From cdfc2b380e254ce073c13b4a274166e8dcaf5f27 Mon Sep 17 00:00:00 2001 From: sinavir Date: Tue, 13 Dec 2022 21:25:44 +0100 Subject: [PATCH] lychee module improvment --- modules/default.nix | 2 +- .../{lychee.nix => lychee/default.nix} | 145 +++++------------- modules/web-apps/lychee/test.nix | 31 ++++ 3 files changed, 72 insertions(+), 106 deletions(-) rename modules/web-apps/{lychee.nix => lychee/default.nix} (50%) create mode 100644 modules/web-apps/lychee/test.nix diff --git a/modules/default.nix b/modules/default.nix index c2e7b57..2c5da97 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,5 +3,5 @@ drone-server = ./servers/drone.nix; drone-exec-runner = ./servers/drone-exec-runner.nix; wordpress = ./web-apps/wordpress; - lychee = ./web-apps/lychee.nix; + lychee = ./web-apps/lychee; } diff --git a/modules/web-apps/lychee.nix b/modules/web-apps/lychee/default.nix similarity index 50% rename from modules/web-apps/lychee.nix rename to modules/web-apps/lychee/default.nix index da7a24a..1387f34 100644 --- a/modules/web-apps/lychee.nix +++ b/modules/web-apps/lychee/default.nix @@ -17,12 +17,12 @@ in }; forceSSL = lib.mkOption { type = lib.types.bool; - default = true; + default = false; description = "Whether to force SSL for the nginx virtual host"; }; enableACME = lib.mkOption { type = lib.types.bool; - default = true; + default = false; description = "Whether to enableACME for the nginx virtual host"; }; upload_max_filesize = lib.mkOption { 
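Review bot: The `default = false;` lines for `forceSSL` and `enableACME` in this hunk turn a secure-by-default vhost into a plain-HTTP one: a user who only sets `services.lychee.enable = true` now gets the Lychee login form and session cookies over unencrypted HTTP, where the previous `true` defaults required an explicit opt-out. The commit message does not say why the defaults were weakened, and the new VM test sets both back to `true`, so the flip does not appear to be needed for testing. Keep `default = true;` for both; if an HTTP-only deployment is a supported case, spell the consequence out in the option text, e.g. `description = "Whether to force SSL for the nginx virtual host; leaving this off serves the Lychee login over plain HTTP.";`.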
@@ -40,38 +40,14 @@ in default = "lychee"; description = "The user that will operate on mutable files"; }; - stateDirectory = lib.mkOption { - type = lib.types.path; - default = "/var/lib/lychee"; - }; settings = lib.mkOption { default = {}; type = lib.types.submodule { freeformType = with lib.types; attrsOf str; options = { - DB_DATABASE= lib.mkOption { - type = lib.types.str; - default = "${cfg.stateDirectory}/db.sqlite"; - }; - APP_NAME= lib.mkOption { - type = lib.types.str; - default = "Lychee"; - }; - APP_ENV = lib.mkOption { - type = lib.types.str; - default = "production"; - }; - APP_DEBUG = lib.mkOption { - type = lib.types.str; - default = "\"false\""; - }; APP_URL = lib.mkOption { type = lib.types.str; - default = "https://${cfg.website}"; - }; - DEBUGBAR_ENABLED = lib.mkOption { - type = lib.types.str; - default = "\"false\""; + default = "http://${cfg.website}"; }; DB_CONNECTION = lib.mkOption { type = lib.types.str; @@ -81,10 +57,6 @@ in type = lib.types.str; default = "\"false\""; }; - LYCHEE_UPLOADS = lib.mkOption { - type = lib.types.path; - default = "${cfg.stateDirectory}/www/public/uploads"; - }; CACHE_DRIVER = lib.mkOption { type = lib.types.str; default = "file"; @@ -117,28 +89,15 @@ in type = lib.types.str; default = "smtp"; }; - TRUSTED_PROXIES = lib.mkOption { - type = lib.types.str; - default = "\"null\""; - }; }; }; }; }; - config = let srcDirsToBindMount = [ - "app" - "bootstrap" - "config" - "resources" - "routes" - "scripts" - "vendor" - ]; - in lib.mkIf cfg.enable { + config = lib.mkIf cfg.enable { services.nginx = { enable = true; virtualHosts.${cfg.website} = { - root = cfg.stateDirectory + "/www/public/"; + root = "/var/lib/lychee/public/"; forceSSL = lib.mkDefault cfg.forceSSL; enableACME = lib.mkDefault cfg.enableACME; locations = { @@ -156,9 +115,6 @@ in "~ [^/]\.php(/|$)" = { return = "403"; }; - "/uploads/" = { - alias = cfg.settings.LYCHEE_UPLOADS; - }; }; extraConfig = '' index index.php; 
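Review bot: Removing the `APP_ENV`, `APP_DEBUG` and `DEBUGBAR_ENABLED` options drops the module's only guarantee that Laravel runs with debug mode off; what the deployed instance now gets comes from the `.env` copied out of `${src}` (the install script in a later hunk makes `$STATE_DIRECTORY/.env` writable, so such a file is expected), which is not visible in this patch and should be checked. Laravel's debug page and the debugbar disclose stack traces, source excerpts and environment values, so these are worth keeping as explicit module defaults even if the packaged `.env` already sets them; users can still override them through the freeform `attrsOf str` type. The `APP_URL` default also changed to `http://`, which no longer matches a deployment with `forceSSL = true`; deriving it from the option avoids the mismatch: `default = "${if cfg.forceSSL then "https" else "http"}://${cfg.website}";`.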
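Review bot: `root = "/var/lib/lychee/public/";` hard-codes a path that the `lychee-install` service in a later hunk of this commit derives from `StateDirectory = "lychee"`; nothing ties the two together, so if either side is renamed nginx silently serves an empty directory. A single binding keeps them in step, e.g. `config = let stateDir = "/var/lib/lychee"; in lib.mkIf cfg.enable {` and `root = "${stateDir}/public/";`, with the service using the same name. This is a style point only; the value is correct for the `StateDirectory` chosen here.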
@@ -170,61 +126,40 @@ in ''; }; }; - systemd.tmpfiles.rules = let srcDirToTmpFile = dir: "d ${cfg.stateDirectory}/www/${dir} 0750 ${cfg.user} ${config.services.nginx.group}"; - in [ - "d ${cfg.stateDirectory} 0750 ${cfg.user} ${config.services.nginx.group}" - "d ${cfg.stateDirectory}/www 0750 ${cfg.user} ${config.services.nginx.group}" - "C ${cfg.stateDirectory}/public - ${cfg.user} ${config.services.nginx.group} - ${src}/public" - "Z ${cfg.stateDirectory}/public 0750 ${cfg.user} ${config.services.nginx.group} - -" - "C ${cfg.stateDirectory}/database - ${cfg.user} ${config.services.nginx.group} - ${src}/database" - "Z ${cfg.stateDirectory}/database 0750 ${cfg.user} ${config.services.nginx.group} - -" - "C ${cfg.stateDirectory}/bootstrap-cache - ${cfg.user} ${config.services.nginx.group} - ${src}/bootstrap/cache" - "Z ${cfg.stateDirectory}/bootstrap-cache 0750 ${cfg.user} ${config.services.nginx.group} - -" - "C ${cfg.stateDirectory}/storage - ${cfg.user} ${config.services.nginx.group} - ${src}/storage" - "Z ${cfg.stateDirectory}/storage 0750 ${cfg.user} ${config.services.nginx.group} - -" - "C ${cfg.settings.LYCHEE_UPLOADS} - ${cfg.user} ${config.services.nginx.group} - ${src}/public/uploads" - "Z ${cfg.settings.LYCHEE_UPLOADS} 0750 ${cfg.user} ${config.services.nginx.group} - -" - "f ${cfg.settings.DB_DATABASE} 0750 ${cfg.user} ${cfg.user}" - "L ${cfg.stateDirectory}/www/artisan - - - - ${src}/artisan" - "L ${cfg.stateDirectory}/www/composer.json - - - - ${src}/composer.json" - "L ${cfg.stateDirectory}/www/composer.lock - - - - ${src}/composer.lock" - "L ${cfg.stateDirectory}/www/version.md - - - - ${src}/version.md" - "L ${cfg.stateDirectory}/www/simple_error_template.html - - - - ${src}/simple_error_template.html" - ] ++ (builtins.map srcDirToTmpFile srcDirsToBindMount); - systemd.mounts = let sourceDirToSystemdMount = dir: { - before = [ "phpfpm-${cfg.website}.service" ]; + systemd.services."lychee-install" = { wantedBy = [ "phpfpm-${cfg.website}.service" ]; - 
what = "${src}/${dir}"; - where = cfg.stateDirectory + "/www/${dir}"; - options = "bind"; + script = let rsync = pkgs.rsync; in '' + ${rsync}/bin/rsync -a --ignore-existing ${src}/ $STATE_DIRECTORY + chmod u+w $STATE_DIRECTORY/ + chmod u+w $STATE_DIRECTORY/.env + chmod u+w $STATE_DIRECTORY/database/ + chmod u+w $STATE_DIRECTORY/database/database.sqlite + chmod -R u+w $STATE_DIRECTORY/storage/ + chmod -R u+w $STATE_DIRECTORY/public/ + chmod -R u+w $STATE_DIRECTORY/bootstrap/cache/ + ''; + serviceConfig = { + Type = "oneshot"; + StateDirectory = "lychee"; + User = cfg.user; + Restart = "on-failure"; + ProtectHome = true; + ProtectSystem = "strict"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + NoNewPrivileges = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + }; }; - in [{ - before = [ "phpfpm-${cfg.website}.service" ]; - wantedBy = [ "phpfpm-${cfg.website}.service" ]; - what = cfg.stateDirectory + "/storage"; - where = cfg.stateDirectory + "/www/storage"; - options = "bind"; - }] ++ (builtins.map sourceDirToSystemdMount srcDirsToBindMount) ++ [{ - before = [ "phpfpm-${cfg.website}.service" ]; - wantedBy = [ "phpfpm-${cfg.website}.service" ]; - what = cfg.stateDirectory + "/bootstrap-cache"; - where = cfg.stateDirectory + "/www/bootstrap/cache"; - options = "bind"; - } - { - before = [ "phpfpm-${cfg.website}.service" ]; - wantedBy = [ "phpfpm-${cfg.website}.service" ]; - what = cfg.stateDirectory + "/database"; - where = cfg.stateDirectory + "/www/database"; - options = "bind"; - } - { - before = [ "phpfpm-${cfg.website}.service" ]; - wantedBy = [ "phpfpm-${cfg.website}.service" ]; - what = cfg.stateDirectory + "/public"; - where = cfg.stateDirectory + "/www/public"; - options = "bind"; - }]; services.phpfpm.pools.${cfg.website} = { user = 
cfg.user; phpPackage = pkgs.php81.withExtensions ({ enabled, all }: @@ -248,9 +183,9 @@ in } // envConf; }; users.users.${cfg.user} = { - isSystemUser = true; - home = src; - group = cfg.user; + isSystemUser = lib.mkDefault true; + home = lib.mkDefault src; + group = lib.mkDefault cfg.user; }; users.groups.${cfg.user} = { }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/modules/web-apps/lychee/test.nix b/modules/web-apps/lychee/test.nix new file mode 100644 index 0000000..9ab0608 --- /dev/null +++ b/modules/web-apps/lychee/test.nix @@ -0,0 +1,31 @@ +{ pkgs ? import {}, myPkgs ? import ../.. {}}: +pkgs.nixosTest ({ + # NixOS tests are run inside a virtual machine, and here we specify system of the machine. + nodes = { + server = { config, pkgs, ... }: { + imports = [ myPkgs.modules.lychee ]; + + security.acme.acceptTerms = true; + security.acme.defaults.email = "test@test.fr"; + services.lychee = { + enable = true; + package = myPkgs.lychee-gallery; + forceSSL = true; + enableACME = true; + }; + environment.systemPackages = [ pkgs.w3m ]; + + users = { + mutableUsers = false; + users = { + # For ease of debugging the VM as the `root` user + root.password = ""; + }; + }; + }; + }; + testScript = '' + start_all() + server.wait_for_unit("default.target") + ''; +})
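Review bot: `rsync -a --ignore-existing ${src}/ $STATE_DIRECTORY` in the new `lychee-install` script copies the application only while files are missing, so after the first run a newer `${src}` — a Lychee release or a patched `vendor/` — is never synced and the deployed code silently stops tracking the package, whereas the bind mounts this hunk removes always exposed the current store path. The service also lost the `before = [ "phpfpm-${cfg.website}.service" ]` ordering the mounts carried; `wantedBy` alone only pulls the unit in, so on first boot PHP-FPM can start against a directory that is still being populated, and `requiredBy` is the better relation so a failed install does not leave PHP-FPM serving a half-copied tree. `chmod -R u+w $STATE_DIRECTORY/public/` additionally makes the whole web root, `index.php` included, writable by `cfg.user`, the same user PHP-FPM runs as, so any code-execution bug in the app can persist itself into served files; the old module only made the uploads directory writable. The rewrite below refreshes the read-only tree on every start with the mutable paths excluded and seeds those once; which directories under `public/` Lychee writes at runtime (e.g. `public/sym`) is not visible here and should be confirmed before narrowing the chmod.
```nix
systemd.services."lychee-install" = {
  # Order before PHP-FPM and make it a hard dependency: a half-populated
  # state directory must never be served.
  before = [ "phpfpm-${cfg.website}.service" ];
  requiredBy = [ "phpfpm-${cfg.website}.service" ];
  script = let rsync = pkgs.rsync; in ''
    # Refresh the read-only application tree on every start so package
    # upgrades (including vendor/) reach the deployed copy. Mutable paths
    # are excluded here, so they are neither overwritten nor deleted.
    ${rsync}/bin/rsync -a --delete \
      --exclude /.env --exclude /storage/ --exclude /bootstrap/cache/ \
      --exclude /public/uploads/ --exclude /database/database.sqlite \
      ${src}/ $STATE_DIRECTORY/
    # Seed the mutable paths on first run only.
    ${rsync}/bin/rsync -a --ignore-existing ${src}/ $STATE_DIRECTORY/
    chmod u+w $STATE_DIRECTORY/ $STATE_DIRECTORY/.env
    chmod u+w $STATE_DIRECTORY/database/ $STATE_DIRECTORY/database/database.sqlite
    # Only what Lychee writes at runtime is writable; the rest of public/
    # (index.php, assets) stays read-only for the PHP-FPM user.
    chmod -R u+w $STATE_DIRECTORY/storage/ $STATE_DIRECTORY/bootstrap/cache/ $STATE_DIRECTORY/public/uploads/
  '';
  # … unchanged: serviceConfig (oneshot, StateDirectory, sandboxing) …
};
```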
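Review bot: `server.wait_for_unit("default.target")` is the only check in `testScript`, so the test passes even if `lychee-install` fails or nginx serves nothing; it proves the module evaluates and boots, not that the gallery is reachable. Wait for the units the module creates and fetch the front page, e.g. `server.wait_for_unit("lychee-install.service")`, `server.wait_for_unit("nginx.service")` and `server.succeed("curl -fk https://<website>/")`, using whatever `website` default the module has (not shown in this patch). With `enableACME = true` the VM has no route to an ACME endpoint, so presumably nginx stays on NixOS's self-signed placeholder certificate, hence `-k`; if certificate issuance is not what the test is about, `enableACME = false` with `forceSSL` and a test certificate would remove the dependency on `security.acme` altogether.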