authorIsmaël Bouya <ismael.bouya@normalesup.org>2020-03-25 11:57:48 +0100
committerIsmaël Bouya <ismael.bouya@normalesup.org>2020-04-25 00:04:53 +0200
commit72300eb8116c960935a462564d96db6fac355bca (patch)
treeda182278dc7b1a39c287cc701cff73df2b44fc52 /modules/websites
parent22e09a87fb538a0eaf81837750b0948f26f79cf1 (diff)
Upgrade nixos
Diffstat (limited to 'modules/websites')
-rw-r--r--modules/websites/default.nix28
-rw-r--r--modules/websites/httpd-service-builder.nix68
-rw-r--r--modules/websites/php-application.nix31
3 files changed, 51 insertions, 76 deletions
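--- a/modules/websites/default.nix
+++ b/modules/websites/default.nix
@@ -38,7 +38,7 @@ in
 description = "Name of the httpd instance to assign this type to";
 };
 ips = mkOption {
-type = listOf string;
+type = listOf str;
 default = [];
 description = "ips to listen to";
 };
@@ -59,7 +59,7 @@ in
 options = {
 enable = mkEnableOption "Add default no-ssl vhost for this instance";
 host = mkOption {
-type = string;
+type = str;
 description = "The hostname to use for this vhost";
 };
 root = mkOption {
@@ -68,7 +68,7 @@ in
 description = "The root folder to serve";
 };
 indexFile = mkOption {
-type = string;
+type = str;
 default = "index.html";
 description = "The index file to show.";
 };
@@ -79,8 +79,8 @@ in
 description = "The fallback vhost that will be defined as first vhost in Apache";
 type = submodule {
 options = {
-certName = mkOption { type = string; };
-hosts = mkOption { type = listOf string; };
+certName = mkOption { type = str; };
+hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
@@ -91,7 +91,7 @@ in
 description = "List of no ssl vhosts to define for Apache";
 type = attrsOf (submodule {
 options = {
-hosts = mkOption { type = listOf string; };
+hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
@@ -102,25 +102,25 @@ in
 description = "List of vhosts to define for Apache";
 type = attrsOf (submodule {
 options = {
-certName = mkOption { type = string; };
+certName = mkOption { type = str; };
 addToCerts = mkOption {
 type = bool;
 default = false;
 description = "Use these to certificates. Is ignored (considered true) if certMainHost is not null";
 };
 certMainHost = mkOption {
-type = nullOr string;
+type = nullOr str;
 description = "Use that host as 'main host' for acme certs";
 default = null;
 };
-hosts = mkOption { type = listOf string; };
+hosts = mkOption { type = listOf str; };
 root = mkOption { type = nullOr path; };
 extraConfig = mkOption { type = listOf lines; default = []; };
 };
 });
 };
 watchPaths = mkOption {
-type = listOf string;
+type = listOf str;
 default = [];
 description = ''
 Paths to watch that should trigger a reload of httpd
@@ -178,9 +178,9 @@ in
 };
 toVhost = ips: vhostConf: {
 enableSSL = true;
-sslServerCert = "${config.security.acme2.certs."${vhostConf.certName}".directory}/cert.pem";
-sslServerKey = "${config.security.acme2.certs."${vhostConf.certName}".directory}/key.pem";
-sslServerChain = "${config.security.acme2.certs."${vhostConf.certName}".directory}/chain.pem";
+sslServerCert = "${config.security.acme.certs."${vhostConf.certName}".directory}/cert.pem";
+sslServerKey = "${config.security.acme.certs."${vhostConf.certName}".directory}/key.pem";
+sslServerChain = "${config.security.acme.certs."${vhostConf.certName}".directory}/chain.pem";
 logFormat = "combinedVhost";
 listen = map (ip: { inherit ip; port = 443; }) ips;
 hostName = builtins.head vhostConf.hosts;
@@ -231,7 +231,7 @@ in
 }
 ) cfg.env;
 
-config.security.acme2.certs = let
+config.security.acme.certs = let
 typesToManage = attrsets.filterAttrs (k: v: v.enable) cfg.env;
 flatVhosts = lists.flatten (attrsets.mapAttrsToList (k: v:
 attrValues v.vhostConfs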
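--- a/modules/websites/httpd-service-builder.nix
+++ b/modules/websites/httpd-service-builder.nix
@@ -11,8 +11,6 @@ let
 
 httpd = mainCfg.package.out;
 
-version24 = !versionOlder httpd.version "2.4";
-
 httpdConf = mainCfg.configFile;
 
 php = mainCfg.phpPackage.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
@@ -26,10 +24,9 @@ let
 else [{ip = "*"; port = 80;}];
 
 getListen = cfg:
-let list = (lib.optional (cfg.port != 0) {ip = "*"; port = cfg.port;}) ++ cfg.listen;
-in if list == []
-then defaultListen cfg
-else list;
+if cfg.listen == []
+then defaultListen cfg
+else cfg.listen;
 
 listenToString = l: "${l.ip}:${toString l.port}";
 
@@ -110,11 +107,10 @@ let
 "auth_basic" "auth_digest"
 
 # Authentication: is the user who he claims to be?
-"authn_file" "authn_dbm" "authn_anon"
-(if version24 then "authn_core" else "authn_alias")
+"authn_file" "authn_dbm" "authn_anon" "authn_core"
 
 # Authorization: is the user allowed access?
-"authz_user" "authz_groupfile" "authz_host"
+"authz_user" "authz_groupfile" "authz_host" "authz_core"
 
 # Other modules.
 "ext_filter" "include" "log_config" "env" "mime_magic"
@@ -122,14 +118,9 @@ let
 "mime" "dav" "status" "autoindex" "asis" "info" "dav_fs"
 "vhost_alias" "negotiation" "dir" "imagemap" "actions" "speling"
 "userdir" "alias" "rewrite" "proxy" "proxy_http"
-]
-++ optionals version24 [
+"unixd" "cache" "cache_disk" "slotmem_shm" "socache_shmcb"
 "mpm_${mainCfg.multiProcessingModule}"
-"authz_core"
-"unixd"
-"cache" "cache_disk"
-"slotmem_shm"
-"socache_shmcb"
+
 # For compatibility with old configurations, the new module mod_access_compat is provided.
 "access_compat"
 ]
@@ -138,19 +129,8 @@ let
 ++ extraApacheModules;
 
 
-allDenied = if version24 then ''
-Require all denied
-'' else ''
-Order deny,allow
-Deny from all
-'';
-
-allGranted = if version24 then ''
-Require all granted
-'' else ''
-Order allow,deny
-Allow from all
-'';
+allDenied = "Require all denied";
+allGranted = "Require all granted";
 
 
 loggingConf = (if mainCfg.logFormat != "none" then ''
@@ -183,9 +163,9 @@ let
 
 
 sslConf = ''
-SSLSessionCache ${if version24 then "shmcb" else "shm"}:${mainCfg.stateDir}/ssl_scache(512000)
+SSLSessionCache shmcb:${mainCfg.stateDir}/ssl_scache(512000)
 
-${if version24 then "Mutex" else "SSLMutex"} posixsem
+Mutex posixsem
 
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
@@ -325,9 +305,7 @@ let
 
 ServerRoot ${httpd}
 
-${optionalString version24 ''
-DefaultRuntimeDir ${mainCfg.stateDir}/runtime
-''}
+DefaultRuntimeDir ${mainCfg.stateDir}/runtime
 
 PidFile ${mainCfg.stateDir}/httpd.pid
 
@@ -361,7 +339,7 @@ let
 ++ optional enablePerl { name = "perl"; path = "${mod_perl}/modules/mod_perl.so"; }
 ++ concatMap (svc: svc.extraModules) allSubservices
 ++ extraForeignModules;
-in concatMapStrings load allModules
+in concatMapStrings load (unique allModules)
 }
 
 AddHandler type-map var
@@ -393,14 +371,6 @@ let
 # Generate directives for the main server.
 ${perServerConf true mainCfg}
 
-# Always enable virtual hosts; it doesn't seem to hurt.
-${let
-listen = concatMap getListen allHosts;
-uniqueListen = uniqList {inputList = listen;};
-directives = concatMapStrings (listen: "NameVirtualHost ${listenToString listen}\n") uniqueListen;
-in optionalString (!version24) directives
-}
-
 ${let
 makeVirtualHost = vhost: ''
 <VirtualHost ${concatStringsSep " " (map listenToString (getListen vhost))}>
@@ -663,7 +633,7 @@ in
 message = "SSL is enabled for httpd, but sslServerCert and/or sslServerKey haven't been specified."; }
 ];
 
-warnings = map (cfg: ''apache-httpd's port option is deprecated. Use listen = [{/*ip = "*"; */ port = ${toString cfg.port};}]; instead'' ) (lib.filter (cfg: cfg.port != 0) allHosts);
+warnings = map (cfg: "apache-httpd's extraSubservices option is deprecated. Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.") (lib.filter (cfg: cfg.extraSubservices != []) allHosts);
 
 users.users = optionalAttrs (withUsers && mainCfg.user == "wwwrun") (singleton
 { name = "wwwrun";
@@ -686,7 +656,7 @@ in
 
 ; Don't advertise PHP
 expose_php = off
-'' + optionalString (!isNull config.time.timeZone) ''
+'' + optionalString (config.time.timeZone != null) ''
 
 ; Apparently PHP doesn't use $TZ.
 date.timezone = "${config.time.timeZone}"
@@ -713,10 +683,10 @@ in
 ''
 mkdir -m 0750 -p ${mainCfg.stateDir}
 [ $(id -u) != 0 ] || chown root.${mainCfg.group} ${mainCfg.stateDir}
-${optionalString version24 ''
+
 mkdir -m 0750 -p "${mainCfg.stateDir}/runtime"
 [ $(id -u) != 0 ] || chown root.${mainCfg.group} "${mainCfg.stateDir}/runtime"
-''}
+
 mkdir -m 0700 -p ${mainCfg.logDir}
 
 # Get rid of old semaphores. These tend to accumulate across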
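Review bot: The new `getListen` (hunk at old line 28) no longer reads `cfg.port` at all, and the `warnings` hunk (old line 666) replaces the deprecation warning that used to fire on `cfg.port != 0`, so if the `port` option is still declared in this module's option set (not visible in this diff) a configured port is now silently ignored: no listener is generated and no warning is emitted. Either keep the `lib.filter (cfg: cfg.port != 0)` warning alongside the new extraSubservices one, or retire the option explicitly with `mkRemovedOptionModule` so evaluation fails loudly. Separately, `allDenied`/`allGranted` (hunk at old line 141) changed from `''…''` strings ending in a newline to plain strings with no trailing newline; any consumer outside this diff that concatenates them directly with a following directive would now merge two directives onto one line, which silently weakens the generated access control, so the call sites are worth checking.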
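--- a/modules/websites/php-application.nix
+++ b/modules/websites/php-application.nix
@@ -44,10 +44,15 @@ in
 description = "Name of the socket to listen to. Defaults to app name if null";
 };
 phpPool = mkOption {
-type = lines;
-default = "";
+type = attrsOf str;
+default = {};
 description = "Pool configuration to append";
 };
+phpEnv = mkOption {
+type = attrsOf str;
+default = {};
+description = "Pool environment to append";
+};
 phpOptions = mkOption {
 type = lines;
 default = "";
@@ -135,7 +140,7 @@ in
 services.phpApplication.phpListenPaths = mkOption {
 type = attrsOf path;
 default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
-name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock"
+name config.services.phpfpm.pools."${name}".socket
 ) cfg.apps;
 readOnly = true;
 description = ''
@@ -162,17 +167,17 @@ in
 
 services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair
 name {
-listen = cfg.phpListenPaths."${name}";
-extraConfig = ''
-user = ${icfg.httpdUser}
-group = ${icfg.httpdGroup}
-listen.owner = ${icfg.httpdUser}
-listen.group = ${icfg.httpdGroup}
-${optionalString (icfg.phpSession) ''
-php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''}
-php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir)}"
-'' + icfg.phpPool;
+user = icfg.httpdUser;
+group = icfg.httpdUser;
+settings = {
+"listen.owner" = icfg.httpdUser;
+"listen.group" = icfg.httpdGroup;
+"php_admin_value[open_basedir]" = builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpWatchFiles ++ icfg.phpOpenbasedir);
+}
+// optionalAttrs (icfg.phpSession) { "php_admin_value[session.save_path]" = "${icfg.varDir}/phpSessions"; }
+// icfg.phpPool;
 phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions;
+inherit (icfg) phpEnv;
 }
 ) cfg.apps;
 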
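Review bot: `group = icfg.httpdUser;` in the pools hunk (new line 171) looks like a typo: the removed `extraConfig` set `group = ${icfg.httpdGroup}`, and the neighbouring `"listen.group" = icfg.httpdGroup;` still uses the group option, so the pool workers now run under the user's primary group instead of the configured httpd group; it should read `group = icfg.httpdGroup;`. In the same attribute set, `// icfg.phpPool` is merged last, so any key a caller puts in `phpPool` (now `attrsOf str`) silently replaces `listen.owner`, `listen.group` and `php_admin_value[open_basedir]` rather than being appended as the option description "Pool configuration to append" suggests; either merge `icfg.phpPool` first so the module's hardening keys win, or update the description to say later keys override. The `phpListenPaths` default (new line 143) now takes the socket from `config.services.phpfpm.pools."${name}".socket`, which presumably leaves the `phpListen` option unused by this module — if nothing else reads it, it should be documented or removed.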