l 3: add nginx site modules

This commit is contained in:
lassulus 2015-12-12 18:20:50 +01:00
parent c8b82b0336
commit 717c6f4ade
3 changed files with 319 additions and 11 deletions

View File

@ -0,0 +1,215 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.lass.owncloud;
out = {
options.lass.owncloud = api;
config = imp;
};
api = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = {
domain = mkOption {
type = str;
default = config._module.args.name;
};
dataDir = mkOption {
type = str;
default = "${config.folder}/data";
};
dbUser = mkOption {
type = str;
default = replaceStrings ["."] ["_"] config.domain;
};
dbName = mkOption {
type = str;
default = replaceStrings ["."] ["_"] config.domain;
};
dbType = mkOption {
# TODO: check for valid dbType
type = str;
default = "mysql";
};
folder = mkOption {
type = str;
default = "/srv/http/${config.domain}";
};
auto = mkOption {
type = bool;
default = false;
};
instanceid = mkOption {
type = str;
};
ssl = mkOption {
type = bool;
default = false;
};
};
}));
default = {};
};
user = config.services.nginx.user;
group = config.services.nginx.group;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
server-names = [
"${domain}"
"www.${domain}"
];
locations = [
(nameValuePair "/" ''
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ /index.php;
'')
(nameValuePair "~ \.php$" ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:${folder}/phpfpm.pool;
'')
(nameValuePair "~ /\\." ''
deny all;
'')
];
extraConfig = ''
root ${folder}/;
#index index.php;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
'';
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool
user = ${user}
group = ${group}
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
listen.owner = ${user}
listen.group = ${group}
# errors to journal
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'');
#systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
# name = "owncloudInit-${name}";
# value = {
# path = [
# pkgs.mysql
# pkgs.su
# pkgs.gawk
# pkgs.jq
# ];
# requiredBy = [ "nginx.service" ];
# serviceConfig = let
# php.define = name: value:
# "define(${php.newdoc name}, ${php.newdoc value});";
# php.toString = x:
# "'${x}'";
# php.newdoc = s:
# let b = "EOF${builtins.hashString "sha256" s}"; in
# ''<<<'${b}'
# ${s}
# ${b}
# '';
# in {
# Type = "oneshot";
# ExecStart = pkgs.writeScript "wordpressInit" ''
# #!/bin/sh
# set -euf
# oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
# db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
# get_secret() {
# echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
# }
# to_php_string() {
# echo "base64_decode('$(base64)')"
# }
# {
# cat ${toString <secrets/mysql_rootPassword>}
# password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
# # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
# # TODO as package pkgs.sqlHashPassword
# # TODO not using mysql
# # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
# passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
# user=${shell.escape dbUser}@localhost
# database=${shell.escape dbName}
# cat << EOF
# CREATE DATABASE IF NOT EXISTS $database;
# GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
# GRANT ALL PRIVILEGES ON $database.* TO $user;
# FLUSH PRIVILEGES;
# EOF
# } | mysql -u root -p
# # TODO nix2php for wp-config.php
# mkdir -p ${folder}/config
# cat > ${folder}/config/config.php << EOF
# <?php
# \$CONFIG = array (
# 'dbhost' => 'localhost',
# 'dbtableprefix' => 'oc_',
# 'dbpassword' => '$db_password',
# 'installed' => 'true',
# 'trusted_domains' =>
# array (
# 0 => '${domain}',
# ),
# 'overwrite.cli.url' => 'http://${domain}',
# ${concatStringsSep "\n" (mapAttrsToList (name: value:
# "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
# ) {
# instanceid = instanceid;
# datadirectory = dataDir;
# dbtype = dbType;
# dbname = dbName;
# dbuser = dbUser;
# })}
# ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
# "secret"
# "passwordsalt"
# ]}
# );
# EOF
# '';
# };
# };
#});
users.users.nobody_oc = {
uid = 1651469147; # genid nobody_oc
useDefaultShell = true;
};
};
in out

View File

@ -0,0 +1,49 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.lass.staticPage;
out = {
options.lass.staticPage = api;
config = imp;
};
api = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = {
domain = mkOption {
type = str;
default = config._module.args.name;
};
folder = mkOption {
type = str;
default = "/srv/http/${config.domain}";
};
};
}));
default = {};
};
user = config.services.nginx.user;
group = config.services.nginx.group;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
server-names = [
"${domain}"
"www.${domain}"
];
locations = [
(nameValuePair "/" ''
root ${folder};
'')
(nameValuePair "~ /\\." ''
deny all;
'')
];
});
};
in out

View File

@ -45,35 +45,70 @@ let
type = bool; type = bool;
default = false; default = false;
}; };
multiSite = mkOption {
type = attrsOf str;
default = {};
example = {
"0" = "bla.testsite.de";
"1" = "test.testsite.de";
};
};
}; };
})); }));
default = {}; default = {};
}; };
dataFolder = "/srv/http";
user = config.services.nginx.user; user = config.services.nginx.user;
group = config.services.nginx.group; group = config.services.nginx.group;
imp = { imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, ... }: { #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
# map $http_host $blogid {
# ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
# }
#'';
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
server-names = [ server-names = [
"${domain}" "${domain}"
"www.${domain}" "www.${domain}"
]; ];
locations = [ #(mkIf (multiSite != {})
#)
locations = (if (multiSite != {}) then
[
(nameValuePair "~ ^/files/(.*)$" ''
try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
'')
(nameValuePair "^~ /blogs.dir" ''
internal;
alias ${folder}/wp-content/blogs.dir ;
access_log off; log_not_found off; expires max;
'')
]
else
[]
) ++
[
(nameValuePair "/" '' (nameValuePair "/" ''
try_files $uri $uri/ /index.php?$args; try_files $uri $uri/ /index.php?$args;
'') '')
(nameValuePair "~ \.php$" '' (nameValuePair "~ \.php$" ''
fastcgi_pass unix:${dataFolder}/${domain}/phpfpm.pool; fastcgi_pass unix:${folder}/phpfpm.pool;
include ${pkgs.nginx}/conf/fastcgi.conf; include ${pkgs.nginx}/conf/fastcgi.conf;
'') '')
(nameValuePair "~ /\\." '' (nameValuePair "~ /\\." ''
deny all; deny all;
'') '')
#Directives to send expires headers and turn off 404 error logging.
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
access_log off;
log_not_found off;
expires max;
'')
]; ];
extraConfig = '' extraConfig = ''
root ${dataFolder}/${domain}/; root ${folder}/;
index index.php; index index.php;
access_log /tmp/nginx_acc.log; access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log; error_log /tmp/nginx_err.log;
@ -81,8 +116,8 @@ let
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
''; '';
}); });
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, ... }: '' services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${dataFolder}/${domain}/phpfpm.pool listen = ${folder}/phpfpm.pool
user = ${user} user = ${user}
group = ${group} group = ${group}
pm = dynamic pm = dynamic
@ -97,7 +132,7 @@ let
php_admin_flag[log_errors] = on php_admin_flag[log_errors] = on
catch_workers_output = yes catch_workers_output = yes
''); '');
systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, ... }: { systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
name = "wordpressInit-${name}"; name = "wordpressInit-${name}";
value = { value = {
path = [ path = [
@ -175,6 +210,13 @@ let
]} ]}
\$table_prefix = 'wp_'; \$table_prefix = 'wp_';
${if (multiSite != {}) then
"define('WP_ALLOW_MULTISITE', true);"
else
""
}
define('WP_DEBUG', ${toJSON debug}); define('WP_DEBUG', ${toJSON debug});
if ( !defined('ABSPATH') ) if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/'); define('ABSPATH', dirname(__FILE__) . '/');
@ -186,10 +228,12 @@ let
}; };
}; };
}); });
users.users.nobody2 = { users.users.nobody2 = mkDefault {
uid = 125816384; # genid nobody2 uid = mkDefault 125816384; # genid nobody2
useDefaultShell = true; useDefaultShell = mkDefault true;
}; };
}; };
indent = replaceChars ["\n"] ["\n "];
in out in out