{ config, pkgs, lib, ... }: with lib; let inherit (lib.options) showOption showFiles; cfg = config.services.dokuwiki; eachSite = cfg.sites; user = "dokuwiki"; webserver = config.services.${cfg.webserver}; mkPhpIni = generators.toKeyValue { mkKeyValue = generators.mkKeyValueDefault {} " = "; }; mkPhpPackage = cfg: cfg.phpPackage.buildEnv { extraConfig = mkPhpIni cfg.phpOptions; }; # "you're escaped" -> "'you\'re escaped'" # https://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single toPhpString = s: "'${escape [ "'" "\\" ] s}'"; dokuwikiAclAuthConfig = hostName: cfg: let inherit (cfg) acl; acl_gen = concatMapStringsSep "\n" (l: "${l.page} \t ${l.actor} \t ${toString l.level}"); in pkgs.writeText "acl.auth-${hostName}.php" '' # acl.auth.php # # # Access Control Lists # ${if isString acl then acl else acl_gen acl} ''; mergeConfig = cfg: { useacl = false; # Dokuwiki default savedir = cfg.stateDir; } // cfg.settings; writePhpFile = name: text: pkgs.writeTextFile { inherit name; text = " for explanation ''; example = "read"; }; }; }; siteOpts = { options, config, lib, name, ... }: { options = { enable = mkEnableOption "DokuWiki web application"; package = mkPackageOption pkgs "dokuwiki" { }; stateDir = mkOption { type = types.path; default = "/var/lib/dokuwiki/${name}/data"; description = "Location of the DokuWiki state directory."; }; acl = mkOption { type = with types; nullOr (listOf (submodule aclOpts)); default = null; example = literalExpression '' [ { page = "start"; actor = "@external"; level = "read"; } { page = "*"; actor = "@users"; level = "upload"; } ] ''; description = '' Access Control Lists: see Mutually exclusive with services.dokuwiki.aclFile Set this to a value other than null to take precedence over aclFile option. Warning: Consider using aclFile instead if you do not want to store the ACL in the world-readable Nix store. ''; }; aclFile = mkOption { type = with types; nullOr str; default = if (config.mergedConfig.useacl && config.acl == null) then "/var/lib/dokuwiki/${name}/acl.auth.php" else null; description = '' Location of the dokuwiki acl rules. Mutually exclusive with services.dokuwiki.acl Mutually exclusive with services.dokuwiki.acl which is preferred. Consult documentation for further instructions. Example: ''; example = "/var/lib/dokuwiki/${name}/acl.auth.php"; }; pluginsConfig = mkOption { type = with types; attrsOf bool; default = { authad = false; authldap = false; authmysql = false; authpgsql = false; }; description = '' List of the dokuwiki (un)loaded plugins. ''; }; usersFile = mkOption { type = with types; nullOr str; default = if config.mergedConfig.useacl then "/var/lib/dokuwiki/${name}/users.auth.php" else null; description = '' Location of the dokuwiki users file. List of users. Format: login:passwordhash:Real Name:email:groups,comma,separated Create passwordHash easily by using: mkpasswd -5 password `pwgen 8 1` Example: ''; example = "/var/lib/dokuwiki/${name}/users.auth.php"; }; plugins = mkOption { type = types.listOf types.path; default = []; description = '' List of path(s) to respective plugin(s) which are copied from the 'plugin' directory. ::: {.note} These plugins need to be packaged before use, see example. ::: ''; example = literalExpression '' let plugin-icalevents = pkgs.stdenv.mkDerivation rec { name = "icalevents"; version = "2017-06-16"; src = pkgs.fetchzip { stripRoot = false; url = "https://github.com/real-or-random/dokuwiki-plugin-icalevents/releases/download/''${version}/dokuwiki-plugin-icalevents-''${version}.zip"; hash = "sha256-IPs4+qgEfe8AAWevbcCM9PnyI0uoyamtWeg4rEb+9Wc="; }; installPhase = "mkdir -p $out; cp -R * $out/"; }; # And then pass this theme to the plugin list like this: in [ plugin-icalevents ] ''; }; templates = mkOption { type = types.listOf types.path; default = []; description = '' List of path(s) to respective template(s) which are copied from the 'tpl' directory. ::: {.note} These templates need to be packaged before use, see example. ::: ''; example = literalExpression '' let template-bootstrap3 = pkgs.stdenv.mkDerivation rec { name = "bootstrap3"; version = "2022-07-27"; src = pkgs.fetchFromGitHub { owner = "giterlizzi"; repo = "dokuwiki-template-bootstrap3"; rev = "v''${version}"; hash = "sha256-B3Yd4lxdwqfCnfmZdp+i/Mzwn/aEuZ0ovagDxuR6lxo="; }; installPhase = "mkdir -p $out; cp -R * $out/"; }; # And then pass this theme to the template list like this: in [ template-bootstrap3 ] ''; }; poolConfig = mkOption { type = with types; attrsOf (oneOf [ str int bool ]); default = { "pm" = "dynamic"; "pm.max_children" = 32; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 4; "pm.max_requests" = 500; }; description = '' Options for the DokuWiki PHP pool. See the documentation on `php-fpm.conf` for details on configuration directives. ''; }; phpPackage = mkPackageOption pkgs "php" { default = "php81"; example = "php82"; }; phpOptions = mkOption { type = types.attrsOf types.str; default = {}; description = '' Options for PHP's php.ini file for this dokuwiki site. ''; example = literalExpression '' { "opcache.interned_strings_buffer" = "8"; "opcache.max_accelerated_files" = "10000"; "opcache.memory_consumption" = "128"; "opcache.revalidate_freq" = "15"; "opcache.fast_shutdown" = "1"; } ''; }; settings = mkOption { type = types.attrsOf types.anything; default = { useacl = true; superuser = "admin"; }; description = '' Structural DokuWiki configuration. Refer to for details and supported values. Settings can either be directly set from nix, loaded from a file using `._file` or obtained from any PHP function calls using `._raw`. ''; example = literalExpression '' { title = "My Wiki"; userewrite = 1; disableactions = [ "register" ]; # Will be concatenated with commas plugin.smtp = { smtp_pass._file = "/var/run/secrets/dokuwiki/smtp_pass"; smtp_user._raw = "getenv('DOKUWIKI_SMTP_USER')"; }; } ''; }; mergedConfig = mkOption { readOnly = true; default = mergeConfig config; defaultText = literalExpression '' { useacl = true; } ''; description = '' Read only representation of the final configuration. ''; }; }; }; in { options = { services.dokuwiki = { sites = mkOption { type = types.attrsOf (types.submodule siteOpts); default = {}; description = "Specification of one or more DokuWiki sites to serve"; }; webserver = mkOption { type = types.enum [ "nginx" "caddy" ]; default = "nginx"; description = '' Whether to use nginx or caddy for virtual host management. Further nginx configuration can be done by adapting `services.nginx.virtualHosts.`. See [](#opt-services.nginx.virtualHosts) for further information. Further caddy configuration can be done by adapting `services.caddy.virtualHosts.`. See [](#opt-services.caddy.virtualHosts) for further information. ''; }; }; }; # implementation config = mkIf (eachSite != {}) (mkMerge [{ services.phpfpm.pools = mapAttrs' (hostName: cfg: ( nameValuePair "dokuwiki-${hostName}" { inherit user; group = webserver.group; phpPackage = mkPhpPackage cfg; phpEnv = optionalAttrs (cfg.usersFile != null) { DOKUWIKI_USERS_AUTH_CONFIG = "${cfg.usersFile}"; } // optionalAttrs (cfg.mergedConfig.useacl) { DOKUWIKI_ACL_AUTH_CONFIG = if (cfg.acl != null) then "${dokuwikiAclAuthConfig hostName cfg}" else "${toString cfg.aclFile}"; }; settings = { "listen.owner" = webserver.user; "listen.group" = webserver.group; } // cfg.poolConfig; } )) eachSite; } { systemd.tmpfiles.rules = flatten (mapAttrsToList (hostName: cfg: [ "d ${cfg.stateDir}/attic 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/cache 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/index 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/locks 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/log 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/media 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/media_attic 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/media_meta 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/meta 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/pages 0750 ${user} ${webserver.group} - -" "d ${cfg.stateDir}/tmp 0750 ${user} ${webserver.group} - -" ] ++ lib.optional (cfg.aclFile != null) "C ${cfg.aclFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/acl.auth.php.dist" ++ lib.optional (cfg.usersFile != null) "C ${cfg.usersFile} 0640 ${user} ${webserver.group} - ${pkg hostName cfg}/share/dokuwiki/conf/users.auth.php.dist" ) eachSite); users.users.${user} = { group = webserver.group; isSystemUser = true; }; } (mkIf (cfg.webserver == "nginx") { services.nginx = { enable = true; virtualHosts = mapAttrs (hostName: cfg: { serverName = mkDefault hostName; root = "${pkg hostName cfg}/share/dokuwiki"; locations = { "~ /(conf/|bin/|inc/|install.php)" = { extraConfig = "deny all;"; }; "~ ^/data/" = { root = "${cfg.stateDir}"; extraConfig = "internal;"; }; "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { extraConfig = "expires 365d;"; }; "/" = { priority = 1; index = "doku.php"; extraConfig = ''try_files $uri $uri/ @dokuwiki;''; }; "@dokuwiki" = { extraConfig = '' # rewrites "doku.php/" out of the URLs if you set the userwrite setting to .htaccess in dokuwiki config page rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; rewrite ^/(.*) /doku.php?id=$1&$args last; ''; }; "~ \\.php$" = { extraConfig = '' try_files $uri $uri/ /doku.php; include ${config.services.nginx.package}/conf/fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param REDIRECT_STATUS 200; fastcgi_pass unix:${config.services.phpfpm.pools."dokuwiki-${hostName}".socket}; ''; }; }; }) eachSite; }; }) (mkIf (cfg.webserver == "caddy") { services.caddy = { enable = true; virtualHosts = mapAttrs' (hostName: cfg: ( nameValuePair "http://${hostName}" { extraConfig = '' root * ${pkg hostName cfg}/share/dokuwiki file_server encode zstd gzip php_fastcgi unix/${config.services.phpfpm.pools."dokuwiki-${hostName}".socket} @restrict_files { path /data/* /conf/* /bin/* /inc/* /vendor/* /install.php } respond @restrict_files 404 @allow_media { path_regexp path ^/_media/(.*)$ } rewrite @allow_media /lib/exe/fetch.php?media=/{http.regexp.path.1} @allow_detail { path /_detail* } rewrite @allow_detail /lib/exe/detail.php?media={path} @allow_export { path /_export* path_regexp export /([^/]+)/(.*) } rewrite @allow_export /doku.php?do=export_{http.regexp.export.1}&id={http.regexp.export.2} try_files {path} {path}/ /doku.php?id={path}&{query} ''; } )) eachSite; }; }) ]); meta.maintainers = with maintainers; [ _1000101 onny dandellion e1mo ]; }