author | lassulus <git@lassul.us> | 2023-09-07 12:26:31 +0200 |
---|---|---|
committer | lassulus <git@lassul.us> | 2023-09-07 12:40:43 +0200 |
commit | 2e5167de1560ad0d7b8e294c72e1913f694160c2 (patch) | |
tree | b618daa9f125650e9276bae7848f854c48d6c95e /lass/2configs/websites | |
parent | 6a3a423dad19264c0c42821c7676e85ecc122d21 (diff) |
lass: migrate awayriplass
Diffstat (limited to 'lass/2configs/websites')
-rw-r--r-- | lass/2configs/websites/default.nix | 20 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 454 | ||||
-rw-r--r-- | lass/2configs/websites/flix.lassul.us.nix | 13 | ||||
-rw-r--r-- | lass/2configs/websites/lassulus.nix | 74 | ||||
-rw-r--r-- | lass/2configs/websites/ref.ptkk.de/default.nix | 89 | ||||
-rw-r--r-- | lass/2configs/websites/sqlBackup.nix | 30 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 246 |
7 files changed, 0 insertions, 926 deletions
diff --git a/lass/2configs/websites/default.nix b/lass/2configs/websites/default.nix
deleted file mode 100644
index f74845a56..000000000
--- a/lass/2configs/websites/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, lib, ... }:
-
-{
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
-
- enableReload = true;
-
- virtualHosts.default = {
- locations."= /etc/os-release".extraConfig = ''
- default_type text/plain;
- alias /etc/os-release;
- '';
- };
- };
-}
-
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
deleted file mode 100644
index 71f7f8111..000000000
--- a/lass/2configs/websites/domsen.nix
+++ /dev/null
@@ -1,454 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-let
-
- inherit (import <stockholm/lib>)
- genid
- genid_uint31
- ;
- inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- servePage
- serveOwncloud
- serveWordpress;
-
- msmtprc = pkgs.writeText "msmtprc" ''
- account localhost
- host localhost
- account default: localhost
- '';
-
- sendmail = pkgs.writeDash "msmtp" ''
- exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
- '';
-
-in {
- imports = [
- ./default.nix
- ./sqlBackup.nix
- (servePage [ "aldonasiech.com" "www.aldonasiech.com" ])
- (servePage [ "apanowicz.de" "www.apanowicz.de" ])
- (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
- (servePage [ "illustra.de" "www.illustra.de" ])
- (servePage [ "event-extra.de" "www.event-extra.de" ])
- # (servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ])
- (servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ])
- (servePage [ "karlaskop.de" ])
- (servePage [
- "freemonkey.art"
- "www.freemonkey.art"
- ])
- (serveOwncloud [ "o.ubikmedia.de" ])
- (serveWordpress [
- "ubikmedia.de"
- "ubikmedia.eu"
- "youthtube.xyz"
- "joemisch.com"
- "weirdwednesday.de"
- "jarugadesign.de"
- "beesmooth.ch"
-
- "www.ubikmedia.eu"
- "www.youthtube.xyz"
- "www.ubikmedia.de"
- "www.joemisch.com"
- "www.weirdwednesday.de"
- "www.jarugadesign.de"
- "www.beesmooth.ch"
-
- "aldona2.ubikmedia.de"
- "cinevita.ubikmedia.de"
- "factscloud.ubikmedia.de"
- "illucloud.ubikmedia.de"
- "joemisch.ubikmedia.de"
- "nb.ubikmedia.de"
- "youthtube.ubikmedia.de"
- "weirdwednesday.ubikmedia.de"
- "freemonkey.ubikmedia.de"
- "jarugadesign.ubikmedia.de"
- "crypto4art.ubikmedia.de"
- "jarugadesign.ubikmedia.de"
- "beesmooth.ubikmedia.de"
- ])
- ];
-
- # https://github.com/nextcloud/server/issues/25436
- services.mysql.settings.mysqld.innodb_read_only_compressed = 0;
-
- services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
- services.mysql.ensureUsers = [
- { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
- { ensurePermissions = { "o_ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
- ];
-
- services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
- try_files $uri $uri/ /index.php?$args;
- '';
-
- lass.mysqlBackup.config.all.databases = [
- "ubikmedia_de"
- "o_ubikmedia_de"
- ];
-
- services.phpfpm.phpOptions = ''
- sendmail_path = ${sendmail} -t
- upload_max_filesize = 100M
- post_max_size = 100M
- file_uploads = on
- '';
-
- systemd.services.nextcloud-setup.after = [ "secret-nextcloud_pw.service" ];
- krebs.secret.files.nextcloud_pw = {
- path = "/run/nextcloud.pw";
- owner.name = "nextcloud";
- group-name = "nextcloud";
- source-path = toString <secrets> + "/nextcloud_pw";
- };
- services.nextcloud = {
- enable = true;
- enableBrokenCiphersForSSE = false;
- hostName = "o.xanf.org";
- package = pkgs.nextcloud25;
- config = {
- adminpassFile = "/run/nextcloud.pw";
- overwriteProtocol = "https";
- };
- https = true;
- };
- services.nginx.virtualHosts."o.xanf.org" = {
- enableACME = true;
- forceSSL = true;
- };
-
- # MAIL STUFF
- # TODO: make into its own module
-
- services.roundcube = {
- enable = true;
- hostName = "mail.lassul.us";
- extraConfig = ''
- $config['smtp_debug'] = true;
- $config['smtp_host'] = "localhost:25";
- '';
- };
- services.dovecot2 = {
- enable = true;
- showPAMFailure = true;
- mailLocation = "maildir:~/Mail";
- sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
- sslServerKey = "/var/lib/acme/lassul.us/key.pem";
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
- ];
-
- environment.systemPackages = [
- (pkgs.writers.writeDashBin "debug_exim" ''
- set -ef
- export PATH="${lib.makeBinPath [ pkgs.coreutils ]}"
- echo "$@" >> /tmp/xxx
- /run/wrappers/bin/shadow_verify_arg "${config.lass.usershadow.pattern}" "$2" "$3" 2>>/tmp/xxx1
- echo "ok" >> /tmp/yyy
- exit 23
- '')
- ];
-
- krebs.exim-smarthost = {
- authenticators.PLAIN = ''
- driver = plaintext
- public_name = PLAIN
- server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
- '';
- authenticators.LOGIN = ''
- driver = plaintext
- public_name = LOGIN
- server_prompts = "Username:: : Password::"
- server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
- # server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
- '';
- internet-aliases = [
- { from = "dma@ubikmedia.de"; to = "domsen"; }
- { from = "dma@ubikmedia.eu"; to = "domsen"; }
- { from = "mail@habsys.de"; to = "domsen"; }
- { from = "mail@habsys.eu"; to = "domsen"; }
- { from = "hallo@apanowicz.de"; to = "domsen"; }
- { from = "bruno@apanowicz.de"; to = "bruno"; }
- { from = "mail@jla-trading.com"; to = "jla-trading"; }
- { from = "jms@ubikmedia.eu"; to = "jms"; }
- { from = "ms@ubikmedia.eu"; to = "ms"; }
- { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
- { from = "kontakt@alewis.de"; to ="klabusterbeere"; }
- { from = "hallo@jarugadesign.de"; to ="kasia"; }
- { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }
-
- { from = "testuser@lassul.us"; to = "testuser"; }
- { from = "testuser@ubikmedia.eu"; to = "testuser"; }
- ];
- sender_domains = [
- "jla-trading.com"
- "ubikmedia.eu"
- "ubikmedia.de"
- "apanowicz.de"
- "alewis.de"
- "jarugadesign.de"
- "beesmooth.ch"
- "event-extra.de"
- ];
- dkim = [
- { domain = "ubikmedia.eu"; }
- { domain = "apanowicz.de"; }
- { domain = "beesmooth.ch"; }
- ];
- };
- services.borgbackup.jobs.hetzner.paths = [
- "/home/xanf"
- "/home/domsen"
- "/home/bruno"
- "/home/jla-trading"
- "/home/jms"
- "/home/ms"
- "/home/bui"
- "/home/klabusterbeere"
- "/home/akayguen"
- "/home/kasia"
- "/home/dif"
- "/home/lavafilms"
- "/home/movematchers"
- "/home/blackphoton"
- "/home/avada"
- "/home/sts"
- "/home/familienrat"
- ];
- users.users.UBIK-SFTP = {
- uid = genid_uint31 "UBIK-SFTP";
- home = "/home/UBIK-SFTP";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.xanf = {
- uid = genid_uint31 "xanf";
- group = "xanf";
- home = "/home/xanf";
- useDefaultShell = true;
- createHome = false; # creathome forces permissions
- isNormalUser = true;
- };
-
- users.users.domsen = {
- uid = genid_uint31 "domsen";
- description = "maintenance acc for domsen";
- home = "/home/domsen";
- useDefaultShell = true;
- extraGroups = [ "syncthing" "download" "xanf" ];
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.bruno = {
- uid = genid_uint31 "bruno";
- home = "/home/bruno";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.jla-trading = {
- uid = genid_uint31 "jla-trading";
- home = "/home/jla-trading";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.jms = {
- uid = genid_uint31 "jms";
- home = "/home/jms";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.ms = {
- uid = genid_uint31 "ms";
- home = "/home/ms";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.testuser = {
- uid = genid_uint31 "testuser";
- home = "/home/testuser";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- #users.users.akayguen = {
- # uid = genid_uint31 "akayguen";
- # home = "/home/akayguen";
- # useDefaultShell = true;
- # createHome = true;
- # isNormalUser = true;
- #};
-
- users.users.bui = {
- uid = genid_uint31 "bui";
- home = "/home/bui";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.klabusterbeere = {
- uid = genid_uint31 "klabusterbeere";
- home = "/home/klabusterbeere";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.kasia = {
- uid = genid_uint31 "kasia";
- home = "/home/kasia";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.XANF_TEAM = {
- uid = genid_uint31 "XANF_TEAM";
- group = "xanf";
- home = "/home/XANF_TEAM";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.dif = {
- uid = genid_uint31 "dif";
- home = "/home/dif";
- useDefaultShell = true;
- extraGroups = [ "xanf" ];
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.lavafilms = {
- uid = genid_uint31 "lavafilms";
- home = "/home/lavafilms";
- useDefaultShell = true;
- extraGroups = [ "xanf" ];
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.movematchers = {
- uid = genid_uint31 "movematchers";
- home = "/home/movematchers";
- useDefaultShell = true;
- extraGroups = [ "xanf" ];
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.blackphoton = {
- uid = genid_uint31 "blackphoton";
- home = "/home/blackphoton";
- useDefaultShell = true;
- extraGroups = [ "xanf" ];
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.line = {
- uid = genid_uint31 "line";
- home = "/home/line";
- useDefaultShell = true;
- # extraGroups = [ "xanf" ];
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.avada = {
- uid = genid_uint31 "avada";
- home = "/home/avada";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.sts = {
- uid = genid_uint31 "sts";
- home = "/home/sts";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
-
- users.users.familienrat = {
- uid = genid_uint31 "familienrat";
- home = "/home/familienrat";
- useDefaultShell = true;
- createHome = true;
- isNormalUser = true;
- };
- krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {};
- krebs.acl."/srv/http"."u:familienrat:X" = {
- default = false;
- recursive = false;
- };
-
- users.groups.xanf = {};
-
- krebs.on-failure.plans.restic-backups-domsen = {
- journalctl = {
- lines = 1000;
- };
- };
-
- services.restic.backups.domsen = {
- initialize = true;
- repository = "/backups/domsen";
- passwordFile = toString <secrets> + "/domsen_backup_pw";
- timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
- paths = [
- "/home/domsen/Mail"
- "/home/ms/Mail"
- "/home/klabusterbeere/Mail"
- "/home/jms/Mail"
- "/home/kasia/Mail"
- "/home/bruno/Mail"
- "/home/akayguen/Mail"
- "/backups/sql_dumps"
- ];
- };
-
- services.syncthing.declarative.folders = {
- domsen-backups = {
- path = "/backups/domsen";
- devices = [ "domsen-backup" ];
- };
- domsen-backup-srv-http = {
- path = "/srv/http";
- devices = [ "domsen-backup" ];
- };
- };
-
- system.activationScripts.domsen-backups = ''
- ${pkgs.coreutils}/bin/chmod 750 /backups
- '';
-
- # takes too long!!
- # krebs.acl."/srv/http"."u:syncthing:rwX" = {};
- # krebs.acl."/srv/http"."u:nginx:rwX" = {};
- # krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {};
- krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {};
- krebs.acl."/home/xanf"."g:xanf:X" = {
- default = false;
- recursive = false;
- };
-}
-
diff --git a/lass/2configs/websites/flix.lassul.us.nix b/lass/2configs/websites/flix.lassul.us.nix
deleted file mode 100644
index 27a7f75e8..000000000
--- a/lass/2configs/websites/flix.lassul.us.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-{
- services.nginx.virtualHosts."flix.lassul.us" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://yellow.r:8096";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
- };
-}
-
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
deleted file mode 100644
index 9440413aa..000000000
--- a/lass/2configs/websites/lassulus.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
- inherit (import <stockholm/lib>)
- genid_uint31
- ;
-
-in {
- imports = [
- ./default.nix
- ];
-
- security.acme = {
- email = "acme@lassul.us";
- acceptTerms = true;
- certs."lassul.us" = {
- group = "lasscert";
- };
- };
-
- users.groups.lasscert.members = [
- "dovecot2"
- "exim"
- "nginx"
- ];
-
- services.nginx.virtualHosts."lassul.us" = {
- addSSL = true;
- enableACME = true;
- default = true;
- locations."/".extraConfig = ''
- root /srv/http/lassul.us;
- '';
- locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '';
- locations."= /hosts".extraConfig = ''
- alias ${pkgs.krebs-hosts_combined};
- '';
- locations."= /retiolum.hosts".extraConfig = ''
- alias ${pkgs.krebs-hosts-retiolum};
- '';
- locations."= /wireguard-key".extraConfig = ''
- alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey};
- '';
- locations."= /krebspage".extraConfig = ''
- default_type "text/html";
- alias ${pkgs.krebspage}/index.html;
- '';
- locations."= /init".extraConfig = let
- initscript = pkgs.init.override {
- pubkey = config.krebs.users.lass.pubkey;
- };
- in ''
- alias ${initscript}/bin/init;
- '';
- locations."= /blue.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey};
- '';
- locations."= /ssh.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey};
- '';
- locations."= /gpg.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default};
- '';
- locations."= /ip".extraConfig = ''
- return 200 '$remote_addr';
- '';
- };
-
-
-
-}
diff --git a/lass/2configs/websites/ref.ptkk.de/default.nix b/lass/2configs/websites/ref.ptkk.de/default.nix
deleted file mode 100644
index 14ce58b8e..000000000
--- a/lass/2configs/websites/ref.ptkk.de/default.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.nginx.virtualHosts."ref.ptkk.de" = {
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:4626";
- extraConfig = ''
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Upgrade $http_upgrade;
- proxy_cache_bypass $http_upgrade;
- '';
- };
- locations."/static/" = {
- alias = "/var/lib/ref.ptkk.de/static/";
- };
- forceSSL = true;
- };
- systemd.services."ref.ptkk.de" = {
- wantedBy = [ "multi-user.target" ];
- environment = {
- PRODUCTION = "yip";
- DATA_DIR = "/var/lib/ref.ptkk.de/data";
- PORT = "4626";
- STATIC_ROOT = "/var/lib/ref.ptkk.de/static";
- };
- path = with pkgs; [
- git
- gnutar
- gzip
- nix
- ];
- serviceConfig = {
- ExecStartPre = [
- "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data"
- "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code"
- "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static"
- ];
- ExecStart = pkgs.writers.writeDash "nixify" ''
- cd code
- if test -e shell.nix; then
- ${pkgs.nix}/bin/nix-shell -I /var/src --run serve
- else
- echo 'no shell.nix, bailing out'
- exit 0
- fi
- '';
- LoadCredential = [
- "django-secret.key:${toString <secrets>}/ref.ptkk.de-django.key"
- ];
- User = "ref.ptkk.de";
- WorkingDirectory = "/var/lib/ref.ptkk.de";
- StateDirectory = "ref.ptkk.de";
- Restart = "always";
- RestartSec = "100s";
- };
- };
- systemd.services."ref.ptkk.de-restarter" = {
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service";
- };
- };
- systemd.paths."ref.ptkk.de-restarter" = {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged = [
- "/var/lib/ref.ptkk.de/code"
- "/var/src/nixpkgs"
- ];
- };
-
- users.users."ref.ptkk.de" = {
- isSystemUser = true;
- uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de";
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com"
- config.krebs.users.lass.pubkey
- ];
- group = "nginx";
- home = "/var/lib/ref.ptkk.de";
- useDefaultShell = true;
- };
-}
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
deleted file mode 100644
index c9783bece..000000000
--- a/lass/2configs/websites/sqlBackup.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- krebs.secret.files.mysql_rootPassword = {
- path = "${config.services.mysql.dataDir}/mysql_rootPassword";
- owner.name = "mysql";
- source-path = toString <secrets> + "/mysql_rootPassword";
- };
-
- services.mysql = {
- enable = true;
- dataDir = "/var/mysql";
- package = pkgs.mariadb;
- };
-
- systemd.services.mysql = {
- after = [
- config.krebs.secret.files.mysql_rootPassword.service
- ];
- partOf = [
- config.krebs.secret.files.mysql_rootPassword.service
- ];
- };
-
- lass.mysqlBackup = {
- enable = true;
- config.all = {};
- };
-}
-
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
deleted file mode 100644
index bffa1036b..000000000
--- a/lass/2configs/websites/util.nix
+++ /dev/null
@@ -1,246 +0,0 @@
-{ lib, pkgs, ... }:
-
-with lib;
-
-rec {
-
- ssl = domains :
- let
- domain = head domains;
- in {
- };
-
- servePage = domains:
- let
- domain = head domains;
- in {
- services.nginx.virtualHosts.${domain} = {
- enableACME = true;
- addSSL = true;
- serverAliases = domains;
- locations."/".extraConfig = ''
- root /srv/http/${domain};
- '';
- };
- };
-
- servephpBB = domains:
- let
- domain = head domains;
-
- in {
- services.nginx.virtualHosts."${domain}" = {
- serverAliases = domains;
- extraConfig = ''
- index index.php;
- root /srv/http/${domain}/;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
- error_page 404 /404.html;
- error_page 500 502 503 504 /50x.html;
- client_max_body_size 100m;
- '';
- locations."/".extraConfig = ''
- try_files $uri $uri/ /index.php?$args;
- '';
- locations."~ \.php(?:$|/)".extraConfig = ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '';
- #Directives to send expires headers and turn off 404 error logging.
- locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
- access_log off;
- log_not_found off;
- expires max;
- '';
- };
- services.phpfpm.pools."${domain}" = {
- user = "nginx";
- group = "nginx";
- extraConfig = ''
- listen = /srv/http/${domain}/phpfpm.pool
- pm = dynamic
- pm.max_children = 25
- pm.start_servers = 5
- pm.min_spare_servers = 3
- pm.max_spare_servers = 20
- listen.owner = nginx
- listen.group = nginx
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '';
- };
- };
-
- serveOwncloud = domains:
- let
- domain = head domains;
- in {
- services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
- addSSL = true;
- serverAliases = domains;
- extraConfig = ''
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
-
- # Path to the root of your installation
- root /srv/http/${domain}/;
- # set max upload size
- client_max_body_size 10G;
- fastcgi_buffers 64 4K;
- fastcgi_read_timeout 120;
-
- # Disable gzip to avoid the removal of the ETag header
- gzip off;
-
- # Uncomment if your server is build with the ngx_pagespeed module
- # This module is currently not supported.
- #pagespeed off;
-
- index index.php;
- error_page 403 /core/templates/403.php;
- error_page 404 /core/templates/404.php;
-
- rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
- rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
-
- # The following 2 rules are only needed for the user_webfinger app.
- # Uncomment it if you're planning to use this app.
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
- '';
- locations."/robots.txt".extraConfig = ''
- allow all;
- log_not_found off;
- access_log off;
- '';
- locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
- deny all;
- '';
-
- locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = ''
- deny all;
- '';
-
- locations."/".extraConfig = ''
- rewrite ^/remote/(.*) /remote.php last;
- rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
- try_files $uri $uri/ =404;
- '';
-
- locations."~ \.php(?:$|/)".extraConfig = ''
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- include ${pkgs.nginx}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_intercept_errors on;
- '';
-
- # Adding the cache control header for js and css files
- # Make sure it is BELOW the location ~ \.php(?:$|/) { block
- locations."~* \.(?:css|js)$".extraConfig = ''
- add_header Cache-Control "public, max-age=7200";
- # Add headers to serve security related headers
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- # Optional: Don't log access to assets
- access_log off;
- '';
- # Optional: Don't log access to other assets
- locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
- access_log off;
- '';
- };
- services.phpfpm.pools."${domain}" = {
- user = "nginx";
- group = "nginx";
- extraConfig = ''
- listen = /srv/http/${domain}/phpfpm.pool
- pm = dynamic
- pm.max_children = 32
- pm.max_requests = 500
- pm.start_servers = 2
- pm.min_spare_servers = 2
- pm.max_spare_servers = 5
- listen.owner = nginx
- listen.group = nginx
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '';
- };
- };
-
- serveWordpress = domains:
- let
- domain = head domains;
-
- in {
- services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
- forceSSL = true;
- serverAliases = domains;
- extraConfig = ''
- root /srv/http/${domain}/;
- index index.php;
- access_log /tmp/nginx_acc.log;
- error_log /tmp/nginx_err.log;
- error_page 404 /404.html;
- error_page 500 502 503 504 /50x.html;
- client_max_body_size 100m;
- '';
- locations."/".extraConfig = ''
- try_files $uri $uri/ /index.php?$args;
- '';
- locations."~ \.php$".extraConfig = ''
- fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
- fastcgi_read_timeout 120;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- '';
- #Directives to send expires headers and turn off 404 error logging.
- locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
- access_log off;
- log_not_found off;
- expires max;
- '';
- };
- services.phpfpm.pools."${domain}" = {
- user = "nginx";
- group = "nginx";
- extraConfig = ''
- listen = /srv/http/${domain}/phpfpm.pool
- pm = dynamic
- pm.max_children = 25
- pm.start_servers = 5
- pm.min_spare_servers = 3
- pm.max_spare_servers = 20
- listen.owner = nginx
- listen.group = nginx
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- catch_workers_output = yes
- '';
- };
- };
-
-} |