add php config and glue caddy to ttrss

2022-09-14 20:46:14 -07:00 · 2022-09-14 20:46:14 -07:00 · dccf16115b
commit dccf16115b
parent 66c20993a9
8 changed files with 184 additions and 17 deletions
--- a/all-packages.nix
+++ b/all-packages.nix
@ -20,6 +20,8 @@ let
    CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};
    mkCaddySiteConfig = callPackage ./caddy/mksiteconfig.nix {inherit CaddySiteConfig;};

+    PHPConfig = callPackage ./php/config.nix {inherit utils;};
+
    PHPFPMConfig = callPackage ./php-fpm/config.nix {inherit utils;};
    PHPFPMService = callPackage ./php-fpm/unit.nix {inherit utils;};
    PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;};
@ -29,6 +31,7 @@ let
    TtrssConfig = callPackage ./ttrss/config.nix {};
    TtrssUpdateService = callPackage ./ttrss/update.nix {inherit utils;};
    TtrssUpgradeDBService = callPackage ./ttrss/dbupgrade.nix {};
+    TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;};
  };
 in
 self
--- a/caddy/mksiteconfig.nix
+++ b/caddy/mksiteconfig.nix
@ -6,19 +6,19 @@
 , port
 , siteName
 , siteRoot
-, siteSocket ? ""
+, phpFpmSiteSocket ? ""
 }:
 rec {
  inherit name;
  caddySocket = "${CaddyService.runtimeDirectory}/${siteName}.sock";
  pkg = CaddySiteConfig rec {
    inherit (CaddyConfig) siteConfigDir;
+    inherit phpFpmSiteSocket;

    portBinding = port;
    bindService = siteName;
    siteSocket = caddySocket;
    serviceRoot = siteRoot;
-    phpFpmSiteSocket = siteSocket;
  };
  type = "fileset";
 }
--- a/php-fpm/config.nix
+++ b/php-fpm/config.nix
@ -7,6 +7,8 @@
 , siteConfigDir ? "${configFile}/conf.d"
 , logLevel ? "notice"
 }:
+{ ... # Depends on whatever
+}:

 utils.mkConfigFile {
  name = configFile;
--- a/php-fpm/mksiteconfig.nix
+++ b/php-fpm/mksiteconfig.nix
@ -3,18 +3,20 @@
 { PHPFPMConfig
 , PHPFPMService
 , name
+, phpConfigDir
 , siteName
 , siteRoot
 , socketUser
 , socketGroup
+, dependsOn
 }:
 rec {
-  inherit name;
-  siteSocket = "/run/php-fpm/${name}.sock";
+  inherit name dependsOn;
+  siteSocket = "/run/php-fpm/${siteName}.sock";
  pkg = PHPFPMSiteConfig {
    inherit (PHPFPMConfig) siteConfigDir;
    inherit (PHPFPMService) user group;
-    inherit siteSocket socketUser socketGroup;
+    inherit siteSocket phpConfigDir socketUser socketGroup;

    service = siteName;
    serviceRoot = siteRoot;
--- a/php-fpm/siteconfig.nix
+++ b/php-fpm/siteconfig.nix
@ -2,7 +2,8 @@
 , pkgs
 , utils
 }:
-{ siteConfigDir
+{ phpConfigDir
+, siteConfigDir
 , service
 , serviceRoot ? "/usr/share/webapps/${service}"
 , user
@ -18,12 +19,8 @@
 , minSpareServers ? 1
 , maxSpareServers ? 3
 }:
-  
-  # user = ${user}
-  # group = ${group}
-  # 
-  # listen.owner = ${socketUser}
-  # listen.group = ${socketGroup}
+{ ... # Depends on whatever
+}:

 utils.mkConfigFile {
  name = "${service}.conf";
@ -31,8 +28,12 @@ utils.mkConfigFile {
  content = ''
  [${service}]
  
+  user = ${user}
+  group = ${group}
  listen = ${siteSocket}
  listen.allowed_clients = ${allowedClients}
+  listen.owner = ${socketUser}
+  listen.group = ${socketGroup}
  
  env[PATH] = /usr/local/bin:/usr/bin:/bin
  env[TMP] = /tmp
--- a/php-fpm/unit.nix
+++ b/php-fpm/unit.nix
@ -4,8 +4,8 @@
 }:
 { user ? "http"
 , group ? "http"
-, configDir ? "/etc/php"
-, configFile ? "php-fpm.conf"
+, configFile ? "/etc/php/php-fpm.conf"
+, phpIni ? "/etc/php/php.ini"
 }:
 {...}:

@ -19,10 +19,10 @@ utils.systemd.mkService rec {
  
  [Service]
  Type=notify
-  User=${user}
-  Group=${group}
+  # User=${user}
+  # Group=${group}
  PIDFile=/run/php-fpm/php-fpm.pid
-  ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configDir}/${configFile}
+  ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configFile} --php-ini ${phpIni}
  ExecReload=/bin/kill -USR2 $MAINPID
  RuntimeDirectory=php-fpm
  # ReadWritePaths=/usr/share/webapps/nextcloud/apps
--- a/php/config.nix
+++ b/php/config.nix
@ -0,0 +1,105 @@
+{ stdenv
+, pkgs
+, lib
+, utils
+}:
+{ configDir ? "/etc/php"
+, configFile ? "php.ini"
+, prependFile ? null
+}:
+{ ... # Depends on whatever
+}:
+
+let
+
+  extensions = [
+  #  "bcmath"
+  #  "curl"
+  #  "gd"
+  #  "gmp"
+  #  "iconv"
+  #  "imagick"
+  #  "intl"
+  #  "ldap"
+  #  "pdo_pgsql"
+  #  "pdo_sqlite"
+  #  "pgsql"
+  #  "soap"
+  #  "sqlite3"
+  #  "zip"
+  ];
+
+  zend_extensions = [
+  #  "opcache"
+  ];
+
+  concatWithPrefix = prefix: content:
+    lib.strings.concatMapStrings
+      (x: prefix + x + "\n")
+      content;
+in
+
+utils.mkConfigFile {
+  name = configFile;
+  dir = configDir;
+  content = ''
+  [PHP]
+  engine = On
+  short_open_tag = Off
+  precision = 14
+  output_buffering = 4096
+  zlib.output_compression = Off
+  implicit_flush = Off
+  serialize_precision = -1
+  zend.enable_gc = On
+  zend.exception_ignore_args = On
+  expose_php = Off
+  max_execution_time = 30 ; seconds
+  max_input_time = 60
+  memory_limit = 1024M
+  error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+  display_errors = Off
+  display_startup_errors = Off
+  log_errors = On
+  log_errors_max_len = 1024
+  ignore_repeated_errors = On
+  ignore_repeated_source = On
+  report_memleaks = On
+  error_log = syslog
+  syslog.ident = php
+
+  post_max_size = 8M
+
+  auto_prepend_file = "${if prependFile == null then "" else prependFile}"
+  auto_append_file =
+
+  extension_dir = "/usr/lib/php/modules/"
+
+  ${concatWithPrefix "extension=" extensions}
+  ${concatWithPrefix "zend_extension=" zend_extensions}
+
+  [CLI Server]
+  cli_server.color = On
+
+  ; [PostgreSQL]
+  ; pgsql.allow_persistent = On
+  ; pgsql.auto_reset_persistent = Off
+  ; pgsql.max_persistent = -1
+  ; pgsql.max_links = -1
+  ; pgsql.ignore_notice = 0
+  ; pgsql.log_notice = 0
+
+  ; [Session]
+  ; session.save_handler = redis
+  ; session.save_path = "unix:///run/redis/redis.sock?database=1"
+  ; session.use_strict_mode = 1
+  ; session.use_cookies = 1
+  ; session.use_only_cookies = 1
+
+  ; [opcache]
+  ; opcache.enable=1
+  ; opcache.memory_consumption=128
+  ; opcache.interned_strings_buffer=16
+  ; opcache.max_accelerated_files=20000
+  '';
+}
--- a/ttrss/normalize-headers.nix
+++ b/ttrss/normalize-headers.nix
@ -0,0 +1,54 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ configDir ? "/etc/php"
+, configFile ? "normalize-headers.php"
+}:
+
+utils.mkConfigFile {
+  name = configFile;
+  dir = configDir;
+  content = ''
+  <?php
+  
+  $trustedProxies = array(
+    '127.0.0.1',
+    '@'
+  );
+  
+  # phpinfo(INFO_VARIABLES);
+  
+  if (isSet($_SERVER['REMOTE_ADDR'])) {
+  
+    $remote = $_SERVER['REMOTE_ADDR'];
+  
+    $allowedHeaders = array(
+      'HTTP_X_FORWARDED_FOR' => 'REMOTE_ADDR',
+      'HTTP_X_REAL_IP' => 'REMOTE_HOST',
+      'HTTP_X_FORWARDED_PORT' => 'REMOTE_PORT',
+      'HTTP_X_FORWARDED_HTTPS' => 'HTTPS',
+      'HTTP_X_FORWARDED_SERVER_ADDR' => 'SERVER_ADDR',
+      'HTTP_X_FORWARDED_SERVER_NAME' => 'SERVER_NAME',
+      'HTTP_X_FORWARDED_SERVER_PORT' => 'SERVER_PORT',
+      'HTTP_X_FORWARDED_PREFERRED_USERNAME' => 'REMOTE_USER',
+    );
+  
+    if(in_array($remote, $trustedProxies)) {
+      foreach($allowedHeaders as $header => $serverVar) {
+        if(isSet($_SERVER[$header])) {
+          if(isSet($_SERVER[$serverVar])) {
+            $_SERVER["ORIGINAL_$serverVar"] = $_SERVER[$serverVar];
+          }
+  
+          $_SERVER[$serverVar] = explode(',', $_SERVER[$header], 2)[0];
+        }
+      }
+    }
+  
+  }
+
+  # print_r($_REQUEST);
+  
+  '';
+}