Module pour lychee #4
3 changed files with 72 additions and 106 deletions
|
@ -3,5 +3,5 @@
|
|||
drone-server = ./servers/drone.nix;
|
||||
drone-exec-runner = ./servers/drone-exec-runner.nix;
|
||||
wordpress = ./web-apps/wordpress;
|
||||
lychee = ./web-apps/lychee.nix;
|
||||
lychee = ./web-apps/lychee;
|
||||
}
|
||||
|
|
|
@ -17,12 +17,12 @@ in
|
|||
};
|
||||
forceSSL = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
default = false;
|
||||
description = "Whether to force SSL for the nginx virtual host";
|
||||
};
|
||||
enableACME = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
default = false;
|
||||
description = "Whether to enableACME for the nginx virtual host";
|
||||
};
|
||||
upload_max_filesize = lib.mkOption {
|
||||
|
@ -40,38 +40,14 @@ in
|
|||
default = "lychee";
|
||||
description = "The user that will operate on mutable files";
|
||||
};
|
||||
stateDirectory = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "/var/lib/lychee";
|
||||
};
|
||||
settings = lib.mkOption {
|
||||
default = {};
|
||||
type = lib.types.submodule {
|
||||
freeformType = with lib.types; attrsOf str;
|
||||
options = {
|
||||
DB_DATABASE= lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${cfg.stateDirectory}/db.sqlite";
|
||||
};
|
||||
APP_NAME= lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "Lychee";
|
||||
};
|
||||
APP_ENV = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "production";
|
||||
};
|
||||
APP_DEBUG = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "\"false\"";
|
||||
};
|
||||
APP_URL = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "https://${cfg.website}";
|
||||
};
|
||||
DEBUGBAR_ENABLED = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "\"false\"";
|
||||
default = "http://${cfg.website}";
|
||||
};
|
||||
DB_CONNECTION = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
|
@ -81,10 +57,6 @@ in
|
|||
type = lib.types.str;
|
||||
default = "\"false\"";
|
||||
};
|
||||
LYCHEE_UPLOADS = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
default = "${cfg.stateDirectory}/www/public/uploads";
|
||||
};
|
||||
CACHE_DRIVER = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "file";
|
||||
|
@ -117,28 +89,15 @@ in
|
|||
type = lib.types.str;
|
||||
default = "smtp";
|
||||
};
|
||||
TRUSTED_PROXIES = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "\"null\"";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
config = let srcDirsToBindMount = [
|
||||
"app"
|
||||
"bootstrap"
|
||||
"config"
|
||||
"resources"
|
||||
"routes"
|
||||
"scripts"
|
||||
"vendor"
|
||||
];
|
||||
in lib.mkIf cfg.enable {
|
||||
config = lib.mkIf cfg.enable {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts.${cfg.website} = {
|
||||
root = cfg.stateDirectory + "/www/public/";
|
||||
root = "/var/lib/lychee/public/";
|
||||
forceSSL = lib.mkDefault cfg.forceSSL;
|
||||
enableACME = lib.mkDefault cfg.enableACME;
|
||||
locations = {
|
||||
|
@ -156,9 +115,6 @@ in
|
|||
"~ [^/]\.php(/|$)" = {
|
||||
return = "403";
|
||||
};
|
||||
"/uploads/" = {
|
||||
alias = cfg.settings.LYCHEE_UPLOADS;
|
||||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
index index.php;
|
||||
|
@ -170,61 +126,40 @@ in
|
|||
'';
|
||||
};
|
||||
};
|
||||
systemd.tmpfiles.rules = let srcDirToTmpFile = dir: "d ${cfg.stateDirectory}/www/${dir} 0750 ${cfg.user} ${config.services.nginx.group}";
|
||||
in [
|
||||
"d ${cfg.stateDirectory} 0750 ${cfg.user} ${config.services.nginx.group}"
|
||||
"d ${cfg.stateDirectory}/www 0750 ${cfg.user} ${config.services.nginx.group}"
|
||||
"C ${cfg.stateDirectory}/public - ${cfg.user} ${config.services.nginx.group} - ${src}/public"
|
||||
"Z ${cfg.stateDirectory}/public 0750 ${cfg.user} ${config.services.nginx.group} - -"
|
||||
"C ${cfg.stateDirectory}/database - ${cfg.user} ${config.services.nginx.group} - ${src}/database"
|
||||
"Z ${cfg.stateDirectory}/database 0750 ${cfg.user} ${config.services.nginx.group} - -"
|
||||
"C ${cfg.stateDirectory}/bootstrap-cache - ${cfg.user} ${config.services.nginx.group} - ${src}/bootstrap/cache"
|
||||
"Z ${cfg.stateDirectory}/bootstrap-cache 0750 ${cfg.user} ${config.services.nginx.group} - -"
|
||||
"C ${cfg.stateDirectory}/storage - ${cfg.user} ${config.services.nginx.group} - ${src}/storage"
|
||||
"Z ${cfg.stateDirectory}/storage 0750 ${cfg.user} ${config.services.nginx.group} - -"
|
||||
"C ${cfg.settings.LYCHEE_UPLOADS} - ${cfg.user} ${config.services.nginx.group} - ${src}/public/uploads"
|
||||
"Z ${cfg.settings.LYCHEE_UPLOADS} 0750 ${cfg.user} ${config.services.nginx.group} - -"
|
||||
"f ${cfg.settings.DB_DATABASE} 0750 ${cfg.user} ${cfg.user}"
|
||||
"L ${cfg.stateDirectory}/www/artisan - - - - ${src}/artisan"
|
||||
"L ${cfg.stateDirectory}/www/composer.json - - - - ${src}/composer.json"
|
||||
"L ${cfg.stateDirectory}/www/composer.lock - - - - ${src}/composer.lock"
|
||||
"L ${cfg.stateDirectory}/www/version.md - - - - ${src}/version.md"
|
||||
"L ${cfg.stateDirectory}/www/simple_error_template.html - - - - ${src}/simple_error_template.html"
|
||||
] ++ (builtins.map srcDirToTmpFile srcDirsToBindMount);
|
||||
systemd.mounts = let sourceDirToSystemdMount = dir: {
|
||||
before = [ "phpfpm-${cfg.website}.service" ];
|
||||
systemd.services."lychee-install" = {
|
||||
wantedBy = [ "phpfpm-${cfg.website}.service" ];
|
||||
what = "${src}/${dir}";
|
||||
where = cfg.stateDirectory + "/www/${dir}";
|
||||
options = "bind";
|
||||
script = let rsync = pkgs.rsync; in ''
|
||||
${rsync}/bin/rsync -a --ignore-existing ${src}/ $STATE_DIRECTORY
|
||||
chmod u+w $STATE_DIRECTORY/
|
||||
chmod u+w $STATE_DIRECTORY/.env
|
||||
chmod u+w $STATE_DIRECTORY/database/
|
||||
chmod u+w $STATE_DIRECTORY/database/database.sqlite
|
||||
chmod -R u+w $STATE_DIRECTORY/storage/
|
||||
chmod -R u+w $STATE_DIRECTORY/public/
|
||||
chmod -R u+w $STATE_DIRECTORY/bootstrap/cache/
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
StateDirectory = "lychee";
|
||||
User = cfg.user;
|
||||
Restart = "on-failure";
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
NoNewPrivileges = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RemoveIPC = true;
|
||||
PrivateMounts = true;
|
||||
};
|
||||
};
|
||||
in [{
|
||||
before = [ "phpfpm-${cfg.website}.service" ];
|
||||
wantedBy = [ "phpfpm-${cfg.website}.service" ];
|
||||
what = cfg.stateDirectory + "/storage";
|
||||
where = cfg.stateDirectory + "/www/storage";
|
||||
options = "bind";
|
||||
}] ++ (builtins.map sourceDirToSystemdMount srcDirsToBindMount) ++ [{
|
||||
before = [ "phpfpm-${cfg.website}.service" ];
|
||||
wantedBy = [ "phpfpm-${cfg.website}.service" ];
|
||||
what = cfg.stateDirectory + "/bootstrap-cache";
|
||||
where = cfg.stateDirectory + "/www/bootstrap/cache";
|
||||
options = "bind";
|
||||
}
|
||||
{
|
||||
before = [ "phpfpm-${cfg.website}.service" ];
|
||||
wantedBy = [ "phpfpm-${cfg.website}.service" ];
|
||||
what = cfg.stateDirectory + "/database";
|
||||
where = cfg.stateDirectory + "/www/database";
|
||||
options = "bind";
|
||||
}
|
||||
{
|
||||
before = [ "phpfpm-${cfg.website}.service" ];
|
||||
wantedBy = [ "phpfpm-${cfg.website}.service" ];
|
||||
what = cfg.stateDirectory + "/public";
|
||||
where = cfg.stateDirectory + "/www/public";
|
||||
options = "bind";
|
||||
}];
|
||||
services.phpfpm.pools.${cfg.website} = {
|
||||
user = cfg.user;
|
||||
phpPackage = pkgs.php81.withExtensions ({ enabled, all }:
|
||||
|
@ -248,9 +183,9 @@ in
|
|||
} // envConf;
|
||||
};
|
||||
users.users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
home = src;
|
||||
group = cfg.user;
|
||||
isSystemUser = lib.mkDefault true;
|
||||
home = lib.mkDefault src;
|
||||
group = lib.mkDefault cfg.user;
|
||||
};
|
||||
users.groups.${cfg.user} = { };
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
31
modules/web-apps/lychee/test.nix
Normal file
31
modules/web-apps/lychee/test.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
{ pkgs ? import <nixpkgs> {}, myPkgs ? import ../.. {}}:
|
||||
pkgs.nixosTest ({
|
||||
# NixOS tests are run inside a virtual machine, and here we specify system of the machine.
|
||||
nodes = {
|
||||
server = { config, pkgs, ... }: {
|
||||
imports = [ myPkgs.modules.lychee ];
|
||||
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = "test@test.fr";
|
||||
services.lychee = {
|
||||
enable = true;
|
||||
package = myPkgs.lychee-gallery;
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
environment.systemPackages = [ pkgs.w3m ];
|
||||
|
||||
users = {
|
||||
mutableUsers = false;
|
||||
users = {
|
||||
# For ease of debugging the VM as the `root` user
|
||||
root.password = "";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
testScript = ''
|
||||
start_all()
|
||||
server.wait_for_unit("default.target")
|
||||
'';
|
||||
})
|
Loading…
Reference in a new issue