nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

2,844 bytes raw

{
  config,
  pkgs,
  ...
}: let
  domain = "git.tonybtw.com";
  git_root = "/srv/git";
  app_root = "/www/sites/git-btw";
  php_user = "git-btw";
  php_group = "git-btw";
in {
  services.phpfpm.pools.git-btw = {
    user = php_user;
    group = php_group;
    settings = {
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "ondemand";
      "pm.max_children" = 8;
      "pm.process_idle_timeout" = "10s";
    };
  };

  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;

    root = "${app_root}/public";
    index = "index.php";

    locations."/" = {
      tryFiles = "$uri $uri/ /index.php?$query_string";
    };

    locations."~ \\.php$" = {
      extraConfig = ''
        fastcgi_pass unix:${config.services.phpfpm.pools.git-btw.socket};
        fastcgi_index index.php;
        include ${pkgs.nginx}/conf/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param GIT_ROOT ${git_root};
      '';
    };

    locations."/css/" = {
      root = "${app_root}/public";
    };

    locations."/js/" = {
      root = "${app_root}/public";
    };

    locations."~ ^/([^/]+\\.git)/(HEAD|info/refs|objects|git-upload-pack)$" = {
      fastcgiParams = {
        GIT_HTTP_EXPORT_ALL = "";
        GIT_PROJECT_ROOT = git_root;
        PATH_INFO = "$uri";
      };
      extraConfig = ''
        fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};
      '';
    };

    locations."~ ^/([^/]+\\.git)/git-receive-pack$" = {
      fastcgiParams = {
        GIT_HTTP_EXPORT_ALL = "";
        GIT_PROJECT_ROOT = git_root;
        PATH_INFO = "$uri";
      };
      extraConfig = ''
        auth_basic "git push";
        auth_basic_user_file /srv/git/.htpasswd;
        fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};
      '';
    };
  };

  services.fcgiwrap.instances.git = {
    process.user = "git";
    process.group = "git";
    socket = {inherit (config.services.nginx) user group;};
  };

  systemd.services.git-daemon = {
    description = "Git daemon";
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    serviceConfig = {
      ExecStart = "${pkgs.git}/bin/git daemon --reuseaddr --base-path=${git_root} --export-all --verbose ${git_root}";
      User = "git";
      Group = "git";
    };
  };

  users.users.git = {
    isSystemUser = true;
    group = "git";
    home = git_root;
    shell = "${pkgs.git}/bin/git-shell";
  };
  users.groups.git = {};

  users.users.${php_user} = {
    isSystemUser = true;
    group = php_group;
    extraGroups = ["git"];
  };
  users.groups.${php_group} = {};

  systemd.tmpfiles.rules = [
    "d ${git_root} 0755 git git -"
  ];

  networking.firewall.allowedTCPPorts = [9418];
}

1	`{`
2	`config,`
3	`pkgs,`
4	`...`
5	`}: let`
6	`domain = "git.tonybtw.com";`
7	`git_root = "/srv/git";`
8	`app_root = "/www/sites/git-btw";`
9	`php_user = "git-btw";`
10	`php_group = "git-btw";`
11	`in {`
12	`services.phpfpm.pools.git-btw = {`
13	`user = php_user;`
14	`group = php_group;`
15	`settings = {`
16	`"listen.owner" = config.services.nginx.user;`
17	`"listen.group" = config.services.nginx.group;`
18	`"pm" = "ondemand";`
19	`"pm.max_children" = 8;`
20	`"pm.process_idle_timeout" = "10s";`
21	`};`
22	`};`
23
24	`services.nginx.virtualHosts.${domain} = {`
25	`enableACME = true;`
26	`forceSSL = true;`
27
28	`root = "${app_root}/public";`
29	`index = "index.php";`
30
31	`locations."/" = {`
32	`tryFiles = "$uri $uri/ /index.php?$query_string";`
33	`};`
34
35	`locations."~ \\.php$" = {`
36	`extraConfig = ''`
37	`fastcgi_pass unix:${config.services.phpfpm.pools.git-btw.socket};`
38	`fastcgi_index index.php;`
39	`include ${pkgs.nginx}/conf/fastcgi_params;`
40	`fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;`
41	`fastcgi_param GIT_ROOT ${git_root};`
42	`'';`
43	`};`
44
45	`locations."/css/" = {`
46	`root = "${app_root}/public";`
47	`};`
48
49	`locations."/js/" = {`
50	`root = "${app_root}/public";`
51	`};`
52
53	`locations."~ ^/([^/]+\\.git)/(HEAD\|info/refs\|objects\|git-upload-pack)$" = {`
54	`fastcgiParams = {`
55	`GIT_HTTP_EXPORT_ALL = "";`
56	`GIT_PROJECT_ROOT = git_root;`
57	`PATH_INFO = "$uri";`
58	`};`
59	`extraConfig = ''`
60	`fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};`
61	`'';`
62	`};`
63
64	`locations."~ ^/([^/]+\\.git)/git-receive-pack$" = {`
65	`fastcgiParams = {`
66	`GIT_HTTP_EXPORT_ALL = "";`
67	`GIT_PROJECT_ROOT = git_root;`
68	`PATH_INFO = "$uri";`
69	`};`
70	`extraConfig = ''`
71	`auth_basic "git push";`
72	`auth_basic_user_file /srv/git/.htpasswd;`
73	`fastcgi_pass unix:${config.services.fcgiwrap.instances.git.socket.path};`
74	`'';`
75	`};`
76	`};`
77
78	`services.fcgiwrap.instances.git = {`
79	`process.user = "git";`
80	`process.group = "git";`
81	`socket = {inherit (config.services.nginx) user group;};`
82	`};`
83
84	`systemd.services.git-daemon = {`
85	`description = "Git daemon";`
86	`wantedBy = ["multi-user.target"];`
87	`after = ["network.target"];`
88	`serviceConfig = {`
89	`ExecStart = "${pkgs.git}/bin/git daemon --reuseaddr --base-path=${git_root} --export-all --verbose ${git_root}";`
90	`User = "git";`
91	`Group = "git";`
92	`};`
93	`};`
94
95	`users.users.git = {`
96	`isSystemUser = true;`
97	`group = "git";`
98	`home = git_root;`
99	`shell = "${pkgs.git}/bin/git-shell";`
100	`};`
101	`users.groups.git = {};`
102
103	`users.users.${php_user} = {`
104	`isSystemUser = true;`
105	`group = php_group;`
106	`extraGroups = ["git"];`
107	`};`
108	`users.groups.${php_group} = {};`
109
110	`systemd.tmpfiles.rules = [`
111	`"d ${git_root} 0755 git git -"`
112	`];`
113
114	`networking.firewall.allowedTCPPorts = [9418];`
115	`}`