72 lines
2.2 KiB
Nix
72 lines
2.2 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
user = "fsr-web";
|
|
group = "fsr-web";
|
|
in
|
|
{
|
|
|
|
users.users.${user} = {
|
|
group = group;
|
|
isSystemUser = true;
|
|
};
|
|
users.groups.${group} = { };
|
|
|
|
services.phpfpm.pools.ifsrde = {
|
|
user = user;
|
|
group = group;
|
|
settings = {
|
|
"listen.owner" = config.services.nginx.user;
|
|
"pm" = "dynamic";
|
|
"pm.max_children" = 32;
|
|
"pm.max_requests" = 500;
|
|
"pm.start_servers" = 2;
|
|
"pm.min_spare_servers" = 2;
|
|
"pm.max_spare_servers" = 5;
|
|
"php_admin_value[error_log]" = "stderr";
|
|
"php_admin_flag[log_errors]" = true;
|
|
"catch_workers_output" = true;
|
|
};
|
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
|
};
|
|
|
|
services.nginx = {
|
|
|
|
virtualHosts."www.${config.fsr.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
locations."/".return = "301 $scheme://ifsr.de$request_uri";
|
|
|
|
};
|
|
virtualHosts."${config.fsr.domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
root = "/srv/web/ifsrde";
|
|
locations = {
|
|
"/" = {
|
|
tryFiles = "$uri $uri/ /index.php?$query_string";
|
|
};
|
|
"~ \.php$" = {
|
|
extraConfig = ''
|
|
try_files $uri =404;
|
|
fastcgi_pass unix:${config.services.phpfpm.pools.ifsrde.socket};
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_index index.php;
|
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
|
'';
|
|
};
|
|
# security
|
|
"~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
|
|
# deny running scripts inside core system folders
|
|
"~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
|
|
# deny running scripts inside user folder
|
|
"~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
|
|
# deny access to specific files in the root folder
|
|
"~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)".return = "403";
|
|
## End - Security
|
|
};
|
|
};
|
|
};
|
|
}
|