Daniel Xu f1c4d339a5 nixos/wordpress: Use https by default for caddy
Previously, `http://` scheme was hard coded into the caddy config if
`webserver = "caddy"` was chosen. This is fine for local testing, but is
problematic if you want your nixos host to be public facing.

In the public facing case, you generally want to be using TLS. But since
the wordpress module generates the caddyfile rule, the user's nixos
config cannot easily change it to also allow https.

An alternative would be to reverse proxy an https rule to the generated
http rule, but that's somewhat questionable as there's not an internal
http endpoint to proxy to. It might be possible but I couldn't figure
it out.

So simplify by omitting the scheme. This causes caddy to use https by
default and 301 redirect any http requests to the https endpoint. Caddy
will just do the right thing if it's being hosted on a local/internal
hostname (self sign certificates).

This should be backward compatible with the previous default for clients that follow the redirect to https; on local/internal hostnames the self-signed certificate must additionally be accepted (or Caddy's local root CA trusted).

Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
2025-03-29 15:10:35 -06:00


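{ lib, config, ... }:
rec {
  name = "wordpress";
  meta = with lib.maintainers; {
    maintainers = [
      flokli
      grahamc # under duress!
      mmilata
    ];
  };

  # One node per (WordPress version, web server) pair. Every node hosts the same
  # two sites, which differ only in their database table prefix so that both can
  # live in one database. The site names resolve to loopback, so the firewall
  # rules are not exercised by the test itself; they document which ports a
  # deployment with that web server has to expose.
  nodes =
    lib.foldl
      (
        acc: version:
        let
          package = config.node.pkgs."wordpress_${version}";
          sites = {
            "site1.local" = {
              database.tablePrefix = "site1_";
              inherit package;
            };
            "site2.local" = {
              database.tablePrefix = "site2_";
              inherit package;
            };
          };
          hosts = {
            "127.0.0.1" = builtins.attrNames sites;
          };
        in
        acc
        // {
          "wp${version}_httpd" = _: {
            services.httpd.adminAddr = "webmaster@site.local";
            services.httpd.logPerVirtualHost = true;
            services.wordpress.webserver = "httpd";
            services.wordpress.sites = sites;
            networking.firewall.allowedTCPPorts = [ 80 ];
            networking.hosts = hosts;
          };
          "wp${version}_nginx" = _: {
            services.wordpress.webserver = "nginx";
            services.wordpress.sites = sites;
            networking.firewall.allowedTCPPorts = [ 80 ];
            networking.hosts = hosts;
          };
          "wp${version}_caddy" = _: {
            services.wordpress.webserver = "caddy";
            services.wordpress.sites = sites;
            # Caddy serves the sites over HTTPS and redirects plain HTTP there,
            # so a public-facing host needs both ports open.
            networking.firewall.allowedTCPPorts = [
              80
              443
            ];
            networking.hosts = hosts;
          };
        }
      )
      { }
      [
        "6_7"
      ];

  testScript =
    let
      webserverOf = node: (node null).services.wordpress.webserver;
      # Nodes whose web server is expected to serve the sites over TLS and to
      # redirect plain-HTTP requests there (Caddy's automatic HTTPS). The plain
      # `curl -k -L` check below would also pass against an http-only server,
      # so these nodes get an explicit redirect check.
      tlsNodes = builtins.attrNames (lib.filterAttrs (_: node: webserverOf node == "caddy") nodes);
      # Render a list of node names as a Python list of the driver's machine objects.
      pyNames = names: "[" + lib.concatStringsSep ", " names + "]";
    in
    ''
      import re

      start_all()

      ${lib.concatStrings (
        lib.mapAttrsToList (nodeName: node: ''
          ${nodeName}.wait_for_unit("${webserverOf node}")
        '') nodes
      )}

      site_names = ["site1.local", "site2.local"]
      tls_machines = ${pyNames tlsNodes}

      for machine in ${pyNames (builtins.attrNames nodes)}:
          for site_name in site_names:
              machine.wait_for_unit(f"phpfpm-wordpress-{site_name}")

              if machine in tls_machines:
                  with subtest("plain http is redirected to https"):
                      # Fetch only the headers and do not follow the redirect, so a
                      # server that silently served plain http would fail here.
                      headers = machine.succeed(f"curl -sS -I http://{site_name}/")
                      assert re.search(r"^HTTP/[0-9.]+ 30[18]\b", headers, re.MULTILINE), headers
                      assert re.search(
                          rf"^location: https://{re.escape(site_name)}", headers, re.MULTILINE | re.IGNORECASE
                      ), headers

              with subtest("website returns welcome screen"):
                  # -L follows the redirect to https on TLS nodes; -k is needed there
                  # because the certificate for a .local name is self-signed.
                  assert "Welcome to the famous" in machine.succeed(f"curl -k -L {site_name}")

              with subtest("wordpress-init went through"):
                  info = machine.get_unit_info(f"wordpress-init-{site_name}")
                  assert info["Result"] == "success"

              with subtest("secret keys are set"):
                  # Sanity-check the generated keys file: the NONCE_SALT define must
                  # carry a value of at least 64 characters.
                  pattern = re.compile(r"^define.*NONCE_SALT.{64,};$", re.MULTILINE)
                  assert pattern.search(
                      machine.succeed(f"cat /var/lib/wordpress/{site_name}/secret-keys.php")
                  )
    '';
}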