{ pkgs, config, lib, ... }: { services.nginx = { enable = true; virtualHosts = { "wp.missing.ninja" = { serverName = "wp.missing.ninja"; root = "/var/www/wordpress/"; enableACME = true; forceSSL = true; extraConfig = '' index index.php; ''; locations = { "/" = { priority = 200; extraConfig = '' try_files $uri $uri/ /index.php$is_args$args; ''; }; "~ \\.php$" = { priority = 500; extraConfig = '' fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${config.services.phpfpm.pools.wordpress.socket}; fastcgi_index index.php; include "${config.services.nginx.package}/conf/fastcgi.conf"; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; # Mitigate https://httpoxy.org/ vulnerabilities fastcgi_param HTTP_PROXY ""; fastcgi_intercept_errors off; fastcgi_buffer_size 16k; fastcgi_buffers 4 16k; fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; ''; }; "~ /\\." = { priority = 800; extraConfig = "deny all;"; }; "~* /(?:uploads|files)/.*\\.php$" = { priority = 900; extraConfig = "deny all;"; }; "~* \\.(js|css|png|jpg|jpeg|gif|ico)$" = { priority = 1000; extraConfig = '' expires max; log_not_found off; ''; }; }; }; }; }; users.users.www-wordpress = { isNormalUser = true; group = "www-wordpress"; packages = with pkgs; [ git # maybe you want or need this php82 # specify whatever version you want php82.packages.composer ]; }; users.groups.www-wordpress = { }; services.phpfpm.pools.wordpress = { phpPackage = pkgs.php82; user = "www-wordpress"; group = "www-wordpress"; settings = { "listen.owner" = config.services.nginx.user; # or nginx, httpd, etc... "listen.group" = config.services.nginx.group; "pm" = "dynamic"; "pm.max_children" = 32; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 4; "pm.max_requests" = 500; }; }; services.mysql = { enable = true; package = pkgs.mariadb; #ensureDatabases = [ "www-wordpress" ]; #ensureUsers = [ # { # name = "www-wordpress"; # ensurePermissions = { "www-wordpress.*" = "ALL PRIVILEGES"; }; # } #]; }; systemd.services = let secretsVars = [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ]; secretsScript = hostStateDir: '' # The match in this line is not a typo, see https://github.com/NixOS/nixpkgs/pull/124839 grep -q "LOOGGED_IN_KEY" "${hostStateDir}/secret-keys.php" && rm "${hostStateDir}/secret-keys.php" if ! test -e "${hostStateDir}/secret-keys.php"; then umask 0177 echo "> "${hostStateDir}/secret-keys.php" ${ lib.concatMapStringsSep "\n" (var: '' echo "define('${var}', '`tr -dc a-zA-Z0-9 > "${hostStateDir}/secret-keys.php" '') secretsVars } echo "?>" >> "${hostStateDir}/secret-keys.php" chmod 440 "${hostStateDir}/secret-keys.php" fi ''; in { "wordpress-init" = { wantedBy = [ "multi-user.target" ]; before = [ "phpfpm-wordpress.service" ]; after = [ "mysql.service" ]; script = secretsScript "/var/www/wordpress/"; serviceConfig = { Type = "oneshot"; User = "www-wordpress"; Group = "nginx"; }; }; }; }