diff --git a/systems/zap/default.nix b/systems/zap/default.nix index 3e37823..df81197 100644 --- a/systems/zap/default.nix +++ b/systems/zap/default.nix @@ -1,6 +1,9 @@ { config, pkgs, lib, modulesPath, ... }: { + imports = [ + ./wp-test.nix + ]; jopejoe1 = { local.enable = true; nix.enable = true; @@ -37,24 +40,13 @@ proxyPass = "http://localhost:8085/"; }; }; - "doc.missing.ninja" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:3000/"; - }; - }; - "testing.missing.ninja"= { - enableACME = true; - forceSSL = true; - }; - "db.missing.ninja" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://134.255.219.135:8000/"; - }; - }; + #"db.missing.ninja" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "http://134.255.219.135:8000/"; + # }; + # }; }; services.nginx.enable = true; @@ -63,19 +55,9 @@ defaults.email = "admin@missing.ninja"; }; - services.jitsi-meet = { - enable = false; - hostName = "meet.missing.ninja"; - nginx.enable = true; - }; - services.cloud-init.enable = true; services.cloud-init.network.enable = true; - services.rss-bridge.enable = false; - services.rss-bridge.virtualHost = "rss.missing.ninja"; - services.rss-bridge.whitelist = [ "*" ]; - services.forgejo = { enable = true; settings.server = { @@ -107,13 +89,6 @@ services.openssh.ports = [ 8081 22 ]; - services.hedgedoc = { - enable = false; - settings.domain = "doc.missing.ninja"; - settings.host = "localhost"; - settings.port = 3000; - settings.protocolUseSSL = true; - }; services.surrealdb.enable = false; services.surrealdb.host = "134.255.219.135"; @@ -146,17 +121,4 @@ }; }; }; - - services.wordpress = { - webserver = "nginx"; - sites."testing.missing.ninja" = { - languages = [ pkgs.wordpressPackages.languages.de_DE ]; - settings = { - WPLANG = "de_DE"; - }; - virtualHost = { - enableACME = true; - }; - }; - }; } 
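Review bot: The second hunk replaces the removed `"db.missing.ninja"` virtual host with a commented-out copy of it instead of dropping it, and the new wp-test.nix does the same with `#ensureDatabases`/`#ensureUsers` in its `services.mysql` block. Commented-out configuration is invisible to the evaluator and drifts from the live options, and the removed block is already preserved in history by this very commit; delete the seven `#` lines, or if the host is meant to be toggled, express that as a real option guarded with `lib.mkIf`.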
diff --git a/systems/zap/wp-test.nix b/systems/zap/wp-test.nix
new file mode 100644
index 0000000..865bd33
--- /dev/null
+++ b/systems/zap/wp-test.nix
@@ -0,0 +1,132 @@
+{}:
+
+ {
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "wp.missing.ninja" = {
+ serverName = "wp.missing.ninja";
+ root = "/var/www/wordpress/";
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ index index.php;
+ '';
+ locations = {
+ "/" = {
+ priority = 200;
+ extraConfig = ''
+ try_files $uri $uri/ /index.php$is_args$args;
+ '';
+ };
+ "~ \\.php$" = {
+ priority = 500;
+ extraConfig = ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools.wordpress.socket};
+ fastcgi_index index.php;
+ include "${config.services.nginx.package}/conf/fastcgi.conf";
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
+ # Mitigate https://httpoxy.org/ vulnerabilities
+ fastcgi_param HTTP_PROXY "";
+ fastcgi_intercept_errors off;
+ fastcgi_buffer_size 16k;
+ fastcgi_buffers 4 16k;
+ fastcgi_connect_timeout 300;
+ fastcgi_send_timeout 300;
+ fastcgi_read_timeout 300;
+ '';
+ };
+ "~ /\\." = {
+ priority = 800;
+ extraConfig = "deny all;";
+ };
+ "~* /(?:uploads|files)/.*\\.php$" = {
+ priority = 900;
+ extraConfig = "deny all;";
+ };
+ "~* \\.(js|css|png|jpg|jpeg|gif|ico)$" = {
+ priority = 1000;
+ extraConfig = ''
+ expires max;
+ log_not_found off;
+ '';
+ };
+ };
+ };
+ };
+
+ users.users.www-wordpress= {
+ isNormalUser = true;
+ group = "www-wordpress";
+ packages = with pkgs; [
+ git # maybe you want or need this
+ php82 # specify whatever version you want
+ php82.packages.composer
+ ];
+ };
+
+ users.groups.www-wordpress = { };
+
+ services.phpfpm.pools.wordpress = {
+ phpPackage = pkgs.php82;
+ user = "www-wordpress";
+ group = "www-wordpress";
+ settings = {
+ "listen.owner" = config.services.nginx.user; # or nginx, httpd, etc...
+ "listen.group" = config.services.nginx.group;
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.max_requests" = 500;
+ };
+ };
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ #ensureDatabases = [ "www-wordpress" ];
+ #ensureUsers = [
+ # {
+ # name = "www-wordpress";
+ # ensurePermissions = { "www-wordpress.*" = "ALL PRIVILEGES"; };
+ # }
+ #];
+ };
+
+ systemd.services =
+ let
+ secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ];
+ secretsScript = hostStateDir: ''
+ # The match in this line is not a typo, see https://github.com/NixOS/nixpkgs/pull/124839
+ grep -q "LOOGGED_IN_KEY" "${hostStateDir}/secret-keys.php" && rm "${hostStateDir}/secret-keys.php"
+ if ! test -e "${hostStateDir}/secret-keys.php"; then
+ umask 0177
+ echo "> "${hostStateDir}/secret-keys.php"
+ ${lib.concatMapStringsSep "\n" (var: ''
+ echo "define('${var}', '`tr -dc a-zA-Z0-9 > "${hostStateDir}/secret-keys.php"
+ '') secretsVars}
+ echo "?>" >> "${hostStateDir}/secret-keys.php"
+ chmod 440 "${hostStateDir}/secret-keys.php"
+ fi
+ '';
+ in
+ {
+ "wordpress-init" = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "phpfpm-wordpress.service" ];
+ after = [ "mysql.service" ];
+ script = secretsScript "/var/www/wordpress/";
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "www-wordpress";
+ Group = "nginx";
+ };
+ };
+ };
+}