WIP

hosts/temmie/services/nfs-mounts.nix

@@ -1,60 +1,76 @@
 { lib, values, ... }:
 let
   # See microbel:/etc/exports
-  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+  letters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
 in
 {
   systemd.targets."pvv-homedirs" = {
     description = "PVV Homedir Partitions";
   };
 
-  systemd.mounts = map (l: {
-    description = "PVV Homedir Partition ${l}";
+  systemd.mounts =
+    (map (l: {
+      description = "PVV Homedir Partition ${l}";
 
-    before = [ "remote-fs.target" ];
-    wantedBy = [ "multi-user.target" ];
-    requiredBy = [ "pvv-homedirs.target" ];
+      before = [ "remote-fs.target" ];
+      wantedBy = [ "multi-user.target" ];
+      requiredBy = [ "pvv-homedirs.target" ];
 
-    type = "nfs";
-    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
-    where = "/run/pvv-home-mounts/${l}";
+      type = "nfs";
+      what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
+      where = "/run/pvv-home-mounts/${l}";
 
-    options = lib.concatStringsSep "," [
-      "nfsvers=3"
+      options = lib.concatStringsSep "," [
+        "nfsvers=3"
 
-      # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
-      #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
-      #       NFS which exact address to use here, despite it being specified in the `what` attr :\
-      "proto=tcp"
-      "addr=${values.hosts.microbel.ipv4}"
-      "mountproto=tcp"
-      "mounthost=${values.hosts.microbel.ipv4}"
-      "port=2049"
+        # NOTE: this is a bit unfortunate. The address above seems to resolve to IPv6 sometimes,
+        #       and it doesn't seem possible to specify proto=tcp,tcp6, meaning we have to tell
+        #       NFS which exact address to use here, despite it being specified in the `what` attr :\
+        "proto=tcp"
+        "addr=${values.hosts.microbel.ipv4}"
+        "mountproto=tcp"
+        "mounthost=${values.hosts.microbel.ipv4}"
+        "port=2049"
 
-      # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
-      #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
-      #       quite sure how to fix it. Living life on dangerous mode for now.
-      "nolock"
+        # NOTE: this is yet more unfortunate. When enabling locking, it will sometimes complain about connection failed.
+        #       dmesg(1) reveals that it has something to do with registering the lockdv1 RPC service (errno: 111), not
+        #       quite sure how to fix it. Living life on dangerous mode for now.
+        "nolock"
 
-      # Don't wait on every read/write
-      "async"
+        # Don't wait on every read/write
+        "async"
 
-      # Always keep mounted
-      "noauto"
+        # Always keep mounted
+        "noauto"
 
-      # We don't want to update access time constantly
-      "noatime"
+        # We don't want to update access time constantly
+        "noatime"
 
-      # No SUID/SGID, no special devices
-      "nosuid"
-      "nodev"
+        # No SUID/SGID, no special devices
+        "nosuid"
+        "nodev"
 
-      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
-      # "ro"
-      "rw"
+        # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+        # "ro"
+        "rw"
 
-      # TODO: can we enable this and still run cgi stuff?
-      # "noexec"
-    ];
-  }) letters;
+        # TODO: can we enable this and still run cgi stuff?
+        # "noexec"
+      ];
+    }) letters)
+    ++ [{
+      description = "PVV Merged Homedir OverlayFS";
+
+      after = [ "remote-fs.target" ];
+      wantedBy = [ "multi-user.target" ];
+      requiredBy = [ "pvv-homedirs.target" ];
+
+      type = "overlay";
+      what = "overlay";
+      where = "/run/pvv-home-mounts-merged";
+
+      options = lib.concatStringsSep "," [
+        "lowerdir=${lib.concatMapStringsSep ":" (l: "/run/pvv-home-mounts/${l}") letters}"
+      ];
+    }];
 }

hosts/temmie/services/userweb.nix

@@ -1,18 +1,51 @@
-{ ... }:
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.httpd;
+in
 {
   services.httpd = {
     enable = true;
+    adminAddr = "drift@pvv.ntnu.no";
 
-    # extraModules = [];
+    enablePHP = true;
+    phpPackage = pkgs.php.buildEnv {
+      extraConfig = ''
+        display_errors=0
+        post_max_size = 40M
+        upload_max_filesize = 40M
+        extension=sysvsem.so
+      '';
+    };
+
+    # enablePerl = true;
+
+    extraModules = [ "userdir" ];
 
     # virtualHosts."userweb.pvv.ntnu.no" = {
     virtualHosts."temmie.pvv.ntnu.no" = {
-
       forceSSL = true;
       enableACME = true;
+
+      extraConfig = ''
+        UserDir /home/pvv-merged/*/web-docs
+        UserDir disabled root
+        UserDir enabled oysteikt
+        AddHandler cgi-script .cgi
+
+        <Directory "/home/pvv-merged/*/web-docs">
+          Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI IncludesNoExec
+          AllowOverride All
+          Require all granted
+        </Directory>
+      '';
     };
   };
 
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
   systemd.services.httpd = {
     after = [ "pvv-homedirs.target" ];
     requires = [ "pvv-homedirs.target" ];
@@ -20,8 +53,10 @@
     serviceConfig = {
       ProtectHome = "tmpfs";
       BindPaths = let
-        letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
-      in map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") letters;
+        homeLetters = [ "a" "b" "c" "d" "h" "i" "j" "k" "l" "m" "z" ];
+      in (map (l: "/run/pvv-home-mounts/${l}:/home/pvv/${l}") homeLetters) ++ [
+        "/run/pvv-home-mounts-merged:/home/pvv-merged/"
+      ];
     };
   };