Diffstat (limited to '')
-rw-r--r--sys/web/nginx.nix17
-rw-r--r--sys/web/php-fpm.nix252
-rw-r--r--sys/web/sites/home.nix11
-rw-r--r--sys/web/sites/host.nix61
-rw-r--r--sys/web/sites/portal.nix15
5 files changed, 188 insertions, 168 deletions
diff --git a/sys/web/nginx.nix b/sys/web/nginx.nix
index b6e7414..a054289 100644
--- a/sys/web/nginx.nix
+++ b/sys/web/nginx.nix
@@ -1,9 +1,12 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ ...
+}:
with lib; let
cfg = config.local.web;
inherit (config.local) domains;
-in
-{
+in {
options.local.web = {
enable = mkEnableOption "web server";
@@ -13,7 +16,7 @@ in
ownedCerts = mkOption {
type = with lib.types; listOf str;
- default = [ ];
+ default = [];
};
};
@@ -72,7 +75,7 @@ in
})
cfg.ownedCerts);
- networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.allowedTCPPorts = [80 443];
security = {
acme.certs = listToAttrs (map
@@ -80,12 +83,12 @@ in
name = domains.${name}.main;
value = {
group = mkDefault config.services.nginx.group;
- reloadServices = [ "nginx.service" ];
+ reloadServices = ["nginx.service"];
};
})
cfg.ownedCerts);
- dhparams.params.nginx = { };
+ dhparams.params.nginx = {};
};
};
}
diff --git a/sys/web/php-fpm.nix b/sys/web/php-fpm.nix
index 65276ba..33efe1a 100644
--- a/sys/web/php-fpm.nix
+++ b/sys/web/php-fpm.nix
@@ -2,151 +2,153 @@
# See also:
# - <https://albert.cx/20181125-use-separate-systemd-units-for-php-fpm-pools>
# - <https://freedesktop.org/wiki/Software/systemd/DaemonSocketActivation/>
-
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
with lib; let
cfg = config.services.php-fpm-isolated;
- configFile = { pool, poolOpts, runtimeDir, sockFile, pidFile }:
- let
- config = {
- global = {
- daemonize = false;
- error_log = "syslog";
- pid = pidFile;
- };
+ configFile = {
+ pool,
+ poolOpts,
+ runtimeDir,
+ sockFile,
+ pidFile,
+ }: let
+ config = {
+ global = {
+ daemonize = false;
+ error_log = "syslog";
+ pid = pidFile;
+ };
- "${pool}" =
- let
- enforced = {
- inherit (poolOpts) user group;
- listen = sockFile;
- };
+ "${pool}" = let
+ enforced = {
+ inherit (poolOpts) user group;
+ listen = sockFile;
+ };
- defaults = {
- "pm" = "dynamic";
- "pm.max_children" = 16;
- "pm.min_spare_servers" = 1;
- "pm.max_spare_servers" = 4;
- "pm.start_servers" = 1;
- "catch_workers_output" = true;
- "php_admin_flag[log_errors]" = true;
- "env[PATH]" = makeBinPath [ pkgs.php ];
- };
+ defaults = {
+ "pm" = "dynamic";
+ "pm.max_children" = 16;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 4;
+ "pm.start_servers" = 1;
+ "catch_workers_output" = true;
+ "php_admin_flag[log_errors]" = true;
+ "env[PATH]" = makeBinPath [pkgs.php];
+ };
- env = mapAttrs'
- (name: value: {
- name = "env[${name}]";
- value = "\"${escape [ "\"" ] value}\"";
- })
- poolOpts.env;
- in
- defaults // poolOpts.config // env // enforced;
- };
- in
- (pkgs.formats.ini { }).generate "php-fpm-pool-${pool}.conf" config;
-in
-{
+ env =
+ mapAttrs'
+ (name: value: {
+ name = "env[${name}]";
+ value = "\"${escape ["\""] value}\"";
+ })
+ poolOpts.env;
+ in
+ defaults // poolOpts.config // env // enforced;
+ };
+ in
+ (pkgs.formats.ini {}).generate "php-fpm-pool-${pool}.conf" config;
+in {
options.services.php-fpm-isolated.pools = mkOption {
- default = { };
+ default = {};
- type = with types; attrsOf (submodule {
- options = {
- enable = mkEnableOption "PHP-FPM pool";
+ type = with types;
+ attrsOf (submodule {
+ options = {
+ enable = mkEnableOption "PHP-FPM pool";
- user = mkOption {
- type = str;
- };
+ user = mkOption {
+ type = str;
+ };
- group = mkOption {
- type = str;
- };
+ group = mkOption {
+ type = str;
+ };
- unveil = mkOption {
- type = listOf (either package str);
- };
+ unveil = mkOption {
+ type = listOf (either package str);
+ };
- env = mkOption {
- type = attrsOf str;
- default = { };
- };
+ env = mkOption {
+ type = attrsOf str;
+ default = {};
+ };
- config = mkOption {
- type = attrsOf (oneOf [ int str bool ]);
- default = { };
+ config = mkOption {
+ type = attrsOf (oneOf [int str bool]);
+ default = {};
+ };
};
- };
- });
+ });
};
- config.systemd =
- let
- php-fpm = "${pkgs.php}/bin/php-fpm";
-
- unitsFor = pool: poolOpts:
- let
- runtimeBase = "php-fpm-isolated/${pool}";
- runtimeDir = "/run/${runtimeBase}";
- pidFile = "${runtimeDir}/${pool}.pid";
- sockFile = "${runtimeDir}/${pool}.sock";
- in
- {
- name = "php-fpm-pool-${pool}";
-
- value.service = {
- description = "PHP-FPM process manager for pool '${pool}'";
- after = [ "network.target" ];
-
- confinement.enable = true;
-
- serviceConfig = {
- Type = "notify";
- ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
- PIDFile = pidFile;
-
- Environment = "FPM_SOCKETS=${sockFile}=3";
-
- ExecStart =
- let
- fpmConfig = configFile {
- inherit pool poolOpts runtimeDir sockFile pidFile;
- };
- in
- "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}";
-
- PrivateTmp = true;
- PrivateNetwork = true;
- PrivateDevices = true;
- # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
- RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
-
- User = poolOpts.user;
- Group = poolOpts.group;
- RuntimeDirectory = runtimeBase;
-
- BindReadOnlyPaths =
- let
- unveiled = map builtins.toString poolOpts.unveil;
- in
- [ "/run/systemd/journal/socket" ] ++ unveiled;
- };
- };
+ config.systemd = let
+ php-fpm = "${pkgs.php}/bin/php-fpm";
+
+ unitsFor = pool: poolOpts: let
+ runtimeBase = "php-fpm-isolated/${pool}";
+ runtimeDir = "/run/${runtimeBase}";
+ pidFile = "${runtimeDir}/${pool}.pid";
+ sockFile = "${runtimeDir}/${pool}.sock";
+ in {
+ name = "php-fpm-pool-${pool}";
- value.socket = {
- description = "PHP-FPM socket for pool '${pool}'";
- listenStreams = [ sockFile ];
+ value.service = {
+ description = "PHP-FPM process manager for pool '${pool}'";
+ after = ["network.target"];
- socketConfig = {
- User = poolOpts.user;
- Group = poolOpts.group;
+ confinement.enable = true;
+
+ serviceConfig = {
+ Type = "notify";
+ ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
+ PIDFile = pidFile;
+
+ Environment = "FPM_SOCKETS=${sockFile}=3";
+
+ ExecStart = let
+ fpmConfig = configFile {
+ inherit pool poolOpts runtimeDir sockFile pidFile;
};
- };
+ in "${php-fpm} --nodaemonize --fpm-config ${fpmConfig} --pid ${pidFile}";
+
+ PrivateTmp = true;
+ PrivateNetwork = true;
+ PrivateDevices = true;
+ # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+
+ User = poolOpts.user;
+ Group = poolOpts.group;
+ RuntimeDirectory = runtimeBase;
+
+ BindReadOnlyPaths = let
+ unveiled = map builtins.toString poolOpts.unveil;
+ in
+ ["/run/systemd/journal/socket"] ++ unveiled;
};
+ };
+
+ value.socket = {
+ description = "PHP-FPM socket for pool '${pool}'";
+ listenStreams = [sockFile];
- units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools);
- in
- {
- sockets = mapAttrs (_: unit: unit.socket) units;
- services = mapAttrs (_: unit: unit.service) units;
+ socketConfig = {
+ User = poolOpts.user;
+ Group = poolOpts.group;
+ };
+ };
};
+
+ units = mapAttrs' unitsFor (filterAttrs (_: pool: pool.enable) cfg.pools);
+ in {
+ sockets = mapAttrs (_: unit: unit.socket) units;
+ services = mapAttrs (_: unit: unit.service) units;
+ };
}
diff --git a/sys/web/sites/home.nix b/sys/web/sites/home.nix
index 616bf94..fed9b84 100644
--- a/sys/web/sites/home.nix
+++ b/sys/web/sites/home.nix
@@ -1,9 +1,12 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ ...
+}:
with lib; let
cfg = config.local.web.sites.home;
inherit (config.local) domains;
-in
-{
+in {
options.local.web.sites.home = {
enable = mkEnableOption "home site";
@@ -15,7 +18,7 @@ in
config = mkIf cfg.enable {
local.web = {
enable = mkDefault true;
- ownedCerts = [ "home" ];
+ ownedCerts = ["home"];
};
services.nginx.virtualHosts.${domains.home.main} = {
diff --git a/sys/web/sites/host.nix b/sys/web/sites/host.nix
index 32ef1a6..ea6cc23 100644
--- a/sys/web/sites/host.nix
+++ b/sys/web/sites/host.nix
@@ -1,4 +1,8 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ ...
+}:
with lib; let
cfg = config.local.web.sites.host;
@@ -10,15 +14,15 @@ with lib; let
hostDomainName = "host-${hostname}";
userCerts = flatten (flatten (mapAttrsToList
- (name: user: map
+ (name: user:
+ map
(cert: {
fprint = config.local.pki.byPath.${cert}.fingerprint.sha1-lower;
inherit name;
})
user.mail.certs)
users));
-in
-{
+in {
options.local.web.sites.host = {
enable = mkEnableOption "host site, restricted to per-user client certs";
};
@@ -26,7 +30,7 @@ in
config = mkIf cfg.enable {
local.web = {
enable = mkDefault true;
- ownedCerts = [ hostDomainName ];
+ ownedCerts = [hostDomainName];
};
services = {
@@ -53,31 +57,36 @@ in
#}
'';
- locations = {
- "/".return = 403;
- } // concatMapAttrs
- (name: user:
- let
- userLocation = config: {
- extraConfig = ''
+ locations =
+ {
+ "/".return = 403;
+ }
+ // concatMapAttrs
+ (name: user: let
+ userLocation = config: {
+ extraConfig =
+ ''
if ($host_user_from_fprint != "${name}") {
return 403;
}
- '' + config;
- };
+ ''
+ + config;
+ };
- userLocations = {
+ userLocations =
+ {
"/${name}" = ''
return 404;
'';
- } // optionalAttrs user.mail.dav {
+ }
+ // optionalAttrs user.mail.dav {
"/${name}/dav" = ''
proxy_pass http://unix:/run/host-www/${name}/dav.sock;
'';
};
- in
+ in
mapAttrs (_: userLocation) userLocations)
- (filterAttrs (_: user: user.mail.certs != [ ]) users);
+ (filterAttrs (_: user: user.mail.certs != []) users);
};
};
};
@@ -85,13 +94,13 @@ in
systemd.tmpfiles.settings."10-run-host-www" =
concatMapAttrs
- (name: _: {
- "/run/host-www/${name}".d = {
- mode = "0750";
- user = name;
- group = "nginx";
- };
- })
- users;
+ (name: _: {
+ "/run/host-www/${name}".d = {
+ mode = "0750";
+ user = name;
+ group = "nginx";
+ };
+ })
+ users;
};
}
diff --git a/sys/web/sites/portal.nix b/sys/web/sites/portal.nix
index 2365ba1..fe96cfb 100644
--- a/sys/web/sites/portal.nix
+++ b/sys/web/sites/portal.nix
@@ -1,9 +1,12 @@
-{ config, lib, ... }:
+{
+ config,
+ lib,
+ ...
+}:
with lib; let
cfg = config.local.web.sites.portal;
inherit (config.local) domains;
-in
-{
+in {
options.local.web.sites.portal = {
enable = mkEnableOption "public non-fqdn portal";
};
@@ -11,7 +14,7 @@ in
config = mkIf cfg.enable {
local.web = {
enable = mkDefault true;
- ownedCerts = [ "host" "exdev" ];
+ ownedCerts = ["host" "exdev"];
defaultACMEHost = domains.host.main;
};
@@ -19,13 +22,13 @@ in
${domains.host.www} = {
forceSSL = true;
useACMEHost = domains.host.main;
- serverAliases = [ domains.host.main ];
+ serverAliases = [domains.host.main];
};
${domains.exdev.main} = {
forceSSL = true;
useACMEHost = domains.exdev.main;
- serverAliases = [ domains.exdev.www ];
+ serverAliases = [domains.exdev.www];
locations."/fsociety".return = "301 https://meet.posixlycorrect.com/%C6%92%C6%A8%C5%8F%C4%8B%D3%80%C9%99%CF%AE%D0%A3";
};