From af3c9491814739f88cfc8630a71d5587c0cd757b Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Wed, 7 Jun 2023 21:58:05 +0200
Subject: [PATCH] wip: working vm

---
 flake.nix | 6 +-
 nginx-erpnext-conf.nix | 213 +++++++++++++++++++-------------------
 test-vm/configuration.nix | 13 +--
 3 files changed, 114 insertions(+), 118 deletions(-)

diff --git a/flake.nix b/flake.nix
index 5971ac1..1feac9d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,9 +30,9 @@
 inherit pkgs;
 run-erpnext = pkgs.run-erpnext;
 pip2nix = import "${pip2nix}/default.nix" { inherit pkgs; pythonPackages = "python310Packages"; };
- erpnext = pkgs.python3.pkgs.erpnext;
- bench = pkgs.python3.pkgs.bench;
- pythonPkgs = pkgs.python3.pkgs;
+ erpnext = pkgs.python3-erpnext.pkgs.erpnext;
+ bench = pkgs.python3-erpnext.pkgs.bench;
+ pythonPkgs = pkgs.python3-erpnext.pkgs;
 });
 nixosConfigurations = {
 test-vm = nixpkgs.lib.nixosSystem {
diff --git a/nginx-erpnext-conf.nix b/nginx-erpnext-conf.nix
index 2d6cfae..9da5395 100644
--- a/nginx-erpnext-conf.nix
+++ b/nginx-erpnext-conf.nix
@@ -1,6 +1,7 @@
 # From https://github.com/frappe/frappe_docker/blob/main/resources/nginx-template.conf
 { writeText
 , nginx
+, frappe-erpnext-assets
 }:
 let
 backend = "127.0.0.1:9090";
@@ -13,125 +14,119 @@ let
 proxy_read_timeout = "120";
 in
 writeText "erpnext.conf" ''
-events {
- worker_connections 1024;
+upstream backend-server {
+ server ${backend} fail_timeout=0;
 }
-http {
- upstream backend-server {
- server ${backend} fail_timeout=0;
+upstream socketio-server {
+ server ${socketio} fail_timeout=0;
+}
+
+# Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $scheme;
+ https https;
+}
+
+server {
+ listen 8081;
+ server_name ${frappe_site_name_header};
+ root ${frappe-erpnext-assets}/share/sites;
+
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
+
+ set_real_ip_from ${upstream_real_ip_address};
+ real_ip_header ${upstream_real_ip_header};
+ real_ip_recursive ${upstream_real_ip_recursive};
+
+ location /assets {
+ try_files $uri =404;
 }
- upstream socketio-server {
- server ${socketio} fail_timeout=0;
+ location ~ ^/protected/(.*) {
+ internal;
+ try_files /${frappe_site_name_header}/$1 =404;
 }
- # Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
- map $http_x_forwarded_proto $proxy_x_forwarded_proto {
- default $scheme;
- https https;
+ location /socket.io {
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header};
+ proxy_set_header Origin $scheme://${frappe_site_name_header};
+ proxy_set_header Host $host;
+
+ proxy_pass http://socketio-server;
 }
- server {
- listen 8081;
- server_name ${frappe_site_name_header};
- root /tmp/erpnext/sites;
+ location / {
+ rewrite ^(.+)/$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
+ rewrite ^(.+)/index\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
+ rewrite ^(.+)\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
- proxy_buffer_size 128k;
- proxy_buffers 4 256k;
- proxy_busy_buffers_size 256k;
+ location ~ ^/files/.*.(htm|html|svg|xml) {
+ # TODO: Figure out how to do this.
+ # add_header Content-disposition "attachment";
+ try_files /${frappe_site_name_header}/public/$uri @webserver;
+ }
- add_header X-Frame-Options "SAMEORIGIN";
- add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
-
- set_real_ip_from ${upstream_real_ip_address};
- real_ip_header ${upstream_real_ip_header};
- real_ip_recursive ${upstream_real_ip_recursive};
-
- location /assets {
- try_files $uri =404;
- }
-
- location ~ ^/protected/(.*) {
- internal;
- try_files /${frappe_site_name_header}/$1 =404;
- }
-
- location /socket.io {
- proxy_http_version 1.1;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header};
- proxy_set_header Origin $scheme://${frappe_site_name_header};
- proxy_set_header Host $host;
-
- proxy_pass http://socketio-server;
- }
-
- location / {
- rewrite ^(.+)/$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
- rewrite ^(.+)/index\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
- rewrite ^(.+)\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
-
- location ~ ^/files/.*.(htm|html|svg|xml) {
- # TODO: Figure out how to do this.
- # add_header Content-disposition "attachment";
- try_files /${frappe_site_name_header}/public/$uri @webserver;
- }
-
- try_files /${frappe_site_name_header}/public/$uri @webserver;
- }
-
- location @webserver {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
- proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header};
- proxy_set_header Host $host;
- proxy_set_header X-Use-X-Accel-Redirect True;
- proxy_read_timeout ${proxy_read_timeout};
- proxy_redirect off;
-
- proxy_pass http://backend-server;
- }
-
- # optimizations
- sendfile on;
- keepalive_timeout 15;
- client_max_body_size ${client_max_body_size};
- client_body_buffer_size 16K;
- client_header_buffer_size 1k;
-
- # enable gzip compression
- # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
- gzip on;
- gzip_http_version 1.1;
- gzip_comp_level 5;
- gzip_min_length 256;
- gzip_proxied any;
- gzip_vary on;
- gzip_types
- application/atom+xml
- application/javascript
- application/json
- application/rss+xml
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/font-woff
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/opentype
- image/svg+xml
- image/x-icon
- text/css
- text/plain
- text/x-component;
- # text/html is always compressed by HttpGzipModule
+ try_files /${frappe_site_name_header}/public/$uri @webserver;
 }
+
+ location @webserver {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header};
+ proxy_set_header Host $host;
+ proxy_set_header X-Use-X-Accel-Redirect True;
+ proxy_read_timeout ${proxy_read_timeout};
+ proxy_redirect off;
+
+ proxy_pass http://backend-server;
+ }
+
+ # optimizations
+ sendfile on;
+ keepalive_timeout 15;
+ client_max_body_size ${client_max_body_size};
+ client_body_buffer_size 16K;
+ client_header_buffer_size 1k;
+
+ # enable gzip compression
+ # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
+ gzip on;
+ gzip_http_version 1.1;
+ gzip_comp_level 5;
+ gzip_min_length 256;
+ gzip_proxied any;
+ gzip_vary on;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/rss+xml
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/font-woff
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/svg+xml
+ image/x-icon
+ text/css
+ text/plain
+ text/x-component;
+ # text/html is always compressed by HttpGzipModule
 }
 ''
diff --git a/test-vm/configuration.nix b/test-vm/configuration.nix
index 278bc12..7027cdf 100644
--- a/test-vm/configuration.nix
+++ b/test-vm/configuration.nix
@@ -110,10 +110,9 @@
 wantedBy = [ "erpnext.service" ];
 partOf = [ "erpnext.service" ];
 script = ''
- cd /var/lib/erpnext
- mkdir bench
- cd bench
- mkdir -p apps sites config/pids logs
+ for subdir in apps sites config/pids logs; do
+ mkdir -p /var/lib/erpnext/bench/$subdir
+ done
 '';
 serviceConfig = {
 RemainAfterExit = true;
@@ -124,7 +123,7 @@
 services.nginx = {
 enable = true;
- config = builtins.readFile "${pkgs.erpnext-nginx-conf}";
+ appendHttpConfig = builtins.readFile "${pkgs.erpnext-nginx-conf}";
 };
 systemd.services.erpnext =
@@ -173,7 +172,7 @@
 # Upstream initializes the DB with this command
 # TODO: Make this idempotent
 cd /var/lib/erpnext/bench/sites
- bench new-site localhost --mariadb-root-password password --admin-password admin
+ bench new-site localhost --mariadb-root-password password --admin-password admin || true
 bench --site localhost install-app erpnext
 # TODO: Run these as systemd units
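Review bot: The `location ~ ^/files/.*.(htm|html|svg|xml)` block inside the new `location /` still serves HTML, SVG and XML out of `${frappe_site_name_header}/public` inline — the `add_header Content-disposition` line stays commented out — so if that tree holds user uploads, as the upstream template's TODO implies, an uploaded `.html` or `.svg` renders as script on the site origin; the regex is also unanchored with an unescaped dot and should read `\.(htm|html|svg|xml)$`. The TODO can be closed in nginx itself: `add_header` is valid in a location, but a block that declares any `add_header` stops inheriting the server-level set, so the five security headers must be repeated there alongside `Content-Disposition`. Note that this only covers files nginx serves from `root` (now an immutable store path); a request that falls through to `@webserver` is handled under that location's headers, so the backend, or a matching `add_header` in `@webserver`, still has to do the same for proxied file responses. I would also leave a one-line comment on the block, `# uploaded markup is forced to download so it never executes on the site origin`.
```nginx
    location ~ ^/files/.*\.(htm|html|svg|xml)$ {
      # add_header in a location replaces the server-level set, so repeat it
      add_header X-Frame-Options "SAMEORIGIN";
      add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
      # uploaded markup is forced to download so it never executes on the site origin
      add_header Content-Disposition "attachment";
      try_files /${frappe_site_name_header}/public/$uri @webserver;
    }
    # … unchanged: try_files fallback, @webserver, optimizations, gzip …
```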
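Review bot: The `|| true` appended to `bench new-site` swallows every failure of that command, not only "site already exists" — a wrong MariaDB root password or an unreachable database now lets the following `bench --site localhost install-app erpnext` run against a site that was never created, and the unit still reports success. If the aim is idempotence (the `# TODO: Make this idempotent` comment above it), guard on the site directory instead: `[ -d localhost ] || bench new-site localhost --mariadb-root-password password --admin-password admin` (the script has just `cd`'d into `sites`, so the relative check is enough) and let a real failure abort the script. Separately, the root and admin passwords are fixed literals on the command line, visible in `ps` and the journal; that is presumably acceptable for a throwaway test VM, but a comment such as `# test-vm only: throwaway credentials, not for any deployment` keeps the line from being copied elsewhere. The enclosing `script` block starts before the hunk and continues after it.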
@@ -186,7 +185,9 @@
 Type = "simple";
 BindReadOnlyPaths = [
 "/etc/hosts:/etc/hosts"
+ "${pkgs.frappe-app}:${pkgs.frappe-app}"
 "${pkgs.frappe-app}/share/apps/frappe:/var/lib/erpnext/bench/apps/frappe"
+ "${pkgs.erpnext-app}:${pkgs.erpnext-app}"
 "${pkgs.erpnext-app}/share/apps/erpnext:/var/lib/erpnext/bench/apps/erpnext"
 "${pkgs.frappe-erpnext-assets}/share/sites/assets:/var/lib/erpnext/bench/sites/assets"
 "${appsFile}:/var/lib/erpnext/bench/sites/apps.txt"