From 81979fccae11ab32fa1024ea8fec588e95a51647 Mon Sep 17 00:00:00 2001 From: Ranomier <> Date: Tue, 20 May 2025 01:40:29 +0200 Subject: [PATCH] wip: interims solution --- hosts/ext-julia/default.nix | 11 +- .../hosting/wordpress-simple/kiezpalme.nix | 113 ++++++++++++++++++ modules/hosting/wordpress-simple/pertineo.nix | 113 ++++++++++++++++++ modules/software/audio_video/audio_video.nix | 1 + modules/software/packages/extended.nix | 1 + system_profiles/server.nix | 1 - 6 files changed, 235 insertions(+), 5 deletions(-) create mode 100644 modules/hosting/wordpress-simple/kiezpalme.nix create mode 100644 modules/hosting/wordpress-simple/pertineo.nix diff --git a/hosts/ext-julia/default.nix b/hosts/ext-julia/default.nix index af92053..f3953c0 100644 --- a/hosts/ext-julia/default.nix +++ b/hosts/ext-julia/default.nix @@ -1,17 +1,20 @@ -{config, pkgs, ...}:{ +{pkgs, ...}:{ imports = [ ./boot.nix ./hardware-configuration.nix - - ../../modules/hosting/wordpress.nix + + ../../modules/hosting/wordpress-simple/kiezpalme.nix + ../../modules/hosting/wordpress-simple/pertineo.nix ../../modules/sec_auth/ssh-server.nix ../../system_profiles/server.nix ]; - services.cWordpress = { + services.mysql = { enable = true; + package = pkgs.mariadb; }; + services.openssh.ports = [11522]; users = let username = "root"; diff --git a/modules/hosting/wordpress-simple/kiezpalme.nix b/modules/hosting/wordpress-simple/kiezpalme.nix new file mode 100644 index 0000000..636cc00 --- /dev/null +++ b/modules/hosting/wordpress-simple/kiezpalme.nix 
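Review bot: `services.mysql` is switched on with `pkgs.mariadb`, but nothing in this patch provisions a database or a database user for either WordPress site imported just above, so the two sites appear to rely on credentials created by hand; if that is intended for the interim setup, a comment on the `services.mysql` block saying so would help, otherwise `services.mysql.ensureDatabases` and `services.mysql.ensureUsers` keyed to the two site users would keep it declarative. The new header `{pkgs, ...}:` drops `config`, which matches the visible lines, but the attribute set continues past the end of the hunk, so confirm no later line still references it.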
@@ -0,0 +1,113 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ siteName = "shop.kiezpalme.de";
+ sitePort = 80;
+ siteDataDir = "/srv/http/${siteName}";
+ siteUser = "user-${siteName}";
+ siteGroup = config.services.nginx.user;
+ siteUserPhp = "${siteUser}-php";
+ siteGroupPhp = siteUserPhp;
+ sitePhpPool = "wordpress-${siteName}";
+in {
+ users = {
+ users = {
+ "${siteUser}" = {
+ isSystemUser = true;
+ group = siteGroup;
+ home = siteDataDir;
+ createHome = false;
+ shell = "${pkgs.shadow}/bin/nologin";
+ };
+
+ "${siteUserPhp}" = {
+ isSystemUser = true;
+ group = siteGroupPhp;
+ home = "/var/empty";
+ createHome = false;
+ shell = "${pkgs.shadow}/bin/nologin";
+ };
+ };
+
+ groups = {
+ "${siteGroup}" = {};
+ "${siteGroupPhp}" = {};
+ };
+ };
+
+ services = {
+
+ phpfpm.pools."${sitePhpPool}" = {
+ user = siteUserPhp;
+ group = siteGroupPhp;
+
+ settings = {
+ # Socket ownership so Nginx can connect
+ "listen.owner" = config.services.nginx.user;
+ "listen.group" = siteGroupPhp;
+ "listen.mode" = "0660";
+
+ # Dynamic process management tuned for small sites
+ pm = "dynamic";
+ "pm.max_children" = "5";
+ "pm.start_servers" = "2";
+ "pm.min_spare_servers" = "1";
+ "pm.max_spare_servers" = "3";
+
+ # Logging
+ "catch_workers_output" = true;
+ "php_admin_flag[log_errors]" = true;
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."${siteName}" = {
+ default = true;
+ root = siteDataDir;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = sitePort;
+ ssl = false;
+ }
+ ];
+
+ # Fallback for pretty permalinks
+ locations."/" = {
+ tryFiles = "$uri $uri/ /index.php?$args";
+ };
+
+ extraConfig = ''
+ index index.php;
+ '';
+
+ # Handle PHP scripts
+ locations."~ \\.php$" = {
+ extraConfig = ''
+ fastcgi_split_path_info ^(.+\\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ '';
+ };
+ };
+ };
+ };
+
+ # Bootstrap WordPress on activation
+ environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
+ system.activationScripts."setupWordpress-${siteName}".text = ''
+ mkdir -p ${siteDataDir}
+ if [ ! -f ${siteDataDir}/wp-config.php ]; then
+ cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
+ chown -R ${siteUser}:${siteGroup} ${siteDataDir}
+ chmod -R 755 ${siteDataDir}
+ fi
+ ''; # TODO: tighten permissions (not 755)
+}
diff --git a/modules/hosting/wordpress-simple/pertineo.nix b/modules/hosting/wordpress-simple/pertineo.nix
new file mode 100644
index 0000000..2a83ad5
--- /dev/null
+++ b/modules/hosting/wordpress-simple/pertineo.nix
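Review bot: The `locations."~ \\.php$"` block forwards every URI ending in .php to PHP-FPM without checking that the script exists under `root`, and the pool settings do not pin `cgi.fix_pathinfo`, so what PHP does with a script path that is not on disk is left to the pool's defaults; add `try_files $fastcgi_script_name =404;` as the first line of that location's extraConfig so nginx answers 404 itself, and do the same in pertineo.nix. Separately, the activation script only runs while wp-config.php is absent, so a later bump of `pkgs.wordpress` never reaches `${siteDataDir}` and the deployed core stays at the first-activated version; a comment above `system.activationScripts` stating that core updates are manual would at least make this explicit. The TODO on `chmod -R 755` covers the permission side, but note that `${siteUserPhp}` is not a member of `${siteGroup}`, so PHP-FPM gets read-only access to the whole tree and WordPress cannot write wp-content at all.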
@@ -0,0 +1,113 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ siteName = "pertineo.de";
+ sitePort = 81;
+ siteDataDir = "/srv/http/${siteName}";
+ siteUser = "user-${siteName}";
+ siteGroup = config.services.nginx.user;
+ siteUserPhp = "${siteUser}-php";
+ siteGroupPhp = siteUserPhp;
+ sitePhpPool = "wordpress-${siteName}";
+in {
+ users = {
+ users = {
+ "${siteUser}" = {
+ isSystemUser = true;
+ group = siteGroup;
+ home = siteDataDir;
+ createHome = false;
+ shell = "${pkgs.shadow}/bin/nologin";
+ };
+
+ "${siteUserPhp}" = {
+ isSystemUser = true;
+ group = siteGroupPhp;
+ home = "/var/empty";
+ createHome = false;
+ shell = "${pkgs.shadow}/bin/nologin";
+ };
+ };
+
+ groups = {
+ "${siteGroup}" = {};
+ "${siteGroupPhp}" = {};
+ };
+ };
+
+ services = {
+
+ phpfpm.pools."${sitePhpPool}" = {
+ user = siteUserPhp;
+ group = siteGroupPhp;
+
+ settings = {
+ # Socket ownership so Nginx can connect
+ "listen.owner" = config.services.nginx.user;
+ "listen.group" = siteGroupPhp;
+ "listen.mode" = "0660";
+
+ # Dynamic process management tuned for small sites
+ pm = "dynamic";
+ "pm.max_children" = "5";
+ "pm.start_servers" = "2";
+ "pm.min_spare_servers" = "1";
+ "pm.max_spare_servers" = "3";
+
+ # Logging
+ "catch_workers_output" = true;
+ "php_admin_flag[log_errors]" = true;
+ };
+ };
+
+ nginx = {
+ enable = true;
+ virtualHosts."${siteName}" = {
+ default = true;
+ root = siteDataDir;
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = sitePort;
+ ssl = false;
+ }
+ ];
+
+ # Fallback for pretty permalinks
+ locations."/" = {
+ tryFiles = "$uri $uri/ /index.php?$args";
+ };
+
+ extraConfig = ''
+ index index.php;
+ '';
+
+ # Handle PHP scripts
+ locations."~ \\.php$" = {
+ extraConfig = ''
+ fastcgi_split_path_info ^(.+\\.php)(/.+)$;
+ fastcgi_pass unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ '';
+ };
+ };
+ };
+ };
+
+ # Bootstrap WordPress on activation
+ environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
+ system.activationScripts."setupWordpress-${siteName}".text = ''
+ mkdir -p ${siteDataDir}
+ if [ ! -f ${siteDataDir}/wp-config.php ]; then
+ cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
+ chown -R ${siteUser}:${siteGroup} ${siteDataDir}
+ chmod -R 755 ${siteDataDir}
+ fi
+ ''; # TODO: tighten permissions (not 755)
+}
diff --git a/modules/software/audio_video/audio_video.nix b/modules/software/audio_video/audio_video.nix
index e878b5a..a3b1784 100644
--- a/modules/software/audio_video/audio_video.nix
+++ b/modules/software/audio_video/audio_video.nix
@@ -16,6 +16,7 @@ }; }; + # only for more system kinda packages not editing and such environment.systemPackages = with pkgs; [ helvum pwvucontrol
diff --git a/modules/software/packages/extended.nix b/modules/software/packages/extended.nix
index 7e1b447..028ac4d 100644
--- a/modules/software/packages/extended.nix
+++ b/modules/software/packages/extended.nix
@@ -55,5 +55,6 @@
 rustdesk-flutter
 timer
 unstable.prusa-slicer
+ tenacity
 ];
 }
diff --git a/system_profiles/server.nix b/system_profiles/server.nix
index b242b27..65d54d6 100644
--- a/system_profiles/server.nix
+++ b/system_profiles/server.nix
@@ -6,6 +6,5 @@
 ../modules/customisation.nix
 ../modules/software/neovim.nix
 ../modules/software/packages/core.nix
-
 ];
 }
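Review bot: pertineo.nix duplicates kiezpalme.nix line for line with only `siteName` and `sitePort` differing, so every fix to the nginx/php-fpm wiring has to be applied twice; move the body into a function taking `{ name, port }` (for example a `mkWordpressSite.nix` placed next to the two files) and have each site file call it with its own values. The `lib` argument in the module header is unused in both files and can be dropped. Both vhosts also set `default = true`; that is harmless while they listen on different ports, but it would become a duplicate default server as soon as both move to the same address and port.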