Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'lass/master'

Browse Source
This commit is contained in:
makefu 2016-12-28 03:40:28 +01:00
commit c422632d03
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
23 changed files with 434 additions and 818 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
krebs/3modules/lass/default.nix
View File

@ -298,6 +298,7 @@ with import <stockholm/lib>;
''; '';
}; };
}; };
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
}; };

2
krebs/3modules/realwallpaper.nix
View File

@ -24,7 +24,7 @@ let
daymap = mkOption { daymap = mkOption {
type = types.str; type = types.str;
default = "http://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png"; default = "https://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
}; };
cloudmap = mkOption { cloudmap = mkOption {

64
krebs/5pkgs/git-hooks/default.nix
View File

@ -108,67 +108,5 @@ let
fi fi
''; '';
irc-announce-script = pkgs.writeDash "irc-announce-script" '' irc-announce-script = "${pkgs.irc-announce}/bin/irc-announce";
set -euf
export PATH=${makeSearchPath "bin" (with pkgs; [
coreutils
gawk
gnused
netcat
nettools
])}
IRC_SERVER=$1
IRC_PORT=$2
IRC_NICK=$3$$
IRC_CHANNEL=$4
message=$5
export IRC_CHANNEL # for privmsg_cat
# echo2 and cat2 are used output to both, stdout and stderr
# This is used to see what we send to the irc server. (debug output)
echo2() { echo "$*"; echo "$*" >&2; }
cat2() { tee /dev/stderr; }
# privmsg_cat transforms stdin to a privmsg
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
# ircin is used to feed the output of netcat back to the "irc client"
# so we can implement expect-like behavior with sed^_^
# XXX mkselfdestructingtmpfifo would be nice instead of this cruft
tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
cd "$tmpdir"
mkfifo ircin
trap "
rm ircin
cd '$OLDPWD'
rmdir '$tmpdir'
trap - EXIT INT QUIT
" EXIT INT QUIT
{
echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
echo2 "NICK $IRC_NICK"
# wait for MODE message
sed -n '/^:[^ ]* MODE /q'
echo2 "JOIN $IRC_CHANNEL"
printf '%s' "$message" \
| privmsg_cat \
| cat2
echo2 "PART $IRC_CHANNEL"
# wait for PART confirmation
sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
echo2 'QUIT :Gone to have lunch'
} < ircin \
| nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
'';
in out in out

68
krebs/5pkgs/irc-announce/default.nix Normal file
View File

@ -0,0 +1,68 @@
{ pkgs, lib, ... }:
with lib;
pkgs.writeDashBin "irc-announce" ''
set -euf
export PATH=${makeSearchPath "bin" (with pkgs; [
coreutils
gawk
gnused
netcat
nettools
])}
IRC_SERVER=$1
IRC_PORT=$2
IRC_NICK=$3$$
IRC_CHANNEL=$4
message=$5
export IRC_CHANNEL # for privmsg_cat
# echo2 and cat2 are used output to both, stdout and stderr
# This is used to see what we send to the irc server. (debug output)
echo2() { echo "$*"; echo "$*" >&2; }
cat2() { tee /dev/stderr; }
# privmsg_cat transforms stdin to a privmsg
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
# we cd to /tmp here to be able to create a tmpdir in the first place
cd /tmp
# ircin is used to feed the output of netcat back to the "irc client"
# so we can implement expect-like behavior with sed^_^
# XXX mkselfdestructingtmpfifo would be nice instead of this cruft
tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
cd "$tmpdir"
mkfifo ircin
trap "
rm ircin
cd '$OLDPWD'
rmdir '$tmpdir'
trap - EXIT INT QUIT
" EXIT INT QUIT
{
echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
echo2 "NICK $IRC_NICK"
# wait for MODE message
sed -n '/^:[^ ]* MODE /q'
echo2 "JOIN $IRC_CHANNEL"
printf '%s' "$message" \
| privmsg_cat \
| cat2
echo2 "PART $IRC_CHANNEL"
# wait for PART confirmation
sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
echo2 'QUIT :Gone to have lunch'
} < ircin \
| nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
''

150
lass/1systems/mors.nix
View File

@ -17,7 +17,6 @@ with import <stockholm/lib>;
../2configs/steam.nix ../2configs/steam.nix
../2configs/wine.nix ../2configs/wine.nix
../2configs/git.nix ../2configs/git.nix
../2configs/skype.nix
../2configs/libvirt.nix ../2configs/libvirt.nix
../2configs/fetchWallpaper.nix ../2configs/fetchWallpaper.nix
#../2configs/c-base.nix #../2configs/c-base.nix
@ -66,20 +65,18 @@ with import <stockholm/lib>;
}; };
} }
{ {
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.default = { virtualHosts.default = {
server-names = [ serverAliases = [
"localhost" "localhost"
"${config.krebs.build.host.name}" "${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r" "${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum" "${config.krebs.build.host.name}.retiolum"
]; ];
locations = [ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
(nameValuePair "~ ^/~(.+?)(/.*)?\$" '' alias /home/$1/public_html$2;
alias /home/$1/public_html$2; '';
'')
];
}; };
}; };
} }
@ -89,6 +86,137 @@ with import <stockholm/lib>;
{ {
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
} }
{
services.nginx = {
enable = mkDefault true;
virtualHosts = {
"stats.mors" = {
locations = {
"/" = {
proxyPass = "http://localhost:3000/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
};
};
services.grafana = {
enable = true;
addr = "127.0.0.1";
users.allowSignUp = false;
users.allowOrgCreate = false;
users.autoAssignOrg = false;
auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
services.graphite = {
api = {
enable = true;
listenAddress = "127.0.0.1";
port = 18080;
};
carbon = {
enableCache = true;
# save disk usage by restricting to 1 bulk update per second
config = ''
[cache]
MAX_CACHE_SIZE = inf
MAX_UPDATES_PER_SECOND = 1
MAX_CREATES_PER_MINUTE = 500
'';
storageSchemas = ''
[carbon]
pattern = ^carbon\.
retentions = 60:90d
[elchos]
patterhn = ^elchos\.
retentions = 10s:30d,60s:3y
[default]
pattern = .*
retentions = 30s:30d,300s:1y
'';
};
};
services.collectd = {
enable = true;
include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
LoadPlugin write_graphite
<Plugin "write_graphite">
<Carbon>
Host "localhost"
Port "2003"
EscapeCharacter "_"
StoreRates false
AlwaysAppendDS false
</Carbon>
</Plugin>
''))
];
extraConfig = ''
LoadPlugin interface
LoadPlugin battery
LoadPlugin load
LoadPlugin cpu
LoadPlugin entropy
LoadPlugin write_graphite
<Plugin "interface">
Interface "et0"
Interface "wl0"
Interface "retiolum"
</Plugin>
'';
};
services.graphite.beacon = {
enable = true;
config = {
graphite_url = "http://localhost:18080";
cli = {
command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
};
smtp = {
from = "beacon@mors.r";
to = [
"lass@mors.r"
];
};
normal_handlers = [
"smtp"
"cli"
];
warning_handlers = [
"smtp"
"cli"
];
critical_handlers = [
"smtp"
"cli"
];
alerts = [
{
name = "testbattery";
query = "*.battery-0.capacity";
method = "last_value";
interval = "1minute";
logging = "info";
repeat_interval = "5minute";
rules = [
"warning: < 30.0"
"critical: < 10.0"
];
}
];
};
};
}
]; ];
krebs.build.host = config.krebs.hosts.mors; krebs.build.host = config.krebs.hosts.mors;
@ -238,8 +366,4 @@ with import <stockholm/lib>;
krebs.repo-sync.timerConfig = { krebs.repo-sync.timerConfig = {
OnCalendar = "00:37"; OnCalendar = "00:37";
}; };
services.mongodb = {
enable = true;
};
} }

29
lass/1systems/prism.nix
View File

@ -24,6 +24,8 @@ in {
../2configs/repo-sync.nix ../2configs/repo-sync.nix
../2configs/binary-cache/server.nix ../2configs/binary-cache/server.nix
../2configs/iodined.nix ../2configs/iodined.nix
../2configs/libvirt.nix
../2configs/hfos.nix
{ {
users.extraGroups = { users.extraGroups = {
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@ -178,11 +180,9 @@ in {
imports = [ imports = [
../2configs/realwallpaper.nix ../2configs/realwallpaper.nix
]; ];
krebs.nginx.servers."lassul.us".locations = [ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
(lib.nameValuePair "/wallpaper.png" '' alias /tmp/wallpaper.png;
alias /tmp/wallpaper.png; '';
'')
];
} }
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
@ -202,16 +202,13 @@ in {
}; };
} }
{ {
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.public = { virtualHosts.public = {
listen = [ "8088" ]; port = 8088;
server-names = [ "default" ]; locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
locations = [ alias /home/$1/public_html$2;
(nameValuePair "~ ^/~(.+?)(/.*)?\$" '' '';
alias /home/$1/public_html$2;
'')
];
}; };
}; };
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
@ -228,10 +225,6 @@ in {
enable = true; enable = true;
}; };
} }
{
virtualisation.libvirtd.enable = true;
users.users.mainUser.extraGroups = [ "libvirtd" ];
}
]; ];
krebs.build.host = config.krebs.hosts.prism; krebs.build.host = config.krebs.hosts.prism;

10
lass/2configs/binary-cache/server.nix
View File

@ -17,13 +17,13 @@
owner.name = "nix-serve"; owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key"; source-path = toString <secrets> + "/nix-serve.key";
}; };
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.nix-serve = { virtualHosts.nix-serve = {
server-names = [ "cache.prism.r" ]; serverAliases = [ "cache.prism.r" ];
locations = lib.singleton (lib.nameValuePair "/" '' locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${toString config.services.nix-serve.port};
''); '';
}; };
}; };
} }

5
lass/2configs/downloading.nix
View File

@ -40,9 +40,8 @@ with import <stockholm/lib>;
enable = true; enable = true;
web = { web = {
enable = true; enable = true;
enableAuth = true; port = 9091;
listenAddress = "9091"; basicAuth = import <secrets/torrent-auth>;
authfile = <secrets/torrent-authfile>;
}; };
rutorrent.enable = true; rutorrent.enable = true;
enableXMLRPC = true; enableXMLRPC = true;

16
lass/2configs/go.nix
View File

@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = { krebs.go = {
enable = true; enable = true;
}; };
krebs.nginx = { services.nginx = {
enable = true; enable = true;
servers.go = { virtualHosts.go = {
locations = [ locations."/".extraConfig = ''
(nameValuePair "/" '' proxy_set_header Host go;
proxy_set_header Host go; proxy_pass http://localhost:1337;
proxy_pass http://localhost:1337; '';
'') serverAliases = [
];
server-names = [
"go" "go"
"go.retiolum" "go.retiolum"
]; ];

33
lass/2configs/hfos.nix Normal file
View File

@ -0,0 +1,33 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
users.users.riot = {
uid = genid "riot";
isNormalUser = true;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
config.krebs.users.lass.pubkey
];
};
networking.interfaces.et0.ip4 = [
{
address = "213.239.205.246";
prefixLength = 24;
}
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
];
}

43
lass/2configs/libvirt.nix
View File

@ -1,23 +1,30 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let {
mainUser = config.users.extraUsers.mainUser; users.users.mainUser.extraGroups = [ "libvirtd" ];
inherit (import <stockholm/lib>) genid;
in {
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
users.extraUsers = { krebs.iptables.tables.filter.INPUT.rules = [
libvirt = { { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
uid = genid "libvirt"; { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
description = "user for running libvirt stuff"; { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
home = "/home/libvirt"; { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
useDefaultShell = true; ];
extraGroups = [ "libvirtd" "audio" ]; krebs.iptables.tables.filter.FORWARD.rules = [
createHome = true; { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
}; { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
}; { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
security.sudo.extraConfig = '' { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
${mainUser.name} ALL=(libvirt) NOPASSWD: ALL { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
''; ];
krebs.iptables.tables.filter.OUTPUT.rules = [
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
} }

4
lass/2configs/nixpkgs.nix
View File

@ -2,7 +2,7 @@
{ {
krebs.build.source.nixpkgs.git = { krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs; url = https://github.com/lassulus/nixpkgs;
ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905"; ref = "819c1ab486a9c81d6a6b76c759aedece2df39037";
}; };
} }

12
lass/2configs/radio.nix
View File

@ -156,7 +156,7 @@ in {
}) })
]; ];
}; };
krebs.nginx.servers."lassul.us".locations = let services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" '' html = pkgs.writeText "index.html" ''
<!DOCTYPE html> <!DOCTYPE html>
<html lang="en"> <html lang="en">
@ -175,10 +175,8 @@ in {
</body> </body>
</html> </html>
''; '';
in [ in ''
(nameValuePair "/the_playlist" '' default_type "text/html";
default_type "text/html"; alias ${html};
alias ${html}; '';
'')
];
} }

12
lass/2configs/realwallpaper.nix
View File

@ -9,15 +9,13 @@ let
in { in {
krebs.realwallpaper.enable = true; krebs.realwallpaper.enable = true;
krebs.nginx.servers.wallpaper = { services.nginx.virtualHosts.wallpaper = {
server-names = [ serverAliases = [
hostname hostname
]; ];
locations = [ locations."/wallpaper.png".extraConfig = ''
(nameValuePair "/wallpaper.png" '' root /tmp/;
root /tmp/; '';
'')
];
}; };
krebs.iptables = { krebs.iptables = {

3
lass/2configs/tests/dummy-secrets/torrent-auth Normal file
View File

@ -0,0 +1,3 @@
{
x = "xxx";
}

1
lass/2configs/tests/dummy-secrets/torrent-authfile
View File

@ -1 +0,0 @@
"xxx"

13
lass/2configs/websites/domsen.nix
View File

@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ]) (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ]) (ssl [ "pixelpocket.de" ])
(servePage [ "pixelpocket.de" "www.pixelpocket.de" ]) (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ]) (ssl [ "o.ubikmedia.de" ])
(serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ]) (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [ (ssl [
"ubikmedia.de" "ubikmedia.de"
@ -88,15 +88,12 @@ in {
"www.illucloud.eu" "www.illucloud.eu"
"www.illucloud.de" "www.illucloud.de"
"www.illucloud.com" "www.illucloud.com"
"*.ubikmedia.de"
]) ])
]; ];
krebs.nginx.servers."ubikmedia.de".locations = [ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
(lib.nameValuePair "/piwik" '' try_files $uri $uri/ /index.php?$args;
try_files $uri $uri/ /index.php?$args; '';
'')
];
lass.mysqlBackup.config.all.databases = [ lass.mysqlBackup.config.all.databases = [
"ubikmedia_de" "ubikmedia_de"

18
lass/2configs/websites/fritz.nix
View File

@ -7,7 +7,6 @@ let
head head
; ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
manageCerts
ssl ssl
servePage servePage
serveWordpress serveWordpress
@ -26,8 +25,6 @@ let
in { in {
imports = [ imports = [
./sqlBackup.nix ./sqlBackup.nix
(ssl [ "biostase.de" "www.biostase.de" ])
(serveWordpress [ "biostase.de" "www.biostase.de" ])
(ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ]) (ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ]) (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@ -50,30 +47,17 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ]) (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ]) (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
]; ];
lass.mysqlBackup.config.all.databases = [ lass.mysqlBackup.config.all.databases = [
"biostase_de"
"eastuttgart_de" "eastuttgart_de"
"radical_dreamers_de" "radical_dreamers_de"
"spielwaren_kern_de" "spielwaren_kern_de"
"ttf_kleinaspach_de" "ttf_kleinaspach_de"
]; ];
#password protect some dirs
krebs.nginx.servers."biostase.de".locations = [
(nameValuePair "/old_biostase.de" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
'')
(nameValuePair "/mysqldumper" ''
auth_basic "Administrator Login";
auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
'')
];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey config.krebs.users.fritz.pubkey
]; ];

97
lass/2configs/websites/lassulus.nix
View File

@ -14,7 +14,7 @@ in {
security.acme = { security.acme = {
certs."lassul.us" = { certs."lassul.us" = {
email = "lass@lassul.us"; email = "lass@lassul.us";
webroot = "/var/lib/acme/challenges/lassul.us"; webroot = "/var/lib/acme/acme-challenges";
plugins = [ plugins = [
"account_key.json" "account_key.json"
"key.pem" "key.pem"
@ -26,7 +26,7 @@ in {
}; };
certs."cgit.lassul.us" = { certs."cgit.lassul.us" = {
email = "lassulus@gmail.com"; email = "lassulus@gmail.com";
webroot = "/var/lib/acme/challenges/cgit.lassul.us"; webroot = "/var/lib/acme/acme-challenges";
plugins = [ plugins = [
"account_key.json" "account_key.json"
"key.pem" "key.pem"
@ -69,59 +69,54 @@ in {
"nginx" "nginx"
]; ];
krebs.nginx.servers."lassul.us" = { services.nginx.virtualHosts."lassul.us" = {
server-names = [ "lassul.us" ]; serverAliases = [ "lassul.us" ];
locations = [ locations."/".extraConfig = ''
(nameValuePair "/" '' root /srv/http/lassul.us;
root /srv/http/lassul.us; '';
'') locations."/.well-known/acme-challenge".extraConfig = ''
(nameValuePair "/.well-known/acme-challenge" '' root /var/lib/acme/challenges/lassul.us/;
root /var/lib/acme/challenges/lassul.us/; '';
'') locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
(nameValuePair "= /retiolum-hosts.tar.bz2" '' alias ${config.krebs.tinc.retiolum.hostsArchive};
alias ${config.krebs.tinc.retiolum.hostsArchive}; '';
'') locations."/tinc".extraConfig = ''
(nameValuePair "/tinc" '' alias ${config.krebs.tinc_graphs.workingDir}/external;
alias ${config.krebs.tinc_graphs.workingDir}/external; '';
'') locations."= /ddate".extraConfig = let
(let script = pkgs.writeBash "test" ''
script = pkgs.writeBash "test" '' echo "hello world"
echo "hello world" '';
''; #script = pkgs.execve "ddate-wrapper" {
#script = pkgs.execve "ddate-wrapper" { # filename = "${pkgs.ddate}/bin/ddate";
# filename = "${pkgs.ddate}/bin/ddate"; # argv = [];
# argv = []; #};
#}; in ''
in nameValuePair "= /ddate" '' gzip off;
gzip off; fastcgi_pass unix:/var/run/lass-stuff.socket;
fastcgi_pass unix:/var/run/lass-stuff.socket; include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi_params; fastcgi_param DOCUMENT_ROOT /var/empty;
fastcgi_param DOCUMENT_ROOT /var/empty; fastcgi_param SCRIPT_FILENAME ${script};
fastcgi_param SCRIPT_FILENAME ${script}; fastcgi_param SCRIPT_NAME ${script};
fastcgi_param SCRIPT_NAME ${script}; '';
'')
]; enableSSL = true;
ssl = { extraConfig = "listen 80;";
enable = true; sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
certificate = "/var/lib/acme/lassul.us/fullchain.pem"; sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
certificate_key = "/var/lib/acme/lassul.us/key.pem";
};
}; };
krebs.nginx.servers.cgit = { services.nginx.virtualHosts.cgit = {
server-names = [ serverAliases = [
"cgit.lassul.us" "cgit.lassul.us"
]; ];
locations = [ locations."/.well-known/acme-challenge".extraConfig = ''
(nameValuePair "/.well-known/acme-challenge" '' root /var/lib/acme/acme-challenges;
root /var/lib/acme/challenges/cgit.lassul.us/; '';
'') enableSSL = true;
]; extraConfig = "listen 80;";
ssl = { sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
enable = true; sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
};
}; };
users.users.blog = { users.users.blog = {

195
lass/2configs/websites/util.nix
View File

@ -4,66 +4,24 @@ with lib;
rec { rec {
manageCerts = domains: ssl = domains :
let let
domain = head domains; domain = head domains;
in { in {
#security.acme = {
# certs."${domain}" = {
# email = "lassulus@gmail.com";
# webroot = "/var/lib/acme/challenges/${domain}";
# plugins = [
# "account_key.json"
# "key.pem"
# "fullchain.pem"
# ];
# group = "nginx";
# allowKeysForGroup = true;
# extraDomains = genAttrs domains (_: null);
# };
#};
krebs.nginx.servers."${domain}" = {
ssl.acmeEnable = true;
server-names = domains;
#locations = [
# (nameValuePair "/.well-known/acme-challenge" ''
# root /var/lib/acme/challenges/${domain}/;
# '')
#];
};
};
ssl = domains:
{
imports = [
( manageCerts domains )
#( activateACME (head domains) )
];
};
activateACME = domain:
{
krebs.nginx.servers.${domain} = {
ssl = {
enable = true;
certificate = "/var/lib/acme/${domain}/fullchain.pem";
certificate_key = "/var/lib/acme/${domain}/key.pem";
};
};
}; };
servePage = domains: servePage = domains:
let let
domain = head domains; domain = head domains;
in { in {
krebs.nginx.servers.${domain} = { services.nginx.virtualHosts.${domain} = {
server-names = domains; enableACME = true;
locations = [ enableSSL = true;
(nameValuePair "/" '' extraConfig = "listen 80;";
root /srv/http/${domain}; serverAliases = domains;
'') locations."/".extraConfig = ''
]; root /srv/http/${domain};
'';
}; };
}; };
@ -71,9 +29,13 @@ rec {
let let
domain = head domains; domain = head domains;
in { in {
krebs.nginx.servers."${domain}" = { services.nginx.virtualHosts."${domain}" = {
server-names = domains; enableACME = true;
enableSSL = true;
serverAliases = domains;
extraConfig = '' extraConfig = ''
listen 80;
# Add headers to serve security related headers # Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last; rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
''; '';
locations = [ locations."/robots.txt".extraConfig = ''
(nameValuePair "/robots.txt" '' allow all;
allow all; log_not_found off;
log_not_found off; access_log off;
access_log off; '';
'') locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
(nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' deny all;
deny all; '';
'')
(nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
deny all; deny all;
'') '';
(nameValuePair "/" '' locations."/".extraConfig = ''
rewrite ^/remote/(.*) /remote.php last; rewrite ^/remote/(.*) /remote.php last;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
'') '';
(nameValuePair "~ \.php(?:$|/)" '' locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on; fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
'') '';
# Adding the cache control header for js and css files # Adding the cache control header for js and css files
# Make sure it is BELOW the location ~ \.php(?:$|/) { block # Make sure it is BELOW the location ~ \.php(?:$|/) { block
(nameValuePair "~* \.(?:css|js)$" '' locations."~* \.(?:css|js)$".extraConfig = ''
add_header Cache-Control "public, max-age=7200"; add_header Cache-Control "public, max-age=7200";
# Add headers to serve security related headers # Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; add_header X-Robots-Tag none;
# Optional: Don't log access to assets # Optional: Don't log access to assets
access_log off; access_log off;
'') '';
# Optional: Don't log access to other assets
# Optional: Don't log access to other assets locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
(nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' access_log off;
access_log off; '';
'')
];
}; };
services.phpfpm.poolConfigs."${domain}" = '' services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool listen = /srv/http/${domain}/phpfpm.pool
@ -183,9 +142,12 @@ rec {
domain = head domains; domain = head domains;
in { in {
krebs.nginx.servers."${domain}" = { services.nginx.virtualHosts."${domain}" = {
server-names = domains; enableACME = true;
enableSSL = true;
serverAliases = domains;
extraConfig = '' extraConfig = ''
listen 80;
root /srv/http/${domain}/; root /srv/http/${domain}/;
index index.php; index index.php;
access_log /tmp/nginx_acc.log; access_log /tmp/nginx_acc.log;
@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
client_max_body_size 100m; client_max_body_size 100m;
''; '';
locations = [ locations."/".extraConfig = ''
(nameValuePair "/" '' try_files $uri $uri/ /index.php?$args;
try_files $uri $uri/ /index.php?$args; '';
'') locations."~ \.php$".extraConfig = ''
(nameValuePair "~ \.php$" '' fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; include ${pkgs.nginx}/conf/fastcgi.conf;
include ${pkgs.nginx}/conf/fastcgi.conf; '';
'') #Directives to send expires headers and turn off 404 error logging.
#(nameValuePair "~ /\\." '' locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
# deny all; access_log off;
#'') log_not_found off;
#Directives to send expires headers and turn off 404 error logging. expires max;
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' '';
access_log off;
log_not_found off;
expires max;
'')
];
}; };
services.phpfpm.poolConfigs."${domain}" = '' services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool listen = /srv/http/${domain}/phpfpm.pool

1
lass/3modules/default.nix
View File

@ -8,7 +8,6 @@ _:
./umts.nix ./umts.nix
./urxvtd.nix ./urxvtd.nix
./usershadow.nix ./usershadow.nix
./wordpress_nginx.nix
./xresources.nix ./xresources.nix
]; ];
} }

210
lass/3modules/owncloud_nginx.nix
View File

@ -1,210 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.lass.owncloud;
out = {
options.lass.owncloud = api;
config = imp;
};
api = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = {
domain = mkOption {
type = str;
default = config._module.args.name;
};
dataDir = mkOption {
type = str;
default = "${config.folder}/data";
};
dbUser = mkOption {
type = str;
default = replaceStrings ["."] ["_"] config.domain;
};
dbName = mkOption {
type = str;
default = replaceStrings ["."] ["_"] config.domain;
};
dbType = mkOption {
# TODO: check for valid dbType
type = str;
default = "mysql";
};
folder = mkOption {
type = str;
default = "/srv/http/${config.domain}";
};
auto = mkOption {
type = bool;
default = false;
};
instanceid = mkOption {
type = str;
};
};
}));
default = {};
};
user = config.services.nginx.user;
group = config.services.nginx.group;
imp = {
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
server-names = [
"${domain}"
"www.${domain}"
];
locations = [
(nameValuePair "/" ''
# The following 2 rules are only needed with webfinger
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
try_files $uri $uri/ /index.php;
'')
(nameValuePair "~ \.php$" ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass unix:${folder}/phpfpm.pool;
'')
(nameValuePair "~ /\\." ''
deny all;
'')
];
extraConfig = ''
root ${folder}/;
#index index.php;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
'';
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool
user = ${user}
group = ${group}
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
listen.owner = ${user}
listen.group = ${group}
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'');
#systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
# name = "owncloudInit-${name}";
# value = {
# path = [
# pkgs.mysql
# pkgs.su
# pkgs.gawk
# pkgs.jq
# ];
# requiredBy = [ "nginx.service" ];
# serviceConfig = let
# php.define = name: value:
# "define(${php.newdoc name}, ${php.newdoc value});";
# php.toString = x:
# "'${x}'";
# php.newdoc = s:
# let b = "EOF${builtins.hashString "sha256" s}"; in
# ''<<<'${b}'
# ${s}
# ${b}
# '';
# in {
# Type = "oneshot";
# ExecStart = pkgs.writeScript "wordpressInit" ''
# #!/bin/sh
# set -euf
# oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
# db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
# get_secret() {
# echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
# }
# to_php_string() {
# echo "base64_decode('$(base64)')"
# }
# {
# cat ${toString <secrets/mysql_rootPassword>}
# password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
# # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
# # TODO as package pkgs.sqlHashPassword
# # TODO not using mysql
# # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
# passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
# user=${shell.escape dbUser}@localhost
# database=${shell.escape dbName}
# cat << EOF
# CREATE DATABASE IF NOT EXISTS $database;
# GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
# GRANT ALL PRIVILEGES ON $database.* TO $user;
# FLUSH PRIVILEGES;
# EOF
# } | mysql -u root -p
# # TODO nix2php for wp-config.php
# mkdir -p ${folder}/config
# cat > ${folder}/config/config.php << EOF
# <?php
# \$CONFIG = array (
# 'dbhost' => 'localhost',
# 'dbtableprefix' => 'oc_',
# 'dbpassword' => '$db_password',
# 'installed' => 'true',
# 'trusted_domains' =>
# array (
# 0 => '${domain}',
# ),
# 'overwrite.cli.url' => 'http://${domain}',
# ${concatStringsSep "\n" (mapAttrsToList (name: value:
# "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
# ) {
# instanceid = instanceid;
# datadirectory = dataDir;
# dbtype = dbType;
# dbname = dbName;
# dbuser = dbUser;
# })}
# ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
# "secret"
# "passwordsalt"
# ]}
# );
# EOF
# '';
# };
# };
#});
users.users.nobody_oc = {
uid = genid "nobody_oc";
useDefaultShell = true;
};
};
in out

265
lass/3modules/wordpress_nginx.nix
View File

@ -1,265 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.lass.wordpress;
out = {
options.lass.wordpress = api;
config = imp;
};
api = mkOption {
type = with types; attrsOf (submodule ({ config, ... }: {
options = {
domain = mkOption {
type = str;
default = config._module.args.name;
};
dbUser = mkOption {
type = str;
default = replaceStrings ["."] ["_"] config.domain;
};
dbName = mkOption {
type = str;
default = replaceStrings ["."] ["_"] config.domain;
};
folder = mkOption {
type = str;
default = "/srv/http/${config.domain}";
};
auto = mkOption {
type = bool;
default = false;
};
charset = mkOption {
type = str;
default = "utf8mb4";
};
collate = mkOption {
type = str;
default = "";
};
debug = mkOption {
type = bool;
default = false;
};
multiSite = mkOption {
type = attrsOf str;
default = {};
example = {
"0" = "bla.testsite.de";
"1" = "test.testsite.de";
};
};
ssl = mkOption {
type = with types; submodule ({
options = {
enable = mkEnableOption "ssl";
certificate = mkOption {
type = str;
};
certificate_key = mkOption {
type = str;
};
ciphers = mkOption {
type = str;
default = "AES128+EECDH:AES128+EDH";
};
};
});
};
};
}));
default = {};
};
user = config.services.nginx.user;
group = config.services.nginx.group;
imp = {
#services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
# map $http_host $blogid {
# ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
# }
#'';
krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
server-names = [
"${domain}"
"www.${domain}"
];
#(mkIf (multiSite != {})
#)
locations = (if (multiSite != {}) then
[
(nameValuePair "~ ^/files/(.*)$" ''
try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
'')
(nameValuePair "^~ /blogs.dir" ''
internal;
alias ${folder}/wp-content/blogs.dir ;
access_log off; log_not_found off; expires max;
'')
]
else
[]
) ++
[
(nameValuePair "/" ''
try_files $uri $uri/ /index.php?$args;
'')
(nameValuePair "~ \.php$" ''
fastcgi_pass unix:${folder}/phpfpm.pool;
include ${pkgs.nginx}/conf/fastcgi.conf;
'')
(nameValuePair "~ /\\." ''
deny all;
'')
#Directives to send expires headers and turn off 404 error logging.
(nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
access_log off;
log_not_found off;
expires max;
'')
];
extraConfig = ''
root ${folder}/;
index index.php;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
${if ssl.enable then ''
ssl_certificate ${ssl.certificate};
ssl_certificate_key ${ssl.certificate_key};
'' else ""}
'';
listen = (if ssl.enable then
[ "80" "443 ssl" ]
else
"80"
);
});
services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
listen = ${folder}/phpfpm.pool
user = ${user}
group = ${group}
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
listen.owner = ${user}
listen.group = ${group}
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'');
systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
name = "wordpressInit-${name}";
value = {
path = [
pkgs.mysql
pkgs.su
pkgs.gawk
pkgs.jq
];
requiredBy = [ "nginx.service" ];
serviceConfig = let
php.define = name: value:
"define(${php.newdoc name}, ${php.newdoc value});";
php.toString = x:
"'${x}'";
php.newdoc = s:
let b = "EOF${builtins.hashString "sha256" s}"; in
''<<<'${b}'
${s}
${b}
'';
in {
Type = "oneshot";
ExecStart = pkgs.writeScript "wordpressInit" ''
#!/bin/sh
set -euf
wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
get_secret() {
echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
}
to_php_string() {
echo "base64_decode('$(base64)')"
}
{
cat ${toString <secrets/mysql_rootPassword>}
password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
# TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
# TODO as package pkgs.sqlHashPassword
# TODO not using mysql
# SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
user=${shell.escape dbUser}@localhost
database=${shell.escape dbName}
cat << EOF
CREATE DATABASE IF NOT EXISTS $database;
GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
GRANT ALL PRIVILEGES ON $database.* TO $user;
FLUSH PRIVILEGES;
EOF
} | mysql -u root -p
# TODO nix2php for wp-config.php
cat > ${folder}/wp-config.php << EOF
<?php
define('DB_PASSWORD', '$db_password');
define('DB_HOST', 'localhost');
${concatStringsSep "\n" (mapAttrsToList (name: value:
"define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
) {
DB_NAME = dbName;
DB_USER = dbUser;
DB_CHARSET = charset;
DB_COLLATE = collate;
})}
${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
"AUTH_KEY"
"SECURE_AUTH_KEY"
"LOGGED_IN_KEY"
"NONCE_KEY"
"AUTH_SALT"
"SECURE_AUTH_SALT"
"LOGGED_IN_SALT"
"NONCE_SALT"
]}
\$table_prefix = 'wp_';
${if (multiSite != {}) then
"define('WP_ALLOW_MULTISITE', true);"
else
""
}
define('WP_DEBUG', ${toJSON debug});
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
EOF
'';
};
};
});
users.users.nobody2 = mkDefault {
uid = mkDefault (genid "nobody2");
useDefaultShell = mkDefault true;
};
};
indent = replaceChars ["\n"] ["\n "];
in out