From f27f124a8fa38d795086eadb8f03ceef0fcef00a Mon Sep 17 00:00:00 2001
From: h7x4
Date: Fri, 30 Jan 2026 02:04:19 +0900
Subject: [PATCH] WIP

---
 hosts/temmie/services/nfs-mounts.nix | 5 +-
 hosts/temmie/services/userweb.nix | 199 ++++++++++++++++++++++++++-
 2 files changed, 194 insertions(+), 10 deletions(-)

diff --git a/hosts/temmie/services/nfs-mounts.nix b/hosts/temmie/services/nfs-mounts.nix
index dd3b751..7fe7956 100644
--- a/hosts/temmie/services/nfs-mounts.nix
+++ b/hosts/temmie/services/nfs-mounts.nix
@@ -1,7 +1,7 @@
 { lib, values, ... }:
 let
 # See microbel:/etc/exports
- letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+ letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 in {
 systemd.targets."pvv-homedirs" = {
@@ -53,9 +53,6 @@ in
 # TODO: are there cgi scripts that modify stuff in peoples homedirs?
 # "ro"
 "rw"
-
- # TODO: can we enable this and still run cgi stuff?
- # "noexec"
 ];
 }) letters) ++ [{
diff --git a/hosts/temmie/services/userweb.nix b/hosts/temmie/services/userweb.nix
index 3cfcebb..327ff61 100644
--- a/hosts/temmie/services/userweb.nix
+++ b/hosts/temmie/services/userweb.nix
@@ -1,27 +1,214 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.httpd;
+
+ # https://nixos.org/manual/nixpkgs/stable/#ssec-php-user-guide-installing-with-extensions
+ phpEnv = pkgs.php.buildEnv {
+ extensions = { all, ... }: with all; [
+ imagick
+ opcache
+ ];
+
+ extraConfig = ''
+ display_errors=0
+ post_max_size = 40M
+ upload_max_filesize = 40M
+ extension=sysvsem.so
+ '';
+ };
+
+ perlEnv = pkgs.perl.withPackages (ps: with ps; [
+ TextPDF
+ ]);
+
+ # https://nixos.org/manual/nixpkgs/stable/#python.buildenv-function
+ pythonEnv = pkgs.python3.buildEnv.override {
+ extraLibs = with pkgs.python3Packages; [
+ matplotlib
+ requests
+ ];
+ ignoreCollisions = true;
+ };
+
+ # https://nixos.org/manual/nixpkgs/stable/#sec-building-environment
+ fhsEnv = pkgs.buildEnv {
+ name = "userweb-env";
+ paths = with pkgs; [
+ bash
+ coreutils-full
+
+ perlEnv
+ phpEnv
+ pythonEnv
+
+ gnused
+ gawk
+ file
+ diffutils
+ gnugrep
+ util-linux
+ iproute2
+ curl
+ less
+
+ gnuplot
+ system-sendmail
+ ];
+
+ extraOutputsToInstall = [
+ "man"
+ "doc"
+ ];
+ };
+in {
 services.httpd = {
 enable = true;
+ adminAddr = "drift@pvv.ntnu.no";
- # extraModules = [];
+ # TODO: consider upstreaming systemd support
+ package = pkgs.apacheHttpd.overrideAttrs (prev: {
+ nativeBuildInputs = prev.nativeBuildInputs ++ [ pkgs.pkg-config ];
+ buildInputs = prev.buildInputs ++ [ pkgs.systemdLibs ];
+ configureFlags = prev.configureFlags ++ [ "--enable-systemd" ];
+ });
+
+ enablePHP = true;
+ phpPackage = phpEnv;
+
+ enablePerl = true;
+
+ extraModules = [
+ "systemd"
+ "userdir"
+ # TODO: I think the compilation steps of pkgs.apacheHttpdPackages.mod_perl might have some
+ # incorrect or restrictive assumptions upstream, either nixpkgs or source
+ # {
+ # name = "perl";
+ # path = let
+ # mod_perl = pkgs.apacheHttpdPackages.mod_perl.override {
+ # apacheHttpd = cfg.package.out;
+ # perl = perlEnv;
+ # };
+ # in "${mod_perl}/modules/mod_perl.so";
+ # }
+ ]; #
virtualHosts."userweb.pvv.ntnu.no" = {
 virtualHosts."temmie.pvv.ntnu.no" = {
- forceSSL = true;
 enableACME = true;
+
+ extraConfig = ''
+ UserDir /home/pvv-merged/*/web-docs
+ UserDir disabled root
+ UserDir enabled oysteikt
+ AddHandler cgi-script .cgi
+
+
+ Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
+ AllowOverride All
+ Require all granted
+
+ '';
 };
 };
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ systemd.sockets.httpd = {
+ wantedBy = [ "sockets.target" ];
+ description = "HTTPD socket";
+ listenStreams = [
+ "0.0.0.0:80"
+ "0.0.0.0:443"
+ ];
+ };
+
 systemd.services.httpd = {
 after = [ "pvv-homedirs.target" ];
 requires = [ "pvv-homedirs.target" ];
+ environment = {
+ PATH = lib.mkForce "/usr/bin";
+ };
+
 serviceConfig = {
- ProtectHome = "tmpfs";
+ Type = lib.mkForce "notify";
+
+ ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
+ ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
+ ExecStop = lib.mkForce "";
+ KillMode = "mixed";
+
+ ConfigurationDirectory = [ "httpd" ];
+ LogsDirectory = [ "httpd" ];
+
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectSystem = true;
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ "AF_NETLINK"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SocketBindDeny = "any";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ ];
+
+ RuntimeDirectory = [ "httpd/root-mnt" ];
+ RootDirectory = "/run/httpd/root-mnt";
+ MountAPIVFS = true;
+ BindReadOnlyPaths = [
+ builtins.storeDir
+ "/etc"
+ "/var/lib/acme"
+
+ "${fhsEnv}/bin:/bin"
+ "${fhsEnv}/sbin:/sbin"
+ "${fhsEnv}/lib:/lib"
+ "${fhsEnv}/share:/share"
+ ]
++ (lib.mapCartesianProduct ({ parent, child }: "${fhsEnv}${child}:${parent}${child}") {
+ parent = [
+ "/local"
+ "/opt"
+ "/opt/local"
+ "/store"
+ "/store/gnu"
+ "/usr"
+ "/usr/local"
+ ];
+ child = [
+ "/bin"
+ "/sbin"
+ "/lib"
+ "/libexec"
+ "/include"
+ "/share"
+ ];
+ });
 BindPaths = let
- letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
- in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+ homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+ in (map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters) ++ [
+ "/run/pvv-home-mounts-merged:/home/pvv-merged/"
+ ];
 };
 };