102 lines
3.7 KiB
Nix
102 lines
3.7 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
phppoolName = "postfixadmin_pool";
|
|
pfaGroup = config.variables.pfaGroup;
|
|
pfaUser = config.variables.pfaUser;
|
|
postfixadminpkg = config.variables.postfixadminpkg;
|
|
pfadminDataDir = config.variables.pfadminDataDir;
|
|
cacheDir = config.variables.postfixadminpkgCacheDir;
|
|
phpfpmHostPort = config.variables.pfaPhpfpmHostPort;
|
|
in
|
|
{
|
|
# Setup the user and group
|
|
users.groups."${pfaGroup}" = { };
|
|
users.users."${pfaUser}" = {
|
|
isSystemUser = true;
|
|
group = "${pfaGroup}";
|
|
extraGroups = [ "dovecot2" ];
|
|
description = "PHP User for postfixadmin";
|
|
};
|
|
|
|
# Setup nginx
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
services.nginx.enable = true;
|
|
services.nginx.virtualHosts."${config.variables.pfaDomain}" = {
|
|
forceSSL = config.variables.useSSL;
|
|
enableACME = config.variables.useSSL;
|
|
root = "${postfixadminpkg}/public";
|
|
extraConfig = ''
|
|
charset utf-8;
|
|
|
|
etag off;
|
|
add_header etag "\"${builtins.substring 11 32 postfixadminpkg}\"";
|
|
add_header Permissions-Policy "interest-cohort=()" always;
|
|
|
|
index index.php;
|
|
|
|
location ~* \.php$ {
|
|
add_header Permissions-Policy "interest-cohort=()" always;
|
|
# Zero-day exploit defense.
|
|
# http://forum.nginx.org/read.php?2,88845,page=3
|
|
# Won't work properly (404 error) if the file is not stored on this
|
|
# server, which is entirely possible with php-fpm/php-fcgi.
|
|
# Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
|
|
# another machine. And then cross your fingers that you won't get hacked.
|
|
try_files $uri =404;
|
|
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
# With php5-cgi alone:
|
|
fastcgi_pass unix:${config.services.phpfpm.pools."${phppoolName}".socket};
|
|
fastcgi_index index.php;
|
|
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
|
|
fastcgi_param SERVER_SOFTWARE nginx;
|
|
fastcgi_param QUERY_STRING $query_string;
|
|
fastcgi_param REQUEST_METHOD $request_method;
|
|
fastcgi_param CONTENT_TYPE $content_type;
|
|
fastcgi_param CONTENT_LENGTH $content_length;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
|
|
fastcgi_param REQUEST_URI $request_uri;
|
|
fastcgi_param DOCUMENT_URI $document_uri;
|
|
fastcgi_param DOCUMENT_ROOT $document_root;
|
|
fastcgi_param SERVER_PROTOCOL $server_protocol;
|
|
fastcgi_param REMOTE_ADDR $remote_addr;
|
|
fastcgi_param REMOTE_PORT $remote_port;
|
|
fastcgi_param SERVER_ADDR $server_addr;
|
|
fastcgi_param SERVER_PORT $server_port;
|
|
fastcgi_param SERVER_NAME $server_name;
|
|
fastcgi_param HTTP_PROXY "";
|
|
}
|
|
'';
|
|
};
|
|
systemd.services."postfixadmin-setup" = {
|
|
serviceConfig.Type = "oneshot";
|
|
wantedBy = [ "multi-user.target" ];
|
|
script = ''
|
|
# Setup the data directory with the database and the cache directory
|
|
mkdir -p ${pfadminDataDir}
|
|
chmod -c 751 ${pfadminDataDir}
|
|
chown -c ${pfaUser}:${pfaGroup} ${pfadminDataDir}
|
|
|
|
mkdir -p ${cacheDir}/templates_c
|
|
chown -Rc ${pfaUser}:${pfaGroup} ${cacheDir}/templates_c
|
|
chmod -Rc 751 ${cacheDir}/templates_c
|
|
'';
|
|
};
|
|
services.phpfpm.pools."${phppoolName}" = {
|
|
user = "${pfaUser}";
|
|
group = "${pfaGroup}";
|
|
settings = {
|
|
"pm" = "dynamic";
|
|
"pm.max_children" = 75;
|
|
"pm.min_spare_servers" = 5;
|
|
"pm.max_spare_servers" = 20;
|
|
"pm.max_requests" = 10;
|
|
"catch_workers_output" = 1;
|
|
"listen.owner" = "nginx";
|
|
"listen.group" = "nginx";
|
|
};
|
|
};
|
|
}
|