Build new nix {module,package,flake}. Adapt to new config variables

Co-authored-by: h7x4 <h7x4@nani.wtf>
This commit is contained in:
Felix Albrigtsen 2024-03-23 21:03:21 +01:00 committed by h7x4
parent 57596b5404
commit 2e107c3753
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
16 changed files with 1681 additions and 99 deletions

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
/result
/config.php /config.php
*.sqlite *.sqlite
/test.sql /test.sql

11
dev.bat
View File

@ -1,11 +0,0 @@
REM php og sqlite3 må være tilgjengelig i PATH
IF EXIST "sql_config.php" goto config_end
cp sql_config_example.php sql_config.php
:config_end
IF EXIST "pvv.sqlite" goto sqlite_end
sqlite3 pvv.sqlite < pvv.sql
:sqlite_end
php -S [::1]:1080 -t www/ -c php.ini

18
dev.sh
View File

@ -1,18 +0,0 @@
#!/bin/sh
which sqlite3 > /dev/null 2>&1 || (echo ERROR: sqlite not found; false) || exit 1
test ! -e pvv.sqlite && sqlite3 pvv.sqlite < dist/pvv.sql
test ! -e sql_config.php && cp -v dist/sql_config_example.php sql_config.php
test -e composer.phar || curl -O https://getcomposer.org/composer.phar
if test ! -d vendor; then
php composer.phar install || exit $?
cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array('localhost:1080')/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
fi
php -S ${DOCKER_HOST:-[::1]}:${DOCKER_PORT:-1080} -d error_reporting=E_ALL -d display_errors=1 -t www/

View File

@ -1,15 +0,0 @@
<?php
$DB_DSN = 'sqlite:'.__DIR__.DIRECTORY_SEPARATOR.'pvv.sqlite';
$DB_USER = null;
$DB_PASSWORD = null;
$DOOR_SECRET = "changeme";
$GALLERY_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'gallery'.DIRECTORY_SEPARATOR.'pics';
$GALLERY_SERVER_PATH = '/images/gallery/';
$SLIDESHOW_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'gallery'.DIRECTORY_SEPARATOR.'pics';
$SLIDSHOW_SERVER_PATH = '/images/slideshow/';
?>

24
dist/config.local.php vendored Normal file
View File

@ -0,0 +1,24 @@
<?php
$DB_DSN = 'sqlite:'.__DIR__.DIRECTORY_SEPARATOR.'pvv.sqlite';
$DB_USER = null;
$DB_PASS = null;
$DOOR_SECRET = "changeme";
$GALLERY_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'galleri'.DIRECTORY_SEPARATOR.'bilder'.DIRECTORY_SEPARATOR.'gallery';
$GALLERY_SERVER_PATH = '/images/gallery/';
$SLIDESHOW_DIR = __DIR__.DIRECTORY_SEPARATOR.'www'.DIRECTORY_SEPARATOR.'galleri'.DIRECTORY_SEPARATOR.'bilder'.DIRECTORY_SEPARATOR.'slideshow';
$SLIDESHOW_SERVER_PATH = '/images/slideshow/';
$SAML_COOKIE_SALT = 'changeme';
$SAML_COOKIE_SECURE = false;
$SAML_TRUSTED_DOMAINS = array("localhost:1080");
$SAML_ADMIN_PASSWORD = "changeme";
$SAML_ADMIN_NAME = 'PVV Drift';
$SAML_ADMIN_EMAIL = 'drift@pvv.ntnu.no';
$CACHE_DIRECTORY = __DIR__.DIRECTORY_SEPARATOR.'cache';
?>

6
dist/config.source-env.php vendored Normal file
View File

@ -0,0 +1,6 @@
<?php
$configFile = getenv('PVV_CONFIG_FILE');
require_once($configFile);
?>

1248
dist/simplesamlphp-config.php vendored Normal file

File diff suppressed because it is too large Load Diff

View File

@ -12,62 +12,30 @@
"aarch64-linux" "aarch64-linux"
"aarch64-darwin" "aarch64-darwin"
]; ];
forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system); forAllSystems = f: nixpkgs.lib.genAttrs systems (system: let
in {
packages = forAllSystems (system: let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
php = pkgs.php83; in f system pkgs);
in { in {
packages = forAllSystems (system: pkgs: {
default = self.packages.${system}.pvv-nettsiden; default = self.packages.${system}.pvv-nettsiden;
pvv-nettsiden = php.buildComposerProject (finalAttrs: { pvv-nettsiden = pkgs.callPackage ./nix/package.nix { php = pkgs.php82; };
src = ./.;
pname = "pvv-nettsiden";
version = "0.0.1";
vendorHash = "sha256-DSn0ifj7Hjjia1SF/1wfziD/IdsiOES8XNDVz3F/cTI=";
});
}); });
devShells = forAllSystems (system: rec {
pkgs = import nixpkgs { inherit system; };
default = pkgs.mkShellNoCC {
buildInputs = with pkgs; [
php82
(with php82Extensions; [
iconv
mbstring
pdo_mysql
pdo_sqlite
])
sqlite
git
];
shellHook = ''
export PHPHOST=localhost
export PHPPORT=1080
alias runDev='php -S $PHPHOST:$PHPPORT -d error_reporting=E_ALL -d display_errors=1 -t www/'
# Prepare dev environment with sqlite and config files
test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
test -e sql_config.php || cp -v dist/sql_config_example.php sql_config.php
test -e composer.phar || curl -O https://getcomposer.org/composer.phar
if [ ! -d vendor ] ; then
php composer.phar install || exit $?
cp -v dist/authsources_example.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
cp -v dist/saml20-idp-remote.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
cp -v vendor/simplesamlphp/simplesamlphp/config-templates/config.php vendor/simplesamlphp/simplesamlphp/config/config.php
sed -e "s/'trusted.url.domains' => array()/'trusted.url.domains' => array(\"$PHPHOST:$PHPPORT\")/g" < vendor/simplesamlphp/simplesamlphp/config-templates/config.php > vendor/simplesamlphp/simplesamlphp/config/config.php
ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
fi
'';
# TODO:
# - Make "trusted.url.domains" dynamic based on the current host:port
# - Do not download composer.phar with curl(!)
# - Relicense the project to GPL or something
# - Write a module for the project
overlays.default = final: prev: {
inherit (self.packages.${final.system}) pvv-nettsiden;
formats = prev.formats // {
php = import ./nix/php-generator.nix { pkgs = prev; lib = prev.lib; };
}; };
};
nixosModules.default = nix/module.nix;
devShells = forAllSystems (system: pkgs: {
default = pkgs.callPackage ./nix/shell.nix { inherit pkgs; };
}); });
# TODO:
# - Relicense the project to GPL or something
# - Write a module for the project
}; };
} }

254
nix/module.nix Normal file
View File

@ -0,0 +1,254 @@
{ config, lib, pkgs, ... }:
let
cfg = config.services.pvv-nettsiden;
inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc;
format = pkgs.formats.php { };
in
{
options.services.pvv-nettsiden = {
enable = mkEnableOption (lib.mdDoc "Enable pvv-nettsiden");
package = mkPackageOption pkgs "pvv-nettsiden" { };
user = mkOption {
type = types.str;
default = "pvv-nettsiden";
description = mdDoc "User to run php-fpm and own the image directories";
};
group = mkOption {
type = types.str;
default = "pvv-nettsiden";
description = mdDoc "Group to run php-fpm and own the image directories";
};
domainName = mkOption {
type = types.str;
default = "www.pvv.no";
description = mdDoc "Domain name for the website";
};
enableNginx = mkEnableOption "nginx" // { default = true; };
useSSL = mkEnableOption "secure cookies" // { default = true; };
settings = mkOption {
description = "Settings for the website";
default = { };
type = types.submodule {
freeformType = format.type;
options = lib.mapAttrsRecursiveCond
(attrs: !(attrs ? "type"))
(_: option: option // { type = types.either option.type format.lib.types.raw; })
{
DOOR_SECRET = mkOption {
type = types.str;
description = mdDoc "Secret for the door sensor API";
};
GALLERY = {
DIR = mkOption {
type = types.path;
default = "/var/lib/pvv-nettsiden/gallery";
description = mdDoc "Directory where the gallery is located. See documentation at TODO";
};
SERVER_PATH = mkOption {
type = types.str;
default = "/static/gallery";
description = mdDoc "Path to the gallery on the server";
};
};
SLIDESHOW = {
DIR = mkOption {
type = types.path;
default = "/var/lib/pvv-nettsiden/slideshow";
description = mdDoc "Directory where the slideshow is located. See documentation at TODO";
};
SERVER_PATH = mkOption {
type = types.str;
default = "/static/slideshow";
description = mdDoc "Path to the slideshow on the server";
};
};
DB = {
DSN = mkOption {
type = types.str;
default = "sqlite:/var/lib/pvv-nettsiden/pvv-nettsiden.db";
example = "pgsql:host=localhost;port=5432;dbname=testdb;user=bruce;password=mypass";
description = mdDoc "Database connection string, see https://www.php.net/manual/en/pdo.construct.php";
};
USER = mkOption {
type = with types; nullOr str;
default = null;
example = "pvv-nettsiden";
description = mdDoc "Database user";
};
PASS = mkOption {
type = with types; nullOr str;
default = null;
description = mdDoc "Database password. Recommends: null, set in extraConfig";
};
};
SAML = {
COOKIE_SALT = mkOption {
type = types.str;
description = mdDoc "Salt for the SAML cookies";
};
COOKIE_SECURE = mkOption {
type = types.bool;
default = true;
description = mdDoc "Whether to set the secure flag on the SAML cookies";
};
ADMIN_NAME = mkOption {
type = types.str;
description = mdDoc "Name for the admin user";
};
ADMIN_EMAIL = mkOption {
type = types.str;
description = mdDoc "Email for the admin user";
};
ADMIN_PASSWORD = mkOption {
type = types.str;
description = mdDoc "Password for the admin user";
};
TRUSTED_DOMAINS = mkOption {
type = types.listOf types.str;
default = [ cfg.domainName ];
description = mdDoc "List of trusted domains for the SAML service";
};
};
CACHE_DIRECTORY = mkOption {
type = types.path;
default = "/var/cache/pvv-nettsiden/simplesamlphp";
description = mdDoc "List of trusted domains for the SAML service";
};
};
};
};
};
config = mkIf cfg.enable (let
# NOTE: This should absolutely not be necessary, but for some reason this file refuses to import
# the toplevel configuration file.
# NOTE: Nvm, don't this this was the problem after all?
finalPackage = cfg.package.overrideAttrs (_: _: {
postInstall = let
f = x: lib.escapeShellArg (format.lib.valueToString x);
in cfg.package.postInstall + ''
substituteInPlace $out/${cfg.package.passthru.simplesamlphpPath}/config/config.php \
--replace '$SAML_COOKIE_SECURE' ${f cfg.settings.SAML.COOKIE_SECURE} \
--replace '$SAML_COOKIE_SALT' ${f cfg.settings.SAML.COOKIE_SALT} \
--replace '$SAML_ADMIN_PASSWORD' ${f cfg.settings.SAML.ADMIN_PASSWORD} \
--replace '$SAML_ADMIN_NAME' ${f cfg.settings.SAML.ADMIN_NAME} \
--replace '$SAML_ADMIN_EMAIL' ${f cfg.settings.SAML.ADMIN_EMAIL} \
--replace '$SAML_TRUSTED_DOMAINS' ${f cfg.settings.SAML.TRUSTED_DOMAINS} \
--replace '$CACHE_DIRECTORY' ${f cfg.settings.CACHE_DIRECTORY}
'';
});
in {
users.users = mkIf (cfg.user == "pvv-nettsiden") {
"pvv-nettsiden" = {
description = "PVV Website Service User";
group = cfg.group;
createHome = false;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "pvv-nettsiden") {
"pvv-nettsiden" = { };
};
systemd.tmpfiles.settings."10-pvv-nettsiden".${cfg.settings.CACHE_DIRECTORY}.d = {
inherit (cfg) user group;
mode = "0770";
};
services.nginx = mkIf cfg.enableNginx {
enable = true;
recommendedGzipSettings = mkDefault true;
recommendedProxySettings = mkDefault true;
virtualHosts."${cfg.domainName}" = {
forceSSL = mkDefault cfg.useSSL;
enableACME = mkDefault true;
locations = {
"/" = {
root = "${finalPackage}/share/php/pvv-nettsiden/www/";
index = "index.php";
};
"~ \\.php$".extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME ${finalPackage}/share/php/pvv-nettsiden/www$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools."pvv-nettsiden".socket};
'';
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"^~ /simplesaml/" = {
alias = "${finalPackage}/${finalPackage.passthru.simplesamlphpPath}/public/";
index = "index.php";
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools."pvv-nettsiden".socket};
fastcgi_param SCRIPT_FILENAME ${finalPackage}/${finalPackage.passthru.simplesamlphpPath}/public/$phpfile;
# Must be prepended with the baseurlpath
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
${cfg.settings.GALLERY.SERVER_PATH} = {
root = cfg.settings.GALLERY.DIR;
extraConfig = ''
rewrite ^${cfg.settings.GALLERY.SERVER_PATH}/(.*)$ /$1 break;
'';
};
${cfg.settings.SLIDESHOW.SERVER_PATH} = {
root = cfg.settings.SLIDESHOW.DIR;
extraConfig = ''
rewrite ^${cfg.settings.SLIDESHOW.SERVER_PATH}/(.*)$ /$1 break;
'';
};
};
};
};
services.phpfpm.pools.pvv-nettsiden = {
user = cfg.user;
group = cfg.group;
phpEnv.PVV_CONFIG_FILE = toString (format.generate "pvv-nettsiden-conf.php" cfg.settings);
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = mkDefault "ondemand";
"pm.max_children" = mkDefault 32;
"pm.process_idle_timeout" = mkDefault "10s";
"pm.max_requests" = mkDefault 500;
};
};
});
}

28
nix/package.nix Normal file
View File

@ -0,0 +1,28 @@
{ lib
, php
, extra_files ? { }
}:
php.buildComposerProject rec {
src = ./..;
pname = "pvv-nettsiden";
version = "0.0.1";
vendorHash = "sha256-DSn0ifj7Hjjia1SF/1wfziD/IdsiOES8XNDVz3F/cTI=";
passthru.simplesamlphpPath = "share/php/pvv-nettsiden/vendor/simplesamlphp/simplesamlphp";
postInstall = ''
install -Dm644 dist/simplesamlphp-config.php $out/${passthru.simplesamlphpPath}/config/config.php
install -Dm644 dist/simplesamlphp-authsources.php $out/${passthru.simplesamlphpPath}/config/authsources.php
install -Dm644 dist/simplesamlphp-idp.php $out/${passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php
install -Dm644 dist/config.source-env.php $out/share/php/pvv-nettsiden/config.php
${lib.pipe extra_files [
(lib.mapAttrsToList (target_path: source_path: ''
mkdir -p $(dirname "$out/${target_path}")
cp -r "${source_path}" "$out/${target_path}"
''))
(lib.concatStringsSep "\n")
]}
'';
}

62
nix/php-generator.nix Normal file
View File

@ -0,0 +1,62 @@
{ pkgs, lib }:
with lib;
{ }: let
valueToString = val:
if val == null then
"null"
else if isString val then
builtins.toJSON val
else if isBool val then
boolToString val
else if isInt val || isFloat val then
toString val
else if isList val then
"array(${concatMapStringsSep ", " valueToString val})"
else if isAttrs val && val ? value && (val._type or "") == "raw" then
val.value
else if isAttrs val then
throw "Found unexpected attrs, that were not created by mkRaw. Have you put attrs in an array?\n${val}"
else throw "unsupported :')";
in {
inherit (pkgs.formats.json { }) type;
generate = name: value: let
flattenStructuredSettings = attrs: let
partitionAttrs = pred: attrs: lib.pipe attrs [
attrsToList
(partition ({ name, value }: pred name value))
(mapAttrs (_: listToAttrs))
];
partitionedAttrs = partitionAttrs (_: v: isAttrs v && !(v ? value && (v._type or "") == "raw")) attrs;
flattenedAttrs = lib.pipe partitionedAttrs.right [
(mapAttrs (n1: mapAttrs' (n2: v2: nameValuePair "${n1}_${n2}" v2)))
attrValues
(map flattenStructuredSettings)
(foldl recursiveUpdate { })
];
in recursiveUpdate flattenedAttrs partitionedAttrs.wrong;
content = lib.pipe value [
flattenStructuredSettings
(mapAttrs (_: valueToString))
(mapAttrsToList (n: v: ''''$${n} = ${v};''))
(concatStringsSep "\n")
(content: "<?php\n${content}\n?>")
];
in pkgs.writeText name content;
lib = {
inherit valueToString;
mkRaw = value: {
inherit value;
_type = "raw";
};
types.raw = lib.types.attrs;
};
}

35
nix/shell.nix Normal file
View File

@ -0,0 +1,35 @@
{ pkgs }:
let
phpEnv = pkgs.php82.buildEnv {
extensions = { enabled, all }: enabled ++ (with all; [ iconv mbstring pdo_mysql pdo_sqlite ]);
};
in
pkgs.mkShellNoCC {
buildInputs = with pkgs; [
phpEnv
php82Packages.composer
sqlite
git
];
shellHook = ''
alias runDev='php -S localhost:1080 -d error_reporting=E_ALL -d display_errors=1 -t www/'
# Prepare dev environment with sqlite and config files
test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
test -e config.php || cp -v dist/config.local.php config.php
if [ ! -d vendor ] ; then
composer install || exit $?
cp dist/simplesamlphp-authsources.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
cp dist/simplesamlphp-idp.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
cp dist/simplesamlphp-config.php vendor/simplesamlphp/simplesamlphp/config/config.php
cp dist/config.local.php config.php
ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
fi
'';
}

View File

@ -19,7 +19,7 @@ if(!$loginname) {
} }
# Sourced from config.php through include.php # Sourced from config.php through include.php
$galleryDir = $GALLERY_DIRECTORY; $galleryDir = $GALLERY_DIR;
$serverPath = $GALLERY_SERVER_PATH; $serverPath = $GALLERY_SERVER_PATH;
$allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'svg', 'webp']; $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'bmp', 'svg', 'webp'];

View File

@ -3,12 +3,12 @@
require __DIR__ . '/../../config.php'; require __DIR__ . '/../../config.php';
$searchDir = $SLIDESHOW_DIR; $searchDir = $SLIDESHOW_DIR;
$serverPath = $SLIDSHOW_SERVER_PATH; $serverPath = $SLIDESHOW_SERVER_PATH;
$splashImg = "/PNG/PVV-logo-big-bluebg.png"; $splashImg = "/PNG/PVV-logo-big-bluebg.png";
// Note: This does not support nested directories // Note: This does not support nested directories
$filenames = sCaNdIr(__DIR__ . $searchDir); $filenames = sCaNdIr($searchDir);
//Remove the expected non-images //Remove the expected non-images
foreach($filenames as $k => $value) { foreach($filenames as $k => $value) {
@ -17,7 +17,7 @@ foreach($filenames as $k => $value) {
} }
} }
function getFullPath($fname) { return ($GLOBALS["serverPath"] . $fname ); } function getFullPath($fname) { return ($GLOBALS["serverPath"] . "/" . $fname ); }
// Sort filenames alphabetically and prepend the path prefix to each item. // Sort filenames alphabetically and prepend the path prefix to each item.
asort($filenames); asort($filenames);