nixos/fcgiwrap: add option migration instruction errors

  The option `services.fgciwrap` now takes an attribute set of the

  configuration of each individual instance.

  This requires migrating any previous configuration keys from

  `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`.

  `services.fcgiwrap.*` to `services.fcgiwrap.instances.some-instance.*`.

  The ownership and mode of the UNIX sockets created by this service are now

  configurable and private by default.

  Processes also now run as a dynamically allocated user by default instead of

    ];

    services = {

      fcgiwrap.zoneminder = lib.mkIf useNginx {

      fcgiwrap.instances.zoneminder = lib.mkIf useNginx {

        process.prefork = cfg.cameras;

        process.user = user;

        process.group = group;

                  fastcgi_param HTTP_PROXY "";

                  fastcgi_intercept_errors on;

                  fastcgi_pass unix:${config.services.fcgiwrap.zoneminder.socket.address};

                  fastcgi_pass unix:${config.services.fcgiwrap.instances.zoneminder.socket.address};

                }

                location /cache/ {

      fastcgi_split_path_info ^(${regexLocation cfg})(/.+)$;

      fastcgi_param PATH_INFO $fastcgi_path_info;

    ''

    }fastcgi_pass unix:${config.services.fcgiwrap."cgit-${name}".socket.address};

    }fastcgi_pass unix:${config.services.fcgiwrap.instances."cgit-${name}".socket.address};

  '';

  cgitrcLine = name: value: "${name}=${

      groups.${cfg.group} = { };

    }));

    services.fcgiwrap = flip mapAttrs' cfgs (name: cfg:

    services.fcgiwrap.instances = flip mapAttrs' cfgs (name: cfg:

      nameValuePair "cgit-${name}" {

        process = { inherit (cfg) user group; };

        socket = { inherit (config.services.nginx) user group; };

    };

    # use nginx to serve the smokeping web service

    services.fcgiwrap.smokeping = mkIf cfg.webService {

    services.fcgiwrap.instances.smokeping = mkIf cfg.webService {

      process.user = cfg.user;

      process.group = cfg.user;

      socket = { inherit (config.services.nginx) user group; };

        locations."/smokeping.fcgi" = {

          extraConfig = ''

            include ${config.services.nginx.package}/conf/fastcgi_params;

            fastcgi_pass unix:${config.services.fcgiwrap.smokeping.socket.address};

            fastcgi_pass unix:${config.services.fcgiwrap.instances.smokeping.socket.address};

            fastcgi_param SCRIPT_FILENAME ${smokepingHome}/smokeping.fcgi;

            fastcgi_param DOCUMENT_ROOT ${smokepingHome};

          '';

with lib;

let

  forEachInstance = f: flip mapAttrs' config.services.fcgiwrap (name: cfg:

    nameValuePair "fcgiwrap-${name}" (f cfg)

  forEachInstance = f: flip mapAttrs' config.services.fcgiwrap.instances (

    name: cfg: nameValuePair "fcgiwrap-${name}" (f cfg)

  );

in {

  options.services.fcgiwrap = mkOption {

  imports = forEach [

    "enable"

    "user"

    "group"

    "socketType"

    "socketAddress"

    "preforkProcesses"

  ] (attr: mkRemovedOptionModule [ "services" "fcgiwrap" attr ] ''

      The global shared fcgiwrap instance is no longer supported due to

      security issues.

      Isolated instances should instead be configured through

      `services.fcgiwrap.instances.*'.

  '');

  options.services.fcgiwrap.instances = mkOption {

    description = "Configuration for fcgiwrap instances.";

    default = { };

    type = types.attrsOf (types.submodule ({ config, ... }: { options = {

        assertion = cfg.socket.mode != null -> cfg.socket.type == "unix";

        message = "Socket mode can only be set for the UNIX socket type.";

      }

    ]) config.services.fcgiwrap);

    ]) config.services.fcgiwrap.instances);

    systemd.services = forEachInstance (cfg: {

      after = [ "nss-user-lookup.target" ];