diff --git a/hosts/milieu/configuration.nix b/hosts/milieu/configuration.nix index 2e0a913..b0904f4 100644 --- a/hosts/milieu/configuration.nix +++ b/hosts/milieu/configuration.nix @@ -6,7 +6,8 @@ { imports = - [ # Include the results of the hardware scan. + [ + # Include the results of the hardware scan. ./hardware-configuration.nix ../../profiles/shared-hackens ]; diff --git a/hosts/milieu/hardware-configuration.nix b/hosts/milieu/hardware-configuration.nix index f3b47cf..3c60783 100644 --- a/hosts/milieu/hardware-configuration.nix +++ b/hosts/milieu/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ + [ + ]; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "sd_mod" "sr_mod" ]; @@ -16,19 +17,20 @@ # boot.kernelParams = [ "nomodeset" ]; fileSystems."/" = - { device = "/dev/disk/by-label/nixos-root"; + { + device = "/dev/disk/by-label/nixos-root"; fsType = "btrfs"; options = [ "ssd" "noatime" "ssd_spread" "discard" "space_cache" ]; }; fileSystems."/boot" = - { device = "/dev/disk/by-label/BOOT"; + { + device = "/dev/disk/by-label/BOOT"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-label/SWAP"; } - ]; + [{ device = "/dev/disk/by-label/SWAP"; }]; nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "performance"; diff --git a/hosts/org/hardware-configuration.nix b/hosts/org/hardware-configuration.nix index 20d2692..6db90a9 100644 --- a/hosts/org/hardware-configuration.nix +++ b/hosts/org/hardware-configuration.nix @@ -5,7 +5,8 @@ { imports = - [ (modulesPath + "/profiles/qemu-guest.nix") + [ + (modulesPath + "/profiles/qemu-guest.nix") ]; boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "virtio_pci" "virtio_blk" ]; 
@@ -14,16 +15,18 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2"; + { + device = "/dev/disk/by-uuid/8deb32c9-ee6a-4de8-94da-239c8ec509a2"; fsType = "btrfs"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0795-75ED"; + { + device = "/dev/disk/by-uuid/0795-75ED"; fsType = "vfat"; }; swapDevices = - [ { device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; } ]; + [{ device = "/dev/disk/by-uuid/bd7c1c01-ce31-4db3-9c06-70716020e24a"; }]; } diff --git a/hosts/org/physical.nix b/hosts/org/physical.nix index f1174aa..dcb3f43 100644 --- a/hosts/org/physical.nix +++ b/hosts/org/physical.nix @@ -9,7 +9,7 @@ networking.useDHCP = false; networking.interfaces.eth0 = { - ipv4.addresses = [ { address = "129.199.129.76"; prefixLength = 24; } ]; + ipv4.addresses = [{ address = "129.199.129.76"; prefixLength = 24; }]; }; networking.defaultGateway = { address = "129.199.129.1"; interface = "eth0"; }; } diff --git a/profiles/shared-hackens/programs.nix b/profiles/shared-hackens/programs.nix index 6508c68..fc81a76 100644 --- a/profiles/shared-hackens/programs.nix +++ b/profiles/shared-hackens/programs.nix @@ -13,17 +13,20 @@ texlive.combined.scheme-full # Editors - vscodium emacs neovim + vscodium + emacs + neovim smartmontools wget - firefox ungoogled-chromium + firefox + ungoogled-chromium ripgrep fd nmap htop dnsutils - ncdu + ncdu lazygit # Networking diff --git a/profiles/shared-hackens/users.nix b/profiles/shared-hackens/users.nix index 529e041..6a1792f 100644 --- a/profiles/shared-hackens/users.nix +++ b/profiles/shared-hackens/users.nix 
@@ -12,11 +12,11 @@ in isNormalUser = true; extraGroups = [ "wheel" "dialout" "audio" "video" ]; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-rsa 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 hackens@hackens-desktop" ]; openssh.authorizedKeys.keyFiles = superadmins; - }; + }; users.users.root = { openssh.authorizedKeys.keyFiles = superadmins; diff --git a/shared/dokuwiki.nix b/shared/dokuwiki.nix index b3a4851..c999fce 100644 --- a/shared/dokuwiki.nix +++ b/shared/dokuwiki.nix @@ -18,29 +18,29 @@ stdenv.mkDerivation rec { }; preload = writeText "preload.php" '' - array( - 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), - ), - 'plainauth.users' => array( - 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), - 'protected' => "" // not used by default - ), - ); + $config_cascade = array( + 'acl' => array( + 'default' => getenv('DOKUWIKI_ACL_AUTH_CONFIG'), + ), + 'plainauth.users' => array( + 'default' => getenv('DOKUWIKI_USERS_AUTH_CONFIG'), + 'protected' => "" // not used by default + ), + ); ''; phpLocalConfig = writeText "local.php" '' - + ''; phpPluginsLocalConfig = writeText "plugins.local.php" '' - + ''; installPhase = '' 
@@ -56,26 +56,29 @@ stdenv.mkDerivation rec { ''; passthru = { - combine = { basePackage ? dokuwiki - , plugins ? [] - , templates ? [] + combine = + { basePackage ? dokuwiki + , plugins ? [ ] + , templates ? [ ] , localConfig ? null , pluginsConfig ? null , aclConfig ? null , pname ? (p: "${p.pname}-combined") - }: let - isNotEmpty = x: lib.optionalString (! builtins.elem x [ null "" ]); - in basePackage.overrideAttrs (prev: { - pname = if builtins.isFunction pname then pname prev else pname; + }: + let + isNotEmpty = x: lib.optionalString (! builtins.elem x [ null "" ]); + in + basePackage.overrideAttrs (prev: { + pname = if builtins.isFunction pname then pname prev else pname; - postInstall = prev.postInstall or "" + '' - ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} - ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} - ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } - ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } - ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } - ''; - }); + postInstall = prev.postInstall or "" + '' + ${lib.concatMapStringsSep "\n" (tpl: "cp -r ${toString tpl} $out/share/dokuwiki/lib/tpl/${tpl.name}") templates} + ${lib.concatMapStringsSep "\n" (plugin: "cp -r ${toString plugin} $out/share/dokuwiki/lib/plugins/${plugin.name}") plugins} + ${isNotEmpty localConfig "ln -sf ${localConfig} $out/share/dokuwiki/conf/local.php" } + ${isNotEmpty pluginsConfig "ln -sf ${pluginsConfig} $out/share/dokuwiki/conf/plugins.local.php" } + ${isNotEmpty aclConfig "ln -sf ${aclConfig} $out/share/dokuwiki/acl.auth.php" } + ''; + }); tests = { inherit (nixosTests) dokuwiki; }; diff --git a/shared/dokuwiki_module.nix b/shared/dokuwiki_module.nix index d4d8839..f1f6548 100644 --- a/shared/dokuwiki_module.nix 
+++ b/shared/dokuwiki_module.nix @@ -9,23 +9,25 @@ let webserver = config.services.${cfg.webserver}; mkPhpIni = generators.toKeyValue { - mkKeyValue = generators.mkKeyValueDefault {} " = "; + mkKeyValue = generators.mkKeyValueDefault { } " = "; }; mkPhpPackage = cfg: cfg.phpPackage.buildEnv { extraConfig = mkPhpIni cfg.phpOptions; }; - dokuwikiAclAuthConfig = hostName: cfg: let - inherit (cfg) acl; - acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); - in pkgs.writeText "acl.auth-${hostName}.php" '' - # acl.auth.php - # - # - # Access Control Lists - # - ${if isString acl then acl else acl_gen acl} - ''; + dokuwikiAclAuthConfig = hostName: cfg: + let + inherit (cfg) acl; + acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); + in + pkgs.writeText "acl.auth-${hostName}.php" '' + # acl.auth.php + # + # + # Access Control Lists + # + ${if isString acl then acl else acl_gen acl} + ''; mergeConfig = cfg: { useacl = false; # Dokuwiki default @@ -38,9 +40,10 @@ let checkPhase = "${pkgs.php81}/bin/php --syntax-check $target"; }; - mkPhpValue = v: let - isHasAttr = s: isAttrs v && hasAttr s v; - in + mkPhpValue = v: + let + isHasAttr = s: isAttrs v && hasAttr s v; + in if isString v then escapeShellArg v # NOTE: If any value contains a , (comma) this will not get escaped else if isList v && any lib.strings.isCoercibleToString v then escapeShellArg (concatMapStringsSep "," toString v) 
@@ -52,26 +55,33 @@ let ; mkPhpAttrVals = v: flatten (mapAttrsToList mkPhpKeyVal v); - mkPhpKeyVal = k: v: let - values = if (isAttrs v && (hasAttr "_file" v || hasAttr "_raw" v )) || !isAttrs v then - [" = ${mkPhpValue v};"] - else - mkPhpAttrVals v; - in map (e: "[${escapeShellArg k}]${e}") (flatten values); + mkPhpKeyVal = k: v: + let + values = + if (isAttrs v && (hasAttr "_file" v || hasAttr "_raw" v)) || !isAttrs v then + [ " = ${mkPhpValue v};" ] + else + mkPhpAttrVals v; + in + map (e: "[${escapeShellArg k}]${e}") (flatten values); - dokuwikiLocalConfig = hostName: cfg: let - conf_gen = c: map (v: "$conf${v}") (mkPhpAttrVals c); - in writePhpFile "local-${hostName}.php" '' - ${concatStringsSep "\n" (conf_gen cfg.mergedConfig)} - ${toString cfg.extraConfig} - ''; + dokuwikiLocalConfig = hostName: cfg: + let + conf_gen = c: map (v: "$conf${v}") (mkPhpAttrVals c); + in + writePhpFile "local-${hostName}.php" '' + ${concatStringsSep "\n" (conf_gen cfg.mergedConfig)} + ${toString cfg.extraConfig} + ''; - dokuwikiPluginsLocalConfig = hostName: cfg: let - pc = cfg.pluginsConfig; - pc_gen = pc: concatStringsSep "\n" (mapAttrsToList (n: v: "$plugins['${n}'] = ${boolToString v};") pc); - in writePhpFile "plugins.local-${hostName}.php" '' - ${if isString pc then pc else pc_gen pc} - ''; + dokuwikiPluginsLocalConfig = hostName: cfg: + let + pc = cfg.pluginsConfig; + pc_gen = pc: concatStringsSep "\n" (mapAttrsToList (n: v: "$plugins['${n}'] = ${boolToString v};") pc); + in + writePhpFile "plugins.local-${hostName}.php" '' + ${if isString pc then pc else pc_gen pc} + ''; pkg = hostName: cfg: cfg.package.combine { 
@@ -82,7 +92,7 @@ let basePackage = cfg.package; localConfig = dokuwikiLocalConfig hostName cfg; pluginsConfig = dokuwikiPluginsLocalConfig hostName cfg; - aclConfig = let a = if cfg.aclUse && cfg.acl != null then dokuwikiAclAuthConfig hostName cfg else null; in builtins.trace a a; + aclConfig = let a = if cfg.aclUse && cfg.acl != null then dokuwikiAclAuthConfig hostName cfg else null; in builtins.trace a a; }; aclOpts = { ... }: { @@ -100,24 +110,26 @@ let example = "@external"; }; - level = let - available = { - "none" = 0; - "read" = 1; - "edit" = 2; - "create" = 4; - "upload" = 8; - "delete" = 16; + level = + let + available = { + "none" = 0; + "read" = 1; + "edit" = 2; + "create" = 4; + "upload" = 8; + "delete" = 16; + }; + in + mkOption { + type = types.enum ((attrValues available) ++ (attrNames available)); + apply = x: if isInt x then x else available.${x}; + description = '' + Permission level to restrict the actor(s) to. + See for explanation + ''; + example = "read"; }; - in mkOption { - type = types.enum ((attrValues available) ++ (attrNames available)); - apply = x: if isInt x then x else available.${x}; - description = '' - Permission level to restrict the actor(s) to. - See for explanation - ''; - example = "read"; - }; }; }; 
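Review bot: `aclConfig` in the reformatted `pkg` attribute still wraps its value in `builtins.trace a a`, which reads like a leftover debug probe: it prints the generated ACL file's store path (or `null`) on every evaluation and contributes nothing to the result. The same line gates on `cfg.aclUse`, while the `assertions` and `phpEnv` blocks later in this file read `cfg.mergedConfig.useacl`, and `aclUse` is declared renamed to `settings.useacl` via `mkRenamedOptionModule` below; if the alias and the merged settings can disagree, the package's ACL file and the `DOKUWIKI_ACL_AUTH_CONFIG` environment could end up inconsistent. Dropping the trace and reading the same source as the rest of the module, `aclConfig = if cfg.mergedConfig.useacl && cfg.acl != null then dokuwikiAclAuthConfig hostName cfg else null;`, avoids both. The `pkg` definition begins outside this hunk.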
@@ -126,10 +138,10 @@ let { imports = [ # NOTE: These will sadly not print the absolute argument path but only the name. Related to #96006 - (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ] ) - (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ] ) - (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ] ) - ({ config, options, name, ...}: { + (mkRenamedOptionModule [ "aclUse" ] [ "settings" "useacl" ]) + (mkRenamedOptionModule [ "superUser" ] [ "settings" "superuser" ]) + (mkRenamedOptionModule [ "disableActions" ] [ "settings" "disableactions" ]) + ({ config, options, name, ... }: { config.warnings = (optional (isString config.pluginsConfig) '' Passing plain strings to services.dokuwiki.sites.${name}.pluginsConfig has been deprecated and will not be continue to be supported in the future. @@ -203,7 +215,7 @@ let }; pluginsConfig = mkOption { - type = with types; oneOf [lines (attrsOf bool)]; + type = with types; oneOf [ lines (attrsOf bool) ]; default = { authad = false; authldap = false; 
@@ -228,62 +240,62 @@ let mkpasswd -5 password `pwgen 8 1` Example: - ''; + ''; example = "/var/lib/dokuwiki/${name}/users.auth.php"; }; plugins = mkOption { type = types.listOf types.path; - default = []; + default = [ ]; description = lib.mdDoc '' - List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. + List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. - ::: {.note} - These plugins need to be packaged before use, see example. - ::: + ::: {.note} + These plugins need to be packaged before use, see example. + ::: ''; example = literalExpression '' - let - plugin-icalevents = pkgs.stdenv.mkDerivation rec { - name = "icalevents"; - version = "2017-06-16"; - src = pkgs.fetchzip { - stripRoot = false; - url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; - hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the plugin list like this: - in [ plugin-icalevents ] + let + plugin-icalevents = pkgs.stdenv.mkDerivation rec { + name = "icalevents"; + version = "2017-06-16"; + src = pkgs.fetchzip { + stripRoot = false; + url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; + hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the plugin list like this: + in [ plugin-icalevents ] ''; }; templates = mkOption { type = types.listOf types.path; - default = []; + default = [ ]; description = lib.mdDoc '' - List of path(s) to respective template(s) which are copied from the 'tpl' directory. + List of path(s) to respective template(s) which are copied from the 'tpl' directory. 
- ::: {.note} - These templates need to be packaged before use, see example. - ::: + ::: {.note} + These templates need to be packaged before use, see example. + ::: ''; example = literalExpression '' - let - template-bootstrap3 = pkgs.stdenv.mkDerivation rec { - name = "bootstrap3"; - version = "2022-07-27"; - src = pkgs.fetchFromGitHub { - owner = "giterlizzi"; - repo = "dokuwiki-template-bootstrap3"; - rev = "v''${version}"; - hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; - }; - installPhase = "mkdir -p $out; cp -R * $out/"; - }; - # And then pass this theme to the template list like this: - in [ template-bootstrap3 ] + let + template-bootstrap3 = pkgs.stdenv.mkDerivation rec { + name = "bootstrap3"; + version = "2022-07-27"; + src = pkgs.fetchFromGitHub { + owner = "giterlizzi"; + repo = "dokuwiki-template-bootstrap3"; + rev = "v''${version}"; + hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; + }; + installPhase = "mkdir -p $out; cp -R * $out/"; + }; + # And then pass this theme to the template list like this: + in [ template-bootstrap3 ] ''; }; @@ -315,18 +327,18 @@ let phpOptions = mkOption { type = types.attrsOf types.str; - default = {}; + default = { }; description = lib.mdDoc '' Options for PHP's php.ini file for this dokuwiki site. ''; example = literalExpression '' - { - "opcache.interned_strings_buffer" = "8"; - "opcache.max_accelerated_files" = "10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "15"; - "opcache.fast_shutdown" = "1"; - } + { + "opcache.interned_strings_buffer" = "8"; + "opcache.max_accelerated_files" = "10000"; + "opcache.memory_consumption" = "128"; + "opcache.revalidate_freq" = "15"; + "opcache.fast_shutdown" = "1"; + } ''; }; 
@@ -390,18 +402,18 @@ let ''; }; - # Required for the mkRenamedOptionModule - # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed - # or the aclUse, ... options are removed. - warnings = mkOption { - type = types.listOf types.unspecified; - default = [ ]; - visible = false; - internal = true; - }; + # Required for the mkRenamedOptionModule + # TODO: Remove me once https://github.com/NixOS/nixpkgs/issues/96006 is fixed + # or the aclUse, ... options are removed. + warnings = mkOption { + type = types.listOf types.unspecified; + default = [ ]; + visible = false; + internal = true; + }; + }; }; - }; in { options = { @@ -409,7 +421,7 @@ in sites = mkOption { type = types.attrsOf (types.submodule siteOpts); - default = {}; + default = { }; description = lib.mdDoc "Specification of one or more DokuWiki sites to serve"; }; 
@@ -431,159 +443,167 @@ in }; # implementation - config = mkIf (eachSite != {}) (mkMerge [{ + config = mkIf (eachSite != { }) (mkMerge [{ warnings = flatten (mapAttrsToList (_: cfg: cfg.warnings) eachSite); - assertions = flatten (mapAttrsToList (hostName: cfg: - [{ - assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); - message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; - } - { - assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; - message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; - } - ]) eachSite); - - services.phpfpm.pools = mapAttrs' (hostName: cfg: ( - nameValuePair "dokuwiki-${hostName}" { - inherit user; - group = webserver.group; - - phpPackage = mkPhpPackage cfg; - phpEnv = optionalAttrs (cfg.usersFile != null) { - DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; - } // optionalAttrs (cfg.mergedConfig.useacl) { - DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; - }; - - settings = { - "listen.owner" = webserver.user; - "listen.group" = webserver.group; - } // cfg.poolConfig; - } - )) eachSite; - - } - - { - systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ - "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" - "d ${cfg.stateDir}/pages 0750 
${user} ${webserver.group} - -" - "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" - ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" - ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" - ) eachSite); - - users.users.${user} = { - group = webserver.group; - isSystemUser = true; - }; - } - - (mkIf (cfg.webserver == "nginx") { - services.nginx = { - enable = true; - virtualHosts = mapAttrs (hostName: cfg: { - serverName = mkDefault hostName; - root = "${pkg hostName cfg}/share/dokuwiki"; - - locations = { - "~ /(conf/|bin/|inc/|install.php)" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - root = "${cfg.stateDir}"; - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 365d;"; - }; - - "/" = { - priority = 1; - index = "doku.php"; - extraConfig = ''try_files $uri $uri/ @dokuwiki;''; - }; - - "@dokuwiki" = { - extraConfig = '' - # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; - ''; - }; - - }; - }) eachSite; - }; - }) - - (mkIf (cfg.webserver == "caddy") { - services.caddy = { - enable = true; - virtualHosts = mapAttrs' (hostName: cfg: ( - nameValuePair 
"http://${hostName}" { - extraConfig = '' - root * ${pkg hostName cfg}/share/dokuwiki - file_server - - encode zstd gzip - php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} - - @restrict_files { - path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php - } - - respond @restrict_files 404 - - @allow_media { - path_regexp path ^/_media/(.*)$ - } - rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} - - @allow_detail { - path /_detail* - } - rewrite @allow_detail /lib/exe/detail.php?media={path} - - @allow_export { - path /_export* - path_regexp export /([^/]+)/(.*) - } - rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} - - try_files {path} {path}/ /doku.php?id={path}&{query} - ''; + assertions = flatten (mapAttrsToList + (hostName: cfg: + [{ + assertion = cfg.mergedConfig.useacl -> (cfg.acl != null || cfg.aclFile != null); + message = "Either services.dokuwiki.sites.${hostName}.acl or services.dokuwiki.sites.${hostName}.aclFile is mandatory if settings.useacl is true"; } - )) eachSite; - }; - }) + { + assertion = cfg.usersFile != null -> cfg.mergedConfig.useacl != false; + message = "services.dokuwiki.sites.${hostName}.settings.useacl must must be true if usersFile is not null"; + }]) + eachSite); - ]); + services.phpfpm.pools = mapAttrs' + (hostName: cfg: ( + nameValuePair "dokuwiki-${hostName}" { + inherit user; + group = webserver.group; + + phpPackage = mkPhpPackage cfg; + phpEnv = optionalAttrs (cfg.usersFile != null) + { + DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; + } // optionalAttrs (cfg.mergedConfig.useacl) { + DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; + }; + + settings = { + "listen.owner" = webserver.user; + "listen.group" = webserver.group; + } // cfg.poolConfig; + } + )) + eachSite; + + } + + { + systemd.tmpfiles.rules = flatten (mapAttrsToList + (hostName: cfg: [ + "d 
${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" + "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" + ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" + ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" + ) + eachSite); + + users.users.${user} = { + group = webserver.group; + isSystemUser = true; + }; + } + + (mkIf (cfg.webserver == "nginx") { + services.nginx = { + enable = true; + virtualHosts = mapAttrs + (hostName: cfg: { + serverName = mkDefault hostName; + root = "${pkg hostName cfg}/share/dokuwiki"; + + locations = { + "~ /(conf/|bin/|inc/|install.php)" = { + extraConfig = "deny all;"; + }; + + "~ ^/data/" = { + root = "${cfg.stateDir}"; + extraConfig = "internal;"; + }; + + "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 365d;"; + }; + + "/" = { + priority = 1; + index = "doku.php"; + extraConfig = ''try_files $uri $uri/ @dokuwiki;''; + }; + + "@dokuwiki" = { + extraConfig = '' + # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) 
/doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + ''; + }; + + "~ \\.php$" = { + extraConfig = '' + try_files $uri $uri/ /doku.php; + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; + ''; + }; + + }; + }) + eachSite; + }; + }) + + (mkIf (cfg.webserver == "caddy") { + services.caddy = { + enable = true; + virtualHosts = mapAttrs' + (hostName: cfg: ( + nameValuePair "http://${hostName}" { + extraConfig = '' + root * ${pkg hostName cfg}/share/dokuwiki + file_server + + encode zstd gzip + php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} + + @restrict_files { + path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php + } + + respond @restrict_files 404 + + @allow_media { + path_regexp path ^/_media/(.*)$ + } + rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} + + @allow_detail { + path /_detail* + } + rewrite @allow_detail /lib/exe/detail.php?media={path} + + @allow_export { + path /_export* + path_regexp export /([^/]+)/(.*) + } + rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} + + try_files {path} {path}/ /doku.php?id={path}&{query} + ''; + } + )) + eachSite; + }; + })]); meta.maintainers = with maintainers; [ _1000101
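Review bot: The nginx `deny all` location `~ /(conf/|bin/|inc/|install.php)` does not list `/vendor/`, while the Caddy `@restrict_files` matcher in the same hunk blocks `/data/* /conf/* /bin/* /inc/* /vendor/* /install.php`; unless something outside this hunk covers it, a `.php` path under `/vendor/` on the nginx side falls through to the `~ \\.php$` fastcgi location instead of being refused. Aligning the two lists, `"~ /(conf/|bin/|inc/|vendor/|install.php)" = {`, closes that gap. Relatedly, only `/` sets `priority`, so the relative emission order of the `deny all` and `internal` regex locations versus `~ \\.php$` rests on the nginx module's default ordering rather than on anything visible here, and nginx takes the first matching regex; pinning a low `priority` on the two restrictive blocks makes the protection independent of that ordering. Also, `"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$"` uses a single backslash where the PHP location uses `\\.`; in a Nix double-quoted string that presumably reaches nginx as a bare `.`, which is harmless for a block that only sets `expires` but is worth writing as `\\.` for consistency.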