diff options
Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lass/3modules/owncloud_nginx.nix | 210 | ||||
-rw-r--r-- | lass/3modules/wordpress_nginx.nix | 265 |
3 files changed, 0 insertions, 476 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 6588ca0d3..b169fea40 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -8,7 +8,6 @@ _: ./umts.nix ./urxvtd.nix ./usershadow.nix - ./wordpress_nginx.nix ./xresources.nix ]; } diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix deleted file mode 100644 index 01e07ae66..000000000 --- a/lass/3modules/owncloud_nginx.nix +++ /dev/null @@ -1,210 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; - -let - cfg = config.lass.owncloud; - - out = { - options.lass.owncloud = api; - config = imp; - }; - - api = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - domain = mkOption { - type = str; - default = config._module.args.name; - }; - dataDir = mkOption { - type = str; - default = "${config.folder}/data"; - }; - dbUser = mkOption { - type = str; - default = replaceStrings ["."] ["_"] config.domain; - }; - dbName = mkOption { - type = str; - default = replaceStrings ["."] ["_"] config.domain; - }; - dbType = mkOption { - # TODO: check for valid dbType - type = str; - default = "mysql"; - }; - folder = mkOption { - type = str; - default = "/srv/http/${config.domain}"; - }; - auto = mkOption { - type = bool; - default = false; - }; - instanceid = mkOption { - type = str; - }; - }; - })); - default = {}; - }; - - user = config.services.nginx.user; - group = config.services.nginx.group; - - imp = { - krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - # The following 2 rules are only needed with webfinger - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - - rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; - - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - - try_files $uri $uri/ /index.php; - '') - (nameValuePair "~ \.php$" '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_pass unix:${folder}/phpfpm.pool; - '') - (nameValuePair "~ /\\." '' - deny all; - '') - ]; - extraConfig = '' - root ${folder}/; - #index index.php; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - - rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; - rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; - rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; - - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - ''; - }); - services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' - listen = ${folder}/phpfpm.pool - user = ${user} - group = ${group} - pm = dynamic - pm.max_children = 5 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - listen.owner = ${user} - listen.group = ${group} - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''); - #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: { - # name = "owncloudInit-${name}"; - # value = { - # path = [ - # pkgs.mysql - # pkgs.su - # pkgs.gawk - # pkgs.jq - # ]; - # requiredBy = [ "nginx.service" ]; - # serviceConfig = let - # php.define = name: value: - # "define(${php.newdoc name}, ${php.newdoc value});"; - # php.toString = x: - # "'${x}'"; - # php.newdoc = s: - # let b = "EOF${builtins.hashString "sha256" s}"; in - # ''<<<'${b}' - # ${s} - # ${b} - # ''; - # in { - # Type = "oneshot"; - # ExecStart = pkgs.writeScript "wordpressInit" '' - # #!/bin/sh - # set -euf - # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"} - # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) - # get_secret() { - # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string)," - # } - # to_php_string() { - # echo "base64_decode('$(base64)')" - # } - # { - # cat ${toString <secrets/mysql_rootPassword>} - # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) - # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") - # # TODO as package pkgs.sqlHashPassword - # # TODO not using mysql - # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; - # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") - # user=${shell.escape dbUser}@localhost - # database=${shell.escape dbName} - # cat << EOF - # CREATE DATABASE IF NOT EXISTS $database; - # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; - # GRANT ALL PRIVILEGES ON $database.* TO $user; - # FLUSH PRIVILEGES; - # EOF - # } | mysql -u root -p - # # TODO nix2php for wp-config.php - # mkdir -p ${folder}/config - # cat > ${folder}/config/config.php << EOF - # <?php - # \$CONFIG = array ( - # 'dbhost' => 'localhost', - # 'dbtableprefix' => 'oc_', - # 'dbpassword' => '$db_password', - # 'installed' => 'true', - # 'trusted_domains' => - # array ( - # 0 => '${domain}', - # ), - # 'overwrite.cli.url' => 'http://${domain}', - - # ${concatStringsSep "\n" (mapAttrsToList (name: value: - # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string)," - # ) { - # instanceid = instanceid; - # datadirectory = dataDir; - # dbtype = dbType; - # dbname = dbName; - # dbuser = dbUser; - # })} - - # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ - # "secret" - # "passwordsalt" - # ]} - # ); - # EOF - # ''; - # }; - # }; - #}); - users.users.nobody_oc = { - uid = genid "nobody_oc"; - useDefaultShell = true; - }; - }; - -in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix deleted file mode 100644 index 5d88e3fde..000000000 --- a/lass/3modules/wordpress_nginx.nix +++ /dev/null @@ -1,265 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; - -let - cfg = config.lass.wordpress; - - out = { - options.lass.wordpress = api; - config = imp; - }; - - api = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - domain = mkOption { - type = str; - default = config._module.args.name; - }; - dbUser = mkOption { - type = str; - default = replaceStrings ["."] ["_"] config.domain; - }; - dbName = mkOption { - type = str; - default = replaceStrings ["."] ["_"] config.domain; - }; - folder = mkOption { - type = str; - default = "/srv/http/${config.domain}"; - }; - auto = mkOption { - type = bool; - default = false; - }; - charset = mkOption { - type = str; - default = "utf8mb4"; - }; - collate = mkOption { - type = str; - default = ""; - }; - debug = mkOption { - type = bool; - default = false; - }; - multiSite = mkOption { - type = attrsOf str; - default = {}; - example = { - "0" = "bla.testsite.de"; - "1" = "test.testsite.de"; - }; - }; - ssl = mkOption { - type = with types; submodule ({ - options = { - enable = mkEnableOption "ssl"; - certificate = mkOption { - type = str; - }; - certificate_key = mkOption { - type = str; - }; - ciphers = mkOption { - type = str; - default = "AES128+EECDH:AES128+EDH"; - }; - }; - }); - }; - }; - })); - default = {}; - }; - - user = config.services.nginx.user; - group = config.services.nginx.group; - - imp = { - #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) '' - # map $http_host $blogid { - # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)} - # } - #''; - - krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: { - server-names = [ - "${domain}" - "www.${domain}" - ]; - #(mkIf (multiSite != {}) - #) - locations = (if (multiSite != {}) then - [ - (nameValuePair "~ ^/files/(.*)$" '' - try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ; - '') - (nameValuePair "^~ /blogs.dir" '' - internal; - alias ${folder}/wp-content/blogs.dir ; - access_log off; log_not_found off; expires max; - '') - ] - else - [] - ) ++ - [ - (nameValuePair "/" '' - try_files $uri $uri/ /index.php?$args; - '') - (nameValuePair "~ \.php$" '' - fastcgi_pass unix:${folder}/phpfpm.pool; - include ${pkgs.nginx}/conf/fastcgi.conf; - '') - (nameValuePair "~ /\\." '' - deny all; - '') - #Directives to send expires headers and turn off 404 error logging. - (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' - access_log off; - log_not_found off; - expires max; - '') - ]; - extraConfig = '' - root ${folder}/; - index index.php; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - ${if ssl.enable then '' - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - '' else ""} - - ''; - listen = (if ssl.enable then - [ "80" "443 ssl" ] - else - "80" - ); - }); - services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' - listen = ${folder}/phpfpm.pool - user = ${user} - group = ${group} - pm = dynamic - pm.max_children = 5 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - listen.owner = ${user} - listen.group = ${group} - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''); - systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: { - name = "wordpressInit-${name}"; - value = { - path = [ - pkgs.mysql - pkgs.su - pkgs.gawk - pkgs.jq - ]; - requiredBy = [ "nginx.service" ]; - serviceConfig = let - php.define = name: value: - "define(${php.newdoc name}, ${php.newdoc value});"; - php.toString = x: - "'${x}'"; - php.newdoc = s: - let b = "EOF${builtins.hashString "sha256" s}"; in - ''<<<'${b}' - ${s} - ${b} - ''; - in { - Type = "oneshot"; - ExecStart = pkgs.writeScript "wordpressInit" '' - #!/bin/sh - set -euf - wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"} - db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) - get_secret() { - echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));" - } - to_php_string() { - echo "base64_decode('$(base64)')" - } - { - cat ${toString <secrets/mysql_rootPassword>} - password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) - # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") - # TODO as package pkgs.sqlHashPassword - # TODO not using mysql - # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; - passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") - user=${shell.escape dbUser}@localhost - database=${shell.escape dbName} - cat << EOF - CREATE DATABASE IF NOT EXISTS $database; - GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; - GRANT ALL PRIVILEGES ON $database.* TO $user; - FLUSH PRIVILEGES; - EOF - } | mysql -u root -p - # TODO nix2php for wp-config.php - cat > ${folder}/wp-config.php << EOF - <?php - define('DB_PASSWORD', '$db_password'); - define('DB_HOST', 'localhost'); - - ${concatStringsSep "\n" (mapAttrsToList (name: value: - "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));" - ) { - DB_NAME = dbName; - DB_USER = dbUser; - DB_CHARSET = charset; - DB_COLLATE = collate; - })} - - ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ - "AUTH_KEY" - "SECURE_AUTH_KEY" - "LOGGED_IN_KEY" - "NONCE_KEY" - "AUTH_SALT" - "SECURE_AUTH_SALT" - "LOGGED_IN_SALT" - "NONCE_SALT" - ]} - - \$table_prefix = 'wp_'; - - ${if (multiSite != {}) then - "define('WP_ALLOW_MULTISITE', true);" - else - "" - } - - define('WP_DEBUG', ${toJSON debug}); - if ( !defined('ABSPATH') ) - define('ABSPATH', dirname(__FILE__) . '/'); - - /** Sets up WordPress vars and included files. */ - require_once(ABSPATH . 'wp-settings.php'); - EOF - ''; - }; - }; - }); - users.users.nobody2 = mkDefault { - uid = mkDefault (genid "nobody2"); - useDefaultShell = mkDefault true; - }; - }; - - indent = replaceChars ["\n"] ["\n "]; - -in out |