wip: interims solution

2025-05-20 01:40:29 +02:00 · 2025-05-20 01:40:29 +02:00 · 81979fccae
commit 81979fccae
parent 2ef666ad65
6 changed files with 235 additions and 5 deletions
--- a/hosts/ext-julia/default.nix
+++ b/hosts/ext-julia/default.nix
@ -1,17 +1,20 @@
-{config, pkgs, ...}:{
+{pkgs, ...}:{
  imports = [
    ./boot.nix
    ./hardware-configuration.nix
-    ../../modules/hosting/wordpress.nix
+    ../../modules/hosting/wordpress-simple/kiezpalme.nix
    ../../modules/hosting/wordpress-simple/pertineo.nix
    ../../modules/sec_auth/ssh-server.nix
    ../../system_profiles/server.nix
  ];
-  services.cWordpress = {
+  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };
  services.openssh.ports = [11522];
  users = let
    username = "root";
--- a/modules/hosting/wordpress-simple/kiezpalme.nix
+++ b/modules/hosting/wordpress-simple/kiezpalme.nix
@ -0,0 +1,113 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  siteName = "shop.kiezpalme.de";
  sitePort = 80;
  siteDataDir = "/srv/http/${siteName}";
  siteUser = "user-${siteName}";
  siteGroup = config.services.nginx.user;
  siteUserPhp = "${siteUser}-php";
  siteGroupPhp = siteUserPhp;
  sitePhpPool = "wordpress-${siteName}";
 in {
  users = {
    users = {
      "${siteUser}" = {
        isSystemUser = true;
        group = siteGroup;
        home = siteDataDir;
        createHome = false;
        shell = "${pkgs.shadow}/bin/nologin";
      };
      "${siteUserPhp}" = {
        isSystemUser = true;
        group = siteGroupPhp;
        home = "/var/empty";
        createHome = false;
        shell = "${pkgs.shadow}/bin/nologin";
      };
    };
    groups = {
      "${siteGroup}" = {};
      "${siteGroupPhp}" = {};
    };
  };
  services = {
    phpfpm.pools."${sitePhpPool}" = {
      user = siteUserPhp;
      group = siteGroupPhp;
      settings = {
        # Socket ownership so Nginx can connect
        "listen.owner" = config.services.nginx.user;
        "listen.group" = siteGroupPhp;
        "listen.mode" = "0660";
        # Dynamic process management tuned for small sites
        pm = "dynamic";
        "pm.max_children" = "5";
        "pm.start_servers" = "2";
        "pm.min_spare_servers" = "1";
        "pm.max_spare_servers" = "3";
        # Logging
        "catch_workers_output" = true;
        "php_admin_flag[log_errors]" = true;
      };
    };
    nginx = {
      enable = true;
      virtualHosts."${siteName}" = {
        default = true;
        root = siteDataDir;
        listen = [
          {
            addr = "0.0.0.0";
            port = sitePort;
            ssl = false;
          }
        ];
        # Fallback for pretty permalinks
        locations."/" = {
          tryFiles = "$uri $uri/ /index.php?$args";
        };
        extraConfig = ''
          index index.php;
        '';
        # Handle PHP scripts
        locations."~ \\.php$" = {
          extraConfig = ''
            fastcgi_split_path_info ^(.+\\.php)(/.+)$;
            fastcgi_pass          unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
            fastcgi_index         index.php;
            fastcgi_param         SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include               ${pkgs.nginx}/conf/fastcgi_params;
          '';
        };
      };
    };
  };
  # Bootstrap WordPress on activation
  environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
  system.activationScripts."setupWordpress-${siteName}".text = ''
    mkdir -p ${siteDataDir}
    if [ ! -f ${siteDataDir}/wp-config.php ]; then
      cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
      chown -R ${siteUser}:${siteGroup} ${siteDataDir}
      chmod -R 755 ${siteDataDir}
    fi
  ''; # TODO: tighten permissions (not 755)
 }
--- a/modules/hosting/wordpress-simple/pertineo.nix
+++ b/modules/hosting/wordpress-simple/pertineo.nix
@ -0,0 +1,113 @@
 {
  config,
  pkgs,
  lib,
  ...
 }: let
  siteName = "pertineo.de";
  sitePort = 81;
  siteDataDir = "/srv/http/${siteName}";
  siteUser = "user-${siteName}";
  siteGroup = config.services.nginx.user;
  siteUserPhp = "${siteUser}-php";
  siteGroupPhp = siteUserPhp;
  sitePhpPool = "wordpress-${siteName}";
 in {
  users = {
    users = {
      "${siteUser}" = {
        isSystemUser = true;
        group = siteGroup;
        home = siteDataDir;
        createHome = false;
        shell = "${pkgs.shadow}/bin/nologin";
      };
      "${siteUserPhp}" = {
        isSystemUser = true;
        group = siteGroupPhp;
        home = "/var/empty";
        createHome = false;
        shell = "${pkgs.shadow}/bin/nologin";
      };
    };
    groups = {
      "${siteGroup}" = {};
      "${siteGroupPhp}" = {};
    };
  };
  services = {
    phpfpm.pools."${sitePhpPool}" = {
      user = siteUserPhp;
      group = siteGroupPhp;
      settings = {
        # Socket ownership so Nginx can connect
        "listen.owner" = config.services.nginx.user;
        "listen.group" = siteGroupPhp;
        "listen.mode" = "0660";
        # Dynamic process management tuned for small sites
        pm = "dynamic";
        "pm.max_children" = "5";
        "pm.start_servers" = "2";
        "pm.min_spare_servers" = "1";
        "pm.max_spare_servers" = "3";
        # Logging
        "catch_workers_output" = true;
        "php_admin_flag[log_errors]" = true;
      };
    };
    nginx = {
      enable = true;
      virtualHosts."${siteName}" = {
        default = true;
        root = siteDataDir;
        listen = [
          {
            addr = "0.0.0.0";
            port = sitePort;
            ssl = false;
          }
        ];
        # Fallback for pretty permalinks
        locations."/" = {
          tryFiles = "$uri $uri/ /index.php?$args";
        };
        extraConfig = ''
          index index.php;
        '';
        # Handle PHP scripts
        locations."~ \\.php$" = {
          extraConfig = ''
            fastcgi_split_path_info ^(.+\\.php)(/.+)$;
            fastcgi_pass          unix:${config.services.phpfpm.pools."${sitePhpPool}".socket};
            fastcgi_index         index.php;
            fastcgi_param         SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include               ${pkgs.nginx}/conf/fastcgi_params;
          '';
        };
      };
    };
  };
  # Bootstrap WordPress on activation
  environment.systemPackages = [pkgs.unzip]; # TODO: why is unzip needed here?
  system.activationScripts."setupWordpress-${siteName}".text = ''
    mkdir -p ${siteDataDir}
    if [ ! -f ${siteDataDir}/wp-config.php ]; then
      cp -R ${pkgs.wordpress}/share/wordpress/* ${siteDataDir}/
      chown -R ${siteUser}:${siteGroup} ${siteDataDir}
      chmod -R 755 ${siteDataDir}
    fi
  ''; # TODO: tighten permissions (not 755)
 }
--- a/modules/software/audio_video/audio_video.nix
+++ b/modules/software/audio_video/audio_video.nix
@ -16,6 +16,7 @@
    };
  };
  # only for more system kinda packages not editing and such
  environment.systemPackages = with pkgs; [
    helvum
    pwvucontrol
--- a/modules/software/packages/extended.nix
+++ b/modules/software/packages/extended.nix
@ -55,5 +55,6 @@
    rustdesk-flutter
    timer
    unstable.prusa-slicer
    tenacity
  ];
 }
--- a/system_profiles/server.nix
+++ b/system_profiles/server.nix
@ -6,6 +6,5 @@
    ../modules/customisation.nix
    ../modules/software/neovim.nix
    ../modules/software/packages/core.nix
  ];
 }