Setting up a WordPress dev environment. AKA... Trying to run before I can walk

aanderse · June 28, 2024, 6:01pm

on your lamp.php include this:

environment.systemPackages = [ php' ];

as for permissions you should create a php script to crawl around the file system and see what is visible and what is not… maybe this will shed some light on the issue

aanderse · June 28, 2024, 11:22pm

specifically what i mean by this is create a file called something like test.php at the root of one of your sites and in this file you should try to list out some paths on the file system and see if you can access them… then, when you access test.php from your web browser the script will be executed under the constrained systemd environment and you will see exactly what paths are available and what paths are not… try a bunch of paths like: /run, /run/media, /run/media/sergio, /run/media/sergio/vault, /run/media/sergio/vault/www, /run/media/sergio/vault/www/example.org, and you can see where the phpfpm engine loses access… maybe this will give us some hints?

Seedsca · June 29, 2024, 1:20am

I think the server can read all the directories fine:

<?php
$dirs = [
  "/run",
  "/run/media",
  "/run/media/sergio",
  "/run/media/sergio/vault",
  "/run/media/sergio/vault/www",
  "/run/media/sergio/vault/www/nerdpress",
];

foreach ( $dirs as $dir ) {
  if ( is_array( scandir($dir ) ) ){
    echo "<p> $dir is readable</p>";
  }
}

Though I seem to have two mount points?

[sergio@samara:/run/media/sergio/vault/www/nerdpress]$ mount | grep vault
systemd-1 on /run/media/sergio/vault type autofs (rw,relatime,fd=294,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=13241)
192.168.1.10:/mnt/btr-vault/vault on /run/media/sergio/vault type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.128,local_lock=none,addr=192.168.1.10,x-systemd.automount,x-systemd.after=network-online.target,x-systemd.mount-timeout=90)

aanderse · June 29, 2024, 1:24pm

interesting… let’s add the following configuration in addition to what you already have:

  services.phpfpm.pools."example.org" = {
    settings = {
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };

now switch back to the directory structure giving you problems and watch the phpfpm log via sudo journalctl -f -u phpfpm-example.org.service

hitting your sites should generate some error logs…

Seedsca · June 29, 2024, 6:44pm

I’m not seeing anything show up on the command line, or was there a log created that I should be looking at?

[sergio@samara:~/.nixos]$ sudo journalctl -f -u phpfpm-example.org.service
Jun 29 11:26:58 samara php-fpm[967]: [NOTICE] Terminating ...
Jun 29 11:26:58 samara systemd[1]: Stopping PHP FastCGI Process Manager service for pool example.org...
Jun 29 11:26:58 samara php-fpm[967]: [NOTICE] exiting, bye-bye!
Jun 29 11:26:58 samara systemd[1]: phpfpm-example.org.service: Deactivated successfully.
Jun 29 11:26:59 samara systemd[1]: Stopped PHP FastCGI Process Manager service for pool example.org.
Jun 29 11:27:01 samara systemd[1]: Starting PHP FastCGI Process Manager service for pool example.org...
Jun 29 11:27:01 samara php-fpm[32404]: [NOTICE] fpm is running, pid 32404
Jun 29 11:27:01 samara php-fpm[32404]: [NOTICE] ready to handle connections
Jun 29 11:27:01 samara php-fpm[32404]: [NOTICE] systemd monitor interval set to 10000ms
Jun 29 11:27:01 samara systemd[1]: Started PHP FastCGI Process Manager service for pool example.org.

This is my current lamp.nix:

{ config, pkgs, lib, ... }:
let
  # php 8.1 is the easiest option - if you need  php 7.x then we can discuss https://github.com/fossar/nix-phps/ as an option
  php' = pkgs.php83.buildEnv {
    extensions = ({ enabled, all }: enabled ++ (with all; [
      xdebug
      imagick
    ]));
    # any customizations to your `php.ini` go here
    extraConfig = ''
      memory_limit = 1024M
      xdebug.mode = debug
      xdebug.start_with_request = yes
      xdebug.idekey = gdbp
    '';
  };
  # webPath = "/var/www";
  webPath = "/run/media/sergio/vault/www";
  # php' = import ./php.nix;

  sites = [
    "example.org"
  ];
in
{
  networking.hosts = {
    # convenient if you're going to work on multiple sites
    "127.0.0.1" = [
      "example.org"
    ];
  };

  services.mysql.enable = true;
  services.mysql.package = pkgs.mariadb;
  services.mysql.ensureDatabases = [
    # list a database for every site you want and they will be automatically created
    "example.org"
  ];
  services.mysql.ensureUsers = [
    # NOTE: it is important that `name` matches your `$USER` name, this allows us to avoid password authentication
    { name = "sergio";
      ensurePermissions = {
        "*.*" = "ALL PRIVILEGES";
      };
    }
  ];

  services.phpfpm.pools."example.org" = {
    user = "sergio";
    group = "users";
    phpPackage = php';
    settings = {
      "listen.owner" = config.services.caddy.user;
      "listen.group" = config.services.caddy.group;
      "pm" = "dynamic";
      "pm.max_children" = 5;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 5;
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };
  };

  services.caddy.enable = true;

  services.caddy.virtualHosts."http://example.org:80".extraConfig = ''
    root * ${webPath}/example.org
    php_fastcgi unix/${config.services.phpfpm.pools."example.org".socket}
    file_server
  '';

  # automatically create a directory for each site you will work on with appropriate ownership+permissions
  systemd.tmpfiles.rules = [
    "d ${webPath}/example.org 0755 sergio users"
  ];

  systemd.services."phpfpm-example.org".serviceConfig = {
    PrivateDevices = lib.mkForce false;
    PrivateTmp = lib.mkForce false;
    ProtectSystem = lib.mkForce "off";
    ProtectHome = lib.mkForce false;
  };
}

aanderse · June 29, 2024, 7:07pm

at this point in troubleshooting i would probably resort to systemd-run

at this point you have a systemd issue, though, not NixOS

maybe start a new thread and someone else has some ideas

Seedsca · June 29, 2024, 10:30pm

Thanks for the time and energy! I’m currently wondering why the test.php file loaded fine, but not WordPress and MySQL… I’ll poke around at that a bit, since I do know those well. But will certainly move towards systemd-run if I don’t find anything.

I’ll report back either way.

Seedsca · July 3, 2024, 2:40am

Hopefully something comes out of this one…
https://discourse.nixos.org/t/using-nfs-share-as-web-server-errors-systemd/48285/4

If not, I also may be looking at this setup the wrong way.

Do I really need the dev env files to be on an NFS share?

aanderse · July 3, 2024, 2:49am

oh caddy is hardened too… add this and see if it does anything:

systemd.services.caddy.serviceConfig = {
  PrivateDevices = lib.mkForce false;
  ProtectHome = lib.mkForce false;
};

Seedsca · July 3, 2024, 4:45pm

It does seem like it is Caddy… Looks like there is some kind of permission problem?

If you’re running Caddy as a systemd service, reading files from /home will not work, because the caddy user does not have “executable” permission on the /home directory (necessary for traversal). It’s recommended that you place your files in /srv or /var/www/html instead.

How would I give the caddy user permission on the /mnt/vault/www directory? Though both /var/www and /mnt/vault/www have sergio:users permissions… I did just test and set permissions to 777 and nothing seemed to change.

Seedsca · July 3, 2024, 9:13pm

Some progress(?) I mounted the NFS share in /var/www and set it to anongid=239 which is caddy’s user id. Then changed the group permissions to the caddy user on the files in the directory and now getting a 500 error instead…

Jul 03 14:06:20 samara caddy[198357]: {"level":"error","ts":1720040780.7734408,"logger":"http.log.error.log0","msg":
"stat /var/www/nerdpress: stale NFS file handle","request":{"remote_ip":"127.0.0.1","remote_port":"47282","client_ip
":"127.0.0.1","proto":"HTTP/2.0","method":"GET","host":"nerdpress.localhost","uri":"/","headers":{"Accept":["text/ht
ml,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"
Dnt":["1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"],"Accept-Encoding"
:["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Te":["trailers"],"Cookie":
[],"Sec-Fetch-Site":["none"],"Sec-Gpc":["1"],"Cache-Control":["no-cache"],"Accept-Language":["en-US,en;q=0.5"],"Sec-
Fetch-User":["?1"],"Priority":["u=1"],"Pragma":["no-cache"]},"tls":{"resumed":false,"version":772,"cipher_suite":486
5,"proto":"h2","server_name":"nerdpress.localhost"}},"duration":0.067328291,"status":500,"err_id":"pews5m8v9","err_t
race":"fileserver.(*FileServer).ServeHTTP (staticfiles.go:284)"}

aanderse · July 3, 2024, 9:24pm

did you cross post on caddy forums? they are super helpful over there… they’ve worked with some members of our community before and i believe everyone was pretty happy with the results

Seedsca · July 5, 2024, 11:00pm

Some, weird, progress…

Looks like I can access WordPress, somewhat. But some files give me 500 errors and others don’t. Seems kinda random at this point. I got things to load by using .php URLs. Maybe something to do with redirects or the lack of .htaccess rules.

Seedsca · July 8, 2024, 2:59pm

Looks like PHP files are loaded fine but not JS or CSS. This renders the site, “broken”, but gives me hope.

hansemschnokeloch · July 8, 2024, 3:47pm

Hi,

I’m using caddy for my local php dev environment.
I posted a working config here Local dev stack for php

aanderse · July 8, 2024, 4:04pm

this implies the phpfpm service has access to your files but the caddy service does not

what are the permissions on your mount?

Seedsca · July 8, 2024, 5:02pm

Thanks! I’ll have a look later today. Not sure this will change my problem, since I can run what I have just fine if the files are local to the computer. It only has issues when loading them from an NFS mount.

Seedsca · July 8, 2024, 5:11pm

-rw-rw-r-- 1 sergio caddy 3573 Jul 5 15:43 wp-config.php
drwxr-xr-x 1 sergio caddy 286 Jul 5 15:54 wp-content

Here is the mount:

  fileSystems."/mnt/www" = {
    device = "192.168.1.10:/mnt/btr-vault/vault/www";
    fsType = "nfs";
    options = [ "nfsvers=4.2" "x-systemd.automount" "noauto" "nofail" "x-systemd.after=network-online.target" "x-systemd.mount-timeout=90" ];
    label = "www-nfs";
  };

NFS exportfs -v output from server:

/mnt/btr-vault/vault/www 192.168.0.0/16 (sync,wdelay,hide,no_subtree_check,anonuid=1000,anongid=239,sec=sys,rw,secure,root_squash,all_squash)

mount output:

192.168.1.10:/mnt/btr-vault/vault/www on /var/www type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.128,local_lock=none,addr=192.168.1.10,x-systemd.automount,x-systemd.after=network-online.target,x-systemd.mount-timeout=90)

I’ve been looking into that exact thing… How does caddy vs phpfpm access the files and how are their permissions/users set.

aanderse · July 8, 2024, 5:28pm

at this point i think you should try:

services.caddy.user = "sergio";
services.caddy.group = "users";

also if that doesn’t work maybe you can PM me and we can setup a call to resolve this and introduce you to devenv

Seedsca · July 24, 2024, 1:35am

Seems the issue was having sub-shares with NFS. I moved them all to the same directory and shared them individually. Now I am serving from the /mnt/www NFS share with no problems. Thanks very much for your help with this!

I’ll be tweaking this configuration further soon… Now that I have some free time in the near future.