muon/flake
1
0
Fork 0
mirror of https://codeberg.org/muon/home.git synced 2026-03-08 03:25:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add embedded syntax hl

Browse source
This commit is contained in:
muon 2025-12-26 10:48:31 +00:00
parent 5bdf9e3a2c
commit fc14a394aa
5 changed files with 284 additions and 250 deletions
Download patch file Download diff file Expand all files Collapse all files

197
modules/nixos/server/grav/service.nix
View file

@ -1,10 +1,20 @@
{ config, lib, pkgs, ... }:
let
inherit (lib)
generators mapAttrs mkDefault mkEnableOption mkIf mkPackageOption mkOption
types;
{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
generators
mapAttrs
mkDefault
mkEnableOption
mkIf
mkPackageOption
mkOption
types
;
cfg = config.mods.services.grav;
@ -12,9 +22,9 @@ let
poolName = "grav";
pkgs_grav = pkgs.callPackage ./package.nix { };
pkgs_grav = pkgs.callPackage ./package.nix {};
servedRoot = pkgs.runCommand "grav-served-root" { } ''
servedRoot = pkgs.runCommand "grav-served-root" {} ''
cp --reflink=auto --no-preserve=mode -r ${pkgs_grav} $out
for p in assets images user system/config; do
@ -22,10 +32,8 @@ let
ln -sf /var/lib/grav/$p $out/$p
done
'';
# systemSettingsYaml =
# yamlFormat.generate "grav-settings.yaml" cfg.systemSettings;
in {
options.mods.services.grav = {
enable = mkEnableOption "grav";
@ -70,7 +78,7 @@ in {
default = 3000;
};
phpPackage = mkPackageOption pkgs "php" { };
phpPackage = mkPackageOption pkgs "php" {};
maxUploadSize = mkOption {
type = types.str;
@ -97,7 +105,10 @@ in {
group = "grav";
phpPackage = cfg.phpPackage.buildEnv {
extensions = { all, enabled }:
extensions = {
all,
enabled,
}:
with all; [
apcu
ctype
@ -115,27 +126,28 @@ in {
zip
];
extraConfig = generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault { } " = ";
} {
output_buffering = "0";
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL";
display_errors = "stderr";
"opcache.interned_strings_buffer" = "8";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
extraConfig =
generators.toKeyValue {
mkKeyValue = generators.mkKeyValueDefault {} " = ";
} {
output_buffering = "0";
short_open_tag = "Off";
expose_php = "Off";
error_reporting = "E_ALL";
display_errors = "stderr";
"opcache.interned_strings_buffer" = "8";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.fast_shutdown" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize;
"apc.enable_cli" = "1";
};
upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize;
"apc.enable_cli" = "1";
};
};
phpEnv = {
@ -169,10 +181,12 @@ in {
${cfg.virtualHost} = {
root = "${servedRoot}";
listen = [{
addr = cfg.addr;
port = cfg.port;
}];
listen = [
{
addr = cfg.addr;
port = cfg.port;
}
];
locations = {
"= /robots.txt" = {
@ -202,31 +216,28 @@ in {
};
# deny running scripts inside core system folders
"~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" =
{
priority = 300;
extraConfig = ''
return 403;
'';
};
"~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = {
priority = 300;
extraConfig = ''
return 403;
'';
};
# deny running scripts inside user folder
"~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" =
{
priority = 300;
extraConfig = ''
return 403;
'';
};
"~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = {
priority = 300;
extraConfig = ''
return 403;
'';
};
# deny access to specific files in the root folder
"~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" =
{
priority = 300;
extraConfig = ''
return 403;
'';
};
"~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" = {
priority = 300;
extraConfig = ''
return 403;
'';
};
# deny all files and folder beginning with a dot (hidden files & folders)
"~ (^|/)\\." = {
@ -245,41 +256,45 @@ in {
};
};
extraConfig = ''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
'';
extraConfig =
# sh
''
index index.php index.html /index.php$request_uri;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag "noindex, nofollow";
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options sameorigin;
add_header Referrer-Policy no-referrer;
client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
'';
};
};
};
systemd.tmpfiles.rules = let datadir = "/var/lib/grav";
in map (dir: "d '${dir}' 0750 grav grav - -") [
"/var/cache/grav"
"${datadir}/assets"
"${datadir}/backup"
"${datadir}/images"
"${datadir}/system/config"
"${datadir}/user/accounts"
"${datadir}/user/config"
"${datadir}/user/data"
"/var/log/grav"
];
systemd.tmpfiles.rules = let
datadir = "/var/lib/grav";
in
map (dir: "d '${dir}' 0750 grav grav - -") [
"/var/cache/grav"
"${datadir}/assets"
"${datadir}/backup"
"${datadir}/images"
"${datadir}/system/config"
"${datadir}/user/accounts"
"${datadir}/user/config"
"${datadir}/user/data"
"/var/log/grav"
];
# ++ [
# "L+ ${datadir}/user/config/system.yaml - - - - ${systemSettingsYaml}"
# ];
@ -287,7 +302,7 @@ in {
systemd.services = {
"phpfpm-${poolName}" = mkIf (cfg.pool == "${poolName}") {
# restartTriggers = [ servedRoot systemSettingsYaml ];
restartTriggers = [ servedRoot ];
restartTriggers = [servedRoot];
serviceConfig = {
ExecStartPre = pkgs.writeShellScript "grav-pre-start" ''
@ -329,6 +344,6 @@ in {
group = "grav";
};
users.groups.grav = { members = [ config.services.nginx.user ]; };
users.groups.grav = {members = [config.services.nginx.user];};
};
}