summaryrefslogtreecommitdiffstats
path: root/lass/3modules
diff options
context:
space:
mode:
Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/bitlbee.nix153
-rw-r--r--lass/3modules/default.nix3
-rw-r--r--lass/3modules/dnsmasq.nix7
-rw-r--r--lass/3modules/go.nix61
-rw-r--r--lass/3modules/owncloud_nginx.nix215
-rw-r--r--lass/3modules/static_nginx.nix49
-rw-r--r--lass/3modules/wordpress_nginx.nix239
7 files changed, 504 insertions, 223 deletions
diff --git a/lass/3modules/bitlbee.nix b/lass/3modules/bitlbee.nix
deleted file mode 100644
index 8ce560146..000000000
--- a/lass/3modules/bitlbee.nix
+++ /dev/null
@@ -1,153 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-
-let
-
- inherit (lib)
- mkIf
- mkOption
- types
- singleton
- ;
-
- authModeCheck = v:
- v == "Open" ||
- v == "Closed" ||
- v == "Registered"
- ;
-
- bitlbeeConfig = pkgs.writeText "bitlbee.conf" ''
- [settings]
- RunMode = Daemon
- User = bitlbee
- ConfigDir = ${cfg.configDir}
- DaemonInterface = ${cfg.interface}
- DaemonPort = ${toString cfg.portNumber}
- AuthMode = ${cfg.authMode}
- ${lib.optionalString (cfg.hostName != "") "HostName = ${cfg.hostName}"}
- ${lib.optionalString (cfg.protocols != "") "Protocols = ${cfg.protocols}"}
- ${cfg.extraSettings}
-
- [defaults]
- ${cfg.extraDefaults}
- '';
-
- cfg = config.lass.bitlbee;
-
- out = {
- options.lass.bitlbee = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkOption {
- default = false;
- description = ''
- Whether to run the BitlBee IRC to other chat network gateway.
- Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat
- networks via an IRC client.
- '';
- };
-
- interface = mkOption {
- default = "127.0.0.1";
- description = ''
- The interface the BitlBee deamon will be listening to. If `127.0.0.1',
- only clients on the local host can connect to it; if `0.0.0.0', clients
- can access it from any network interface.
- '';
- };
-
- portNumber = mkOption {
- default = 6667;
- description = ''
- Number of the port BitlBee will be listening to.
- '';
- };
-
- authMode = mkOption {
- default = "Open";
- type = types.addCheck types.str authModeCheck;
- description = ''
- The following authentication modes are available:
- Open -- Accept connections from anyone, use NickServ for user authentication.
- Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all.
- Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself.
- '';
- };
-
- hostName = mkOption {
- default = "";
- type = types.str;
- description = ''
- Normally, BitlBee gets a hostname using getsockname(). If you have a nicer
- alias for your BitlBee daemon, you can set it here and BitlBee will identify
- itself with that name instead.
- '';
- };
-
- configDir = mkOption {
- default = "/var/lib/bitlbee";
- type = types.path;
- description = ''
- Specify an alternative directory to store all the per-user configuration
- files.
- '';
- };
-
- protocols = mkOption {
- default = "";
- type = types.str;
- description = ''
- This option allows to remove the support of protocol, even if compiled
- in. If nothing is given, there are no restrictions.
- '';
- };
-
- extraSettings = mkOption {
- default = "";
- description = ''
- Will be inserted in the Settings section of the config file.
- '';
- };
-
- extraDefaults = mkOption {
- default = "";
- description = ''
- Will be inserted in the Default section of the config file.
- '';
- };
-
- bitlbeePkg = mkOption {
- default = pkgs.bitlbee;
- description = ''
- the bitlbee pkg to use.
- '';
- };
- };
-
- imp = {
- users.extraUsers = singleton {
- name = "bitlbee";
- uid = config.ids.uids.bitlbee;
- description = "BitlBee user";
- home = "/var/lib/bitlbee";
- createHome = true;
- };
-
- users.extraGroups = singleton {
- name = "bitlbee";
- gid = config.ids.gids.bitlbee;
- };
-
- systemd.services.bitlbee = {
- description = "BitlBee IRC to other chat networks gateway";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig.User = "bitlbee";
- serviceConfig.ExecStart = "${cfg.bitlbeePkg}/sbin/bitlbee -F -n -c ${bitlbeeConfig}";
- };
- };
-
-in
-out
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index b081dc3cc..0dcad971c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -2,12 +2,11 @@ _:
{
imports = [
./xresources.nix
- ./bitlbee.nix
./folderPerms.nix
- ./go.nix
./newsbot-js.nix
./per-user.nix
./urxvtd.nix
./xresources.nix
+ ./wordpress_nginx.nix
];
}
diff --git a/lass/3modules/dnsmasq.nix b/lass/3modules/dnsmasq.nix
index 99c165479..83a9cb180 100644
--- a/lass/3modules/dnsmasq.nix
+++ b/lass/3modules/dnsmasq.nix
@@ -25,13 +25,6 @@ let
configFile = pkgs.writeText "dnsmasq.conf" cfg.config;
imp = {
- #users.extraUsers.go = {
- # name = "go";
- # uid = 42774411; #genid go
- # description = "go url shortener user";
- # home = "/var/lib/go";
- # createHome = true;
- #};
systemd.services.dnsmasq = {
description = "dnsmasq";
diff --git a/lass/3modules/go.nix b/lass/3modules/go.nix
deleted file mode 100644
index aa900f118..000000000
--- a/lass/3modules/go.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with builtins;
-with lib;
-
-let
- cfg = config.lass.go;
-
- out = {
- options.lass.go = api;
- config = mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "Enable go url shortener";
- port = mkOption {
- type = types.str;
- default = "1337";
- description = "on which port go should run on";
- };
- redisKeyPrefix = mkOption {
- type = types.str;
- default = "go:";
- description = "change the Redis key prefix which defaults to `go:`";
- };
- };
-
- imp = {
- users.extraUsers.go = {
- name = "go";
- uid = 42774411; #genid go
- description = "go url shortener user";
- home = "/var/lib/go";
- createHome = true;
- };
-
- systemd.services.go = {
- description = "go url shortener";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- path = with pkgs; [
- go
- ];
-
- environment = {
- PORT = cfg.port;
- REDIS_KEY_PREFIX = cfg.redisKeyPrefix;
- };
-
- restartIfChanged = true;
-
- serviceConfig = {
- User = "go";
- Restart = "always";
- ExecStart = "${pkgs.go}/bin/go";
- };
- };
- };
-
-in out
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
new file mode 100644
index 000000000..a0db87b0b
--- /dev/null
+++ b/lass/3modules/owncloud_nginx.nix
@@ -0,0 +1,215 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.lass.owncloud;
+
+ out = {
+ options.lass.owncloud = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ type = with types; attrsOf (submodule ({ config, ... }: {
+ options = {
+ domain = mkOption {
+ type = str;
+ default = config._module.args.name;
+ };
+ dataDir = mkOption {
+ type = str;
+ default = "${config.folder}/data";
+ };
+ dbUser = mkOption {
+ type = str;
+ default = replaceStrings ["."] ["_"] config.domain;
+ };
+ dbName = mkOption {
+ type = str;
+ default = replaceStrings ["."] ["_"] config.domain;
+ };
+ dbType = mkOption {
+ # TODO: check for valid dbType
+ type = str;
+ default = "mysql";
+ };
+ folder = mkOption {
+ type = str;
+ default = "/srv/http/${config.domain}";
+ };
+ auto = mkOption {
+ type = bool;
+ default = false;
+ };
+ instanceid = mkOption {
+ type = str;
+ };
+ ssl = mkOption {
+ type = bool;
+ default = false;
+ };
+ };
+ }));
+ default = {};
+ };
+
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+
+ imp = {
+ krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
+ server-names = [
+ "${domain}"
+ "www.${domain}"
+ ];
+ locations = [
+ (nameValuePair "/" ''
+ # The following 2 rules are only needed with webfinger
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+ rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
+
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+
+ try_files $uri $uri/ /index.php;
+ '')
+ (nameValuePair "~ \.php$" ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_pass unix:${folder}/phpfpm.pool;
+ '')
+ (nameValuePair "~ /\\." ''
+ deny all;
+ '')
+ ];
+ extraConfig = ''
+ root ${folder}/;
+ #index index.php;
+ access_log /tmp/nginx_acc.log;
+ error_log /tmp/nginx_err.log;
+
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+ rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+ rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+ '';
+ });
+ services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
+ listen = ${folder}/phpfpm.pool
+ user = ${user}
+ group = ${group}
+ pm = dynamic
+ pm.max_children = 5
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ listen.owner = ${user}
+ listen.group = ${group}
+ # errors to journal
+ php_admin_value[error_log] = 'stderr'
+ php_admin_flag[log_errors] = on
+ catch_workers_output = yes
+ '');
+ #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
+ # name = "owncloudInit-${name}";
+ # value = {
+ # path = [
+ # pkgs.mysql
+ # pkgs.su
+ # pkgs.gawk
+ # pkgs.jq
+ # ];
+ # requiredBy = [ "nginx.service" ];
+ # serviceConfig = let
+ # php.define = name: value:
+ # "define(${php.newdoc name}, ${php.newdoc value});";
+ # php.toString = x:
+ # "'${x}'";
+ # php.newdoc = s:
+ # let b = "EOF${builtins.hashString "sha256" s}"; in
+ # ''<<<'${b}'
+ # ${s}
+ # ${b}
+ # '';
+ # in {
+ # Type = "oneshot";
+ # ExecStart = pkgs.writeScript "wordpressInit" ''
+ # #!/bin/sh
+ # set -euf
+ # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
+ # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
+ # get_secret() {
+ # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
+ # }
+ # to_php_string() {
+ # echo "base64_decode('$(base64)')"
+ # }
+ # {
+ # cat ${toString <secrets/mysql_rootPassword>}
+ # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
+ # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
+ # # TODO as package pkgs.sqlHashPassword
+ # # TODO not using mysql
+ # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
+ # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
+ # user=${shell.escape dbUser}@localhost
+ # database=${shell.escape dbName}
+ # cat << EOF
+ # CREATE DATABASE IF NOT EXISTS $database;
+ # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
+ # GRANT ALL PRIVILEGES ON $database.* TO $user;
+ # FLUSH PRIVILEGES;
+ # EOF
+ # } | mysql -u root -p
+ # # TODO nix2php for wp-config.php
+ # mkdir -p ${folder}/config
+ # cat > ${folder}/config/config.php << EOF
+ # <?php
+ # \$CONFIG = array (
+ # 'dbhost' => 'localhost',
+ # 'dbtableprefix' => 'oc_',
+ # 'dbpassword' => '$db_password',
+ # 'installed' => 'true',
+ # 'trusted_domains' =>
+ # array (
+ # 0 => '${domain}',
+ # ),
+ # 'overwrite.cli.url' => 'http://${domain}',
+
+ # ${concatStringsSep "\n" (mapAttrsToList (name: value:
+ # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
+ # ) {
+ # instanceid = instanceid;
+ # datadirectory = dataDir;
+ # dbtype = dbType;
+ # dbname = dbName;
+ # dbuser = dbUser;
+ # })}
+
+ # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
+ # "secret"
+ # "passwordsalt"
+ # ]}
+ # );
+ # EOF
+ # '';
+ # };
+ # };
+ #});
+ users.users.nobody_oc = {
+ uid = 1651469147; # genid nobody_oc
+ useDefaultShell = true;
+ };
+ };
+
+in out
diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix
new file mode 100644
index 000000000..cc2641af2
--- /dev/null
+++ b/lass/3modules/static_nginx.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.lass.staticPage;
+
+ out = {
+ options.lass.staticPage = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ type = with types; attrsOf (submodule ({ config, ... }: {
+ options = {
+ domain = mkOption {
+ type = str;
+ default = config._module.args.name;
+ };
+ folder = mkOption {
+ type = str;
+ default = "/srv/http/${config.domain}";
+ };
+ };
+ }));
+ default = {};
+ };
+
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+
+ imp = {
+ krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
+ server-names = [
+ "${domain}"
+ "www.${domain}"
+ ];
+ locations = [
+ (nameValuePair "/" ''
+ root ${folder};
+ '')
+ (nameValuePair "~ /\\." ''
+ deny all;
+ '')
+ ];
+ });
+ };
+
+in out
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
new file mode 100644
index 000000000..2f31f6e02
--- /dev/null
+++ b/lass/3modules/wordpress_nginx.nix
@@ -0,0 +1,239 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.lass.wordpress;
+
+ out = {
+ options.lass.wordpress = api;
+ config = imp;
+ };
+
+ api = mkOption {
+ type = with types; attrsOf (submodule ({ config, ... }: {
+ options = {
+ domain = mkOption {
+ type = str;
+ default = config._module.args.name;
+ };
+ dbUser = mkOption {
+ type = str;
+ default = replaceStrings ["."] ["_"] config.domain;
+ };
+ dbName = mkOption {
+ type = str;
+ default = replaceStrings ["."] ["_"] config.domain;
+ };
+ folder = mkOption {
+ type = str;
+ default = "/srv/http/${config.domain}";
+ };
+ auto = mkOption {
+ type = bool;
+ default = false;
+ };
+ charset = mkOption {
+ type = str;
+ default = "utf8mb4";
+ };
+ collate = mkOption {
+ type = str;
+ default = "";
+ };
+ debug = mkOption {
+ type = bool;
+ default = false;
+ };
+ multiSite = mkOption {
+ type = attrsOf str;
+ default = {};
+ example = {
+ "0" = "bla.testsite.de";
+ "1" = "test.testsite.de";
+ };
+ };
+ };
+ }));
+ default = {};
+ };
+
+ user = config.services.nginx.user;
+ group = config.services.nginx.group;
+
+ imp = {
+ #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
+ # map $http_host $blogid {
+ # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
+ # }
+ #'';
+
+ krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: {
+ server-names = [
+ "${domain}"
+ "www.${domain}"
+ ];
+ #(mkIf (multiSite != {})
+ #)
+ locations = (if (multiSite != {}) then
+ [
+ (nameValuePair "~ ^/files/(.*)$" ''
+ try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
+ '')
+ (nameValuePair "^~ /blogs.dir" ''
+ internal;
+ alias ${folder}/wp-content/blogs.dir ;
+ access_log off; log_not_found off; expires max;
+ '')
+ ]
+ else
+ []
+ ) ++
+ [
+ (nameValuePair "/" ''
+ try_files $uri $uri/ /index.php?$args;
+ '')
+ (nameValuePair "~ \.php$" ''
+ fastcgi_pass unix:${folder}/phpfpm.pool;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ '')
+ (nameValuePair "~ /\\." ''
+ deny all;
+ '')
+ #Directives to send expires headers and turn off 404 error logging.
+ (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
+ access_log off;
+ log_not_found off;
+ expires max;
+ '')
+ ];
+ extraConfig = ''
+ root ${folder}/;
+ index index.php;
+ access_log /tmp/nginx_acc.log;
+ error_log /tmp/nginx_err.log;
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ '';
+ });
+ services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
+ listen = ${folder}/phpfpm.pool
+ user = ${user}
+ group = ${group}
+ pm = dynamic
+ pm.max_children = 5
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ listen.owner = ${user}
+ listen.group = ${group}
+ # errors to journal
+ php_admin_value[error_log] = 'stderr'
+ php_admin_flag[log_errors] = on
+ catch_workers_output = yes
+ '');
+ systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
+ name = "wordpressInit-${name}";
+ value = {
+ path = [
+ pkgs.mysql
+ pkgs.su
+ pkgs.gawk
+ pkgs.jq
+ ];
+ requiredBy = [ "nginx.service" ];
+ serviceConfig = let
+ php.define = name: value:
+ "define(${php.newdoc name}, ${php.newdoc value});";
+ php.toString = x:
+ "'${x}'";
+ php.newdoc = s:
+ let b = "EOF${builtins.hashString "sha256" s}"; in
+ ''<<<'${b}'
+ ${s}
+ ${b}
+ '';
+ in {
+ Type = "oneshot";
+ ExecStart = pkgs.writeScript "wordpressInit" ''
+ #!/bin/sh
+ set -euf
+ wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
+ db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
+ get_secret() {
+ echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
+ }
+ to_php_string() {
+ echo "base64_decode('$(base64)')"
+ }
+ {
+ cat ${toString <secrets/mysql_rootPassword>}
+ password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
+ # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
+ # TODO as package pkgs.sqlHashPassword
+ # TODO not using mysql
+ # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
+ passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
+ user=${shell.escape dbUser}@localhost
+ database=${shell.escape dbName}
+ cat << EOF
+ CREATE DATABASE IF NOT EXISTS $database;
+ GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
+ GRANT ALL PRIVILEGES ON $database.* TO $user;
+ FLUSH PRIVILEGES;
+ EOF
+ } | mysql -u root -p
+ # TODO nix2php for wp-config.php
+ cat > ${folder}/wp-config.php << EOF
+ <?php
+ define('DB_PASSWORD', '$db_password');
+ define('DB_HOST', 'localhost');
+
+ ${concatStringsSep "\n" (mapAttrsToList (name: value:
+ "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
+ ) {
+ DB_NAME = dbName;
+ DB_USER = dbUser;
+ DB_CHARSET = charset;
+ DB_COLLATE = collate;
+ })}
+
+ ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
+ "AUTH_KEY"
+ "SECURE_AUTH_KEY"
+ "LOGGED_IN_KEY"
+ "NONCE_KEY"
+ "AUTH_SALT"
+ "SECURE_AUTH_SALT"
+ "LOGGED_IN_SALT"
+ "NONCE_SALT"
+ ]}
+
+ \$table_prefix = 'wp_';
+
+ ${if (multiSite != {}) then
+ "define('WP_ALLOW_MULTISITE', true);"
+ else
+ ""
+ }
+
+ define('WP_DEBUG', ${toJSON debug});
+ if ( !defined('ABSPATH') )
+ define('ABSPATH', dirname(__FILE__) . '/');
+
+ /** Sets up WordPress vars and included files. */
+ require_once(ABSPATH . 'wp-settings.php');
+ EOF
+ '';
+ };
+ };
+ });
+ users.users.nobody2 = mkDefault {
+ uid = mkDefault 125816384; # genid nobody2
+ useDefaultShell = mkDefault true;
+ };
+ };
+
+ indent = replaceChars ["\n"] ["\n "];
+
+in out