add php config and glue caddy to ttrss

all-packages.nix

@@ -20,6 +20,8 @@ let
     CaddySiteConfig = callPackage ./caddy/siteconfig.nix {inherit utils;};
     mkCaddySiteConfig = callPackage ./caddy/mksiteconfig.nix {inherit CaddySiteConfig;};
 
+    PHPConfig = callPackage ./php/config.nix {inherit utils;};
+
     PHPFPMConfig = callPackage ./php-fpm/config.nix {inherit utils;};
     PHPFPMService = callPackage ./php-fpm/unit.nix {inherit utils;};
     PHPFPMSiteConfig = callPackage ./php-fpm/siteconfig.nix {inherit utils;};
@@ -29,6 +31,7 @@ let
     TtrssConfig = callPackage ./ttrss/config.nix {};
     TtrssUpdateService = callPackage ./ttrss/update.nix {inherit utils;};
     TtrssUpgradeDBService = callPackage ./ttrss/dbupgrade.nix {};
+    TtrssPHPNormalizeHeaders = callPackage ./ttrss/normalize-headers.nix {inherit utils;};
   };
 in
 self

caddy/mksiteconfig.nix

@@ -6,19 +6,19 @@
 , port
 , siteName
 , siteRoot
-, siteSocket ? ""
+, phpFpmSiteSocket ? ""
 }:
 rec {
   inherit name;
   caddySocket = "${CaddyService.runtimeDirectory}/${siteName}.sock";
   pkg = CaddySiteConfig rec {
     inherit (CaddyConfig) siteConfigDir;
+    inherit phpFpmSiteSocket;
 
     portBinding = port;
     bindService = siteName;
     siteSocket = caddySocket;
     serviceRoot = siteRoot;
-    phpFpmSiteSocket = siteSocket;
   };
   type = "fileset";
 }

php-fpm/config.nix

@@ -7,6 +7,8 @@
 , siteConfigDir ? "${configFile}/conf.d"
 , logLevel ? "notice"
 }:
+{ ... # Depends on whatever
+}:
 
 utils.mkConfigFile {
   name = configFile;

php-fpm/mksiteconfig.nix

@@ -3,18 +3,20 @@
 { PHPFPMConfig
 , PHPFPMService
 , name
+, phpConfigDir
 , siteName
 , siteRoot
 , socketUser
 , socketGroup
+, dependsOn
 }:
 rec {
-  inherit name;
+  inherit name dependsOn;
-  siteSocket = "/run/php-fpm/${name}.sock";
+  siteSocket = "/run/php-fpm/${siteName}.sock";
   pkg = PHPFPMSiteConfig {
     inherit (PHPFPMConfig) siteConfigDir;
     inherit (PHPFPMService) user group;
-    inherit siteSocket socketUser socketGroup;
+    inherit siteSocket phpConfigDir socketUser socketGroup;
 
     service = siteName;
     serviceRoot = siteRoot;

php-fpm/siteconfig.nix

@@ -2,7 +2,8 @@
 , pkgs
 , utils
 }:
-{ siteConfigDir
+{ phpConfigDir
+, siteConfigDir
 , service
 , serviceRoot ? "/usr/share/webapps/${service}"
 , user
@@ -18,12 +19,8 @@
 , minSpareServers ? 1
 , maxSpareServers ? 3
 }:
-  
+{ ... # Depends on whatever
-  # user = ${user}
+}:
-  # group = ${group}
-  # 
-  # listen.owner = ${socketUser}
-  # listen.group = ${socketGroup}
 
 utils.mkConfigFile {
   name = "${service}.conf";
@@ -31,8 +28,12 @@ utils.mkConfigFile {
   content = ''
   [${service}]
   
+  user = ${user}
+  group = ${group}
   listen = ${siteSocket}
   listen.allowed_clients = ${allowedClients}
+  listen.owner = ${socketUser}
+  listen.group = ${socketGroup}
   
   env[PATH] = /usr/local/bin:/usr/bin:/bin
   env[TMP] = /tmp

php-fpm/unit.nix

@@ -4,8 +4,8 @@
 }:
 { user ? "http"
 , group ? "http"
-, configDir ? "/etc/php"
+, configFile ? "/etc/php/php-fpm.conf"
-, configFile ? "php-fpm.conf"
+, phpIni ? "/etc/php/php.ini"
 }:
 {...}:
 
@@ -19,10 +19,10 @@ utils.systemd.mkService rec {
   
   [Service]
   Type=notify
-  User=${user}
+  # User=${user}
-  Group=${group}
+  # Group=${group}
   PIDFile=/run/php-fpm/php-fpm.pid
-  ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configDir}/${configFile}
+  ExecStart=${pkgs.php}/bin/php-fpm --nodaemonize --fpm-config ${configFile} --php-ini ${phpIni}
   ExecReload=/bin/kill -USR2 $MAINPID
   RuntimeDirectory=php-fpm
   # ReadWritePaths=/usr/share/webapps/nextcloud/apps

php/config.nix

@@ -0,0 +1,105 @@
+{ stdenv
+, pkgs
+, lib
+, utils
+}:
+{ configDir ? "/etc/php"
+, configFile ? "php.ini"
+, prependFile ? null
+}:
+{ ... # Depends on whatever
+}:
+
+let
+
+  extensions = [
+  #  "bcmath"
+  #  "curl"
+  #  "gd"
+  #  "gmp"
+  #  "iconv"
+  #  "imagick"
+  #  "intl"
+  #  "ldap"
+  #  "pdo_pgsql"
+  #  "pdo_sqlite"
+  #  "pgsql"
+  #  "soap"
+  #  "sqlite3"
+  #  "zip"
+  ];
+
+  zend_extensions = [
+  #  "opcache"
+  ];
+
+  concatWithPrefix = prefix: content:
+    lib.strings.concatMapStrings
+      (x: prefix + x + "\n")
+      content;
+in
+
+utils.mkConfigFile {
+  name = configFile;
+  dir = configDir;
+  content = ''
+  [PHP]
+  engine = On
+  short_open_tag = Off
+  precision = 14
+  output_buffering = 4096
+  zlib.output_compression = Off
+  implicit_flush = Off
+  serialize_precision = -1
+  zend.enable_gc = On
+  zend.exception_ignore_args = On
+  expose_php = Off
+  max_execution_time = 30 ; seconds
+  max_input_time = 60
+  memory_limit = 1024M
+  error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+  display_errors = Off
+  display_startup_errors = Off
+  log_errors = On
+  log_errors_max_len = 1024
+  ignore_repeated_errors = On
+  ignore_repeated_source = On
+  report_memleaks = On
+  error_log = syslog
+  syslog.ident = php
+
+  post_max_size = 8M
+
+  auto_prepend_file = "${if prependFile == null then "" else prependFile}"
+  auto_append_file =
+
+  extension_dir = "/usr/lib/php/modules/"
+
+  ${concatWithPrefix "extension=" extensions}
+  ${concatWithPrefix "zend_extension=" zend_extensions}
+
+  [CLI Server]
+  cli_server.color = On
+
+  ; [PostgreSQL]
+  ; pgsql.allow_persistent = On
+  ; pgsql.auto_reset_persistent = Off
+  ; pgsql.max_persistent = -1
+  ; pgsql.max_links = -1
+  ; pgsql.ignore_notice = 0
+  ; pgsql.log_notice = 0
+
+  ; [Session]
+  ; session.save_handler = redis
+  ; session.save_path = "unix:///run/redis/redis.sock?database=1"
+  ; session.use_strict_mode = 1
+  ; session.use_cookies = 1
+  ; session.use_only_cookies = 1
+
+  ; [opcache]
+  ; opcache.enable=1
+  ; opcache.memory_consumption=128
+  ; opcache.interned_strings_buffer=16
+  ; opcache.max_accelerated_files=20000
+  '';
+}

ttrss/normalize-headers.nix

@@ -0,0 +1,54 @@
+{ stdenv
+, pkgs
+, utils
+}:
+{ configDir ? "/etc/php"
+, configFile ? "normalize-headers.php"
+}:
+
+utils.mkConfigFile {
+  name = configFile;
+  dir = configDir;
+  content = ''
+  <?php
+  
+  $trustedProxies = array(
+    '127.0.0.1',
+    '@'
+  );
+  
+  # phpinfo(INFO_VARIABLES);
+  
+  if (isSet($_SERVER['REMOTE_ADDR'])) {
+  
+    $remote = $_SERVER['REMOTE_ADDR'];
+  
+    $allowedHeaders = array(
+      'HTTP_X_FORWARDED_FOR' => 'REMOTE_ADDR',
+      'HTTP_X_REAL_IP' => 'REMOTE_HOST',
+      'HTTP_X_FORWARDED_PORT' => 'REMOTE_PORT',
+      'HTTP_X_FORWARDED_HTTPS' => 'HTTPS',
+      'HTTP_X_FORWARDED_SERVER_ADDR' => 'SERVER_ADDR',
+      'HTTP_X_FORWARDED_SERVER_NAME' => 'SERVER_NAME',
+      'HTTP_X_FORWARDED_SERVER_PORT' => 'SERVER_PORT',
+      'HTTP_X_FORWARDED_PREFERRED_USERNAME' => 'REMOTE_USER',
+    );
+  
+    if(in_array($remote, $trustedProxies)) {
+      foreach($allowedHeaders as $header => $serverVar) {
+        if(isSet($_SERVER[$header])) {
+          if(isSet($_SERVER[$serverVar])) {
+            $_SERVER["ORIGINAL_$serverVar"] = $_SERVER[$serverVar];
+          }
+  
+          $_SERVER[$serverVar] = explode(',', $_SERVER[$header], 2)[0];
+        }
+      }
+    }
+  
+  }
+
+  # print_r($_REQUEST);
+  
+  '';
+}