diff --git a/systems/LoutreOS/hardware-configuration.nix b/systems/LoutreOS/hardware-configuration.nix index 68e20bb..4984718 100644 --- a/systems/LoutreOS/hardware-configuration.nix +++ b/systems/LoutreOS/hardware-configuration.nix @@ -163,6 +163,11 @@ fsType = "zfs"; }; + fileSystems."/mnt/webdav" = + { device = "loutrepool/webdav"; + fsType = "zfs"; + }; + swapDevices = [ { diff --git a/systems/LoutreOS/web.nix b/systems/LoutreOS/web.nix index 0f63412..a1499b4 100644 --- a/systems/LoutreOS/web.nix +++ b/systems/LoutreOS/web.nix 
@@ -48,30 +48,56 @@ in acceptTerms = true; }; - users.groups.work = {}; - users.users.work = { - isSystemUser = true; - group = config.users.groups.work.name; + users.groups = { + work = {}; + webdav = {}; + }; + users.users = { + work = { + isSystemUser = true; + group = config.users.groups.work.name; + }; + webdav = { + isSystemUser = true; + group = config.users.groups.webdav.name; + }; }; services = { - phpfpm.pools.work = { - user = config.users.users.work.name; - phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]); - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 75; - "pm.start_servers" = 10; - "pm.min_spare_servers" = 5; - "pm.max_spare_servers" = 20; - "pm.max_requests" = 500; + phpfpm.pools = { + work = { + user = config.users.users.work.name; + phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]); + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 75; + "pm.start_servers" = 10; + "pm.min_spare_servers" = 5; + "pm.max_spare_servers" = 20; + "pm.max_requests" = 500; + }; + }; + drive = { + user = config.users.users.webdav.name; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 75; + "pm.start_servers" = 10; + "pm.min_spare_servers" = 5; + "pm.max_spare_servers" = 20; + "pm.max_requests" = 500; + }; + phpOptions = '' + output_buffering=off + ''; }; }; nginx = { enable = true; package = pkgs.nginx.override { - modules = with pkgs.nginxModules; [ dav ]; + modules = with pkgs.nginxModules; [ dav moreheaders ]; }; recommendedGzipSettings = true; recommendedOptimisation = true; @@ -83,8 +109,6 @@ in } add_header Strict-Transport-Security $hsts_header; add_header Referrer-Policy origin-when-cross-origin; - - error_page 500 502 503 504 https://nyanlout.re/errorpages/50x.html; ''; sso = { enable = true; 
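Review bot: The new `drive` pool repeats the `listen.owner` and six `pm.*` settings of `work` verbatim, so the two copies (both now at `pm.max_children = 75`) will drift the first time one of them is tuned. Bind the shared block once in the file's existing `let` (the hunk context shows the `in`), e.g. `poolSettings = { "listen.owner" = config.services.nginx.user; "pm" = "dynamic"; "pm.max_children" = 75; ... };`, and write `settings = poolSettings;` in each pool, with `poolSettings // { ... }` where one pool needs to differ. The `drive` pool also sets no `phpPackage`, so it runs the default `pkgs.php` without the redis/filter extensions the `work` pool loads; if that is deliberate, a one-line comment saying so would save the next reader a check. The enclosing `services = {` set continues past the end of the hunk.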
@@ -128,34 +152,47 @@ in }; virtualHosts = let base = locations: { - inherit locations; + locations = locations // { + "@maintenance" = { + root = "/var/www/errorpages/"; + extraConfig = '' + rewrite ^(.*)$ /50x.html break; + ''; + }; + }; forceSSL = true; enableACME = true; + extraConfig = '' + error_page 500 502 503 504 = @maintenance; + ''; }; simpleReverse = rport: base { "/" = { proxyPass = "http://127.0.0.1:${toString(rport)}/"; }; }; - authReverse = rport: base { - "/" = { - proxyPass = "http://127.0.0.1:${toString(rport)}/"; + authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [ + (base { + "/" = { + proxyPass = "http://127.0.0.1:${toString(rport)}/"; + extraConfig = '' + auth_request_set $cookie $upstream_http_set_cookie; + add_header Set-Cookie $cookie; + ''; + }; + }) + { extraConfig = '' - auth_request_set $cookie $upstream_http_set_cookie; - add_header Set-Cookie $cookie; + include ${nginxSsoAuth}; ''; - }; - } // { - extraConfig = '' - include ${nginxSsoAuth}; - ''; - }; + } + ]; in { "nyanlout.re" = base { "/" = { alias = "/var/www/site-perso/"; }; - "/errorpages/" = { + "/maintenance/" = { alias = "/var/www/errorpages/"; }; "/.well-known/openpgpkey/" = { @@ -194,7 +231,11 @@ in "jackett.nyanlout.re" = authReverse 9117; "pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port; "matrix.nyanlout.re" = simpleReverse 8008; - "emby.nyanlout.re" = simpleReverse 8096; + "emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) { + locations."/" = { + proxyWebsockets = true; + }; + }; "ci.nyanlout.re" = simpleReverse 52350; "gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort; "musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port; 
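Review bot: `error_page 500 502 503 504 = @maintenance;` added to `base` uses the `=` form, which replaces the original status with whatever the named location produces — for the static `/50x.html` the rewrite serves that is 200, so an upstream outage is reported to clients, caches and monitoring as success. If keeping the 5xx code is intended, drop the `=`: `error_page 500 502 503 504 @maintenance;` (or pin one explicitly with `=503`). The `zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [ ... ]` merge introduced for `authReverse` is repeated verbatim for `"rspamd.nyanlout.re"` in the next hunk; lift it into one helper in the `let`, e.g. `withSsoAuth = vhost: zipAttrsWith (name: vs: if name == "extraConfig" then concatStrings vs else elemAt vs 0) [ vhost { extraConfig = "include ${nginxSsoAuth};\n"; } ];`, and express both sites through it. The `virtualHosts` set these helpers build continues past the end of the hunk.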
@@ -203,27 +244,58 @@ in proxyWebsockets = true; }; }; - "work.rezom.eu" = base { + # "work.rezom.eu" = base { + # "/" = { + # index = "/_h5ai/public/index.php"; + # extraConfig = '' + # dav_ext_methods PROPFIND OPTIONS; + # ''; + # }; + # "~ ^/(_h5ai/public/index|random).php" = { + # extraConfig = '' + # fastcgi_split_path_info ^(.+\.php)(/.+)$; + # fastcgi_pass unix:${config.services.phpfpm.pools.work.socket}; + # include ${pkgs.nginx}/conf/fastcgi_params; + # include ${pkgs.nginx}/conf/fastcgi.conf; + # ''; + # }; + # } // { + # root = "/mnt/medias/iso_linux"; + # extraConfig = '' + # access_log /var/log/nginx/$host.log; + # ''; + # }; + "drive.nyanlout.re" = base { "/" = { - index = "/_h5ai/public/index.php"; - extraConfig = '' - dav_ext_methods PROPFIND OPTIONS; - ''; - }; - "~ ^/(_h5ai/public/index|random).php" = { + index = "/index.php"; extraConfig = '' fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools.work.socket}; + fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket}; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; + + client_max_body_size 0; ''; }; } // { - root = "/mnt/medias/iso_linux"; - extraConfig = '' - access_log /var/log/nginx/$host.log; - ''; + root = "/mnt/webdav"; }; + "rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [ + (base { + "/" = { + proxyPass = "http://unix:/run/rspamd/worker-controller.sock"; + extraConfig = '' + auth_request_set $cookie $upstream_http_set_cookie; + add_header Set-Cookie $cookie; + ''; + }; + }) + { + extraConfig = '' + include ${nginxSsoAuth}; + ''; + } + ]; }; }; @@ -279,7 +351,10 @@ in }; systemd.services.nginx.serviceConfig = { - ReadWritePaths = "/var/www/hls"; + ReadWritePaths = [ + "/var/www/hls" + "/mnt/webdav" + ]; }; systemd.services.phpfpm-work.serviceConfig = {
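Review bot: In the new `"drive.nyanlout.re"` vhost, location `"/"` hands every request to the `drive` pool with `fastcgi.conf`'s SCRIPT_FILENAME derived from the request URI, so nginx asks PHP-FPM to execute whichever file under `/mnt/webdav` the URI names — and `/mnt/webdav` is the directory this same stack writes into (`client_max_body_size 0`, the `ReadWritePaths` entry in the last hunk), so a file with a `.php` name that lands there becomes a script reachable from the web. If the app is a single front controller, as `index = "/index.php"` suggests, pin the script instead of deriving it from the URI — `fastcgi_param SCRIPT_FILENAME $document_root/index.php;` and `fastcgi_param PATH_INFO $uri;` after the two includes, dropping `fastcgi_split_path_info` — otherwise confine the fastcgi block to a `~ ^/index\.php(/|$)` location as the removed work.rezom.eu config did for its PHP entry points. `client_max_body_size 0` disables the body limit entirely; a large explicit value is easier to reason about and to alert on. The commented-out `"work.rezom.eu"` vhost should be deleted rather than kept as comments, since git history preserves it.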
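Review bot: `ReadWritePaths` now opens `/mnt/webdav` to the nginx unit, yet nothing in this diff has nginx write there: the `drive` vhost only forwards to the `drive` PHP-FPM pool, which runs as the new `webdav` user and is presumably the process that creates files, and no `dav_methods` location is configured despite the `dav` module being loaded. If PHP does the writing, the grant belongs on `systemd.services.phpfpm-drive.serviceConfig` (mirroring the `phpfpm-work` block whose start is the last line of this hunk) and nginx can keep `/mnt/webdav` read-only; if nginx's dav module is meant to write, the vhost is still missing that location. A short comment beside the entry naming which process writes to `/mnt/webdav` would settle it for the next reader. The `phpfpm-work` serviceConfig block continues past the end of the hunk.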