103 lines
3.7 KiB
Nix
103 lines
3.7 KiB
Nix
|
{ config, lib, pkgs, ... }:
|
||
|
|
||
|
let
|
||
|
phppoolName = "postfixadmin_pool";
|
||
|
pfaGroup = config.variables.pfaGroup;
|
||
|
pfaUser = config.variables.pfaUser;
|
||
|
postfixadminpkg = config.variables.postfixadminpkg;
|
||
|
pfadminDataDir = config.variables.pfadminDataDir;
|
||
|
cacheDir = config.variables.postfixadminpkgCacheDir;
|
||
|
phpfpmHostPort = config.variables.pfaPhpfpmHostPort;
|
||
|
in
|
||
|
{
|
||
|
# Setup the user and group
|
||
|
users.groups."${pfaGroup}" = { };
|
||
|
users.users."${pfaUser}" = {
|
||
|
isSystemUser = true;
|
||
|
group = "${pfaGroup}";
|
||
|
description = "PHP User for postfixadmin";
|
||
|
};
|
||
|
|
||
|
# Setup nginx
|
||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||
|
services.nginx.enable = true;
|
||
|
services.nginx.virtualHosts."${config.variables.pfaDomain}" = {
|
||
|
forceSSL = config.variables.useSSL;
|
||
|
enableACME = config.variables.useSSL;
|
||
|
default = true;
|
||
|
root = "${postfixadminpkg}/public";
|
||
|
extraConfig = ''
|
||
|
access_log /tmp/nginx/log/$host combined;
|
||
|
charset utf-8;
|
||
|
|
||
|
etag off;
|
||
|
add_header etag "\"${builtins.substring 11 32 postfixadminpkg}\"";
|
||
|
|
||
|
index index.php;
|
||
|
|
||
|
location ~* \.php$ {
|
||
|
# Zero-day exploit defense.
|
||
|
# http://forum.nginx.org/read.php?2,88845,page=3
|
||
|
# Won't work properly (404 error) if the file is not stored on this
|
||
|
# server, which is entirely possible with php-fpm/php-fcgi.
|
||
|
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
|
||
|
# another machine. And then cross your fingers that you won't get hacked.
|
||
|
try_files $uri =404;
|
||
|
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||
|
# With php5-cgi alone:
|
||
|
fastcgi_pass ${phpfpmHostPort};
|
||
|
fastcgi_index index.php;
|
||
|
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
||
|
fastcgi_param SERVER_SOFTWARE nginx;
|
||
|
fastcgi_param QUERY_STRING $query_string;
|
||
|
fastcgi_param REQUEST_METHOD $request_method;
|
||
|
fastcgi_param CONTENT_TYPE $content_type;
|
||
|
fastcgi_param CONTENT_LENGTH $content_length;
|
||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||
|
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
||
|
fastcgi_param REQUEST_URI $request_uri;
|
||
|
fastcgi_param DOCUMENT_URI $document_uri;
|
||
|
fastcgi_param DOCUMENT_ROOT $document_root;
|
||
|
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
||
|
fastcgi_param REMOTE_ADDR $remote_addr;
|
||
|
fastcgi_param REMOTE_PORT $remote_port;
|
||
|
fastcgi_param SERVER_ADDR $server_addr;
|
||
|
fastcgi_param SERVER_PORT $server_port;
|
||
|
fastcgi_param SERVER_NAME $server_name;
|
||
|
fastcgi_param HTTP_PROXY "";
|
||
|
}
|
||
|
'';
|
||
|
};
|
||
|
systemd.services."postfixadmin-setup" = {
|
||
|
serviceConfig.Type = "oneshot";
|
||
|
wantedBy = [ "multi-user.target" ];
|
||
|
script = ''
|
||
|
# Setup the data directory with the database and the cache directory
|
||
|
mkdir -p ${pfadminDataDir}
|
||
|
chmod -c 751 ${pfadminDataDir}
|
||
|
chown -c ${pfaUser}:${pfaGroup} ${pfadminDataDir}
|
||
|
|
||
|
mkdir -p ${cacheDir}/templates_c
|
||
|
chown -Rc ${pfaUser}:${pfaGroup} ${cacheDir}/templates_c
|
||
|
chmod -Rc 751 ${cacheDir}/templates_c
|
||
|
'';
|
||
|
};
|
||
|
services.phpfpm.pools."${phppoolName}" = {
|
||
|
listen = phpfpmHostPort;
|
||
|
extraConfig = ''
|
||
|
user = ${pfaUser}
|
||
|
pm = dynamic
|
||
|
pm.max_children = 75
|
||
|
pm.min_spare_servers = 5
|
||
|
pm.max_spare_servers = 20
|
||
|
pm.max_requests = 10
|
||
|
catch_workers_output = 1
|
||
|
php_admin_value[upload_max_filesize] = 42M
|
||
|
php_admin_value[post_max_size] = 42M
|
||
|
php_admin_value[memory_limit] = 128M
|
||
|
php_admin_value[cgi.fix_pathinfo] = 1
|
||
|
'';
|
||
|
};
|
||
|
}
|