From dc60431d5927946fbd76a605744c60f2fecee89f Mon Sep 17 00:00:00 2001
From: makefu
Date: Tue, 15 Oct 2019 11:59:17 +0200
Subject: ma owncloud: re-enable secrets, add dummy secret
---
makefu/2configs/deployment/owncloud.nix | 46 +++++++++++++++++----------------
1 file changed, 24 insertions(+), 22 deletions(-)
(limited to 'makefu/2configs/deployment')
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix
index 6f073fd4c..6f041e1e0 100644
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@@ -171,27 +171,29 @@ in {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.redis.enable = true;
- services.mysql = {
- enable = false;
- package = pkgs.mariadb;
- rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
- initialDatabases = [
- # Or use writeText instead of literalExample?
- #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
- {
- name = "nextcloud";
- schema = pkgs.writeText "nextcloud.sql"
- ''
- create user if not exists 'nextcloud'@'localhost' identified by 'password';
- grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
- '';
- }
- ];
- };
+
+ #services.mysql = {
+ # enable = false;
+ # package = pkgs.mariadb;
+ # rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
+ # initialDatabases = [
+ # # Or use writeText instead of literalExample?
+ # #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
+ # {
+ # name = "nextcloud";
+ # schema = pkgs.writeText "nextcloud.sql"
+ # ''
+ # create user if not exists 'nextcloud'@'localhost' identified by 'password';
+ # grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
+ # '';
+ # }
+ # ];
+ #};
+ # dataDir is only defined after mysql is enabled
- # krebs.secret.files.mysql_rootPassword = {
- # path = "${config.services.mysql.dataDir}/mysql_rootPassword";
- # owner.name = "root";
- # source-path = toString + "/mysql_rootPassword";
- # };
+ #krebs.secret.files.mysql_rootPassword = {
+ # path = "${config.services.mysql.dataDir}/mysql_rootPassword";
+ # owner.name = "root";
+ # source-path = toString + "/mysql_rootPassword";
+ #};
 }
-- 
cgit v1.3.1
From 44477523519b40d92c743c30792e1ca8c7bcc83b Mon Sep 17 00:00:00 2001
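Review bot: The commented-out `initialDatabases` block on the new side still carries the literal credential `identified by 'password'` inside a `pkgs.writeText "nextcloud.sql"` derivation; if that block is ever uncommented as-is, the SQL file including the password is written to the world-readable Nix store, whereas `rootPassword` at least points at a `krebs.secret` file path. Since the subject says the secret is meant to be re-enabled later, replace the literal with a reference to a secret file before the block is revived, or delete the dead block and rely on git history instead of keeping two commented copies. The `enable = false;` inside a commented-out attrset is redundant as well and can go when the block comes back. The enclosing `in { … }` attrset starts before this hunk.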
From: makefu
Date: Tue, 15 Oct 2019 14:26:50 +0200
Subject: ma nginx/euer.wiki: poolConfigs -> pools
---
makefu/2configs/deployment/owncloud.nix | 36 +++++++++++++++++----------------
makefu/2configs/nginx/euer.wiki.nix | 26 +++++++++++-------------
2 files changed, 31 insertions(+), 31 deletions(-)
(limited to 'makefu/2configs/deployment')
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix
index 6f041e1e0..38eed2fd9 100644
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@@ -118,23 +118,25 @@ let
 access_log off;
 '';
 };
- services.phpfpm.poolConfigs."${domain}" = ''
- listen = ${socket}
- user = nginx
- group = nginx
- pm = dynamic
- pm.max_children = 32
- pm.max_requests = 500
- pm.start_servers = 2
- pm.min_spare_servers = 2
- pm.max_spare_servers = 5
- listen.owner = nginx
- listen.group = nginx
- php_admin_value[error_log] = 'stderr'
- php_admin_flag[log_errors] = on
- env[PATH] = ${lib.makeBinPath [ pkgs.php ]}
- catch_workers_output = yes
- '';
+ services.phpfpm.pools."${domain}" = {
+ user = "nginx";
+ group = "nginx";
+ listen = socket;
+ settings = {
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.max_requests" = 500;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 5;
+ };
+ extraConfig = ''
+ php_admin_value[error_log] = 'stderr'
+ php_admin_flag[log_errors] = on
+ env[PATH] = ${lib.makeBinPath [ pkgs.php ]}
+ catch_workers_output = yes
+ '';
+ };
 services.phpfpm.phpOptions = ''
 opcache.enable=1
 opcache.enable_cli=1
diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix
index 732c27784..56f44f9ad 100644
--- a/makefu/2configs/nginx/euer.wiki.nix
+++ b/makefu/2configs/nginx/euer.wiki.nix
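Review bot: The rewritten pool drops the `listen.owner = nginx` and `listen.group = nginx` directives that the old `poolConfigs` string set, and nothing in the new `settings` attrset replaces them; unless the `services.phpfpm.pools` module derives them from `user`/`group` (I do not believe it does), php-fpm leaves the socket owned by its master process with mode 0660 and nginx will get permission denied on `socket`. Adding `"listen.owner" = "nginx"; "listen.group" = "nginx";` to `settings` restores the previous behaviour. The same two lines are dropped in the euer.wiki.nix hunk of the next commit. The `let … in` context enclosing this pool starts before the hunk.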
@@ -23,20 +23,18 @@ let
 in {
 state = [ base-dir ];
 services.phpfpm = {
- # phpfpm does not have an enable option
- poolConfigs = {
- euer-wiki = ''
- user = ${user}
- group = ${group}
- listen = ${fpm-socket}
- listen.owner = ${user}
- listen.group = ${group}
- env[twconf] = ${base-cfg};
- pm = dynamic
- pm.max_children = 5
- pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
+ pools.euer-wiki = {
+ inherit user group;
+ listen = fpm-socket;
+ config = {
+ "pm" = "dynamic";
+ "pm.max_children" = 5;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 1;
+ "pm.max_spare_servers" = 3;
+ };
+ phpEnv.twconf = base-cfg;
+ extraConfig = ''
 chdir = /
 php_admin_value[error_log] = 'stderr'
 php_admin_flag[log_errors] = on
-- 
cgit v1.3.1
From 3aa59e62745bf4d8f750f1e131548dbd53de010b Mon Sep 17 00:00:00 2001
From: makefu
Date: Tue, 15 Oct 2019 22:41:08 +0200
Subject: ma nginx: make linter happy
---
makefu/2configs/deployment/owncloud.nix | 4 ++++
makefu/2configs/nginx/euer.mon.nix | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
(limited to 'makefu/2configs/deployment')
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix
index 38eed2fd9..59dfa3203 100644
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@@ -110,6 +110,10 @@ let
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
 add_header X-Robots-Tag none;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+
 # Optional: Don't log access to assets
 access_log off;
 '';
diff --git a/makefu/2configs/nginx/euer.mon.nix b/makefu/2configs/nginx/euer.mon.nix
index 765fef535..c9db15b73 100644
--- a/makefu/2configs/nginx/euer.mon.nix
+++ b/makefu/2configs/nginx/euer.mon.nix
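Review bot: This pool puts the pm directives under `config = {` while the owncloud.nix pool in the same commit uses `settings = {`; `settings` is the phpfpm pool sub-option I know of, and I am not aware of a `config` one, so this attrset will most likely fail evaluation as an undeclared option rather than reach php-fpm. Change it to `settings = {` so both pools agree. The old string's `listen.owner = ${user}` and `listen.group = ${group}` are also not carried over here. The pool definition continues past the end of this hunk (`extraConfig` is still open).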
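Review bot: The three `add_header` lines added in the owncloud.nix hunk are only emitted on 2xx/3xx responses, so error pages served from this block go out without `X-Frame-Options`; nginx's `always` flag fixes that, e.g. `add_header X-Frame-Options SAMEORIGIN always;`. Separately, nginx does not merge `add_header` with the enclosing server level: a block that defines any `add_header` of its own replaces the inherited set, so any header configured at server level but not repeated in this block (which starts outside the hunk) is dropped for these responses, and the two lists should be checked against each other. `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` are legacy IE/Flash-era headers and harmless to keep.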
@@ -32,7 +32,7 @@ in {
 auth_basic "Needs Autherization to visit";
 auth_basic_user_file ${authFile};
 proxy_http_version 1.1;
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_redirect off;
 '';
-- 
cgit v1.3.1
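Review bot: Switching the upstream `Host` header to `$host` drops the port and lowercases the name compared with `$http_host`; with `proxy_redirect off;` two lines below, the backend's own Location headers pass through untouched, so if the backend builds absolute URLs from Host and this vhost is reachable on a non-default port, its redirects will now lose the port. If the vhost only serves 80/443 this is the better choice, since `$host` falls back to the server name when a request carries no Host header, where `$http_host` would be empty. Unrelated to the change, the realm string on the `auth_basic` line above reads "Autherization". The location block begins before this hunk.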