Compare commits

...

8 commits

19 changed files with 996 additions and 10 deletions

View file

@ -0,0 +1,28 @@
<?php
namespace App\Auth;
class AuthCookieSettings
{
public function __construct(
private bool $secure,
private ?string $domain,
private string $sameSite,
) {
}
public function isSecure(): bool
{
return $this->secure;
}
public function getDomain(): ?string
{
return $this->domain;
}
public function getSameSite(): string
{
return $this->sameSite;
}
}

View file

@ -0,0 +1,36 @@
<?php
namespace App\Console\Commands;
use App\User\InitialAdminCredentialsProvider;
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdmin;
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdminRequest;
use Illuminate\Console\Command;
class EnsureInitialAdminCommand extends Command
{
protected $signature = 'rabbi-gerzi:ensure-initial-admin';
protected $description = 'Create the configured initial admin if missing';
public function __construct(
private EnsureInitialAdmin $ensureInitialAdmin,
private InitialAdminCredentialsProvider $credentialsProvider,
) {
parent::__construct();
}
public function handle(): int
{
$credentials = $this->credentialsProvider->getCredentials();
$this->ensureInitialAdmin->execute(new EnsureInitialAdminRequest(
email: $credentials->getEmail(),
password: $credentials->getPassword(),
));
$this->info('initial admin is ready');
return self::SUCCESS;
}
}

View file

@ -2,6 +2,7 @@
namespace App\Controllers; namespace App\Controllers;
use App\Auth\AuthCookieSettings;
use App\Auth\UseCases\AuthenticateUser\AuthenticateUser; use App\Auth\UseCases\AuthenticateUser\AuthenticateUser;
use App\Auth\UseCases\AuthenticateUser\AuthenticateUserRequest; use App\Auth\UseCases\AuthenticateUser\AuthenticateUserRequest;
use App\Auth\UseCases\CreateSession\CreateSession; use App\Auth\UseCases\CreateSession\CreateSession;
@ -20,6 +21,7 @@ class AuthController
private AuthenticateUser $authenticateUser, private AuthenticateUser $authenticateUser,
private CreateSession $createSession, private CreateSession $createSession,
private Logout $logout, private Logout $logout,
private AuthCookieSettings $cookieSettings,
) { ) {
} }
@ -55,11 +57,11 @@ class AuthController
value: $session->getToken(), value: $session->getToken(),
expire: $session->getExpiresAt()->getTimestamp(), expire: $session->getExpiresAt()->getTimestamp(),
path: '/', path: '/',
domain: null, domain: $this->cookieSettings->getDomain(),
secure: false, secure: $this->cookieSettings->isSecure(),
httpOnly: true, httpOnly: true,
raw: false, raw: false,
sameSite: Cookie::SAMESITE_LAX, sameSite: $this->cookieSettings->getSameSite(),
)); ));
} }
@ -98,11 +100,11 @@ class AuthController
value: '', value: '',
expire: 1, expire: 1,
path: '/', path: '/',
domain: null, domain: $this->cookieSettings->getDomain(),
secure: false, secure: $this->cookieSettings->isSecure(),
httpOnly: true, httpOnly: true,
raw: false, raw: false,
sameSite: Cookie::SAMESITE_LAX, sameSite: $this->cookieSettings->getSameSite(),
)); ));
} }
} }

View file

@ -2,6 +2,7 @@
namespace App\Providers; namespace App\Providers;
use App\Auth\AuthCookieSettings;
use App\Auth\BcryptPasswordHasher; use App\Auth\BcryptPasswordHasher;
use App\Auth\Clock; use App\Auth\Clock;
use App\Auth\PasswordHasher; use App\Auth\PasswordHasher;
@ -10,6 +11,8 @@ use App\Auth\SystemClock;
use App\Auth\TokenGenerator; use App\Auth\TokenGenerator;
use App\Shared\Files\Filesystem; use App\Shared\Files\Filesystem;
use App\Shared\Files\LaravelFilesystem; use App\Shared\Files\LaravelFilesystem;
use App\User\EnvironmentInitialAdminCredentialsProvider;
use App\User\InitialAdminCredentialsProvider;
use Illuminate\Support\ServiceProvider; use Illuminate\Support\ServiceProvider;
class AppServiceProvider extends ServiceProvider class AppServiceProvider extends ServiceProvider
@ -32,5 +35,49 @@ class AppServiceProvider extends ServiceProvider
Filesystem::class, Filesystem::class,
LaravelFilesystem::class, LaravelFilesystem::class,
); );
$this->app->bind(
InitialAdminCredentialsProvider::class,
EnvironmentInitialAdminCredentialsProvider::class,
);
$this->app->bind(
AuthCookieSettings::class,
function (): AuthCookieSettings {
$secureCookie = config('session.secure');
$sessionDomain = config('session.domain');
$sameSite = config('session.same_site');
return new AuthCookieSettings(
secure: $this->booleanConfig($secureCookie),
domain: $this->nullableStringConfig($sessionDomain),
sameSite: is_string($sameSite) ? $sameSite : 'lax',
);
}
);
}
private function booleanConfig(mixed $value): bool
{
if (is_bool($value)) {
return $value;
}
if (is_int($value)) {
return $value === 1;
}
if (is_string($value)) {
return in_array(strtolower($value), ['1', 'true'], true);
}
return false;
}
private function nullableStringConfig(mixed $value): ?string
{
if (! is_string($value) || trim($value) === '') {
return null;
}
return $value;
} }
} }

View file

@ -0,0 +1,31 @@
<?php
namespace App\User;
use RuntimeException;
class EnvironmentInitialAdminCredentialsProvider implements
InitialAdminCredentialsProvider
{
public function getCredentials(): InitialAdminCredentials
{
return new InitialAdminCredentials(
email: $this->requiredEnvironmentValue(
'RABBI_GERZI_INITIAL_ADMIN_EMAIL',
),
password: $this->requiredEnvironmentValue(
'RABBI_GERZI_INITIAL_ADMIN_PASSWORD',
),
);
}
private function requiredEnvironmentValue(string $key): string
{
$value = getenv($key);
if (! is_string($value) || trim($value) === '') {
throw new RuntimeException("$key is required");
}
return $value;
}
}

View file

@ -0,0 +1,22 @@
<?php
namespace App\User;
class InitialAdminCredentials
{
public function __construct(
private string $email,
private string $password,
) {
}
public function getEmail(): string
{
return $this->email;
}
public function getPassword(): string
{
return $this->password;
}
}

View file

@ -0,0 +1,8 @@
<?php
namespace App\User;
interface InitialAdminCredentialsProvider
{
public function getCredentials(): InitialAdminCredentials;
}

View file

@ -0,0 +1,31 @@
<?php
namespace App\User\UseCases\EnsureInitialAdmin;
use App\Auth\PasswordHasher;
use App\Shared\ValueObject\EmailAddress;
use App\User\CreateUserDto;
use App\User\UserRepository;
class EnsureInitialAdmin
{
public function __construct(
private UserRepository $userRepository,
private PasswordHasher $passwordHasher,
) {
}
public function execute(EnsureInitialAdminRequest $request): void
{
$email = new EmailAddress($request->email);
$existingUser = $this->userRepository->findByEmail($email);
if ($existingUser !== null) {
return;
}
$this->userRepository->create(new CreateUserDto(
email: $email,
passwordHash: $this->passwordHasher->hash($request->password),
));
}
}

View file

@ -0,0 +1,12 @@
<?php
namespace App\User\UseCases\EnsureInitialAdmin;
class EnsureInitialAdminRequest
{
public function __construct(
public string $email,
public string $password,
) {
}
}

View file

@ -1,5 +1,6 @@
<?php <?php
use App\Console\Commands\EnsureInitialAdminCommand;
use Illuminate\Foundation\Application; use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions; use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware; use Illuminate\Foundation\Configuration\Middleware;
@ -10,6 +11,9 @@ return Application::configure(basePath: dirname(__DIR__))
commands: __DIR__ . '/../routes/console.php', commands: __DIR__ . '/../routes/console.php',
health: '/up', health: '/up',
) )
->withCommands([
EnsureInitialAdminCommand::class,
])
->withMiddleware(function (Middleware $middleware): void { ->withMiddleware(function (Middleware $middleware): void {
// //
}) })

View file

@ -2,6 +2,7 @@
namespace Tests\Unit\Controllers; namespace Tests\Unit\Controllers;
use App\Auth\AuthCookieSettings;
use App\Auth\UseCases\AuthenticateUser\AuthenticateUser; use App\Auth\UseCases\AuthenticateUser\AuthenticateUser;
use App\Auth\UseCases\CreateSession\CreateSession; use App\Auth\UseCases\CreateSession\CreateSession;
use App\Auth\UseCases\Logout\Logout; use App\Auth\UseCases\Logout\Logout;
@ -60,6 +61,11 @@ class AuthControllerTest extends TestCase
$authenticateUser, $authenticateUser,
$createSession, $createSession,
$logout, $logout,
new AuthCookieSettings(
secure: false,
domain: null,
sameSite: 'lax',
),
); );
} }
@ -104,6 +110,32 @@ class AuthControllerTest extends TestCase
); );
} }
public function testLoginUsesConfiguredCookieSettings(): void
{
$this->controller = $this->controllerWithCookieSettings(
new AuthCookieSettings(
secure: true,
domain: '.example.com',
sameSite: 'none',
)
);
$this->seedStartupUser('user@example.com', 'password');
$request = new Request([
'email' => 'user@example.com',
'password' => 'password',
]);
$response = $this->controller->login($request);
$cookies = $response->headers->getCookies();
$this->assertCount(1, $cookies);
$cookie = $cookies[0];
$this->assertTrue($cookie->isSecure());
$this->assertSame('.example.com', $cookie->getDomain());
$this->assertSame('none', $cookie->getSameSite());
}
public function testLoginReturns400WhenEmailMissing(): void public function testLoginReturns400WhenEmailMissing(): void
{ {
$request = new Request(['password' => 'correctpassword']); $request = new Request(['password' => 'correctpassword']);
@ -160,6 +192,38 @@ class AuthControllerTest extends TestCase
$this->assertSame('', $cookies[0]->getValue()); $this->assertSame('', $cookies[0]->getValue());
} }
public function testLogoutUsesConfiguredCookieSettings(): void
{
$this->controller = $this->controllerWithCookieSettings(
new AuthCookieSettings(
secure: true,
domain: '.example.com',
sameSite: 'none',
)
);
$this->seedStartupUser('user@example.com', 'correctpassword');
$loginRequest = new Request([
'email' => 'user@example.com',
'password' => 'correctpassword',
]);
$this->controller->login($loginRequest);
$logoutRequest = new Request();
$logoutRequest->cookies->set(
AuthMiddleware::COOKIE_NAME,
'session-token-1'
);
$response = $this->controller->logout($logoutRequest);
$cookies = $response->headers->getCookies();
$this->assertCount(1, $cookies);
$cookie = $cookies[0];
$this->assertTrue($cookie->isSecure());
$this->assertSame('.example.com', $cookie->getDomain());
$this->assertSame('none', $cookie->getSameSite());
}
public function testMeReturns200WithUserWhenAuthenticated(): void public function testMeReturns200WithUserWhenAuthenticated(): void
{ {
$email = 'me@example.com'; $email = 'me@example.com';
@ -180,4 +244,26 @@ class AuthControllerTest extends TestCase
$this->assertSame($user->getId(), $body['user']['id']); $this->assertSame($user->getId(), $body['user']['id']);
$this->assertSame($email, $body['user']['email']); $this->assertSame($email, $body['user']['email']);
} }
private function controllerWithCookieSettings(
AuthCookieSettings $cookieSettings,
): AuthController {
$authenticateUser = new AuthenticateUser(
$this->userRepo,
$this->hasher,
);
$createSession = new CreateSession(
$this->sessionRepo,
$this->tokenGenerator,
$this->clock,
);
$logout = new Logout($this->sessionRepo);
return new AuthController(
$authenticateUser,
$createSession,
$logout,
$cookieSettings,
);
}
} }

View file

@ -0,0 +1,83 @@
<?php
namespace Tests\Unit\User\UseCases;
use App\Console\Commands\EnsureInitialAdminCommand;
use App\Shared\ValueObject\EmailAddress;
use App\User\InitialAdminCredentials;
use App\User\InitialAdminCredentialsProvider;
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdmin;
use Illuminate\Container\Container;
use Symfony\Component\Console\Tester\CommandTester;
use Tests\Fakes\FakeHasher;
use Tests\Fakes\FakeUserRepository;
use Tests\TestCase;
class EnsureInitialAdminCommandTest extends TestCase
{
public function testCommandCreatesInitialAdminFromProvider(): void
{
$userRepository = new FakeUserRepository();
$passwordHasher = new FakeHasher();
$command = new EnsureInitialAdminCommand(
new EnsureInitialAdmin($userRepository, $passwordHasher),
$this->credentialsProvider(
'admin@example.com',
'secret-password',
),
);
$command->setLaravel($this->consoleContainer());
$commandTester = new CommandTester($command);
$statusCode = $commandTester->execute([]);
$createdUser = $userRepository->findByEmail(
new EmailAddress('admin@example.com')
);
$this->assertSame(0, $statusCode);
$this->assertNotNull($createdUser);
$this->assertSame(
'hashed-secret-password',
$createdUser->getPasswordHash(),
);
$this->assertStringContainsString(
'initial admin is ready',
$commandTester->getDisplay(),
);
}
private function credentialsProvider(
string $email,
string $password,
): InitialAdminCredentialsProvider {
return new class ($email, $password) implements
InitialAdminCredentialsProvider
{
public function __construct(
private string $email,
private string $password,
) {
}
public function getCredentials(): InitialAdminCredentials
{
return new InitialAdminCredentials(
email: $this->email,
password: $this->password,
);
}
};
}
private function consoleContainer(): Container
{
return new class extends Container
{
public function runningUnitTests(): bool
{
return true;
}
};
}
}

View file

@ -0,0 +1,78 @@
<?php
namespace Tests\Unit\User\UseCases;
use App\Auth\PasswordHasher;
use App\Shared\ValueObject\EmailAddress;
use App\User\CreateUserDto;
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdmin;
use App\User\UseCases\EnsureInitialAdmin\EnsureInitialAdminRequest;
use Tests\Fakes\FakeHasher;
use Tests\Fakes\FakeUserRepository;
use Tests\TestCase;
class EnsureInitialAdminTest extends TestCase
{
private FakeUserRepository $userRepository;
private PasswordHasher $passwordHasher;
private EnsureInitialAdmin $ensureInitialAdmin;
protected function setUp(): void
{
$this->userRepository = new FakeUserRepository();
$this->passwordHasher = new FakeHasher();
$this->ensureInitialAdmin = new EnsureInitialAdmin(
$this->userRepository,
$this->passwordHasher,
);
}
public function testCreatesInitialAdminWhenEmailIsMissing(): void
{
$this->ensureInitialAdmin->execute(
new EnsureInitialAdminRequest(
email: 'admin@example.com',
password: 'secret-password',
)
);
$createdUser = $this->userRepository->findByEmail(
new EmailAddress('admin@example.com')
);
$this->assertNotNull($createdUser);
$this->assertSame(
'hashed-secret-password',
$createdUser->getPasswordHash(),
);
}
public function testLeavesExistingAdminPasswordUnchanged(): void
{
$this->userRepository->create(
new CreateUserDto(
email: new EmailAddress('admin@example.com'),
passwordHash: 'existing-password-hash',
)
);
$this->ensureInitialAdmin->execute(
new EnsureInitialAdminRequest(
email: 'admin@example.com',
password: 'new-secret-password',
)
);
$existingUser = $this->userRepository->findByEmail(
new EmailAddress('admin@example.com')
);
$this->assertNotNull($existingUser);
$this->assertSame(
'existing-password-hash',
$existingUser->getPasswordHash(),
);
}
}

View file

@ -4,11 +4,32 @@
utils.url = "github:numtide/flake-utils"; utils.url = "github:numtide/flake-utils";
}; };
outputs = { self, nixpkgs, utils }: outputs =
utils.lib.eachDefaultSystem (system: {
self,
nixpkgs,
utils,
}:
let
nixosModule = import ./nix/nixos-module.nix;
in
utils.lib.eachDefaultSystem (
system:
let let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
in { packages = import ./nix/packages { inherit pkgs; };
in
{
inherit packages;
checks = {
inherit (packages) backend frontend;
module-eval = pkgs.callPackage ./nix/checks/module-eval.nix {
inherit nixpkgs system;
module = nixosModule;
};
};
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
onefetch onefetch
@ -44,5 +65,8 @@
''; '';
}; };
} }
); )
// {
nixosModules.default = nixosModule;
};
} }

View file

@ -0,0 +1,37 @@
{
lib,
nixpkgs,
module,
pkgs,
system,
}:
let
evaluatedHostName =
(nixpkgs.lib.nixosSystem {
inherit system;
modules = [
module
{
system.stateVersion = "26.05";
services.rabbi-gerzi = {
enable = true;
frontend.hostName = "www.example.test";
backend = {
hostName = "api.example.test";
environmentFile = "/run/secrets/rabbi-gerzi.env";
};
};
}
];
}).config.services.rabbi-gerzi.backend.hostName;
in
pkgs.runCommand "rabbi-gerzi-module-eval"
{
value = evaluatedHostName;
preferLocalBuild = true;
}
''
echo "$value" > $out
''

349
nix/nixos-module.nix Normal file
View file

@ -0,0 +1,349 @@
{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.rabbi-gerzi;
backendPackage = cfg.backend.package;
frontendPackage = cfg.frontend.package;
appDir = "${backendPackage}/share/php/rabbi-gerzi-backend";
phpPackage = backendPackage.passthru.php;
poolName = "rabbi-gerzi";
storagePath = "${cfg.stateDir}/storage";
cachePath = "${cfg.cacheDir}/bootstrap-cache";
setupService = "rabbi-gerzi-setup";
phpfpmService = "phpfpm-${poolName}";
appEnvironment = {
APP_ENV = "production";
APP_DEBUG = "false";
APP_URL = cfg.backend.publicUrl;
APP_CONFIG_CACHE = "${cachePath}/config.php";
APP_EVENTS_CACHE = "${cachePath}/events.php";
APP_PACKAGES_CACHE = "${cachePath}/packages.php";
APP_ROUTES_CACHE = "${cachePath}/routes.php";
APP_SERVICES_CACHE = "${cachePath}/services.php";
CACHE_STORE = "file";
CORS_ALLOWED_ORIGINS = lib.concatStringsSep "," cfg.backend.corsAllowedOrigins;
DB_CONNECTION = "pgsql";
DB_DATABASE = cfg.database.name;
DB_HOST = "/run/postgresql";
DB_PASSWORD = "";
DB_PORT = "5432";
DB_USERNAME = cfg.database.user;
FILESYSTEM_DISK = "public";
LARAVEL_STORAGE_PATH = storagePath;
LOG_CHANNEL = "single";
MAIL_MAILER = "log";
QUEUE_CONNECTION = "sync";
SESSION_DRIVER = "database";
SESSION_DOMAIN = cfg.backend.cookieDomain;
SESSION_SAME_SITE = cfg.backend.cookieSameSite;
SESSION_SECURE_COOKIE = lib.boolToString cfg.backend.cookieSecure;
};
fpmEnvironment = appEnvironment // {
APP_KEY = "$APP_KEY";
};
artisan = "${phpPackage}/bin/php ${appDir}/artisan";
makeDirectoryRule = path: "d ${path} 0750 ${cfg.user} ${cfg.group} - -";
in
{
options.services.rabbi-gerzi = {
enable = lib.mkEnableOption "the Rabbi Gerzi application";
user = lib.mkOption {
type = lib.types.str;
default = "rabbi-gerzi";
description = "User used to run the Rabbi Gerzi backend.";
};
group = lib.mkOption {
type = lib.types.str;
default = "rabbi-gerzi";
description = "Group used to run the Rabbi Gerzi backend.";
};
stateDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/rabbi-gerzi";
description = "Writable state directory for uploads and storage.";
};
cacheDir = lib.mkOption {
type = lib.types.str;
default = "/var/cache/rabbi-gerzi";
description = "Writable cache directory for Laravel cache files.";
};
database = {
name = lib.mkOption {
type = lib.types.str;
default = cfg.user;
description = "PostgreSQL database name.";
};
user = lib.mkOption {
type = lib.types.str;
default = cfg.user;
description = "PostgreSQL database user.";
};
};
frontend = {
hostName = lib.mkOption {
type = lib.types.str;
description = "Frontend nginx virtual host name.";
};
publicUrl = lib.mkOption {
type = lib.types.str;
default = "https://${cfg.frontend.hostName}";
description = "Public frontend origin.";
};
apiBaseUrl = lib.mkOption {
type = lib.types.str;
default = cfg.backend.publicUrl;
description = "API origin baked into the frontend build.";
};
package = lib.mkOption {
type = lib.types.package;
default = pkgs.callPackage ./packages/frontend.nix {
inherit (cfg.frontend) apiBaseUrl;
};
description = "Frontend package to serve.";
};
nginx = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "Extra nginx virtual host options for the frontend.";
};
};
backend = {
hostName = lib.mkOption {
type = lib.types.str;
description = "Backend nginx virtual host name.";
};
publicUrl = lib.mkOption {
type = lib.types.str;
default = "https://${cfg.backend.hostName}";
description = "Public backend origin.";
};
environmentFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Runtime dotenv file containing APP_KEY and admin secrets.";
};
package = lib.mkOption {
type = lib.types.package;
default = pkgs.callPackage ./packages/backend.nix { };
description = "Backend package to run.";
};
corsAllowedOrigins = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ cfg.frontend.publicUrl ];
description = "Allowed CORS origins for the backend API.";
};
cookieSecure = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether auth cookies require HTTPS.";
};
cookieDomain = lib.mkOption {
type = lib.types.str;
default = "";
description = "Auth cookie domain. Empty means host-only cookies.";
};
cookieSameSite = lib.mkOption {
type = lib.types.enum [
"lax"
"none"
"strict"
];
default = "none";
description = "SameSite value for auth cookies.";
};
nginx = lib.mkOption {
type = lib.types.attrs;
default = { };
description = "Extra nginx virtual host options for the backend.";
};
};
};
config = lib.mkIf cfg.enable {
assertions = [
{
assertion = cfg.backend.environmentFile != null;
message = "services.rabbi-gerzi.backend.environmentFile is required.";
}
{
assertion = cfg.backend.cookieSameSite != "none" || cfg.backend.cookieSecure;
message = "SameSite=None auth cookies require cookieSecure = true.";
}
{
assertion = cfg.database.name == cfg.database.user;
message = "Managed PostgreSQL database and user names must match.";
}
];
users.groups.${cfg.group} = { };
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.stateDir;
};
services.postgresql = {
enable = true;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{
name = cfg.database.user;
ensureDBOwnership = true;
}
];
};
systemd.tmpfiles.rules = map makeDirectoryRule [
cfg.stateDir
cfg.cacheDir
storagePath
"${storagePath}/app"
"${storagePath}/app/private"
"${storagePath}/app/public"
"${storagePath}/framework"
"${storagePath}/framework/cache"
"${storagePath}/framework/cache/data"
"${storagePath}/framework/sessions"
"${storagePath}/framework/views"
"${storagePath}/logs"
cachePath
];
services.phpfpm.pools.${poolName} = {
inherit (cfg) user group;
inherit phpPackage;
phpEnv = fpmEnvironment;
settings = {
"catch_workers_output" = true;
"clear_env" = "no";
"listen.group" = config.services.nginx.group;
"listen.mode" = "0660";
"listen.owner" = cfg.user;
"pm" = "dynamic";
"pm.max_children" = 16;
"pm.max_requests" = 500;
"pm.max_spare_servers" = 4;
"pm.min_spare_servers" = 1;
"pm.start_servers" = 2;
};
};
systemd.services.${setupService} = {
description = "Prepare Rabbi Gerzi backend";
wantedBy = [ "multi-user.target" ];
before = [ "${phpfpmService}.service" ];
after = [ "postgresql.service" ];
requires = [ "postgresql.service" ];
path = [ phpPackage ];
environment = appEnvironment;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
User = cfg.user;
Group = cfg.group;
UMask = "0077";
WorkingDirectory = appDir;
EnvironmentFile = cfg.backend.environmentFile;
ReadWritePaths = [
cfg.stateDir
cfg.cacheDir
];
};
script = ''
${artisan} migrate --force
${artisan} rabbi-gerzi:ensure-initial-admin
'';
};
systemd.services.${phpfpmService} = {
after = [ "${setupService}.service" ];
requires = [ "${setupService}.service" ];
serviceConfig = {
EnvironmentFile = cfg.backend.environmentFile;
ReadWritePaths = [
cfg.stateDir
cfg.cacheDir
];
};
};
services.nginx = {
enable = lib.mkDefault true;
recommendedGzipSettings = lib.mkDefault true;
recommendedOptimisation = lib.mkDefault true;
recommendedProxySettings = lib.mkDefault true;
recommendedTlsSettings = lib.mkDefault true;
virtualHosts = {
${cfg.frontend.hostName} = lib.mkMerge [
cfg.frontend.nginx
{
root = "${frontendPackage}";
locations."/" = {
tryFiles = "$uri $uri/ /index.html";
};
}
];
${cfg.backend.hostName} = lib.mkMerge [
cfg.backend.nginx
{
root = "${appDir}/public";
locations = {
"/" = {
index = "index.php";
tryFiles = "$uri $uri/ /index.php?$query_string";
};
"/storage/" = {
alias = "${storagePath}/app/public/";
extraConfig = ''
expires 30d;
access_log off;
'';
};
"~ \\.php$" = {
extraConfig = ''
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.${poolName}.socket};
'';
};
};
}
];
};
};
};
}

55
nix/packages/backend.nix Normal file
View file

@ -0,0 +1,55 @@
{
lib,
makeWrapper,
php,
}:
let
phpPackage = php.withExtensions (
{ enabled, all }:
enabled
++ [
all.pdo_pgsql
]
);
in
phpPackage.buildComposerProject2 (finalAttrs: {
pname = "rabbi-gerzi-backend";
version = "0.0.0";
src = lib.cleanSourceWith {
src = ../../backend;
filter =
path: type:
let
relativePath = lib.removePrefix (toString ../../backend + "/") (toString path);
in
!(
lib.hasPrefix ".env" relativePath
|| lib.hasPrefix "vendor/" relativePath
|| lib.hasPrefix ".phpunit" relativePath
|| lib.hasPrefix "storage/logs/" relativePath
|| lib.hasPrefix "storage/framework/views/" relativePath
|| lib.hasSuffix "~" relativePath
);
};
php = phpPackage;
nativeBuildInputs = [ makeWrapper ];
vendorHash = "sha256-EhBxKo3qjEuVTlxK/F+vx6ZBGbApBjcgOK8+3u8UiNk=";
postInstall = ''
mkdir -p $out/bin
makeWrapper ${phpPackage}/bin/php $out/bin/rabbi-gerzi-artisan \
--add-flags "$out/share/php/${finalAttrs.pname}/artisan"
'';
passthru = {
php = phpPackage;
};
meta = {
description = "Rabbi Gerzi Laravel backend";
mainProgram = "rabbi-gerzi-artisan";
};
})

7
nix/packages/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ pkgs }:
rec {
backend = pkgs.callPackage ./backend.nix { };
frontend = pkgs.callPackage ./frontend.nix { };
default = frontend;
}

46
nix/packages/frontend.nix Normal file
View file

@ -0,0 +1,46 @@
{
buildNpmPackage,
lib,
apiBaseUrl ? "",
}:
buildNpmPackage {
pname = "rabbi-gerzi-frontend";
version = "0.0.0";
src = lib.cleanSourceWith {
src = ../../frontend/rabbi_gerzi;
filter =
path: type:
let
relativePath = lib.removePrefix (toString ../../frontend/rabbi_gerzi + "/") (toString path);
in
!(
lib.hasPrefix ".env" relativePath
|| lib.hasPrefix "node_modules/" relativePath
|| lib.hasPrefix "dist/" relativePath
|| lib.hasPrefix "coverage/" relativePath
|| lib.hasSuffix ".tsbuildinfo" relativePath
|| lib.hasSuffix ".timestamp-" relativePath
);
};
npmDepsHash = "sha256-SF6YRzLySEkYAnwr5YYsftyvwbohtHQo0UpelHmJ7CY=";
npmFlags = [ "--legacy-peer-deps" ];
CYPRESS_INSTALL_BINARY = "0";
VITE_API_BASE_URL = apiBaseUrl;
installPhase = ''
runHook preInstall
mkdir -p $out
cp -R dist/* $out/
runHook postInstall
'';
meta = {
description = "Rabbi Gerzi Vue frontend";
};
}