Build new nix {module,package,flake}. Adapt to new config variables

Co-authored-by: h7x4 <h7x4@nani.wtf>
2024-03-23 21:03:21 +01:00
parent 310246dd20
commit f5a6868301
16 changed files with 1681 additions and 99 deletions
--- a/nix/module.nix
+++ b/nix/module.nix
@@ -0,0 +1,254 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.pvv-nettsiden;
+  inherit (lib) mkDefault mkEnableOption mkPackageOption mkIf mkOption types mdDoc;
+  format = pkgs.formats.php { };
+in
+{
+  options.services.pvv-nettsiden = {
+    enable = mkEnableOption (lib.mdDoc "Enable pvv-nettsiden");
+
+    package = mkPackageOption pkgs "pvv-nettsiden" { };
+
+    user = mkOption {
+      type = types.str;
+      default = "pvv-nettsiden";
+      description = mdDoc "User to run php-fpm and own the image directories";
+    };
+
+    group = mkOption {
+      type = types.str;
+      default = "pvv-nettsiden";
+      description = mdDoc "Group to run php-fpm and own the image directories";
+    };
+
+    domainName = mkOption {
+      type = types.str;
+      default = "www.pvv.no";
+      description = mdDoc "Domain name for the website";
+    };
+
+    enableNginx = mkEnableOption "nginx" // { default = true; };
+    useSSL = mkEnableOption "secure cookies" // { default = true; };
+
+    settings = mkOption {
+      description = "Settings for the website";
+      default = { };
+      type = types.submodule {
+        freeformType = format.type;
+        options = lib.mapAttrsRecursiveCond
+          (attrs: !(attrs ? "type"))
+          (_: option: option // { type = types.either option.type format.lib.types.raw; })
+        {
+          DOOR_SECRET = mkOption {
+            type = types.str;
+            description = mdDoc "Secret for the door sensor API";
+          };
+
+          GALLERY = {
+            DIR = mkOption {
+              type = types.path;
+              default = "/var/lib/pvv-nettsiden/gallery";
+              description = mdDoc "Directory where the gallery is located. See documentation at TODO";
+            };
+
+            SERVER_PATH = mkOption {
+              type = types.str;
+              default = "/static/gallery";
+              description = mdDoc "Path to the gallery on the server";
+            };
+          };
+
+          SLIDESHOW = {
+            DIR = mkOption {
+              type = types.path;
+              default = "/var/lib/pvv-nettsiden/slideshow";
+              description = mdDoc "Directory where the slideshow is located. See documentation at TODO";
+            };
+
+            SERVER_PATH = mkOption {
+              type = types.str;
+              default = "/static/slideshow";
+              description = mdDoc "Path to the slideshow on the server";
+            };
+          };
+
+          DB = {
+            DSN = mkOption {
+              type = types.str;
+              default = "sqlite:/var/lib/pvv-nettsiden/pvv-nettsiden.db";
+              example = "pgsql:host=localhost;port=5432;dbname=testdb;user=bruce;password=mypass";
+              description = mdDoc "Database connection string, see https://www.php.net/manual/en/pdo.construct.php";
+            };
+
+            USER = mkOption {
+              type = with types; nullOr str;
+              default = null;
+              example = "pvv-nettsiden";
+              description = mdDoc "Database user";
+            };
+
+            PASS = mkOption {
+              type = with types; nullOr str;
+              default = null;
+              description = mdDoc "Database password. Recommends: null, set in extraConfig";
+            };
+          };
+
+          SAML = {
+            COOKIE_SALT = mkOption {
+              type = types.str;
+              description = mdDoc "Salt for the SAML cookies";
+            };
+
+            COOKIE_SECURE = mkOption {
+              type = types.bool;
+              default = true;
+              description = mdDoc "Whether to set the secure flag on the SAML cookies";
+            };
+
+            ADMIN_NAME = mkOption {
+              type = types.str;
+              description = mdDoc "Name for the admin user";
+            };
+
+            ADMIN_EMAIL = mkOption {
+              type = types.str;
+              description = mdDoc "Email for the admin user";
+            };
+
+            ADMIN_PASSWORD = mkOption {
+              type = types.str;
+              description = mdDoc "Password for the admin user";
+            };
+
+            TRUSTED_DOMAINS = mkOption {
+              type = types.listOf types.str;
+              default = [ cfg.domainName ];
+              description = mdDoc "List of trusted domains for the SAML service";
+            };
+          };
+
+          CACHE_DIRECTORY = mkOption {
+            type = types.path;
+            default = "/var/cache/pvv-nettsiden/simplesamlphp";
+            description = mdDoc "List of trusted domains for the SAML service";
+          };
+        };
+      };
+    };
+  };
+
+
+  config = mkIf cfg.enable (let
+    # NOTE: This should absolutely not be necessary, but for some reason this file refuses to import
+    #       the toplevel configuration file.
+    # NOTE: Nvm, don't this this was the problem after all?
+    finalPackage = cfg.package.overrideAttrs (_: _: {
+      postInstall = let
+        f = x: lib.escapeShellArg (format.lib.valueToString x);
+      in cfg.package.postInstall + ''
+        substituteInPlace $out/${cfg.package.passthru.simplesamlphpPath}/config/config.php \
+          --replace '$SAML_COOKIE_SECURE'   ${f cfg.settings.SAML.COOKIE_SECURE} \
+          --replace '$SAML_COOKIE_SALT'     ${f cfg.settings.SAML.COOKIE_SALT} \
+          --replace '$SAML_ADMIN_PASSWORD'  ${f cfg.settings.SAML.ADMIN_PASSWORD} \
+          --replace '$SAML_ADMIN_NAME'      ${f cfg.settings.SAML.ADMIN_NAME} \
+          --replace '$SAML_ADMIN_EMAIL'     ${f cfg.settings.SAML.ADMIN_EMAIL} \
+          --replace '$SAML_TRUSTED_DOMAINS' ${f cfg.settings.SAML.TRUSTED_DOMAINS} \
+          --replace '$CACHE_DIRECTORY'      ${f cfg.settings.CACHE_DIRECTORY}
+      '';
+    });
+  in {
+    users.users = mkIf (cfg.user == "pvv-nettsiden") {
+      "pvv-nettsiden" = {
+        description = "PVV Website Service User";
+        group = cfg.group;
+        createHome = false;
+        isSystemUser = true;
+      };
+    };
+
+    users.groups = mkIf (cfg.group == "pvv-nettsiden") {
+      "pvv-nettsiden" = { };
+    };
+
+    systemd.tmpfiles.settings."10-pvv-nettsiden".${cfg.settings.CACHE_DIRECTORY}.d = {
+      inherit (cfg) user group;
+      mode = "0770";
+    };
+
+    services.nginx = mkIf cfg.enableNginx {
+      enable = true;
+
+      recommendedGzipSettings = mkDefault true;
+      recommendedProxySettings = mkDefault true;
+
+      virtualHosts."${cfg.domainName}" = {
+        forceSSL = mkDefault cfg.useSSL;
+        enableACME = mkDefault true;
+        locations = {
+          "/" = {
+            root = "${finalPackage}/share/php/pvv-nettsiden/www/";
+            index = "index.php";
+          };
+
+          "~ \\.php$".extraConfig = ''
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME ${finalPackage}/share/php/pvv-nettsiden/www$fastcgi_script_name;
+            fastcgi_pass unix:${config.services.phpfpm.pools."pvv-nettsiden".socket};
+          '';
+
+          # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
+          "^~ /simplesaml/" = {
+            alias = "${finalPackage}/${finalPackage.passthru.simplesamlphpPath}/public/";
+            index = "index.php";
+
+            extraConfig = ''
+              location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
+                include ${pkgs.nginx}/conf/fastcgi_params;
+                fastcgi_pass unix:${config.services.phpfpm.pools."pvv-nettsiden".socket};
+                fastcgi_param SCRIPT_FILENAME ${finalPackage}/${finalPackage.passthru.simplesamlphpPath}/public/$phpfile;
+
+                # Must be prepended with the baseurlpath
+                fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
+
+                fastcgi_param PATH_INFO $pathinfo if_not_empty;
+              }
+            '';
+          };
+
+          ${cfg.settings.GALLERY.SERVER_PATH} = {
+            root = cfg.settings.GALLERY.DIR;
+            extraConfig = ''
+              rewrite ^${cfg.settings.GALLERY.SERVER_PATH}/(.*)$ /$1 break;
+            '';
+          };
+
+          ${cfg.settings.SLIDESHOW.SERVER_PATH} = {
+            root = cfg.settings.SLIDESHOW.DIR;
+            extraConfig = ''
+              rewrite ^${cfg.settings.SLIDESHOW.SERVER_PATH}/(.*)$ /$1 break;
+            '';
+          };
+        };
+      };
+
+    };
+
+    services.phpfpm.pools.pvv-nettsiden = {
+      user = cfg.user;
+      group = cfg.group;
+
+      phpEnv.PVV_CONFIG_FILE = toString (format.generate "pvv-nettsiden-conf.php" cfg.settings);
+
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "pm" = mkDefault "ondemand";
+        "pm.max_children" = mkDefault 32;
+        "pm.process_idle_timeout" = mkDefault "10s";
+        "pm.max_requests" = mkDefault 500;
+      };
+    };
+  });
+}
--- a/nix/package.nix
+++ b/nix/package.nix
@@ -0,0 +1,28 @@
+{ lib
+, php
+, extra_files ? { }
+}:
+
+php.buildComposerProject rec {
+  src = ./..;
+  pname = "pvv-nettsiden";
+  version = "0.0.1";
+  vendorHash = "sha256-DSn0ifj7Hjjia1SF/1wfziD/IdsiOES8XNDVz3F/cTI=";
+
+  passthru.simplesamlphpPath = "share/php/pvv-nettsiden/vendor/simplesamlphp/simplesamlphp";
+
+  postInstall = ''
+    install -Dm644 dist/simplesamlphp-config.php      $out/${passthru.simplesamlphpPath}/config/config.php
+    install -Dm644 dist/simplesamlphp-authsources.php $out/${passthru.simplesamlphpPath}/config/authsources.php
+    install -Dm644 dist/simplesamlphp-idp.php         $out/${passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php
+    install -Dm644 dist/config.source-env.php         $out/share/php/pvv-nettsiden/config.php
+
+    ${lib.pipe extra_files [
+      (lib.mapAttrsToList (target_path: source_path: ''
+        mkdir -p $(dirname "$out/${target_path}")
+	cp -r "${source_path}" "$out/${target_path}"
+      ''))
+      (lib.concatStringsSep "\n")
+    ]}
+  '';
+}
--- a/nix/php-generator.nix
+++ b/nix/php-generator.nix
@@ -0,0 +1,62 @@
+{ pkgs, lib }:
+
+with lib;
+
+{ }: let
+  valueToString = val:
+    if val == null then
+      "null"
+    else if isString val then
+      builtins.toJSON val
+    else if isBool val then
+      boolToString val
+    else if isInt val || isFloat val then
+      toString val
+    else if isList val then
+      "array(${concatMapStringsSep ", " valueToString val})"
+    else if isAttrs val && val ? value && (val._type or "") == "raw" then
+      val.value
+    else if isAttrs val then
+      throw "Found unexpected attrs, that were not created by mkRaw. Have you put attrs in an array?\n${val}"
+    else throw "unsupported :')";
+in {
+  inherit (pkgs.formats.json { }) type;
+
+  generate = name: value: let
+    flattenStructuredSettings = attrs: let
+      partitionAttrs = pred: attrs: lib.pipe attrs [
+        attrsToList
+        (partition ({ name, value }: pred name value))
+        (mapAttrs (_: listToAttrs))
+      ];
+
+      partitionedAttrs = partitionAttrs (_: v: isAttrs v && !(v ? value && (v._type or "") == "raw")) attrs;
+
+      flattenedAttrs = lib.pipe partitionedAttrs.right [
+        (mapAttrs (n1: mapAttrs' (n2: v2: nameValuePair "${n1}_${n2}" v2)))
+        attrValues
+        (map flattenStructuredSettings)
+        (foldl recursiveUpdate { })
+      ];
+    in recursiveUpdate flattenedAttrs partitionedAttrs.wrong;
+
+    content = lib.pipe value [
+      flattenStructuredSettings
+      (mapAttrs (_: valueToString))
+      (mapAttrsToList (n: v: ''''$${n} = ${v};''))
+      (concatStringsSep "\n")
+      (content: "<?php\n${content}\n?>")
+    ];
+  in pkgs.writeText name content;
+
+  lib = {
+    inherit valueToString;
+
+    mkRaw = value: {
+      inherit value;
+      _type = "raw";
+    };
+
+    types.raw = lib.types.attrs;
+  };
+}
--- a/nix/shell.nix
+++ b/nix/shell.nix
@@ -0,0 +1,35 @@
+{ pkgs }:
+let
+  phpEnv = pkgs.php82.buildEnv {
+    extensions = { enabled, all }: enabled ++ (with all; [ iconv mbstring pdo_mysql pdo_sqlite ]);
+  };
+in
+pkgs.mkShellNoCC {
+  buildInputs = with pkgs; [
+    phpEnv
+    php82Packages.composer
+
+    sqlite
+    git
+  ];
+  shellHook = ''
+    alias runDev='php -S localhost:1080 -d error_reporting=E_ALL -d display_errors=1 -t www/'
+
+    # Prepare dev environment with sqlite and config files
+    test -e pvv.sqlite || sqlite3 pvv.sqlite < dist/pvv.sql
+    test -e config.php || cp -v dist/config.local.php config.php
+
+
+    if [ ! -d vendor ] ; then
+      composer install || exit $?
+
+      cp dist/simplesamlphp-authsources.php vendor/simplesamlphp/simplesamlphp/config/authsources.php
+      cp dist/simplesamlphp-idp.php vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
+      cp dist/simplesamlphp-config.php vendor/simplesamlphp/simplesamlphp/config/config.php
+
+      cp dist/config.local.php config.php
+
+      ln -s ../vendor/simplesamlphp/simplesamlphp/www/ www/simplesaml
+    fi
+  '';
+}