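# NixOS module for the kinealbrigtsen.no site: a dedicated system user, a
# MySQL database with a least-privilege grant, a PHP-FPM pool running as that
# user, and an nginx virtual host in front of it.
{ config, pkgs, lib, ... }:
{
  # The site runs under its own unprivileged system account so that the
  # PHP-FPM pool and the database login share one identity and nothing else
  # on the host has to be granted to it.
  users.users.www-kinealbrigtsen-no = {
    isSystemUser = true;
    group = "www-kinealbrigtsen-no";
  };
  users.groups.www-kinealbrigtsen-no = { };

  services.mysql.ensureDatabases = [ "www_kinealbrigtsen_no" ];
  services.mysql.ensureUsers = [
    {
      # NOTE(review): same name as the system user above — presumably so the
      # pool can authenticate over the local socket as itself; confirm against
      # the WordPress DB settings.
      name = "www-kinealbrigtsen-no";
      ensurePermissions = {
        # "www_kinealbrigtsen_no.*" = "ALL PRIVILEGES"; # For upgrades and special procedures
        # Day-to-day grant is limited to the statements the application needs;
        # swap in the line above only for the duration of an upgrade.
        "www_kinealbrigtsen_no.*" = "SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX";
      };
    }
  ];

  services.phpfpm.pools.www-kinealbrigtsen-no = {
    user = "www-kinealbrigtsen-no";
    group = "www-kinealbrigtsen-no";
    # Generous limits for large media uploads. memory_limit applies per worker,
    # so pm.max_children below bounds the worst case (32 x 1000M); tune the two
    # together.
    phpOptions = lib.generators.toKeyValue {} {
      upload_max_filesize = "1000M";
      post_max_size = "1000M";
      memory_limit = "1000M";
    };
    settings = {
      # The listening socket is owned by the nginx user/group so the web
      # server can connect to the pool.
      "listen.owner" = config.services.nginx.user;
      "listen.group" = config.services.nginx.group;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 4;
      "pm.process_idle_timeout" = "10s";
      # Recycle workers periodically to contain leaks in long-lived PHP processes.
      "pm.max_requests" = 1000;
    };
  };

  services.nginx.virtualHosts."kinealbrigtsen.no" = {
    serverAliases = [ "www.kinealbrigtsen.no" ];
    root = "/var/www/www-kinealbrigtsen-no";
    locations = {
      # Pretty permalinks: anything that is not a real file or directory is
      # routed to the front controller.
      "/".extraConfig = ''
        try_files $uri $uri/ /index.php?$args;
      '';
      "~ \\.php$".extraConfig = ''
        # Hand only files that actually exist to PHP-FPM; any other *.php path
        # gets a 404 from nginx instead of being resolved by PHP's own path
        # handling.
        try_files $uri =404;
        include ${config.services.nginx.package}/conf/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:${config.services.phpfpm.pools.www-kinealbrigtsen-no.socket};
      '';
      # Never serve Apache-style dotfiles (.htaccess, .htpasswd).
      "~ /\\.ht".extraConfig = ''
        deny all;
      '';
      # Keep the logs free of noise from browser/crawler probes.
      "/favicon.ico".extraConfig = ''
        log_not_found off;
        access_log off;
      '';
      "/robots.txt".extraConfig = ''
        allow all;
        log_not_found off;
        access_log off;
      '';
      # Static assets are immutable enough to cache indefinitely.
      "~* \\.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
        expires max;
        log_not_found off;
      '';
    };
    extraConfig = ''
      index index.php index.html;
      # nginx's default request-body limit is far below the PHP upload limits
      # configured for the pool; without this, large uploads are rejected
      # with 413 before PHP ever sees them.
      client_max_body_size 1000M;
      # Honour X-Forwarded-For only when the request comes from the proxy
      # network, so ordinary clients cannot spoof their source address.
      set_real_ip_from 192.168.11.0/24;
      real_ip_header X-Forwarded-For;
      # Browser hardening headers. This CSP restricts only scripts, plugins
      # and <base>; other resource types are left unrestricted.
      add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
      add_header 'Referrer-Policy' 'origin-when-cross-origin';
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;
    '';
  };

  # TODO:
  # - Configure a mailer so wp_mail() works
  # - Enable periodic backups
}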