add wp test zap

systems/zap/default.nix

@@ -1,6 +1,9 @@
 { config, pkgs, lib, modulesPath, ... }:
 
 {
+  imports = [
+    ./wp-test.nix
+  ];
   jopejoe1 = {
     local.enable = true;
     nix.enable = true;
@@ -37,24 +40,13 @@
         proxyPass = "http://localhost:8085/";
       };
     };
-    "doc.missing.ninja" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://localhost:3000/";
-      };
-    };
-    "testing.missing.ninja"= {
-      enableACME = true;
-      forceSSL = true;
-    };
-    "db.missing.ninja" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://134.255.219.135:8000/";
-      };
-    };
+    #"db.missing.ninja" = {
+    #  enableACME = true;
+    #  forceSSL = true;
+   #   locations."/" = {
+    #    proxyPass = "http://134.255.219.135:8000/";
+   #   };
+   # };
   };
 
   services.nginx.enable = true;
@@ -63,19 +55,9 @@
     defaults.email = "admin@missing.ninja";
   };
 
-  services.jitsi-meet = {
-    enable = false;
-    hostName = "meet.missing.ninja";
-    nginx.enable = true;
-  };
-
   services.cloud-init.enable = true;
   services.cloud-init.network.enable = true;
 
-  services.rss-bridge.enable = false;
-  services.rss-bridge.virtualHost = "rss.missing.ninja";
-  services.rss-bridge.whitelist = [ "*" ];
-
   services.forgejo = {
     enable = true;
     settings.server = {
@@ -107,13 +89,6 @@
 
   services.openssh.ports = [ 8081 22 ];
 
-  services.hedgedoc = {
-    enable = false;
-    settings.domain = "doc.missing.ninja";
-    settings.host = "localhost";
-    settings.port = 3000;
-    settings.protocolUseSSL = true;
-  };
   services.surrealdb.enable = false;
   services.surrealdb.host = "134.255.219.135";
 
@@ -146,17 +121,4 @@
       };
     };
   };
-
-  services.wordpress = {
-    webserver = "nginx";
-    sites."testing.missing.ninja" = {
-      languages = [ pkgs.wordpressPackages.languages.de_DE ];
-      settings = {
-        WPLANG = "de_DE";
-      };
-      virtualHost = {
-        enableACME = true; 
-      };
-    };
-  };
 }

systems/zap/wp-test.nix

@@ -0,0 +1,132 @@
+{}:
+
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "wp.missing.ninja" = {
+        serverName = "wp.missing.ninja";
+        root = "/var/www/wordpress/";
+        enableACME = true;
+        forceSSL = true;
+        extraConfig = ''
+          index index.php;
+        '';
+        locations = {
+          "/" = {
+            priority = 200;
+            extraConfig = ''
+              try_files $uri $uri/ /index.php$is_args$args;
+            '';
+          };
+          "~ \\.php$" = {
+            priority = 500;
+            extraConfig = ''
+              fastcgi_split_path_info ^(.+\.php)(/.+)$;
+              fastcgi_pass unix:${config.services.phpfpm.pools.wordpress.socket};
+              fastcgi_index index.php;
+              include "${config.services.nginx.package}/conf/fastcgi.conf";
+              fastcgi_param PATH_INFO $fastcgi_path_info;
+              fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+              # Mitigate https://httpoxy.org/ vulnerabilities
+              fastcgi_param HTTP_PROXY "";
+              fastcgi_intercept_errors off;
+              fastcgi_buffer_size 16k;
+              fastcgi_buffers 4 16k;
+              fastcgi_connect_timeout 300;
+              fastcgi_send_timeout 300;
+              fastcgi_read_timeout 300;
+            '';
+          };
+          "~ /\\." = {
+            priority = 800;
+            extraConfig = "deny all;";
+          };
+          "~* /(?:uploads|files)/.*\\.php$" = {
+            priority = 900;
+            extraConfig = "deny all;";
+          };
+          "~* \\.(js|css|png|jpg|jpeg|gif|ico)$" = {
+            priority = 1000;
+            extraConfig = ''
+              expires max;
+              log_not_found off;
+            '';
+          };
+        };
+      };
+    };
+  };
+
+  users.users.www-wordpress= {
+    isNormalUser = true;
+    group = "www-wordpress";
+    packages = with pkgs; [
+      git # maybe you want or need this
+      php82 # specify whatever version you want
+      php82.packages.composer
+    ];
+  };
+
+  users.groups.www-wordpress = { };
+
+  services.phpfpm.pools.wordpress = {
+    phpPackage = pkgs.php82;
+    user = "www-wordpress";
+    group = "www-wordpress";
+    settings = {
+      "listen.owner" = config.services.nginx.user; # or nginx, httpd, etc...
+      "listen.group" = config.services.nginx.group;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      "pm.start_servers" = 2;
+      "pm.min_spare_servers" = 2;
+      "pm.max_spare_servers" = 4;
+      "pm.max_requests" = 500;
+    };
+  };
+
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    #ensureDatabases = [ "www-wordpress" ];
+    #ensureUsers = [
+    #  {
+    #    name = "www-wordpress";
+    #    ensurePermissions = { "www-wordpress.*" = "ALL PRIVILEGES"; };
+    #  }
+    #];
+   };
+
+   systemd.services =
+   let
+    secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ];
+    secretsScript = hostStateDir: ''
+      # The match in this line is not a typo, see https://github.com/NixOS/nixpkgs/pull/124839
+      grep -q "LOOGGED_IN_KEY" "${hostStateDir}/secret-keys.php" && rm "${hostStateDir}/secret-keys.php"
+      if ! test -e "${hostStateDir}/secret-keys.php"; then
+        umask 0177
+        echo "<?php" >> "${hostStateDir}/secret-keys.php"
+        ${lib.concatMapStringsSep "\n" (var: ''
+          echo "define('${var}', '`tr -dc a-zA-Z0-9 </dev/urandom | head -c 64`');" >> "${hostStateDir}/secret-keys.php"
+        '') secretsVars}
+        echo "?>" >> "${hostStateDir}/secret-keys.php"
+        chmod 440 "${hostStateDir}/secret-keys.php"
+      fi
+    '';
+   in
+   {
+    "wordpress-init" = {
+      wantedBy = [ "multi-user.target" ];
+      before = [ "phpfpm-wordpress.service" ];
+      after = [ "mysql.service" ];
+      script = secretsScript "/var/www/wordpress/";
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "www-wordpress";
+        Group = "nginx";
+      };
+    };
+  };
+}