infra/nix/os/containers/webserver.nix

{ ... } @ args:

let

in args // {
  config = { config, pkgs, ... }: {
    imports = [
      ../profiles/containers/configuration.nix
    ];

    networking.firewall.enable = false;

    services.ddclientovh = {
        enable = true;
        domain = "www.stefanjunker.de";
    };

    services.nginx.enable = true;
    services.nginx.virtualHosts."stefanjunker.de" = {
      default = true;
      onlySSL = true;
      root = "/var/www/stefanjunker.de/htdocs";

      sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
      sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";

      locations."/fi" = {
        index = "index.php";
      };

      locations."~ ^(.+\.php)(.*)$".extraConfig = ''
        fastcgi_split_path_info  ^(.+\.php)(.*)$;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
      '';
    };

    services.phpfpm.phpPackage = pkgs.php56;

    services.phpfpm.poolConfigs.mypool = ''
      listen = 127.0.0.1:9000
      user = nobody
      pm = dynamic
      pm.max_children = 5
      pm.start_servers = 2
      pm.min_spare_servers = 1
      pm.max_spare_servers = 3
      pm.max_requests = 500

      php_admin_value[error_reporting] = E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED
    '';

    services.mysql = {
      enable = true;
      package = pkgs.mariadb;
    };
  };

  autoStart = true;

  bindMounts = {
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
      isReadOnly = true;
    };

    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
      isReadOnly = false;
    };

    "/var/lib/mysql" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
      isReadOnly = false;
    };
  };

  privateNetwork = true;
  forwardPorts = [
    {
      # https
      containerPort = 443;
      hostPort = 443;
      protocol = "tcp";
    }
  ];
}