{ config, lib, pkgs, ... }: let inherit (lib) mkEnableOption mkIf mkOption; inherit (lib.types) anything attrsOf port; inherit (config.security.acme) certs; cfg = config.services.wp-containers; mkName = builtins.replaceStrings [ "." ] [ "-" ]; mkIp = ip: i: "${ip}.${builtins.toString i}"; mkHost = mkIp "10.31.41"; mkLocal = mkIp "10.0.0"; mkConfig = { name, value, i, }: { services.wordpress = { webserver = "nginx"; sites.${name} = value; }; services.nginx.virtualHosts.${name} = { onlySSL = true; sslCertificate = "${certs.${name}.directory}/fullchain.pem"; sslCertificateKey = "${certs.${name}.directory}/key.pem"; sslTrustedCertificate = "${certs.${name}.directory}/chain.pem"; }; networking = { hostName = mkName name; hosts.${mkLocal i} = [ name ]; firewall.allowedTCPPorts = [ 443 ]; }; environment.systemPackages = [ pkgs.wp-cli pkgs.neovim ]; system.stateVersion = "23.11"; }; mkContainer = i: site: { name = mkName site.name; value = { privateNetwork = true; forwardPorts = [ { containerPort = 443; hostPort = cfg.basePort + i; } ]; bindMounts.certs = { hostPath = certs.${site.name}.directory; mountPoint = certs.${site.name}.directory; }; hostAddress = mkHost i; localAddress = mkLocal i; autoStart = true; config = mkConfig (site // { inherit i; }); }; }; mkVhost = i: site: { inherit (site) name; value = { enableACME = true; forceSSL = true; locations."/".proxyPass = "https://${mkHost i}:${builtins.toString (cfg.basePort + i)}"; }; }; siteList = lib.attrsToList cfg.sites; in { options.services.wp-containers = { enable = mkEnableOption "wordpress sites in containers"; basePort = mkOption { type = port; default = 9090; }; sites = mkOption { type = attrsOf anything; default = { }; }; }; config = mkIf cfg.enable { containers = builtins.listToAttrs (lib.imap1 mkContainer siteList); services.nginx.virtualHosts = builtins.listToAttrs (lib.imap1 mkVhost siteList); }; }