
Firewall settings (open 80 and 443), sudo rule for checking queue status, simplify ssh keygen

This commit is contained in:
Samuel Štancl 2025-07-24 01:17:19 +02:00
parent 04812f9a98
commit 2bd75fef39


@ -18,12 +18,12 @@
let let
mkUsername = siteName: "laravel-${siteName}"; mkUsername = siteName: "laravel-${siteName}";
in { in {
# Ensure nginx is enabled
services.nginx.enable = true; services.nginx.enable = true;
# Setup ACME if SSL is enabled
security.acme.acceptTerms = lib.mkIf ssl true; security.acme.acceptTerms = lib.mkIf ssl true;
# This doesn't override the array, only merges 80 and potentially 443 into it
networking.firewall.allowedTCPPorts = [ 80 ] ++ lib.optionals ssl [ 443 ];
# Create welcome message for user # Create welcome message for user
environment.etc."laravel-${name}-bashrc".text = '' environment.etc."laravel-${name}-bashrc".text = ''
# Laravel site welcome message # Laravel site welcome message
@ -33,6 +33,7 @@ in {
echo "Site: /srv/${name}" echo "Site: /srv/${name}"
echo "Restart php-fpm: sudo systemctl reload phpfpm-${name}" echo "Restart php-fpm: sudo systemctl reload phpfpm-${name}"
${lib.optionalString queue ''echo "Restart queue: php artisan queue:restart"''} ${lib.optionalString queue ''echo "Restart queue: php artisan queue:restart"''}
${lib.optionalString queue ''echo "Queue status: sudo systemctl status laravel-queue-${name}"''}
${lib.optionalString generateSshKey ''echo "SSH public key: cat ~/.ssh/id_ed25519.pub"''} ${lib.optionalString generateSshKey ''echo "SSH public key: cat ~/.ssh/id_ed25519.pub"''}
echo "---" echo "---"
''; '';
@ -45,7 +46,6 @@ in {
"C /home/${mkUsername name}/.bashrc 0644 ${mkUsername name} ${mkUsername name} - /etc/laravel-${name}-bashrc" "C /home/${mkUsername name}/.bashrc 0644 ${mkUsername name} ${mkUsername name} - /etc/laravel-${name}-bashrc"
]; ];
# Laravel cron job for scheduler
services.cron.systemCronJobs = [ services.cron.systemCronJobs = [
"* * * * * ${mkUsername name} cd /srv/${name} && ${phpPackage}/bin/php artisan schedule:run > /dev/null 2>&1" "* * * * * ${mkUsername name} cd /srv/${name} && ${phpPackage}/bin/php artisan schedule:run > /dev/null 2>&1"
]; ];
@ -87,7 +87,7 @@ in {
if [[ ! -f "$KEY_FILE" ]]; then if [[ ! -f "$KEY_FILE" ]]; then
echo "Generating SSH key for ${mkUsername name}" echo "Generating SSH key for ${mkUsername name}"
mkdir -p "$SSH_DIR" mkdir -p "$SSH_DIR"
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$KEY_FILE" -N "" -C "${mkUsername name}@$(hostname)" ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$KEY_FILE" -N "" -C "${mkUsername name}"
chown -R ${mkUsername name}:${mkUsername name} "$SSH_DIR" chown -R ${mkUsername name}:${mkUsername name} "$SSH_DIR"
chmod 700 "$SSH_DIR" chmod 700 "$SSH_DIR"
chmod 600 "$KEY_FILE" chmod 600 "$KEY_FILE"
@ -173,7 +173,7 @@ in {
# Add site group to nginx service # Add site group to nginx service
systemd.services.nginx.serviceConfig.SupplementaryGroups = [ (mkUsername name) ]; systemd.services.nginx.serviceConfig.SupplementaryGroups = [ (mkUsername name) ];
# Sudo rule for reloading PHP-FPM # Sudo rules for service management
security.sudo.extraRules = [{ security.sudo.extraRules = [{
users = [ (mkUsername name) ]; users = [ (mkUsername name) ];
commands = [ commands = [
@ -185,6 +185,15 @@ in {
command = "/run/current-system/sw/bin/systemctl reload phpfpm-${name}.service"; command = "/run/current-system/sw/bin/systemctl reload phpfpm-${name}.service";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
} }
] ++ lib.optionals queue [
{
command = "/run/current-system/sw/bin/systemctl status laravel-queue-${name}";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/systemctl status laravel-queue-${name}.service";
options = [ "NOPASSWD" ];
}
]; ];
}]; }];
} }
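Review bot: The two NOPASSWD rules added in the `@ -185,6 +185,15 @@` hunk grant more than read-only status: `systemctl status` pipes its output through a pager when stdout is a TTY, and under sudo that pager runs as root, so the rule is effectively unbounded rather than limited to reading the queue unit's state (sudo's default env_reset also means a user-set `SYSTEMD_PAGER` cannot fix this from the bashrc side, and the pager-hardening newer systemd applies under sudo depends on the pager honouring it). Put `--no-pager` into the sudoers command itself, i.e. `command = "/run/current-system/sw/bin/systemctl status --no-pager laravel-queue-${name}";` and `command = "/run/current-system/sw/bin/systemctl status --no-pager laravel-queue-${name}.service";`, since sudoers matches arguments exactly. The welcome message added in the `@ -33,6 +33,7 @@` hunk then needs the same flag, `echo "Queue status: sudo systemctl status --no-pager laravel-queue-${name}"`, or the hint will tell users a command the rule no longer matches. A short comment above the rules, `# --no-pager keeps the root-privileged status command from spawning an interactive pager`, would explain why the flag must not be dropped later.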