nixfmt; better phpfpm settings; working systemd unit

This commit is contained in:
sinavir 2022-12-13 21:53:13 +01:00
parent cdfc2b380e
commit 5000b09caa
2 changed files with 24 additions and 32 deletions


@ -3,8 +3,7 @@ let
cfg = config.services.lychee; cfg = config.services.lychee;
src = cfg.package; src = cfg.package;
envConf = cfg.settings; envConf = cfg.settings;
in in {
{
options.services.lychee = { options.services.lychee = {
enable = lib.mkEnableOption "Whether to enable lychee"; enable = lib.mkEnableOption "Whether to enable lychee";
website = lib.mkOption { website = lib.mkOption {
@ -12,9 +11,7 @@ in
default = "localhost"; default = "localhost";
example = "www.example.com"; example = "www.example.com";
}; };
package = lib.mkOption { package = lib.mkOption { type = lib.types.path; };
type = lib.types.path;
};
forceSSL = lib.mkOption { forceSSL = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = false; default = false;
@ -41,7 +38,7 @@ in
description = "The user that will operate on mutable files"; description = "The user that will operate on mutable files";
}; };
settings = lib.mkOption { settings = lib.mkOption {
default = {}; default = { };
type = lib.types.submodule { type = lib.types.submodule {
freeformType = with lib.types; attrsOf str; freeformType = with lib.types; attrsOf str;
options = { options = {
@ -55,7 +52,7 @@ in
}; };
DB_LOG_SQL = lib.mkOption { DB_LOG_SQL = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "\"false\""; default = ''"false"'';
}; };
CACHE_DRIVER = lib.mkOption { CACHE_DRIVER = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -71,15 +68,15 @@ in
}; };
SECURITY_HEADER_HSTS_ENABLE = lib.mkOption { SECURITY_HEADER_HSTS_ENABLE = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "\"false\""; default = ''"false"'';
}; };
SESSION_SECURE_COOKIE = lib.mkOption { SESSION_SECURE_COOKIE = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "\"false\""; default = ''"false"'';
}; };
REDIS_PASSWORD = lib.mkOption { REDIS_PASSWORD = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "\"null\""; default = ''"null"'';
}; };
REDIS_PORT = lib.mkOption { REDIS_PORT = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@ -107,14 +104,16 @@ in
}; };
extraConfig = '' extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:${config.services.phpfpm.pools."${cfg.website}".socket}; fastcgi_pass unix:${
config.services.phpfpm.pools."${cfg.website}".socket
};
fastcgi_index index.php; fastcgi_index index.php;
client_max_body_size ${builtins.toString cfg.upload_max_filesize}M; client_max_body_size ${
builtins.toString cfg.upload_max_filesize
}M;
''; '';
}; };
"~ [^/]\.php(/|$)" = { "~ [^/].php(/|$)" = { return = "403"; };
return = "403";
};
}; };
extraConfig = '' extraConfig = ''
index index.php; index index.php;
@ -128,7 +127,9 @@ in
}; };
systemd.services."lychee-install" = { systemd.services."lychee-install" = {
wantedBy = [ "phpfpm-${cfg.website}.service" ]; wantedBy = [ "phpfpm-${cfg.website}.service" ];
script = let rsync = pkgs.rsync; in '' before = [ "phpfpm-${cfg.website}.service" ];
script = let rsync = pkgs.rsync;
in ''
${rsync}/bin/rsync -a --ignore-existing ${src}/ $STATE_DIRECTORY ${rsync}/bin/rsync -a --ignore-existing ${src}/ $STATE_DIRECTORY
chmod u+w $STATE_DIRECTORY/ chmod u+w $STATE_DIRECTORY/
chmod u+w $STATE_DIRECTORY/.env chmod u+w $STATE_DIRECTORY/.env
@ -163,24 +164,16 @@ in
services.phpfpm.pools.${cfg.website} = { services.phpfpm.pools.${cfg.website} = {
user = cfg.user; user = cfg.user;
phpPackage = pkgs.php81.withExtensions ({ enabled, all }: phpPackage = pkgs.php81.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick all.bcmath all.mbstring all.gd]); enabled ++ [ all.imagick all.bcmath all.mbstring all.gd ]);
phpOptions = '' phpOptions = ''
upload_max_filesize = ${builtins.toString cfg.upload_max_filesize}M upload_max_filesize = ${builtins.toString cfg.upload_max_filesize}M
post_max_size = ${builtins.toString cfg.post_max_size}M post_max_size = ${builtins.toString cfg.post_max_size}M
''; '';
settings = { settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
"listen.owner" = config.services.nginx.user; "listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group; "listen.group" = config.services.nginx.group;
}; };
phpEnv = { phpEnv = { "PATH" = lib.makeBinPath [ pkgs.ffmpeg ]; } // envConf;
"PATH" = lib.makeBinPath [ pkgs.ffmpeg ];
} // envConf;
}; };
users.users.${cfg.user} = { users.users.${cfg.user} = {
isSystemUser = lib.mkDefault true; isSystemUser = lib.mkDefault true;
@ -188,7 +181,6 @@ in
group = lib.mkDefault cfg.user; group = lib.mkDefault cfg.user;
}; };
users.groups.${cfg.user} = { }; users.groups.${cfg.user} = { };
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }
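Review bot: The pool in the last hunk (`services.phpfpm.pools.${cfg.website}`) is left with no `pm` directive once the six `pm*` lines are removed, and php-fpm treats a missing process manager as a fatal pool configuration error unless the NixOS phpfpm module or another part of this configuration supplies one. If the intent is to let users tune it, keep a conservative overridable default, e.g. `"pm" = lib.mkDefault "ondemand"; "pm.max_children" = lib.mkDefault 20;`, so the unit the test now waits for can actually start. Separately, in the nginx hunk the deny location is now written `"~ [^/].php(/|$)"`; in a Nix double-quoted string the old `\.` already collapsed to a bare `.`, so both versions match any character before `php` rather than a literal dot, and `"~ [^/]\\.php(/|$)"` is what expresses the intent. That rule only denies requests the PHP-handling location before it does not claim first, and that location's key starts outside the hunk, so the ordering is worth confirming.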


@ -1,4 +1,4 @@
{ pkgs ? import <nixpkgs> {}, myPkgs ? import ../.. {}}: { pkgs ? import <nixpkgs> { }, myPkgs ? import ../.. { } }:
pkgs.nixosTest ({ pkgs.nixosTest ({
# NixOS tests are run inside a virtual machine, and here we specify system of the machine. # NixOS tests are run inside a virtual machine, and here we specify system of the machine.
nodes = { nodes = {
@ -26,6 +26,6 @@ pkgs.nixosTest ({
}; };
testScript = '' testScript = ''
start_all() start_all()
server.wait_for_unit("default.target") server.wait_for_unit("phpfpm-localhost.service")
''; '';
}) })
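Review bot: Waiting on `phpfpm-localhost.service` only proves the pool started; it does not exercise the nginx virtual host or the FastCGI hand-off the module configures, so a wrong `fastcgi_pass` socket path or a mis-ordered location would still let the test pass. Consider adding `server.wait_for_unit("nginx.service")` and a request such as `server.succeed("curl -fsS http://localhost/")` (or at least `server.wait_for_open_port(80)`) so the test fails when the site does not answer. The unit name is also hard-coded to the `localhost` default of `services.lychee.website`, which holds only as long as the test node keeps that default.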