From bc23fda1c202cfc2a9d64140e301f4566b23a6d4 Mon Sep 17 00:00:00 2001 From: catvayor Date: Sun, 27 Oct 2024 09:16:42 +0100 Subject: [PATCH] feat(wordpress): container --- kat/default.nix | 126 +++++++++++++++++--------------- machines/kat-orchid/default.nix | 70 ++++++++++++++++-- 2 files changed, 128 insertions(+), 68 deletions(-) diff --git a/kat/default.nix b/kat/default.nix index 1a74cee..9cc4c83 100644 --- a/kat/default.nix +++ b/kat/default.nix @@ -15,6 +15,9 @@ with lib; "${sources.disko}/module.nix" ]; options.kat = { + addArgs = mkEnableOption "the extra arguments" // { + default = true; + }; wireguardPubKey = mkOption { type = types.str; }; 
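Review bot: `mkEnableOption "the extra arguments"` renders as "Whether to enable the extra arguments.", which tells a reader neither what is injected nor when to turn it off, and this patch flips it to `false` inside the container with no comment there either, so the description is the only place the coupling can be documented. Something like `mkEnableOption "injecting ssh-keys and kat-path into _module.args (disable in containers that receive them through specialArgs)" // { default = true; }` would carry the intent; the `_module.args` block this gates is in the next hunk.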
@@ -26,71 +29,74 @@ with lib; readOnly = true; }; }; - config = { - _module.args = { - ssh-keys = import ./ssh-keys { inherit lib; }; - kat-path = ./.; - }; - - kat = { - anywhere = pkgs.writeShellApplication { - name = "anywhere-deploy_${name}.sh"; - runtimeInputs = [ pkgs.nixos-anywhere ]; - # --kexec ${nodes.kat-kexec.config.system.build.kexecTarball}/${nodes.kat-kexec.config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz - text = '' - nixos-anywhere --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost} - ''; + config = mkMerge [ + (mkIf config.kat.addArgs { + _module.args = { + ssh-keys = import ./ssh-keys { inherit lib; }; + kat-path = ./.; + }; + }) + { + kat = { + anywhere = pkgs.writeShellApplication { + name = "anywhere-deploy_${name}.sh"; + runtimeInputs = [ pkgs.nixos-anywhere ]; + # --kexec ${nodes.kat-kexec.config.system.build.kexecTarball}/${nodes.kat-kexec.config.system.kexec-installer.name}-${pkgs.stdenv.hostPlatform.system}.tar.gz + text = '' + nixos-anywhere --store-paths ${config.system.build.diskoScriptNoDeps} ${config.system.build.toplevel} ${config.deployment.targetHost} + ''; + }; }; - }; - boot = { - tmp.useTmpfs = true; - supportedFilesystems.bcachefs = mkDefault true; - kernelPackages = pkgs.linuxPackages_latest; - }; + boot = { + tmp.useTmpfs = true; + supportedFilesystems.bcachefs = mkDefault true; + kernelPackages = pkgs.linuxPackages_latest; + }; - networking = { - useNetworkd = true; - nftables.enable = true; - }; - systemd.network.enable = true; + networking = { + useNetworkd = true; + nftables.enable = true; + }; + systemd.network.enable = true; - nix = { - nixPath = [ - "nixpkgs=${builtins.storePath pkgs.path}" - "nixos=${builtins.storePath pkgs.path}" + nix = { + nixPath = [ + "nixpkgs=${builtins.storePath pkgs.path}" + "nixos=${builtins.storePath pkgs.path}" + ]; + channel.enable = false; + settings.nix-path = config.nix.nixPath; + package = 
pkgs.lix; + }; + + time.timeZone = mkDefault "Europe/Paris"; + i18n.defaultLocale = "en_US.UTF-8"; + console = { + font = "Lat2-Terminus16"; + keyMap = mkDefault "fr"; + }; + + environment.systemPackages = with pkgs; [ + tree + ranger + ripgrep + wget + git + lazygit + btop + screen + nix-search-cli + nix-output-monitor ]; - channel.enable = false; - settings.nix-path = config.nix.nixPath; - package = pkgs.lix; - }; - time.timeZone = mkDefault "Europe/Paris"; - i18n.defaultLocale = "en_US.UTF-8"; - console = { - font = "Lat2-Terminus16"; - keyMap = mkDefault "fr"; - }; - - environment.systemPackages = with pkgs; [ - tree - ranger - ripgrep - wget - git - lazygit - btop - screen - nix-search-cli - nix-output-monitor - ]; - - services = { - resolved.enable = !config.boot.isContainer; - openssh.settings = { - ClientAliveInterval = 60; - ClientAliveCountMax = 1; + services = { + resolved.enable = !config.boot.isContainer; + openssh.settings = { + ClientAliveInterval = 60; + ClientAliveCountMax = 1; + }; }; - }; - }; + } + ]; } diff --git a/machines/kat-orchid/default.nix b/machines/kat-orchid/default.nix index 7ccee6b..0f3fd1c 100644 --- a/machines/kat-orchid/default.nix +++ b/machines/kat-orchid/default.nix @@ -3,6 +3,9 @@ lib, pkgs, mods, + kat-path, + ssh-keys, + sources, ... }: { @@ -63,7 +66,10 @@ services.openssh.enable = true; - networking.firewall.enable = false; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; security.acme = { acceptTerms = true; @@ -79,8 +85,12 @@ "orchid.katvayor.net" = { enableACME = true; forceSSL = true; - locations."/static/" = { - alias = "/srv/orchid/"; + locations = { + "/static/".alias = "/srv/orchid/"; + "/" = { + recommendedProxySettings = true; + proxyPass = "https://192.168.123.2/"; + }; }; }; "simply-wise.fr" = { 
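Review bot: The `mkIf config.kat.addArgs` gate around `_module.args` is the only real change in this hunk, and its purpose is not stated anywhere; a comment such as `# containers importing this module get ssh-keys/kat-path via specialArgs and set kat.addArgs = false, so skip injecting them here` would save the next reader from re-deriving it from the container definition in the other file. As a point of style, wrapping the entire `config` in `mkMerge [ (mkIf …) { … } ]` reindents roughly sixty unchanged lines and hides that one change; `_module.args = mkIf config.kat.addArgs { ssh-keys = …; kat-path = ./.; };` at the original nesting should be equivalent, since the module system pushes the condition down into each attribute either way. The `kat.anywhere` script, `boot`, `networking` and `openssh.settings` lines are re-indented history rather than new behaviour and I have not re-reviewed them.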
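Review bot: Replacing `networking.firewall.enable = false` with an explicit allow-list is the right direction, but the list should be checked against the rest of this host, which is outside the hunk: SSH remains reachable only because `services.openssh.openFirewall` defaults to true, and if the WireGuard interface implied by the `kat.wireguardPubKey` option is defined on this machine its UDP listen port has to go into `allowedUDPPorts` or the tunnel silently stops after this commit. A one-line comment pinning the intent prevents the next edit from re-opening everything, e.g. `# public web endpoints only; sshd (and any WireGuard port) are opened by their own modules`.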
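Review bot: `proxyPass = "https://192.168.123.2/"` speaks TLS to the container with nginx's defaults, which neither verify the upstream certificate nor send SNI, so the hop is encrypted but unauthenticated and the container's nginx answers with whatever vhost is its default. On a host-local veth that is tolerable, but it should be a deliberate choice: either proxy plain `http://192.168.123.2/` (the veth is not reachable from outside and `recommendedProxySettings` already forwards `X-Forwarded-Proto`), or authenticate the hop with `extraConfig = "proxy_ssl_verify on; proxy_ssl_name orchid.katvayor.net; proxy_ssl_server_name on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;";`. Whichever is chosen, a comment above `proxyPass` such as `# wordpress lives in the nixos-container on the veth; upstream TLS is deliberately unverified (host-local link)` records the trade-off. The enclosing `virtualHosts."orchid.katvayor.net"` block continues past the hunk.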
@@ -100,12 +110,56 @@ }; }; }; - services.wordpress = { - webserver = "nginx"; - sites."orchid.katvayor.net" = { - themes = { inherit (pkgs.wordpressPackages.themes) twentytwentythree; }; + containers.wordpress = + let + inherit (config.security.acme) certs; + in + { + privateNetwork = true; + bindMounts.certs = { + hostPath = certs."orchid.katvayor.net".directory; + mountPoint = certs."orchid.katvayor.net".directory; + isReadOnly = true; + }; + hostAddress = "192.168.123.1"; + localAddress = "192.168.123.2"; + autoStart = true; + specialArgs = { + inherit kat-path ssh-keys sources; + }; + config = { + imports = [ kat-path ]; + kat.addArgs = false; + boot.kernel.enable = false; + systemd.network.enable = lib.mkForce false; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + services = { + nginx = { + enable = true; + virtualHosts."orchid.katvayor.net" = { + addSSL = true; + sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem"; + sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem"; + sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem"; + }; + }; + openssh.enable = true; + wordpress = { + webserver = "nginx"; + sites."orchid.katvayor.net" = { + themes = { + inherit (pkgs.wordpressPackages.themes) twentytwentythree; + }; + }; + }; + }; + environment.systemPackages = [ pkgs.wp-cli ]; + system.stateVersion = "24.11"; + }; }; - }; fileSystems."/home/orchid/content/www" = { device = "/srv/orchid"; options = [ "bind" ];
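Review bot: The `bindMounts.certs` entry hands the container the host's live ACME private key, yet nothing in the hunk lets the container's `nginx` user read it: the host keeps `/var/lib/acme/<name>` as `acme:acme` 0750 by default and a NixOS container has its own passwd/group database with no user namespacing, so unless the `acme` gid happens to coincide on both sides the inner nginx will fail to open `key.pem`, and no `reloadServices`/`postRun` in this patch reaches `container@wordpress` after a renewal, so the mounted `fullchain.pem` will go stale. Since the host nginx in this same file already terminates TLS for `orchid.katvayor.net` and the veth is host-local, the simpler fix is to drop the `let … certs` binding, the bind mount and the explicit `virtualHosts` block, proxy plain `http://192.168.123.2/` from the host, and have WordPress trust `X-Forwarded-Proto` through `extraConfig` as sketched below. If the re-encrypted hop is intended, pin a shared `users.groups.acme.gid` on host and container, add `users.users.nginx.extraGroups = [ "acme" ]` inside the container, and set `security.acme.certs."orchid.katvayor.net".reloadServices = [ "container@wordpress.service" ]` on the host. Separately, the removed host-level `services.wordpress` leaves its database and uploads on the host where the fresh container cannot see them, so a one-off migration is needed unless the site had no content yet, and `systemd.network.enable = lib.mkForce false` contradicts the `networking.useNetworkd = true` inherited through `kat-path` and deserves a comment such as `# kat enables networkd; not wanted in the container, whose veth address is the localAddress above`.
```nix
containers.wordpress = {
  # … unchanged: privateNetwork, hostAddress/localAddress, autoStart, specialArgs …
  config = {
    # … unchanged: imports, kat.addArgs, boot.kernel, systemd.network, firewall …
    services = {
      nginx.enable = true;
      openssh.enable = true;
      wordpress = {
        webserver = "nginx";
        sites."orchid.katvayor.net" = {
          themes = {
            inherit (pkgs.wordpressPackages.themes) twentytwentythree;
          };
          # TLS is terminated by the host nginx, which is the only peer on the
          # veth; trust its X-Forwarded-Proto so WordPress emits https:// URLs
          # instead of redirect-looping behind the proxy.
          extraConfig = ''
            if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
              $_SERVER['HTTPS'] = 'on';
            }
          '';
        };
      };
    };
    # … unchanged: systemPackages, stateVersion …
  };
};
```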