nix/os/containers/webserver: use php56 and drop the chroot

2019-02-03 12:58:56 +01:00 · 2019-02-03 12:58:56 +01:00 · 7bad36ed75
commit 7bad36ed75
parent 247096c808
1 changed files with 47 additions and 100 deletions
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@ -3,7 +3,7 @@
 let

 in args // {
-  config = { pkgs, ... }: {
+  config = { config, pkgs, ... }: {
    imports = [
      ../profiles/containers/configuration.nix
    ];
@ -15,124 +15,71 @@ in args // {
        domain = "www.stefanjunker.de";
    };

-    systemd.services.mysql-deprecated = {
-      enable = true;
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        RootDirectory="/var/lib/machines/webserver";
-        MountAPIVFS="yes";
-        BindReadOnlyPaths="/nix";
+    services.nginx.enable = true;
+    services.nginx.virtualHosts."stefanjunker.de" = {
+      default = true;
+      onlySSL = true;
+      root = "/var/www/stefanjunker.de/htdocs";
+
+      sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
+      sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
+
+      locations."/fi" = {
+        index = "index.php";
      };
-      script = ''
-        export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
-        mkdir /var/run/mysqld -p
-        chown mysql /var/run/mysqld/
-        /usr/sbin/mysqld
+
+      locations."~ ^(.+\.php)(.*)$".extraConfig = ''
+        fastcgi_split_path_info  ^(.+\.php)(.*)$;
+
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
      '';
    };

-    systemd.services.nginx-deprecated = {
+    services.phpfpm.phpPackage = pkgs.php56;
+
+    services.phpfpm.poolConfigs.mypool = ''
+      listen = 127.0.0.1:9000
+      user = nobody
+      pm = dynamic
+      pm.max_children = 5
+      pm.start_servers = 2
+      pm.min_spare_servers = 1
+      pm.max_spare_servers = 3
+      pm.max_requests = 500
+
+      php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+    '';
+
+    services.mysql = {
      enable = true;
-      wantedBy = [ "multi-user.target" ];
-      description = "webserver-deprecated service";
-      serviceConfig = {
-        RootDirectory="/var/lib/machines/webserver";
-        MountAPIVFS="yes";
-        BindReadOnlyPaths="/nix";
-      };
-      script = ''
-        export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
-        /usr/sbin/nginx -g "daemon off;"
-      '';
+      package = pkgs.mariadb;
    };
-
-    systemd.services.php-fpm-deprecated = {
-      enable = true;
-      wantedBy = [ "multi-user.target" ];
-      description = "webserver-deprecated service";
-      serviceConfig = {
-        RootDirectory="/var/lib/machines/webserver";
-        MountAPIVFS="yes";
-        BindReadOnlyPaths="/nix";
-      };
-      script = ''
-        export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
-        /usr/lib/php5.5/bin/php-fpm -y /etc/php/fpm-php5.5/php-fpm.conf --pid /run/php-fpm.pid -F
-      '';
-    };
-
-    ## FIXME: make the following work instead of using the old Gentoo rootfs binaries
-    #
-    # services.nginx.enable = true;
-    # services.nginx.virtualHosts."stefanjunker.de" = {
-    #   default = true;
-    #   onlySSL = true;
-    #   root = "/var/www/stefanjunker.de/htdocs";
-
-    #   sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
-    #   sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
-
-    #   locations."/fi" = {
-    #     index = "index.php";
-    #   };
-
-    #   locations."~ ^(.+\.php)(.*)$".extraConfig = ''
-    #     fastcgi_split_path_info  ^(.+\.php)(.*)$;
-
-    #     fastcgi_pass 127.0.0.1:9000;
-    #     fastcgi_index index.php;
-    #   '';
-    # };
-
-    # services.phpfpm.poolConfigs.mypool = ''
-    #   listen = 127.0.0.1:9000
-    #   user = nobody
-    #   pm = dynamic
-    #   pm.max_children = 5
-    #   pm.start_servers = 2 
-    #   pm.min_spare_servers = 1 
-    #   pm.max_spare_servers = 3
-    #   pm.max_requests = 500
-
-    #   php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
-    # '';
-
-    # services.mysql = {
-    #   enable = true;
-    #   package = pkgs.mysql;
-    # };
  };

  autoStart = true;

  bindMounts = {
-    "/var/lib/machines/webserver/" = {
-      hostPath = "/var/lib/container-volumes/webserver/var-lib-machines-webserver";
+    "/etc/secrets/" = {
+      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+      isReadOnly = true;
+    };
+
+    "/var/www" = {
+      hostPath = "/var/lib/container-volumes/webserver/var-www";
      isReadOnly = false;
    };

-    ## FIXME: make the following work instead of using the old Gentoo rootfs
-    #
-    # "/etc/secrets/" = { 
-    #   hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
-    #   isReadOnly = false;
-    # };
-
-    # "/var/www" = { 
-    #   hostPath = "/var/lib/container-volumes/webserver/var-www";
-    #   isReadOnly = false;
-    # };
-
-    # "/var/lib/mysql" = { 
-    #   hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
-    #   isReadOnly = false;
-    # };
+    "/var/lib/mysql" = {
+      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
+      isReadOnly = false;
+    };
  };

  privateNetwork = true;
  forwardPorts = [
    {
-      # https/custom
+      # https
      containerPort = 443;
      hostPort = 443;
      protocol = "tcp";