fruitbasket/modules/web/userdir.nix

{ config, pkgs, ... }:
let
  domain = "users.${config.networking.domain}";
  port = 8083;
  apacheUser = config.services.httpd.user;
in
{
  # home directory setup
  systemd.tmpfiles.rules = [
    "d /etc/skel"
  ];
  environment.extraInit = /*sh*/ ''
    if [[ "$HOME" != "/" && "$UID" != 0 ]]; then
      umask 002

      # home dir: apache may traverse only, creation mode is rw(x)------
      setfacl -m u:${apacheUser}:x,d:u::rwx,d:g::-,d:o::- $HOME

      mkdir -p $HOME/public_html
      # public_html dir: apache and $USER have rwx on everything inside
      setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:''${USER}:rwx $HOME/public_html
    fi
  '';

  services.httpd = {
    enable = true;
    enablePHP = true;
    maxClients = 10;
    mpm = "prefork";
    extraModules = [ "userdir" ];

    virtualHosts.${domain} = {
      extraConfig = ''
        UserDir disabled root
        UserDir /home/users/*/public_html/
        <Directory "/home/users/*/public_html">
          Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec
          DirectoryIndex index.php index.html
          AllowOverride FileInfo AuthConfig Limit Indexes Options=Indexes
          <Limit GET POST OPTIONS>
            Require all granted
          </Limit>
          <LimitExcept GET POST OPTIONS>
            Require all denied
          </LimitExcept>
        </Directory>
      '';
      listen = [{
        ip = "127.0.0.1";
        inherit port;
      }];
    };

    phpPackage = pkgs.php.buildEnv {
      extraConfig = ''
        display_errors=0
        post_max_size = 40M
        upload_max_filesize = 40M
      '';
    };
  };

  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;

    locations."/" = {
      proxyPass = "http://localhost:${toString port}";
      extraConfig = ''
        proxy_intercept_errors on;
        error_page 403 404 =404 /404.html;
        client_max_body_size 40M;
      '';
    };

    locations."/robots.txt" = {
      extraConfig = ''
        add_header  Content-Type  text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
      '';
    };

  };
}
userdir, zsh fixes 2023-09-20 14:07:50 +02:00			`{ config, pkgs, ... }:`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`let`
refactor: fsr.domain -> networking.domain 2023-09-17 20:10:55 +02:00			`domain = "users.${config.networking.domain}";`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`port = 8083;`
			`apacheUser = config.services.httpd.user;`
			`in`
			`{`
			`# home directory setup`
			`systemd.tmpfiles.rules = [`
			`"d /etc/skel"`
			`];`
			`environment.extraInit = /sh/ ''`
			`if [[ "$HOME" != "/" && "$UID" != 0 ]]; then`
			`umask 002`

			`# home dir: apache may traverse only, creation mode is rw(x)------`
			`setfacl -m u:${apacheUser}:x,d:u::rwx,d:g::-,d:o::- $HOME`

			`mkdir -p $HOME/public_html`
			`# public_html dir: apache and $USER have rwx on everything inside`
userdir, zsh fixes 2023-09-20 14:07:50 +02:00			`setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:''${USER}:rwx $HOME/public_html`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`fi`
			`'';`

			`services.httpd = {`
			`enable = true;`
			`enablePHP = true;`
httpd: limit number of spawned processes 2023-10-28 17:35:14 +02:00			`maxClients = 10;`
			`mpm = "prefork";`
userdir, zsh fixes 2023-09-20 14:07:50 +02:00			`extraModules = [ "userdir" ];`
Serve public_html directory 2023-06-30 13:57:21 +02:00
			`virtualHosts.${domain} = {`
			`extraConfig = ''`
userdir, zsh fixes 2023-09-20 14:07:50 +02:00			`UserDir disabled root`
			`UserDir /home/users/*/public_html/`
userdir: fix autoindex 2023-09-16 19:39:09 +02:00			`<Directory "/home/users/*/public_html">`
userdir: fix 403 2023-09-17 14:28:13 +02:00			`Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`DirectoryIndex index.php index.html`
			`AllowOverride FileInfo AuthConfig Limit Indexes Options=Indexes`
userdir: fix 403 2023-09-17 14:28:13 +02:00			`<Limit GET POST OPTIONS>`
			`Require all granted`
			`</Limit>`
			`<LimitExcept GET POST OPTIONS>`
			`Require all denied`
			`</LimitExcept>`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`</Directory>`
			`'';`
			`listen = [{`
			`ip = "127.0.0.1";`
			`inherit port;`
			`}];`
			`};`
userdir: disable php error display 2023-10-01 19:17:29 +02:00
			`phpPackage = pkgs.php.buildEnv {`
			`extraConfig = ''`
			`display_errors=0`
userdir: increase upload size limit 2023-11-28 18:34:51 +01:00			`post_max_size = 40M`
			`upload_max_filesize = 40M`
userdir: disable php error display 2023-10-01 19:17:29 +02:00			`'';`
			`};`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`};`

			`services.nginx.virtualHosts.${domain} = {`
			`enableACME = true;`
			`forceSSL = true;`

			`locations."/" = {`
			`proxyPass = "http://localhost:${toString port}";`
userdir, zsh fixes 2023-09-20 14:07:50 +02:00			`extraConfig = ''`
			`proxy_intercept_errors on;`
			`error_page 403 404 =404 /404.html;`
userdir: increase upload size limit 2023-11-28 18:34:51 +01:00			`client_max_body_size 40M;`
userdir, zsh fixes 2023-09-20 14:07:50 +02:00			`'';`
Serve public_html directory 2023-06-30 13:57:21 +02:00			`};`
userdir: add robots.txt 2023-12-15 15:48:40 +01:00
			`locations."/robots.txt" = {`
			`extraConfig = ''`
			`add_header Content-Type text/plain;`
			`return 200 "User-agent: *\nDisallow: /\n";`
			`'';`
			`};`

Serve public_html directory 2023-06-30 13:57:21 +02:00			`};`
			`}`