{ config, lib, pkgs, ... }: with config.krebs.lib; let cfg = config.lass.wordpress; out = { options.lass.wordpress = api; config = imp; }; api = mkOption { type = with types; attrsOf (submodule ({ config, ... }: { options = { domain = mkOption { type = str; default = config._module.args.name; }; dbUser = mkOption { type = str; default = replaceStrings ["."] ["_"] config.domain; }; dbName = mkOption { type = str; default = replaceStrings ["."] ["_"] config.domain; }; folder = mkOption { type = str; default = "/srv/http/${config.domain}"; }; auto = mkOption { type = bool; default = false; }; charset = mkOption { type = str; default = "utf8mb4"; }; collate = mkOption { type = str; default = ""; }; debug = mkOption { type = bool; default = false; }; multiSite = mkOption { type = attrsOf str; default = {}; example = { "0" = "bla.testsite.de"; "1" = "test.testsite.de"; }; }; ssl = mkOption { type = with types; submodule ({ options = { enable = mkEnableOption "ssl"; certificate = mkOption { type = str; }; certificate_key = mkOption { type = str; }; ciphers = mkOption { type = str; default = "AES128+EECDH:AES128+EDH"; }; }; }); }; }; })); default = {}; }; user = config.services.nginx.user; group = config.services.nginx.group; imp = { #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) '' # map $http_host $blogid { # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)} # } #''; krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: { server-names = [ "${domain}" "www.${domain}" ]; #(mkIf (multiSite != {}) #) locations = (if (multiSite != {}) then [ (nameValuePair "~ ^/files/(.*)$" '' try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ; '') (nameValuePair "^~ /blogs.dir" '' internal; alias ${folder}/wp-content/blogs.dir ; access_log off; log_not_found off; expires max; '') ] else [] ) ++ [ (nameValuePair "/" '' try_files $uri $uri/ /index.php?$args; '') (nameValuePair "~ \.php$" '' fastcgi_pass unix:${folder}/phpfpm.pool; include ${pkgs.nginx}/conf/fastcgi.conf; '') (nameValuePair "~ /\\." '' deny all; '') #Directives to send expires headers and turn off 404 error logging. (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' access_log off; log_not_found off; expires max; '') ]; extraConfig = '' root ${folder}/; index index.php; access_log /tmp/nginx_acc.log; error_log /tmp/nginx_err.log; error_page 404 /404.html; error_page 500 502 503 504 /50x.html; ${if ssl.enable then '' ssl_certificate ${ssl.certificate}; ssl_certificate_key ${ssl.certificate_key}; '' else ""} ''; listen = (if ssl.enable then [ "80" "443 ssl" ] else "80" ); }); services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' listen = ${folder}/phpfpm.pool user = ${user} group = ${group} pm = dynamic pm.max_children = 5 pm.start_servers = 2 pm.min_spare_servers = 1 pm.max_spare_servers = 3 listen.owner = ${user} listen.group = ${group} # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes ''); systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: { name = "wordpressInit-${name}"; value = { path = [ pkgs.mysql pkgs.su pkgs.gawk pkgs.jq ]; requiredBy = [ "nginx.service" ]; serviceConfig = let php.define = name: value: "define(${php.newdoc name}, ${php.newdoc value});"; php.toString = x: "'${x}'"; php.newdoc = s: let b = "EOF${builtins.hashString "sha256" s}"; in ''<<<'${b}' ${s} ${b} ''; in { Type = "oneshot"; ExecStart = pkgs.writeScript "wordpressInit" '' #!/bin/sh set -euf wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"} db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) get_secret() { echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));" } to_php_string() { echo "base64_decode('$(base64)')" } { cat ${toString <secrets/mysql_rootPassword>} password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") # TODO as package pkgs.sqlHashPassword # TODO not using mysql # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") user=${shell.escape dbUser}@localhost database=${shell.escape dbName} cat << EOF CREATE DATABASE IF NOT EXISTS $database; GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; GRANT ALL PRIVILEGES ON $database.* TO $user; FLUSH PRIVILEGES; EOF } | mysql -u root -p # TODO nix2php for wp-config.php cat > ${folder}/wp-config.php << EOF <?php define('DB_PASSWORD', '$db_password'); define('DB_HOST', 'localhost'); ${concatStringsSep "\n" (mapAttrsToList (name: value: "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));" ) { DB_NAME = dbName; DB_USER = dbUser; DB_CHARSET = charset; DB_COLLATE = collate; })} ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ "AUTH_KEY" "SECURE_AUTH_KEY" "LOGGED_IN_KEY" "NONCE_KEY" "AUTH_SALT" "SECURE_AUTH_SALT" "LOGGED_IN_SALT" "NONCE_SALT" ]} \$table_prefix = 'wp_'; ${if (multiSite != {}) then "define('WP_ALLOW_MULTISITE', true);" else "" } define('WP_DEBUG', ${toJSON debug}); if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/'); /** Sets up WordPress vars and included files. */ require_once(ABSPATH . 'wp-settings.php'); EOF ''; }; }; }); users.users.nobody2 = mkDefault { uid = mkDefault (genid "nobody2"); useDefaultShell = mkDefault true; }; }; indent = replaceChars ["\n"] ["\n "]; in out