diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix new file mode 100644 index 0000000..ff45e49 --- /dev/null +++ b/config/hosts/eh22-wiki/configuration.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + networking.hostName = "eh22-wiki"; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix new file mode 100644 index 0000000..2d90c6b --- /dev/null +++ b/config/hosts/eh22-wiki/default.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./dokuwiki.nix + ./networking.nix + ]; +} diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix new file mode 100644 index 0000000..133e39a --- /dev/null +++ b/config/hosts/eh22-wiki/dokuwiki.nix @@ -0,0 +1,165 @@ +# Sources for this configuration: +# - https://www.dokuwiki.org/dokuwiki +# - https://www.dokuwiki.org/install +# - https://www.dokuwiki.org/requirements +# - https://www.dokuwiki.org/install:php +# - https://www.dokuwiki.org/security +# - https://www.dokuwiki.org/config:xsendfile +# - https://www.dokuwiki.org/install:nginx +# - https://www.dokuwiki.org/faq:uploadsize +# - https://nixos.wiki/wiki/Phpfpm +# - https://wiki.archlinux.org/title/Nginx#FastCGI +# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix +# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf +# - https://www.php.net/manual/en/install.fpm.php +# - https://www.php.net/manual/en/install.fpm.configuration.php + +{ config, pkgs, ... }: + +let + # This is also used for user and group names. + app = "dokuwiki"; + domain = "eh22.easterhegg.eu"; + dataDir = "/srv/www/${domain}"; +in { + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${app} ${app}" + ]; + + services.phpfpm.pools."${app}" = { + user = "${app}"; + group = "${app}"; + phpOptions = '' + short_open_tag = Off + open_basedir = + output_buffering = Off + output_handler = + zlib.output_compression = Off + implicit_flush = Off + allow_call_time_pass_reference = Off + max_execution_time = 30 + max_input_time = 60 + max_input_vars = 10000 + memory_limit = 128M + error_reporting = E_ALL & ~E_NOTICE + display_errors = Off + display_startup_errors = Off + log_errors = On + ; error_log should be handled by NixOS. + variables_order = "EGPCS" + register_argc_argv = Off + file_uploads = On + upload_max_filesize = 20M + post_max_size = 20M + session.use_cookies = 1 + ; Checked the default NixOS PHP extensions and the only one missing from + ; DokuWikis list of PHP extensions was bz2, so add that. + ; Checked with NixOS 23.11 on 2024-05-02. + extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so + ''; + extraConfig = '' + listen.owner = ${config.services.nginx.user}; + listen.group = ${config.services.nginx.group}; + pm = dynamic + pm.max_children = 32 + pm.start_servers = 2 + pm.min_spare_servers = 2 + pm.max_spare_servers = 4 + pm.max_requests = 500 + ''; + }; + + services.nginx = { + enable = true; + + virtualHosts."acme-${domain}" = { + default = true; + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + virtualHosts."${domain}" = { + default = true; + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + locations = { + "~ /(conf|bin|inc|vendor)/" = { + extraConfig = "deny all;"; + }; + + "~ /install.php" = { + extraConfig = "deny all;"; + }; + + "~ ^/data/" = { + extraConfig = "internal;"; + }; + + "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { + extraConfig = "expires 31d;"; + }; + + "/" = { + index = "doku.php"; + extraConfig = "try_files $uri $uri/ @dokuwiki;"; + }; + + "@dokuwiki" = { + extraConfig = '' + # Rewrites "doku.php/" out of the URLs if the userwrite setting is + # set to .htaccess in the DokuWiki config page. + rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; + rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; + rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; + rewrite ^/(.*) /doku.php?id=$1&$args last; + ''; + }; + + "~ \\.php$" = { + extraConfig = '' + try_files $uri $uri/ /doku.php; + include ${config.services.nginx.package}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param REDIRECT_STATUS 200; + fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket}; + ''; + }; + }; + + extraConfig = '' + # Set maximum file upload size to 20MB (same as upload_max_filesize and + # post_max_size in the phpOptions). + client_max_body_size 20M; + client_body_buffer_size 128k; + ''; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8443 31820 ]; + networking.firewall.allowedUDPPorts = [ 8443 ]; + + users.users."${app}" = { + isSystemUser = true; + group = "${app}"; + }; + users.groups."${app}" = { }; +} diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix new file mode 100644 index 0000000..44d478a --- /dev/null +++ b/config/hosts/eh22-wiki/networking.nix @@ -0,0 +1,23 @@ +# Sources for this configuration: +# - https://nixos.wiki/wiki/Networking + +{ ... }: + +{ + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.156"; + prefixLength = 25; + } + ]; + }; + networking.defaultGateway = "172.31.17.129"; + networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; + networking.search = [ "hamburg.ccc.de" ]; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:37:F0:AB"; + linkConfig.Name = "net0"; + }; +} diff --git a/flake.nix b/flake.nix index 5360d1f..d7d7fc9 100644 --- a/flake.nix +++ b/flake.nix @@ -211,6 +211,20 @@ ./config/hosts/ptouch-print-server ]; }; + + eh22-wiki = { + deployment = { + targetHost = "eh22-wiki-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/eh22-wiki + ]; + }; }; packages.x86_64-linux = {