diff options
-rw-r--r-- | lass/3modules/owncloud_nginx.nix | 215 | ||||
-rw-r--r-- | lass/3modules/static_nginx.nix | 49 | ||||
-rw-r--r-- | lass/3modules/wordpress_nginx.nix | 66 |
3 files changed, 319 insertions, 11 deletions
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix new file mode 100644 index 000000000..a0db87b0b --- /dev/null +++ b/lass/3modules/owncloud_nginx.nix @@ -0,0 +1,215 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.owncloud; + + out = { + options.lass.owncloud = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + dataDir = mkOption { + type = str; + default = "${config.folder}/data"; + }; + dbUser = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbName = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbType = mkOption { + # TODO: check for valid dbType + type = str; + default = "mysql"; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + auto = mkOption { + type = bool; + default = false; + }; + instanceid = mkOption { + type = str; + }; + ssl = mkOption { + type = bool; + default = false; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ /index.php; + '') + (nameValuePair "~ \.php$" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:${folder}/phpfpm.pool; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + extraConfig = '' + root ${folder}/; + #index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + ''; + }); + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' + listen = ${folder}/phpfpm.pool + user = ${user} + group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = ${user} + listen.group = ${group} + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''); + #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: { + # name = "owncloudInit-${name}"; + # value = { + # path = [ + # pkgs.mysql + # pkgs.su + # pkgs.gawk + # pkgs.jq + # ]; + # requiredBy = [ "nginx.service" ]; + # serviceConfig = let + # php.define = name: value: + # "define(${php.newdoc name}, ${php.newdoc value});"; + # php.toString = x: + # "'${x}'"; + # php.newdoc = s: + # let b = "EOF${builtins.hashString "sha256" s}"; in + # ''<<<'${b}' + # ${s} + # ${b} + # ''; + # in { + # Type = "oneshot"; + # ExecStart = pkgs.writeScript "wordpressInit" '' + # #!/bin/sh + # set -euf + # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"} + # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) + # get_secret() { + # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string)," + # } + # to_php_string() { + # echo "base64_decode('$(base64)')" + # } + # { + # cat ${toString <secrets/mysql_rootPassword>} + # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) + # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") + # # TODO as package pkgs.sqlHashPassword + # # TODO not using mysql + # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; + # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") + # user=${shell.escape dbUser}@localhost + # database=${shell.escape dbName} + # cat << EOF + # CREATE DATABASE IF NOT EXISTS $database; + # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; + # GRANT ALL PRIVILEGES ON $database.* TO $user; + # FLUSH PRIVILEGES; + # EOF + # } | mysql -u root -p + # # TODO nix2php for wp-config.php + # mkdir -p ${folder}/config + # cat > ${folder}/config/config.php << EOF + # <?php + # \$CONFIG = array ( + # 'dbhost' => 'localhost', + # 'dbtableprefix' => 'oc_', + # 'dbpassword' => '$db_password', + # 'installed' => 'true', + # 'trusted_domains' => + # array ( + # 0 => '${domain}', + # ), + # 'overwrite.cli.url' => 'http://${domain}', + + # ${concatStringsSep "\n" (mapAttrsToList (name: value: + # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string)," + # ) { + # instanceid = instanceid; + # datadirectory = dataDir; + # dbtype = dbType; + # dbname = dbName; + # dbuser = dbUser; + # })} + + # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ + # "secret" + # "passwordsalt" + # ]} + # ); + # EOF + # ''; + # }; + # }; + #}); + users.users.nobody_oc = { + uid = 1651469147; # genid nobody_oc + useDefaultShell = true; + }; + }; + +in out diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix new file mode 100644 index 000000000..cc2641af2 --- /dev/null +++ b/lass/3modules/static_nginx.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.staticPage; + + out = { + options.lass.staticPage = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root ${folder}; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + }); + }; + +in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix index 65170698f..2f31f6e02 100644 --- a/lass/3modules/wordpress_nginx.nix +++ b/lass/3modules/wordpress_nginx.nix @@ -45,35 +45,70 @@ let type = bool; default = false; }; + multiSite = mkOption { + type = attrsOf str; + default = {}; + example = { + "0" = "bla.testsite.de"; + "1" = "test.testsite.de"; + }; + }; }; })); default = {}; }; - dataFolder = "/srv/http"; user = config.services.nginx.user; group = config.services.nginx.group; imp = { - krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, ... }: { + #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) '' + # map $http_host $blogid { + # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)} + # } + #''; + + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: { server-names = [ "${domain}" "www.${domain}" ]; - locations = [ + #(mkIf (multiSite != {}) + #) + locations = (if (multiSite != {}) then + [ + (nameValuePair "~ ^/files/(.*)$" '' + try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ; + '') + (nameValuePair "^~ /blogs.dir" '' + internal; + alias ${folder}/wp-content/blogs.dir ; + access_log off; log_not_found off; expires max; + '') + ] + else + [] + ) ++ + [ (nameValuePair "/" '' try_files $uri $uri/ /index.php?$args; '') (nameValuePair "~ \.php$" '' - fastcgi_pass unix:${dataFolder}/${domain}/phpfpm.pool; + fastcgi_pass unix:${folder}/phpfpm.pool; include ${pkgs.nginx}/conf/fastcgi.conf; '') (nameValuePair "~ /\\." '' deny all; '') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') ]; extraConfig = '' - root ${dataFolder}/${domain}/; + root ${folder}/; index index.php; access_log /tmp/nginx_acc.log; error_log /tmp/nginx_err.log; @@ -81,8 +116,8 @@ let error_page 500 502 503 504 /50x.html; ''; }); - services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, ... }: '' - listen = ${dataFolder}/${domain}/phpfpm.pool + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' + listen = ${folder}/phpfpm.pool user = ${user} group = ${group} pm = dynamic @@ -97,7 +132,7 @@ let php_admin_flag[log_errors] = on catch_workers_output = yes ''); - systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, ... }: { + systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: { name = "wordpressInit-${name}"; value = { path = [ @@ -175,6 +210,13 @@ let ]} \$table_prefix = 'wp_'; + + ${if (multiSite != {}) then + "define('WP_ALLOW_MULTISITE', true);" + else + "" + } + define('WP_DEBUG', ${toJSON debug}); if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/'); @@ -186,10 +228,12 @@ let }; }; }); - users.users.nobody2 = { - uid = 125816384; # genid nobody2 - useDefaultShell = true; + users.users.nobody2 = mkDefault { + uid = mkDefault 125816384; # genid nobody2 + useDefaultShell = mkDefault true; }; }; + indent = replaceChars ["\n"] ["\n "]; + in out |