nix/os/containers/webserver: use php56 and drop the chroot

steveej 2019-02-03 12:58:56 +01:00
parent 247096c808
commit 7bad36ed75


@ -3,7 +3,7 @@
let let
in args // { in args // {
config = { pkgs, ... }: { config = { config, pkgs, ... }: {
imports = [ imports = [
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
]; ];
@ -15,124 +15,71 @@ in args // {
domain = "www.stefanjunker.de"; domain = "www.stefanjunker.de";
}; };
systemd.services.mysql-deprecated = { services.nginx.enable = true;
enable = true; services.nginx.virtualHosts."stefanjunker.de" = {
wantedBy = [ "multi-user.target" ]; default = true;
serviceConfig = { onlySSL = true;
RootDirectory="/var/lib/machines/webserver"; root = "/var/www/stefanjunker.de/htdocs";
MountAPIVFS="yes";
BindReadOnlyPaths="/nix"; sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
locations."/fi" = {
index = "index.php";
}; };
script = ''
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin locations."~ ^(.+\.php)(.*)$".extraConfig = ''
mkdir /var/run/mysqld -p fastcgi_split_path_info ^(.+\.php)(.*)$;
chown mysql /var/run/mysqld/
/usr/sbin/mysqld fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
''; '';
}; };
systemd.services.nginx-deprecated = { services.phpfpm.phpPackage = pkgs.php56;
services.phpfpm.poolConfigs.mypool = ''
listen = 127.0.0.1:9000
user = nobody
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.max_requests = 500
php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
'';
services.mysql = {
enable = true; enable = true;
wantedBy = [ "multi-user.target" ]; package = pkgs.mariadb;
description = "webserver-deprecated service";
serviceConfig = {
RootDirectory="/var/lib/machines/webserver";
MountAPIVFS="yes";
BindReadOnlyPaths="/nix";
};
script = ''
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
/usr/sbin/nginx -g "daemon off;"
'';
}; };
systemd.services.php-fpm-deprecated = {
enable = true;
wantedBy = [ "multi-user.target" ];
description = "webserver-deprecated service";
serviceConfig = {
RootDirectory="/var/lib/machines/webserver";
MountAPIVFS="yes";
BindReadOnlyPaths="/nix";
};
script = ''
export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
/usr/lib/php5.5/bin/php-fpm -y /etc/php/fpm-php5.5/php-fpm.conf --pid /run/php-fpm.pid -F
'';
};
## FIXME: make the following work instead of using the old Gentoo rootfs binaries
#
# services.nginx.enable = true;
# services.nginx.virtualHosts."stefanjunker.de" = {
# default = true;
# onlySSL = true;
# root = "/var/www/stefanjunker.de/htdocs";
# sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
# sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
# locations."/fi" = {
# index = "index.php";
# };
# locations."~ ^(.+\.php)(.*)$".extraConfig = ''
# fastcgi_split_path_info ^(.+\.php)(.*)$;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# '';
# };
# services.phpfpm.poolConfigs.mypool = ''
# listen = 127.0.0.1:9000
# user = nobody
# pm = dynamic
# pm.max_children = 5
# pm.start_servers = 2
# pm.min_spare_servers = 1
# pm.max_spare_servers = 3
# pm.max_requests = 500
# php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
# '';
# services.mysql = {
# enable = true;
# package = pkgs.mysql;
# };
}; };
autoStart = true; autoStart = true;
bindMounts = { bindMounts = {
"/var/lib/machines/webserver/" = { "/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-machines-webserver"; hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
isReadOnly = true;
};
"/var/www" = {
hostPath = "/var/lib/container-volumes/webserver/var-www";
isReadOnly = false; isReadOnly = false;
}; };
## FIXME: make the following work instead of using the old Gentoo rootfs "/var/lib/mysql" = {
# hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
# "/etc/secrets/" = { isReadOnly = false;
# hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; };
# isReadOnly = false;
# };
# "/var/www" = {
# hostPath = "/var/lib/container-volumes/webserver/var-www";
# isReadOnly = false;
# };
# "/var/lib/mysql" = {
# hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
# isReadOnly = false;
# };
}; };
privateNetwork = true; privateNetwork = true;
forwardPorts = [ forwardPorts = [
{ {
# https/custom # https
containerPort = 443; containerPort = 443;
hostPort = 443; hostPort = 443;
protocol = "tcp"; protocol = "tcp";