diff options
author | tv <tv@krebsco.de> | 2015-12-20 19:37:46 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2015-12-20 19:37:46 +0100 |
commit | c89907175546aa0c39bc6b2c4960f0ea6e6db8c9 (patch) | |
tree | 158bf1a5938fc37efc466b00b3f0906ac2a50d9f /lass/3modules | |
parent | c09bc6a29f21f1c6bd21575e385b8b3bc5c89b8a (diff) | |
parent | 5821d8438578db623a3e248c52fefa424fad0b51 (diff) |
Merge remote-tracking branch 'gum/master'
Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/bitlbee.nix | 153 | ||||
-rw-r--r-- | lass/3modules/default.nix | 3 | ||||
-rw-r--r-- | lass/3modules/dnsmasq.nix | 7 | ||||
-rw-r--r-- | lass/3modules/go.nix | 61 | ||||
-rw-r--r-- | lass/3modules/owncloud_nginx.nix | 215 | ||||
-rw-r--r-- | lass/3modules/static_nginx.nix | 49 | ||||
-rw-r--r-- | lass/3modules/wordpress_nginx.nix | 239 |
7 files changed, 504 insertions, 223 deletions
diff --git a/lass/3modules/bitlbee.nix b/lass/3modules/bitlbee.nix deleted file mode 100644 index 8ce560146..000000000 --- a/lass/3modules/bitlbee.nix +++ /dev/null @@ -1,153 +0,0 @@ -{ config, lib, pkgs, ... }: - - -let - - inherit (lib) - mkIf - mkOption - types - singleton - ; - - authModeCheck = v: - v == "Open" || - v == "Closed" || - v == "Registered" - ; - - bitlbeeConfig = pkgs.writeText "bitlbee.conf" '' - [settings] - RunMode = Daemon - User = bitlbee - ConfigDir = ${cfg.configDir} - DaemonInterface = ${cfg.interface} - DaemonPort = ${toString cfg.portNumber} - AuthMode = ${cfg.authMode} - ${lib.optionalString (cfg.hostName != "") "HostName = ${cfg.hostName}"} - ${lib.optionalString (cfg.protocols != "") "Protocols = ${cfg.protocols}"} - ${cfg.extraSettings} - - [defaults] - ${cfg.extraDefaults} - ''; - - cfg = config.lass.bitlbee; - - out = { - options.lass.bitlbee = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkOption { - default = false; - description = '' - Whether to run the BitlBee IRC to other chat network gateway. - Running it allows you to access the MSN, Jabber, Yahoo! and ICQ chat - networks via an IRC client. - ''; - }; - - interface = mkOption { - default = "127.0.0.1"; - description = '' - The interface the BitlBee deamon will be listening to. If `127.0.0.1', - only clients on the local host can connect to it; if `0.0.0.0', clients - can access it from any network interface. - ''; - }; - - portNumber = mkOption { - default = 6667; - description = '' - Number of the port BitlBee will be listening to. - ''; - }; - - authMode = mkOption { - default = "Open"; - type = types.addCheck types.str authModeCheck; - description = '' - The following authentication modes are available: - Open -- Accept connections from anyone, use NickServ for user authentication. - Closed -- Require authorization (using the PASS command during login) before allowing the user to connect at all. - Registered -- Only allow registered users to use this server; this disables the register- and the account command until the user identifies himself. - ''; - }; - - hostName = mkOption { - default = ""; - type = types.str; - description = '' - Normally, BitlBee gets a hostname using getsockname(). If you have a nicer - alias for your BitlBee daemon, you can set it here and BitlBee will identify - itself with that name instead. - ''; - }; - - configDir = mkOption { - default = "/var/lib/bitlbee"; - type = types.path; - description = '' - Specify an alternative directory to store all the per-user configuration - files. - ''; - }; - - protocols = mkOption { - default = ""; - type = types.str; - description = '' - This option allows to remove the support of protocol, even if compiled - in. If nothing is given, there are no restrictions. - ''; - }; - - extraSettings = mkOption { - default = ""; - description = '' - Will be inserted in the Settings section of the config file. - ''; - }; - - extraDefaults = mkOption { - default = ""; - description = '' - Will be inserted in the Default section of the config file. - ''; - }; - - bitlbeePkg = mkOption { - default = pkgs.bitlbee; - description = '' - the bitlbee pkg to use. - ''; - }; - }; - - imp = { - users.extraUsers = singleton { - name = "bitlbee"; - uid = config.ids.uids.bitlbee; - description = "BitlBee user"; - home = "/var/lib/bitlbee"; - createHome = true; - }; - - users.extraGroups = singleton { - name = "bitlbee"; - gid = config.ids.gids.bitlbee; - }; - - systemd.services.bitlbee = { - description = "BitlBee IRC to other chat networks gateway"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "bitlbee"; - serviceConfig.ExecStart = "${cfg.bitlbeePkg}/sbin/bitlbee -F -n -c ${bitlbeeConfig}"; - }; - }; - -in -out diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index b081dc3cc..0dcad971c 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -2,12 +2,11 @@ _: { imports = [ ./xresources.nix - ./bitlbee.nix ./folderPerms.nix - ./go.nix ./newsbot-js.nix ./per-user.nix ./urxvtd.nix ./xresources.nix + ./wordpress_nginx.nix ]; } diff --git a/lass/3modules/dnsmasq.nix b/lass/3modules/dnsmasq.nix index 99c165479..83a9cb180 100644 --- a/lass/3modules/dnsmasq.nix +++ b/lass/3modules/dnsmasq.nix @@ -25,13 +25,6 @@ let configFile = pkgs.writeText "dnsmasq.conf" cfg.config; imp = { - #users.extraUsers.go = { - # name = "go"; - # uid = 42774411; #genid go - # description = "go url shortener user"; - # home = "/var/lib/go"; - # createHome = true; - #}; systemd.services.dnsmasq = { description = "dnsmasq"; diff --git a/lass/3modules/go.nix b/lass/3modules/go.nix deleted file mode 100644 index aa900f118..000000000 --- a/lass/3modules/go.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; - -let - cfg = config.lass.go; - - out = { - options.lass.go = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "Enable go url shortener"; - port = mkOption { - type = types.str; - default = "1337"; - description = "on which port go should run on"; - }; - redisKeyPrefix = mkOption { - type = types.str; - default = "go:"; - description = "change the Redis key prefix which defaults to `go:`"; - }; - }; - - imp = { - users.extraUsers.go = { - name = "go"; - uid = 42774411; #genid go - description = "go url shortener user"; - home = "/var/lib/go"; - createHome = true; - }; - - systemd.services.go = { - description = "go url shortener"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - go - ]; - - environment = { - PORT = cfg.port; - REDIS_KEY_PREFIX = cfg.redisKeyPrefix; - }; - - restartIfChanged = true; - - serviceConfig = { - User = "go"; - Restart = "always"; - ExecStart = "${pkgs.go}/bin/go"; - }; - }; - }; - -in out diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix new file mode 100644 index 000000000..a0db87b0b --- /dev/null +++ b/lass/3modules/owncloud_nginx.nix @@ -0,0 +1,215 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.owncloud; + + out = { + options.lass.owncloud = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + dataDir = mkOption { + type = str; + default = "${config.folder}/data"; + }; + dbUser = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbName = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbType = mkOption { + # TODO: check for valid dbType + type = str; + default = "mysql"; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + auto = mkOption { + type = bool; + default = false; + }; + instanceid = mkOption { + type = str; + }; + ssl = mkOption { + type = bool; + default = false; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ /index.php; + '') + (nameValuePair "~ \.php$" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:${folder}/phpfpm.pool; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + extraConfig = '' + root ${folder}/; + #index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + ''; + }); + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' + listen = ${folder}/phpfpm.pool + user = ${user} + group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = ${user} + listen.group = ${group} + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''); + #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: { + # name = "owncloudInit-${name}"; + # value = { + # path = [ + # pkgs.mysql + # pkgs.su + # pkgs.gawk + # pkgs.jq + # ]; + # requiredBy = [ "nginx.service" ]; + # serviceConfig = let + # php.define = name: value: + # "define(${php.newdoc name}, ${php.newdoc value});"; + # php.toString = x: + # "'${x}'"; + # php.newdoc = s: + # let b = "EOF${builtins.hashString "sha256" s}"; in + # ''<<<'${b}' + # ${s} + # ${b} + # ''; + # in { + # Type = "oneshot"; + # ExecStart = pkgs.writeScript "wordpressInit" '' + # #!/bin/sh + # set -euf + # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"} + # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) + # get_secret() { + # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string)," + # } + # to_php_string() { + # echo "base64_decode('$(base64)')" + # } + # { + # cat ${toString <secrets/mysql_rootPassword>} + # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) + # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") + # # TODO as package pkgs.sqlHashPassword + # # TODO not using mysql + # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; + # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") + # user=${shell.escape dbUser}@localhost + # database=${shell.escape dbName} + # cat << EOF + # CREATE DATABASE IF NOT EXISTS $database; + # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; + # GRANT ALL PRIVILEGES ON $database.* TO $user; + # FLUSH PRIVILEGES; + # EOF + # } | mysql -u root -p + # # TODO nix2php for wp-config.php + # mkdir -p ${folder}/config + # cat > ${folder}/config/config.php << EOF + # <?php + # \$CONFIG = array ( + # 'dbhost' => 'localhost', + # 'dbtableprefix' => 'oc_', + # 'dbpassword' => '$db_password', + # 'installed' => 'true', + # 'trusted_domains' => + # array ( + # 0 => '${domain}', + # ), + # 'overwrite.cli.url' => 'http://${domain}', + + # ${concatStringsSep "\n" (mapAttrsToList (name: value: + # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string)," + # ) { + # instanceid = instanceid; + # datadirectory = dataDir; + # dbtype = dbType; + # dbname = dbName; + # dbuser = dbUser; + # })} + + # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ + # "secret" + # "passwordsalt" + # ]} + # ); + # EOF + # ''; + # }; + # }; + #}); + users.users.nobody_oc = { + uid = 1651469147; # genid nobody_oc + useDefaultShell = true; + }; + }; + +in out diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix new file mode 100644 index 000000000..cc2641af2 --- /dev/null +++ b/lass/3modules/static_nginx.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.staticPage; + + out = { + options.lass.staticPage = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root ${folder}; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + }); + }; + +in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix new file mode 100644 index 000000000..2f31f6e02 --- /dev/null +++ b/lass/3modules/wordpress_nginx.nix @@ -0,0 +1,239 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.wordpress; + + out = { + options.lass.wordpress = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + dbUser = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbName = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + auto = mkOption { + type = bool; + default = false; + }; + charset = mkOption { + type = str; + default = "utf8mb4"; + }; + collate = mkOption { + type = str; + default = ""; + }; + debug = mkOption { + type = bool; + default = false; + }; + multiSite = mkOption { + type = attrsOf str; + default = {}; + example = { + "0" = "bla.testsite.de"; + "1" = "test.testsite.de"; + }; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) '' + # map $http_host $blogid { + # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)} + # } + #''; + + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + #(mkIf (multiSite != {}) + #) + locations = (if (multiSite != {}) then + [ + (nameValuePair "~ ^/files/(.*)$" '' + try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ; + '') + (nameValuePair "^~ /blogs.dir" '' + internal; + alias ${folder}/wp-content/blogs.dir ; + access_log off; log_not_found off; expires max; + '') + ] + else + [] + ) ++ + [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:${folder}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') + ]; + extraConfig = '' + root ${folder}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + }); + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' + listen = ${folder}/phpfpm.pool + user = ${user} + group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = ${user} + listen.group = ${group} + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''); + systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: { + name = "wordpressInit-${name}"; + value = { + path = [ + pkgs.mysql + pkgs.su + pkgs.gawk + pkgs.jq + ]; + requiredBy = [ "nginx.service" ]; + serviceConfig = let + php.define = name: value: + "define(${php.newdoc name}, ${php.newdoc value});"; + php.toString = x: + "'${x}'"; + php.newdoc = s: + let b = "EOF${builtins.hashString "sha256" s}"; in + ''<<<'${b}' + ${s} + ${b} + ''; + in { + Type = "oneshot"; + ExecStart = pkgs.writeScript "wordpressInit" '' + #!/bin/sh + set -euf + wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"} + db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) + get_secret() { + echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));" + } + to_php_string() { + echo "base64_decode('$(base64)')" + } + { + cat ${toString <secrets/mysql_rootPassword>} + password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) + # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") + # TODO as package pkgs.sqlHashPassword + # TODO not using mysql + # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; + passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") + user=${shell.escape dbUser}@localhost + database=${shell.escape dbName} + cat << EOF + CREATE DATABASE IF NOT EXISTS $database; + GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; + GRANT ALL PRIVILEGES ON $database.* TO $user; + FLUSH PRIVILEGES; + EOF + } | mysql -u root -p + # TODO nix2php for wp-config.php + cat > ${folder}/wp-config.php << EOF + <?php + define('DB_PASSWORD', '$db_password'); + define('DB_HOST', 'localhost'); + + ${concatStringsSep "\n" (mapAttrsToList (name: value: + "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));" + ) { + DB_NAME = dbName; + DB_USER = dbUser; + DB_CHARSET = charset; + DB_COLLATE = collate; + })} + + ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ + "AUTH_KEY" + "SECURE_AUTH_KEY" + "LOGGED_IN_KEY" + "NONCE_KEY" + "AUTH_SALT" + "SECURE_AUTH_SALT" + "LOGGED_IN_SALT" + "NONCE_SALT" + ]} + + \$table_prefix = 'wp_'; + + ${if (multiSite != {}) then + "define('WP_ALLOW_MULTISITE', true);" + else + "" + } + + define('WP_DEBUG', ${toJSON debug}); + if ( !defined('ABSPATH') ) + define('ABSPATH', dirname(__FILE__) . '/'); + + /** Sets up WordPress vars and included files. */ + require_once(ABSPATH . 'wp-settings.php'); + EOF + ''; + }; + }; + }); + users.users.nobody2 = mkDefault { + uid = mkDefault 125816384; # genid nobody2 + useDefaultShell = mkDefault true; + }; + }; + + indent = replaceChars ["\n"] ["\n "]; + +in out |