nix-infra/config/hosts/eh22-wiki/dokuwiki.nix

# Sources for this configuration:
# - https://www.dokuwiki.org/dokuwiki
# - https://www.dokuwiki.org/install
# - https://www.dokuwiki.org/requirements
# - https://www.dokuwiki.org/install:php
# - https://www.dokuwiki.org/security
# - https://www.dokuwiki.org/config:xsendfile
# - https://www.dokuwiki.org/install:nginx
# - https://www.dokuwiki.org/faq:uploadsize
# - https://nixos.wiki/wiki/Phpfpm
# - https://wiki.archlinux.org/title/Nginx#FastCGI
# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
# - https://www.php.net/manual/en/install.fpm.php
# - https://www.php.net/manual/en/install.fpm.configuration.php
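{ config, pkgs, ... }:
let
  # This is also used for user and group names.
  app = "dokuwiki";
  domain = "eh22.easterhegg.eu";
  dataDir = "/srv/www/${domain}";
  # Upload limit shared by PHP (upload_max_filesize / post_max_size) and by
  # nginx (client_max_body_size) so the two values cannot drift apart.
  uploadLimit = "20M";
  # NixOS renders the locations of a virtual host sorted by (priority, name)
  # and nginx picks the FIRST matching regex location in that order.  With the
  # default priority (1000) the names alone decide, which puts "~ \.php$"
  # ahead of "~ ^/data/" and would hand a request for /data/<x>.php to PHP-FPM
  # instead of refusing it.  Giving the access-control locations a smaller
  # priority makes them sort first, independent of their names.
  accessControlPriority = 100;
in
{
  # Document root, owned by the PHP-FPM pool user so DokuWiki can write to it.
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${app} ${app}"
  ];

  services.phpfpm.pools."${app}" = {
    user = app;
    group = app;
    phpOptions = ''
      short_open_tag = Off
      open_basedir =
      output_buffering = Off
      output_handler =
      zlib.output_compression = Off
      implicit_flush = Off
      allow_call_time_pass_reference = Off
      max_execution_time = 30
      max_input_time = 60
      max_input_vars = 10000
      memory_limit = 128M
      error_reporting = E_ALL & ~E_NOTICE
      display_errors = Off
      display_startup_errors = Off
      log_errors = On
      ; error_log should be handled by NixOS.
      variables_order = "EGPCS"
      register_argc_argv = Off
      file_uploads = On
      upload_max_filesize = ${uploadLimit}
      post_max_size = ${uploadLimit}
      session.use_cookies = 1
      ; Checked the default NixOS PHP extensions and the only one missing from
      ; DokuWikis list of PHP extensions was bz2, so add that.
      ; Checked with NixOS 23.11 on 2024-05-02.
      extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
    '';
    settings = {
      # The pool socket is connected to by nginx, so nginx's user owns it.
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "pm.max_requests" = 500;
    };
  };

  services.nginx = {
    enable = true;

    # Plain-HTTP host that only exists so the ACME HTTP-01 challenge can be
    # answered on port 31820 (presumably forwarded from an upstream proxy).
    virtualHosts."acme-${domain}" = {
      default = true;
      enableACME = true;
      serverName = domain;
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };

    virtualHosts."${domain}" = {
      default = true;
      forceSSL = true;
      useACMEHost = domain;
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          # NOTE(review): with PROXY protocol nginx takes the client address
          # from a header sent by whoever connects to this socket, so 8443
          # should only be reachable from the upstream proxy.  The firewall
          # rule below opens 8443 on all interfaces — confirm it is restricted
          # elsewhere (or restrict it here).
          proxyProtocol = true;
        }
      ];
      root = dataDir;
      locations = {
        # Access control for DokuWiki-internal directories; sorted before the
        # PHP handler via accessControlPriority (see the let-binding above).
        "~ /(conf|bin|inc|vendor)/" = {
          priority = accessControlPriority;
          extraConfig = "deny all;";
        };
        "~ /install\\.php" = {
          priority = accessControlPriority;
          extraConfig = "deny all;";
        };
        # data/ is only served through X-Sendfile-style internal redirects.
        "~ ^/data/" = {
          priority = accessControlPriority;
          extraConfig = "internal;";
        };
        # Static assets under lib/.  The dot must reach nginx as "\." — a
        # single backslash is consumed by the Nix string and the regex would
        # degrade to ".*.(js|css|...)".
        "~ ^/lib.*\\.(js|css|gif|png|ico|jpg|jpeg)$" = {
          extraConfig = "expires 31d;";
        };
        "/" = {
          index = "doku.php";
          extraConfig = "try_files $uri $uri/ @dokuwiki;";
        };
        "@dokuwiki" = {
          extraConfig = ''
            # Rewrites "doku.php/" out of the URLs if the userewrite setting is
            # set to .htaccess in the DokuWiki config page.
            rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
            rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
            rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
            rewrite ^/(.*) /doku.php?id=$1&$args last;
          '';
        };
        "~ \\.php$" = {
          extraConfig = ''
            # try_files makes nginx check that the requested script actually
            # exists before handing the path to PHP-FPM.
            try_files $uri $uri/ /doku.php;
            include ${config.services.nginx.package}/conf/fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param REDIRECT_STATUS 200;
            fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
          '';
        };
      };
      extraConfig = ''
        # Maximum request body size; kept equal to upload_max_filesize and
        # post_max_size in the phpOptions via uploadLimit.
        client_max_body_size ${uploadLimit};
        client_body_buffer_size 128k;
      '';
    };
  };

  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
  # NOTE(review): no listen entry above enables QUIC/HTTP3, so UDP 8443 looks
  # unused in this configuration — confirm whether it is still needed.
  networking.firewall.allowedUDPPorts = [ 8443 ];

  users.users."${app}" = {
    isSystemUser = true;
    group = app;
  };
  users.groups."${app}" = { };
}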