diff options
Diffstat (limited to 'lass/3modules')
| -rw-r--r-- | lass/3modules/bitlbee.nix | 153 | ||||
| -rw-r--r-- | lass/3modules/default.nix | 3 | ||||
| -rw-r--r-- | lass/3modules/dnsmasq.nix | 7 | ||||
| -rw-r--r-- | lass/3modules/go.nix | 61 | ||||
| -rw-r--r-- | lass/3modules/wordpress_nginx.nix | 195 |
5 files changed, 196 insertions, 223 deletions
diff --git a/lass/3modules/bitlbee.nix b/lass/3modules/bitlbee.nix deleted file mode 100644 index 8ce560146..000000000 --- a/lass/3modules/bitlbee.nix +++ /dev/null @@ -1,153 +0,0 @@ -{ config, lib, pkgs, ... }: - - -let - - inherit (lib) - mkIf - mkOption - types - singleton - ; - - authModeCheck = v: - v == "Open" || - v == "Closed" || - v == "Registered" - ; - - bitlbeeConfig = pkgs.writeText "bitlbee.conf" '' - [settings] - RunMode = Daemon - User = bitlbee - ConfigDir = ${cfg.configDir} - DaemonInterface = ${cfg.interface} - DaemonPort = ${toString cfg.portNumber} - AuthMode = ${cfg.authMode} - ${lib.optionalString (cfg.hostName != "") "HostName = ${cfg.hostName}"} - ${lib.optionalString (cfg.protocols != "") "Protocols = ${cfg.protocols}"} - ${cfg.extraSettings} - - [defaults] - ${cfg.extraDefaults} - ''; - - cfg = config.lass.bitlbee; - - out = { - options.lass.bitlbee = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkOption { - default = false; - description = '' - Whether to run the BitlBee IRC to other chat network gateway. - Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat - networks via an IRC client. - ''; - }; - - interface = mkOption { - default = "127.0.0.1"; - description = '' - The interface the BitlBee deamon will be listening to. If `127.0.0.1', - only clients on the local host can connect to it; if `0.0.0.0', clients - can access it from any network interface. - ''; - }; - - portNumber = mkOption { - default = 6667; - description = '' - Number of the port BitlBee will be listening to. - ''; - }; - - authMode = mkOption { - default = "Open"; - type = types.addCheck types.str authModeCheck; - description = '' - The following authentication modes are available: - Open -- Accept connections from anyone, use NickServ for user authentication. - Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all. - Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself. - ''; - }; - - hostName = mkOption { - default = ""; - type = types.str; - description = '' - Normally, BitlBee gets a hostname using getsockname(). If you have a nicer - alias for your BitlBee daemon, you can set it here and BitlBee will identify - itself with that name instead. - ''; - }; - - configDir = mkOption { - default = "/var/lib/bitlbee"; - type = types.path; - description = '' - Specify an alternative directory to store all the per-user configuration - files. - ''; - }; - - protocols = mkOption { - default = ""; - type = types.str; - description = '' - This option allows to remove the support of protocol, even if compiled - in. If nothing is given, there are no restrictions. - ''; - }; - - extraSettings = mkOption { - default = ""; - description = '' - Will be inserted in the Settings section of the config file. - ''; - }; - - extraDefaults = mkOption { - default = ""; - description = '' - Will be inserted in the Default section of the config file. - ''; - }; - - bitlbeePkg = mkOption { - default = pkgs.bitlbee; - description = '' - the bitlbee pkg to use. - ''; - }; - }; - - imp = { - users.extraUsers = singleton { - name = "bitlbee"; - uid = config.ids.uids.bitlbee; - description = "BitlBee user"; - home = "/var/lib/bitlbee"; - createHome = true; - }; - - users.extraGroups = singleton { - name = "bitlbee"; - gid = config.ids.gids.bitlbee; - }; - - systemd.services.bitlbee = { - description = "BitlBee IRC to other chat networks gateway"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "bitlbee"; - serviceConfig.ExecStart = "${cfg.bitlbeePkg}/sbin/bitlbee -F -n -c ${bitlbeeConfig}"; - }; - }; - -in -out diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index b081dc3cc..0dcad971c 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -2,12 +2,11 @@ _: { imports = [ ./xresources.nix - ./bitlbee.nix ./folderPerms.nix - ./go.nix ./newsbot-js.nix ./per-user.nix ./urxvtd.nix ./xresources.nix + ./wordpress_nginx.nix ]; } diff --git a/lass/3modules/dnsmasq.nix b/lass/3modules/dnsmasq.nix index 99c165479..83a9cb180 100644 --- a/lass/3modules/dnsmasq.nix +++ b/lass/3modules/dnsmasq.nix @@ -25,13 +25,6 @@ let configFile = pkgs.writeText "dnsmasq.conf" cfg.config; imp = { - #users.extraUsers.go = { - # name = "go"; - # uid = 42774411; #genid go - # description = "go url shortener user"; - # home = "/var/lib/go"; - # createHome = true; - #}; systemd.services.dnsmasq = { description = "dnsmasq"; diff --git a/lass/3modules/go.nix b/lass/3modules/go.nix deleted file mode 100644 index aa900f118..000000000 --- a/lass/3modules/go.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; - -let - cfg = config.lass.go; - - out = { - options.lass.go = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "Enable go url shortener"; - port = mkOption { - type = types.str; - default = "1337"; - description = "on which port go should run on"; - }; - redisKeyPrefix = mkOption { - type = types.str; - default = "go:"; - description = "change the Redis key prefix which defaults to `go:`"; - }; - }; - - imp = { - users.extraUsers.go = { - name = "go"; - uid = 42774411; #genid go - description = "go url shortener user"; - home = "/var/lib/go"; - createHome = true; - }; - - systemd.services.go = { - description = "go url shortener"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - go - ]; - - environment = { - PORT = cfg.port; - REDIS_KEY_PREFIX = cfg.redisKeyPrefix; - }; - - restartIfChanged = true; - - serviceConfig = { - User = "go"; - Restart = "always"; - ExecStart = "${pkgs.go}/bin/go"; - }; - }; - }; - -in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix new file mode 100644 index 000000000..65170698f --- /dev/null +++ b/lass/3modules/wordpress_nginx.nix @@ -0,0 +1,195 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.wordpress; + + out = { + options.lass.wordpress = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + dbUser = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbName = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + auto = mkOption { + type = bool; + default = false; + }; + charset = mkOption { + type = str; + default = "utf8mb4"; + }; + collate = mkOption { + type = str; + default = ""; + }; + debug = mkOption { + type = bool; + default = false; + }; + }; + })); + default = {}; + }; + + dataFolder = "/srv/http"; + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:${dataFolder}/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + extraConfig = '' + root ${dataFolder}/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + }); + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, ... }: '' + listen = ${dataFolder}/${domain}/phpfpm.pool + user = ${user} + group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = ${user} + listen.group = ${group} + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''); + systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, ... }: { + name = "wordpressInit-${name}"; + value = { + path = [ + pkgs.mysql + pkgs.su + pkgs.gawk + pkgs.jq + ]; + requiredBy = [ "nginx.service" ]; + serviceConfig = let + php.define = name: value: + "define(${php.newdoc name}, ${php.newdoc value});"; + php.toString = x: + "'${x}'"; + php.newdoc = s: + let b = "EOF${builtins.hashString "sha256" s}"; in + ''<<<'${b}' + ${s} + ${b} + ''; + in { + Type = "oneshot"; + ExecStart = pkgs.writeScript "wordpressInit" '' + #!/bin/sh + set -euf + wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"} + db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) + get_secret() { + echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));" + } + to_php_string() { + echo "base64_decode('$(base64)')" + } + { + cat ${toString <secrets/mysql_rootPassword>} + password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) + # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") + # TODO as package pkgs.sqlHashPassword + # TODO not using mysql + # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; + passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") + user=${shell.escape dbUser}@localhost + database=${shell.escape dbName} + cat << EOF + CREATE DATABASE IF NOT EXISTS $database; + GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; + GRANT ALL PRIVILEGES ON $database.* TO $user; + FLUSH PRIVILEGES; + EOF + } | mysql -u root -p + # TODO nix2php for wp-config.php + cat > ${folder}/wp-config.php << EOF + <?php + define('DB_PASSWORD', '$db_password'); + define('DB_HOST', 'localhost'); + + ${concatStringsSep "\n" (mapAttrsToList (name: value: + "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));" + ) { + DB_NAME = dbName; + DB_USER = dbUser; + DB_CHARSET = charset; + DB_COLLATE = collate; + })} + + ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ + "AUTH_KEY" + "SECURE_AUTH_KEY" + "LOGGED_IN_KEY" + "NONCE_KEY" + "AUTH_SALT" + "SECURE_AUTH_SALT" + "LOGGED_IN_SALT" + "NONCE_SALT" + ]} + + \$table_prefix = 'wp_'; + define('WP_DEBUG', ${toJSON debug}); + if ( !defined('ABSPATH') ) + define('ABSPATH', dirname(__FILE__) . '/'); + + /** Sets up WordPress vars and included files. */ + require_once(ABSPATH . 'wp-settings.php'); + EOF + ''; + }; + }; + }); + users.users.nobody2 = { + uid = 125816384; # genid nobody2 + useDefaultShell = true; + }; + }; + +in out |