@ -66,7 +65,7 @@ in { AllowOverride None - SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" '' @@ -89,7 +88,7 @@ in { Require ldap-group cn=chorale.leila.bouya.org,cn=httpd,ou=services,dc=immae,dc=eu - SetHandler "proxy:unix:/run/phpfpm/leila.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.leila.socket}|fcgi://localhost" diff --git a/modules/private/websites/ludivinecassal/integration.nix b/modules/private/websites/ludivinecassal/integration.nix index 1cbfd12..d304fdf 100644 --- a/modules/private/websites/ludivinecassal/integration.nix +++ b/modules/private/websites/ludivinecassal/integration.nix 
@@ -23,15 +23,17 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - env[SYMFONY_DEBUG_MODE] = "yes" - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + }; + phpEnv = { + SYMFONY_DEBUG_MODE = "yes"; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" ]; diff --git a/modules/private/websites/ludivinecassal/production.nix b/modules/private/websites/ludivinecassal/production.nix index 7cf00f0..5761be7 100644 --- a/modules/private/websites/ludivinecassal/production.nix +++ b/modules/private/websites/ludivinecassal/production.nix @@ -24,16 +24,16 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - pm = dynamic - pm.max_children = 20 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-ludivinecassal" ]; diff --git a/modules/private/websites/nassime/production.nix b/modules/private/websites/nassime/production.nix index 293519f..f9468f9 100644 --- a/modules/private/websites/nassime/production.nix 
+++ b/modules/private/websites/nassime/production.nix @@ -9,7 +9,7 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "nassime.bouya.org"; } ]; - security.acme2.certs."ftp".extraDomains."nassime.bouya.org" = null; + security.acme.certs."ftp".extraDomains."nassime.bouya.org" = null; services.websites.env.production.vhostConfs.nassime = { certName = "nassime"; diff --git a/modules/private/websites/naturaloutil/production.nix b/modules/private/websites/naturaloutil/production.nix index a276c47..1e79141 100644 --- a/modules/private/websites/naturaloutil/production.nix +++ b/modules/private/websites/naturaloutil/production.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix {}; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; cfg = config.myServices.websites.naturaloutil.production; varDir = "/var/lib/ftp/jerome"; env = config.myEnv.websites.jerome; @@ -10,7 +10,7 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "naturaloutil.immae.eu"; } ]; - security.acme2.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; + security.acme.certs."ftp".extraDomains."naturaloutil.immae.eu" = null; secrets.keys = [{ dest = "webapps/prod-naturaloutil"; 
@@ -42,21 +42,22 @@ in { systemd.services.phpfpm-jerome.after = lib.mkAfter [ "mysql.service" ]; systemd.services.phpfpm-jerome.wants = [ "mysql.service" ]; services.phpfpm.pools.jerome = { - listen = "/run/phpfpm/naturaloutil.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - env[BDD_CONNECT] = "/var/secrets/webapps/prod-naturaloutil" - php_admin_value[open_basedir] = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp" - php_admin_value[session.save_path] = "/var/lib/php/sessions/naturaloutil" - ''; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/naturaloutil:/var/secrets/webapps/prod-naturaloutil:${varDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/naturaloutil"; + }; + phpEnv = { + BDD_CONNECT = "/var/secrets/webapps/prod-naturaloutil"; + }; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so ''; @@ -68,7 +69,7 @@ in { hosts = ["naturaloutil.immae.eu" ]; root = varDir; extraConfig = [ - adminer.apache.vhostConf + (adminer.apache.vhostConf null) '' Use Stats naturaloutil.immae.eu ServerAdmin ${env.server_admin} @@ -76,7 +77,7 @@ in { CustomLog "${varDir}/logs/access_log" combined - SetHandler "proxy:unix:/run/phpfpm/naturaloutil.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.jerome.socket}|fcgi://localhost" diff --git a/modules/private/websites/papa/maison_bbc.nix b/modules/private/websites/papa/maison_bbc.nix index eb61b6d..11e7937 100644 --- a/modules/private/websites/papa/maison_bbc.nix +++ b/modules/private/websites/papa/maison_bbc.nix 
@@ -9,19 +9,18 @@ in { services.duplyBackup.profiles.papa_maison_bbc.rootDir = varDir; services.webstats.sites = [ { name = "maison.bbc.bouya.org"; } ]; services.phpfpm.pools.papa_maison_bbc = { - listen = "/run/phpfpm/papa_maison_bbc.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - php_admin_value[open_basedir] = "${varDir}" - ''; + "php_admin_value[open_basedir]" = varDir; + }; phpOptions = config.services.phpfpm.phpOptions + '' date.timezone = 'Europe/Paris' extension=${pkgs.php}/lib/php/extensions/mysqli.so @@ -34,17 +33,17 @@ in { root = varDir; extraConfig = [ '' - Alias /.well-known/acme-challenge ${config.security.acme2.certs.papa.webroot}/.well-known/acme-challenge + Alias /.well-known/acme-challenge ${config.security.acme.certs.papa.webroot}/.well-known/acme-challenge RedirectMatch 301 ^/((?!(\.well-known|add.php).*$).*)$ https://maison.bbc.bouya.org/$1 DirectoryIndex index.php index.htm index.html AllowOverride None Require all granted - SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" - + Options Indexes FollowSymLinks AllowOverride None Require all granted @@ -64,7 +63,7 @@ in { AllowOverride None Require all granted - SetHandler "proxy:unix:/run/phpfpm/papa_maison_bbc.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.papa_maison_bbc.socket}|fcgi://localhost" '' diff --git a/modules/private/websites/papa/surveillance.nix b/modules/private/websites/papa/surveillance.nix index f6e1772..1bb6ac8 100644 --- a/modules/private/websites/papa/surveillance.nix 
+++ b/modules/private/websites/papa/surveillance.nix @@ -6,7 +6,7 @@ in { options.myServices.websites.papa.surveillance.enable = lib.mkEnableOption "enable Papa surveillance's website"; config = lib.mkIf cfg.enable { - security.acme2.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; + security.acme.certs."ftp".extraDomains."surveillance.maison.bbc.bouya.org" = null; services.cron = { systemCronJobs = let diff --git a/modules/private/websites/piedsjaloux/integration.nix b/modules/private/websites/piedsjaloux/integration.nix index 5907bc8..76523ed 100644 --- a/modules/private/websites/piedsjaloux/integration.nix +++ b/modules/private/websites/piedsjaloux/integration.nix @@ -23,16 +23,18 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - env[SYMFONY_DEBUG_MODE] = "yes" - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + }; + phpEnv = { + PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; + SYMFONY_DEBUG_MODE = "yes"; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" ]; diff --git a/modules/private/websites/piedsjaloux/production.nix b/modules/private/websites/piedsjaloux/production.nix index e4e29c7..d3e5c2b 100644 --- a/modules/private/websites/piedsjaloux/production.nix +++ b/modules/private/websites/piedsjaloux/production.nix 
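Review bot: `phpPool` changes type from an INI string to an attrset and `phpEnv` is a new key, but the module that consumes them is not in this hunk, so the hunk alone cannot show that the consumer now renders attrsets and forwards `phpEnv` to the pool. It is worth confirming that `modules/private/websites/default.nix` (listed in the diffstat) was changed accordingly in this commit; otherwise these values would either fail evaluation or never reach php-fpm. The same applies to the matching hunk in piedsjaloux/production.nix. The commented-out `#"php_admin_flag[log_errors]" = "on";` carries over an already-disabled line; if error logging is intentionally off for this pool, a short reason next to it would stop the next reader from flipping it.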
@@ -24,17 +24,19 @@ in { "./bin/console --env=${app.environment} cache:clear --no-warmup" ]; phpOpenbasedir = [ "/tmp" ]; - phpPool = '' - php_admin_value[upload_max_filesize] = 20M - php_admin_value[post_max_size] = 20M - ;php_admin_flag[log_errors] = on - env[PATH] = ${lib.makeBinPath [ pkgs.apg pkgs.unzip ]} - pm = dynamic - pm.max_children = 20 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - ''; + phpPool = { + "php_admin_value[upload_max_filesize]" = "20M"; + "php_admin_value[post_max_size]" = "20M"; + #"php_admin_flag[log_errors]" = "on"; + "pm" = "dynamic"; + "pm.max_children" = "20"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "3"; + }; + phpEnv = { + PATH = lib.makeBinPath [ pkgs.apg pkgs.unzip ]; + }; phpWatchFiles = [ config.secrets.fullPaths."webapps/${app.environment}-piedsjaloux" ]; diff --git a/modules/private/websites/teliotortay/production.nix b/modules/private/websites/teliotortay/production.nix index 2c62d10..62762ec 100644 --- a/modules/private/websites/teliotortay/production.nix +++ b/modules/private/websites/teliotortay/production.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../commons/adminer.nix {}; + adminer = pkgs.callPackage ../commons/adminer.nix { inherit config; }; cfg = config.myServices.websites.telioTortay.production; varDir = "/var/lib/ftp/telio_tortay"; env = config.myEnv.websites.telioTortay; @@ -10,7 +10,7 @@ in { config = lib.mkIf cfg.enable { services.webstats.sites = [ { name = "telio-tortay.immae.eu"; } ]; - security.acme2.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; + security.acme.certs."ftp".extraDomains."telio-tortay.immae.eu" = null; system.activationScripts.telio-tortay = { deps = [ "httpd" ]; 
@@ -22,20 +22,19 @@ in { systemd.services.phpfpm-telio-tortay.after = lib.mkAfter [ "mysql.service" ]; systemd.services.phpfpm-telio-tortay.wants = [ "mysql.service" ]; services.phpfpm.pools.telio-tortay = { - listen = "/run/phpfpm/telio-tortay.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; - php_admin_value[open_basedir] = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp" - php_admin_value[session.save_path] = "/var/lib/php/sessions/telio-tortay" - ''; + "php_admin_value[open_basedir]" = "/var/lib/php/sessions/telio-tortay:${varDir}:/tmp"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/telio-tortay"; + }; phpOptions = config.services.phpfpm.phpOptions + '' disable_functions = "mail" extension=${pkgs.php}/lib/php/extensions/mysqli.so @@ -48,7 +47,7 @@ in { hosts = ["telio-tortay.immae.eu" "realistesmedia.fr" "www.realistesmedia.fr" ]; root = varDir; extraConfig = [ - adminer.apache.vhostConf + (adminer.apache.vhostConf null) '' Use Stats telio-tortay.immae.eu ServerAdmin ${env.server_admin} @@ -56,7 +55,7 @@ in { CustomLog "${varDir}/logs/access_log" combined - SetHandler "proxy:unix:/run/phpfpm/telio-tortay.sock|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.telio-tortay.socket}|fcgi://localhost" diff --git a/modules/private/websites/tools/cloud/default.nix b/modules/private/websites/tools/cloud/default.nix index 4785074..b9bb32f 100644 --- a/modules/private/websites/tools/cloud/default.nix +++ b/modules/private/websites/tools/cloud/default.nix 
@@ -10,37 +10,34 @@ let basedir = builtins.concatStringsSep ":" ( [ nextcloud varDir ] ++ builtins.attrValues pkgs.webapps.nextcloud-apps); - socket = "/var/run/phpfpm/nextcloud.sock"; phpConfig = '' extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so zend_extension=${pkgs.php}/lib/php/extensions/opcache.so ''; - pool = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - php_admin_value[output_buffering] = 0 - php_admin_value[max_execution_time] = 1800 - php_admin_value[zend_extension] = "opcache" - ;already enabled by default? - ;php_value[opcache.enable] = 1 - php_value[opcache.enable_cli] = 1 - php_value[opcache.interned_strings_buffer] = 8 - php_value[opcache.max_accelerated_files] = 10000 - php_value[opcache.memory_consumption] = 128 - php_value[opcache.save_comments] = 1 - php_value[opcache.revalidate_freq] = 1 - php_admin_value[memory_limit] = 512M + "php_admin_value[output_buffering]" = "0"; + "php_admin_value[max_execution_time]" = "1800"; + "php_admin_value[zend_extension]" = "opcache"; + #already enabled by default? 
+ #"php_value[opcache.enable]" = "1"; + "php_value[opcache.enable_cli]" = "1"; + "php_value[opcache.interned_strings_buffer]" = "8"; + "php_value[opcache.max_accelerated_files]" = "10000"; + "php_value[opcache.memory_consumption]" = "128"; + "php_value[opcache.save_comments]" = "1"; + "php_value[opcache.revalidate_freq]" = "1"; + "php_admin_value[memory_limit]" = "512M"; - php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; in { options.myServices.websites.tools.cloud = { @@ -71,7 +68,7 @@ in { CGIPassAuth on - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost" @@ -171,8 +168,9 @@ in { ''; services.phpfpm.pools.nextcloud = { - listen = phpFpm.socket; - extraConfig = phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = phpFpm.pool; phpOptions = config.services.phpfpm.phpOptions + phpFpm.phpConfig; }; diff --git a/modules/private/websites/tools/dav/davical.nix b/modules/private/websites/tools/dav/davical.nix index 5eb3fab..9d6cd21 100644 --- a/modules/private/websites/tools/dav/davical.nix +++ b/modules/private/websites/tools/dav/davical.nix @@ -73,7 +73,7 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_davical"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /davical "${root}" Alias /caldav.php "${root}/caldav.php" @@ -84,7 +84,7 @@ rec { CGIPassAuth on - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" RewriteEngine On 
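Review bot: the nextcloud socket owner and pool user are now declared in two separate hunks of this file, `"listen.owner" = "wwwrun"` in the `pool` attrset near the top and `user = "wwwrun"` on `services.phpfpm.pools.nextcloud` at the bottom, with nothing tying them together. If either literal is changed alone, php-fpm would run as one user while the socket is owned by another, which would likely surface only as proxy errors at runtime. Consider binding both to one `let` value, or deriving the settings entry from `config.services.phpfpm.pools.nextcloud.user`. The `#already enabled by default?` question has also survived the rewrite; this is a good moment to either drop that line or state the answer in the comment.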
@@ -111,28 +111,25 @@ rec { phpFpm = rec { serviceDeps = [ "postgresql.service" "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webapp "/var/secrets/webapps/dav-davical" awl ]; - socket = "/var/run/phpfpm/davical.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = dynamic - pm.max_children = 60 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 10 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "dynamic"; + "pm.max_children" = "60"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "10"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = DavicalPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/davical" - php_admin_value[include_path] = "${awl}/inc:${webapp}/inc" - php_admin_value[session.save_path] = "/var/lib/php/sessions/davical" - php_flag[magic_quotes_gpc] = Off - php_flag[register_globals] = Off - php_admin_value[error_reporting] = "E_ALL & ~E_NOTICE" - php_admin_value[default_charset] = "utf-8" - php_flag[magic_quotes_runtime] = Off - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "DavicalPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/davical"; + "php_admin_value[include_path]" = "${awl}/inc:${webapp}/inc"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/davical"; + "php_flag[magic_quotes_gpc]" = "Off"; + "php_flag[register_globals]" = "Off"; + "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE"; + "php_admin_value[default_charset]" = "utf-8"; + "php_flag[magic_quotes_runtime]" = "Off"; + }; }; } diff --git a/modules/private/websites/tools/dav/default.nix b/modules/private/websites/tools/dav/default.nix index 0012965..30a562c 100644 
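Review bot: `"php_flag[magic_quotes_gpc]"`, `"php_flag[register_globals]"` and `"php_flag[magic_quotes_runtime]"` are carried into the new `pool` attrset although these directives were removed from PHP in 5.4, so on the PHP this host appears to run (`pkgs.php` and `php73` elsewhere in the commit) they are most likely inert. Keeping them suggests the hardening is still doing something; either drop them or mark them with `# no-ops on PHP >= 5.4, kept for documentation only`. If davical itself still reads these ini values, a comment saying so would be the better justification.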
--- a/modules/private/websites/tools/dav/default.nix +++ b/modules/private/websites/tools/dav/default.nix @@ -38,14 +38,15 @@ in { root = "/run/current-system/webapps/_dav"; extraConfig = [ infcloud.vhostConf - davical.apache.vhostConf + (davical.apache.vhostConf config.services.phpfpm.pools.davical.socket) ]; }; services.phpfpm.pools = { davical = { - listen = davical.phpFpm.socket; - extraConfig = davical.phpFpm.pool; + user = config.services.httpd.Tools.user; + group = config.services.httpd.Tools.group; + settings = davical.phpFpm.pool; }; }; diff --git a/modules/private/websites/tools/db/default.nix b/modules/private/websites/tools/db/default.nix index 60592e5..fc8d989 100644 --- a/modules/private/websites/tools/db/default.nix +++ b/modules/private/websites/tools/db/default.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: let - adminer = pkgs.callPackage ../../commons/adminer.nix {}; + adminer = pkgs.callPackage ../../commons/adminer.nix { inherit config; }; cfg = config.myServices.websites.tools.db; in { @@ -15,7 +15,7 @@ in { addToCerts = true; hosts = ["db-1.immae.eu" ]; root = null; - extraConfig = [ adminer.apache.vhostConf ]; + extraConfig = [ (adminer.apache.vhostConf null) ]; }; }; } diff --git a/modules/private/websites/tools/git/default.nix b/modules/private/websites/tools/git/default.nix index 054e47b..56e4401 100644 --- a/modules/private/websites/tools/git/default.nix +++ b/modules/private/websites/tools/git/default.nix @@ -30,7 +30,7 @@ in { root = gitweb.apache.root; extraConfig = [ gitweb.apache.vhostConf - mantisbt.apache.vhostConf + (mantisbt.apache.vhostConf config.services.phpfpm.pools.mantisbt.socket) '' RewriteEngine on RewriteCond %{REQUEST_URI} ^/releases @@ -40,8 +40,9 @@ in { }; services.phpfpm.pools = { mantisbt = { - listen = mantisbt.phpFpm.socket; - extraConfig = mantisbt.phpFpm.pool; + user = config.services.httpd.Tools.user; + group = config.services.httpd.Tools.group; + settings = mantisbt.phpFpm.pool; }; }; }; 
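Review bot: the davical pool user now comes from `config.services.httpd.Tools.user` while the socket owner in `davical.phpFpm.pool` comes from davical's own `apache.user` (previous hunk), so two independent sources decide who runs the workers and who may connect to the socket. If they ever differ, the pool would start but Apache could not reach it, and nothing in this file asserts they agree. Either an assertion or passing the user into the pool definition, e.g. `settings = davical.phpFpm.pool // { "listen.owner" = config.services.httpd.Tools.user; };`, would make the coupling explicit. The same pattern appears in tools/git/default.nix below and in tools/mail/default.nix and tools/tools/default.nix, where `user = "wwwrun"` is repeated for every pool next to settings that use each module's `apache.user`.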
diff --git a/modules/private/websites/tools/git/mantisbt.nix b/modules/private/websites/tools/git/mantisbt.nix index d75b022..50851aa 100644 --- a/modules/private/websites/tools/git/mantisbt.nix +++ b/modules/private/websites/tools/git/mantisbt.nix @@ -53,12 +53,12 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_mantisbt"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /mantisbt "${root}" DirectoryIndex index.php - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" AllowOverride All @@ -76,20 +76,17 @@ rec { basedir = builtins.concatStringsSep ":" ( [ webRoot "/var/secrets/webapps/tools-mantisbt" ] ++ webRoot.plugins); - socket = "/var/run/phpfpm/mantisbt.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - php_admin_value[upload_max_filesize] = 5000000 + "php_admin_value[upload_max_filesize]" = "5000000"; - php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt" - php_admin_value[session.save_path] = "/var/lib/php/sessions/mantisbt" - ''; + "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/mantisbt"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/mantisbt"; + }; }; } diff --git a/modules/private/websites/tools/mail/default.nix b/modules/private/websites/tools/mail/default.nix index bb36042..1f7f7bf 100644 --- a/modules/private/websites/tools/mail/default.nix +++ b/modules/private/websites/tools/mail/default.nix 
@@ -6,6 +6,7 @@ let }; rainloop = pkgs.callPackage ./rainloop.nix {}; cfg = config.myServices.websites.tools.email; + pcfg = config.services.phpfpm.pools; in { options.myServices.websites.tools.email = { @@ -34,8 +35,8 @@ in hosts = ["mail.immae.eu"]; root = "/run/current-system/webapps/_mail"; extraConfig = [ - rainloop.apache.vhostConf - roundcubemail.apache.vhostConf + (rainloop.apache.vhostConf pcfg.rainloop.socket) + (roundcubemail.apache.vhostConf pcfg.roundcubemail.socket) '' Require all granted @@ -56,13 +57,15 @@ in }; services.phpfpm.pools.roundcubemail = { - listen = roundcubemail.phpFpm.socket; - extraConfig = roundcubemail.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = roundcubemail.phpFpm.pool; phpOptions = config.services.phpfpm.phpOptions + roundcubemail.phpFpm.phpConfig; }; services.phpfpm.pools.rainloop = { - listen = rainloop.phpFpm.socket; - extraConfig = rainloop.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = rainloop.phpFpm.pool; }; system.activationScripts = { roundcubemail = roundcubemail.activationScript; diff --git a/modules/private/websites/tools/mail/rainloop.nix b/modules/private/websites/tools/mail/rainloop.nix index 2dad46e..9b1f0c5 100644 --- a/modules/private/websites/tools/mail/rainloop.nix +++ b/modules/private/websites/tools/mail/rainloop.nix @@ -16,7 +16,7 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_rainloop"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /rainloop "${root}" DirectoryIndex index.php @@ -25,7 +25,7 @@ rec { Require all granted - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" 
@@ -37,22 +37,19 @@ rec { phpFpm = rec { serviceDeps = [ "postgresql.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; - socket = "/var/run/phpfpm/rainloop.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = RainloopPHPSESSID - php_admin_value[upload_max_filesize] = 200M - php_admin_value[post_max_size] = 200M - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "RainloopPHPSESSID"; + "php_admin_value[upload_max_filesize]" = "200M"; + "php_admin_value[post_max_size]" = "200M"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/mail/roundcubemail.nix b/modules/private/websites/tools/mail/roundcubemail.nix index 35de312..0b35d02 100644 --- a/modules/private/websites/tools/mail/roundcubemail.nix +++ b/modules/private/websites/tools/mail/roundcubemail.nix @@ -83,7 +83,7 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_roundcubemail"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /roundcube "${root}" DirectoryIndex index.php @@ -92,7 +92,7 @@ rec { Require all granted - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" ''; 
@@ -107,22 +107,19 @@ rec { date.timezone = 'CET' extension=${phpPackages.imagick}/lib/php/extensions/imagick.so ''; - socket = "/var/run/phpfpm/roundcubemail.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = RoundcubemailPHPSESSID - php_admin_value[upload_max_filesize] = 200M - php_admin_value[post_max_size] = 200M - php_admin_value[open_basedir] = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "RoundcubemailPHPSESSID"; + "php_admin_value[upload_max_filesize]" = "200M"; + "php_admin_value[post_max_size]" = "200M"; + "php_admin_value[open_basedir]" = "${basedir}:${apacheHttpd}/conf/mime.types:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/tools/adminer.nix b/modules/private/websites/tools/tools/adminer.nix index 907e37f..52a132c 100644 --- a/modules/private/websites/tools/tools/adminer.nix +++ b/modules/private/websites/tools/tools/adminer.nix @@ -1,4 +1,4 @@ -{ adminer }: +{ adminer, php73, forcePhpSocket ? null }: rec { activationScript = { deps = [ "httpd" ]; 
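Review bot: the new `forcePhpSocket ? null` parameter in adminer.nix is undocumented, and its meaning is only discoverable from the `SetHandler` line in a later hunk, where it overrides the `socket` argument given to `vhostConf`. A comment on the parameter, e.g. `# forcePhpSocket: when non-null, proxy to this php-fpm socket instead of the one passed to apache.vhostConf`, would save the reader that detour. The `php73` input likewise deserves a word on why adminer needs its own PHP build rather than the `pkgs.php` used by the other pools.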
@@ -9,22 +9,33 @@ rec { }; webRoot = adminer; phpFpm = rec { - socket = "/var/run/phpfpm/adminer.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 5 - pm.process_idle_timeout = 60 - ;php_admin_flag[log_errors] = on - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = AdminerPHPSESSID - php_admin_value[open_basedir] = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer" - php_admin_value[session.save_path] = "/var/lib/php/sessions/adminer" - php_admin_value[upload_tmp_dir] = "/var/lib/php/tmp/adminer" - ''; + user = apache.user; + group = apache.group; + phpPackage = (php73.override { + config.php.mysqlnd = true; + config.php.mysqli = false; + config.php.pdo-mysql = false; + }).overrideAttrs(old: rec { + configureFlags = old.configureFlags ++ [ + "--with-mysqli=shared,mysqlnd" + ]; + }); + phpOptions = '' + extension=${phpPackage}/lib/php/extensions/mysqli.so + ''; + settings = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "5"; + "pm.process_idle_timeout" = "60"; + #"php_admin_flag[log_errors]" = "on"; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "AdminerPHPSESSID"; + "php_admin_value[open_basedir]" = "${webRoot}:/tmp:/var/lib/php/sessions/adminer:/var/lib/php/tmp/adminer"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/adminer"; + "php_admin_value[upload_tmp_dir]" = "/var/lib/php/tmp/adminer"; + }; }; apache = rec { user = "wwwrun"; 
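Review bot: this pool pins `php73` with a custom mysqlnd/mysqli build while every other pool in the commit uses `pkgs.php`, and no comment says why; the reason, presumably that adminer's mysqli has to be built against mysqlnd given `--with-mysqli=shared,mysqlnd`, should be stated so the pin is revisited when 7.3 stops receiving fixes. `phpOptions` here is also a bare string whereas the other pools prepend `config.services.phpfpm.phpOptions`; since this file has no `config` in scope, that global prefix is dropped for adminer unless the phpfpm module adds it itself, which is worth checking. A comment such as `# pinned to php73: adminer's mysqli must be built against mysqlnd (see override below)` plus one noting the missing global phpOptions would close both gaps. The `rec` in `overrideAttrs(old: rec { ... })` is unused and can go.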
@@ -32,12 +43,12 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "_adminer"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /adminer ${root} DirectoryIndex index.php - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${if forcePhpSocket != null then forcePhpSocket else socket}|fcgi://localhost" Use LDAPConnect diff --git a/modules/private/websites/tools/tools/default.nix b/modules/private/websites/tools/tools/default.nix index 5dc0981..5e0d446 100644 --- a/modules/private/websites/tools/tools/default.nix +++ b/modules/private/websites/tools/tools/default.nix @@ -40,6 +40,7 @@ let }; cfg = config.myServices.websites.tools.tools; + pcfg = config.services.phpfpm.pools; in { options.myServices.websites.tools.tools = { enable = lib.mkEnableOption "enable tools website"; @@ -92,7 +93,7 @@ in { AllowOverride all Require all granted - SetHandler "proxy:unix:/var/run/phpfpm/devtools.sock|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.devtools.socket}|fcgi://localhost" '' 
@@ -115,21 +116,21 @@ in { AllowOverride all Require all granted - SetHandler "proxy:unix:/var/run/phpfpm/tools.sock|fcgi://localhost" + SetHandler "proxy:unix:${pcfg.tools.socket}|fcgi://localhost" '' - adminer.apache.vhostConf + (adminer.apache.vhostConf pcfg.adminer.socket) ympd.apache.vhostConf - ttrss.apache.vhostConf - wallabag.apache.vhostConf - yourls.apache.vhostConf - rompr.apache.vhostConf - shaarli.apache.vhostConf - dokuwiki.apache.vhostConf - ldap.apache.vhostConf - kanboard.apache.vhostConf - grocy.apache.vhostConf + (ttrss.apache.vhostConf pcfg.ttrss.socket) + (wallabag.apache.vhostConf pcfg.wallabag.socket) + (yourls.apache.vhostConf pcfg.yourls.socket) + (rompr.apache.vhostConf pcfg.rompr.socket) + (shaarli.apache.vhostConf pcfg.shaarli.socket) + (dokuwiki.apache.vhostConf pcfg.dokuwiki.socket) + (ldap.apache.vhostConf pcfg.ldap.socket) + (kanboard.apache.vhostConf pcfg.kanboard.socket) + (grocy.apache.vhostConf pcfg.grocy.socket) ]; }; 
@@ -226,38 +227,36 @@ in { services.phpfpm.pools = { tools = { - listen = "/var/run/phpfpm/tools.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = dynamic - pm.max_children = 60 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 10 + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; + "pm" = "dynamic"; + "pm.max_children" = "60"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "10"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = ToolsPHPSESSID - php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "ToolsPHPSESSID"; + "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/tools.immae.eu:/tmp"; + }; }; devtools = { - listen = "/var/run/phpfpm/devtools.sock"; - extraConfig = '' - user = wwwrun - group = wwwrun - listen.owner = wwwrun - listen.group = wwwrun - pm = dynamic - pm.max_children = 60 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 10 + user = "wwwrun"; + group = "wwwrun"; + settings = { + "listen.owner" = "wwwrun"; + "listen.group" = "wwwrun"; + "pm" = "dynamic"; + "pm.max_children" = "60"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "10"; - php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp" - ''; + "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:/var/lib/ftp/devtools.immae.eu:/tmp"; + }; phpOptions = config.services.phpfpm.phpOptions + '' extension=${pkgs.php}/lib/php/extensions/mysqli.so extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so 
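Review bot: the `tools` and `devtools` `settings` blocks are identical except for `open_basedir` and the session name, so a shared base attrset merged with `//` would keep the two pools from drifting; today every `pm.*` value has to be edited twice. Only the `tools` pool sets `"php_value[session.name]"`; if `devtools` is served under the same domain as the other tools, it falls back to the default PHPSESSID cookie name that the comment `Needed to avoid clashes in browser cookies (same domain)` warns about, so it should either get a session name of its own or a note saying why it does not need one.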
@@ -265,45 +264,51 @@ in { zend_extension=${pkgs.php}/lib/php/extensions/opcache.so ''; }; - adminer = { - listen = adminer.phpFpm.socket; - extraConfig = adminer.phpFpm.pool; - }; + adminer = adminer.phpFpm; ttrss = { - listen = ttrss.phpFpm.socket; - extraConfig = ttrss.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = ttrss.phpFpm.pool; }; wallabag = { - listen = wallabag.phpFpm.socket; - extraConfig = wallabag.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = wallabag.phpFpm.pool; }; yourls = { - listen = yourls.phpFpm.socket; - extraConfig = yourls.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = yourls.phpFpm.pool; }; rompr = { - listen = rompr.phpFpm.socket; - extraConfig = rompr.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = rompr.phpFpm.pool; }; shaarli = { - listen = shaarli.phpFpm.socket; - extraConfig = shaarli.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = shaarli.phpFpm.pool; }; dokuwiki = { - listen = dokuwiki.phpFpm.socket; - extraConfig = dokuwiki.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = dokuwiki.phpFpm.pool; }; ldap = { - listen = ldap.phpFpm.socket; - extraConfig = ldap.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = ldap.phpFpm.pool; }; kanboard = { - listen = kanboard.phpFpm.socket; - extraConfig = kanboard.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = kanboard.phpFpm.pool; }; grocy = { - listen = grocy.phpFpm.socket; - extraConfig = grocy.phpFpm.pool; + user = "wwwrun"; + group = "wwwrun"; + settings = grocy.phpFpm.pool; }; }; diff --git a/modules/private/websites/tools/tools/dokuwiki.nix b/modules/private/websites/tools/tools/dokuwiki.nix index d66e85d..26c04b7 100644 --- a/modules/private/websites/tools/tools/dokuwiki.nix +++ b/modules/private/websites/tools/tools/dokuwiki.nix 
@@ -26,12 +26,12 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_dokuwiki"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /dokuwiki "${root}" DirectoryIndex index.php - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" AllowOverride All @@ -44,20 +44,17 @@ rec { serviceDeps = [ "openldap.service" ]; basedir = builtins.concatStringsSep ":" ( [ webRoot varDir ] ++ webRoot.plugins); - socket = "/var/run/phpfpm/dokuwiki.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = DokuwikiPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "DokuwikiPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/tools/grocy.nix b/modules/private/websites/tools/tools/grocy.nix index 1b8da20..a98d8ac 100644 --- a/modules/private/websites/tools/tools/grocy.nix +++ b/modules/private/websites/tools/tools/grocy.nix @@ -18,12 +18,12 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_grocy"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /grocy "${root}" DirectoryIndex index.php - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" AllowOverride All 
@@ -35,21 +35,18 @@ rec { phpFpm = rec { basedir = builtins.concatStringsSep ":" ( [ grocy grocy.yarnModules varDir ]); - socket = "/var/run/phpfpm/grocy.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = grocyPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "grocyPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/tools/kanboard.nix b/modules/private/websites/tools/tools/kanboard.nix index 1880cbd..0f6fefc 100644 --- a/modules/private/websites/tools/tools/kanboard.nix +++ b/modules/private/websites/tools/tools/kanboard.nix @@ -49,7 +49,7 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_kanboard"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /kanboard "${root}" DirectoryIndex index.php @@ -58,7 +58,7 @@ rec { Require all granted - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" 
@@ -69,20 +69,17 @@ rec { phpFpm = rec { serviceDeps = [ "postgresql.service" "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot varDir "/var/secrets/webapps/tools-kanboard" ]; - socket = "/var/run/phpfpm/kanboard.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = KanboardPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "KanboardPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/tools/ldap.nix b/modules/private/websites/tools/tools/ldap.nix index e58a9bd..0c1a21f 100644 --- a/modules/private/websites/tools/tools/ldap.nix +++ b/modules/private/websites/tools/tools/ldap.nix @@ -39,12 +39,12 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_ldap"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /ldap "${root}" DirectoryIndex index.php - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" AllowOverride None 
@@ -55,20 +55,17 @@ rec { phpFpm = rec { serviceDeps = [ "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot "/var/secrets/webapps/tools-ldap" ]; - socket = "/var/run/phpfpm/ldap.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = LdapPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin" - php_admin_value[session.save_path] = "/var/lib/php/sessions/phpldapadmin" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "LdapPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; + }; }; } diff --git a/modules/private/websites/tools/tools/rompr.nix b/modules/private/websites/tools/tools/rompr.nix index 75adabe..106164c 100644 --- a/modules/private/websites/tools/tools/rompr.nix +++ b/modules/private/websites/tools/tools/rompr.nix @@ -15,7 +15,7 @@ rec { modules = [ "headers" "mime" "proxy_fcgi" ]; webappName = "tools_rompr"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /rompr ${root} @@ -29,7 +29,7 @@ rec { AddType image/x-icon .ico - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" 
@@ -51,29 +51,26 @@ rec { }; phpFpm = rec { basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; - socket = "/var/run/phpfpm/rompr.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = RomprPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - php_flag[magic_quotes_gpc] = Off - php_flag[track_vars] = On - php_flag[register_globals] = Off - php_admin_flag[allow_url_fopen] = On - php_value[include_path] = ${webRoot} - php_admin_value[upload_tmp_dir] = "${varDir}/prefs" - php_admin_value[post_max_size] = 32M - php_admin_value[upload_max_filesize] = 32M - php_admin_value[memory_limit] = 256M - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "RomprPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + "php_flag[magic_quotes_gpc]" = "Off"; + "php_flag[track_vars]" = "On"; + "php_flag[register_globals]" = "Off"; + "php_admin_flag[allow_url_fopen]" = "On"; + "php_value[include_path]" = "${webRoot}"; + "php_admin_value[upload_tmp_dir]" = "${varDir}/prefs"; + "php_admin_value[post_max_size]" = "32M"; + "php_admin_value[upload_max_filesize]" = "32M"; + "php_admin_value[memory_limit]" = "256M"; + }; }; } diff --git a/modules/private/websites/tools/tools/shaarli.nix b/modules/private/websites/tools/tools/shaarli.nix index 0a75755..950d296 100644 --- a/modules/private/websites/tools/tools/shaarli.nix +++ b/modules/private/websites/tools/tools/shaarli.nix 
@@ -17,7 +17,7 @@ in rec { modules = [ "proxy_fcgi" "rewrite" "env" ]; webappName = "tools_shaarli"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /Shaarli "${root}" Include /var/secrets/webapps/tools-shaarli @@ -27,7 +27,7 @@ in rec { AllowOverride All Require all granted - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" ''; @@ -48,20 +48,17 @@ in rec { phpFpm = rec { serviceDeps = [ "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webRoot varDir ]; - socket = "/var/run/phpfpm/shaarli.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = ShaarliPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "ShaarliPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/tools/ttrss.nix b/modules/private/websites/tools/tools/ttrss.nix index a8b2a93..48876d3 100644 --- a/modules/private/websites/tools/tools/ttrss.nix +++ b/modules/private/websites/tools/tools/ttrss.nix 
@@ -95,12 +95,12 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_ttrss"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /ttrss "${root}" DirectoryIndex index.php - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" AllowOverride All @@ -114,20 +114,17 @@ rec { basedir = builtins.concatStringsSep ":" ( [ webRoot "/var/secrets/webapps/tools-ttrss" varDir ] ++ webRoot.plugins); - socket = "/var/run/phpfpm/ttrss.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 - - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = TtrssPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp" - php_admin_value[session.save_path] = "${varDir}/phpSessions" - ''; + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; + + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "TtrssPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp"; + "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; + }; }; } diff --git a/modules/private/websites/tools/tools/wallabag.nix b/modules/private/websites/tools/tools/wallabag.nix index 014d8a1..00e2dc9 100644 --- a/modules/private/websites/tools/tools/wallabag.nix +++ b/modules/private/websites/tools/tools/wallabag.nix @@ -82,7 +82,7 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_wallabag"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /wallabag "${root}" AllowOverride None @@ -91,7 +91,7 @@ rec { CGIPassAuth On - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" 
@@ -129,22 +129,19 @@ rec { ''; serviceDeps = [ "postgresql.service" "openldap.service" ]; basedir = builtins.concatStringsSep ":" [ webappDir "/var/secrets/webapps/tools-wallabag" varDir ]; - socket = "/var/run/phpfpm/wallabag.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = dynamic - pm.max_children = 60 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 10 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "dynamic"; + "pm.max_children" = "60"; + "pm.start_servers" = "2"; + "pm.min_spare_servers" = "1"; + "pm.max_spare_servers" = "10"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = WallabagPHPSESSID - php_admin_value[open_basedir] = "/run/wrappers/bin/sendmail:${basedir}:/tmp" - php_value[max_execution_time] = 300 - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "WallabagPHPSESSID"; + "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/tmp"; + "php_value[max_execution_time]" = "300"; + }; }; } diff --git a/modules/private/websites/tools/tools/yourls.nix b/modules/private/websites/tools/tools/yourls.nix index 466ceae..cb03b6c 100644 --- a/modules/private/websites/tools/tools/yourls.nix +++ b/modules/private/websites/tools/tools/yourls.nix @@ -48,11 +48,11 @@ rec { modules = [ "proxy_fcgi" ]; webappName = "tools_yourls"; root = "/run/current-system/webapps/${webappName}"; - vhostConf = '' + vhostConf = socket: '' Alias /url "${root}" - SetHandler "proxy:unix:${phpFpm.socket}|fcgi://localhost" + SetHandler "proxy:unix:${socket}|fcgi://localhost" AllowOverride None 
@@ -73,20 +73,17 @@ rec { basedir = builtins.concatStringsSep ":" ( [ webRoot "/var/secrets/webapps/tools-yourls" ] ++ webRoot.plugins); - socket = "/var/run/phpfpm/yourls.sock"; - pool = '' - user = ${apache.user} - group = ${apache.group} - listen.owner = ${apache.user} - listen.group = ${apache.group} - pm = ondemand - pm.max_children = 60 - pm.process_idle_timeout = 60 + pool = { + "listen.owner" = apache.user; + "listen.group" = apache.group; + "pm" = "ondemand"; + "pm.max_children" = "60"; + "pm.process_idle_timeout" = "60"; - ; Needed to avoid clashes in browser cookies (same domain) - php_value[session.name] = YourlsPHPSESSID - php_admin_value[open_basedir] = "${basedir}:/tmp:/var/lib/php/sessions/yourls" - php_admin_value[session.save_path] = "/var/lib/php/sessions/yourls" - ''; + # Needed to avoid clashes in browser cookies (same domain) + "php_value[session.name]" = "YourlsPHPSESSID"; + "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/yourls"; + "php_admin_value[session.save_path]" = "/var/lib/php/sessions/yourls"; + }; }; } diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix index eed9e3f..68531cf 100644 --- a/modules/webapps/mastodon.nix +++ b/modules/webapps/mastodon.nix @@ -27,7 +27,7 @@ in ''; }; socketsPrefix = lib.mkOption { - type = lib.types.string; + type = lib.types.str; default = "live"; description = '' The prefix to use for Mastodon sockets. diff --git a/modules/webapps/webstats/default.nix b/modules/webapps/webstats/default.nix index e822645..fe5f068 100644 --- a/modules/webapps/webstats/default.nix +++ b/modules/webapps/webstats/default.nix @@ -23,7 +23,7 @@ in { ''; }; name = lib.mkOption { - type = lib.types.string; + type = lib.types.str; description = '' Domain name. Corresponds to the Apache file name and the folder name in which the state will be saved. diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 767a7b2..3f46e65 100644 --- a/modules/websites/default.nix 
+++ b/modules/websites/default.nix @@ -38,7 +38,7 @@ in description = "Name of the httpd instance to assign this type to"; }; ips = mkOption { - type = listOf string; + type = listOf str; default = []; description = "ips to listen to"; }; @@ -59,7 +59,7 @@ in options = { enable = mkEnableOption "Add default no-ssl vhost for this instance"; host = mkOption { - type = string; + type = str; description = "The hostname to use for this vhost"; }; root = mkOption { @@ -68,7 +68,7 @@ in description = "The root folder to serve"; }; indexFile = mkOption { - type = string; + type = str; default = "index.html"; description = "The index file to show."; }; @@ -79,8 +79,8 @@ in description = "The fallback vhost that will be defined as first vhost in Apache"; type = submodule { options = { - certName = mkOption { type = string; }; - hosts = mkOption { type = listOf string; }; + certName = mkOption { type = str; }; + hosts = mkOption { type = listOf str; }; root = mkOption { type = nullOr path; }; extraConfig = mkOption { type = listOf lines; default = []; }; }; @@ -91,7 +91,7 @@ in description = "List of no ssl vhosts to define for Apache"; type = attrsOf (submodule { options = { - hosts = mkOption { type = listOf string; }; + hosts = mkOption { type = listOf str; }; root = mkOption { type = nullOr path; }; extraConfig = mkOption { type = listOf lines; default = []; }; }; 
@@ -102,25 +102,25 @@ in description = "List of vhosts to define for Apache"; type = attrsOf (submodule { options = { - certName = mkOption { type = string; }; + certName = mkOption { type = str; }; addToCerts = mkOption { type = bool; default = false; description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null"; }; certMainHost = mkOption { - type = nullOr string; + type = nullOr str; description = "Use that host as 'main host' for acme certs"; default = null; }; - hosts = mkOption { type = listOf string; }; + hosts = mkOption { type = listOf str; }; root = mkOption { type = nullOr path; }; extraConfig = mkOption { type = listOf lines; default = []; }; }; }); }; watchPaths = mkOption { - type = listOf string; + type = listOf str; default = []; description = '' Paths to watch that should trigger a reload of httpd @@ -178,9 +178,9 @@ in }; toVhost = ips: vhostConf: { enableSSL = true; - sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem"; - sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem"; - sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem"; + sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem"; + sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem"; + sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem"; logFormat = "combinedVhost"; listen = map (ip: { inherit ip; port = 443; }) ips; hostName = builtins.head vhostConf.hosts; @@ -231,7 +231,7 @@ in } ) cfg.env; - config.security.acme2.certs = let + config.security.acme.certs = let typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env; flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v: attrValues v.vhostConfs 
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix index d049202..f0208ab 100644 --- a/modules/websites/httpd-service-builder.nix +++ b/modules/websites/httpd-service-builder.nix @@ -11,8 +11,6 @@ let httpd = mainCfg.package.out; - version24 = !versionOlder httpd.version "2.4"; - httpdConf = mainCfg.configFile; php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ }; @@ -26,10 +24,9 @@ let else [{ip = "*"; port = 80;}]; getListen = cfg: - let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen; - in if list == [] - then defaultListen cfg - else list; + if cfg.listen == [] + then defaultListen cfg + else cfg.listen; listenToString = l: "${l.ip}:${toString l.port}"; @@ -110,11 +107,10 @@ let "auth_basic" "auth_digest" # Authentication: is the user who he claims to be? - "authn_file" "authn_dbm" "authn_anon" - (if version24 then "authn_core" else "authn_alias") + "authn_file" "authn_dbm" "authn_anon" "authn_core" # Authorization: is the user allowed access? - "authz_user" "authz_groupfile" "authz_host" + "authz_user" "authz_groupfile" "authz_host" "authz_core" # Other modules. "ext_filter" "include" "log_config" "env" "mime_magic" @@ -122,14 +118,9 @@ let "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs" "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling" "userdir" "alias" "rewrite" "proxy" "proxy_http" - ] - ++ optionals version24 [ + "unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb" "mpm_${mainCfg.multiProcessingModule}" - "authz_core" - "unixd" - "cache" "cache_disk" - "slotmem_shm" - "socache_shmcb" + # For compatibility with old configurations, the new module mod_access_compat is provided. "access_compat" ] 
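Review bot: `getListen` no longer consults `cfg.port`, and the `@@ -663` hunk further down replaces the `port` deprecation warning with one about `extraSubservices`, so a host that still sets `port` is now silently ignored and falls back to `defaultListen` with nothing telling the operator that httpd is bound somewhere other than configured. If the `port` option still exists on the host submodule (its definition is outside these hunks), keep a warning such as `warnings = map (cfg: "apache-httpd's port option is ignored; use listen = [{ port = ${toString cfg.port}; }]") (lib.filter (cfg: cfg.port != 0) allHosts) ++ …`, or remove the option so evaluation fails loudly. The `let` block enclosing `getListen` starts outside this hunk.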
@@ -138,19 +129,8 @@ let ++ extraApacheModules; - allDenied = if version24 then '' - Require all denied - '' else '' - Order deny,allow - Deny from all - ''; - - allGranted = if version24 then '' - Require all granted - '' else '' - Order allow,deny - Allow from all - ''; + allDenied = "Require all denied"; + allGranted = "Require all granted"; loggingConf = (if mainCfg.logFormat != "none" then '' @@ -183,9 +163,9 @@ let sslConf = '' - SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000) + SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000) - ${if version24 then "Mutex" else "SSLMutex"} posixsem + Mutex posixsem SSLRandomSeed startup builtin SSLRandomSeed connect builtin @@ -325,9 +305,7 @@ let ServerRoot ${httpd} - ${optionalString version24 '' - DefaultRuntimeDir ${mainCfg.stateDir}/runtime - ''} + DefaultRuntimeDir ${mainCfg.stateDir}/runtime PidFile ${mainCfg.stateDir}/httpd.pid @@ -361,7 +339,7 @@ let ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; } ++ concatMap (svc: svc.extraModules) allSubservices ++ extraForeignModules; - in concatMapStrings load allModules + in concatMapStrings load (unique allModules) } AddHandler type-map var @@ -393,14 +371,6 @@ let # Generate directives for the main server. ${perServerConf true mainCfg} - # Always enable virtual hosts; it doesn't seem to hurt. - ${let - listen = concatMap getListen allHosts; - uniqueListen = uniqList {inputList = listen;}; - directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen; - in optionalString (!version24) directives - } - ${let makeVirtualHost = vhost: '' 
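Review bot: With the 2.2 branches removed and `allDenied`/`allGranted` now emitting `Require` directives, keeping `"access_compat"` in the default module list only serves snippets that still use `Order`/`Allow`/`Deny`, and the Apache 2.4 documentation warns that mixing the two families in one scope gives unexpected results. Consider auditing the vhost templates for legacy directives and dropping `access_compat` once none remain, so a stray `Allow from all` is rejected at config test instead of silently taking effect; if it must stay, say why in the comment, e.g. `# Still needed: <which snippet> uses Order/Allow/Deny`. The module list is part of a `let` binding that starts outside this hunk.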
@@ -663,7 +633,7 @@ in message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; } ]; - warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts); + warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts); users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton { name = "wwwrun"; @@ -686,7 +656,7 @@ in ; Don't advertise PHP expose_php = off - '' + optionalString (!isNull config.time.timeZone) '' + '' + optionalString (config.time.timeZone != null) '' ; Apparently PHP doesn't use $TZ. date.timezone = "${config.time.timeZone}" @@ -713,10 +683,10 @@ in '' mkdir -m 0750 -p ${mainCfg.stateDir} [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir} - ${optionalString version24 '' - mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" - [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" - ''} + + mkdir -m 0750 -p "${mainCfg.stateDir}/runtime" + [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime" + mkdir -m 0700 -p ${mainCfg.logDir} # Get rid of old semaphores. These tend to accumulate across diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix index 8ad7a0d..20e2a5d 100644 --- a/modules/websites/php-application.nix +++ b/modules/websites/php-application.nix 
@@ -44,10 +44,15 @@ in description = "Name of the socket to listen to. Defaults to app name if null"; }; phpPool = mkOption { - type = lines; - default = ""; + type = attrsOf str; + default = {}; description = "Pool configuration to append"; }; + phpEnv = mkOption { + type = attrsOf str; + default = {}; + description = "Pool environment to append"; + }; phpOptions = mkOption { type = lines; default = ""; @@ -135,7 +140,7 @@ in services.phpApplication.phpListenPaths = mkOption { type = attrsOf path; default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair - name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock" + name config.services.phpfpm.pools."${name}".socket ) cfg.apps; readOnly = true; description = '' @@ -162,17 +167,17 @@ in services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair name { - listen = cfg.phpListenPaths."${name}"; - extraConfig = '' - user = ${icfg.httpdUser} - group = ${icfg.httpdGroup} - listen.owner = ${icfg.httpdUser} - listen.group = ${icfg.httpdGroup} - ${optionalString (icfg.phpSession) '' - php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''} - php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir)}" - '' + icfg.phpPool; + user = icfg.httpdUser; + group = icfg.httpdUser; + settings = { + "listen.owner" = icfg.httpdUser; + "listen.group" = icfg.httpdGroup; + "php_admin_value[open_basedir]" = builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir); + } + // optionalAttrs (icfg.phpSession) { "php_admin_value[session.save_path]" = "${icfg.varDir}/phpSessions"; } + // icfg.phpPool; phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions; + inherit (icfg) phpEnv; } ) cfg.apps; -- cgit v1.2.3
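Review bot: The new `phpListenPaths` default derives the socket from `config.services.phpfpm.pools."${name}".socket`, so the option described as "Name of the socket to listen to. Defaults to app name if null" (presumably `phpListen`, which the removed line read) is no longer consulted here and, unless it is read somewhere outside this hunk, setting it now has no effect. Either remove the option or mark it as ignored, e.g. `description = "Deprecated: the socket path is now determined by services.phpfpm.pools.<name>.socket";`, so operators do not expect a custom socket path that never materialises.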
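Review bot: `group = icfg.httpdUser;` in the new pool definition looks like a copy-paste slip: the removed line set `group = ${icfg.httpdGroup}`, and `"listen.group"` two lines below still uses `icfg.httpdGroup`. As written the FPM workers run under the group named after the httpd user, which breaks the user/group split whenever the two names differ and would make pool startup fail if no group by that name exists. Change it to `group = icfg.httpdGroup;`.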