nixos-config/hosts/france/selby-forum.nix


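{ config, lib, pkgs, ... }:
#
# Selby forum (Vanilla Forums) on this host: nginx + php-fpm serve the
# Nix-packaged application; MariaDB and memcached run as containers whose
# ports are published on loopback only. No secret is placed in the Nix
# store -- credentials are read at runtime from files under
# /srv/selby-forum/private.
#
let
  # NOTE(review): this is the TLS/ACME host, while site-domain below is
  # "forum.selby.ca"; presumably a staging deployment -- confirm that the
  # mismatch is intended before pointing production DNS here.
  hostname = "forum.test.selby.ca";

  # -- MariaDB container ----------------------------------------------------
  mariadb-tag = "10";
  mariadb-port = "13306";
  mariadb-data-path = "/srv/selby-forum/mariadb-data";
  # Both env files are handed to the container unchanged, so which name points
  # at which file does not alter behaviour; the bindings were cross-assigned
  # and now match the file names. NOTE(review): confirm on disk that
  # mariadb-root-env carries MYSQL_ROOT_PASSWORD and mariadb-env carries
  # MYSQL_PASSWORD.
  mariadb-root-env-file = "/srv/selby-forum/private/mariadb-root-env";
  mariadb-env-file = "/srv/selby-forum/private/mariadb-env";
  mariadb-username = "forum_selby_ca";
  mariadb-database = "forum_selby_ca";
  mariadb-password-file = "/srv/selby-forum/private/mariadb-user-passwd";

  # Absolute path. The original "srv/selby-forum/..." lacked the leading "/",
  # so PHP would have resolved it relative to php-fpm's working directory and
  # the SMTP password would never have been found.
  smtp-password-file = "/srv/selby-forum/private/smtp-passwd";

  # -- memcached container --------------------------------------------------
  # memcached has no authentication: loopback publishing keeps it off the
  # network, but any local process can still read/write the cache.
  memcached-tag = "1.6-alpine";
  memcached-port = "11219";

  # -- PHP / nginx ----------------------------------------------------------
  fastcgi-params = "include ${pkgs.nginx}/conf/fastcgi_params";
  # Single knob for the upload ceiling. upload_max_filesize is only effective
  # when post_max_size is at least as large; PHP's default post_max_size (8M)
  # would otherwise reject larger uploads silently.
  upload-limit = "100M";

  # URI patterns that must never be served. Each becomes a case-insensitive
  # regex location answering 403. nginx matches these against a URI that
  # always begins with "/".
  forbidden-rxs = [
    # Apache control files (.htaccess, .htpasswd, ...). The former
    # "^.htaccess$" could never match "/.htaccess": its single-character
    # wildcard was consumed by the leading "/".
    "/\\.ht"
    "^/conf/"
    "^/cache/"
    "^/cgi-bin/"
    "^/uploads/imports/"
    "^/vendor/"
    # Any PHP file other than the front controller. Vanilla routes every
    # request through /index.php; without this rule the "/" location's
    # try_files would hand the source of e.g. /bootstrap.php (present in the
    # web root via selby-forum-pkg) to the client as a static file. The
    # negative lookahead keeps /index.php itself (with or without PATH_INFO)
    # out of the deny set regardless of location ordering.
    "^/(?!index\\.php(/|$)).*\\.php(/|$)"
  ];

  # Generated bootstrap glue: environment.php points Vanilla at the immutable
  # package, the writable state dir and the /etc config dir; index.php wires
  # that environment to the package's bootstrap.
  environment = pkgs.writeTextDir "/environment.php"
    (import ./forum-config/environment.php.nix {
      static-root = "${pkgs.vanilla-forum}";
      state-root = "/srv/selby-forum/state";
      config-root = "/etc/selby-forum";
    });
  index = pkgs.writeTextDir "/index.php" (import ./forum-config/index.php.nix {
    environment-file = "${environment}/environment.php";
    bootstrap-file = "${pkgs.vanilla-forum}/bootstrap.php";
  });
  # Web root: the upstream package overlaid with our generated index.php.
  selby-forum-pkg = pkgs.symlinkJoin {
    name = "selby-forum";
    paths = [ pkgs.vanilla-forum index ];
  };

  # One 403 location per forbidden pattern.
  forbidden-rx-entry = rx:
    lib.nameValuePair "~* ${rx}" {
      return = "403";
      extraConfig = "deny all;";
    };
  forbidden-rx-entries =
    builtins.listToAttrs (map forbidden-rx-entry forbidden-rxs);

  # Ownership/mode shared by the /etc config files: readable by the php-fpm
  # user only, since config.php names the credential files.
  nginx-private = {
    uid = config.users.users.nginx.uid;
    mode = "0600";
  };

  phpfpm-socket = config.services.phpfpm.pools.selby-forum.socket;
in {
  config = {
    environment.etc = {
      "selby-forum/config-defaults.php" = nginx-private // {
        source = ./forum-config/config-defaults.php;
      };
      "selby-forum/constants.php" = nginx-private // {
        source = ./forum-config/constants.php;
      };
      "selby-forum/config.php" = nginx-private // {
        text = import ./forum-config/config.php.nix {
          config = {
            database-host = "127.0.0.1:${mariadb-port}";
            database-name = mariadb-database;
            database-user = mariadb-username;
            database-password-file = mariadb-password-file;
            site-name = "Selby Forum";
            site-domain = "forum.selby.ca";
            smtp-host = "mail.fudo.org";
            smtp-user = "selby-forum";
            smtp-password-file = smtp-password-file;
            memcached-server = "127.0.0.1:${memcached-port}";
          };
        };
      };
    };

    docker-containers = {
      selby-forum-mariadb = {
        image = "mariadb:${mariadb-tag}";
        # Loopback only: the database is reachable solely from this host.
        ports = [ "127.0.0.1:${mariadb-port}:3306" ];
        volumes = [ "${mariadb-data-path}:/var/lib/mysql" ];
        environment = {
          MYSQL_USER = mariadb-username;
          MYSQL_DATABASE = mariadb-database;
        };
        # Passwords arrive via --env-file so they stay out of the Nix store.
        # They are still visible through `docker inspect` to anyone allowed to
        # talk to the Docker daemon, so keep that group minimal.
        extraDockerOptions = [
          "--env-file=${mariadb-root-env-file}"
          "--env-file=${mariadb-env-file}"
        ];
      };
      selby-forum-memcached = {
        image = "memcached:${memcached-tag}";
        ports = [ "127.0.0.1:${memcached-port}:11211" ];
      };
    };

    security.acme.certs."${hostname}".email = "niten@fudo.org";

    services = {
      phpfpm.pools.selby-forum = {
        user = "nginx";
        group = "nginx";
        settings = {
          "pm" = "dynamic";
          "pm.max_children" = 50;
          "pm.start_servers" = 5;
          "pm.min_spare_servers" = 1;
          "pm.max_spare_servers" = 8;
          # Have php-fpm create the socket with the ownership nginx needs,
          # rather than chown-ing it from a separate unit after start-up.
          "listen.owner" = "nginx";
          "listen.group" = "nginx";
          "listen.mode" = "0660";
        };
        phpOptions = ''
          memory_limit = 500M
          file_uploads = On
          ; NOTE(review): allow_url_fopen lets include/fopen reach remote URLs,
          ; widening the impact of any path-injection bug; keep it On only if
          ; Vanilla or an enabled plugin actually depends on it.
          allow_url_fopen = On
          short_open_tag = On
          upload_max_filesize = ${upload-limit}
          post_max_size = ${upload-limit}
          max_execution_time = 360
          date.timezone = America/Winnipeg
        '';
      };

      nginx = {
        enable = true;
        virtualHosts."${hostname}" = {
          enableACME = true;
          forceSSL = true;
          root = "${selby-forum-pkg}/";
          locations = forbidden-rx-entries // {
            # Static files straight from the package; everything else goes to
            # the front controller.
            "/" = {
              index = "index.php";
              tryFiles = "$uri @vanilla";
            };
            "@vanilla" = {
              extraConfig = ''
                rewrite ^ /index.php$request_uri last;
              '';
            };
            # Front controller. The dot is escaped so this matches only
            # index.php, not e.g. /indexXphp.
            "~* ^/index\\.php($|/)" = {
              extraConfig = ''
                expires -1;
                ${fastcgi-params};
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                fastcgi_param SCRIPT_NAME /index.php;
                fastcgi_param SCRIPT_FILENAME $realpath_root/index.php;
                fastcgi_param X_REWRITE 1;
                fastcgi_pass unix:${phpfpm-socket};
              '';
            };
          };
        };
      };
    };
  };
}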