From 43d1a9d79e7b0590a18174e186f5f44a79c40821 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Mon, 8 Jan 2024 14:16:11 +0100 Subject: [PATCH] feat(wordpress): Complete the bridge between the host and the container --- machines/web01/wordpress/lavoixduntexte.nix | 23 ---------- machines/web01/wordpress/module.nix | 47 ++++++++++++++++++--- 2 files changed, 40 insertions(+), 30 deletions(-) delete mode 100644 machines/web01/wordpress/lavoixduntexte.nix diff --git a/machines/web01/wordpress/lavoixduntexte.nix b/machines/web01/wordpress/lavoixduntexte.nix deleted file mode 100644 index bebe295..0000000 --- a/machines/web01/wordpress/lavoixduntexte.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, lib, ... }: - -let - host = "lavoixduntexte.normalesup.eu"; - - addons = import ./addons { inherit pkgs lib; }; -in { - services.wordpress.sites.${host} = { - themes = { inherit (addons.themes) avant; }; - plugins = { inherit (addons.plugins) wordpress-importer; }; - - languages = [ pkgs.wordpressPackages.languages.fr_FR ]; - - database.tablePrefix = "wp_lvdt_"; - - settings = { }; - }; - - services.nginx.virtualHosts.${host} = { - enableACME = true; - forceSSL = true; - }; -} diff --git a/machines/web01/wordpress/module.nix b/machines/web01/wordpress/module.nix index 7d10e52..46181c5 100644 --- a/machines/web01/wordpress/module.nix +++ b/machines/web01/wordpress/module.nix @@ -1,30 +1,61 @@ -{ config, lib, options, ... }: +{ config, lib, ... }: let inherit (lib) mkEnableOption mkIf mkOption; inherit (lib.types) anything attrsOf port; + inherit (config.security.acme) certs; + cfg = config.services.wp-containers; + mkName = builtins.replaceStrings [ "." ] [ "-" ]; + mkConfig = { name, value }: { services.wordpress = { webserver = "nginx"; sites.${name} = value; }; - networking.hostName = builtins.replaceStrings [ "." ] [ "-" ] name; + security.acme = { + acceptTerms = true; + defaults.email = "acme@dgnum.eu"; + }; + + services.nginx.virtualHosts.${name} = { + onlySSL = true; + sslCertificate = "${certs.${name}.directory}/fullchain.pem"; + sslCertificateKey = "${certs.${name}.directory}/key.pem"; + sslTrustedCertificate = "${certs.${name}.directory}/chain.pem"; + }; + + networking.hostName = mkName name; + + networking.firewall.allowedTCPPorts = [ 443 ]; + + system.stateVersion = "23.11"; }; mkContainer = i: site: { - inherit (site) name; + name = mkName site.name; value = { privateNetwork = true; + forwardPorts = [{ - containerPort = 80; + containerPort = 443; hostPort = cfg.basePort + i; }]; + bindMounts.certs = { + hostPath = certs.${site.name}.directory; + mountPoint = certs.${site.name}.directory; + }; + + hostAddress = "10.31.41.${builtins.toString i}"; + localAddress = "10.0.0.1"; + + autoStart = true; + config = mkConfig site; }; }; @@ -35,8 +66,9 @@ let enableACME = true; forceSSL = true; - locations."/".proxyPass = - "http://127.0.0.1:${builtins.toString (cfg.basePort + i)}"; + locations."/".proxyPass = "https://10.31.41.${builtins.toString i}:${ + builtins.toString (cfg.basePort + i) + }"; }; }; @@ -59,6 +91,7 @@ in { config = mkIf cfg.enable { containers = builtins.listToAttrs (lib.imap0 mkContainer siteList); - services.nginx.virtualHosts = builtins.listToAttrs (lib.imap0 mkVhost siteList); + services.nginx.virtualHosts = + builtins.listToAttrs (lib.imap0 mkVhost siteList); }; }