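{
  pkgs,
  config,
  lib,
  ...
}:

let
  cfg = config.services.privatebin;

  # Renders `cfg.settings` as the INI-style conf.php PrivateBin expects:
  # booleans and ints are emitted bare, paths and strings double-quoted,
  # anything else falls back to the generic formatter.
  # NOTE(review): quoted values are not escaped, so a string containing a
  # literal `"` would produce a malformed line -- check against PHP's
  # parse_ini_file before relying on such values.
  customToINI = lib.generators.toINI {
    mkKeyValue = lib.generators.mkKeyValueDefault {
      mkValueString =
        v:
        if v == true then
          "true"
        else if v == false then
          "false"
        else if builtins.isInt v then
          builtins.toString v
        else if builtins.isPath v then
          ''"${builtins.toString v}"''
        else if builtins.isString v then
          ''"${v}"''
        else
          lib.generators.mkValueStringDefault { } v;
    } "=";
  };

  # A store directory holding conf.php. The Nix store is world-readable,
  # so anything placed in `cfg.settings` (database passwords, for example)
  # is visible to every local user.
  privatebinSettings = pkgs.writeTextDir "conf.php" (customToINI cfg.settings);

  user = cfg.user;
  group = cfg.group;

  defaultUser = "privatebin";
  defaultGroup = "privatebin";
in
{

  options.services.privatebin = {

    enable = lib.mkEnableOption "PrivateBin, a minimalist, open source online pastebin where the server has zero knowledge of pasted data";

    user = lib.mkOption {
      type = lib.types.str;
      default = defaultUser;
      description = "User account under which privatebin runs.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = if cfg.enableNginx then "nginx" else defaultGroup;
      defaultText = lib.literalExpression "if config.services.privatebin.enableNginx then \"nginx\" else \"${defaultGroup}\"";
      description = ''
        Group under which privatebin runs. It is best to set this to the group
        of whatever webserver is being used as the frontend, since the php-fpm
        socket is created group-accessible (`listen.mode = 0660`).
      '';
    };

    dataDir = lib.mkOption {
      type = lib.types.path;
      default = "/var/lib/privatebin";
      description = ''
        The place where privatebin stores its state (pastes, purge and
        traffic-limiter data).
      '';
    };

    package = lib.mkPackageOption pkgs "privatebin" { };

    enableNginx = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable nginx or not. If enabled, an nginx virtual host will
        be created for access to privatebin. The virtual host is plain HTTP;
        enable TLS yourself (for example `forceSSL`/`enableACME` on
        `services.nginx.virtualHosts.<name>`), as PrivateBin's client-side
        encryption relies on the browser treating the origin as secure.
        If not enabled, then you may use
        `''${config.services.privatebin.package}` as your document root in
        whichever webserver you wish to setup.
      '';
    };

    virtualHost = lib.mkOption {
      type = lib.types.str;
      default = "localhost";
      description = ''
        The hostname at which you wish privatebin to be served. If you have
        enabled nginx using `services.privatebin.enableNginx` then this will
        be used.
      '';
    };

    poolConfig = lib.mkOption {
      type = lib.types.attrsOf (
        lib.types.oneOf [
          lib.types.str
          lib.types.int
          lib.types.bool
        ]
      );
      default = { };
      example = lib.literalExpression ''
        {
          "pm" = "dynamic";
          "pm.max_children" = 32;
          "pm.start_servers" = 2;
          "pm.min_spare_servers" = 2;
          "pm.max_spare_servers" = 4;
          "pm.max_requests" = 500;
        }
      '';
      description = ''
        Options for the PrivateBin PHP pool, merged on top of the module's
        defaults (`pm = dynamic`, `pm.max_children = 32`,
        `pm.start_servers = 2`, `pm.min_spare_servers = 2`,
        `pm.max_spare_servers = 4`, `pm.max_requests = 500`, and the
        `listen.*` settings derived from `user`/`group`). Entries given here
        take precedence. See the documentation on `php-fpm.conf` for details
        on configuration directives.
      '';
    };

    settings = lib.mkOption {
      default = { };
      description = ''
        Options for privatebin configuration. Refer to
        <https://github.com/PrivateBin/PrivateBin/wiki/Configuration> for
        details on supported values.

        The rendered `conf.php` is placed in the world-readable Nix store,
        so do not put secrets (such as database credentials) here.
      '';
      example = lib.literalExpression ''
        {
          main = {
            name = "NixOS Based Privatebin";
            discussion = false;
            defaultformatter = "plaintext";
            qrcode = true;
          };
          model.class = "Filesystem";
          model_options.dir = "/var/lib/privatebin/data";
        }
      '';
      type = lib.types.submodule { freeformType = lib.types.attrsOf lib.types.anything; };
    };
  };

  config = lib.mkIf cfg.enable {
    services.privatebin.settings = {
      main = lib.mkDefault { };
      model.class = lib.mkDefault "Filesystem";
      model_options.dir = lib.mkDefault "${cfg.dataDir}/data";
      purge.dir = lib.mkDefault "${cfg.dataDir}/purge";
      traffic = {
        dir = lib.mkDefault "${cfg.dataDir}/traffic";
        # Header PrivateBin reads the client address from for its traffic
        # limiter. X-Forwarded-For is supplied by the client; unless a trusted
        # reverse proxy in front of nginx overwrites it, callers can spoof it
        # and sidestep the limiter. Left overridable so deployments where
        # nginx is the internet-facing endpoint can change it.
        header = lib.mkDefault "X_FORWARDED_FOR";
      };
    };

    services.phpfpm.pools.privatebin = {
      inherit user group;
      phpPackage = pkgs.php83;
      phpOptions = ''
        log_errors = on
      '';
      # Module defaults are all mkDefault; `cfg.poolConfig` is layered on top
      # so user entries win without needing mkForce.
      settings = {
        "listen.mode" = lib.mkDefault "0660";
        "listen.owner" = lib.mkDefault user;
        "listen.group" = lib.mkDefault group;
        "pm" = lib.mkDefault "dynamic";
        "pm.max_children" = lib.mkDefault 32;
        "pm.start_servers" = lib.mkDefault 2;
        "pm.min_spare_servers" = lib.mkDefault 2;
        "pm.max_spare_servers" = lib.mkDefault 4;
        "pm.max_requests" = lib.mkDefault 500;
      } // cfg.poolConfig;
      # writeTextDir yields the directory containing conf.php, which is
      # exactly what PrivateBin expects in CONFIG_PATH.
      phpEnv.CONFIG_PATH = builtins.toString privatebinSettings;
    };

    services.nginx = lib.mkIf cfg.enableNginx {
      enable = true;
      recommendedTlsSettings = lib.mkDefault true;
      recommendedOptimisation = lib.mkDefault true;
      recommendedGzipSettings = lib.mkDefault true;
      virtualHosts.${cfg.virtualHost} = {
        root = "${cfg.package}";
        locations = {
          "/" = {
            tryFiles = "$uri $uri/ /index.php?$query_string";
            index = "index.php";
            extraConfig = ''
              sendfile off;
            '';
          };
          # `modHeadersAvailable` is deliberately NOT passed to php-fpm: it
          # tells PrivateBin the webserver already emits the security headers
          # (CSP and friends), and this virtual host adds none, so PrivateBin
          # must keep sending them itself.
          "~ \\.php$" = {
            extraConfig = ''
              # Only hand scripts that actually exist under the document root
              # to php-fpm instead of letting PATH_INFO-style URIs through.
              try_files $uri =404;
              include ${config.services.nginx.package}/conf/fastcgi_params;
              fastcgi_param SCRIPT_FILENAME $request_filename;
              fastcgi_pass unix:${config.services.phpfpm.pools.privatebin.socket};
            '';
          };
        };
      };
    };

    # State directories are readable only by the service user and the
    # (webserver) group; the root of dataDir is created with the same owner.
    systemd.tmpfiles.settings."10-privatebin" =
      lib.attrsets.genAttrs
        [
          "${cfg.dataDir}"
          "${cfg.dataDir}/data"
          "${cfg.dataDir}/traffic"
          "${cfg.dataDir}/purge"
        ]
        (n: {
          d = {
            group = group;
            mode = "0750";
            user = user;
          };
        });

    users = {
      users = lib.mkIf (user == defaultUser) {
        ${defaultUser} = {
          description = "Privatebin service user";
          inherit group;
          isSystemUser = true;
          home = cfg.dataDir;
        };
      };
      groups = lib.mkIf (group == defaultGroup) { ${defaultGroup} = { }; };
    };
  };
}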