nix/os,CFB4ED74: add webserver container

nix/os/containers/webserver.nix

@@ -0,0 +1,132 @@
+{ ... } @ args:
+
+let
+
+in args // {
+  config = { pkgs, ... }: {
+    networking.firewall.enable = false;
+
+    systemd.services.mysql-deprecated = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        RootDirectory="/var/lib/machines/webserver";
+        MountAPIVFS="yes";
+        BindReadOnlyPaths="/nix";
+      };
+      script = ''
+        export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
+        mkdir /var/run/mysqld -p
+        chown mysql /var/run/mysqld/
+        /usr/sbin/mysqld
+      '';
+    };
+
+    systemd.services.nginx-deprecated = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      description = "webserver-deprecated service";
+      serviceConfig = {
+        RootDirectory="/var/lib/machines/webserver";
+        MountAPIVFS="yes";
+        BindReadOnlyPaths="/nix";
+      };
+      script = ''
+        export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
+        /usr/sbin/nginx -g "daemon off;"
+      '';
+    };
+
+    systemd.services.php-fpm-deprecated = {
+      enable = true;
+      wantedBy = [ "multi-user.target" ];
+      description = "webserver-deprecated service";
+      serviceConfig = {
+        RootDirectory="/var/lib/machines/webserver";
+        MountAPIVFS="yes";
+        BindReadOnlyPaths="/nix";
+      };
+      script = ''
+        export PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin
+        /usr/lib/php5.5/bin/php-fpm -y /etc/php/fpm-php5.5/php-fpm.conf --pid /run/php-fpm.pid -F
+      '';
+    };
+
+    ## FIXME: make the following work instead of using the old Gentoo rootfs binaries
+    #
+    # services.nginx.enable = true;
+    # services.nginx.virtualHosts."stefanjunker.de" = {
+    #   default = true;
+    #   onlySSL = true;
+    #   root = "/var/www/stefanjunker.de/htdocs";
+
+    #   sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
+    #   sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";
+
+    #   locations."/fi" = {
+    #     index = "index.php";
+    #   };
+
+    #   locations."~ ^(.+\.php)(.*)$".extraConfig = ''
+    #     fastcgi_split_path_info  ^(.+\.php)(.*)$;
+
+    #     fastcgi_pass 127.0.0.1:9000;
+    #     fastcgi_index index.php;
+    #   '';
+    # };
+
+    # services.phpfpm.poolConfigs.mypool = ''
+    #   listen = 127.0.0.1:9000
+    #   user = nobody
+    #   pm = dynamic
+    #   pm.max_children = 5
+    #   pm.start_servers = 2 
+    #   pm.min_spare_servers = 1 
+    #   pm.max_spare_servers = 3
+    #   pm.max_requests = 500
+
+    #   php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
+    # '';
+
+    # services.mysql = {
+    #   enable = true;
+    #   package = pkgs.mysql;
+    # };
+  };
+
+  autoStart = true;
+
+  bindMounts = {
+    "/var/lib/machines/webserver/" = {
+      hostPath = "/var/lib/container-volumes/webserver/var-lib-machines-webserver";
+      isReadOnly = false;
+    };
+
+    ## FIXME: make the following work instead of using the old Gentoo rootfs
+    #
+    # "/etc/secrets/" = { 
+    #   hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
+    #   isReadOnly = false;
+    # };
+
+    # "/var/www" = { 
+    #   hostPath = "/var/lib/container-volumes/webserver/var-www";
+    #   isReadOnly = false;
+    # };
+
+    # "/var/lib/mysql" = { 
+    #   hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
+    #   isReadOnly = false;
+    # };
+  };
+
+  privateNetwork = true;
+  forwardPorts = [
+    {
+      # https/custom
+      containerPort = 443;
+      hostPort = 443;
+      protocol = "tcp";
+    }
+  ];
+}

nix/os/devices/CFB4ED74/system.nix

@@ -69,5 +69,10 @@ in {
       hostAddress = "192.168.100.10";
       localAddress = "192.168.100.11";
     };
+
+    webserver = import ../../containers/webserver.nix {
+      hostAddress = "192.168.100.12";
+      localAddress = "192.168.100.13";
+    };
   };
 }