From aa1393cdb81225829c85af43add39a30e37b574d Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Mon, 28 Jan 2019 15:50:31 +0100
Subject: [PATCH] nix/os,CFB4ED74: add webserver container
---
nix/os/containers/webserver.nix | 132 +++++++++++++++++++++++++++++
nix/os/devices/CFB4ED74/system.nix | 5 ++
2 files changed, 137 insertions(+)
create mode 100644 nix/os/containers/webserver.nix
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
new file mode 100644
index 0000000..276cc2f
--- /dev/null
+++ b/nix/os/containers/webserver.nix
@@ -0,0 +1,132 @@
+{ ... } @ args:
+
+let
+
+in args // {
+ config = { pkgs, ... }: {
+ networking.firewall.enable = false;
+
+ systemd.services.mysql-deprecated = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ RootDirectory="/var/lib/machines/webserver";
+ MountAPIVFS="yes";
+ BindReadOnlyPaths="/nix";
+ };
+ script = ''
+ export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
+ mkdir /var/run/mysqld -p
+ chown mysql /var/run/mysqld/
+ /usr/sbin/mysqld
+ '';
+ };
+
+ systemd.services.nginx-deprecated = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ description = "webserver-deprecated service";
+ serviceConfig = {
+ RootDirectory="/var/lib/machines/webserver";
+ MountAPIVFS="yes";
+ BindReadOnlyPaths="/nix";
+ };
+ script = ''
+ export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
+ /usr/sbin/nginx -g "daemon off;"
+ '';
+ };
+
+ systemd.services.php-fpm-deprecated = {
+ enable = true;
+ wantedBy = [ "multi-user.target" ];
+ description = "webserver-deprecated service";
+ serviceConfig = {
+ RootDirectory="/var/lib/machines/webserver";
+ MountAPIVFS="yes";
+ BindReadOnlyPaths="/nix";
+ };
+ script = ''
+ export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
+ /usr/lib/php5.5/bin/php-fpm -y /etc/php/fpm-php5.5/php-fpm.conf --pid /run/php-fpm.pid -F
+ '';
+ };
+
+ ## FIXME: make the following work instead of using the old Gentoo rootfs binaries
+ #
+ # services.nginx.enable = true;
+ # services.nginx.virtualHosts."stefanjunker.de" = {
+ # default = true;
+ # onlySSL = true;
+ # root = "/var/www/stefanjunker.de/htdocs";
+
+ # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
+ # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
+
+ # locations."/fi" = {
+ # index = "index.php";
+ # };
+
+ # locations."~ ^(.+\.php)(.*)$".extraConfig = ''
+ # fastcgi_split_path_info ^(.+\.php)(.*)$;
+
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # '';
+ # };
+
+ # services.phpfpm.poolConfigs.mypool = ''
+ # listen = 127.0.0.1:9000
+ # user = nobody
+ # pm = dynamic
+ # pm.max_children = 5
+ # pm.start_servers = 2
+ # pm.min_spare_servers = 1
+ # pm.max_spare_servers = 3
+ # pm.max_requests = 500
+
+ # php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+ # '';
+
+ # services.mysql = {
+ # enable = true;
+ # package = pkgs.mysql;
+ # };
+ };
+
+ autoStart = true;
+
+ bindMounts = {
+ "/var/lib/machines/webserver/" = {
+ hostPath = "/var/lib/container-volumes/webserver/var-lib-machines-webserver";
+ isReadOnly = false;
+ };
+
+ ## FIXME: make the following work instead of using the old Gentoo rootfs
+ #
+ # "/etc/secrets/" = {
+ # hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+ # isReadOnly = false;
+ # };
+
+ # "/var/www" = {
+ # hostPath = "/var/lib/container-volumes/webserver/var-www";
+ # isReadOnly = false;
+ # };
+
+ # "/var/lib/mysql" = {
+ # hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
+ # isReadOnly = false;
+ # };
+ };
+
+ privateNetwork = true;
+ forwardPorts = [
+ {
+ # https/custom
+ containerPort = 443;
+ hostPort = 443;
+ protocol = "tcp";
+ }
+ ];
+}
diff --git a/nix/os/devices/CFB4ED74/system.nix b/nix/os/devices/CFB4ED74/system.nix
index 9aab114..e8c224b 100644
--- a/nix/os/devices/CFB4ED74/system.nix
+++ b/nix/os/devices/CFB4ED74/system.nix
@@ -69,5 +69,10 @@ in {
 hostAddress = "192.168.100.10";
 localAddress = "192.168.100.11";
 };
+
+ webserver = import ../../containers/webserver.nix {
+ hostAddress = "192.168.100.12";
+ localAddress = "192.168.100.13";
+ };
 };
 }
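Review bot: `networking.firewall.enable = false;` at the top of the container's `config` switches the firewall off inside the container, even though `privateNetwork = true` gives it its own network namespace that the host reaches over the veth and only port 443 is meant to be exposed through `forwardPorts`. Keeping the firewall on and opening just that port, `networking.firewall.allowedTCPPorts = [ 443 ];`, would keep whatever else the chroot'd daemons bind (mysqld, and php-fpm's listener, wherever the rootfs config puts them) unreachable from the host side without affecting the forwarded port. The `let … in` above is empty while the `serviceConfig` with `RootDirectory`, `MountAPIVFS` and `BindReadOnlyPaths` is repeated verbatim in all three services; binding it once there (say `chrootServiceConfig`) would keep the three in step. Also `php-fpm-deprecated` carries the description `"webserver-deprecated service"` copied from `nginx-deprecated`, and `mysql-deprecated` has no description at all.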