mail2-nixos-config/postfixadmin.nix

101 lines
3.7 KiB
Nix
Raw Normal View History

2019-05-10 23:21:28 +02:00
{ config, lib, pkgs, ... }:
let
phppoolName = "postfixadmin_pool";
pfaGroup = config.variables.pfaGroup;
pfaUser = config.variables.pfaUser;
postfixadminpkg = config.variables.postfixadminpkg;
pfadminDataDir = config.variables.pfadminDataDir;
cacheDir = config.variables.postfixadminpkgCacheDir;
phpfpmHostPort = config.variables.pfaPhpfpmHostPort;
in
{
# Setup the user and group
users.groups."${pfaGroup}" = { };
users.users."${pfaUser}" = {
isSystemUser = true;
group = "${pfaGroup}";
description = "PHP User for postfixadmin";
};
# Setup nginx
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.enable = true;
services.nginx.virtualHosts."${config.variables.pfaDomain}" = {
forceSSL = config.variables.useSSL;
enableACME = config.variables.useSSL;
root = "${postfixadminpkg}/public";
extraConfig = ''
charset utf-8;
etag off;
add_header etag "\"${builtins.substring 11 32 postfixadminpkg}\"";
2021-05-01 18:42:06 +02:00
add_header Permissions-Policy "interest-cohort=()" always;
2019-05-10 23:21:28 +02:00
index index.php;
location ~* \.php$ {
2021-05-01 18:42:06 +02:00
add_header Permissions-Policy "interest-cohort=()" always;
2019-05-10 23:21:28 +02:00
# Zero-day exploit defense.
# http://forum.nginx.org/read.php?2,88845,page=3
# Won't work properly (404 error) if the file is not stored on this
# server, which is entirely possible with php-fpm/php-fcgi.
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
# another machine. And then cross your fingers that you won't get hacked.
try_files $uri =404;
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php5-cgi alone:
2019-11-29 20:48:13 +01:00
fastcgi_pass unix:${config.services.phpfpm.pools."${phppoolName}".socket};
2019-05-10 23:21:28 +02:00
fastcgi_index index.php;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
fastcgi_param HTTP_PROXY "";
}
'';
};
systemd.services."postfixadmin-setup" = {
serviceConfig.Type = "oneshot";
wantedBy = [ "multi-user.target" ];
script = ''
# Setup the data directory with the database and the cache directory
mkdir -p ${pfadminDataDir}
chmod -c 751 ${pfadminDataDir}
chown -c ${pfaUser}:${pfaGroup} ${pfadminDataDir}
mkdir -p ${cacheDir}/templates_c
chown -Rc ${pfaUser}:${pfaGroup} ${cacheDir}/templates_c
chmod -Rc 751 ${cacheDir}/templates_c
'';
};
services.phpfpm.pools."${phppoolName}" = {
2019-10-11 20:44:59 +02:00
user = "${pfaUser}";
group = "${pfaGroup}";
settings = {
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 10;
"catch_workers_output" = 1;
"listen.owner" = "nginx";
"listen.group" = "nginx";
};
2019-05-10 23:21:28 +02:00
};
}