| author | Alejandro Soto <alejandro@34project.org> | 2025-08-24 18:55:06 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-08-24 18:55:06 -0600 |
| commit | d7ac88762db111a7962c4e14b5f4e37ab85ccac7 (patch) | |
| tree | 0c2c8c4383bef74215e3b7c48a2f6b0117f084bc /sys/web | |
| parent | 504589d1035f27b766bd33040b415b2725ece4ca (diff) | |
tree-wide: reformat using alejandra after enabling trivionomicon
Diffstat (limited to '')
| -rw-r--r-- | sys/web/nginx.nix | 17 | ||||
| -rw-r--r-- | sys/web/php-fpm.nix | 252 | ||||
| -rw-r--r-- | sys/web/sites/home.nix | 11 | ||||
| -rw-r--r-- | sys/web/sites/host.nix | 61 | ||||
| -rw-r--r-- | sys/web/sites/portal.nix | 15 |
5 files changed, 188 insertions, 168 deletions
diff --git a/sys/web/nginx.nix b/sys/web/nginx.nix index b6e7414..a054289 100644 --- a/sys/web/nginx.nix +++ b/sys/web/nginx.nix @@ -1,9 +1,12 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: with lib; let cfg = config.local.web; inherit (config.local) domains; -in -{ +in { options.local.web = { enable = mkEnableOption "web server"; @@ -13,7 +16,7 @@ in ownedCerts = mkOption { type = with lib.types; listOf str; - default = [ ]; + default = []; }; }; @@ -72,7 +75,7 @@ in }) cfg.ownedCerts); - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [80 443]; security = { acme.certs = listToAttrs (map @@ -80,12 +83,12 @@ in name = domains.${name}.main; value = { group = mkDefault config.services.nginx.group; - reloadServices = [ "nginx.service" ]; + reloadServices = ["nginx.service"]; }; }) cfg.ownedCerts); - dhparams.params.nginx = { }; + dhparams.params.nginx = {}; }; }; } diff --git a/sys/web/php-fpm.nix b/sys/web/php-fpm.nix index 65276ba..33efe1a 100644 --- a/sys/web/php-fpm.nix +++ b/sys/web/php-fpm.nix 
@@ -2,151 +2,153 @@ # See also: # - <https://albert.cx/20181125-use-separate-systemd-units-for-php-fpm-pools> # - <https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/> - -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: with lib; let cfg = config.services.php-fpm-isolated; - configFile = { pool, poolOpts, runtimeDir, sockFile, pidFile }: - let - config = { - global = { - daemonize = false; - error_log = "syslog"; - pid = pidFile; - }; + configFile = { + pool, + poolOpts, + runtimeDir, + sockFile, + pidFile, + }: let + config = { + global = { + daemonize = false; + error_log = "syslog"; + pid = pidFile; + }; - "${pool}" = - let - enforced = { - inherit (poolOpts) user group; - listen = sockFile; - }; + "${pool}" = let + enforced = { + inherit (poolOpts) user group; + listen = sockFile; + }; - defaults = { - "pm" = "dynamic"; - "pm.max_children" = 16; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 4; - "pm.start_servers" = 1; - "catch_workers_output" = true; - "php_admin_flag[log_errors]" = true; - "env[PATH]" = makeBinPath [ pkgs.php ]; - }; + defaults = { + "pm" = "dynamic"; + "pm.max_children" = 16; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 4; + "pm.start_servers" = 1; + "catch_workers_output" = true; + "php_admin_flag[log_errors]" = true; + "env[PATH]" = makeBinPath [pkgs.php]; + }; - env = mapAttrs' - (name: value: { - name = "env[${name}]"; - value = "\"${escape [ "\"" ] value}\""; - }) - poolOpts.env; - in - defaults // poolOpts.config // env // enforced; - }; - in - (pkgs.formats.ini { }).generate "php-fpm-pool-${pool}.conf" config; -in -{ + env = + mapAttrs' + (name: value: { + name = "env[${name}]"; + value = "\"${escape ["\""] value}\""; + }) + poolOpts.env; + in + defaults // poolOpts.config // env // enforced; + }; + in + (pkgs.formats.ini {}).generate "php-fpm-pool-${pool}.conf" config; +in { options.services.php-fpm-isolated.pools = mkOption { - default = { }; + default = {}; - type = with 
types; attrsOf (submodule { - options = { - enable = mkEnableOption "PHP-FPM pool"; + type = with types; + attrsOf (submodule { + options = { + enable = mkEnableOption "PHP-FPM pool"; - user = mkOption { - type = str; - }; + user = mkOption { + type = str; + }; - group = mkOption { - type = str; - }; + group = mkOption { + type = str; + }; - unveil = mkOption { - type = listOf (either package str); - }; + unveil = mkOption { + type = listOf (either package str); + }; - env = mkOption { - type = attrsOf str; - default = { }; - }; + env = mkOption { + type = attrsOf str; + default = {}; + }; - config = mkOption { - type = attrsOf (oneOf [ int str bool ]); - default = { }; + config = mkOption { + type = attrsOf (oneOf [int str bool]); + default = {}; + }; }; - }; - }); + }); }; - config.systemd = - let - php-fpm = "${pkgs.php}/bin/php-fpm"; - - unitsFor = pool: poolOpts: - let - runtimeBase = "php-fpm-isolated/${pool}"; - runtimeDir = "/run/${runtimeBase}"; - pidFile = "${runtimeDir}/${pool}.pid"; - sockFile = "${runtimeDir}/${pool}.sock"; - in - { - name = "php-fpm-pool-${pool}"; - - value.service = { - description = "PHP-FPM process manager for pool '${pool}'"; - after = [ "network.target" ]; - - confinement.enable = true; - - serviceConfig = { - Type = "notify"; - ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; - PIDFile = pidFile; - - Environment = "FPM_SOCKETS=${sockFile}=3"; - - ExecStart = - let - fpmConfig = configFile { - inherit pool poolOpts runtimeDir sockFile pidFile; - }; - in - "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}"; - - PrivateTmp = true; - PrivateNetwork = true; - PrivateDevices = true; - # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work - RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; - - User = poolOpts.user; - Group = poolOpts.group; - RuntimeDirectory = runtimeBase; - - BindReadOnlyPaths = - let - unveiled = map builtins.toString poolOpts.unveil; - in - [ 
"/run/systemd/journal/socket" ] ++ unveiled; - }; - }; + config.systemd = let + php-fpm = "${pkgs.php}/bin/php-fpm"; + + unitsFor = pool: poolOpts: let + runtimeBase = "php-fpm-isolated/${pool}"; + runtimeDir = "/run/${runtimeBase}"; + pidFile = "${runtimeDir}/${pool}.pid"; + sockFile = "${runtimeDir}/${pool}.sock"; + in { + name = "php-fpm-pool-${pool}"; - value.socket = { - description = "PHP-FPM socket for pool '${pool}'"; - listenStreams = [ sockFile ]; + value.service = { + description = "PHP-FPM process manager for pool '${pool}'"; + after = ["network.target"]; - socketConfig = { - User = poolOpts.user; - Group = poolOpts.group; + confinement.enable = true; + + serviceConfig = { + Type = "notify"; + ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID"; + PIDFile = pidFile; + + Environment = "FPM_SOCKETS=${sockFile}=3"; + + ExecStart = let + fpmConfig = configFile { + inherit pool poolOpts runtimeDir sockFile pidFile; }; - }; + in "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}"; + + PrivateTmp = true; + PrivateNetwork = true; + PrivateDevices = true; + # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work + RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK"; + + User = poolOpts.user; + Group = poolOpts.group; + RuntimeDirectory = runtimeBase; + + BindReadOnlyPaths = let + unveiled = map builtins.toString poolOpts.unveil; + in + ["/run/systemd/journal/socket"] ++ unveiled; }; + }; + + value.socket = { + description = "PHP-FPM socket for pool '${pool}'"; + listenStreams = [sockFile]; - units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools); - in - { - sockets = mapAttrs (_: unit: unit.socket) units; - services = mapAttrs (_: unit: unit.service) units; + socketConfig = { + User = poolOpts.user; + Group = poolOpts.group; + }; + }; }; + + units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools); + in { + sockets = mapAttrs (_: unit: unit.socket) units; + services = 
mapAttrs (_: unit: unit.service) units; + }; } diff --git a/sys/web/sites/home.nix b/sys/web/sites/home.nix index 616bf94..fed9b84 100644 --- a/sys/web/sites/home.nix +++ b/sys/web/sites/home.nix @@ -1,9 +1,12 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: with lib; let cfg = config.local.web.sites.home; inherit (config.local) domains; -in -{ +in { options.local.web.sites.home = { enable = mkEnableOption "home site"; @@ -15,7 +18,7 @@ in config = mkIf cfg.enable { local.web = { enable = mkDefault true; - ownedCerts = [ "home" ]; + ownedCerts = ["home"]; }; services.nginx.virtualHosts.${domains.home.main} = { diff --git a/sys/web/sites/host.nix b/sys/web/sites/host.nix index 32ef1a6..ea6cc23 100644 --- a/sys/web/sites/host.nix +++ b/sys/web/sites/host.nix @@ -1,4 +1,8 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: with lib; let cfg = config.local.web.sites.host; @@ -10,15 +14,15 @@ with lib; let hostDomainName = "host-${hostname}"; userCerts = flatten (flatten (mapAttrsToList - (name: user: map + (name: user: + map (cert: { fprint = config.local.pki.byPath.${cert}.fingerprint.sha1-lower; inherit name; }) user.mail.certs) users)); -in -{ +in { options.local.web.sites.host = { enable = mkEnableOption "host site, restricted to per-user client certs"; }; @@ -26,7 +30,7 @@ in config = mkIf cfg.enable { local.web = { enable = mkDefault true; - ownedCerts = [ hostDomainName ]; + ownedCerts = [hostDomainName]; }; services = { 
@@ -53,31 +57,36 @@ in #} ''; - locations = { - "/".return = 403; - } // concatMapAttrs - (name: user: - let - userLocation = config: { - extraConfig = '' + locations = + { + "/".return = 403; + } + // concatMapAttrs + (name: user: let + userLocation = config: { + extraConfig = + '' if ($host_user_from_fprint != "${name}") { return 403; } - '' + config; - }; + '' + + config; + }; - userLocations = { + userLocations = + { "/${name}" = '' return 404; ''; - } // optionalAttrs user.mail.dav { + } + // optionalAttrs user.mail.dav { "/${name}/dav" = '' proxy_pass http://unix:/run/host-www/${name}/dav.sock; ''; }; - in + in mapAttrs (_: userLocation) userLocations) - (filterAttrs (_: user: user.mail.certs != [ ]) users); + (filterAttrs (_: user: user.mail.certs != []) users); }; }; }; @@ -85,13 +94,13 @@ in systemd.tmpfiles.settings."10-run-host-www" = concatMapAttrs - (name: _: { - "/run/host-www/${name}".d = { - mode = "0750"; - user = name; - group = "nginx"; - }; - }) - users; + (name: _: { + "/run/host-www/${name}".d = { + mode = "0750"; + user = name; + group = "nginx"; + }; + }) + users; }; } diff --git a/sys/web/sites/portal.nix b/sys/web/sites/portal.nix index 2365ba1..fe96cfb 100644 --- a/sys/web/sites/portal.nix +++ b/sys/web/sites/portal.nix @@ -1,9 +1,12 @@ -{ config, lib, ... }: +{ + config, + lib, + ... +}: with lib; let cfg = config.local.web.sites.portal; inherit (config.local) domains; -in -{ +in { options.local.web.sites.portal = { enable = mkEnableOption "public non-fqdn portal"; }; @@ -11,7 +14,7 @@ in config = mkIf cfg.enable { local.web = { enable = mkDefault true; - ownedCerts = [ "host" "exdev" ]; + ownedCerts = ["host" "exdev"]; defaultACMEHost = domains.host.main; }; 
@@ -19,13 +22,13 @@ in ${domains.host.www} = { forceSSL = true; useACMEHost = domains.host.main; - serverAliases = [ domains.host.main ]; + serverAliases = [domains.host.main]; }; ${domains.exdev.main} = { forceSSL = true; useACMEHost = domains.exdev.main; - serverAliases = [ domains.exdev.www ]; + serverAliases = [domains.exdev.www]; locations."/fsociety".return = "301 https://meet.posixlycorrect.com/%C6%92%C6%A8%C5%8F%C4%8B%D3%80%C9%99%CF%AE%D0%A3"; }; |
