Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
7fc3c3db631ad0dc5d35a92dc1665fc6701cbd46
nixos/hosts/web-arm/modules/web/typo3.nix
Dominik Polakovics 9a5a28098c changes
2025-04-25 20:35:33 +02:00

450 lines
16 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.typo3;
instanceOpts = { name, ... }:
{
options = {
user = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
User of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domain = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Domain of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domainAliases = mkOption {
type = types.listOf types.str;
default = [];
example = [ "www.example.org" "example.org" ];
description = lib.mdDoc ''
Additional domains served by this typo3 instance.
'';
};
phpPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.php";
description = lib.mdDoc ''
Which PHP package to use in this typo3 instance.
'';
};
authorizedKeys = mkOption {
type = types.listOf types.str;
default = null;
description = lib.mdDoc ''
Authorized keys for the typo3 instance ssh user.
'';
};
acmeRoot = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Directory for the ACME challenge, which is public. Dont put certs or keys in here. Set to null to inherit from config.security.acme.
'';
};
};
};
in
{
options.services.typo3 = {
dataDir = mkOption {
type = types.path;
default = "/var/www";
description = lib.mdDoc ''
The data directory for MySQL.
::: {.note}
If left as the default value of `/var/www` this directory will automatically be created before the web
server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.
:::
'';
};
instances = mkOption {
type = types.attrsOf (types.submodule instanceOpts);
default = {};
description = lib.mdDoc "Create vhosts for typo3";
example = literalExpression ''
{
"typo3.example.com" = {
domain = "example.com";
domainAliases = [ "www.example.com" ];
phpPackage = pkgs.php82;
authorizedKeys = [
"ssh-rsa AZA=="
];
};
};
'';
};
};
config = {
# systemd.services = mapAttrs' (instance: instanceOpts:
# let
# domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
# in
# nameValuePair "phpfpm-${domain}" {
# serviceConfig = {
# ProtectHome = lib.mkForce "tmpfs";
# BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}";
# };
# }
# ) cfg.instances;
systemd.timers = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair ("typo3-cron-" + domain) {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "05:00";
Unit = "typo3-cron-" + domain + ".service";
};
}
) cfg.instances;
systemd.services = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair ("typo3-cron-" + domain) {
script = ''
set -eu
${instanceOpts.phpPackage}/bin/php /var/www/${domain}/current/bin/typo3 scheduler:run
${instanceOpts.phpPackage}/bin/php /var/www/${domain}/current/bin/typo3 ke_search:indexing
'';
serviceConfig = {
Type = "oneshot";
User = user;
};
}
) cfg.instances;
services.phpfpm.pools = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
user = user;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "syslog";
"php_admin_value[max_execution_time]" = 240;
"php_admin_value[max_input_vars]" = 1500;
"php_admin_value[upload_max_filesize]" = "256M";
"php_admin_value[post_max_size]" = "256M";
"access.log" = "/var/log/$pool.access.log";
};
phpOptions = ''
opcache.enable=1
opcache.memory_consumption=128
opcache.validate_timestamps=0
opcache.revalidate_path=0
'';
phpPackage = instanceOpts.phpPackage;
phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ];
}
) cfg.instances;
};
config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
forceSSL = true;
enableACME = true;
acmeRoot = instanceOpts.acmeRoot;
root = cfg.dataDir + "/" + domain + "/current/public";
serverAliases = instanceOpts.domainAliases;
extraConfig = ''
if ($host != '${domain}') {
return 301 $scheme://${domain}$request_uri;
}
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal;
set $upstream_authelia http://127.0.0.1:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
# locations."/typo3/login" = {
# extraConfig = ''
# # Basic Authelia Config
# # Send a subsequent request to Authelia to verify if the user is authenticated
# # and has the right permissions to access the resource.
# auth_request /authelia;
# # Set the `target_url` variable based on the request. It will be used to build the portal
# # URL with the correct redirection parameter.
# auth_request_set $target_url $scheme://$http_host$request_uri;
# # Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# # returned by Authelia for the backends which can consume them.
# # This is not safe, as the backend must make sure that they come from the
# # proxy. In the future, it's gonna be safe to just use OAuth.
# auth_request_set $user $upstream_http_remote_user;
# auth_request_set $groups $upstream_http_remote_groups;
# auth_request_set $name $upstream_http_remote_name;
# auth_request_set $email $upstream_http_remote_email;
# proxy_set_header Remote-User $user;
# proxy_set_header Remote-Groups $groups;
# proxy_set_header Remote-Name $name;
# proxy_set_header Remote-Email $email;
# # If Authelia returns 401, then nginx redirects the user to the login portal.
# # If it returns 200, then the request pass through to the backend.
# # For other type of errors, nginx will handle them as usual.
# error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
#
# fastcgi_param REMOTE_USER $user;
#
# include ${pkgs.nginx}/conf/fastcgi.conf;
# fastcgi_buffer_size 32k;
# fastcgi_buffers 8 16k;
# fastcgi_connect_timeout 240s;
# fastcgi_read_timeout 240s;
# fastcgi_send_timeout 240s;
# fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
# fastcgi_param SCRIPT_FILENAME ${cfg.dataDir}/${domain}/public/typo3/index.php;
# '';
# };
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
# TYPO3 - Block access to composer files
locations."~* composer\\.(?:json|lock)".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to flexform files
locations."~* flexform[^.]*\\.xml".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to language files
locations."~* locallang[^.]*\\.(?:xml|xlf)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to static typoscript files
locations."~* ext_conf_template\\.txt|ext_typoscript_constants\\.txt|ext_typoscript_setup\\.txt".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to miscellaneous protected files
locations."~* /.*\\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = ''
deny all;
'';
# locations."~* /.*\.(?:bak|cfg|co?nf|ya?ml|ts)$".extraConfig = ''
# deny all;
# '';
# TYPO3 - Block access to recycler and temporary directories
locations."~ _(?:recycler|temp)_/".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to configuration files stored in fileadmin
locations."~ fileadmin/(?:templates)/.*\\.(?:txt|ts|typoscript)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to libraries, source and temporary compiled data
locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to protected extension directories
locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = ''
deny all;
'';
# Cache.appcache, your document html and data
locations."~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = ''
expires -1;
# access_log logs/static.log; # I don't usually include a static log
'';
# Feed
locations."~* \\.(?:rss|atom)$".extraConfig = ''
expires 1h;
add_header Cache-Control "public";
'';
# Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts
locations."~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|webp|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
locations."/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
# TYPO3 Backend URLs
locations."/typo3$".extraConfig = ''
rewrite ^ /typo3/;
'';
locations."/typo3/".extraConfig = ''
try_files $uri /typo3/index.php$is_args$args;
'';
locations."~ [^/]\\.php(/|$)".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
}
) cfg.instances;
config.users.users = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair user {
isNormalUser = true;
createHome = true;
home = "/var/www/" + domain;
homeMode= "770";
group = config.services.nginx.group;
openssh.authorizedKeys.keys = instanceOpts.authorizedKeys;
}
) cfg.instances;
config.users.groups = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in nameValuePair user {}) cfg.instances;
config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
{
name = user;
ensurePermissions = {
"${user}.*" = "ALL PRIVILEGES";
};
}) cfg.instances;
config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
user
) cfg.instances;
config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
user
) cfg.instances;
}
Reference in New Issue View Git Blame Copy Permalink