Ranomier/NixToSee
Ranomier/NixToSee
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wip: random expiriments

Browse source
This commit is contained in:
Ranomier 2025-05-24 12:17:49 +02:00
parent 413726d368
commit 7eb4cac5ff
7 changed files with 662 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

19
hosts/ext-julia/default.nix
View file

@ -3,16 +3,27 @@
./boot.nix ./boot.nix
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/hosting/wordpress-simple/kiezpalme.nix #../../modules/hosting/wordpress-simple/kiezpalme.nix
../../modules/hosting/wordpress-simple/pertineo.nix #../../modules/hosting/wordpress-simple/pertineo.nix
../../modules/hosting/wordpress.nix
../../modules/sec_auth/ssh-server.nix ../../modules/sec_auth/ssh-server.nix
../../system_profiles/server.nix ../../system_profiles/server.nix
]; ];
services.mysql = { #services.mysql = {
# enable = true;
# package = pkgs.mariadb;
#};
services.cWordpress."example-site" = {
enable = true; enable = true;
package = pkgs.mariadb; sitePort = 80;
};
services.cWordpress."example-site2" = {
enable = true;
sitePort = 81;
}; };
services.openssh.ports = [11522]; services.openssh.ports = [11522];

3
modules/game/server/luanti/cleanup-and-pull.nix Normal file
View file

@ -0,0 +1,3 @@
{pkgs, ...}: {
}

95
modules/hosting/wordpress.nix
View file

@ -1,33 +1,84 @@
{config, pkgs, lib, ...}: {
config,
let pkgs,
cfg = config.services.cWordpress; lib,
in { ...
}: let
siteOpts = lib.types.submodule ({
options = { options = {
services.cWordpress = {
enable = lib.mkEnableOption "custom WordPress service"; enable = lib.mkEnableOption "custom WordPress service";
siteName = lib.mkOption { siteName = lib.mkOption {
type = lib.types.str; type = lib.types.nullOr lib.types.str;
default = "example-name"; default = null;
description = ""; # TODO:
}; };
sitePort = lib.mkOption { sitePort = lib.mkOption {
type = lib.types.port; type = lib.types.port;
default = 80; default = 80;
description = ""; # TODO: description = ""; # TODO:
}; };
#siteDataDir = lib.mkOption {
# type = lib.types.str;
# default = "/srv/http/${siteName}";
#};
#siteUser = lib.mkOption {
# type = lib.types.str;
# default = "user-${siteName}";
#};
#siteGroup = lib.mkOption {
# type = lib.types.str;
# default = config.services.nginx.user;
#};
#siteUserPhp = lib.mkOption {
# type = lib.types.str;
# default = "${siteUser}-php";
#};
#siteGroupPhp = lib.mkOption {
# type = lib.types.str;
# default = siteUserPhp;
#};
#sitePhpPool = lib.mkOption {
# type = lib.types.str;
# default = "wordpress-${siteName}";
#};
};
});
#sites = builtins.mapAttrs (siteName2: siteConfig:
# let
# siteName = if siteConfig.siteName != null then siteConfig.siteName else siteName2;
# in siteConfig // {siteName = siteName;}
#) cfg;
#
#enabledSites = lib.filterAttrs (name: config: config.enable) cfg;
#magie = banana: builtins.mapAttrs (siteName: site: banana) enabledSites;
mkMergeTopLevel = names: attrs:
lib.getAttrs names (
lib.mapAttrs (k: v: lib.mkMerge v) (lib.foldAttrs (n: a: [n] ++ a) [] attrs)
);
cfg = config.services.cWordpress;
in {
options = {
services.cWordpress = lib.mkOption {
type = lib.types.attrsOf siteOpts;
default = {};
description = ""; # TODO:
}; };
}; };
config = let config = mkMergeTopLevel ["users" "services" "environment" "system"] (lib.mapAttrsToList (
siteDataDir = "/srv/http/${cfg.siteName}"; siteName: opts: let
siteUser = "user-${cfg.siteName}"; siteDataDir = "/srv/http/${siteName}";
siteUser = "user-${siteName}";
siteGroup = config.services.nginx.user; siteGroup = config.services.nginx.user;
siteUserPhp = "${siteUser}-php"; siteUserPhp = "${siteUser}-php";
siteGroupPhp = siteUserPhp; siteGroupPhp = siteUserPhp;
sitePhpPool = "wordpress-${cfg.siteName}"; sitePhpPool = "wordpress-${siteName}";
in lib.mkIf cfg.enable { in {
users = { users = {
users = { users = {
"${siteUser}" = { "${siteUser}" = {
@ -38,7 +89,6 @@ in {
shell = "${pkgs.shadow}/bin/nologin"; shell = "${pkgs.shadow}/bin/nologin";
}; };
### 3) Service account for PHP-FPM pool
"${siteUserPhp}" = { "${siteUserPhp}" = {
isSystemUser = true; isSystemUser = true;
group = siteGroupPhp; group = siteGroupPhp;
@ -85,14 +135,14 @@ in {
nginx = { nginx = {
enable = true; enable = true;
virtualHosts."${cfg.siteName}" = { virtualHosts."${siteName}" = {
default = true; default = true;
root = siteDataDir; root = siteDataDir;
listen = [ listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = cfg.sitePort; port = opts.sitePort;
ssl = false; ssl = false;
} }
]; ];
@ -101,11 +151,12 @@ in {
locations."/" = { locations."/" = {
tryFiles = "$uri $uri/ /index.php?$args"; tryFiles = "$uri $uri/ /index.php?$args";
}; };
extraConfig = '' extraConfig = ''
index index.php; index index.php;
''; '';
# 6.2 Handle PHP scripts # Handle PHP scripts
locations."~ \\.php$" = { locations."~ \\.php$" = {
extraConfig = '' extraConfig = ''
fastcgi_split_path_info ^(.+\\.php)(/.+)$; fastcgi_split_path_info ^(.+\\.php)(/.+)$;
@ -121,13 +172,15 @@ in {
# Bootstrap WordPress on activation # Bootstrap WordPress on activation
environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here? environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
system.activationScripts."setupWordpress-${cfg.siteName}".text = '' system.activationScripts."setupWordpress-${siteName}".text = ''
mkdir -p ${siteDataDir} mkdir -p ${siteDataDir}
if [ ! -f ${siteDataDir}/wp-config.php ]; then if [ ! -f ${siteDataDir}/wp-config.php ]; then
cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/ cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
chown -R ${siteUser}:${siteGroup} ${siteDataDir} chown -R ${siteUser}:${siteGroup} ${siteDataDir}
chmod -R 755 ${siteDataDir} chmod -R 755 ${siteDataDir}
fi fi
''; ''; # TODO: tighten permissions (not 755)
}; }
)
cfg);
} }

186
modules/hosting/wordpress_from_krebs.nix Normal file
View file

@ -0,0 +1,186 @@
{
config,
pkgs,
lib,
...
}: let
siteOpts = lib.types.submodule ({name, ...}: {
options = {
enable = lib.mkEnableOption "custom WordPress service";
siteName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
sitePort = lib.mkOption {
type = lib.types.port;
default = 80;
description = ""; # TODO:
};
#siteDataDir = lib.mkOption {
# type = lib.types.str;
# default = "/srv/http/${siteName}";
#};
#siteUser = lib.mkOption {
# type = lib.types.str;
# default = "user-${siteName}";
#};
#siteGroup = lib.mkOption {
# type = lib.types.str;
# default = config.services.nginx.user;
#};
#siteUserPhp = lib.mkOption {
# type = lib.types.str;
# default = "${siteUser}-php";
#};
#siteGroupPhp = lib.mkOption {
# type = lib.types.str;
# default = siteUserPhp;
#};
#sitePhpPool = lib.mkOption {
# type = lib.types.str;
# default = "wordpress-${siteName}";
#};
};
});
#sites = builtins.mapAttrs (siteName2: siteConfig:
# let
# siteName = if siteConfig.siteName != null then siteConfig.siteName else siteName2;
# in siteConfig // {siteName = siteName;}
#) cfg;
#
#enabledSites = lib.filterAttrs (name: config: config.enable) cfg;
#magie = banana: builtins.mapAttrs (siteName: site: banana) enabledSites;
mkMergeTopLevel = names: attrs:
lib.getAttrs names (
lib.mapAttrs (k: v: lib.mkMerge v) (lib.foldAttrs (n: a: [n] ++ a) [] attrs)
);
cfg = config.services.cWordpress;
opts = siteName: {
siteDataDir = "/srv/http/${siteName}";
siteUser = "user-${siteName}";
siteGroup = config.services.nginx.user;
siteUserPhp = "${siteUser}-php";
siteGroupPhp = siteUserPhp;
sitePhpPool = "wordpress-${siteName}";
};
in {
options = {
services.cWordpress = lib.mkOption {
type = lib.types.attrsOf siteOpts;
default = {};
description = ""; # TODO:
};
};
config = {
users.users = lib.mapAttrs' (siteName: siteConfig: {
"user-${siteName}" = {
isSystemUser = true;
group = config.services.nginx.user;
home = "/srv/http/${siteName}";
createHome = false;
shell = "${pkgs.shadow}/bin/nologin";
};
"user-${siteName}-php" = {
isSystemUser = true;
group = "user-${siteName}-php";
home = "/var/empty";
createHome = false;
shell = "${pkgs.shadow}/bin/nologin";
};
}) cfg;
users.groups = lib.mapAttrs' (siteName: siteConfig: {
${config.services.nginx.user} = {};
"user-${siteName}-php" = {};
}) cfg;
services = {
mysql = {
enable = true;
package = pkgs.mariadb;
};
phpfpm.pools."${sitePhpPool}" = {
user = siteUserPhp;
group = siteGroupPhp;
settings = {
# Socket ownership so Nginx can connect
"listen.owner" = config.services.nginx.user;
"listen.group" = siteGroupPhp;
"listen.mode" = "0660";
# Dynamic process management tuned for small sites
pm = "dynamic";
"pm.max_children" = "5";
"pm.start_servers" = "2";
"pm.min_spare_servers" = "1";
"pm.max_spare_servers" = "3";
# Logging
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
};
};
nginx = {
enable = true;
virtualHosts."${siteName}" = {
default = true;
root = siteDataDir;
listen = [
{
addr = "0.0.0.0";
port = opts.sitePort;
ssl = false;
}
];
# Fallback for pretty permalinks
locations."/" = {
tryFiles = "$uri $uri/ /index.php?$args";
};
extraConfig = ''
index index.php;
'';
# Handle PHP scripts
locations."~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include ${pkgs.nginx}/conf/fastcgi_params;
'';
};
};
};
};
# Bootstrap WordPress on activation
environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
system.activationScripts."setupWordpress-${siteName}".text = ''
mkdir -p ${siteDataDir}
if [ ! -f ${siteDataDir}/wp-config.php ]; then
cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
chown -R ${siteUser}:${siteGroup} ${siteDataDir}
chmod -R 755 ${siteDataDir}
fi
''; # TODO: tighten permissions (not 755)
}
)
cfg);
}

138
modules/hosting/wordpress_new.nix Normal file
View file

@ -0,0 +1,138 @@
{
config,
pkgs,
lib,
...
}: let
cfg = config.services.cWordpress;
in {
options = {
services.cWordpress = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule {
options.enable = lib.mkEnableOption "custom WordPress service";
options.sitePort = lib.mkOption {
type = lib.types.port;
default = 80;
description = ""; # TODO:
};
});
default = {};
description = ""; # TODO: per-site WordPress configs
};
};
config = lib.foldAttrs' (siteName: cfg: let
siteDataDir = "/srv/http/${siteName}";
siteUser = "user-${siteName}";
siteGroup = config.services.nginx.user;
siteUserPhp = "${siteUser}-php";
siteGroupPhp= siteUserPhp;
sitePhpPool = "wordpress-${siteName}";
in
lib.mkIf cfg.enable {
users = {
users = {
"${siteUser}" = {
isSystemUser = true;
group = siteGroup;
home = siteDataDir;
createHome = false;
shell = "${pkgs.shadow}/bin/nologin";
};
### 3) Service account for PHP-FPM pool
"${siteUserPhp}" = {
isSystemUser = true;
group = siteGroupPhp;
home = "/var/empty";
createHome = false;
shell = "${pkgs.shadow}/bin/nologin";
};
};
groups = {
"${siteGroup}" = {};
"${siteGroupPhp}" = {};
};
};
services = {
mysql = {
enable = true;
package = pkgs.mariadb;
};
phpfpm.pools."${sitePhpPool}" = {
user = siteUserPhp;
group = siteGroupPhp;
settings = {
# Socket ownership so Nginx can connect
"listen.owner" = config.services.nginx.user;
"listen.group" = siteGroupPhp;
"listen.mode" = "0660";
# Dynamic process management tuned for small sites
pm = "dynamic";
"pm.max_children" = "5";
"pm.start_servers" = "2";
"pm.min_spare_servers" = "1";
"pm.max_spare_servers" = "3";
# Logging
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
};
};
nginx = {
enable = true;
virtualHosts."${siteName}" = {
default = true;
root = siteDataDir;
listen = [
{
addr = "0.0.0.0";
port = cfg.sitePort;
ssl = false;
}
];
# Fallback for pretty permalinks
locations."/" = {
tryFiles = "$uri $uri/ /index.php?$args";
};
extraConfig = ''
index index.php;
'';
# Handle PHP scripts
locations."~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include ${pkgs.nginx}/conf/fastcgi_params;
'';
};
};
};
};
# Bootstrap WordPress on activation
environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
system.activationScripts."setupWordpress-${siteName}".text = ''
mkdir -p ${siteDataDir}
if [ ! -f ${siteDataDir}/wp-config.php ]; then
cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
chown -R ${siteUser}:${siteGroup} ${siteDataDir}
chmod -R 755 ${siteDataDir}
fi
'';
}}) {} cfg;
}

145
modules/hosting/wordpress_refactor.nix Normal file
View file

@ -0,0 +1,145 @@
{
config,
pkgs,
lib,
...
}: let
siteOpts = lib.types.submodule ({...}: {
options = {
enable = lib.mkEnableOption "custom WordPress service";
siteName = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
sitePort = lib.mkOption {
type = lib.types.port;
default = 80;
description = ""; # TODO:
};
};
});
cfg = config.services.cWordpress;
opts = siteName: rec {
siteDataDir = "/srv/http/${siteName}";
siteUser = "user-${siteName}";
siteGroup = config.services.nginx.user;
siteUserPhp = "${siteUser}-php";
siteGroupPhp = siteUserPhp;
sitePhpPool = "wordpress-${siteName}";
};
in {
options = {
services.cWordpress = lib.mkOption {
type = lib.types.attrsOf siteOpts;
default = {};
description = ""; # TODO:
};
};
config = {
users.users = lib.mapAttrs' (siteName: siteConfig: {
"user-${siteName}" = {
isSystemUser = true;
group = config.services.nginx.user;
home = "/srv/http/${siteName}";
createHome = false;
shell = "${pkgs.shadow}/bin/nologin";
};
"user-${siteName}-php" = {
isSystemUser = true;
group = "user-${siteName}-php";
home = "/var/empty";
createHome = false;
shell = "${pkgs.shadow}/bin/nologin";
};
}) cfg;
users.groups = lib.mapAttrs' (siteName: siteConfig: {
${config.services.nginx.user} = {};
"user-${siteName}-php" = {};
}) cfg;
# services = {
# mysql = {
# enable = true;
# package = pkgs.mariadb;
# };
#
# phpfpm.pools."${sitePhpPool}" = {
# user = siteUserPhp;
# group = siteGroupPhp;
#
# settings = {
# # Socket ownership so Nginx can connect
# "listen.owner" = config.services.nginx.user;
# "listen.group" = siteGroupPhp;
# "listen.mode" = "0660";
#
# # Dynamic process management tuned for small sites
# pm = "dynamic";
# "pm.max_children" = "5";
# "pm.start_servers" = "2";
# "pm.min_spare_servers" = "1";
# "pm.max_spare_servers" = "3";
#
# # Logging
# "catch_workers_output" = true;
# "php_admin_flag[log_errors]" = true;
# };
# };
#
# nginx = {
# enable = true;
# virtualHosts."${siteName}" = {
# default = true;
# root = siteDataDir;
#
# listen = [
# {
# addr = "0.0.0.0";
# port = opts.sitePort;
# ssl = false;
# }
# ];
#
# # Fallback for pretty permalinks
# locations."/" = {
# tryFiles = "$uri $uri/ /index.php?$args";
# };
#
# extraConfig = ''
# index index.php;
# '';
#
# # Handle PHP scripts
# locations."~ \\.php$" = {
# extraConfig = ''
# fastcgi_split_path_info ^(.+\\.php)(/.+)$;
# fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# include ${pkgs.nginx}/conf/fastcgi_params;
# '';
# };
# };
# };
# };
#
# # Bootstrap WordPress on activation
# environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
# system.activationScripts."setupWordpress-${siteName}".text = ''
# mkdir -p ${siteDataDir}
# if [ ! -f ${siteDataDir}/wp-config.php ]; then
# cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
# chown -R ${siteUser}:${siteGroup} ${siteDataDir}
# chmod -R 755 ${siteDataDir}
# fi
# ''; # TODO: tighten permissions (not 755)
};
}

6
outputs.nix
View file

@ -17,12 +17,12 @@ in {
#jitsi = {stateVersion = "24.11";}; #jitsi = {stateVersion = "24.11";};
# game-luanti = { #game-luanti = {
# stateVersion = "25.05"; # stateVersion = "25.05";
# unstable = true; # unstable = true;
# }; #};
ext-julia = {stateVersion = "24.11";}; #ext-julia = {stateVersion = "24.11";};
}; };
# Your custom packages # Your custom packages