Update the nginx configs to include an fpm config

modules/nginx-acme-base/default.nix

@@ -1,6 +1,7 @@
 { ... }:
 {
   networking.firewall.allowedTCPPorts = [
+    80
     443
   ];
   security.acme = {
@@ -9,8 +10,31 @@
   };
   services.nginx = {
     enable = true;
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=63072000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
     recommendedOptimisation = true;
-    recommendedProxySettings = true;
     recommendedTlsSettings = true;
   };
 }

modules/nginx-acme/default.nix

@@ -1,43 +0,0 @@
-{ domain, inputs, port ? "8080", ... }:
-{
-  imports = [
-    "${inputs.self}/modules/nginx-acme-base"
-  ];
-  services.nginx = {
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=63072000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
-
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
-
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-    '';
-    virtualHosts."${domain}" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${port}";
-        proxyWebsockets = true; # needed if you need to use WebSocket
-      };
-    };
-  };
-}

modules/nginx-fpm/default.nix

@@ -0,0 +1,28 @@
+{ dataDir, documentRoot ? "/var/www/html", domain, inputs, pkgs, port ? "9000", ... }:
+{
+  imports = [
+    "${inputs.self}/modules/nginx-acme-base"
+  ];
+  services.nginx = {
+    appendHttpConfig = ''
+      index index.php;
+    '';
+    virtualHosts."${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      root = dataDir;
+      locations = {
+        "~ \\.php$" = {
+          extraConfig = ''
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            include ${pkgs.nginx}/conf/fastcgi.conf;
+            fastcgi_param  SCRIPT_FILENAME  ${documentRoot}$fastcgi_script_name;
+            fastcgi_index index.php;
+            fastcgi_pass 127.0.0.1:${port};
+          '';
+        };
+      };
+    };
+  };
+}

modules/nginx-proxy/default.nix

@@ -0,0 +1,20 @@
+{ domain, inputs, port ? "8080", ... }: {
+  imports = [
+    "${inputs.self}/modules/nginx-acme-base"
+  ];
+  services.nginx = {
+    appendHttpConfig = ''
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+    '';
+    recommendedProxySettings = true;
+    virtualHosts."${domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${port}";
+        proxyWebsockets = true; # needed if you need to use WebSocket
+      };
+    };
+  };
+}

systems/git/default.nix

@@ -8,7 +8,7 @@
     (import "${inputs.self}/modules/restic-server-mysql-client" {
       time = "03:00"; inherit custom hostname inputs pkgs;
     })
-    (import "${inputs.self}/modules/nginx-acme" {
+    (import "${inputs.self}/modules/nginx-proxy" {
       domain = "git.2li.ch"; inherit inputs;
     })
     "${inputs.self}/modules/docker"

systems/mail/default.nix

@@ -8,7 +8,7 @@
     (import "${inputs.self}/modules/restic-server-client" {
       time = "04:30"; inherit custom hostname inputs pkgs;
     })
-    (import "${inputs.self}/modules/nginx-acme" {
+    (import "${inputs.self}/modules/nginx-proxy" {
       domain = "mail.zweili.org"; inherit inputs;
     })
     "${inputs.self}/modules/docker"

systems/nextcloud/default.nix

@@ -14,34 +14,11 @@
   ];
 
   services.nginx = {
-    commonHttpConfig = ''
-      # Add HSTS header with preloading to HTTPS requests.
-      # Adding this header to HTTP requests is discouraged
-      map $scheme $hsts_header {
-          https   "max-age=63072000; includeSubdomains; preload";
-      }
-      add_header Strict-Transport-Security $hsts_header;
-
-      # Enable CSP for your services.
-      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
-      # Minimize information leaked to other domains
-      add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
+    appendHttpConfig = ''
       # Allow embedding from same domain
       add_header X-Frame-Options SAMEORIGIN;
-
-      # Prevent injection of code in other mime types (XSS Attacks)
-      add_header X-Content-Type-Options nosniff;
-
-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
-
-      # This might create errors
-      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
-
     '';
+    clientMaxBodySize = "20G";
     virtualHosts."nextcloud.2li.ch" = {
       enableACME = true;
       forceSSL = true;
@@ -52,7 +29,6 @@
       extraConfig = ''
         # Required for large downloads
         proxy_buffering off;
-        client_max_body_size 20G;
       '';
     };
   };

systems/raspi-test/default.nix

@@ -1,15 +1,30 @@
 { hostname, inputs, pkgs, ... }:
+let
+  domain = "test.2li.ch";
+in
 {
   imports = [
     (import "${inputs.self}/systems/raspi4" {
       ip = "10.7.89.150";
       inherit hostname inputs pkgs;
     })
-    (import "${inputs.self}/modules/nginx-acme" {
-      domain = "test.2li.ch";
-      inherit inputs;
+    (import "${inputs.self}/modules/nginx-fpm" {
+      dataDir = "/var/www/ttrss/app";
+      inherit domain inputs pkgs;
     })
     "${inputs.self}/modules/docker"
     "${inputs.self}/modules/tmux"
   ];
+  services.nginx.virtualHosts."${domain}".locations = {
+    "/".extraConfig = ''
+      try_files $uri $uri/ = 404;
+    '';
+    "/tt-rss/cache".extraConfig = ''
+      aio threads;
+      internal;
+    '';
+    "/tt-rss/backups".extraConfig = ''
+      internal;
+    '';
+  };
 }

systems/ttrss/default.nix

@@ -5,7 +5,7 @@
       ip = "10.7.89.115";
       inherit hostname inputs;
     })
-    (import "${inputs.self}/modules/nginx-acme" {
+    (import "${inputs.self}/modules/nginx-proxy" {
       domain = "ttrss.2li.ch"; inherit inputs;
     })
     (import "${inputs.self}/modules/restic-server-mysql-client" {