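# NixOS module: SWITCHwayf (Shibboleth discovery service / WAYF) for
# sso.federez.net, served by nginx in front of a dedicated php-fpm pool.
{ config, pkgs, ... }:

let
  sources = import ../npins;
  phps = import sources.nix-phps;

  # Document root of SWITCHwayf. It lives in the read-only Nix store, so no
  # file can be written or uploaded next to the PHP entry points.
  wayfRoot = "${pkgs.switchwayf}/www/";

  phpPool = config.services.phpfpm.pools.switchwayf;
in
{
  nixpkgs.overlays = [
    (self: super: {
      switchwayf = super.callPackage ../pkgs/switchwayf.nix { };
    })
  ];

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts."sso.federez.net" = {
      enableACME = true;
      forceSSL = true;
      root = wayfRoot;

      # Anchored so that only "/x.php" or "/x.php/<path-info>" is handed to
      # php-fpm. The previous pattern ("~ \.php") matched ".php" anywhere in
      # the URI ("/x.php.bak", "/x.phpfoo"), the classic nginx+php-fpm
      # script-confusion shape. The Nix-store root and php-fpm's (default)
      # security.limit_extensions bound the impact, but the location should
      # still be anchored. "[^/]" also rejects a bare "/.php".
      locations."~ [^/]\\.php(/|$)" = {
        root = wayfRoot;
        extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_index WAYF.php;
          fastcgi_pass unix:${phpPool.socket};
          # fastcgi.conf is fastcgi_params plus SCRIPT_FILENAME; including
          # fastcgi_params as well only sent every parameter twice.
          include ${config.services.nginx.package}/conf/fastcgi.conf;
          # Stock fastcgi.conf does not pass PATH_INFO, so the split above
          # was invisible to PHP. Empty when the URI carries no path info.
          fastcgi_param PATH_INFO $fastcgi_path_info;
        '';
      };

      # Earlier attempt at a "/wayf/" prefixed location, kept for reference:
      # locations."~ /wayf/\\.php".extraConfig = ''
      #   fastcgi_split_path_info ^(.+\.php)(/.+)$;
      #   fastcgi_pass unix:${phpPool.socket};
      #   include ${config.services.nginx.package}/conf/fastcgi.conf;
      #   include ${config.services.nginx.package}/conf/fastcgi_params;
      # '';
    };
  };

  # php-fpm runs as its own user; it shares the nginx group only so the
  # FastCGI socket can be group-accessible.
  users.users.switchwayf = {
    isSystemUser = true;
    group = "nginx";
  };
  # The nginx module already declares this group when services.nginx.enable
  # is set; the empty definition just keeps the reference above valid.
  users.groups.nginx = { };

  services.phpfpm.pools.switchwayf = {
    user = "switchwayf";
    group = "nginx";
    settings = {
      pm = "dynamic";
      # The nginx worker must be able to connect to the socket: owner and
      # group nginx with php-fpm's default 0660 mode. listen.group is spelled
      # out rather than left to php-fpm's default (the master process' group).
      "listen.owner" = "nginx";
      "listen.group" = "nginx";
      "pm.max_children" = 10;
      "pm.start_servers" = 1;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 1;
    };
    # XXX(raitobezarius): I don't allow anyone to go in real production with this.
    # PHP 7.4 has been end-of-life (no security fixes) since November 2022;
    # the pin is presumably for SWITCHwayf compatibility -- confirm, and treat
    # it as a blocker before exposing this host.
    # pkgs.stdenv.hostPlatform.system replaces builtins.currentSystem, which is
    # impure and unavailable under pure evaluation (flakes, --pure-eval).
    phpPackage = phps.packages.${pkgs.stdenv.hostPlatform.system}.php74;
    phpEnv = {
      # NOTE(review): nothing in this module creates /var/lib/switchwayf or
      # /var/log/switchwayf or grants the "switchwayf" user write access to
      # them; confirm a tmpfiles rule or deployment step elsewhere.
      backupIDPConfigFile = "/var/lib/switchwayf/IDProvider.conf.php";
      metadataIDPFile = "/var/lib/switchwayf/IDProvider.metadata.conf.php";
      metadataSPFile = "/var/lib/switchwayf/SProvider.metadata.conf.php";
      WAYFLogFile = "/var/log/switchwayf/wayf.log";
      # Config is read from /etc at runtime rather than from the store; the
      # store-based alternative is kept below.
      SWITCHWAYF_CONFIG = "/etc/config.php";
      # SWITCHWAYF_CONFIG = pkgs.writeText "switch_config.php"
      #   (builtins.readFile ./switch-config.php);
    };
  };
}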