fruitbasket/modules/web/ifsrde.nix

{ config, pkgs, lib, ... }:
let
  user = "fsr-web";
  group = "fsr-web";
in
{

  users.users.${user} = {
    group = group;
    isSystemUser = true;
  };
  users.groups.${group} = { };
  users.users.nginx = {
    extraGroups = [ group ];
  };
  services.phpfpm.pools.ifsrde = {
    user = user;
    group = group;
    settings = {
      "listen.owner" = config.services.nginx.user;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 5;
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };

  services.nginx = {

    virtualHosts."www.${config.networking.domain}" = {
      locations."/".return = "301 $scheme://ifsr.de$request_uri";
    };
    virtualHosts."${config.networking.domain}" = {
      root = "/srv/web/ifsrde";
      extraConfig = ''
        index index.html index.php;
      '';

      locations = {
        "/" = {
          tryFiles = "$uri $uri/ /index.php?$query_string";
        };
        "~ \.php$" = {
          extraConfig = ''
            try_files $uri =404;
            fastcgi_pass unix:${config.services.phpfpm.pools.ifsrde.socket};
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_index index.php;
            include ${pkgs.nginx}/conf/fastcgi_params;
            include ${pkgs.nginx}/conf/fastcgi.conf;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
          '';
        };
        "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
        "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
        "/kpp".return = "301 https://kpp.ifsr.de";
        "/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
        # security
        "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
        # deny running scripts inside core system folders
        "~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
        # deny running scripts inside user folder
        "~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
        # deny access to specific files in the root folder
        "~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)".return = "403";
        ## End - Security
      };
    };
  };
}
initial website configuration 2023-08-16 13:24:56 +02:00			`{ config, pkgs, lib, ... }:`
			`let`
			`user = "fsr-web";`
			`group = "fsr-web";`
			`in`
			`{`

			`users.users.${user} = {`
			`group = group;`
			`isSystemUser = true;`
			`};`
			`users.groups.${group} = { };`
fixing user groups for websides Co-authored-by: fugi <me@fugi.dev> Co-authored-by: tenksom <joachim@stramke.com> 2024-03-28 15:56:38 +01:00			`users.users.nginx = {`
			`extraGroups = [ group ];`
			`};`
initial website configuration 2023-08-16 13:24:56 +02:00			`services.phpfpm.pools.ifsrde = {`
			`user = user;`
			`group = group;`
			`settings = {`
			`"listen.owner" = config.services.nginx.user;`
			`"pm" = "dynamic";`
			`"pm.max_children" = 32;`
			`"pm.max_requests" = 500;`
			`"pm.start_servers" = 2;`
			`"pm.min_spare_servers" = 2;`
			`"pm.max_spare_servers" = 5;`
			`"php_admin_value[error_log]" = "stderr";`
			`"php_admin_flag[log_errors]" = true;`
			`"catch_workers_output" = true;`
			`};`
			`phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];`
			`};`

include uptsream nginx config for grav 2023-08-16 13:57:10 +02:00			`services.nginx = {`
remove the vm 2023-08-16 14:51:01 +02:00
refactor: fsr.domain -> networking.domain 2023-09-17 20:10:55 +02:00			`virtualHosts."www.${config.networking.domain}" = {`
on-metal updates - grav fixes - course management migration 2023-08-16 14:21:56 +02:00			`locations."/".return = "301 $scheme://ifsr.de$request_uri";`
			`};`
refactor: fsr.domain -> networking.domain 2023-09-17 20:10:55 +02:00			`virtualHosts."${config.networking.domain}" = {`
initial website configuration 2023-08-16 13:24:56 +02:00			`root = "/srv/web/ifsrde";`
fixed ifsrde index 2023-08-16 15:11:27 +02:00			`extraConfig = ''`
			`index index.html index.php;`
			`'';`
stream: move to ifsr.de 2023-08-17 13:50:57 +02:00
initial website configuration 2023-08-16 13:24:56 +02:00			`locations = {`
include uptsream nginx config for grav 2023-08-16 13:57:10 +02:00			`"/" = {`
on-metal updates - grav fixes - course management migration 2023-08-16 14:21:56 +02:00			`tryFiles = "$uri $uri/ /index.php?$query_string";`
initial website configuration 2023-08-16 13:24:56 +02:00			`};`
			`"~ \.php$" = {`
			`extraConfig = ''`
			`try_files $uri =404;`
			`fastcgi_pass unix:${config.services.phpfpm.pools.ifsrde.socket};`
include uptsream nginx config for grav 2023-08-16 13:57:10 +02:00			`fastcgi_split_path_info ^(.+\.php)(/.+)$;`
initial website configuration 2023-08-16 13:24:56 +02:00			`fastcgi_index index.php;`
			`include ${pkgs.nginx}/conf/fastcgi_params;`
			`include ${pkgs.nginx}/conf/fastcgi.conf;`
include uptsream nginx config for grav 2023-08-16 13:57:10 +02:00			`fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;`
initial website configuration 2023-08-16 13:24:56 +02:00			`'';`
			`};`
nginx: fix regexes 2023-08-24 16:28:07 +02:00			`"~ ^/cmd(/?[^\\n\|\\r]*)$".return = "301 https://pad.ifsr.de$1";`
website: add bbb redirect 2023-08-28 19:19:19 +02:00			`"/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";`
kpp: add redirect 2023-08-29 12:29:22 +02:00			`"/kpp".return = "301 https://kpp.ifsr.de";`
ifsr.de: add sso redirect 2024-05-06 22:59:48 +02:00			`"/sso".return = "301 https://sso.ifsr.de/realms/internal/account";`
include uptsream nginx config for grav 2023-08-16 13:57:10 +02:00			`# security`
			`"~* /(\.git\|cache\|bin\|logs\|backup\|tests)/.*$".return = "403";`
			`# deny running scripts inside core system folders`
			`"~* /(system\|vendor)/.*\.(txt\|xml\|md\|html\|json\|yaml\|yml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$".return = "403";`
			`# deny running scripts inside user folder`
			`"~* /user/.*\.(txt\|md\|json\|yaml\|yml\|php\|pl\|py\|cgi\|twig\|sh\|bat)$".return = "403";`
			`# deny access to specific files in the root folder`
			`"~ /(LICENSE\.txt\|composer\.lock\|composer\.json\|nginx\.conf\|web\.config\|htaccess\.txt\|\.htaccess)".return = "403";`
			`## End - Security`
initial website configuration 2023-08-16 13:24:56 +02:00			`};`
			`};`
			`};`
			`}`