Merge pull request #28749 from florianjacob/piwik-improve-config
nixos/piwik: Adjust to recent NixOS changes, use nginx's virtualHost instead of replicating [WIP]
This commit is contained in:
commit
5393b0fc1d
@ -79,16 +79,6 @@
|
|||||||
You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
|
You can safely ignore this, unless you need a plugin that needs JavaScript tracker access.
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>
|
|
||||||
Sending mail from piwik, e.g. for the password reset function, might not work out of the box:
|
|
||||||
There's a problem with using <command>sendmail</command> from <literal>php-fpm</literal> that is
|
|
||||||
being investigated at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/26611" />.
|
|
||||||
If you have (or don't have) this problem as well, please report it. You can enable SMTP as method
|
|
||||||
to send mail in piwik's <quote>General Settings</quote> > <quote>Mail Server Settings</quote> instead.
|
|
||||||
</para>
|
|
||||||
</listitem>
|
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
@ -24,14 +24,17 @@ in {
|
|||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Enable piwik web analytics with php-fpm backend.
|
Enable piwik web analytics with php-fpm backend.
|
||||||
|
Either the nginx option or the webServerUser option is mandatory.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
webServerUser = mkOption {
|
webServerUser = mkOption {
|
||||||
type = types.str;
|
type = types.nullOr types.str;
|
||||||
example = "nginx";
|
default = null;
|
||||||
|
example = "lighttpd";
|
||||||
description = ''
|
description = ''
|
||||||
Name of the owner of the ${phpSocket} fastcgi socket for piwik.
|
Name of the web server user that forwards requests to the ${phpSocket} fastcgi socket for piwik if the nginx
|
||||||
|
option is not used. Either this option or the nginx option is mandatory.
|
||||||
If you want to use another webserver than nginx, you need to set this to that server's user
|
If you want to use another webserver than nginx, you need to set this to that server's user
|
||||||
and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
|
and pass fastcgi requests to `index.php` and `piwik.php` to this socket.
|
||||||
'';
|
'';
|
||||||
@ -57,47 +60,35 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
nginx = mkOption {
|
nginx = mkOption {
|
||||||
# TODO: for maximum flexibility, it would be nice to use nginx's vhost_options module
|
type = types.nullOr (types.submodule (import ../web-servers/nginx/vhost-options.nix {
|
||||||
# but this only makes sense if we can somehow specify defaults suitable for piwik.
|
inherit config lib;
|
||||||
# But users can always copy the piwik nginx config to their configuration.nix and customize it.
|
}));
|
||||||
type = types.nullOr (types.submodule {
|
|
||||||
options = {
|
|
||||||
virtualHost = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "piwik.${config.networking.hostName}";
|
|
||||||
example = "piwik.$\{config.networking.hostName\}";
|
|
||||||
description = ''
|
|
||||||
Name of the nginx virtualhost to use and set up.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
enableSSL = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = "Whether to enable https.";
|
|
||||||
};
|
|
||||||
forceSSL = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = "Whether to always redirect to https.";
|
|
||||||
};
|
|
||||||
enableACME = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = "Whether to ask Let's Encrypt to sign a certificate for this vhost.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
default = null;
|
default = null;
|
||||||
example = { virtualHost = "stats.$\{config.networking.hostName\}"; };
|
example = {
|
||||||
|
serverName = "stats.$\{config.networking.hostName\}";
|
||||||
|
enableACME = false;
|
||||||
|
};
|
||||||
description = ''
|
description = ''
|
||||||
The options to use to configure an nginx virtualHost.
|
With this option, you can customize an nginx virtualHost which already has sensible defaults for piwik.
|
||||||
If null (the default), no nginx virtualHost will be configured.
|
Either this option or the webServerUser option is mandatory.
|
||||||
|
Set this to {} to just enable the virtualHost if you don't need any customization.
|
||||||
|
If enabled, then by default, the serverName is piwik.$\{config.networking.hostName\}, SSL is active,
|
||||||
|
and certificates are acquired via ACME.
|
||||||
|
If this is set to null (the default), no nginx virtualHost will be configured.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
warnings = mkIf (cfg.nginx != null && cfg.webServerUser != null) [
|
||||||
|
"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."
|
||||||
|
];
|
||||||
|
|
||||||
|
assertions = [ {
|
||||||
|
assertion = cfg.nginx != null || cfg.webServerUser != null;
|
||||||
|
message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";
|
||||||
|
}];
|
||||||
|
|
||||||
users.extraUsers.${user} = {
|
users.extraUsers.${user} = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
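Review bot: Both new user-facing messages name an option path that does not exist: the warning `"If services.piwik.nginx is set, services.piwik.nginx.webServerUser is ignored and should be removed."` and the assertion `message = "Either services.piwik.nginx or services.piwik.nginx.webServerUser is mandatory";`. The previous hunk declares `webServerUser = mkOption` directly under the piwik options, alongside `nginx`, so both strings should say `services.piwik.webServerUser`; as written, an admin following the message will look for a sub-option of the nginx submodule that the module never defines. The same correction applies to the second occurrence in the assertion message. The `config = mkIf cfg.enable {` attribute set this sits in continues past the hunk.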
@ -153,10 +144,16 @@ in {
|
|||||||
serviceConfig.UMask = "0007";
|
serviceConfig.UMask = "0007";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.phpfpm.poolConfigs = {
|
services.phpfpm.poolConfigs = let
|
||||||
|
# workaround for when both are null and need to generate a string,
|
||||||
|
# which is illegal, but as assertions apparently are being triggered *after* config generation,
|
||||||
|
# we have to avoid already throwing errors at this previous stage.
|
||||||
|
socketOwner = if (cfg.nginx != null) then config.services.nginx.user
|
||||||
|
else if (cfg.webServerUser != null) then cfg.webServerUser else "";
|
||||||
|
in {
|
||||||
${pool} = ''
|
${pool} = ''
|
||||||
listen = "${phpSocket}"
|
listen = "${phpSocket}"
|
||||||
listen.owner = ${cfg.webServerUser}
|
listen.owner = ${socketOwner}
|
||||||
listen.group = root
|
listen.group = root
|
||||||
listen.mode = 0600
|
listen.mode = 0600
|
||||||
user = ${user}
|
user = ${user}
|
||||||
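Review bot: The three-line comment above `socketOwner` hedges with "apparently" on the one fact that justifies the `else ""` fallback, which leaves the next reader unsure whether the workaround is still needed. I would state it plainly and tie it to the assertion it defers to, e.g. `# Both options may be null while this string is evaluated; the module assertion in config reports that case, so fall back to "" here instead of throwing and masking its message.` Note that the `""` fallback emits a bare `listen.owner = ` line in the pool config, so this only stays safe while the assertion on `cfg.nginx != null || cfg.webServerUser != null` remains in place. The `${pool} = ''` string and the enclosing `services.phpfpm.poolConfigs` let-block continue beyond the end of the hunk.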
@ -170,11 +167,14 @@ in {
|
|||||||
# References:
|
# References:
|
||||||
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
|
# https://fralef.me/piwik-hardening-with-nginx-and-php-fpm.html
|
||||||
# https://github.com/perusio/piwik-nginx
|
# https://github.com/perusio/piwik-nginx
|
||||||
${cfg.nginx.virtualHost} = {
|
"${user}.${config.networking.hostName}" = mkMerge [ cfg.nginx {
|
||||||
root = "${pkgs.piwik}/share";
|
# don't allow to override root, as it will almost certainly break piwik
|
||||||
enableSSL = cfg.nginx.enableSSL;
|
root = mkForce "${pkgs.piwik}/share";
|
||||||
enableACME = cfg.nginx.enableACME;
|
|
||||||
forceSSL = cfg.nginx.forceSSL;
|
# allow to override SSL settings if necessary, i.e. when using another method than ACME
|
||||||
|
# but enable them by default, as sensitive login and piwik data should not be transmitted in clear text.
|
||||||
|
forceSSL = mkDefault true;
|
||||||
|
enableACME = mkDefault true;
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
index = "index.php";
|
index = "index.php";
|
||||||
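Review bot: Merging the user's `cfg.nginx` submodule with `mkMerge [ cfg.nginx { ... } ]` only works as an override for the values the hunk gives a priority: `root` is `mkForce`, `forceSSL` and `enableACME` are `mkDefault`, but `locations."/"` is set with a plain `index = "index.php";`, so a user who customizes the same location will presumably get a conflicting-definitions error rather than an override (hedged: the rest of the `locations` set lies outside this hunk). Either wrap the module's location settings in `mkDefault` as the SSL settings are, or say in the `nginx` option description that `locations` must be overridden with `mkForce`. Separately, the comment `# allow to override SSL settings if necessary, i.e. when using another method than ACME` means "e.g.", since ACME is one example rather than the definition. The `"${user}.${config.networking.hostName}" = mkMerge [` attribute and its enclosing `services.nginx.virtualHosts` set continue past the hunk.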
@ -208,7 +208,7 @@ in {
|
|||||||
locations."= /piwik.js".extraConfig = ''
|
locations."= /piwik.js".extraConfig = ''
|
||||||
expires 1M;
|
expires 1M;
|
||||||
'';
|
'';
|
||||||
};
|
}];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|