Declaratively serving a PHP package (derivation result) using Nginx

MatejaMaric · May 7, 2024, 4:26pm

Hello, I’m packaging my Laravel (PHP) project using Flakes.

packages: a derivation that fetches dependencies (composer and npm packages) and builds the project
overlays: a overlay for easy adding of my package to nixpkgs instance
nixosModules: a NixOS Module that configures a LEMP (Linux, Nginx, MySQL, PHP) stack that serves my package (this part doesn’t work)
nixosConfigurations: a configuration for a NixOS Container that I use for testing the above

If you run the test container provided by my flake, you’ll see that the problem is that Nginx doesn’t have necessary permission to show my application (it returns 403 Forbidden).

To recreate the issue you can run:

# Create a container
sudo nixos-container create yotalaravel --flake .#testContainer

# Start a container
sudo nixos-container start yotalaravel

# Show container ip address
sudo nixos-container show-ip yotalaravel

# Show the 403 page served by a container with IP 10.233.1.2
curl http://10.233.1.2 # You can also use firefox to open the page

If I understood correctly, a derivation result (package) is a read-only (immutable) instance in a Nix Store?
That’s surely a problem (or at least a part of it) when serving my Laravel application since it requests storage and bootstrap/cache directories to be writable.
Also, my Laravel app saves uploaded images (to storage directory, if I remember correctly) in it’s work directory, which further doesn’t align with the concept of immutability.

My guess is that I should somehow declaratively copy my derivation result to some directory outside the Nix Store which will then be accessed by Nginx.
And I also have to set the necessary permissions.
How can I do that?

Bonus question would also be how to declaratively manage upgrade, but that’s probably an entirely different problem by itself.

I would say this isn’t only a PHP/Laravel specific issue, so I you have an example in some other language/framework that you can share, please do.
I started using Nix around 6 months ago and I’m learning a lot, especially recently when I stared to write a configuration that I plan to use for my server.
So, I’m very grateful for all answers/explanations.

jtojnar · May 7, 2024, 4:42pm

That is possible, though I prefer having the source immutable and patching it to use different directories in standard system locations:

github.com

jtojnar/nixfiles/blob/f294de47b8b5272f39301ee80b9f9988f227401f/hosts/azazel/ogion.cz/bag/default.nix#L6-L10


      
          patches = builtins.filter (patch: builtins.baseNameOf patch != "wallabag-data.patch") attrs.patches ++ [
            # Out of the box, Wallabag wants to write to various subdirectories of the project directory.
            # Let’s replace references to such paths with designated systemd locations
            # so that the project source can remain immutable.
            ./wallabag-data.patch

The paths are managed by systemd and passed to the app through environment variables:

github.com

jtojnar/nixfiles/blob/f294de47b8b5272f39301ee80b9f9988f227401f/hosts/azazel/ogion.cz/bag/default.nix#L89-L98


      
          commonServiceConfig = {
            CacheDirectory = "wallabag";
            # Stores sessions.
            CacheDirectoryMode = "700";
            ConfigurationDirectory = "wallabag";
            LogsDirectory = "wallabag";
            StateDirectory = "wallabag";
            # Stores site-credentials-secret-key.txt.
            StateDirectoryMode = "700";
          };

aanderse · May 7, 2024, 4:55pm

i’ll have to dig a bit as i can’t recall at the moment (and don’t currently have the time to check) but we have a few laravel applications in nixpkgs already so you could see what they do

i believe there are environment variables that can change the cache directory, etc…

aanderse · May 7, 2024, 11:59pm

here is a nixos module for some software written using laravel: nixpkgs/nixos/modules/services/web-apps/pixelfed.nix at 57443256a0191e0d9f5f6cd130e930096581be48 · NixOS/nixpkgs · GitHub

another option might be to use a different driver for caching, like memcache… but it’s been too long since i worked with laravel to recall if that would work

if you have any trouble with this feel free to keep posting questions

MatejaMaric · May 8, 2024, 7:22am

@aanderse @jtojnar Thanks a lot guys!

if you have any trouble with this feel free to keep posting questions

I’ll definitely need some time to go through all this, so I’ll keep this topic open for now.

MatejaMaric · May 16, 2024, 6:36pm

So, I definitely needed some time to figure everything out, but I managed to do everything I wanted.
Basically, all path that Laravel expect to be writable are simlinked (in derivation’s postInstall hook) to system paths (for example /var/lib/yota-laravel) that are in turn configured by a systemd service.
Here are the final links to my project if somebody is interested:

I’ll mark @aanderse answer as a solution since I took most of the code from his example.