nixos/matomo: fix work with phpfpm-rootless mode

This commit is contained in:
Izorkin 2019-06-15 17:43:09 +03:00
parent 5d3805487a
commit 08dae69741


@ -4,13 +4,14 @@ let
cfg = config.services.matomo; cfg = config.services.matomo;
user = "matomo"; user = "matomo";
group = "matomo";
dataDir = "/var/lib/${user}"; dataDir = "/var/lib/${user}";
deprecatedDataDir = "/var/lib/piwik"; deprecatedDataDir = "/var/lib/piwik";
pool = user; pool = user;
# it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770, # it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
# and therefore is not accessible by the web server. # and therefore is not accessible by the web server.
phpSocket = "/run/phpfpm-${pool}.sock"; phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
phpExecutionUnit = "phpfpm-${pool}"; phpExecutionUnit = "phpfpm-${pool}";
databaseService = "mysql.service"; databaseService = "mysql.service";
@ -137,9 +138,12 @@ in {
isSystemUser = true; isSystemUser = true;
createHome = true; createHome = true;
home = dataDir; home = dataDir;
group = user; group = "${group}";
}; };
users.groups.${user} = {}; users.users.${config.services.nginx.user} = {
extraGroups = [ "${group}" ];
};
users.groups.${group} = {};
systemd.services.matomo-setup-update = { systemd.services.matomo-setup-update = {
# everything needs to set up and up to date before Matomo php files are executed # everything needs to set up and up to date before Matomo php files are executed
@ -169,7 +173,7 @@ in {
echo "Migrating from ${deprecatedDataDir} to ${dataDir}" echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
mv -T ${deprecatedDataDir} ${dataDir} mv -T ${deprecatedDataDir} ${dataDir}
fi fi
chown -R ${user}:${user} ${dataDir} chown -R ${user}:${group} ${dataDir}
chmod -R ug+rwX,o-rwx ${dataDir} chmod -R ug+rwX,o-rwx ${dataDir}
''; '';
script = '' script = ''
@ -225,22 +229,26 @@ in {
serviceConfig.UMask = "0007"; serviceConfig.UMask = "0007";
}; };
services.phpfpm.poolConfigs = let services.phpfpm.pools = let
# workaround for when both are null and need to generate a string, # workaround for when both are null and need to generate a string,
# which is illegal, but as assertions apparently are being triggered *after* config generation, # which is illegal, but as assertions apparently are being triggered *after* config generation,
# we have to avoid already throwing errors at this previous stage. # we have to avoid already throwing errors at this previous stage.
socketOwner = if (cfg.nginx != null) then config.services.nginx.user socketOwner = if (cfg.nginx != null) then config.services.nginx.user
else if (cfg.webServerUser != null) then cfg.webServerUser else ""; else if (cfg.webServerUser != null) then cfg.webServerUser else "";
in { in {
${pool} = '' ${pool} = {
listen = "${phpSocket}" socketName = "${pool}";
listen.owner = ${socketOwner} phpPackage = pkgs.php;
listen.group = root user = "${user}";
listen.mode = 0600 group = "${group}";
user = ${user} extraConfig = ''
env[PIWIK_USER_PATH] = ${dataDir} listen.owner = ${socketOwner}
${cfg.phpfpmProcessManagerConfig} listen.group = ${group}
''; listen.mode = 0600
env[PIWIK_USER_PATH] = ${dataDir}
${cfg.phpfpmProcessManagerConfig}
'';
};
}; };
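Review bot: The new `users.users.${config.services.nginx.user}` block in the second hunk is applied unconditionally, even when `cfg.nginx` is null and `cfg.webServerUser` is the configured socket owner (the case the `socketOwner` expression in the last hunk handles); in that mode the nginx user is still created and added to the matomo group while the configured web-server user gets no membership and presumably cannot reach the socket under `/run/phpfpm-${pool}/`. Assuming `mkIf` is in scope as in the rest of the module, gating it as `users.users.${config.services.nginx.user} = mkIf (cfg.nginx != null) { extraGroups = [ group ]; };` and giving `cfg.webServerUser` the same membership when it is set keeps both paths consistent with `socketOwner`. The membership is also broader than socket access: because the setup unit runs `chown -R ${user}:${group} ${dataDir}` and `chmod -R ug+rwX,o-rwx ${dataDir}`, any member of the group gets read/write access to everything under dataDir, which the 0600 socket alone never required, so the block deserves a comment such as `# web server needs group membership to traverse the pool's socket directory; this also grants it group rwX on dataDir`. The quoting in `group = "${group}";` and `[ "${group}" ]` is redundant Nix and reads better as `group = group;` and `[ group ]`. The enclosing `config` attribute set starts and ends outside the hunks.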