From 2df9344303698e9a3bb30f2d4d2bfa1dd335797d Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Tue, 17 Nov 2020 03:14:04 +0000 Subject: [PATCH] totoro: set up pancake --- ops/nixos/clouvider-fra01/default.nix | 2 +- ops/nixos/totoro/default.nix | 84 +++++++++++++++++++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/ops/nixos/clouvider-fra01/default.nix b/ops/nixos/clouvider-fra01/default.nix index aa6598b4ea..b2068f0c10 100644 --- a/ops/nixos/clouvider-fra01/default.nix +++ b/ops/nixos/clouvider-fra01/default.nix @@ -175,7 +175,7 @@ in { certs."int.lukegb.com" = { domain = "*.int.lukegb.com"; dnsProvider = "cloudflare"; - credentialsFile = machineSecrets.cloudflareCredentials; + credentialsFile = secrets.cloudflareCredentials; extraDomainNames = ["int.lukegb.com"]; postRun = '' systemctl reload nginx diff --git a/ops/nixos/totoro/default.nix b/ops/nixos/totoro/default.nix index c597e77b6b..90f9b867eb 100644 --- a/ops/nixos/totoro/default.nix +++ b/ops/nixos/totoro/default.nix @@ -83,6 +83,15 @@ in { packages = with depot.pkgs; [ irssi ]; extraGroups = lib.mkAfter [ "libvirtd" ]; }; + users.users.pancake = { + isSystemUser = true; + group = "pancake"; + home = "/srv/pancake"; + }; + users.users.nginx.extraGroups = lib.mkAfter [ "acme" ]; + users.groups.pancake = { + members = ["pancake" "nginx"]; + }; networking.firewall.allowedTCPPorts = [ 80 443 ]; 
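Review bot: The `secrets` binding that replaces `machineSecrets` on the `credentialsFile` line is declared outside this hunk, so it is not visible whether it is a shared per-deployment secret set or merely a renamed machine-local one; if it is shared, the same Cloudflare token is now deployed to this host and to totoro for DNS-01 challenges on what is presumably one Cloudflare account, which widens the token's blast radius if either host is compromised. Worth confirming the token is an API token scoped to Zone:DNS:Edit on the one zone rather than an account-wide key, and that `secrets.cloudflareCredentials` resolves to a runtime path readable by the `acme` user rather than a Nix-store path, since the store is world-readable. The enclosing `security.acme` block starts before this hunk.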
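Review bot: Adding `nginx` to the `pancake` group (`members = ["pancake" "nginx"]`) gives the web server read access to every group-readable file under `/srv/pancake`, not only `public_html`; if the application keeps its configuration or database credentials outside `public_html` with group-readable modes, nginx can read them, which the hunk cannot rule out. Either keep non-public files 0600/0700 owned by `pancake`, or grant nginx access to just the document root (e.g. an ACL on `public_html`) instead of whole-group membership. Also, `home = "/srv/pancake"` is set without `createHome`, and no tmpfiles rule creating the directory is visible in this hunk; a rule such as `"d /srv/pancake 0750 pancake pancake -"` next to the existing `systemd.tmpfiles.rules` would make ownership and mode explicit rather than depending on a manually created directory.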
@@ -90,6 +99,81 @@ in { "L /var/lib/export - - - - /export" ]; + services.nginx = { + enable = true; + virtualHosts = { + "invoices.lukegb.com" = let + fastcgi = { + extraConfig = '' + rewrite ^(.*)$ /index.php break; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + fastcgi_pass unix:${config.services.phpfpm.pools.pancake.socket}; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + ''; + }; + in { + root = "/srv/pancake/public_html"; + useACMEHost = "invoices.lukegb.com"; + forceSSL = true; + locations."/" = { + tryFiles = "$uri $uri/ @router"; + index = "index.html index.php"; + extraConfig = '' + error_page 403 = @router; + error_page 404 = @router; + ''; + }; + locations."~ (.php|\\/[^./]+)$" = fastcgi; + locations."@router" = fastcgi; + }; + }; + }; + services.phpfpm = let settingsBase = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + }; in { + pools.pancake = { + user = "pancake"; + group = "pancake"; + settings = settingsBase; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; + }; + }; + services.mysql = { + enable = true; + package = pkgs.mariadb; + ensureDatabases = ["pancake"]; + ensureUsers = [{ + name = "pancake"; + ensurePermissions = { + "pancake.*" = "ALL PRIVILEGES"; + }; + }]; + }; + + security.acme = { + acceptTerms = true; + email = "letsencrypt@lukegb.com"; + certs."invoices.lukegb.com" = { + domain = "invoices.lukegb.com"; + dnsProvider = "cloudflare"; + credentialsFile = secrets.cloudflareCredentials; + postRun = '' + systemctl reload nginx + ''; + }; + }; + services.prometheus = { enable = true; stateDir = "export/monitoring/prometheus";
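Review bot: `locations."/"` uses `tryFiles = "$uri $uri/ @router"`, so any file that exists under `/srv/pancake/public_html` is served verbatim before the request reaches `@router`, and nothing in the vhost denies dotfiles (`.git`, `.env`, `.htaccess`) or other non-public artefacts that may end up in the document root. A guard such as `locations."~ /\\." = { extraConfig = "deny all;"; };` closes that (ordering among regex locations matters, so check the generated config puts it ahead of the PHP location). The PHP location regex `~ (.php|\\/[^./]+)$` also leaves the dot unescaped, so it matches any path ending in `php` (e.g. `/xphp`); because the `rewrite ^(.*)$ /index.php break;` sends everything to `/index.php` this is harmless today, but `\\.php` states the intent. Separately, `credentialsFile = secrets.cloudflareCredentials` is resolved outside this hunk; if `secrets` is evaluated into the Nix store the Cloudflare token becomes world-readable, so confirm it is a runtime path readable only by the `acme` user. An `php_admin_value[open_basedir]` entry in `settingsBase` restricting the pool to `/srv/pancake` and a temp dir would be a cheap hardening, though whether the application tolerates it cannot be told from here.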