Merge branch 'feature/nix-package-module'
This commit is contained in:
commit
b1281be699
19 changed files with 996 additions and 10 deletions
28
backend/app/Auth/AuthCookieSettings.php
Normal file
28
backend/app/Auth/AuthCookieSettings.php
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
<?php
|
||||
|
||||
namespace App\Auth;
|
||||
|
||||
class AuthCookieSettings
|
||||
{
|
||||
public function __construct(
|
||||
private bool $secure,
|
||||
private ?string $domain,
|
||||
private string $sameSite,
|
||||
) {
|
||||
}
|
||||
|
||||
public function isSecure(): bool
|
||||
{
|
||||
return $this->secure;
|
||||
}
|
||||
|
||||
public function getDomain(): ?string
|
||||
{
|
||||
return $this->domain;
|
||||
}
|
||||
|
||||
public function getSameSite(): string
|
||||
{
|
||||
return $this->sameSite;
|
||||
}
|
||||
}
|
||||
36
backend/app/Console/Commands/EnsureInitialAdminCommand.php
Normal file
36
backend/app/Console/Commands/EnsureInitialAdminCommand.php
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
<?php
|
||||
|
||||
namespace App\Console\Commands;
|
||||
|
||||
use App\User\InitialAdminCredentialsProvider;
|
||||
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdmin;
|
||||
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdminRequest;
|
||||
use Illuminate\Console\Command;
|
||||
|
||||
class EnsureInitialAdminCommand extends Command
|
||||
{
|
||||
protected $signature = 'rabbi-gerzi:ensure-initial-admin';
|
||||
|
||||
protected $description = 'Create the configured initial admin if missing';
|
||||
|
||||
public function __construct(
|
||||
private EnsureInitialAdmin $ensureInitialAdmin,
|
||||
private InitialAdminCredentialsProvider $credentialsProvider,
|
||||
) {
|
||||
parent::__construct();
|
||||
}
|
||||
|
||||
public function handle(): int
|
||||
{
|
||||
$credentials = $this->credentialsProvider->getCredentials();
|
||||
|
||||
$this->ensureInitialAdmin->execute(new EnsureInitialAdminRequest(
|
||||
email: $credentials->getEmail(),
|
||||
password: $credentials->getPassword(),
|
||||
));
|
||||
|
||||
$this->info('initial admin is ready');
|
||||
|
||||
return self::SUCCESS;
|
||||
}
|
||||
}
|
||||
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
namespace App\Controllers;
|
||||
|
||||
use App\Auth\AuthCookieSettings;
|
||||
use App\Auth\UseCases\AuthenticateUser\AuthenticateUser;
|
||||
use App\Auth\UseCases\AuthenticateUser\AuthenticateUserRequest;
|
||||
use App\Auth\UseCases\CreateSession\CreateSession;
|
||||
|
|
@ -20,6 +21,7 @@ class AuthController
|
|||
private AuthenticateUser $authenticateUser,
|
||||
private CreateSession $createSession,
|
||||
private Logout $logout,
|
||||
private AuthCookieSettings $cookieSettings,
|
||||
) {
|
||||
}
|
||||
|
||||
|
|
@ -55,11 +57,11 @@ class AuthController
|
|||
value: $session->getToken(),
|
||||
expire: $session->getExpiresAt()->getTimestamp(),
|
||||
path: '/',
|
||||
domain: null,
|
||||
secure: false,
|
||||
domain: $this->cookieSettings->getDomain(),
|
||||
secure: $this->cookieSettings->isSecure(),
|
||||
httpOnly: true,
|
||||
raw: false,
|
||||
sameSite: Cookie::SAMESITE_LAX,
|
||||
sameSite: $this->cookieSettings->getSameSite(),
|
||||
));
|
||||
}
|
||||
|
||||
|
|
@ -98,11 +100,11 @@ class AuthController
|
|||
value: '',
|
||||
expire: 1,
|
||||
path: '/',
|
||||
domain: null,
|
||||
secure: false,
|
||||
domain: $this->cookieSettings->getDomain(),
|
||||
secure: $this->cookieSettings->isSecure(),
|
||||
httpOnly: true,
|
||||
raw: false,
|
||||
sameSite: Cookie::SAMESITE_LAX,
|
||||
sameSite: $this->cookieSettings->getSameSite(),
|
||||
));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
namespace App\Providers;
|
||||
|
||||
use App\Auth\AuthCookieSettings;
|
||||
use App\Auth\BcryptPasswordHasher;
|
||||
use App\Auth\Clock;
|
||||
use App\Auth\PasswordHasher;
|
||||
|
|
@ -10,6 +11,8 @@ use App\Auth\SystemClock;
|
|||
use App\Auth\TokenGenerator;
|
||||
use App\Shared\Files\Filesystem;
|
||||
use App\Shared\Files\LaravelFilesystem;
|
||||
use App\User\EnvironmentInitialAdminCredentialsProvider;
|
||||
use App\User\InitialAdminCredentialsProvider;
|
||||
use Illuminate\Support\ServiceProvider;
|
||||
|
||||
class AppServiceProvider extends ServiceProvider
|
||||
|
|
@ -32,5 +35,49 @@ class AppServiceProvider extends ServiceProvider
|
|||
Filesystem::class,
|
||||
LaravelFilesystem::class,
|
||||
);
|
||||
$this->app->bind(
|
||||
InitialAdminCredentialsProvider::class,
|
||||
EnvironmentInitialAdminCredentialsProvider::class,
|
||||
);
|
||||
$this->app->bind(
|
||||
AuthCookieSettings::class,
|
||||
function (): AuthCookieSettings {
|
||||
$secureCookie = config('session.secure');
|
||||
$sessionDomain = config('session.domain');
|
||||
$sameSite = config('session.same_site');
|
||||
|
||||
return new AuthCookieSettings(
|
||||
secure: $this->booleanConfig($secureCookie),
|
||||
domain: $this->nullableStringConfig($sessionDomain),
|
||||
sameSite: is_string($sameSite) ? $sameSite : 'lax',
|
||||
);
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
private function booleanConfig(mixed $value): bool
|
||||
{
|
||||
if (is_bool($value)) {
|
||||
return $value;
|
||||
}
|
||||
|
||||
if (is_int($value)) {
|
||||
return $value === 1;
|
||||
}
|
||||
|
||||
if (is_string($value)) {
|
||||
return in_array(strtolower($value), ['1', 'true'], true);
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private function nullableStringConfig(mixed $value): ?string
|
||||
{
|
||||
if (! is_string($value) || trim($value) === '') {
|
||||
return null;
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,31 @@
|
|||
<?php
|
||||
|
||||
namespace App\User;
|
||||
|
||||
use RuntimeException;
|
||||
|
||||
class EnvironmentInitialAdminCredentialsProvider implements
|
||||
InitialAdminCredentialsProvider
|
||||
{
|
||||
public function getCredentials(): InitialAdminCredentials
|
||||
{
|
||||
return new InitialAdminCredentials(
|
||||
email: $this->requiredEnvironmentValue(
|
||||
'RABBI_GERZI_INITIAL_ADMIN_EMAIL',
|
||||
),
|
||||
password: $this->requiredEnvironmentValue(
|
||||
'RABBI_GERZI_INITIAL_ADMIN_PASSWORD',
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
private function requiredEnvironmentValue(string $key): string
|
||||
{
|
||||
$value = getenv($key);
|
||||
if (! is_string($value) || trim($value) === '') {
|
||||
throw new RuntimeException("$key is required");
|
||||
}
|
||||
|
||||
return $value;
|
||||
}
|
||||
}
|
||||
22
backend/app/User/InitialAdminCredentials.php
Normal file
22
backend/app/User/InitialAdminCredentials.php
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
<?php
|
||||
|
||||
namespace App\User;
|
||||
|
||||
class InitialAdminCredentials
|
||||
{
|
||||
public function __construct(
|
||||
private string $email,
|
||||
private string $password,
|
||||
) {
|
||||
}
|
||||
|
||||
public function getEmail(): string
|
||||
{
|
||||
return $this->email;
|
||||
}
|
||||
|
||||
public function getPassword(): string
|
||||
{
|
||||
return $this->password;
|
||||
}
|
||||
}
|
||||
8
backend/app/User/InitialAdminCredentialsProvider.php
Normal file
8
backend/app/User/InitialAdminCredentialsProvider.php
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
<?php
|
||||
|
||||
namespace App\User;
|
||||
|
||||
interface InitialAdminCredentialsProvider
|
||||
{
|
||||
public function getCredentials(): InitialAdminCredentials;
|
||||
}
|
||||
|
|
@ -0,0 +1,31 @@
|
|||
<?php
|
||||
|
||||
namespace App\User\UseCases\EnsureInitialAdmin;
|
||||
|
||||
use App\Auth\PasswordHasher;
|
||||
use App\Shared\ValueObject\EmailAddress;
|
||||
use App\User\CreateUserDto;
|
||||
use App\User\UserRepository;
|
||||
|
||||
class EnsureInitialAdmin
|
||||
{
|
||||
public function __construct(
|
||||
private UserRepository $userRepository,
|
||||
private PasswordHasher $passwordHasher,
|
||||
) {
|
||||
}
|
||||
|
||||
public function execute(EnsureInitialAdminRequest $request): void
|
||||
{
|
||||
$email = new EmailAddress($request->email);
|
||||
$existingUser = $this->userRepository->findByEmail($email);
|
||||
if ($existingUser !== null) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->userRepository->create(new CreateUserDto(
|
||||
email: $email,
|
||||
passwordHash: $this->passwordHasher->hash($request->password),
|
||||
));
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
<?php
|
||||
|
||||
namespace App\User\UseCases\EnsureInitialAdmin;
|
||||
|
||||
class EnsureInitialAdminRequest
|
||||
{
|
||||
public function __construct(
|
||||
public string $email,
|
||||
public string $password,
|
||||
) {
|
||||
}
|
||||
}
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
<?php
|
||||
|
||||
use App\Console\Commands\EnsureInitialAdminCommand;
|
||||
use Illuminate\Foundation\Application;
|
||||
use Illuminate\Foundation\Configuration\Exceptions;
|
||||
use Illuminate\Foundation\Configuration\Middleware;
|
||||
|
|
@ -10,6 +11,9 @@ return Application::configure(basePath: dirname(__DIR__))
|
|||
commands: __DIR__ . '/../routes/console.php',
|
||||
health: '/up',
|
||||
)
|
||||
->withCommands([
|
||||
EnsureInitialAdminCommand::class,
|
||||
])
|
||||
->withMiddleware(function (Middleware $middleware): void {
|
||||
//
|
||||
})
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
namespace Tests\Unit\Controllers;
|
||||
|
||||
use App\Auth\AuthCookieSettings;
|
||||
use App\Auth\UseCases\AuthenticateUser\AuthenticateUser;
|
||||
use App\Auth\UseCases\CreateSession\CreateSession;
|
||||
use App\Auth\UseCases\Logout\Logout;
|
||||
|
|
@ -60,6 +61,11 @@ class AuthControllerTest extends TestCase
|
|||
$authenticateUser,
|
||||
$createSession,
|
||||
$logout,
|
||||
new AuthCookieSettings(
|
||||
secure: false,
|
||||
domain: null,
|
||||
sameSite: 'lax',
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -104,6 +110,32 @@ class AuthControllerTest extends TestCase
|
|||
);
|
||||
}
|
||||
|
||||
public function testLoginUsesConfiguredCookieSettings(): void
|
||||
{
|
||||
$this->controller = $this->controllerWithCookieSettings(
|
||||
new AuthCookieSettings(
|
||||
secure: true,
|
||||
domain: '.example.com',
|
||||
sameSite: 'none',
|
||||
)
|
||||
);
|
||||
$this->seedStartupUser('user@example.com', 'password');
|
||||
|
||||
$request = new Request([
|
||||
'email' => 'user@example.com',
|
||||
'password' => 'password',
|
||||
]);
|
||||
$response = $this->controller->login($request);
|
||||
|
||||
$cookies = $response->headers->getCookies();
|
||||
$this->assertCount(1, $cookies);
|
||||
$cookie = $cookies[0];
|
||||
|
||||
$this->assertTrue($cookie->isSecure());
|
||||
$this->assertSame('.example.com', $cookie->getDomain());
|
||||
$this->assertSame('none', $cookie->getSameSite());
|
||||
}
|
||||
|
||||
public function testLoginReturns400WhenEmailMissing(): void
|
||||
{
|
||||
$request = new Request(['password' => 'correctpassword']);
|
||||
|
|
@ -160,6 +192,38 @@ class AuthControllerTest extends TestCase
|
|||
$this->assertSame('', $cookies[0]->getValue());
|
||||
}
|
||||
|
||||
public function testLogoutUsesConfiguredCookieSettings(): void
|
||||
{
|
||||
$this->controller = $this->controllerWithCookieSettings(
|
||||
new AuthCookieSettings(
|
||||
secure: true,
|
||||
domain: '.example.com',
|
||||
sameSite: 'none',
|
||||
)
|
||||
);
|
||||
$this->seedStartupUser('user@example.com', 'correctpassword');
|
||||
$loginRequest = new Request([
|
||||
'email' => 'user@example.com',
|
||||
'password' => 'correctpassword',
|
||||
]);
|
||||
$this->controller->login($loginRequest);
|
||||
|
||||
$logoutRequest = new Request();
|
||||
$logoutRequest->cookies->set(
|
||||
AuthMiddleware::COOKIE_NAME,
|
||||
'session-token-1'
|
||||
);
|
||||
$response = $this->controller->logout($logoutRequest);
|
||||
|
||||
$cookies = $response->headers->getCookies();
|
||||
$this->assertCount(1, $cookies);
|
||||
$cookie = $cookies[0];
|
||||
|
||||
$this->assertTrue($cookie->isSecure());
|
||||
$this->assertSame('.example.com', $cookie->getDomain());
|
||||
$this->assertSame('none', $cookie->getSameSite());
|
||||
}
|
||||
|
||||
public function testMeReturns200WithUserWhenAuthenticated(): void
|
||||
{
|
||||
$email = 'me@example.com';
|
||||
|
|
@ -180,4 +244,26 @@ class AuthControllerTest extends TestCase
|
|||
$this->assertSame($user->getId(), $body['user']['id']);
|
||||
$this->assertSame($email, $body['user']['email']);
|
||||
}
|
||||
|
||||
private function controllerWithCookieSettings(
|
||||
AuthCookieSettings $cookieSettings,
|
||||
): AuthController {
|
||||
$authenticateUser = new AuthenticateUser(
|
||||
$this->userRepo,
|
||||
$this->hasher,
|
||||
);
|
||||
$createSession = new CreateSession(
|
||||
$this->sessionRepo,
|
||||
$this->tokenGenerator,
|
||||
$this->clock,
|
||||
);
|
||||
$logout = new Logout($this->sessionRepo);
|
||||
|
||||
return new AuthController(
|
||||
$authenticateUser,
|
||||
$createSession,
|
||||
$logout,
|
||||
$cookieSettings,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,83 @@
|
|||
<?php
|
||||
|
||||
namespace Tests\Unit\User\UseCases;
|
||||
|
||||
use App\Console\Commands\EnsureInitialAdminCommand;
|
||||
use App\Shared\ValueObject\EmailAddress;
|
||||
use App\User\InitialAdminCredentials;
|
||||
use App\User\InitialAdminCredentialsProvider;
|
||||
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdmin;
|
||||
use Illuminate\Container\Container;
|
||||
use Symfony\Component\Console\Tester\CommandTester;
|
||||
use Tests\Fakes\FakeHasher;
|
||||
use Tests\Fakes\FakeUserRepository;
|
||||
use Tests\TestCase;
|
||||
|
||||
class EnsureInitialAdminCommandTest extends TestCase
|
||||
{
|
||||
public function testCommandCreatesInitialAdminFromProvider(): void
|
||||
{
|
||||
$userRepository = new FakeUserRepository();
|
||||
$passwordHasher = new FakeHasher();
|
||||
$command = new EnsureInitialAdminCommand(
|
||||
new EnsureInitialAdmin($userRepository, $passwordHasher),
|
||||
$this->credentialsProvider(
|
||||
'admin@example.com',
|
||||
'secret-password',
|
||||
),
|
||||
);
|
||||
$command->setLaravel($this->consoleContainer());
|
||||
|
||||
$commandTester = new CommandTester($command);
|
||||
$statusCode = $commandTester->execute([]);
|
||||
|
||||
$createdUser = $userRepository->findByEmail(
|
||||
new EmailAddress('admin@example.com')
|
||||
);
|
||||
|
||||
$this->assertSame(0, $statusCode);
|
||||
$this->assertNotNull($createdUser);
|
||||
$this->assertSame(
|
||||
'hashed-secret-password',
|
||||
$createdUser->getPasswordHash(),
|
||||
);
|
||||
$this->assertStringContainsString(
|
||||
'initial admin is ready',
|
||||
$commandTester->getDisplay(),
|
||||
);
|
||||
}
|
||||
|
||||
private function credentialsProvider(
|
||||
string $email,
|
||||
string $password,
|
||||
): InitialAdminCredentialsProvider {
|
||||
return new class ($email, $password) implements
|
||||
InitialAdminCredentialsProvider
|
||||
{
|
||||
public function __construct(
|
||||
private string $email,
|
||||
private string $password,
|
||||
) {
|
||||
}
|
||||
|
||||
public function getCredentials(): InitialAdminCredentials
|
||||
{
|
||||
return new InitialAdminCredentials(
|
||||
email: $this->email,
|
||||
password: $this->password,
|
||||
);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
private function consoleContainer(): Container
|
||||
{
|
||||
return new class extends Container
|
||||
{
|
||||
public function runningUnitTests(): bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
};
|
||||
}
|
||||
}
|
||||
78
backend/tests/Unit/User/UseCases/EnsureInitialAdminTest.php
Normal file
78
backend/tests/Unit/User/UseCases/EnsureInitialAdminTest.php
Normal file
|
|
@ -0,0 +1,78 @@
|
|||
<?php
|
||||
|
||||
namespace Tests\Unit\User\UseCases;
|
||||
|
||||
use App\Auth\PasswordHasher;
|
||||
use App\Shared\ValueObject\EmailAddress;
|
||||
use App\User\CreateUserDto;
|
||||
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdmin;
|
||||
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdminRequest;
|
||||
use Tests\Fakes\FakeHasher;
|
||||
use Tests\Fakes\FakeUserRepository;
|
||||
use Tests\TestCase;
|
||||
|
||||
class EnsureInitialAdminTest extends TestCase
|
||||
{
|
||||
private FakeUserRepository $userRepository;
|
||||
|
||||
private PasswordHasher $passwordHasher;
|
||||
|
||||
private EnsureInitialAdmin $ensureInitialAdmin;
|
||||
|
||||
protected function setUp(): void
|
||||
{
|
||||
$this->userRepository = new FakeUserRepository();
|
||||
$this->passwordHasher = new FakeHasher();
|
||||
$this->ensureInitialAdmin = new EnsureInitialAdmin(
|
||||
$this->userRepository,
|
||||
$this->passwordHasher,
|
||||
);
|
||||
}
|
||||
|
||||
public function testCreatesInitialAdminWhenEmailIsMissing(): void
|
||||
{
|
||||
$this->ensureInitialAdmin->execute(
|
||||
new EnsureInitialAdminRequest(
|
||||
email: 'admin@example.com',
|
||||
password: 'secret-password',
|
||||
)
|
||||
);
|
||||
|
||||
$createdUser = $this->userRepository->findByEmail(
|
||||
new EmailAddress('admin@example.com')
|
||||
);
|
||||
|
||||
$this->assertNotNull($createdUser);
|
||||
$this->assertSame(
|
||||
'hashed-secret-password',
|
||||
$createdUser->getPasswordHash(),
|
||||
);
|
||||
}
|
||||
|
||||
public function testLeavesExistingAdminPasswordUnchanged(): void
|
||||
{
|
||||
$this->userRepository->create(
|
||||
new CreateUserDto(
|
||||
email: new EmailAddress('admin@example.com'),
|
||||
passwordHash: 'existing-password-hash',
|
||||
)
|
||||
);
|
||||
|
||||
$this->ensureInitialAdmin->execute(
|
||||
new EnsureInitialAdminRequest(
|
||||
email: 'admin@example.com',
|
||||
password: 'new-secret-password',
|
||||
)
|
||||
);
|
||||
|
||||
$existingUser = $this->userRepository->findByEmail(
|
||||
new EmailAddress('admin@example.com')
|
||||
);
|
||||
|
||||
$this->assertNotNull($existingUser);
|
||||
$this->assertSame(
|
||||
'existing-password-hash',
|
||||
$existingUser->getPasswordHash(),
|
||||
);
|
||||
}
|
||||
}
|
||||
32
flake.nix
32
flake.nix
|
|
@ -4,11 +4,32 @@
|
|||
utils.url = "github:numtide/flake-utils";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, utils }:
|
||||
utils.lib.eachDefaultSystem (system:
|
||||
outputs =
|
||||
{
|
||||
self,
|
||||
nixpkgs,
|
||||
utils,
|
||||
}:
|
||||
let
|
||||
nixosModule = import ./nix/nixos-module.nix;
|
||||
in
|
||||
utils.lib.eachDefaultSystem (
|
||||
system:
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
in {
|
||||
packages = import ./nix/packages { inherit pkgs; };
|
||||
in
|
||||
{
|
||||
inherit packages;
|
||||
|
||||
checks = {
|
||||
inherit (packages) backend frontend;
|
||||
module-eval = pkgs.callPackage ./nix/checks/module-eval.nix {
|
||||
inherit nixpkgs system;
|
||||
module = nixosModule;
|
||||
};
|
||||
};
|
||||
|
||||
devShells.default = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
onefetch
|
||||
|
|
@ -44,5 +65,8 @@
|
|||
'';
|
||||
};
|
||||
}
|
||||
);
|
||||
)
|
||||
// {
|
||||
nixosModules.default = nixosModule;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
37
nix/checks/module-eval.nix
Normal file
37
nix/checks/module-eval.nix
Normal file
|
|
@ -0,0 +1,37 @@
|
|||
{
|
||||
lib,
|
||||
nixpkgs,
|
||||
module,
|
||||
pkgs,
|
||||
system,
|
||||
}:
|
||||
|
||||
let
|
||||
evaluatedHostName =
|
||||
(nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [
|
||||
module
|
||||
{
|
||||
system.stateVersion = "26.05";
|
||||
|
||||
services.rabbi-gerzi = {
|
||||
enable = true;
|
||||
frontend.hostName = "www.example.test";
|
||||
backend = {
|
||||
hostName = "api.example.test";
|
||||
environmentFile = "/run/secrets/rabbi-gerzi.env";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
}).config.services.rabbi-gerzi.backend.hostName;
|
||||
in
|
||||
pkgs.runCommand "rabbi-gerzi-module-eval"
|
||||
{
|
||||
value = evaluatedHostName;
|
||||
preferLocalBuild = true;
|
||||
}
|
||||
''
|
||||
echo "$value" > $out
|
||||
''
|
||||
349
nix/nixos-module.nix
Normal file
349
nix/nixos-module.nix
Normal file
|
|
@ -0,0 +1,349 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
cfg = config.services.rabbi-gerzi;
|
||||
|
||||
backendPackage = cfg.backend.package;
|
||||
frontendPackage = cfg.frontend.package;
|
||||
appDir = "${backendPackage}/share/php/rabbi-gerzi-backend";
|
||||
phpPackage = backendPackage.passthru.php;
|
||||
poolName = "rabbi-gerzi";
|
||||
storagePath = "${cfg.stateDir}/storage";
|
||||
cachePath = "${cfg.cacheDir}/bootstrap-cache";
|
||||
setupService = "rabbi-gerzi-setup";
|
||||
phpfpmService = "phpfpm-${poolName}";
|
||||
|
||||
appEnvironment = {
|
||||
APP_ENV = "production";
|
||||
APP_DEBUG = "false";
|
||||
APP_URL = cfg.backend.publicUrl;
|
||||
APP_CONFIG_CACHE = "${cachePath}/config.php";
|
||||
APP_EVENTS_CACHE = "${cachePath}/events.php";
|
||||
APP_PACKAGES_CACHE = "${cachePath}/packages.php";
|
||||
APP_ROUTES_CACHE = "${cachePath}/routes.php";
|
||||
APP_SERVICES_CACHE = "${cachePath}/services.php";
|
||||
CACHE_STORE = "file";
|
||||
CORS_ALLOWED_ORIGINS = lib.concatStringsSep "," cfg.backend.corsAllowedOrigins;
|
||||
DB_CONNECTION = "pgsql";
|
||||
DB_DATABASE = cfg.database.name;
|
||||
DB_HOST = "/run/postgresql";
|
||||
DB_PASSWORD = "";
|
||||
DB_PORT = "5432";
|
||||
DB_USERNAME = cfg.database.user;
|
||||
FILESYSTEM_DISK = "public";
|
||||
LARAVEL_STORAGE_PATH = storagePath;
|
||||
LOG_CHANNEL = "single";
|
||||
MAIL_MAILER = "log";
|
||||
QUEUE_CONNECTION = "sync";
|
||||
SESSION_DRIVER = "database";
|
||||
SESSION_DOMAIN = cfg.backend.cookieDomain;
|
||||
SESSION_SAME_SITE = cfg.backend.cookieSameSite;
|
||||
SESSION_SECURE_COOKIE = lib.boolToString cfg.backend.cookieSecure;
|
||||
};
|
||||
|
||||
fpmEnvironment = appEnvironment // {
|
||||
APP_KEY = "$APP_KEY";
|
||||
};
|
||||
|
||||
artisan = "${phpPackage}/bin/php ${appDir}/artisan";
|
||||
|
||||
makeDirectoryRule = path: "d ${path} 0750 ${cfg.user} ${cfg.group} - -";
|
||||
in
|
||||
{
|
||||
options.services.rabbi-gerzi = {
|
||||
enable = lib.mkEnableOption "the Rabbi Gerzi application";
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "rabbi-gerzi";
|
||||
description = "User used to run the Rabbi Gerzi backend.";
|
||||
};
|
||||
|
||||
group = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "rabbi-gerzi";
|
||||
description = "Group used to run the Rabbi Gerzi backend.";
|
||||
};
|
||||
|
||||
stateDir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/rabbi-gerzi";
|
||||
description = "Writable state directory for uploads and storage.";
|
||||
};
|
||||
|
||||
cacheDir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/cache/rabbi-gerzi";
|
||||
description = "Writable cache directory for Laravel cache files.";
|
||||
};
|
||||
|
||||
database = {
|
||||
name = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = cfg.user;
|
||||
description = "PostgreSQL database name.";
|
||||
};
|
||||
|
||||
user = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = cfg.user;
|
||||
description = "PostgreSQL database user.";
|
||||
};
|
||||
};
|
||||
|
||||
frontend = {
|
||||
hostName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Frontend nginx virtual host name.";
|
||||
};
|
||||
|
||||
publicUrl = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "https://${cfg.frontend.hostName}";
|
||||
description = "Public frontend origin.";
|
||||
};
|
||||
|
||||
apiBaseUrl = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = cfg.backend.publicUrl;
|
||||
description = "API origin baked into the frontend build.";
|
||||
};
|
||||
|
||||
package = lib.mkOption {
|
||||
type = lib.types.package;
|
||||
default = pkgs.callPackage ./packages/frontend.nix {
|
||||
inherit (cfg.frontend) apiBaseUrl;
|
||||
};
|
||||
description = "Frontend package to serve.";
|
||||
};
|
||||
|
||||
nginx = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
default = { };
|
||||
description = "Extra nginx virtual host options for the frontend.";
|
||||
};
|
||||
};
|
||||
|
||||
backend = {
|
||||
hostName = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "Backend nginx virtual host name.";
|
||||
};
|
||||
|
||||
publicUrl = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "https://${cfg.backend.hostName}";
|
||||
description = "Public backend origin.";
|
||||
};
|
||||
|
||||
environmentFile = lib.mkOption {
|
||||
type = lib.types.nullOr lib.types.str;
|
||||
default = null;
|
||||
description = "Runtime dotenv file containing APP_KEY and admin secrets.";
|
||||
};
|
||||
|
||||
package = lib.mkOption {
|
||||
type = lib.types.package;
|
||||
default = pkgs.callPackage ./packages/backend.nix { };
|
||||
description = "Backend package to run.";
|
||||
};
|
||||
|
||||
corsAllowedOrigins = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
default = [ cfg.frontend.publicUrl ];
|
||||
description = "Allowed CORS origins for the backend API.";
|
||||
};
|
||||
|
||||
cookieSecure = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "Whether auth cookies require HTTPS.";
|
||||
};
|
||||
|
||||
cookieDomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = "Auth cookie domain. Empty means host-only cookies.";
|
||||
};
|
||||
|
||||
cookieSameSite = lib.mkOption {
|
||||
type = lib.types.enum [
|
||||
"lax"
|
||||
"none"
|
||||
"strict"
|
||||
];
|
||||
default = "none";
|
||||
description = "SameSite value for auth cookies.";
|
||||
};
|
||||
|
||||
nginx = lib.mkOption {
|
||||
type = lib.types.attrs;
|
||||
default = { };
|
||||
description = "Extra nginx virtual host options for the backend.";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
assertions = [
|
||||
{
|
||||
assertion = cfg.backend.environmentFile != null;
|
||||
message = "services.rabbi-gerzi.backend.environmentFile is required.";
|
||||
}
|
||||
{
|
||||
assertion = cfg.backend.cookieSameSite != "none" || cfg.backend.cookieSecure;
|
||||
message = "SameSite=None auth cookies require cookieSecure = true.";
|
||||
}
|
||||
{
|
||||
assertion = cfg.database.name == cfg.database.user;
|
||||
message = "Managed PostgreSQL database and user names must match.";
|
||||
}
|
||||
];
|
||||
|
||||
users.groups.${cfg.group} = { };
|
||||
users.users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
group = cfg.group;
|
||||
home = cfg.stateDir;
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ cfg.database.name ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = cfg.database.user;
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = map makeDirectoryRule [
|
||||
cfg.stateDir
|
||||
cfg.cacheDir
|
||||
storagePath
|
||||
"${storagePath}/app"
|
||||
"${storagePath}/app/private"
|
||||
"${storagePath}/app/public"
|
||||
"${storagePath}/framework"
|
||||
"${storagePath}/framework/cache"
|
||||
"${storagePath}/framework/cache/data"
|
||||
"${storagePath}/framework/sessions"
|
||||
"${storagePath}/framework/views"
|
||||
"${storagePath}/logs"
|
||||
cachePath
|
||||
];
|
||||
|
||||
services.phpfpm.pools.${poolName} = {
|
||||
inherit (cfg) user group;
|
||||
inherit phpPackage;
|
||||
phpEnv = fpmEnvironment;
|
||||
settings = {
|
||||
"catch_workers_output" = true;
|
||||
"clear_env" = "no";
|
||||
"listen.group" = config.services.nginx.group;
|
||||
"listen.mode" = "0660";
|
||||
"listen.owner" = cfg.user;
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = 16;
|
||||
"pm.max_requests" = 500;
|
||||
"pm.max_spare_servers" = 4;
|
||||
"pm.min_spare_servers" = 1;
|
||||
"pm.start_servers" = 2;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.${setupService} = {
|
||||
description = "Prepare Rabbi Gerzi backend";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
before = [ "${phpfpmService}.service" ];
|
||||
after = [ "postgresql.service" ];
|
||||
requires = [ "postgresql.service" ];
|
||||
path = [ phpPackage ];
|
||||
environment = appEnvironment;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
UMask = "0077";
|
||||
WorkingDirectory = appDir;
|
||||
EnvironmentFile = cfg.backend.environmentFile;
|
||||
ReadWritePaths = [
|
||||
cfg.stateDir
|
||||
cfg.cacheDir
|
||||
];
|
||||
};
|
||||
script = ''
|
||||
${artisan} migrate --force
|
||||
${artisan} rabbi-gerzi:ensure-initial-admin
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.${phpfpmService} = {
|
||||
after = [ "${setupService}.service" ];
|
||||
requires = [ "${setupService}.service" ];
|
||||
serviceConfig = {
|
||||
EnvironmentFile = cfg.backend.environmentFile;
|
||||
ReadWritePaths = [
|
||||
cfg.stateDir
|
||||
cfg.cacheDir
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = lib.mkDefault true;
|
||||
recommendedGzipSettings = lib.mkDefault true;
|
||||
recommendedOptimisation = lib.mkDefault true;
|
||||
recommendedProxySettings = lib.mkDefault true;
|
||||
recommendedTlsSettings = lib.mkDefault true;
|
||||
|
||||
virtualHosts = {
|
||||
${cfg.frontend.hostName} = lib.mkMerge [
|
||||
cfg.frontend.nginx
|
||||
{
|
||||
root = "${frontendPackage}";
|
||||
locations."/" = {
|
||||
tryFiles = "$uri $uri/ /index.html";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
${cfg.backend.hostName} = lib.mkMerge [
|
||||
cfg.backend.nginx
|
||||
{
|
||||
root = "${appDir}/public";
|
||||
locations = {
|
||||
"/" = {
|
||||
index = "index.php";
|
||||
tryFiles = "$uri $uri/ /index.php?$query_string";
|
||||
};
|
||||
|
||||
"/storage/" = {
|
||||
alias = "${storagePath}/app/public/";
|
||||
extraConfig = ''
|
||||
expires 30d;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
|
||||
"~ \\.php$" = {
|
||||
extraConfig = ''
|
||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_pass unix:${config.services.phpfpm.pools.${poolName}.socket};
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
55
nix/packages/backend.nix
Normal file
55
nix/packages/backend.nix
Normal file
|
|
@ -0,0 +1,55 @@
|
|||
{
|
||||
lib,
|
||||
makeWrapper,
|
||||
php,
|
||||
}:
|
||||
|
||||
let
|
||||
phpPackage = php.withExtensions (
|
||||
{ enabled, all }:
|
||||
enabled
|
||||
++ [
|
||||
all.pdo_pgsql
|
||||
]
|
||||
);
|
||||
in
|
||||
phpPackage.buildComposerProject2 (finalAttrs: {
|
||||
pname = "rabbi-gerzi-backend";
|
||||
version = "0.0.0";
|
||||
|
||||
src = lib.cleanSourceWith {
|
||||
src = ../../backend;
|
||||
filter =
|
||||
path: type:
|
||||
let
|
||||
relativePath = lib.removePrefix (toString ../../backend + "/") (toString path);
|
||||
in
|
||||
!(
|
||||
lib.hasPrefix ".env" relativePath
|
||||
|| lib.hasPrefix "vendor/" relativePath
|
||||
|| lib.hasPrefix ".phpunit" relativePath
|
||||
|| lib.hasPrefix "storage/logs/" relativePath
|
||||
|| lib.hasPrefix "storage/framework/views/" relativePath
|
||||
|| lib.hasSuffix "~" relativePath
|
||||
);
|
||||
};
|
||||
|
||||
php = phpPackage;
|
||||
nativeBuildInputs = [ makeWrapper ];
|
||||
vendorHash = "sha256-EhBxKo3qjEuVTlxK/F+vx6ZBGbApBjcgOK8+3u8UiNk=";
|
||||
|
||||
postInstall = ''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper ${phpPackage}/bin/php $out/bin/rabbi-gerzi-artisan \
|
||||
--add-flags "$out/share/php/${finalAttrs.pname}/artisan"
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
php = phpPackage;
|
||||
};
|
||||
|
||||
meta = {
|
||||
description = "Rabbi Gerzi Laravel backend";
|
||||
mainProgram = "rabbi-gerzi-artisan";
|
||||
};
|
||||
})
|
||||
7
nix/packages/default.nix
Normal file
7
nix/packages/default.nix
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
{ pkgs }:
|
||||
|
||||
rec {
|
||||
backend = pkgs.callPackage ./backend.nix { };
|
||||
frontend = pkgs.callPackage ./frontend.nix { };
|
||||
default = frontend;
|
||||
}
|
||||
46
nix/packages/frontend.nix
Normal file
46
nix/packages/frontend.nix
Normal file
|
|
@ -0,0 +1,46 @@
|
|||
{
|
||||
buildNpmPackage,
|
||||
lib,
|
||||
apiBaseUrl ? "",
|
||||
}:
|
||||
|
||||
buildNpmPackage {
|
||||
pname = "rabbi-gerzi-frontend";
|
||||
version = "0.0.0";
|
||||
|
||||
src = lib.cleanSourceWith {
|
||||
src = ../../frontend/rabbi_gerzi;
|
||||
filter =
|
||||
path: type:
|
||||
let
|
||||
relativePath = lib.removePrefix (toString ../../frontend/rabbi_gerzi + "/") (toString path);
|
||||
in
|
||||
!(
|
||||
lib.hasPrefix ".env" relativePath
|
||||
|| lib.hasPrefix "node_modules/" relativePath
|
||||
|| lib.hasPrefix "dist/" relativePath
|
||||
|| lib.hasPrefix "coverage/" relativePath
|
||||
|| lib.hasSuffix ".tsbuildinfo" relativePath
|
||||
|| lib.hasSuffix ".timestamp-" relativePath
|
||||
);
|
||||
};
|
||||
|
||||
npmDepsHash = "sha256-SF6YRzLySEkYAnwr5YYsftyvwbohtHQo0UpelHmJ7CY=";
|
||||
npmFlags = [ "--legacy-peer-deps" ];
|
||||
|
||||
CYPRESS_INSTALL_BINARY = "0";
|
||||
VITE_API_BASE_URL = apiBaseUrl;
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir -p $out
|
||||
cp -R dist/* $out/
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = {
|
||||
description = "Rabbi Gerzi Vue frontend";
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue