fruitbasket/modules/web/ifsrde.nix

77 lines
2.5 KiB
Nix
Raw Permalink Normal View History

2023-08-16 13:24:56 +02:00
{ config, pkgs, lib, ... }:
let
user = "fsr-web";
group = "fsr-web";
in
{
users.users.${user} = {
group = group;
isSystemUser = true;
};
users.groups.${group} = { };
users.users.nginx = {
extraGroups = [ group ];
};
2023-08-16 13:24:56 +02:00
services.phpfpm.pools.ifsrde = {
user = user;
group = group;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
2023-08-16 13:57:10 +02:00
services.nginx = {
2023-08-16 14:51:01 +02:00
virtualHosts."www.${config.networking.domain}" = {
locations."/".return = "301 $scheme://ifsr.de$request_uri";
};
virtualHosts."${config.networking.domain}" = {
2023-08-16 13:24:56 +02:00
root = "/srv/web/ifsrde";
2023-08-16 15:11:27 +02:00
extraConfig = ''
index index.html index.php;
'';
2023-08-17 13:50:57 +02:00
2023-08-16 13:24:56 +02:00
locations = {
2023-08-16 13:57:10 +02:00
"/" = {
tryFiles = "$uri $uri/ /index.php?$query_string";
2023-08-16 13:24:56 +02:00
};
"~ \.php$" = {
extraConfig = ''
try_files $uri =404;
fastcgi_pass unix:${config.services.phpfpm.pools.ifsrde.socket};
2023-08-16 13:57:10 +02:00
fastcgi_split_path_info ^(.+\.php)(/.+)$;
2023-08-16 13:24:56 +02:00
fastcgi_index index.php;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
2023-08-16 13:57:10 +02:00
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
2023-08-16 13:24:56 +02:00
'';
};
2023-08-24 16:28:07 +02:00
"~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
2023-08-28 19:19:19 +02:00
"/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
2023-08-29 12:29:22 +02:00
"/kpp".return = "301 https://kpp.ifsr.de";
2024-05-06 22:59:48 +02:00
"/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
2023-08-16 13:57:10 +02:00
# security
"~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
# deny running scripts inside core system folders
"~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
# deny running scripts inside user folder
"~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
# deny access to specific files in the root folder
"~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)".return = "403";
## End - Security
2023-08-16 13:24:56 +02:00
};
};
};
}