all the broken

2025-10-04 20:35:06 +02:00
parent 67e83e3e4e
commit 123dfd7605
21 changed files with 408 additions and 304 deletions
--- a/modules/server/lib.nix
+++ b/modules/server/lib.nix
@@ -0,0 +1,148 @@
+# from @jtojnar
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  mkVirtualHost = {
+    path ? null,
+    config ? "",
+    acme ? null,
+    redirect ? null,
+    ...
+  } @ args:
+    (
+      if lib.isString acme
+      then {
+        useACMEHost = acme;
+        forceSSL = true;
+      }
+      else {}
+    )
+    // (
+      if lib.isBool acme
+      then {
+        enableACME = acme;
+        forceSSL = true;
+      }
+      else {}
+    )
+    // (
+      if redirect != null
+      then {
+        globalRedirect = redirect;
+      }
+      else {}
+    )
+    // (
+      if path != null
+      then {
+        root = "/var/www/" + path;
+      }
+      else {}
+    )
+    // {
+      extraConfig = config;
+    }
+    // builtins.removeAttrs args [
+      "path"
+      "config"
+      "acme"
+      "redirect"
+    ];
+  mkPhpPool = {
+    user,
+    debug ? false,
+    settings ? {},
+    ...
+  } @ args:
+    {
+      inherit user;
+      settings =
+        {
+          "listen.owner" = "nginx";
+          "listen.group" = "root";
+          "pm" = "dynamic";
+          "pm.max_children" = 5;
+          "pm.start_servers" = 2;
+          "pm.min_spare_servers" = 1;
+          "pm.max_spare_servers" = 3;
+        }
+        // (
+          lib.optionalAttrs debug {
+            # log worker's stdout, but this has a performance hit
+            "catch_workers_output" = true;
+          }
+          // settings
+        );
+    }
+    // builtins.removeAttrs args [
+      "user"
+      "debug"
+      "settings"
+    ];
+  enablePHP = sockName: ''
+    fastcgi_pass unix:${config.services.phpfpm.pools.${sockName}.socket};
+    include ${config.services.nginx.package}/conf/fastcgi.conf;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+  '';
+
+  /*
+  Adds extra options to ssh key that will only allow it to be used for rsync.
+  See sshd(8) manual page for details.
+  */
+  restrictToRsync = directory: key: ''command="${pkgs.rrsync}/bin/rrsync -wo ${directory}",restrict ${key}'';
+
+  /*
+  Emulate systemd credentials.
+  Those will only be available to the user the service is running under,
+  not being aware of dropped euid.
+  http://systemd.io/CREDENTIALS/
+  */
+  emulateCredentials = let
+    parseCredential = credential: let
+      matches = builtins.match "(.+):(.+)" credential;
+    in
+      assert lib.assertMsg (matches != null) "A credential needs to match “id:value” format"; {
+        id = builtins.elemAt matches 0;
+        value = builtins.elemAt matches 1;
+      };
+
+    parseCredentials = credentials:
+      builtins.map parseCredential (
+        if builtins.isList credentials
+        then credentials
+        else lib.splitString "," credentials
+      );
+  in
+    serviceConfig:
+      lib.mkMerge [
+        (builtins.removeAttrs serviceConfig [
+          "SetCredential"
+          "LoadCredential"
+        ])
+        {
+          Environment = [
+            "CREDENTIALS_DIRECTORY=${
+              pkgs.runCommand "credentials" {} ''
+                mkdir "$out"
+                ${lib.concatMapStringsSep "\n" ({
+                  id,
+                  value,
+                }: ''ln -s "${value}" "$out/${id}"'') (
+                  parseCredentials serviceConfig.LoadCredential or []
+                )}
+                ${lib.concatMapStringsSep "\n" ({
+                  id,
+                  value,
+                }: ''echo -n "${value}" > "$out/${id}"'') (
+                  parseCredentials serviceConfig.SetCredential or []
+                )}
+              ''
+            }"
+          ];
+        }
+      ];
+}