diff options
author | makefu <github@syntax-fehler.de> | 2015-11-14 01:51:36 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2015-11-14 01:51:36 +0100 |
commit | 773a67a983cbe1928da6c524db24a25229a6f5fe (patch) | |
tree | 2a00ed5a39f85b837578625cf49d193f4d308f14 /lass/3modules | |
parent | a0fbe917ac45cda4de0f16bced3ce3ebfc556fe8 (diff) | |
parent | e7d22252dcad25fd5594e9a431f5a39aa620906d (diff) |
Merge remote-tracking branch 'cloudkrebs/master' into pre-merge
Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/default.nix | 2 | ||||
-rw-r--r-- | lass/3modules/go.nix | 61 | ||||
-rw-r--r-- | lass/3modules/wordpress_nginx.nix | 195 |
3 files changed, 196 insertions, 62 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index b081dc3cc..7c85af3a4 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -4,10 +4,10 @@ _: ./xresources.nix ./bitlbee.nix ./folderPerms.nix - ./go.nix ./newsbot-js.nix ./per-user.nix ./urxvtd.nix ./xresources.nix + ./wordpress_nginx.nix ]; } diff --git a/lass/3modules/go.nix b/lass/3modules/go.nix deleted file mode 100644 index aa900f118..000000000 --- a/lass/3modules/go.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ config, lib, pkgs, ... }: - -with builtins; -with lib; - -let - cfg = config.lass.go; - - out = { - options.lass.go = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "Enable go url shortener"; - port = mkOption { - type = types.str; - default = "1337"; - description = "on which port go should run on"; - }; - redisKeyPrefix = mkOption { - type = types.str; - default = "go:"; - description = "change the Redis key prefix which defaults to `go:`"; - }; - }; - - imp = { - users.extraUsers.go = { - name = "go"; - uid = 42774411; #genid go - description = "go url shortener user"; - home = "/var/lib/go"; - createHome = true; - }; - - systemd.services.go = { - description = "go url shortener"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - go - ]; - - environment = { - PORT = cfg.port; - REDIS_KEY_PREFIX = cfg.redisKeyPrefix; - }; - - restartIfChanged = true; - - serviceConfig = { - User = "go"; - Restart = "always"; - ExecStart = "${pkgs.go}/bin/go"; - }; - }; - }; - -in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix new file mode 100644 index 000000000..65170698f --- /dev/null +++ b/lass/3modules/wordpress_nginx.nix @@ -0,0 +1,195 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.wordpress; + + out = { + options.lass.wordpress = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + dbUser = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbName = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + auto = mkOption { + type = bool; + default = false; + }; + charset = mkOption { + type = str; + default = "utf8mb4"; + }; + collate = mkOption { + type = str; + default = ""; + }; + debug = mkOption { + type = bool; + default = false; + }; + }; + })); + default = {}; + }; + + dataFolder = "/srv/http"; + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:${dataFolder}/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + extraConfig = '' + root ${dataFolder}/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + }); + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, ... }: '' + listen = ${dataFolder}/${domain}/phpfpm.pool + user = ${user} + group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = ${user} + listen.group = ${group} + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''); + systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, ... }: { + name = "wordpressInit-${name}"; + value = { + path = [ + pkgs.mysql + pkgs.su + pkgs.gawk + pkgs.jq + ]; + requiredBy = [ "nginx.service" ]; + serviceConfig = let + php.define = name: value: + "define(${php.newdoc name}, ${php.newdoc value});"; + php.toString = x: + "'${x}'"; + php.newdoc = s: + let b = "EOF${builtins.hashString "sha256" s}"; in + ''<<<'${b}' + ${s} + ${b} + ''; + in { + Type = "oneshot"; + ExecStart = pkgs.writeScript "wordpressInit" '' + #!/bin/sh + set -euf + wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"} + db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) + get_secret() { + echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));" + } + to_php_string() { + echo "base64_decode('$(base64)')" + } + { + cat ${toString <secrets/mysql_rootPassword>} + password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) + # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") + # TODO as package pkgs.sqlHashPassword + # TODO not using mysql + # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; + passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") + user=${shell.escape dbUser}@localhost + database=${shell.escape dbName} + cat << EOF + CREATE DATABASE IF NOT EXISTS $database; + GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; + GRANT ALL PRIVILEGES ON $database.* TO $user; + FLUSH PRIVILEGES; + EOF + } | mysql -u root -p + # TODO nix2php for wp-config.php + cat > ${folder}/wp-config.php << EOF + <?php + define('DB_PASSWORD', '$db_password'); + define('DB_HOST', 'localhost'); + + ${concatStringsSep "\n" (mapAttrsToList (name: value: + "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));" + ) { + DB_NAME = dbName; + DB_USER = dbUser; + DB_CHARSET = charset; + DB_COLLATE = collate; + })} + + ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ + "AUTH_KEY" + "SECURE_AUTH_KEY" + "LOGGED_IN_KEY" + "NONCE_KEY" + "AUTH_SALT" + "SECURE_AUTH_SALT" + "LOGGED_IN_SALT" + "NONCE_SALT" + ]} + + \$table_prefix = 'wp_'; + define('WP_DEBUG', ${toJSON debug}); + if ( !defined('ABSPATH') ) + define('ABSPATH', dirname(__FILE__) . '/'); + + /** Sets up WordPress vars and included files. */ + require_once(ABSPATH . 'wp-settings.php'); + EOF + ''; + }; + }; + }); + users.users.nobody2 = { + uid = 125816384; # genid nobody2 + useDefaultShell = true; + }; + }; + +in out |