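{ config, lib, ... }:

# NixOS module: one WordPress site per NixOS container, each site reachable on the host through an
# nginx virtual host that terminates TLS with an ACME certificate and proxies into its container.
let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) anything attrsOf port str;
  inherit (config.security.acme) certs;

  cfg = config.services.wp-containers;

  # Container name / hostname derived from the site's FQDN ("blog.example.org" -> "blog-example-org").
  # Only dots are rewritten; any other character is passed through unchanged.
  # NOTE(review): NixOS caps container names (around 11 characters, the veth interface is named after the
  # container), so a long FQDN fails evaluation here — confirm against the nixos-containers assertion.
  mkName = builtins.replaceStrings [ "." ] [ "-" ];

  # Host-side address of the veth pair for site number i (i is the 0-based position in siteList).
  hostAddressOf = i: "10.31.41.${builtins.toString i}";

  # Container-side address of the veth pair. Every container needs its own address: the host adds a route to
  # localAddress through that container's veth, so one address shared by all containers makes those routes
  # collide and only one container stays reachable. Starts at .1 so that i = 0 does not yield a .0 host part.
  localAddressOf = i: "10.0.0.${builtins.toString (i + 1)}";

  # Host port that is forwarded onto the container's port 443.
  hostPortOf = i: cfg.basePort + i;

  # NixOS configuration evaluated inside the container of one site.
  # `name` is the site's FQDN, `value` the services.wordpress.sites.<name> definition supplied by the user.
  mkConfig = { name, value }: {
    services.wordpress = {
      webserver = "nginx";
      sites.${name} = value;
    };

    # The certificate is obtained on the host (mkVhost enables ACME there) and bind-mounted into the
    # container; nothing in here requests a certificate, so these settings only satisfy the acme module.
    security.acme = {
      acceptTerms = true;
      defaults.email = cfg.acmeEmail;
    };

    # TLS only, using the host's certificate files at the very same path as on the host (see bindMounts.certs).
    services.nginx.virtualHosts.${name} = {
      onlySSL = true;
      sslCertificate = "${certs.${name}.directory}/fullchain.pem";
      sslCertificateKey = "${certs.${name}.directory}/key.pem";
      sslTrustedCertificate = "${certs.${name}.directory}/chain.pem";
    };

    networking.hostName = mkName name;
    networking.firewall.allowedTCPPorts = [ 443 ];
    system.stateVersion = "23.11";
  };

  # One `containers.<name>` entry for site number i.
  mkContainer = i: site: {
    name = mkName site.name;
    value = {
      privateNetwork = true;

      # NOTE(review): NixOS implements forwardPorts with DNAT rules on the host; unless the host filters
      # forwarded traffic, basePort + i is presumably reachable from outside the host as well, bypassing the
      # host vhost below. Proxying to localAddress:443 directly would make the forward unnecessary — verify
      # the routing before changing it.
      forwardPorts = [
        {
          containerPort = 443;
          hostPort = hostPortOf i;
        }
      ];

      # Same path on both sides so mkConfig can point nginx at the host's certificate files.
      # NOTE(review): bind mounts are presumably read-only by default, which is all the container needs — confirm.
      bindMounts.certs = {
        hostPath = certs.${site.name}.directory;
        mountPoint = certs.${site.name}.directory;
      };

      hostAddress = hostAddressOf i;
      localAddress = localAddressOf i;
      autoStart = true;
      config = mkConfig site;
    };
  };

  # One host-side `services.nginx.virtualHosts.<fqdn>` entry: public TLS termination with an ACME
  # certificate, proxied to the container through the forwarded port on the host side of the veth.
  mkVhost = i: site: {
    inherit (site) name;
    value = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "https://${hostAddressOf i}:${builtins.toString (hostPortOf i)}";
    };
  };

  # Sites as a list so containers and vhosts share the same index i (address and port of a site must agree).
  # The index follows attribute-name order (Nix sorts attribute names), so adding a site whose name sorts
  # before an existing one shifts the addresses and ports of the sites after it.
  siteList = lib.attrsToList cfg.sites;
in
{
  options.services.wp-containers = {
    enable = mkEnableOption "wordpress sites in containers";

    basePort = mkOption {
      type = port;
      default = 9090;
      description = "First host port forwarded to a container; site number i (attribute-name order) gets basePort + i.";
    };

    acmeEmail = mkOption {
      type = str;
      default = "acme@dgnum.eu";
      description = "Contact e-mail set as security.acme.defaults.email inside each container.";
    };

    sites = mkOption {
      type = attrsOf anything;
      default = { };
      description = "Sites keyed by FQDN; each value is passed unchanged as services.wordpress.sites.<fqdn> inside its own container.";
    };
  };

  config = mkIf cfg.enable {
    containers = builtins.listToAttrs (lib.imap0 mkContainer siteList);
    services.nginx.virtualHosts = builtins.listToAttrs (lib.imap0 mkVhost siteList);
  };
}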