From 0f4ed105cbb20cb424279d8a7def4a0fc5e7c4ab Mon Sep 17 00:00:00 2001 From: Jeremy Penner Date: Tue, 14 Nov 2023 22:07:01 -0500 Subject: [PATCH] Refactor to use flakes, continue to work on latest nixos default.nix should continue to work, but module.nix now needs to be passed a system-agnostic reference to the php52 package. --- README.md | 3 ++ default.nix | 127 +++------------------------------------------------- flake.lock | 61 +++++++++++++++++++++++++ flake.nix | 18 ++++++++ lib.nix | 69 ++++++++++++++++++++++++++++ module.nix | 5 +-- php52.nix | 54 ++++++++++++++++++++++ 7 files changed, 214 insertions(+), 123 deletions(-) create mode 100644 flake.lock create mode 100644 flake.nix create mode 100644 lib.nix create mode 100644 php52.nix diff --git a/README.md b/README.md index 7124caf..cdfda2b 100644 --- a/README.md +++ b/README.md @@ -3,6 +3,9 @@ I host a community site that is based on Drupal 5, which can't be upgraded without throwing the whole thing in the bin and starting from scratch. Maybe someday I will do that, but in the meantime, people use it, and I have promised those people that I am not going to delete their stuff. +This repo now uses flakes but I haven't bothered to update this readme with usage information, sorry. Hopefully the flake itself is reasonable +documentation for what the repo provides. If anybody depends on this besides me, sorry I broke your site. + # Usage I'm probably doing this wrong! I'm very new to NixOS. Bug reports or pull requests to make things more standard welcome. I think eventually I'll want this to diff --git a/default.nix b/default.nix index f516760..7467e53 100644 --- a/default.nix +++ b/default.nix 
@@ -1,120 +1,7 @@
-{ pkgs ? import {}, lib ? import , ... }:
-with pkgs; let
- mergedLib = lib: name:
- derivation {
- inherit name coreutils;
- system = builtins.currentSystem;
- builder = "${bash}/bin/bash";
- args = [ ./merge.sh "${lib.out}/*" "${lib.dev}/*" ];
- };
- m_libjpeg = mergedLib libjpeg "m_libjpeg";
- m_libpng = mergedLib libpng "m_libpng";
- php52 = stdenv.mkDerivation {
- name = "php52";
- src = ./php-5.2.17.tar.bz2;
- patches = [ ./php52-backports-security-20130717.patch ./php-5.2.17-fpm.patch ./suhosin-patch-5.2.16-0.9.7.patch ];
- configureFlags = [
- "--enable-fastcgi"
- "--with-zlib=${zlib.dev}"
- "--with-bz2=${bzip2.dev}"
- "--enable-calendar"
- "--with-curl=${curl.dev}"
- "--enable-exif"
- "--with-gd"
- "--with-mcrypt=${libmcrypt}"
- "--with-mysql=${mysql57}"
- "--enable-zip"
- "--with-pear"
- "--enable-force-cgi-redirect"
- "--enable-debug"
- "--enable-mbstring"
- "--enable-fastcgi"
- "--with-fpm-log=/var/log/php52-fpm/php-fpm.log"
- "--with-fpm-pid=/run/php52-fpm/php-fpm.pid"
- "--enable-fpm"
- "--with-libxml-dir=${libxml2.dev}"
- "--with-jpeg-dir=${m_libjpeg}"
- "--with-png-dir=${m_libpng}"
- ];
- postInstall = ''
- cp ./php.ini-recommended "$out/lib/php.ini"
- tar xf ${./suhosin-0.9.31.tgz}
- cd suhosin-0.9.31
- PATH="$out/bin:$PATH" phpize
- PATH="$out/bin:$PATH" ./configure --enable-suhosin
- make install
- cd ..
- sed -i 's:^extension_dir = .*:extension_dir = "'$("$out/bin/php-config" --extension-dir)'":' "$out/lib/php.ini"
- sed -i 's:^upload_max_filesize = .*:upload_max_filesize = 200M:' "$out/lib/php.ini"
- sed -i 's:^post_max_size = .*:post_max_size = 200M:' "$out/lib/php.ini"
- echo "extension=suhosin.so" >> "$out/lib/php.ini"
- echo "sendmail_path=/run/wrappers/bin/sendmail -t -i" >> "$out/lib/php.ini"
- '';
- buildInputs = [ zlib bzip2 curlFull libmcrypt mysql57 libxml2 lzma m_libjpeg m_libpng autoconf automake ];
- };
-in
- php52 // rec {
- vhost = cfg: lib.recursiveUpdate {
- extraConfig = ''
- client_max_body_size 200m;
- index index.php index.html index.htm;
- '' + cfg.extraConfig or "";
- locations = {
- "/favicon.ico" = {
- extraConfig = ''
- log_not_found off;
- access_log off;
- '';
- };
- "/robots.txt" = {
- extraConfig = ''
- allow all;
- log_not_found off;
- access_log off;
- '';
- };
- "~ \\..*/.*\\.php$" = { return = "403"; };
- "~ ^/sites/.*/private/" = { return = "403"; };
-
- # Block access to "hidden" files and directories whose names begin with a
- # period. This includes directories used by version control systems such
- # as Subversion or Git to store control files.
- "~ (^|/)\\.(?!well-known/)" = { return = "403"; };
- "~ \\.php$" = {
- extraConfig = ''
- client_max_body_size 200m;
-
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
- if (!-f $document_root$fastcgi_script_name) {
- return 404;
- }
-
- fastcgi_pass 127.0.0.1:9000;
- fastcgi_index index.php;
- include ${pkgs.nginx}/conf/fastcgi.conf;
- fastcgi_param HTTP_PROXY "";
- '';
- };
- "~ /\.ht" = {
- extraConfig = ''
- # deny access to .htaccess files, if Apache's document root
- # concurs with nginx's one
- deny all;
- '';
- };
- };
- } (builtins.removeAttrs cfg [ "extraConfig" ]);
- vhostDrupal = cfg: vhost (lib.recursiveUpdate cfg {
- locations = {
- "/" = { tryFiles = "$uri @rewrite"; };
- "@rewrite" = {
- extraConfig = ''
- # For Drupal 6 and bwlow:
- # Some modules enforce no slash (/) at the end of the URL
- # Else this rewrite block wouldn't be needed (GlobalRedirect)
- rewrite ^/(.*)$ /index.php?q=$1;
- '';
- };
- };
- });
- }
\ No newline at end of file
+{ pkgs ? import {}, ...}:
+let pkgs22_05 = (builtins.fetchTarball {
+ url = "https://nixos.org/channels/nixos-22.05/nixexprs.tar.xz";
+ }) {};
+ php52 = import ./php52.nix pkgs22_05;
+ lib = import ./lib.nix pkgs;
+in php52 // lib
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..8af2787
--- /dev/null
+++ b/flake.lock
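Review bot: `pkgs22_05` is fetched with `builtins.fetchTarball` and no `sha256`, so every evaluation of default.nix downloads whatever the mutable nixos-22.05 channel URL serves at that moment and nothing verifies it, while the flake side pins nixpkgs to rev `380be19fbd2d9079f677978361792cb25e8a3635` in flake.lock. The legacy entry point should pin the same tree: `pkgs22_05 = import (builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/380be19fbd2d9079f677978361792cb25e8a3635.tar.gz"; sha256 = "<nar hash of the unpacked tree>"; }) {};`. Separately, unless I am mistaken a path value is not callable in Nix, so `(builtins.fetchTarball { … }) {}` as written fails at evaluation time and needs the `import` shown above; the commit message's "should continue to work" suggests this path was not exercised after the refactor.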
@@ -0,0 +1,61 @@
+{
+ "nodes": {
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1685573264,
+ "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "380be19fbd2d9079f677978361792cb25e8a3635",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-22.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "nixpkgs": "nixpkgs"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..3213d10
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,18 @@
+{
+ inputs = {
+ # build currently fails in 22.11 due to flex inserting some unexpected definition :/
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { nixpkgs, flake-utils, ... }:
+ let packages = flake-utils.lib.eachDefaultSystem (system:
+ {
+ packages.default = import ./php52.nix { pkgs = import nixpkgs { inherit system; }; };
+ });
+ in {
+ inherit (packages) packages;
+ lib = import ./lib.nix;
+ nixosModules.default = import ./module.nix packages.packages;
+ };
+}
\ No newline at end of file
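Review bot: The `lib` output in flake.nix is `import ./lib.nix`, which per lib.nix is a function of `pkgs` rather than an attribute set, and nothing at the output site says so; a consumer writing `php52.lib.vhost` gets an attribute-missing error with no hint. A one-line comment would prevent that: `lib = import ./lib.nix; # pkgs -> { vhost, vhostDrupal }; call with the consumer's nixpkgs`. Separately, the inputs pin nixpkgs to nixos-22.05 with a comment that 22.11 fails because of flex; as far as I know 22.05 no longer receives updates, so the curl, zlib, libxml2 and mysql57 that end up linked into php52 come from a frozen branch, and the flex failure deserves a tracked follow-up so the pin does not outlive its reason.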
diff --git a/lib.nix b/lib.nix
new file mode 100644
index 0000000..abe333f
--- /dev/null
+++ b/lib.nix
@@ -0,0 +1,69 @@
+pkgs: let
+ lib = pkgs.lib;
+ vhost = cfg: lib.recursiveUpdate {
+ extraConfig = ''
+ client_max_body_size 200m;
+ index index.php index.html index.htm;
+ '' + cfg.extraConfig or "";
+ locations = {
+ "/favicon.ico" = {
+ extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+ };
+ "/robots.txt" = {
+ extraConfig = ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '';
+ };
+ "~ \\..*/.*\\.php$" = { return = "403"; };
+ "~ ^/sites/.*/private/" = { return = "403"; };
+
+ # Block access to "hidden" files and directories whose names begin with a
+ # period. This includes directories used by version control systems such
+ # as Subversion or Git to store control files.
+ "~ (^|/)\\.(?!well-known/)" = { return = "403"; };
+ "~ \\.php$" = {
+ extraConfig = ''
+ client_max_body_size 200m;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ if (!-f $document_root$fastcgi_script_name) {
+ return 404;
+ }
+
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_index index.php;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ fastcgi_param HTTP_PROXY "";
+ '';
+ };
+ "~ /\.ht" = {
+ extraConfig = ''
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ deny all;
+ '';
+ };
+ };
+ } (builtins.removeAttrs cfg [ "extraConfig" ]);
+ vhostDrupal = cfg: vhost (lib.recursiveUpdate cfg {
+ locations = {
+ "/" = { tryFiles = "$uri @rewrite"; };
+ "@rewrite" = {
+ extraConfig = ''
+ # For Drupal 6 and bwlow:
+ # Some modules enforce no slash (/) at the end of the URL
+ # Else this rewrite block wouldn't be needed (GlobalRedirect)
+ rewrite ^/(.*)$ /index.php?q=$1;
+ '';
+ };
+ };
+ });
+in
+{
+ inherit vhost vhostDrupal;
+}
diff --git a/module.nix b/module.nix
index 0fc46c1..494ddff 100644
--- a/module.nix
+++ b/module.nix
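Review bot: The `"~ /\.ht"` location key in `vhost` uses a single backslash while every other regex key in the same attribute set uses `\\.`; I believe Nix drops the backslash from an unrecognised escape in a double-quoted string, so nginx receives `~ /.ht`, where `.` matches any character — still a superset of the intended `/\.ht` deny rule, but not what the comment inside it describes. Use `"~ /\\.ht" = {` for consistency with `"~ \\.php$"` and the other keys. This block is moved verbatim from default.nix, so the inconsistency predates the commit.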
@@ -1,8 +1,7 @@ -{ config, lib, pkgs, ...}@args: +packages: { config, lib, pkgs, ...}@args: with lib; let cfg = config.services.php52-fpm; - php52 = import ./default.nix args; in { options.services.php52-fpm = { enable = mkOption { @@ -25,7 +24,7 @@ in { serviceConfig = { Type = "forking"; PIDFile = "/run/php52-fpm/php-fpm.pid"; - ExecStart = "${php52}/bin/php-cgi -x"; + ExecStart = "${packages."${pkgs.system}".default}/bin/php-cgi -x"; User = "nginx"; Group = "nginx"; RuntimeDirectory = "php52-fpm"; diff --git a/php52.nix b/php52.nix new file mode 100644 index 0000000..8968e2a --- /dev/null +++ b/php52.nix 
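Review bot: `packages."${pkgs.system}".default` on the new `ExecStart` line has no fallback, so on a system that flake-utils' eachDefaultSystem does not enumerate the evaluation fails with a generic attribute-missing error deep inside the systemd unit, and the new leading `packages:` parameter is not documented anywhere in the module. Suggest `ExecStart = "${packages.${pkgs.system}.default or (throw "php52-fpm: no php52 package for ${pkgs.system}")}/bin/php-cgi -x";` and a comment on the module's first line such as `# packages: per-system attrset (packages.<system>.default = php52) as produced by flake.nix`. The `let` and `config` blocks these hunks touch extend outside the hunks.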
@@ -0,0 +1,54 @@
+{ pkgs, ... }:
+let mergedLib = lib: name:
+ derivation {
+ inherit name;
+ system = pkgs.system;
+ coreutils = pkgs.coreutils;
+ builder = "${pkgs.bash}/bin/bash";
+ args = [ ./merge.sh "${lib.out}/*" "${lib.dev}/*" ];
+ };
+ m_libjpeg = mergedLib pkgs.libjpeg "m_libjpeg";
+ m_libpng = mergedLib pkgs.libpng "m_libpng";
+in with pkgs; stdenv.mkDerivation {
+ name = "php52";
+ src = ./php-5.2.17.tar.bz2;
+ patches = [ ./php52-backports-security-20130717.patch ./php-5.2.17-fpm.patch ./suhosin-patch-5.2.16-0.9.7.patch ];
+ configureFlags = [
+ "--enable-fastcgi"
+ "--with-zlib=${zlib.dev}"
+ "--with-bz2=${bzip2.dev}"
+ "--enable-calendar"
+ "--with-curl=${curl.dev}"
+ "--enable-exif"
+ "--with-gd"
+ "--with-mcrypt=${libmcrypt}"
+ "--with-mysql=${mysql57}"
+ "--enable-zip"
+ "--with-pear"
+ "--enable-force-cgi-redirect"
+ "--enable-debug"
+ "--enable-mbstring"
+ "--enable-fastcgi"
+ "--with-fpm-log=/var/log/php52-fpm/php-fpm.log"
+ "--with-fpm-pid=/run/php52-fpm/php-fpm.pid"
+ "--enable-fpm"
+ "--with-libxml-dir=${libxml2.dev}"
+ "--with-jpeg-dir=${m_libjpeg}"
+ "--with-png-dir=${m_libpng}"
+ ];
+ postInstall = ''
+ cp ./php.ini-recommended "$out/lib/php.ini"
+ tar xf ${./suhosin-0.9.31.tgz}
+ cd suhosin-0.9.31
+ PATH="$out/bin:$PATH" phpize
+ PATH="$out/bin:$PATH" ./configure --enable-suhosin
+ make install
+ cd ..
+ sed -i 's:^extension_dir = .*:extension_dir = "'$("$out/bin/php-config" --extension-dir)'":' "$out/lib/php.ini"
+ sed -i 's:^upload_max_filesize = .*:upload_max_filesize = 200M:' "$out/lib/php.ini"
+ sed -i 's:^post_max_size = .*:post_max_size = 200M:' "$out/lib/php.ini"
+ echo "extension=suhosin.so" >> "$out/lib/php.ini"
+ echo "sendmail_path=/run/wrappers/bin/sendmail -t -i" >> "$out/lib/php.ini"
+ '';
+ buildInputs = [ zlib bzip2 curlFull libmcrypt mysql57 libxml2 lzma m_libjpeg m_libpng autoconf automake ];
+ }
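Review bot: `configureFlags` lists `"--enable-fastcgi"` twice (the first and the fifteenth entry), so one of them should go. The same list carries `"--enable-debug"` into the build whose `php-cgi` module.nix runs as the production service; as far as I know PHP's debug configuration adds internal consistency checks and more verbose error reporting and is not meant for serving traffic, so unless the flag is needed for the suhosin build it deserves at least a comment such as `# --enable-debug kept because <reason>` or removal. Also `buildInputs` names `curlFull` while the configure flag points at `curl.dev`; I cannot tell from here whether those resolve to the same headers and library, so that is worth a check. The derivation itself is moved from default.nix, so these points predate the commit.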