authorIzorkin <izorkin@elven.pw>2019-06-15 17:43:09 +0300
committerIzorkin <izorkin@elven.pw>2019-06-16 12:33:51 +0300
commit08dae69741a91e12a7a1910ee1339b48cf346611 (patch)
tree1dd83d2ed95ff5afa5caa8bee43ed47b3185f553 /nixos/modules/services/web-apps/matomo.nix
parent5d3805487a8b6172ce04604f2dc39902e4fcb286 (diff)
nixos/matomo: fix work with phpfpm-rootless mode
Diffstat (limited to 'nixos/modules/services/web-apps/matomo.nix')
-rw-r--r--nixos/modules/services/web-apps/matomo.nix38
1 files changed, 23 insertions, 15 deletions
diff --git a/nixos/modules/services/web-apps/matomo.nix b/nixos/modules/services/web-apps/matomo.nix
index 14aca45a342..e058c18ad87 100644
--- a/nixos/modules/services/web-apps/matomo.nix
+++ b/nixos/modules/services/web-apps/matomo.nix
@@ -4,13 +4,14 @@ let
   cfg = config.services.matomo;
 
   user = "matomo";
+  group = "matomo";
   dataDir = "/var/lib/${user}";
   deprecatedDataDir = "/var/lib/piwik";
 
   pool = user;
-  # it's not possible to use /run/phpfpm/${pool}.sock because /run/phpfpm/ is root:root 0770,
+  # it's not possible to use /run/phpfpm-${pool}/${pool}.sock because /run/phpfpm/ is root:root 0770,
   # and therefore is not accessible by the web server.
-  phpSocket = "/run/phpfpm-${pool}.sock";
+  phpSocket = "/run/phpfpm-${pool}/${pool}.sock";
   phpExecutionUnit = "phpfpm-${pool}";
   databaseService = "mysql.service";
 
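Review bot: The reworded comment above `phpSocket` now says it is not possible to use `/run/phpfpm-${pool}/${pool}.sock`, which is exactly the path assigned two lines later, while still giving `/run/phpfpm/` being root:root 0770 as the reason. The comment should state the current rationale instead, for example `# the socket lives in the per-pool directory /run/phpfpm-${pool}/ because the shared /run/phpfpm/ is root:root 0770 and not accessible by the web server`. Ownership and mode of the new per-pool directory are not visible in this diff, so the wording should be checked against the phpfpm module.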
@@ -137,9 +138,12 @@ in {
       isSystemUser = true;
       createHome = true;
       home = dataDir;
-      group  = user;
+      group  = "${group}";
     };
-    users.groups.${user} = {};
+    users.users.${config.services.nginx.user} = {
+      extraGroups = [ "${group}" ];
+    };
+    users.groups.${group} = {};
 
     systemd.services.matomo-setup-update = {
       # everything needs to set up and up to date before Matomo php files are executed
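Review bot: Putting `config.services.nginx.user` into the `matomo` group grants the web server far more than socket access: the preStart hunk below chowns `${dataDir}` to `${user}:${group}` and runs `chmod -R ug+rwX`, so every group member can read and write the whole Matomo data directory. The pool hunk keeps `listen.mode = 0600` with `listen.owner = ${socketOwner}`, so the membership is presumably only needed to traverse the per-pool socket directory; a dedicated socket group, or keeping `${dataDir}` owner-only, would preserve the separation between the nginx workers and the PHP user. The entry is also not guarded within this hunk, so it would be declared even when `cfg.webServerUser` is used; consider `users.users.${config.services.nginx.user} = mkIf (cfg.nginx != null) { extraGroups = [ group ]; };`. The enclosing config block starts outside the hunk, so an outer condition may already apply.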
@@ -169,7 +173,7 @@ in {
           echo "Migrating from ${deprecatedDataDir} to ${dataDir}"
           mv -T ${deprecatedDataDir} ${dataDir}
         fi
-        chown -R ${user}:${user} ${dataDir}
+        chown -R ${user}:${group} ${dataDir}
         chmod -R ug+rwX,o-rwx ${dataDir}
         '';
       script = ''
@@ -225,22 +229,26 @@ in {
       serviceConfig.UMask = "0007";
     };
 
-    services.phpfpm.poolConfigs = let
+    services.phpfpm.pools = let
       # workaround for when both are null and need to generate a string,
       # which is illegal, but as assertions apparently are being triggered *after* config generation,
       # we have to avoid already throwing errors at this previous stage.
       socketOwner = if (cfg.nginx != null) then config.services.nginx.user
       else if (cfg.webServerUser != null) then cfg.webServerUser else "";
     in {
-      ${pool} = ''
-        listen = "${phpSocket}"
-        listen.owner = ${socketOwner}
-        listen.group = root
-        listen.mode = 0600
-        user = ${user}
-        env[PIWIK_USER_PATH] = ${dataDir}
-        ${cfg.phpfpmProcessManagerConfig}
-      '';
+      ${pool} = {
+        socketName = "${pool}";
+        phpPackage = pkgs.php;
+        user = "${user}";
+        group = "${group}";
+        extraConfig = ''
+          listen.owner = ${socketOwner}
+          listen.group = ${group}
+          listen.mode = 0600
+          env[PIWIK_USER_PATH] = ${dataDir}
+          ${cfg.phpfpmProcessManagerConfig}
+        '';
+      };
     };