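# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Host: magao-x.org web server. Provides nginx (ACME/TLS), a PHP-FPM pool
# on 127.0.0.1:9000, MariaDB for WordPress, key-only SSH, mosh, and a
# permanent redirect from the legacy name visao.as.arizona.edu.

{ config, pkgs, ... }:

let
  # Canonical site name; also used for the ACME certificate and www alias.
  fqdn = "magao-x.org";
  # Toggle for ACME + forced HTTPS on the main vhost.
  ssl = true;
  # Document root shared by both vhosts and prepared by webpermissions.service.
  webRoot = "/srv/www";
in
{
  imports =
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  networking.hostName = "magao-x"; # Define your hostname.

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  # Set your time zone.
  time.timeZone = "America/Phoenix";

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  environment.systemPackages = with pkgs; [
    wget vim emacs curl screen git mosh python3 gnumake unzip
  ];

  # Open ports in the firewall. Note that enabling services won't
  # automatically open their ports.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
  networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; # mosh

  # List services that you want to enable:

  # MySQL for Wordpress
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };

  # Enable the OpenSSH daemon. Root login is refused and only public-key
  # authentication is accepted, so the exposed port 22 is not password-guessable.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";
  services.openssh.passwordAuthentication = false;

  # Enable the locate command
  services.locate.enable = true;

  programs.bash.enableCompletion = true;

  # Enable nginx
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  # Who needs a password anyway?
  # NOTE: with this setting, every member of wheel is root without
  # re-authenticating, so a compromised wheel account (or a program it runs)
  # has unrestricted root. Keep the wheel group to the accounts that need it.
  security.sudo.wheelNeedsPassword = false;

  # Enable automatic garbage collection
  nix.gc.automatic = true;
  nix.gc.dates = "03:15";

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "17.09"; # Did you read the comment?

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only

  # Production web server config
  services.nginx.virtualHosts = {
    "${fqdn}" = {
      serverAliases = [ "www.${fqdn}" ];
      enableACME = ssl;
      forceSSL = ssl;
      locations = {
        "/" = {
          root = webRoot;
          extraConfig = ''
            rewrite ^/gmagaox/?$ /gmagao-x/ permanent;
          '';
        };

        # PHP handler.
        #
        # The location key is a Nix double-quoted string: a single "\." is
        # unescaped to "." by the Nix lexer, which would leave nginx with an
        # unescaped "." that matches any character before "php". Writing
        # "\\." produces the literal "\." the regex needs.
        #
        # root is set here as well because the regex location does not
        # inherit the "/" location's root; without it $document_root is
        # nginx's default html directory and SCRIPT_FILENAME is wrong.
        #
        # fastcgi_split_path_info separates the script from any trailing
        # PATH_INFO, and try_files refuses the request when that script does
        # not exist on disk, so a URI with a bogus ".php" component is
        # answered with 404 instead of being handed to PHP-FPM (this is the
        # standard defence against cgi.fix_pathinfo-style confusion).
        # Assumes the NixOS nginx module's default fastcgi include supplies
        # SCRIPT_FILENAME from $document_root$fastcgi_script_name — confirm.
        "~ [^/]\\.php(/|$)" = {
          root = webRoot;
          extraConfig = ''
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            try_files $fastcgi_script_name =404;
            # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_param HTTP_PROXY "";
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
          '';
        };
      };
    };

    # Legacy name: plain HTTP only, everything redirected to the canonical host.
    "visao.as.arizona.edu" = {
      enableACME = false;
      forceSSL = false;
      locations = {
        "/" = {
          root = webRoot;
          extraConfig = ''
            return 301 $scheme://magao-x.org$request_uri;
          '';
        };
      };
    };
  };

  # PHP-FPM pool that nginx's PHP location talks to. It runs as "nobody",
  # which only has o=rX on the web root (see webpermissions below), so PHP
  # cannot modify the site files.
  services.phpfpm.poolConfigs.mypool = ''
    listen = 127.0.0.1:9000
    user = nobody
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    pm.max_requests = 500
  '';

  # One-shot unit that creates the web root and sets ownership/permissions
  # before nginx starts. The tree is owned by the nginx user/group with
  # group-write and setgid directories so new files keep the group; other
  # users (including PHP-FPM's "nobody") get read-only access.
  systemd.services.webpermissions = {
    wantedBy = [ "multi-user.target" ];
    before = [ "nginx.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      mkdir -p ${webRoot}
      chown -R ${config.services.nginx.user}:${config.services.nginx.group} ${webRoot}
      chmod -R u=rwX,g=rwX,o=rX ${webRoot}
      find ${webRoot} -type d -exec chmod g+s {} \;
    '';
  };
}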