summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/owncloud_nginx.nix210
-rw-r--r--lass/3modules/wordpress_nginx.nix265
3 files changed, 0 insertions, 476 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 6588ca0d3..b169fea40 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -8,7 +8,6 @@ _:
./umts.nix
./urxvtd.nix
./usershadow.nix
- ./wordpress_nginx.nix
./xresources.nix
];
}
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
deleted file mode 100644
index 01e07ae66..000000000
--- a/lass/3modules/owncloud_nginx.nix
+++ /dev/null
@@ -1,210 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
- cfg = config.lass.owncloud;
-
- out = {
- options.lass.owncloud = api;
- config = imp;
- };
-
- api = mkOption {
- type = with types; attrsOf (submodule ({ config, ... }: {
- options = {
- domain = mkOption {
- type = str;
- default = config._module.args.name;
- };
- dataDir = mkOption {
- type = str;
- default = "${config.folder}/data";
- };
- dbUser = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- dbName = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- dbType = mkOption {
- # TODO: check for valid dbType
- type = str;
- default = "mysql";
- };
- folder = mkOption {
- type = str;
- default = "/srv/http/${config.domain}";
- };
- auto = mkOption {
- type = bool;
- default = false;
- };
- instanceid = mkOption {
- type = str;
- };
- };
- }));
- default = {};
- };
-
- user = config.services.nginx.user;
- group = config.services.nginx.group;
-
- imp = {
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
- server-names = [
- "${domain}"
- "www.${domain}"
- ];
- locations = [
- (nameValuePair "/" ''
- # The following 2 rules are only needed with webfinger
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
- rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
- rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
-
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
- try_files $uri $uri/ /index.php;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_pass unix:${folder}/phpfpm.pool;
- '')
- (nameValuePair "~ /\\." ''
- deny all;
- '')
- ];
- extraConfig = ''
- root ${folder}/;
- #index index.php;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
-
- # set max upload size
- client_max_body_size 10G;
- fastcgi_buffers 64 4K;
-
- rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
- rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
- rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
-
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
- '';
- });
- services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
- listen = ${folder}/phpfpm.pool
- user = ${user}
- group = ${group}
- pm = dynamic
- pm.max_children = 5
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
- listen.owner = ${user}
- listen.group = ${group}
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '');
- #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
- # name = "owncloudInit-${name}";
- # value = {
- # path = [
- # pkgs.mysql
- # pkgs.su
- # pkgs.gawk
- # pkgs.jq
- # ];
- # requiredBy = [ "nginx.service" ];
- # serviceConfig = let
- # php.define = name: value:
- # "define(${php.newdoc name}, ${php.newdoc value});";
- # php.toString = x:
- # "'${x}'";
- # php.newdoc = s:
- # let b = "EOF${builtins.hashString "sha256" s}"; in
- # ''<<<'${b}'
- # ${s}
- # ${b}
- # '';
- # in {
- # Type = "oneshot";
- # ExecStart = pkgs.writeScript "wordpressInit" ''
- # #!/bin/sh
- # set -euf
- # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
- # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
- # get_secret() {
- # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
- # }
- # to_php_string() {
- # echo "base64_decode('$(base64)')"
- # }
- # {
- # cat ${toString <secrets/mysql_rootPassword>}
- # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
- # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
- # # TODO as package pkgs.sqlHashPassword
- # # TODO not using mysql
- # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
- # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
- # user=${shell.escape dbUser}@localhost
- # database=${shell.escape dbName}
- # cat << EOF
- # CREATE DATABASE IF NOT EXISTS $database;
- # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
- # GRANT ALL PRIVILEGES ON $database.* TO $user;
- # FLUSH PRIVILEGES;
- # EOF
- # } | mysql -u root -p
- # # TODO nix2php for wp-config.php
- # mkdir -p ${folder}/config
- # cat > ${folder}/config/config.php << EOF
- # <?php
- # \$CONFIG = array (
- # 'dbhost' => 'localhost',
- # 'dbtableprefix' => 'oc_',
- # 'dbpassword' => '$db_password',
- # 'installed' => 'true',
- # 'trusted_domains' =>
- # array (
- # 0 => '${domain}',
- # ),
- # 'overwrite.cli.url' => 'http://${domain}',
-
- # ${concatStringsSep "\n" (mapAttrsToList (name: value:
- # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
- # ) {
- # instanceid = instanceid;
- # datadirectory = dataDir;
- # dbtype = dbType;
- # dbname = dbName;
- # dbuser = dbUser;
- # })}
-
- # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
- # "secret"
- # "passwordsalt"
- # ]}
- # );
- # EOF
- # '';
- # };
- # };
- #});
- users.users.nobody_oc = {
- uid = genid "nobody_oc";
- useDefaultShell = true;
- };
- };
-
-in out
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
deleted file mode 100644
index 5d88e3fde..000000000
--- a/lass/3modules/wordpress_nginx.nix
+++ /dev/null
@@ -1,265 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
- cfg = config.lass.wordpress;
-
- out = {
- options.lass.wordpress = api;
- config = imp;
- };
-
- api = mkOption {
- type = with types; attrsOf (submodule ({ config, ... }: {
- options = {
- domain = mkOption {
- type = str;
- default = config._module.args.name;
- };
- dbUser = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- dbName = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- folder = mkOption {
- type = str;
- default = "/srv/http/${config.domain}";
- };
- auto = mkOption {
- type = bool;
- default = false;
- };
- charset = mkOption {
- type = str;
- default = "utf8mb4";
- };
- collate = mkOption {
- type = str;
- default = "";
- };
- debug = mkOption {
- type = bool;
- default = false;
- };
- multiSite = mkOption {
- type = attrsOf str;
- default = {};
- example = {
- "0" = "bla.testsite.de";
- "1" = "test.testsite.de";
- };
- };
- ssl = mkOption {
- type = with types; submodule ({
- options = {
- enable = mkEnableOption "ssl";
- certificate = mkOption {
- type = str;
- };
- certificate_key = mkOption {
- type = str;
- };
- ciphers = mkOption {
- type = str;
- default = "AES128+EECDH:AES128+EDH";
- };
- };
- });
- };
- };
- }));
- default = {};
- };
-
- user = config.services.nginx.user;
- group = config.services.nginx.group;
-
- imp = {
- #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
- # map $http_host $blogid {
- # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
- # }
- #'';
-
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
- server-names = [
- "${domain}"
- "www.${domain}"
- ];
- #(mkIf (multiSite != {})
- #)
- locations = (if (multiSite != {}) then
- [
- (nameValuePair "~ ^/files/(.*)$" ''
- try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
- '')
- (nameValuePair "^~ /blogs.dir" ''
- internal;
- alias ${folder}/wp-content/blogs.dir ;
- access_log off; log_not_found off; expires max;
- '')
- ]
- else
- []
- ) ++
- [
- (nameValuePair "/" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_pass unix:${folder}/phpfpm.pool;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
- (nameValuePair "~ /\\." ''
- deny all;
- '')
- #Directives to send expires headers and turn off 404 error logging.
- (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
- access_log off;
- log_not_found off;
- expires max;
- '')
- ];
- extraConfig = ''
- root ${folder}/;
- index index.php;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
- error_page 404 /404.html;
- error_page 500 502 503 504 /50x.html;
- ${if ssl.enable then ''
- ssl_certificate ${ssl.certificate};
- ssl_certificate_key ${ssl.certificate_key};
- '' else ""}
-
- '';
- listen = (if ssl.enable then
- [ "80" "443 ssl" ]
- else
- "80"
- );
- });
- services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
- listen = ${folder}/phpfpm.pool
- user = ${user}
- group = ${group}
- pm = dynamic
- pm.max_children = 5
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
- listen.owner = ${user}
- listen.group = ${group}
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '');
- systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
- name = "wordpressInit-${name}";
- value = {
- path = [
- pkgs.mysql
- pkgs.su
- pkgs.gawk
- pkgs.jq
- ];
- requiredBy = [ "nginx.service" ];
- serviceConfig = let
- php.define = name: value:
- "define(${php.newdoc name}, ${php.newdoc value});";
- php.toString = x:
- "'${x}'";
- php.newdoc = s:
- let b = "EOF${builtins.hashString "sha256" s}"; in
- ''<<<'${b}'
- ${s}
- ${b}
- '';
- in {
- Type = "oneshot";
- ExecStart = pkgs.writeScript "wordpressInit" ''
- #!/bin/sh
- set -euf
- wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
- db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
- get_secret() {
- echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
- }
- to_php_string() {
- echo "base64_decode('$(base64)')"
- }
- {
- cat ${toString <secrets/mysql_rootPassword>}
- password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
- # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
- # TODO as package pkgs.sqlHashPassword
- # TODO not using mysql
- # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
- passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
- user=${shell.escape dbUser}@localhost
- database=${shell.escape dbName}
- cat << EOF
- CREATE DATABASE IF NOT EXISTS $database;
- GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
- GRANT ALL PRIVILEGES ON $database.* TO $user;
- FLUSH PRIVILEGES;
- EOF
- } | mysql -u root -p
- # TODO nix2php for wp-config.php
- cat > ${folder}/wp-config.php << EOF
- <?php
- define('DB_PASSWORD', '$db_password');
- define('DB_HOST', 'localhost');
-
- ${concatStringsSep "\n" (mapAttrsToList (name: value:
- "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
- ) {
- DB_NAME = dbName;
- DB_USER = dbUser;
- DB_CHARSET = charset;
- DB_COLLATE = collate;
- })}
-
- ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
- "AUTH_KEY"
- "SECURE_AUTH_KEY"
- "LOGGED_IN_KEY"
- "NONCE_KEY"
- "AUTH_SALT"
- "SECURE_AUTH_SALT"
- "LOGGED_IN_SALT"
- "NONCE_SALT"
- ]}
-
- \$table_prefix = 'wp_';
-
- ${if (multiSite != {}) then
- "define('WP_ALLOW_MULTISITE', true);"
- else
- ""
- }
-
- define('WP_DEBUG', ${toJSON debug});
- if ( !defined('ABSPATH') )
- define('ABSPATH', dirname(__FILE__) . '/');
-
- /** Sets up WordPress vars and included files. */
- require_once(ABSPATH . 'wp-settings.php');
- EOF
- '';
- };
- };
- });
- users.users.nobody2 = mkDefault {
- uid = mkDefault (genid "nobody2");
- useDefaultShell = mkDefault true;
- };
- };
-
- indent = replaceChars ["\n"] ["\n "];
-
-in out