Build new nix {module,package,flake}. Adapt to new config variables

Co-authored-by: h7x4 <h7x4@nani.wtf>

.gitignore

@@ -1,3 +1,4 @@
+/result
 /config.php
 *.sqlite
 /test.sql

dev.bat

@@ -1,11 +0,0 @@
-REM php og sqlite3 må være tilgjengelig i PATH
-
-IF EXIST "sql_config.php" goto config_end
-cp sql_config_example.php sql_config.php 
-:config_end
-
-IF EXIST "pvv.sqlite" goto sqlite_end
-sqlite3 pvv.sqlite < pvv.sql
-:sqlite_end
-
-php -S [::1]:1080 -t www/ -c php.ini

dev.sh

@@ -1,18 +0,0 @@
-#!/bin/sh
-
-which sqlite3 > /dev/null 2>&1 || (echo ERROR: sqlite not found; false) || exit 1
-test ! -e pvv.sqlite && sqlite3 pvv.sqlite < dist/pvv.sql
-test ! -e sql_config.php && cp -v dist/sql_config_example.php sql_config.php
-
-test -e composer.phar || curl -O https://getcomposer.org/composer.phar
-
-if test ! -d vendor; then
-	php composer.phar install || exit $?
-	cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
-	cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-	cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
-	sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array('localhost:1080')/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
-	ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
-fi
-
-php -S ${DOCKER_HOST:-[::1]}:${DOCKER_PORT:-1080} -d error_reporting=E_ALL -d display_errors=1 -t www/

dist/config.example.php

@@ -1,15 +0,0 @@
-<?php
-
-$DB_DSN = 'sqlite:'.__DIR__.DIRECTORY_SEPARATOR.'pvv.sqlite';
-$DB_USER = null;
-$DB_PASSWORD = null;
-
-$DOOR_SECRET = "changeme";
-
-$GALLERY_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'gallery'.DIRECTORY_SEPARATOR.'pics';
-$GALLERY_SERVER_PATH = '/images/gallery/';
-
-$SLIDESHOW_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'gallery'.DIRECTORY_SEPARATOR.'pics';
-$SLIDSHOW_SERVER_PATH = '/images/slideshow/';
-
-?>

dist/config.local.php

@@ -0,0 +1,24 @@
+<?php
+
+$DB_DSN = 'sqlite:'.__DIR__.DIRECTORY_SEPARATOR.'pvv.sqlite';
+$DB_USER = null;
+$DB_PASS = null;
+
+$DOOR_SECRET = "changeme";
+
+$GALLERY_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'galleri'.DIRECTORY_SEPARATOR.'bilder'.DIRECTORY_SEPARATOR.'gallery';
+$GALLERY_SERVER_PATH = '/images/gallery/';
+
+$SLIDESHOW_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'galleri'.DIRECTORY_SEPARATOR.'bilder'.DIRECTORY_SEPARATOR.'slideshow';
+$SLIDESHOW_SERVER_PATH = '/images/slideshow/';
+
+$SAML_COOKIE_SALT = 'changeme';
+$SAML_COOKIE_SECURE = false;
+$SAML_TRUSTED_DOMAINS = array("localhost:1080");
+$SAML_ADMIN_PASSWORD = "changeme";
+$SAML_ADMIN_NAME = 'PVV Drift';
+$SAML_ADMIN_EMAIL = 'drift@pvv.ntnu.no';
+
+$CACHE_DIRECTORY = __DIR__.DIRECTORY_SEPARATOR.'cache';
+
+?>

dist/config.source-env.php

@@ -0,0 +1,6 @@
+<?php
+
+$configFile = getenv('PVV_CONFIG_FILE');
+require_once($configFile);
+
+?>

flake.nix

@@ -12,62 +12,30 @@
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);
-  in {
-    packages = forAllSystems (system: let
+    forAllSystems = f: nixpkgs.lib.genAttrs systems (system: let
       pkgs = nixpkgs.legacyPackages.${system};
-      php = pkgs.php83;
-    in {
+    in f system pkgs);
+  in {
+    packages = forAllSystems (system: pkgs: {
       default = self.packages.${system}.pvv-nettsiden;
-      pvv-nettsiden = php.buildComposerProject (finalAttrs: {
-        src = ./.;
-        pname = "pvv-nettsiden";
-        version = "0.0.1";
-        vendorHash = "sha256-DSn0ifj7Hjjia1SF/1wfziD/IdsiOES8XNDVz3F/cTI=";
-      });
+      pvv-nettsiden = pkgs.callPackage ./nix/package.nix { php = pkgs.php82; };
     });
-    devShells = forAllSystems (system: rec {
-      pkgs = import nixpkgs { inherit system; };
-      default = pkgs.mkShellNoCC {
-        buildInputs = with pkgs; [
-          php82
-          (with php82Extensions; [
-            iconv
-            mbstring
-            pdo_mysql
-            pdo_sqlite
-          ])
-          sqlite
-          git
-        ];
-        shellHook = ''
-          export PHPHOST=localhost
-          export PHPPORT=1080
-          alias runDev='php -S $PHPHOST:$PHPPORT -d error_reporting=E_ALL -d display_errors=1 -t www/'
-
-          # Prepare dev environment with sqlite and config files
-          test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
-          test -e sql_config.php || cp -v dist/sql_config_example.php sql_config.php
-
-          test -e composer.phar || curl -O https://getcomposer.org/composer.phar
-
-          if [ ! -d vendor ] ; then
-            php composer.phar install || exit $?
-            cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
-            cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
-            cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
-            sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array(\"$PHPHOST:$PHPPORT\")/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
-            ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
-          fi
-        '';
-
-        # TODO:
-        # - Make "trusted.url.domains" dynamic based on the current host:port
-        # - Do not download composer.phar with curl(!)
-        # - Relicense the project to GPL or something
-        # - Write a module for the project
 
+    overlays.default = final: prev: {
+      inherit (self.packages.${final.system}) pvv-nettsiden;
+      formats = prev.formats // {
+        php = import ./nix/php-generator.nix { pkgs = prev; lib = prev.lib; };
       };
+    };
+
+    nixosModules.default = nix/module.nix;
+
+    devShells = forAllSystems (system: pkgs: {
+      default = pkgs.callPackage ./nix/shell.nix { inherit pkgs; };
     });
+
+    # TODO:
+    # - Relicense the project to GPL or something
+    # - Write a module for the project
   };
 }

nix/module.nix

@@ -0,0 +1,252 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.pvv-nettsiden;
+  inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc;
+  format = pkgs.formats.php { };
+in
+{
+  options.services.pvv-nettsiden = {
+    enable = mkEnableOption (lib.mdDoc "Enable pvv-nettsiden");
+
+    package = mkPackageOption pkgs "pvv-nettsiden" { };
+
+    user = mkOption {
+      type = types.str;
+      default = "pvv-nettsiden";
+      description = mdDoc "User to run php-fpm and own the image directories";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "pvv-nettsiden";
+      description = mdDoc "Group to run php-fpm and own the image directories";
+    };
+
+    domainName = mkOption {
+      type = types.str;
+      default = "www.pvv.no";
+      description = mdDoc "Domain name for the website";
+    };
+
+    enableNginx = mkEnableOption "nginx" // { default = true; };
+    useSSL = mkEnableOption "secure cookies" // { default = true; };
+
+    settings = mkOption {
+      description = "Settings for the website";
+      default = { };
+      type = types.submodule {
+        freeformType = format.type;
+        options = lib.mapAttrsRecursiveCond
+          (attrs: !(attrs ? "type"))
+          (_: option: option // { type = types.either option.type format.lib.types.raw; })
+        {
+          DOOR_SECRET = mkOption {
+            type = types.str;
+            description = mdDoc "Secret for the door sensor API";
+          };
+
+          GALLERY = {
+            DIR = mkOption {
+              type = types.path;
+              default = "/var/lib/pvv-nettsiden/gallery";
+              description = mdDoc "Directory where the gallery is located. See documentation at TODO";
+            };
+
+            SERVER_PATH = mkOption {
+              type = types.str;
+              default = "/static/gallery";
+              description = mdDoc "Path to the gallery on the server";
+            };
+          };
+
+          SLIDESHOW = {
+            DIR = mkOption {
+              type = types.path;
+              default = "/var/lib/pvv-nettsiden/slideshow";
+              description = mdDoc "Directory where the slideshow is located. See documentation at TODO";
+            };
+
+            SERVER_PATH = mkOption {
+              type = types.str;
+              default = "/static/slideshow";
+              description = mdDoc "Path to the slideshow on the server";
+            };
+          };
+
+          DB = {
+            DSN = mkOption {
+              type = types.str;
+              default = "sqlite:/var/lib/pvv-nettsiden/pvv-nettsiden.db";
+              example = "pgsql:host=localhost;port=5432;dbname=testdb;user=bruce;password=mypass";
+              description = mdDoc "Database connection string, see https://www.php.net/manual/en/pdo.construct.php";
+            };
+
+            USER = mkOption {
+              type = with types; nullOr str;
+              default = null;
+              example = "pvv-nettsiden";
+              description = mdDoc "Database user";
+            };
+
+            PASS = mkOption {
+              type = with types; nullOr str;
+              default = null;
+              description = mdDoc "Database password. Recommends: null, set in extraConfig";
+            };
+          };
+
+          SAML = {
+            COOKIE_SALT = mkOption {
+              type = types.str;
+              description = mdDoc "Salt for the SAML cookies";
+            };
+
+            COOKIE_SECURE = mkOption {
+              type = types.bool;
+              default = true;
+              description = mdDoc "Whether to set the secure flag on the SAML cookies";
+            };
+
+            ADMIN_NAME = mkOption {
+              type = types.str;
+              description = mdDoc "Name for the admin user";
+            };
+
+            ADMIN_EMAIL = mkOption {
+              type = types.str;
+              description = mdDoc "Email for the admin user";
+            };
+
+            ADMIN_PASSWORD = mkOption {
+              type = types.str;
+              description = mdDoc "Password for the admin user";
+            };
+
+            TRUSTED_DOMAINS = mkOption {
+              type = types.listOf types.str;
+              default = [ cfg.domainName ];
+              description = mdDoc "List of trusted domains for the SAML service";
+            };
+          };
+
+          CACHE_DIRECTORY = mkOption {
+            type = types.path;
+            default = "/var/cache/pvv-nettsiden/simplesamlphp";
+            description = mdDoc "List of trusted domains for the SAML service";
+          };
+        };
+      };
+    };
+  };
+
+
+  config = mkIf cfg.enable (let
+    # NOTE: This should absolutely not be necessary, but for some reason this file refuses to import
+    #       the toplevel configuration file.
+    # NOTE: Nvm, don't this this was the problem after all?
+    finalPackage = cfg.package.overrideAttrs (_: _: {
+      postInstall = cfg.package.postInstall + ''
+        substituteInPlace $out/${cfg.package.passthru.simplesamlphpPath}/config/config.php \
+          --replace '$SAML_COOKIE_SECURE' '${format.lib.valueToString cfg.settings.SAML.COOKIE_SECURE}' \
+          --replace '$SAML_COOKIE_SALT' '${format.lib.valueToString cfg.settings.SAML.COOKIE_SALT}' \
+          --replace '$SAML_ADMIN_PASSWORD' '${format.lib.valueToString cfg.settings.SAML.ADMIN_PASSWORD}' \
+          --replace '$SAML_ADMIN_NAME' '${format.lib.valueToString cfg.settings.SAML.ADMIN_NAME}' \
+          --replace '$SAML_ADMIN_EMAIL' '${format.lib.valueToString cfg.settings.SAML.ADMIN_EMAIL}' \
+          --replace '$SAML_TRUSTED_DOMAINS' '${format.lib.valueToString cfg.settings.SAML.TRUSTED_DOMAINS}' \
+          --replace '$CACHE_DIRECTORY' '${format.lib.valueToString cfg.settings.CACHE_DIRECTORY}'
+      '';
+    });
+  in {
+    users.users = mkIf (cfg.user == "pvv-nettsiden") {
+      "pvv-nettsiden" = {
+        description = "PVV Website Service User";
+        group = cfg.group;
+        createHome = false;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "pvv-nettsiden") {
+      "pvv-nettsiden" = { };
+    };
+
+    systemd.tmpfiles.settings."10-pvv-nettsiden".${cfg.settings.CACHE_DIRECTORY}.d = {
+      inherit (cfg) user group;
+      mode = "0770";
+    };
+
+    services.nginx = mkIf cfg.enableNginx {
+      enable = true;
+
+      recommendedGzipSettings = mkDefault true;
+      recommendedProxySettings = mkDefault true;
+
+      virtualHosts."${cfg.domainName}" = {
+        forceSSL = mkDefault cfg.useSSL;
+        enableACME = mkDefault true;
+        locations = {
+          "/" = {
+            root = "${finalPackage}/share/php/pvv-nettsiden/www/";
+            index = "index.php";
+          };
+
+          "~ \\.php$".extraConfig = ''
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME ${finalPackage}/share/php/pvv-nettsiden/www$fastcgi_script_name;
+            fastcgi_pass unix:${config.services.phpfpm.pools."pvv-nettsiden".socket};
+          '';
+
+          # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+          "^~ /simplesaml/" = {
+            alias = "${finalPackage}/${finalPackage.passthru.simplesamlphpPath}/public/";
+            index = "index.php";
+
+            extraConfig = ''
+              location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+                include ${pkgs.nginx}/conf/fastcgi_params;
+                fastcgi_pass unix:${config.services.phpfpm.pools."pvv-nettsiden".socket};
+                fastcgi_param SCRIPT_FILENAME ${finalPackage}/${finalPackage.passthru.simplesamlphpPath}/public/$phpfile;
+
+                # Must be prepended with the baseurlpath
+                fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+                fastcgi_param PATH_INFO $pathinfo if_not_empty;
+              }
+            '';
+          };
+
+          ${cfg.settings.GALLERY.SERVER_PATH} = {
+            root = cfg.settings.GALLERY.DIR;
+            extraConfig = ''
+              rewrite ^${cfg.settings.GALLERY.SERVER_PATH}/(.*)$ /$1 break;
+            '';
+          };
+
+          ${cfg.settings.SLIDESHOW.SERVER_PATH} = {
+            root = cfg.settings.SLIDESHOW.DIR;
+            extraConfig = ''
+              rewrite ^${cfg.settings.SLIDESHOW.SERVER_PATH}/(.*)$ /$1 break;
+            '';
+          };
+        };
+      };
+
+    };
+
+    services.phpfpm.pools.pvv-nettsiden = {
+      user = cfg.user;
+      group = cfg.group;
+
+      phpEnv.PVV_CONFIG_FILE = toString (format.generate "pvv-nettsiden-conf.php" cfg.settings);
+
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "pm" = mkDefault "ondemand";
+        "pm.max_children" = mkDefault 32;
+        "pm.process_idle_timeout" = mkDefault "10s";
+        "pm.max_requests" = mkDefault 500;
+      };
+    };
+  });
+}

nix/package.nix

@@ -0,0 +1,28 @@
+{ lib
+, php
+, extra_files ? { }
+}:
+
+php.buildComposerProject rec {
+  src = ./..;
+  pname = "pvv-nettsiden";
+  version = "0.0.1";
+  vendorHash = "sha256-DSn0ifj7Hjjia1SF/1wfziD/IdsiOES8XNDVz3F/cTI=";
+
+  passthru.simplesamlphpPath = "share/php/pvv-nettsiden/vendor/simplesamlphp/simplesamlphp";
+
+  postInstall = ''
+    install -Dm644 dist/simplesamlphp-config.php      $out/${passthru.simplesamlphpPath}/config/config.php
+    install -Dm644 dist/simplesamlphp-authsources.php $out/${passthru.simplesamlphpPath}/config/authsources.php
+    install -Dm644 dist/simplesamlphp-idp.php         $out/${passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php
+    install -Dm644 dist/config.source-env.php         $out/share/php/pvv-nettsiden/config.php
+
+    ${lib.pipe extra_files [
+      (lib.mapAttrsToList (target_path: source_path: ''
+        mkdir -p $(dirname "$out/${target_path}")
+	cp -r "${source_path}" "$out/${target_path}"
+      ''))
+      (lib.concatStringsSep "\n")
+    ]}
+  '';
+}

nix/php-generator.nix

@@ -0,0 +1,62 @@
+{ pkgs, lib }:
+
+with lib;
+
+{ }: let
+  valueToString = val:
+    if val == null then
+      "null"
+    else if isString val then
+      builtins.toJSON val
+    else if isBool val then
+      boolToString val
+    else if isInt val || isFloat val then
+      toString val
+    else if isList val then
+      "array(${concatMapStringsSep ", " valueToString val})"
+    else if isAttrs val && val ? value && (val._type or "") == "raw" then
+      val.value
+    else if isAttrs val then
+      throw "Found unexpected attrs, that were not created by mkRaw. Have you put attrs in an array?\n${val}"
+    else throw "unsupported :')";
+in {
+  inherit (pkgs.formats.json { }) type;
+
+  generate = name: value: let
+    flattenStructuredSettings = attrs: let
+      partitionAttrs = pred: attrs: lib.pipe attrs [
+        attrsToList
+        (partition ({ name, value }: pred name value))
+        (mapAttrs (_: listToAttrs))
+      ];
+
+      partitionedAttrs = partitionAttrs (_: v: isAttrs v && !(v ? value && (v._type or "") == "raw")) attrs;
+
+      flattenedAttrs = lib.pipe partitionedAttrs.right [
+        (mapAttrs (n1: mapAttrs' (n2: v2: nameValuePair "${n1}_${n2}" v2)))
+        attrValues
+        (map flattenStructuredSettings)
+        (foldl recursiveUpdate { })
+      ];
+    in recursiveUpdate flattenedAttrs partitionedAttrs.wrong;
+
+    content = lib.pipe value [
+      flattenStructuredSettings
+      (mapAttrs (_: valueToString))
+      (mapAttrsToList (n: v: ''''$${n} = ${v};''))
+      (concatStringsSep "\n")
+      (content: "<?php\n${content}\n?>")
+    ];
+  in pkgs.writeText name content;
+
+  lib = {
+    inherit valueToString;
+
+    mkRaw = value: {
+      inherit value;
+      _type = "raw";
+    };
+
+    types.raw = lib.types.attrs;
+  };
+}

nix/shell.nix

@@ -0,0 +1,35 @@
+{ pkgs }:
+let
+  phpEnv = pkgs.php82.buildEnv {
+    extensions = { enabled, all }: enabled ++ (with all; [ iconv mbstring pdo_mysql pdo_sqlite ]);
+  };
+in
+pkgs.mkShellNoCC {
+  buildInputs = with pkgs; [
+    phpEnv
+    php82Packages.composer
+
+    sqlite
+    git
+  ];
+  shellHook = ''
+    alias runDev='php -S localhost:1080 -d error_reporting=E_ALL -d display_errors=1 -t www/'
+
+    # Prepare dev environment with sqlite and config files
+    test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
+    test -e config.php || cp -v dist/config.local.php config.php
+
+
+    if [ ! -d vendor ] ; then
+      composer install || exit $?
+
+      cp dist/simplesamlphp-authsources.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
+      cp dist/simplesamlphp-idp.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
+      cp dist/simplesamlphp-config.php vendor/simplesamlphp/simplesamlphp/config/config.php
+
+      cp dist/config.local.php config.php
+
+      ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
+    fi
+  '';
+}

www/galleri/index.php

@@ -19,7 +19,7 @@ if(!$loginname) {
 }
 
 # Sourced from config.php through include.php
-$galleryDir = $GALLERY_DIRECTORY;
+$galleryDir = $GALLERY_DIR;
 $serverPath = $GALLERY_SERVER_PATH;
 
 $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'svg', 'webp'];

www/galleri/slideshow.php

@@ -3,12 +3,12 @@
 require __DIR__ . '/../../config.php';
 
 $searchDir = $SLIDESHOW_DIR;
-$serverPath = $SLIDSHOW_SERVER_PATH;
+$serverPath = $SLIDESHOW_SERVER_PATH;
 
 $splashImg = "/PNG/PVV-logo-big-bluebg.png";
 
 // Note: This does not support nested directories
-$filenames = sCaNdIr(__DIR__ . $searchDir);
+$filenames = sCaNdIr($searchDir);
 
 //Remove the expected non-images
 foreach($filenames as $k => $value) {
@@ -17,7 +17,7 @@ foreach($filenames as $k => $value) {
     }
 }
 
-function getFullPath($fname) { return ($GLOBALS["serverPath"] . $fname );	}
+function getFullPath($fname) { return ($GLOBALS["serverPath"] . "/" . $fname );	}
 
 // Sort filenames alphabetically and prepend the path prefix to each item.
 asort($filenames);