nixos/applications/skynet_users.nix

{
  config,
  pkgs,
  lib,
  inputs,
  ...
}:
with lib; let
  cfg = config.services.skynet_users;
  php_pool = "skynet_users";
in {
  imports = [
    ./acme.nix
    ./dns.nix
    ./nginx.nix
  ];

  options.services.skynet_users = {
    host = {
      ip = mkOption {
        type = types.str;
      };
      name = mkOption {
        type = types.str;
      };
    };
  };

  config = {
    # ssh access

    # allow more than admins access
    services.skynet_ldap_client = {
      groups = [
        "skynet-admins-linux"
        "skynet-users-linux"
      ];
    };

    # Website config
    skynet_acme.domains = [
      "users.skynet.ie"
      "*.users.skynet.ie"
    ];

    skynet_dns.records = [
      {
        record = "users";
        r_type = "CNAME";
        value = cfg.host.name;
      }
      {
        record = "*.users";
        r_type = "CNAME";
        value = cfg.host.name;
      }
    ];

    environment.systemPackages = with pkgs; [
      vim
      php
    ];

    networking = {
      defaultGateway = {
        address = lib.mkDefault "193.1.96.161";
        interface = lib.mkDefault "eth1";
      };
    };

    # normally services cannot read home dirs
    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
    systemd.services."phpfpm-${php_pool}".serviceConfig.ProtectHome = lib.mkForce "read-only";

    services.phpfpm.pools.${php_pool} = {
      user = config.services.nginx.user;
      group = config.services.nginx.group;
      settings = {
        "listen.owner" = config.services.nginx.user;
        "pm" = "dynamic";
        "pm.max_children" = 32;
        "pm.max_requests" = 500;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 2;
        "pm.max_spare_servers" = 5;
        "php_admin_value[error_log]" = "stderr";
        "php_admin_flag[log_errors]" = true;
        "catch_workers_output" = true;
      };
      phpEnv."PATH" = lib.makeBinPath [pkgs.php];
    };

    services.nginx.virtualHosts = {
      "${cfg.host.ip}" = {
        forceSSL = true;
        useACMEHost = "skynet";
        locations."/".return = "307 https://skynet.ie";
      };

      # main site
      "*.users.skynet.ie" = {
        forceSSL = true;
        useACMEHost = "skynet";
        serverName = "~^(?<user>.+)\.users\.skynet\.ie";

        # username.users.skynet.ie/
        # user goes:
        #   chmod 711 ~
        #   chmod -R 755 ~/public_html

        locations."/" = {
          alias = "/home/$user/public_html/";
          index = "index.html index.php";
          extraConfig = ''
            autoindex on;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
            include ${pkgs.nginx}/conf/fastcgi.conf;
          '';
          tryFiles = "$uri$args $uri$args/ /index.html /index.php";
        };
      };
    };
  };
}
feat: added a formatter and some instructions 2023-09-17 19:51:08 +00:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`inputs,`
			`...`
			`}:`
			`with lib; let`
			`cfg = config.services.skynet_users;`
feat: got php working for the user server 2024-04-20 02:18:13 +00:00			`php_pool = "skynet_users";`
feat: added a formatter and some instructions 2023-09-17 19:51:08 +00:00			`in {`
feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00			`imports = [`
			`./acme.nix`
			`./dns.nix`
			`./nginx.nix`
			`];`

			`options.services.skynet_users = {`
			`host = {`
			`ip = mkOption {`
			`type = types.str;`
			`};`
			`name = mkOption {`
			`type = types.str;`
			`};`
			`};`
			`};`

			`config = {`
			`# ssh access`

			`# allow more than admins access`
			`services.skynet_ldap_client = {`
			`groups = [`
			`"skynet-admins-linux"`
			`"skynet-users-linux"`
			`];`
			`};`

			`# Website config`
			`skynet_acme.domains = [`
feat: added a formatter and some instructions 2023-09-17 19:51:08 +00:00			`"users.skynet.ie"`
feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00			`"*.users.skynet.ie"`
			`];`

			`skynet_dns.records = [`
feat: added a formatter and some instructions 2023-09-17 19:51:08 +00:00			`{`
			`record = "users";`
			`r_type = "CNAME";`
			`value = cfg.host.name;`
			`}`
			`{`
			`record = "*.users";`
			`r_type = "CNAME";`
			`value = cfg.host.name;`
			`}`
feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00			`];`

feat: add php to the skynet users server 2024-02-28 09:10:57 +00:00			`environment.systemPackages = with pkgs; [`
			`vim`
			`php`
			`];`
add vim 2023-09-28 10:59:51 +00:00
fix: ensure networking remains good 2023-12-22 15:52:34 +00:00			`networking = {`
			`defaultGateway = {`
			`address = lib.mkDefault "193.1.96.161";`
			`interface = lib.mkDefault "eth1";`
			`};`
			`};`
feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00
			`# normally services cannot read home dirs`
feat: added a formatter and some instructions 2023-09-17 19:51:08 +00:00			`systemd.services.nginx.serviceConfig.ProtectHome = "read-only";`
feat: got php working for the user server 2024-04-20 02:18:13 +00:00			`systemd.services."phpfpm-${php_pool}".serviceConfig.ProtectHome = lib.mkForce "read-only";`

			`services.phpfpm.pools.${php_pool} = {`
			`user = config.services.nginx.user;`
			`group = config.services.nginx.group;`
			`settings = {`
			`"listen.owner" = config.services.nginx.user;`
			`"pm" = "dynamic";`
			`"pm.max_children" = 32;`
			`"pm.max_requests" = 500;`
			`"pm.start_servers" = 2;`
			`"pm.min_spare_servers" = 2;`
			`"pm.max_spare_servers" = 5;`
			`"php_admin_value[error_log]" = "stderr";`
			`"php_admin_flag[log_errors]" = true;`
			`"catch_workers_output" = true;`
			`};`
			`phpEnv."PATH" = lib.makeBinPath [pkgs.php];`
			`};`
feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00
			`services.nginx.virtualHosts = {`
fix: redirect root IP's in nginx to skynet.ie 2024-01-31 15:43:18 +00:00			`"${cfg.host.ip}" = {`
			`forceSSL = true;`
			`useACMEHost = "skynet";`
			`locations."/".return = "307 https://skynet.ie";`
			`};`

feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00			`# main site`
			`"*.users.skynet.ie" = {`
			`forceSSL = true;`
			`useACMEHost = "skynet";`
			`serverName = "~^(?<user>.+)\.users\.skynet\.ie";`

			`# username.users.skynet.ie/`
			`# user goes:`
			`# chmod 711 ~`
			`# chmod -R 755 ~/public_html`

			`locations."/" = {`
			`alias = "/home/$user/public_html/";`
feat: got php working for the user server 2024-04-20 02:18:13 +00:00			`index = "index.html index.php";`
			`extraConfig = ''`
			`autoindex on;`
			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`
			`fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};`
			`include ${pkgs.nginx}/conf/fastcgi.conf;`
			`'';`
			`tryFiles = "$uri$args $uri$args/ /index.html /index.php";`
feat: skynet user stuff is now segregated to a server that is untrusted 2023-09-15 23:04:39 +00:00			`};`
			`};`
			`};`
			`};`
feat: added a formatter and some instructions 2023-09-17 19:51:08 +00:00			`}`