diff options
Diffstat (limited to 'modules')
-rw-r--r-- | modules/secrets.nix | 9 | ||||
-rw-r--r-- | modules/websites/default.nix | 19 | ||||
-rw-r--r-- | modules/websites/php-application.nix | 101 |
3 files changed, 103 insertions, 26 deletions
diff --git a/modules/secrets.nix b/modules/secrets.nix index 808b15c5..a2424e92 100644 --- a/modules/secrets.nix +++ b/modules/secrets.nix | |||
@@ -11,7 +11,16 @@ | |||
11 | default = "/var/secrets"; | 11 | default = "/var/secrets"; |
12 | description = "Location where to put the keys"; | 12 | description = "Location where to put the keys"; |
13 | }; | 13 | }; |
14 | # Read-only variables | ||
15 | fullPaths = lib.mkOption { | ||
16 | type = lib.types.attrsOf lib.types.path; | ||
17 | default = builtins.listToAttrs | ||
18 | (map (v: { name = v.dest; value = "${config.secrets.location}/${v.dest}"; }) config.secrets.keys); | ||
19 | readOnly = true; | ||
20 | description = "set of full paths to secrets"; | ||
21 | }; | ||
14 | }; | 22 | }; |
23 | |||
15 | config = let | 24 | config = let |
16 | location = config.secrets.location; | 25 | location = config.secrets.location; |
17 | keys = config.secrets.keys; | 26 | keys = config.secrets.keys; |
diff --git a/modules/websites/default.nix b/modules/websites/default.nix index ef79cb3c..043fc6ec 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix | |||
@@ -23,14 +23,6 @@ in | |||
23 | Name of the webapp dir to create in /run/current-system | 23 | Name of the webapp dir to create in /run/current-system |
24 | ''; | 24 | ''; |
25 | }; | 25 | }; |
26 | webappDirsPath = mkOption { | ||
27 | type = str; | ||
28 | readOnly = true; | ||
29 | description = '' | ||
30 | Full path of the webapp dir | ||
31 | ''; | ||
32 | default = "/run/current-system/${cfg.webappDirsName}"; | ||
33 | }; | ||
34 | env = mkOption { | 26 | env = mkOption { |
35 | default = {}; | 27 | default = {}; |
36 | description = "Each type of website to enable will target a distinct httpd server"; | 28 | description = "Each type of website to enable will target a distinct httpd server"; |
@@ -126,6 +118,17 @@ in | |||
126 | }; | 118 | }; |
127 | }); | 119 | }); |
128 | }; | 120 | }; |
121 | # Readonly variables | ||
122 | webappDirsPaths = mkOption { | ||
123 | type = attrsOf path; | ||
124 | readOnly = true; | ||
125 | description = '' | ||
126 | Full paths of the webapp dir | ||
127 | ''; | ||
128 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | ||
129 | name "/run/current-system/${cfg.webappDirsName}/${name}" | ||
130 | ) cfg.webappDirs; | ||
131 | }; | ||
129 | }; | 132 | }; |
130 | 133 | ||
131 | config.services.httpd = let | 134 | config.services.httpd = let |
diff --git a/modules/websites/php-application.nix b/modules/websites/php-application.nix index 765d4067..1bc4872e 100644 --- a/modules/websites/php-application.nix +++ b/modules/websites/php-application.nix | |||
@@ -2,11 +2,11 @@ | |||
2 | with lib; | 2 | with lib; |
3 | let | 3 | let |
4 | cfg = config.services.phpApplication; | 4 | cfg = config.services.phpApplication; |
5 | cfgByEnv = lists.groupBy (x: x.websiteEnv) (builtins.attrValues cfg); | 5 | cfgByEnv = lists.groupBy (x: x.websiteEnv) (builtins.attrValues cfg.apps); |
6 | in | 6 | in |
7 | { | 7 | { |
8 | options = { | 8 | options = with types; { |
9 | services.phpApplication = with types; mkOption { | 9 | services.phpApplication.apps = mkOption { |
10 | default = {}; | 10 | default = {}; |
11 | description = '' | 11 | description = '' |
12 | php applications to define | 12 | php applications to define |
@@ -31,6 +31,35 @@ in | |||
31 | default = true; | 31 | default = true; |
32 | description = "Handle phpsession files separately in vardir"; | 32 | description = "Handle phpsession files separately in vardir"; |
33 | }; | 33 | }; |
34 | phpListen = mkOption { | ||
35 | type = nullOr str; | ||
36 | default = null; | ||
37 | description = "Name of the socket to listen to. Defaults to app name if null"; | ||
38 | }; | ||
39 | phpPool = mkOption { | ||
40 | type = lines; | ||
41 | default = ""; | ||
42 | description = "Pool configuration to append"; | ||
43 | }; | ||
44 | phpOptions = mkOption { | ||
45 | type = lines; | ||
46 | default = ""; | ||
47 | description = "php configuration to append"; | ||
48 | }; | ||
49 | phpOpenbasedir = mkOption { | ||
50 | type = listOf path; | ||
51 | default = []; | ||
52 | description = '' | ||
53 | paths to add to php open_basedir configuration in addition to app and vardir | ||
54 | ''; | ||
55 | }; | ||
56 | phpWatchFiles = mkOption { | ||
57 | type = listOf path; | ||
58 | default = []; | ||
59 | description = '' | ||
60 | Path to other files to watch to trigger preStart scripts | ||
61 | ''; | ||
62 | }; | ||
34 | websiteEnv = mkOption { | 63 | websiteEnv = mkOption { |
35 | type = str; | 64 | type = str; |
36 | description = '' | 65 | description = '' |
@@ -51,6 +80,13 @@ in | |||
51 | httpd group to run the prestart scripts as. | 80 | httpd group to run the prestart scripts as. |
52 | ''; | 81 | ''; |
53 | }; | 82 | }; |
83 | httpdWatchFiles = mkOption { | ||
84 | type = listOf path; | ||
85 | default = []; | ||
86 | description = '' | ||
87 | Path to other files to watch to trigger httpd reload | ||
88 | ''; | ||
89 | }; | ||
54 | app = mkOption { | 90 | app = mkOption { |
55 | type = path; | 91 | type = path; |
56 | description = '' | 92 | description = '' |
@@ -59,6 +95,7 @@ in | |||
59 | }; | 95 | }; |
60 | webappName = mkOption { | 96 | webappName = mkOption { |
61 | type = nullOr str; | 97 | type = nullOr str; |
98 | default = null; | ||
62 | description = '' | 99 | description = '' |
63 | Alias name for the app, to be used in services.websites.webappDirs | 100 | Alias name for the app, to be used in services.websites.webappDirs |
64 | ''; | 101 | ''; |
@@ -84,29 +121,57 @@ in | |||
84 | List of systemd services this application depends on | 121 | List of systemd services this application depends on |
85 | ''; | 122 | ''; |
86 | }; | 123 | }; |
87 | watchFiles = mkOption { | ||
88 | type = listOf path; | ||
89 | default = []; | ||
90 | description = '' | ||
91 | Path to other files to watch to trigger preStart scripts | ||
92 | ''; | ||
93 | }; | ||
94 | }; | 124 | }; |
95 | }); | 125 | }); |
96 | }; | 126 | }; |
127 | # Read-only variables | ||
128 | services.phpApplication.phpListenPaths = mkOption { | ||
129 | type = attrsOf path; | ||
130 | default = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | ||
131 | name "/run/phpfpm/${if icfg.phpListen == null then name else icfg.phpListen}.sock" | ||
132 | ) cfg.apps; | ||
133 | readOnly = true; | ||
134 | description = '' | ||
135 | Full paths to listen for php | ||
136 | ''; | ||
137 | }; | ||
138 | services.phpApplication.webappDirs = mkOption { | ||
139 | type = attrsOf path; | ||
140 | default = attrsets.filterAttrs (n: v: builtins.hasAttr n cfg.apps) config.services.websites.webappDirsPaths; | ||
141 | readOnly = true; | ||
142 | description = '' | ||
143 | Stable name webapp dirs for httpd | ||
144 | ''; | ||
145 | }; | ||
97 | }; | 146 | }; |
98 | 147 | ||
99 | config = { | 148 | config = { |
100 | services.websites.env = attrsets.mapAttrs' (name: cfgs: attrsets.nameValuePair | 149 | services.websites.env = attrsets.mapAttrs' (name: cfgs: attrsets.nameValuePair |
101 | name { | 150 | name { |
102 | modules = [ "proxy_fcgi" ]; | 151 | modules = [ "proxy_fcgi" ]; |
103 | watchPaths = builtins.concatLists (map (c: c.watchFiles) cfgs); | 152 | watchPaths = builtins.concatLists (map (c: c.httpdWatchFiles) cfgs); |
104 | } | 153 | } |
105 | ) cfgByEnv; | 154 | ) cfgByEnv; |
106 | 155 | ||
156 | services.phpfpm.pools = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | ||
157 | name { | ||
158 | listen = cfg.phpListenPaths."${name}"; | ||
159 | extraConfig = '' | ||
160 | user = ${icfg.httpdUser} | ||
161 | group = ${icfg.httpdGroup} | ||
162 | listen.owner = ${icfg.httpdUser} | ||
163 | listen.group = ${icfg.httpdGroup} | ||
164 | ${optionalString (icfg.phpSession) '' | ||
165 | php_admin_value[session.save_path] = "${icfg.varDir}/phpSessions"''} | ||
166 | php_admin_value[open_basedir] = "${builtins.concatStringsSep ":" ([icfg.app icfg.varDir] ++ icfg.phpOpenbasedir)}" | ||
167 | '' + icfg.phpPool; | ||
168 | phpOptions = config.services.phpfpm.phpOptions + icfg.phpOptions; | ||
169 | } | ||
170 | ) cfg.apps; | ||
171 | |||
107 | services.websites.webappDirs = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 172 | services.websites.webappDirs = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
108 | icfg.webappName icfg.webRoot | 173 | (if icfg.webappName == null then name else icfg.webappName) icfg.webRoot |
109 | ) (attrsets.filterAttrs (n: v: !isNull v.webappName && !isNull v.webRoot) cfg); | 174 | ) (attrsets.filterAttrs (n: v: !isNull v.webRoot) cfg.apps); |
110 | 175 | ||
111 | systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 176 | systemd.services = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
112 | "phpfpm-${name}" { | 177 | "phpfpm-${name}" { |
@@ -114,7 +179,7 @@ in | |||
114 | wants = icfg.serviceDeps; | 179 | wants = icfg.serviceDeps; |
115 | preStart = lib.mkAfter (optionalString (!isNull icfg.varDir) '' | 180 | preStart = lib.mkAfter (optionalString (!isNull icfg.varDir) '' |
116 | watchFilesChanged() { | 181 | watchFilesChanged() { |
117 | ${optionalString (builtins.length icfg.watchFiles == 0) "return 0"} | 182 | ${optionalString (builtins.length icfg.phpWatchFiles == 0) "return 1"} |
118 | [ ! -f "${icfg.varDir}"/watchedFiles ] \ | 183 | [ ! -f "${icfg.varDir}"/watchedFiles ] \ |
119 | || ! sha512sum -c --status ${icfg.varDir}/watchedFiles | 184 | || ! sha512sum -c --status ${icfg.varDir}/watchedFiles |
120 | } | 185 | } |
@@ -123,8 +188,8 @@ in | |||
123 | "${icfg.app}" != "$(cat ${icfg.varDir}/currentWebappDir 2>/dev/null)" ] | 188 | "${icfg.app}" != "$(cat ${icfg.varDir}/currentWebappDir 2>/dev/null)" ] |
124 | } | 189 | } |
125 | updateWatchFiles() { | 190 | updateWatchFiles() { |
126 | ${optionalString (builtins.length icfg.watchFiles == 0) "return 0"} | 191 | ${optionalString (builtins.length icfg.phpWatchFiles == 0) "return 0"} |
127 | sha512sum ${builtins.concatStringsSep " " icfg.watchFiles} > ${icfg.varDir}/watchedFiles | 192 | sha512sum ${builtins.concatStringsSep " " icfg.phpWatchFiles} > ${icfg.varDir}/watchedFiles |
128 | } | 193 | } |
129 | 194 | ||
130 | if watchFilesChanged || appDirChanged; then | 195 | if watchFilesChanged || appDirChanged; then |
@@ -136,7 +201,7 @@ in | |||
136 | fi | 201 | fi |
137 | ''); | 202 | ''); |
138 | } | 203 | } |
139 | ) cfg; | 204 | ) cfg.apps; |
140 | 205 | ||
141 | system.activationScripts = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair | 206 | system.activationScripts = attrsets.mapAttrs' (name: icfg: attrsets.nameValuePair |
142 | name { | 207 | name { |
@@ -147,6 +212,6 @@ in | |||
147 | install -m 0700 -o ${icfg.httpdUser} -g ${icfg.httpdGroup} -d ${icfg.varDir}/phpSessions | 212 | install -m 0700 -o ${icfg.httpdUser} -g ${icfg.httpdGroup} -d ${icfg.varDir}/phpSessions |
148 | ''; | 213 | ''; |
149 | } | 214 | } |
150 | ) cfg; | 215 | ) cfg.apps; |
151 | }; | 216 | }; |
152 | } | 217 | } |