diff --git a/Ttrss/update.nix b/Ttrss/update.nix
index 9180fa1..204d501 100644
--- a/Ttrss/update.nix
+++ b/Ttrss/update.nix
@@ -4,13 +4,13 @@
 , utils
 }:
 { document_root
+, user
+, group
 , readOnlyPaths ? []
 , readWritePaths ? []
 , postgresServiceName
 }:
-{ TtrssConfig
-, TtrssPostgresDB
-, ...
+{ ...
 }:
 # Assumptions:
@@ -33,8 +33,8 @@ utils.systemd.mkService rec {
 After=network.target ${postgresServiceName}
 [Service]
- User=${TtrssConfig.user}
- Group=${TtrssConfig.group}
+ User=${user}
+ Group=${group}
 ExecStart=${pkgs.php}/bin/php ${fullPath}/update_daemon2.php
 RuntimeDirectory=${name}
diff --git a/all-packages.nix b/all-packages.nix
index 44ef6ed..7ec426e 100644
--- a/all-packages.nix
+++ b/all-packages.nix
@@ -11,6 +11,10 @@ let self = {
 PostgresDB = callPackage ./PostgresDB {};
+ CaddyConfig = callPackage ./caddy/config.nix {inherit utils;};
+ CaddyService = callPackage ./caddy/unit.nix {inherit utils;};
+ CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};
+
 TtrssEnvironment = callPackage ./Ttrss/environment.nix {};
 TtrssConfig = callPackage ./Ttrss/config.nix {};
 TtrssUpdateService = callPackage ./Ttrss/update.nix {inherit utils;};
diff --git a/caddy/config.nix b/caddy/config.nix
new file mode 100644
index 0000000..857c0e0
--- /dev/null
+++ b/caddy/config.nix
@@ -0,0 +1,22 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ configDir ? "/etc/caddy"
+, configFile ? "Caddyfile"
+, siteConfigDir
+}:
+
+utils.mkConfigFile {
+ name = configFile;
+ dir = configDir;
+ content = ''
+ {
+ # Disable auto https
+ http_port 10001
+ https_port 10002
+ }
+
+ import ${siteConfigDir}/*
+ '';
+}
diff --git a/caddy/siteconfig.nix b/caddy/siteconfig.nix
new file mode 100644
index 0000000..df687a1
--- /dev/null
+++ b/caddy/siteconfig.nix
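Review bot: `user` and `group` become required parameters of the first argument set and are no longer read from `TtrssConfig`, so nothing in this file ties the daemon's runtime identity to the user/group the Ttrss configuration itself uses; if a caller passes a different pair, the update daemon presumably runs under an identity the web-facing files do not expect. A comment at the parameter such as `# must match the user/group TtrssConfig assigns to document_root`, or a default mirroring caddy/unit.nix's `user ? "http"`, would make that contract visible. The second hunk of this file consumes the same parameters, and the enclosing function continues outside the hunk.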
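Review bot: The comment `# Disable auto https` above `http_port 10001` / `https_port 10002` in caddy/config.nix does not describe what those directives do: they only move the ports Caddy listens on, and automatic HTTPS (certificate management and HTTP-to-HTTPS redirects) stays enabled. If the intent is really to turn it off, the global option is `auto_https off`; otherwise rewrite the comment as `# Listen on unprivileged ports` so a reader does not assume TLS automation is disabled. It is also worth a comment that `import ${siteConfigDir}/*` pulls in every file in that directory, so anything written there becomes live configuration on the next reload.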
@@ -0,0 +1,51 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ siteConfigDir
+, runtimeDirectory
+, portBinding
+, bindService
+, useSocket ? false
+, serviceRoot ? "/usr/share/webapps/${bindService}"
+, phpFpmRuntimeDirectory ? "/run/php-fpm"
+, phpFastcgi ? null
+, logLevel ? "WARN"
+}:
+
+let
+ content =
+ [
+ "root * ${serviceRoot}"
+ "file_server"
+ ]
+ ++ (
+ if useSocket
+ then [
+ "bind unix/${runtimeDirectory}/${bindService}.sock"
+ ]
+ else []
+ )
+ ++ (
+ if phpFastcgi
+ then [
+ "php_fastcgi unix/${phpFpmRuntimeDirectory}/${bindService}.sock"
+ ]
+ else []
+ );
+in
+
+utils.mkConfigFile {
+ name = "${bindService}.config";
+ dir = siteConfigDir;
+ content = ''
+ :${builtins.toString portBinding} {
+ ${builtins.concatStringsSep "\n " content}
+
+ log {
+ output stderr
+ level ${logLevel}
+ }
+ }
+ '';
+}
diff --git a/caddy/unit.nix b/caddy/unit.nix
new file mode 100644
index 0000000..60c3242
--- /dev/null
+++ b/caddy/unit.nix
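Review bot: `phpFastcgi ? null` combined with `if phpFastcgi` fails to evaluate with the default, because Nix's `if` requires a Boolean and rejects `null`, so every caller that does not set `phpFastcgi` hits that error. Either default it to `false` or test `if phpFastcgi != null`, and document which the parameter is meant to be (the name reads like a flag, the default like an optional value). Separately, `root * ${serviceRoot}` with an unconditional `file_server` serves the whole application directory; whether that tree contains files that should not be reachable over HTTP (configuration, VCS metadata) depends on the application, which deserves either a comment or a narrower `root`.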
@@ -0,0 +1,81 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ user ? "http"
+, group ? "http"
+, configDir ? "/etc/caddy"
+, configFile ? "Caddyfile"
+}:
+{...}:
+
+utils.systemd.mkService rec {
+ name = "caddy";
+
+ content = ''
+ [Unit]
+ Description=Caddy webserver
+ Documentation=https://caddyserver.com/docs/
+
+ After=network.target network-online.target
+ Wants=network-online.target systemd-networkd-wait-online.target
+
+ StartLimitInterval=14400
+ StartLimitBurst=10
+
+ [Service]
+ Type=notify
+ User=${user}
+ Group=${group}
+ # Environment=XDG_DATA_HOME=/var/lib
+ # Environment=XDG_CONFIG_HOME=${configDir}
+ ExecStart=${pkgs.caddy}/bin/caddy run --environ --config ${configDir}/${configFile}
+ ExecReload=${pkgs.caddy}/bin/caddy reload --config ${configDir}/${configFile}
+
+ # Restart=on-abnormal
+ # # RuntimeDirectory=caddy
+
+ # KillMode=mixed
+ # KillSignal=SIGQUIT
+ TimeoutStopSec=5s
+
+ LimitNOFILE=1048576
+ LimitNPROC=512
+
+ # PrivateDevices=true
+ PrivateTmp=true
+ # ProtectKernelTunables=true
+ # ProtectKernelModules=true
+ # ProtectControlGroups=true
+ # ProtectKernelLogs=true
+ # ProtectHome=true
+ # ProtectHostname=true
+ # ProtectClock=true
+ # RestrictSUIDSGID=true
+ # LockPersonality=true
+ # NoNewPrivileges=true
+
+ # CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+ # ProtectSystem=strict
+ ProtectSystem=full
+ # ReadWritePaths=/var/lib/caddy /var/log/caddy
+
+ [Install]
+ WantedBy=multi-user.target
+ '';
+}
+
+
+# Put this in /etc/caddy/Caddyfile
+
+# {
+# # debug
+#
+# # Disable auto https
+# http_port 10001
+# https_port 10002
+# }
+#
+# import conf.d/*
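Review bot: Most of the sandboxing block (`NoNewPrivileges`, `ProtectHome`, the `ProtectKernel*` lines, `RestrictSUIDSGID`, `CapabilityBoundingSet`, …) is commented out without saying why, so a reader cannot tell whether each directive was disabled because it broke something or simply was never tried; a one-line reason per disabled directive, or deleting the ones that are not being evaluated, would make the intended hardening level clear. `AmbientCapabilities=CAP_NET_BIND_SERVICE` is kept while `CapabilityBoundingSet` is commented out, and since caddy/config.nix listens on 10001/10002 the capability may not be needed at all — if it is not, removing it narrows what the process can do. `# # RuntimeDirectory=caddy` looks like a double-commented leftover, and with `Environment=XDG_DATA_HOME` also commented out it is unclear from this file where Caddy is expected to keep its writable state under `ProtectSystem=full`; a short comment documenting that would help, especially as `ProtectSystem=strict` is suggested but disabled on the line above.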