-rw-r--r--krebs/3modules/lass/default.nix1
-rw-r--r--krebs/3modules/realwallpaper.nix2
-rw-r--r--krebs/5pkgs/git-hooks/default.nix64
-rw-r--r--krebs/5pkgs/irc-announce/default.nix68
-rw-r--r--lass/1systems/mors.nix150
-rw-r--r--lass/1systems/prism.nix29
-rw-r--r--lass/2configs/binary-cache/server.nix10
-rw-r--r--lass/2configs/downloading.nix5
-rw-r--r--lass/2configs/go.nix16
-rw-r--r--lass/2configs/hfos.nix33
-rw-r--r--lass/2configs/libvirt.nix43
-rw-r--r--lass/2configs/nixpkgs.nix4
-rw-r--r--lass/2configs/radio.nix12
-rw-r--r--lass/2configs/realwallpaper.nix12
-rw-r--r--lass/2configs/tests/dummy-secrets/torrent-auth3
-rw-r--r--lass/2configs/tests/dummy-secrets/torrent-authfile1
-rw-r--r--lass/2configs/websites/domsen.nix13
-rw-r--r--lass/2configs/websites/fritz.nix18
-rw-r--r--lass/2configs/websites/lassulus.nix97
-rw-r--r--lass/2configs/websites/util.nix203
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/owncloud_nginx.nix210
-rw-r--r--lass/3modules/wordpress_nginx.nix265
23 files changed, 438 insertions, 822 deletions
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 2d1819dee..6f79aea0e 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -298,6 +298,7 @@ with import <stockholm/lib>;
'';
};
};
+ secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
};
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 1564bd94a..f9eae8c92 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -24,7 +24,7 @@ let
daymap = mkOption {
type = types.str;
- default = "http://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
+ default = "https://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
};
cloudmap = mkOption {
diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/git-hooks/default.nix
index 6f2cb8b6a..9355a878c 100644
--- a/krebs/5pkgs/git-hooks/default.nix
+++ b/krebs/5pkgs/git-hooks/default.nix
@@ -108,67 +108,5 @@ let
fi
'';
- irc-announce-script = pkgs.writeDash "irc-announce-script" ''
- set -euf
-
- export PATH=${makeSearchPath "bin" (with pkgs; [
- coreutils
- gawk
- gnused
- netcat
- nettools
- ])}
-
- IRC_SERVER=$1
- IRC_PORT=$2
- IRC_NICK=$3$$
- IRC_CHANNEL=$4
- message=$5
-
- export IRC_CHANNEL # for privmsg_cat
-
- # echo2 and cat2 are used output to both, stdout and stderr
- # This is used to see what we send to the irc server. (debug output)
- echo2() { echo "$*"; echo "$*" >&2; }
- cat2() { tee /dev/stderr; }
-
- # privmsg_cat transforms stdin to a privmsg
- privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
-
- # ircin is used to feed the output of netcat back to the "irc client"
- # so we can implement expect-like behavior with sed^_^
- # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
- tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
- cd "$tmpdir"
- mkfifo ircin
- trap "
- rm ircin
- cd '$OLDPWD'
- rmdir '$tmpdir'
- trap - EXIT INT QUIT
- " EXIT INT QUIT
-
- {
- echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
- echo2 "NICK $IRC_NICK"
-
- # wait for MODE message
- sed -n '/^:[^ ]* MODE /q'
-
- echo2 "JOIN $IRC_CHANNEL"
-
- printf '%s' "$message" \
- | privmsg_cat \
- | cat2
-
- echo2 "PART $IRC_CHANNEL"
-
- # wait for PART confirmation
- sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
-
- echo2 'QUIT :Gone to have lunch'
- } < ircin \
- | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
- '';
-
+ irc-announce-script = "${pkgs.irc-announce}/bin/irc-announce";
in out
diff --git a/krebs/5pkgs/irc-announce/default.nix b/krebs/5pkgs/irc-announce/default.nix
new file mode 100644
index 000000000..af6b35ec6
--- /dev/null
+++ b/krebs/5pkgs/irc-announce/default.nix
@@ -0,0 +1,68 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+pkgs.writeDashBin "irc-announce" ''
+ set -euf
+
+ export PATH=${makeSearchPath "bin" (with pkgs; [
+ coreutils
+ gawk
+ gnused
+ netcat
+ nettools
+ ])}
+
+ IRC_SERVER=$1
+ IRC_PORT=$2
+ IRC_NICK=$3$$
+ IRC_CHANNEL=$4
+ message=$5
+
+ export IRC_CHANNEL # for privmsg_cat
+
+ # echo2 and cat2 are used output to both, stdout and stderr
+ # This is used to see what we send to the irc server. (debug output)
+ echo2() { echo "$*"; echo "$*" >&2; }
+ cat2() { tee /dev/stderr; }
+
+ # privmsg_cat transforms stdin to a privmsg
+ privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
+
+ # we cd to /tmp here to be able to create a tmpdir in the first place
+ cd /tmp
+ # ircin is used to feed the output of netcat back to the "irc client"
+ # so we can implement expect-like behavior with sed^_^
+ # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
+ tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
+ cd "$tmpdir"
+ mkfifo ircin
+ trap "
+ rm ircin
+ cd '$OLDPWD'
+ rmdir '$tmpdir'
+ trap - EXIT INT QUIT
+ " EXIT INT QUIT
+
+ {
+ echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
+ echo2 "NICK $IRC_NICK"
+
+ # wait for MODE message
+ sed -n '/^:[^ ]* MODE /q'
+
+ echo2 "JOIN $IRC_CHANNEL"
+
+ printf '%s' "$message" \
+ | privmsg_cat \
+ | cat2
+
+ echo2 "PART $IRC_CHANNEL"
+
+ # wait for PART confirmation
+ sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
+
+ echo2 'QUIT :Gone to have lunch'
+ } < ircin \
+ | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
+''
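Review bot: `echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"` reads `$LOGNAME` under `set -euf`, so when the script is started from a context that does not export it — the new `services.graphite.beacon` cli handler in mors.nix is one likely caller — it aborts before connecting; a line such as `LOGNAME=${LOGNAME:-irc-announce}` next to the positional-argument assignments makes that explicit. The session also has no timeout anywhere: `sed -n '/^:[^ ]* MODE /q'`, the PART wait and the `nc` pipeline all block indefinitely, so an unreachable or silent server hangs the calling git hook or alert handler for good; `nc -w` with a few seconds, or wrapping the whole call in coreutils' `timeout`, bounds that. The text in `$5` is split per line by `privmsg_cat`, which handles newlines, but a bare carriage return inside a line is passed through verbatim and IRC servers commonly treat it as a line terminator, so piping through `tr -d '\r'` before `privmsg_cat` keeps caller-supplied text from ending a PRIVMSG early. This is a new file, so the whole script is in view.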
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 4553cc15b..3498f662b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -17,7 +17,6 @@ with import <stockholm/lib>;
../2configs/steam.nix
../2configs/wine.nix
../2configs/git.nix
- ../2configs/skype.nix
../2configs/libvirt.nix
../2configs/fetchWallpaper.nix
#../2configs/c-base.nix
@@ -66,20 +65,18 @@ with import <stockholm/lib>;
};
}
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.default = {
- server-names = [
+ virtualHosts.default = {
+ serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r"
"${config.krebs.build.host.name}.retiolum"
];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
}
@@ -89,6 +86,137 @@ with import <stockholm/lib>;
{
virtualisation.libvirtd.enable = true;
}
+ {
+ services.nginx = {
+ enable = mkDefault true;
+ virtualHosts = {
+ "stats.mors" = {
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:3000/";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+ addr = "127.0.0.1";
+ users.allowSignUp = false;
+ users.allowOrgCreate = false;
+ users.autoAssignOrg = false;
+ auth.anonymous.enable = true;
+ security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ };
+
+ services.graphite = {
+ api = {
+ enable = true;
+ listenAddress = "127.0.0.1";
+ port = 18080;
+ };
+ carbon = {
+ enableCache = true;
+ # save disk usage by restricting to 1 bulk update per second
+ config = ''
+ [cache]
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1
+ MAX_CREATES_PER_MINUTE = 500
+ '';
+ storageSchemas = ''
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [elchos]
+ patterhn = ^elchos\.
+ retentions = 10s:30d,60s:3y
+
+ [default]
+ pattern = .*
+ retentions = 30s:30d,300s:1y
+ '';
+ };
+ };
+
+ services.collectd = {
+ enable = true;
+ include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
+ LoadPlugin write_graphite
+ <Plugin "write_graphite">
+ <Carbon>
+ Host "localhost"
+ Port "2003"
+ EscapeCharacter "_"
+ StoreRates false
+ AlwaysAppendDS false
+ </Carbon>
+ </Plugin>
+ ''))
+ ];
+ extraConfig = ''
+ LoadPlugin interface
+ LoadPlugin battery
+ LoadPlugin load
+ LoadPlugin cpu
+ LoadPlugin entropy
+ LoadPlugin write_graphite
+ <Plugin "interface">
+ Interface "et0"
+ Interface "wl0"
+ Interface "retiolum"
+ </Plugin>
+ '';
+ };
+ services.graphite.beacon = {
+ enable = true;
+ config = {
+ graphite_url = "http://localhost:18080";
+ cli = {
+ command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
+ };
+ smtp = {
+ from = "beacon@mors.r";
+ to = [
+ "lass@mors.r"
+ ];
+ };
+ normal_handlers = [
+ "smtp"
+ "cli"
+ ];
+ warning_handlers = [
+ "smtp"
+ "cli"
+ ];
+ critical_handlers = [
+ "smtp"
+ "cli"
+ ];
+ alerts = [
+ {
+ name = "testbattery";
+ query = "*.battery-0.capacity";
+ method = "last_value";
+ interval = "1minute";
+ logging = "info";
+ repeat_interval = "5minute";
+ rules = [
+ "warning: < 30.0"
+ "critical: < 10.0"
+ ];
+ }
+ ];
+ };
+ };
+ }
];
krebs.build.host = config.krebs.hosts.mors;
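Review bot: `patterhn = ^elchos\.` in the `[elchos]` section of `storageSchemas` is misspelled, so that section has no `pattern` key and the intended `10s:30d,60s:3y` retention never applies to elchos metrics (carbon presumably logs an error for the section and skips it); it should read `pattern = ^elchos\.`. The trailing comment on `security = import <secrets/grafana_security.nix>;` spells the key `AdminUser`, while the grafana option is `adminUser`; if the secret file was written from that comment the admin account will not be configured, so the comment should be corrected to `# { adminUser = ""; adminPassword = ""; }`. The enclosing imports list starts and ends outside this hunk.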
@@ -238,8 +366,4 @@ with import <stockholm/lib>;
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
-
- services.mongodb = {
- enable = true;
- };
}
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 6c11a2f62..39026d102 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -24,6 +24,8 @@ in {
../2configs/repo-sync.nix
../2configs/binary-cache/server.nix
../2configs/iodined.nix
+ ../2configs/libvirt.nix
+ ../2configs/hfos.nix
{
users.extraGroups = {
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@@ -178,11 +180,9 @@ in {
imports = [
../2configs/realwallpaper.nix
];
- krebs.nginx.servers."lassul.us".locations = [
- (lib.nameValuePair "/wallpaper.png" ''
- alias /tmp/wallpaper.png;
- '')
- ];
+ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+ alias /tmp/wallpaper.png;
+ '';
}
{
environment.systemPackages = with pkgs; [
@@ -202,16 +202,13 @@ in {
};
}
{
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.public = {
- listen = [ "8088" ];
- server-names = [ "default" ];
- locations = [
- (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
- alias /home/$1/public_html$2;
- '')
- ];
+ virtualHosts.public = {
+ port = 8088;
+ locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+ alias /home/$1/public_html$2;
+ '';
};
};
krebs.iptables.tables.filter.INPUT.rules = [
@@ -228,10 +225,6 @@ in {
enable = true;
};
}
- {
- virtualisation.libvirtd.enable = true;
- users.users.mainUser.extraGroups = [ "libvirtd" ];
- }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 22ec04307..991bbeb54 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -17,13 +17,13 @@
owner.name = "nix-serve";
source-path = toString <secrets> + "/nix-serve.key";
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.nix-serve = {
- server-names = [ "cache.prism.r" ];
- locations = lib.singleton (lib.nameValuePair "/" ''
+ virtualHosts.nix-serve = {
+ serverAliases = [ "cache.prism.r" ];
+ locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
- '');
+ '';
};
};
}
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index ca0aded78..27b6d22d5 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -40,9 +40,8 @@ with import <stockholm/lib>;
enable = true;
web = {
enable = true;
- enableAuth = true;
- listenAddress = "9091";
- authfile = <secrets/torrent-authfile>;
+ port = 9091;
+ basicAuth = import <secrets/torrent-auth>;
};
rutorrent.enable = true;
enableXMLRPC = true;
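Review bot: `basicAuth = import <secrets/torrent-auth>;` turns the credentials into an evaluated attrset of user to password (the dummy secret added in this commit is `{ x = "xxx"; }`); if the `web.basicAuth` option is rendered into an htpasswd file or the nginx config by the module, those plaintext passwords land in the Nix store, which is world-readable on the host. The module is outside this diff, so this needs confirming; if it does go through the store, keeping the htpasswd file outside the store and referencing it by path (as the previous `authfile` did) avoids the exposure.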
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index f6ddbe96d..8e31f050f 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -8,16 +8,14 @@ with import <stockholm/lib>;
krebs.go = {
enable = true;
};
- krebs.nginx = {
+ services.nginx = {
enable = true;
- servers.go = {
- locations = [
- (nameValuePair "/" ''
- proxy_set_header Host go;
- proxy_pass http://localhost:1337;
- '')
- ];
- server-names = [
+ virtualHosts.go = {
+ locations."/".extraConfig = ''
+ proxy_set_header Host go;
+ proxy_pass http://localhost:1337;
+ '';
+ serverAliases = [
"go"
"go.retiolum"
];
diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix
new file mode 100644
index 000000000..f6f09e226
--- /dev/null
+++ b/lass/2configs/hfos.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+ users.users.riot = {
+ uid = genid "riot";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
+ config.krebs.users.lass.pubkey
+ ];
+ };
+
+ networking.interfaces.et0.ip4 = [
+ {
+ address = "213.239.205.246";
+ prefixLength = 24;
+ }
+ ];
+
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+ ];
+
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ ];
+}
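Review bot: `users.users.riot` is added to `libvirtd`, which in a default libvirt setup grants full control of the system daemon — defining domains with arbitrary host block devices or directories attached — so the account is effectively host-root-equivalent for whoever holds either of the two listed SSH keys; that deserves a comment next to `extraGroups`, e.g. `# libvirtd membership is root-equivalent on this host; the keys above are trusted accordingly`, or a narrower polkit rule if only one guest should be manageable. The first DNAT rule also sends port 22 on 213.239.205.246 to the guest, so SSH to the host itself has to arrive on another address; a comment on that rule would save the next reader a lockout. The FORWARD ACCEPTs match on destination and port only, with no `-i`/`-o` qualifiers; that is presumably fine because the DNAT is the only path to those ports, but it is worth stating.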
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index e739d2f79..a71638323 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -1,23 +1,30 @@
{ config, lib, pkgs, ... }:
-let
- mainUser = config.users.extraUsers.mainUser;
- inherit (import <stockholm/lib>) genid;
-
-in {
+{
+ users.users.mainUser.extraGroups = [ "libvirtd" ];
virtualisation.libvirtd.enable = true;
- users.extraUsers = {
- libvirt = {
- uid = genid "libvirt";
- description = "user for running libvirt stuff";
- home = "/home/libvirt";
- useDefaultShell = true;
- extraGroups = [ "libvirtd" "audio" ];
- createHome = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
- '';
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ ];
+ krebs.iptables.tables.filter.OUTPUT.rules = [
+ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+ ];
}
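Review bot: The FORWARD list ends with two catch-all `REJECT` entries for `-o virbr0` and `-i virbr0` that carry no `precedence`, while hfos.nix adds its guest-facing ACCEPT rules with `precedence = 1000`; whether those ACCEPTs are emitted before or after the REJECTs depends on how krebs.iptables orders rules by precedence, which is not visible here — worth confirming with `iptables -L FORWARD -n --line-numbers` after a switch and recording the intended order in a comment. Every rule is `v6 = false`, so if the bridge ever carries IPv6 the guests are unfiltered on that family; a one-line comment stating that IPv6 on virbr0 is intentionally out of scope (or matching v6 rules) would make that explicit. `users.users.mainUser.extraGroups = [ "libvirtd" ]` replaces the earlier sudo-to-a-dedicated-libvirt-user scheme with direct daemon access for mainUser, which is a privilege widening worth a sentence in the commit message or a comment.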
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e2bdd5755..6885ef59d 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -2,7 +2,7 @@
{
krebs.build.source.nixpkgs.git = {
- url = https://github.com/nixos/nixpkgs;
- ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905";
+ url = https://github.com/lassulus/nixpkgs;
+ ref = "819c1ab486a9c81d6a6b76c759aedece2df39037";
};
}
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 88e826683..18574471e 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -156,7 +156,7 @@ in {
})
];
};
- krebs.nginx.servers."lassul.us".locations = let
+ services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
html = pkgs.writeText "index.html" ''
<!DOCTYPE html>
<html lang="en">
@@ -175,10 +175,8 @@ in {
</body>
</html>
'';
- in [
- (nameValuePair "/the_playlist" ''
- default_type "text/html";
- alias ${html};
- '')
- ];
+ in ''
+ default_type "text/html";
+ alias ${html};
+ '';
}
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 2ab52ed92..cf9795071 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -9,15 +9,13 @@ let
in {
krebs.realwallpaper.enable = true;
- krebs.nginx.servers.wallpaper = {
- server-names = [
+ services.nginx.virtualHosts.wallpaper = {
+ serverAliases = [
hostname
];
- locations = [
- (nameValuePair "/wallpaper.png" ''
- root /tmp/;
- '')
- ];
+ locations."/wallpaper.png".extraConfig = ''
+ root /tmp/;
+ '';
};
krebs.iptables = {
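Review bot: `root /tmp/;` serves `/wallpaper.png` straight out of the world-writable `/tmp`, and prism.nix's `alias /tmp/wallpaper.png;` in this same commit does the same; any local account can pre-create that file before the writer does and have nginx publish it under the host's name. This is carried over from the old config rather than introduced here, but the migration is the moment to point the location at a directory owned by whichever service writes the image, or at least to document the trade-off with something like `# TODO: /tmp is world-writable; confirm which service writes wallpaper.png and move it to a dedicated directory`.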
diff --git a/lass/2configs/tests/dummy-secrets/torrent-auth b/lass/2configs/tests/dummy-secrets/torrent-auth
new file mode 100644
index 000000000..f167e71f9
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/torrent-auth
@@ -0,0 +1,3 @@
+{
+ x = "xxx";
+}
diff --git a/lass/2configs/tests/dummy-secrets/torrent-authfile b/lass/2configs/tests/dummy-secrets/torrent-authfile
deleted file mode 100644
index 93a8e1fed..000000000
--- a/lass/2configs/tests/dummy-secrets/torrent-authfile
+++ /dev/null
@@ -1 +0,0 @@
-"xxx"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 76e13412b..2bbfe7333 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -35,10 +35,10 @@ in {
(servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
(ssl [ "pixelpocket.de" ])
- (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+ (servePage [ "pixelpocket.de" ])
(ssl [ "o.ubikmedia.de" ])
- (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+ (serveOwncloud [ "o.ubikmedia.de" ])
(ssl [
"ubikmedia.de"
@@ -88,15 +88,12 @@ in {
"www.illucloud.eu"
"www.illucloud.de"
"www.illucloud.com"
- "*.ubikmedia.de"
])
];
- krebs.nginx.servers."ubikmedia.de".locations = [
- (lib.nameValuePair "/piwik" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- ];
+ services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
lass.mysqlBackup.config.all.databases = [
"ubikmedia_de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 52914f444..f9035dd13 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -7,7 +7,6 @@ let
head
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- manageCerts
ssl
servePage
serveWordpress
@@ -26,8 +25,6 @@ let
in {
imports = [
./sqlBackup.nix
- (ssl [ "biostase.de" "www.biostase.de" ])
- (serveWordpress [ "biostase.de" "www.biostase.de" ])
(ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@@ -50,30 +47,17 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
- (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+ (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
];
lass.mysqlBackup.config.all.databases = [
- "biostase_de"
"eastuttgart_de"
"radical_dreamers_de"
"spielwaren_kern_de"
"ttf_kleinaspach_de"
];
- #password protect some dirs
- krebs.nginx.servers."biostase.de".locations = [
- (nameValuePair "/old_biostase.de" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
- '')
- (nameValuePair "/mysqldumper" ''
- auth_basic "Administrator Login";
- auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
- '')
- ];
-
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 29374e97d..cfdda05db 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -14,7 +14,7 @@ in {
security.acme = {
certs."lassul.us" = {
email = "lass@lassul.us";
- webroot = "/var/lib/acme/challenges/lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -26,7 +26,7 @@ in {
};
certs."cgit.lassul.us" = {
email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+ webroot = "/var/lib/acme/acme-challenges";
plugins = [
"account_key.json"
"key.pem"
@@ -69,59 +69,54 @@ in {
"nginx"
];
- krebs.nginx.servers."lassul.us" = {
- server-names = [ "lassul.us" ];
- locations = [
- (nameValuePair "/" ''
- root /srv/http/lassul.us;
- '')
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/lassul.us/;
- '')
- (nameValuePair "= /retiolum-hosts.tar.bz2" ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '')
- (nameValuePair "/tinc" ''
- alias ${config.krebs.tinc_graphs.workingDir}/external;
- '')
- (let
- script = pkgs.writeBash "test" ''
- echo "hello world"
- '';
- #script = pkgs.execve "ddate-wrapper" {
- # filename = "${pkgs.ddate}/bin/ddate";
- # argv = [];
- #};
- in nameValuePair "= /ddate" ''
- gzip off;
- fastcgi_pass unix:/var/run/lass-stuff.socket;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param DOCUMENT_ROOT /var/empty;
- fastcgi_param SCRIPT_FILENAME ${script};
- fastcgi_param SCRIPT_NAME ${script};
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/lassul.us/key.pem";
- };
+ services.nginx.virtualHosts."lassul.us" = {
+ serverAliases = [ "lassul.us" ];
+ locations."/".extraConfig = ''
+ root /srv/http/lassul.us;
+ '';
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/challenges/lassul.us/;
+ '';
+ locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+ alias ${config.krebs.tinc.retiolum.hostsArchive};
+ '';
+ locations."/tinc".extraConfig = ''
+ alias ${config.krebs.tinc_graphs.workingDir}/external;
+ '';
+ locations."= /ddate".extraConfig = let
+ script = pkgs.writeBash "test" ''
+ echo "hello world"
+ '';
+ #script = pkgs.execve "ddate-wrapper" {
+ # filename = "${pkgs.ddate}/bin/ddate";
+ # argv = [];
+ #};
+ in ''
+ gzip off;
+ fastcgi_pass unix:/var/run/lass-stuff.socket;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param DOCUMENT_ROOT /var/empty;
+ fastcgi_param SCRIPT_FILENAME ${script};
+ fastcgi_param SCRIPT_NAME ${script};
+ '';
+
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
- krebs.nginx.servers.cgit = {
- server-names = [
+ services.nginx.virtualHosts.cgit = {
+ serverAliases = [
"cgit.lassul.us"
];
- locations = [
- (nameValuePair "/.well-known/acme-challenge" ''
- root /var/lib/acme/challenges/cgit.lassul.us/;
- '')
- ];
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
- };
+ locations."/.well-known/acme-challenge".extraConfig = ''
+ root /var/lib/acme/acme-challenges;
+ '';
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+ sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 0b2a6faac..6e236ab63 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -4,66 +4,24 @@ with lib;
rec {
- manageCerts = domains:
+ ssl = domains :
let
domain = head domains;
in {
- #security.acme = {
- # certs."${domain}" = {
- # email = "lassulus@gmail.com";
- # webroot = "/var/lib/acme/challenges/${domain}";
- # plugins = [
- # "account_key.json"
- # "key.pem"
- # "fullchain.pem"
- # ];
- # group = "nginx";
- # allowKeysForGroup = true;
- # extraDomains = genAttrs domains (_: null);
- # };
- #};
-
- krebs.nginx.servers."${domain}" = {
- ssl.acmeEnable = true;
- server-names = domains;
- #locations = [
- # (nameValuePair "/.well-known/acme-challenge" ''
- # root /var/lib/acme/challenges/${domain}/;
- # '')
- #];
- };
- };
-
- ssl = domains:
- {
- imports = [
- ( manageCerts domains )
- #( activateACME (head domains) )
- ];
- };
-
- activateACME = domain:
- {
- krebs.nginx.servers.${domain} = {
- ssl = {
- enable = true;
- certificate = "/var/lib/acme/${domain}/fullchain.pem";
- certificate_key = "/var/lib/acme/${domain}/key.pem";
- };
- };
};
servePage = domains:
let
domain = head domains;
in {
- krebs.nginx.servers.${domain} = {
- server-names = domains;
- locations = [
- (nameValuePair "/" ''
- root /srv/http/${domain};
- '')
- ];
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ enableSSL = true;
+ extraConfig = "listen 80;";
+ serverAliases = domains;
+ locations."/".extraConfig = ''
+ root /srv/http/${domain};
+ '';
};
};
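Review bot: `ssl` now evaluates to an empty module: the `let domain = head domains;` binding is unused and the returned attrset is `{ }`, so every `(ssl [ ... ])` import in domsen.nix and fritz.nix is a no-op while certificate issuance has moved into servePage / serveOwncloud / serveWordpress via `enableACME`. Either remove the function together with its call sites, or keep it as an explicit stub with the dead `let` dropped and a comment such as `# ssl is a no-op kept for call-site compatibility; certificates are requested by the serve* helpers via enableACME`. One consequence to double-check: a domain handed only to `ssl` and not to a serve* helper silently gets no certificate now, which I cannot rule out from the call sites visible in this diff.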
@@ -71,9 +29,13 @@ rec {
let
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
+
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -109,56 +71,53 @@ rec {
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
'';
- locations = [
- (nameValuePair "/robots.txt" ''
- allow all;
- log_not_found off;
- access_log off;
- '')
- (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
- deny all;
- '')
-
- (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
- deny all;
- '')
-
- (nameValuePair "/" ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '')
-
- (nameValuePair "~ \.php(?:$|/)" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '')
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- (nameValuePair "~* \.(?:css|js)$" ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- # Optional: Don't log access to assets
- access_log off;
- '')
-
- # Optional: Don't log access to other assets
- (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
- access_log off;
- '')
- ];
+ locations."/robots.txt".extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+ deny all;
+ '';
+
+ locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
+ deny all;
+ '';
+
+ locations."/".extraConfig = ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '';
+
+ locations."~ \.php(?:$|/)".extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '';
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ locations."~* \.(?:css|js)$".extraConfig = ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ '';
+ # Optional: Don't log access to other assets
+ locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+ access_log off;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
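Review bot: Converting the ordered `locations` list into an attrset changes which regex location nginx tries first: if the pinned nginx module emits `locations` via `mapAttrsToList`, they appear in attribute-name order, and `~ \.php(?:$|/)` sorts before `~ ^/(build|tests|config|lib|3rdparty|templates|data)/` and `~ ^/(?:autotest|occ|issue|indie|db_|console)` (backslash sorts before caret), so a request for a `.php` file under one of those paths is handed to php-fpm instead of hitting `deny all`. The comment `# Make sure it is BELOW the location ~ \.php(?:$|/) { block` above the css/js location is likewise no longer something the source order controls and should say that ordering is now by attribute name. Worth checking the generated config with `nginx -T`; if the order is wrong, the deny patterns can be folded into the php location's regex as negative lookaheads so the match is order-independent. The enclosing serveOwncloud definition starts in the previous hunk.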
@@ -183,9 +142,12 @@ rec {
domain = head domains;
in {
- krebs.nginx.servers."${domain}" = {
- server-names = domains;
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ enableSSL = true;
+ serverAliases = domains;
extraConfig = ''
+ listen 80;
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;
@@ -194,24 +156,19 @@ rec {
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
- locations = [
- (nameValuePair "/" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
- #(nameValuePair "~ /\\." ''
- # deny all;
- #'')
- #Directives to send expires headers and turn off 404 error logging.
- (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
- access_log off;
- log_not_found off;
- expires max;
- '')
- ];
+ locations."/".extraConfig = ''
+ try_files $uri $uri/ /index.php?$args;
+ '';
+ locations."~ \.php$".extraConfig = ''
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ '';
+ #Directives to send expires headers and turn off 404 error logging.
+ locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+ access_log off;
+ log_not_found off;
+ expires max;
+ '';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 6588ca0d3..b169fea40 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -8,7 +8,6 @@ _:
./umts.nix
./urxvtd.nix
./usershadow.nix
- ./wordpress_nginx.nix
./xresources.nix
];
}
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
deleted file mode 100644
index 01e07ae66..000000000
--- a/lass/3modules/owncloud_nginx.nix
+++ /dev/null
@@ -1,210 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
- cfg = config.lass.owncloud;
-
- out = {
- options.lass.owncloud = api;
- config = imp;
- };
-
- api = mkOption {
- type = with types; attrsOf (submodule ({ config, ... }: {
- options = {
- domain = mkOption {
- type = str;
- default = config._module.args.name;
- };
- dataDir = mkOption {
- type = str;
- default = "${config.folder}/data";
- };
- dbUser = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- dbName = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- dbType = mkOption {
- # TODO: check for valid dbType
- type = str;
- default = "mysql";
- };
- folder = mkOption {
- type = str;
- default = "/srv/http/${config.domain}";
- };
- auto = mkOption {
- type = bool;
- default = false;
- };
- instanceid = mkOption {
- type = str;
- };
- };
- }));
- default = {};
- };
-
- user = config.services.nginx.user;
- group = config.services.nginx.group;
-
- imp = {
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
- server-names = [
- "${domain}"
- "www.${domain}"
- ];
- locations = [
- (nameValuePair "/" ''
- # The following 2 rules are only needed with webfinger
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
- rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
- rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
-
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
- try_files $uri $uri/ /index.php;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_pass unix:${folder}/phpfpm.pool;
- '')
- (nameValuePair "~ /\\." ''
- deny all;
- '')
- ];
- extraConfig = ''
- root ${folder}/;
- #index index.php;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
-
- # set max upload size
- client_max_body_size 10G;
- fastcgi_buffers 64 4K;
-
- rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
- rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
- rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
-
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
- '';
- });
- services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
- listen = ${folder}/phpfpm.pool
- user = ${user}
- group = ${group}
- pm = dynamic
- pm.max_children = 5
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
- listen.owner = ${user}
- listen.group = ${group}
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '');
- #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
- # name = "owncloudInit-${name}";
- # value = {
- # path = [
- # pkgs.mysql
- # pkgs.su
- # pkgs.gawk
- # pkgs.jq
- # ];
- # requiredBy = [ "nginx.service" ];
- # serviceConfig = let
- # php.define = name: value:
- # "define(${php.newdoc name}, ${php.newdoc value});";
- # php.toString = x:
- # "'${x}'";
- # php.newdoc = s:
- # let b = "EOF${builtins.hashString "sha256" s}"; in
- # ''<<<'${b}'
- # ${s}
- # ${b}
- # '';
- # in {
- # Type = "oneshot";
- # ExecStart = pkgs.writeScript "wordpressInit" ''
- # #!/bin/sh
- # set -euf
- # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
- # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
- # get_secret() {
- # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
- # }
- # to_php_string() {
- # echo "base64_decode('$(base64)')"
- # }
- # {
- # cat ${toString <secrets/mysql_rootPassword>}
- # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
- # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
- # # TODO as package pkgs.sqlHashPassword
- # # TODO not using mysql
- # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
- # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
- # user=${shell.escape dbUser}@localhost
- # database=${shell.escape dbName}
- # cat << EOF
- # CREATE DATABASE IF NOT EXISTS $database;
- # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
- # GRANT ALL PRIVILEGES ON $database.* TO $user;
- # FLUSH PRIVILEGES;
- # EOF
- # } | mysql -u root -p
- # # TODO nix2php for wp-config.php
- # mkdir -p ${folder}/config
- # cat > ${folder}/config/config.php << EOF
- # <?php
- # \$CONFIG = array (
- # 'dbhost' => 'localhost',
- # 'dbtableprefix' => 'oc_',
- # 'dbpassword' => '$db_password',
- # 'installed' => 'true',
- # 'trusted_domains' =>
- # array (
- # 0 => '${domain}',
- # ),
- # 'overwrite.cli.url' => 'http://${domain}',
-
- # ${concatStringsSep "\n" (mapAttrsToList (name: value:
- # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
- # ) {
- # instanceid = instanceid;
- # datadirectory = dataDir;
- # dbtype = dbType;
- # dbname = dbName;
- # dbuser = dbUser;
- # })}
-
- # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
- # "secret"
- # "passwordsalt"
- # ]}
- # );
- # EOF
- # '';
- # };
- # };
- #});
- users.users.nobody_oc = {
- uid = genid "nobody_oc";
- useDefaultShell = true;
- };
- };
-
-in out
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
deleted file mode 100644
index 5d88e3fde..000000000
--- a/lass/3modules/wordpress_nginx.nix
+++ /dev/null
@@ -1,265 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
- cfg = config.lass.wordpress;
-
- out = {
- options.lass.wordpress = api;
- config = imp;
- };
-
- api = mkOption {
- type = with types; attrsOf (submodule ({ config, ... }: {
- options = {
- domain = mkOption {
- type = str;
- default = config._module.args.name;
- };
- dbUser = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- dbName = mkOption {
- type = str;
- default = replaceStrings ["."] ["_"] config.domain;
- };
- folder = mkOption {
- type = str;
- default = "/srv/http/${config.domain}";
- };
- auto = mkOption {
- type = bool;
- default = false;
- };
- charset = mkOption {
- type = str;
- default = "utf8mb4";
- };
- collate = mkOption {
- type = str;
- default = "";
- };
- debug = mkOption {
- type = bool;
- default = false;
- };
- multiSite = mkOption {
- type = attrsOf str;
- default = {};
- example = {
- "0" = "bla.testsite.de";
- "1" = "test.testsite.de";
- };
- };
- ssl = mkOption {
- type = with types; submodule ({
- options = {
- enable = mkEnableOption "ssl";
- certificate = mkOption {
- type = str;
- };
- certificate_key = mkOption {
- type = str;
- };
- ciphers = mkOption {
- type = str;
- default = "AES128+EECDH:AES128+EDH";
- };
- };
- });
- };
- };
- }));
- default = {};
- };
-
- user = config.services.nginx.user;
- group = config.services.nginx.group;
-
- imp = {
- #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
- # map $http_host $blogid {
- # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
- # }
- #'';
-
- krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
- server-names = [
- "${domain}"
- "www.${domain}"
- ];
- #(mkIf (multiSite != {})
- #)
- locations = (if (multiSite != {}) then
- [
- (nameValuePair "~ ^/files/(.*)$" ''
- try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
- '')
- (nameValuePair "^~ /blogs.dir" ''
- internal;
- alias ${folder}/wp-content/blogs.dir ;
- access_log off; log_not_found off; expires max;
- '')
- ]
- else
- []
- ) ++
- [
- (nameValuePair "/" ''
- try_files $uri $uri/ /index.php?$args;
- '')
- (nameValuePair "~ \.php$" ''
- fastcgi_pass unix:${folder}/phpfpm.pool;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '')
- (nameValuePair "~ /\\." ''
- deny all;
- '')
- #Directives to send expires headers and turn off 404 error logging.
- (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
- access_log off;
- log_not_found off;
- expires max;
- '')
- ];
- extraConfig = ''
- root ${folder}/;
- index index.php;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
- error_page 404 /404.html;
- error_page 500 502 503 504 /50x.html;
- ${if ssl.enable then ''
- ssl_certificate ${ssl.certificate};
- ssl_certificate_key ${ssl.certificate_key};
- '' else ""}
-
- '';
- listen = (if ssl.enable then
- [ "80" "443 ssl" ]
- else
- "80"
- );
- });
- services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
- listen = ${folder}/phpfpm.pool
- user = ${user}
- group = ${group}
- pm = dynamic
- pm.max_children = 5
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
- listen.owner = ${user}
- listen.group = ${group}
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '');
- systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
- name = "wordpressInit-${name}";
- value = {
- path = [
- pkgs.mysql
- pkgs.su
- pkgs.gawk
- pkgs.jq
- ];
- requiredBy = [ "nginx.service" ];
- serviceConfig = let
- php.define = name: value:
- "define(${php.newdoc name}, ${php.newdoc value});";
- php.toString = x:
- "'${x}'";
- php.newdoc = s:
- let b = "EOF${builtins.hashString "sha256" s}"; in
- ''<<<'${b}'
- ${s}
- ${b}
- '';
- in {
- Type = "oneshot";
- ExecStart = pkgs.writeScript "wordpressInit" ''
- #!/bin/sh
- set -euf
- wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
- db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
- get_secret() {
- echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
- }
- to_php_string() {
- echo "base64_decode('$(base64)')"
- }
- {
- cat ${toString <secrets/mysql_rootPassword>}
- password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
- # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
- # TODO as package pkgs.sqlHashPassword
- # TODO not using mysql
- # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
- passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
- user=${shell.escape dbUser}@localhost
- database=${shell.escape dbName}
- cat << EOF
- CREATE DATABASE IF NOT EXISTS $database;
- GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
- GRANT ALL PRIVILEGES ON $database.* TO $user;
- FLUSH PRIVILEGES;
- EOF
- } | mysql -u root -p
- # TODO nix2php for wp-config.php
- cat > ${folder}/wp-config.php << EOF
- <?php
- define('DB_PASSWORD', '$db_password');
- define('DB_HOST', 'localhost');
-
- ${concatStringsSep "\n" (mapAttrsToList (name: value:
- "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
- ) {
- DB_NAME = dbName;
- DB_USER = dbUser;
- DB_CHARSET = charset;
- DB_COLLATE = collate;
- })}
-
- ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
- "AUTH_KEY"
- "SECURE_AUTH_KEY"
- "LOGGED_IN_KEY"
- "NONCE_KEY"
- "AUTH_SALT"
- "SECURE_AUTH_SALT"
- "LOGGED_IN_SALT"
- "NONCE_SALT"
- ]}
-
- \$table_prefix = 'wp_';
-
- ${if (multiSite != {}) then
- "define('WP_ALLOW_MULTISITE', true);"
- else
- ""
- }
-
- define('WP_DEBUG', ${toJSON debug});
- if ( !defined('ABSPATH') )
- define('ABSPATH', dirname(__FILE__) . '/');
-
- /** Sets up WordPress vars and included files. */
- require_once(ABSPATH . 'wp-settings.php');
- EOF
- '';
- };
- };
- });
- users.users.nobody2 = mkDefault {
- uid = mkDefault (genid "nobody2");
- useDefaultShell = mkDefault true;
- };
- };
-
- indent = replaceChars ["\n"] ["\n "];
-
-in out