mail2-nixos-config/postfixadmin.nix

103 lines
3.7 KiB
Nix
Raw Normal View History

2019-05-10 23:21:28 +02:00
{ config, lib, pkgs, ... }:
let
phppoolName = "postfixadmin_pool";
pfaGroup = config.variables.pfaGroup;
pfaUser = config.variables.pfaUser;
postfixadminpkg = config.variables.postfixadminpkg;
pfadminDataDir = config.variables.pfadminDataDir;
cacheDir = config.variables.postfixadminpkgCacheDir;
phpfpmHostPort = config.variables.pfaPhpfpmHostPort;
in
{
# Setup the user and group
users.groups."${pfaGroup}" = { };
users.users."${pfaUser}" = {
isSystemUser = true;
group = "${pfaGroup}";
description = "PHP User for postfixadmin";
};
# Setup nginx
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.enable = true;
services.nginx.virtualHosts."${config.variables.pfaDomain}" = {
forceSSL = config.variables.useSSL;
enableACME = config.variables.useSSL;
default = true;
root = "${postfixadminpkg}/public";
extraConfig = ''
access_log /tmp/nginx/log/$host combined;
charset utf-8;
etag off;
add_header etag "\"${builtins.substring 11 32 postfixadminpkg}\"";
index index.php;
location ~* \.php$ {
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this
# server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
# another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php5-cgi alone:
fastcgi_pass ${phpfpmHostPort};
fastcgi_index index.php;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTP_PROXY "";
}
'';
};
systemd.services."postfixadmin-setup" = {
serviceConfig.Type = "oneshot";
wantedBy = [ "multi-user.target" ];
script = ''
# Setup the data directory with the database and the cache directory
mkdir -p ${pfadminDataDir}
chmod -c 751 ${pfadminDataDir}
chown -c ${pfaUser}:${pfaGroup} ${pfadminDataDir}
mkdir -p ${cacheDir}/templates_c
chown -Rc ${pfaUser}:${pfaGroup} ${cacheDir}/templates_c
chmod -Rc 751 ${cacheDir}/templates_c
'';
};
services.phpfpm.pools."${phppoolName}" = {
listen = phpfpmHostPort;
extraConfig = ''
user = ${pfaUser}
pm = dynamic
pm.max_children = 75
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 10
catch_workers_output = 1
php_admin_value[upload_max_filesize] = 42M
php_admin_value[post_max_size] = 42M
php_admin_value[memory_limit] = 128M
php_admin_value[cgi.fix_pathinfo] = 1
'';
};
}