diff --git a/modules/kanboard.nix b/modules/kanboard.nix
index 6b40ab4..5eb155c 100644
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@@ -1,33 +1,65 @@ -{ config, pkgs, ... }: +{ pkgs, config, lib, ... }: let domain = "kanboard.${config.networking.domain}"; domain_short = "kb.${config.networking.domain}"; + user = "kanboard"; + group = "kanboard"; in { - sops.secrets."kanboard_env" = { }; + users.users.${user} = { + group = group; + isSystemUser = true; + }; + users.groups.${group} = { }; - virtualisation.oci-containers = { - containers.kanboard = { - image = "ghcr.io/kanboard/kanboard:v1.2.39"; - volumes = [ - "kanboard_data:/var/www/app/data" - "kanboard_plugins:/var/www/app/plugins" - ]; - ports = [ "127.0.0.1:8045:80" ]; - environmentFiles = [ - config.sops.secrets."kanboard_env".path - ]; + services.phpfpm.pools.kanboard = { + user = "kanboard"; + group = "kanboard"; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; }; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; }; + + + services.nginx.enable = true; services.nginx = { virtualHosts."${domain_short}" = { locations."/".return = "301 $scheme://${domain}$request_uri"; }; virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://127.0.0.1:8045"; + root = "/srv/web/kanboard"; + extraConfig = '' + index index.html index.php; + ''; + + locations = { + "/" = { + tryFiles = "$uri $uri/ =404"; + }; + "~ \.php$" = { + extraConfig = '' + try_files $uri =404; + fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket}; + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_index index.php; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; + ''; + }; + "/data".return = "403"; }; }; };
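Review bot: The `"/data".return = "403";` rule near the end of the hunk is a plain prefix location, and nginx tries regex locations before settling on a plain prefix match, so a request under `/data` whose path ends in `.php` still reaches the `fastcgi_pass` block instead of being refused. Writing it as `"^~ /data".return = "403";` stops the regex search for that subtree; this matters because the directory presumably holds uploads and application state, judging by the removed `kanboard_data` volume. Separately, `"~ \.php$"` is a double-quoted Nix string, where `\.` evaluates to a bare `.`, so the generated pattern is `.php$` and accepts any character before `php`; `"~ \\.php$"` yields the intended literal dot. The two `include` lines overlap as well (`fastcgi.conf` already sets `SCRIPT_FILENAME`), so a single include plus the explicit `fastcgi_param` would avoid sending duplicate parameters.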