From fdca8770960fc5f67ce3a2d609838a806fe70ba5 Mon Sep 17 00:00:00 2001
From: naturallaw77
Date: Fri, 27 Mar 2026 14:58:45 -0500
Subject: [PATCH] set services to default retooling

---
 custom.nix | 16 +-
 modules/bitcoinecosystem.nix | 135 ++++++--------
 modules/core/role-logic.nix | 26 +--
 modules/core/roles.nix | 39 +++-
 modules/modules.nix | 34 +---
 modules/nextcloud.nix | 348 ++++++++++++++++-------------------
 modules/personalization.nix | 24 ---
 modules/synapse.nix | 208 ++++++++-------------
 modules/vaultwarden.nix | 32 +---
 modules/wordpress.nix | 303 ++++++++++++++----------------
 10 files changed, 485 insertions(+), 680 deletions(-)
 delete mode 100755 modules/personalization.nix

diff --git a/custom.nix b/custom.nix
index ca605ed..ce46153 100644
--- a/custom.nix
+++ b/custom.nix
@@ -1,8 +1,10 @@
-{ config, pkgs, lib, ... }: {
- # Only enable what this machine needs
- sovran_systemsOS.services.wordpress.enable = true;
- sovran_systemsOS.services.nextcloud.enable = true;
- sovran_systemsOS.services.synapse.enable = true;
- # btcpayserver is NOT enabled — no domain file needed, no vhost created
-}
\ No newline at end of file
+ # ── Disable services you don't want ─────────────
+ sovran_systemsOS.services.wordpress = false;
+ sovran_systemsOS.services.nextcloud = false;
+
+ # ── Enable features you do want ─────────────────
+ sovran_systemsOS.features.haven = true;
+ sovran_systemsOS.features.element-calling = true;
+ sovran_systemsOS.nostr_npub = "npub1abc123...";
+}
diff --git a/modules/bitcoinecosystem.nix b/modules/bitcoinecosystem.nix
index a468d85..e7d1912 100755
--- a/modules/bitcoinecosystem.nix
+++ b/modules/bitcoinecosystem.nix
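Review bot: `sovran_systemsOS.nostr_npub = "npub1abc123...";` is a placeholder committed in the same hunk that turns on `features.haven = true`, so whatever haven.nix presumably derives from that key is built from a value that cannot be a real npub; if this file is meant as a template, mark the line with `# TODO: replace with the real npub before enabling haven`, otherwise leave haven off until a real key is available. Note also that roles.nix in this patch now defaults every `services.*` option to true, so this file implicitly keeps synapse, vaultwarden and the full bitcoin stack (including btcpayserver) enabled; the removed comment saying btcpayserver is not enabled no longer holds, and a one-line comment listing what stays on by default would save the next reader a trip through roles.nix.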
@@ -1,95 +1,72 @@ { config, pkgs, lib, ... }: -lib.mkIf config.sovran_systemsOS.features.bitcoin { - - ## Bitcoind - - services.bitcoind = { - enable = true; +lib.mkIf config.sovran_systemsOS.services.bitcoin { + + services.bitcoind = { + enable = true; package = config.nix-bitcoin.pkgs.bitcoind-knots; - dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node"; - txindex = true; - tor.proxy = true; + dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node"; + txindex = true; + tor.proxy = true; tor.enforce = true; - disablewallet = true; - extraConfig = '' - peerbloomfilters=1 - server=1 - ''; - }; + disablewallet = true; + extraConfig = '' + peerbloomfilters=1 + server=1 + ''; + }; - nix-bitcoin.onionServices.bitcoind.enable = true; - nix-bitcoin.onionServices.electrs.enable = true; - nix-bitcoin.onionServices.rtl.enable = true; + nix-bitcoin.onionServices.bitcoind.enable = true; + nix-bitcoin.onionServices.electrs.enable = true; + nix-bitcoin.onionServices.rtl.enable = true; + services.electrs = { + enable = true; + tor.enforce = true; + dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data"; + }; - ## Electrs - - services.electrs = { - enable = true; - tor.enforce = true; - dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data"; - }; + services.lnd = { + enable = true; + tor.enforce = true; + tor.proxy = true; + extraConfig = '' + protocol.option-scid-alias=true + ''; + }; + nix-bitcoin.onionServices.lnd.public = true; - ## LND - - services.lnd = { - enable = true; - tor.enforce = true; - tor.proxy = true; - extraConfig = '' - protocol.option-scid-alias=true - ''; - }; + services.lnd.lndconnect = { + enable = true; + onion = true; + }; - nix-bitcoin.onionServices.lnd.public = true; + services.rtl = { + enable = true; + tor.enforce = true; + port = 3050; + nightTheme = true; + nodes = { + lnd = { + enable = true; + }; + }; + }; + services.btcpayserver = { + enable = true; + }; - ## LNDconnect + 
services.btcpayserver.lightningBackend = "lnd"; - services.lnd.lndconnect = { - enable = true; - onion = true; - }; + nix-bitcoin.generateSecrets = true; + nix-bitcoin.nodeinfo.enable = true; - - ## RTL - - services.rtl = { - enable = true; - tor.enforce = true; - port = 3050; - nightTheme = true; - nodes = { - lnd = { - enable = true; - }; - - }; - }; + nix-bitcoin.operator = { + enable = true; + name = "free"; + }; - - ## BTCpayserver - - services.btcpayserver = { - enable = true; - }; - - services.btcpayserver.lightningBackend = "lnd"; - - - ## System - - nix-bitcoin.generateSecrets = true; - - nix-bitcoin.nodeinfo.enable = true; - - nix-bitcoin.operator = { - enable = true; - name = "free"; - }; - - nix-bitcoin.useVersionLockedPkgs = false; - + nix-bitcoin.useVersionLockedPkgs = false; } diff --git a/modules/core/role-logic.nix b/modules/core/role-logic.nix index e52331b..d560210 100755 --- a/modules/core/role-logic.nix +++ b/modules/core/role-logic.nix @@ -3,20 +3,11 @@ { config = lib.mkMerge [ - # Server-Desktop Role most services enabled + # Server-Desktop Role — services already default to on, + # so we only need to set features here (lib.mkIf config.sovran_systemsOS.roles.server-desktop { - sovran_systemsOS.features = { - synapse = true; - bitcoin = true; - coturn = true; - vaultwarden = true; - haven = false; - mempool = false; - bip110 = false; - element-calling = false; - bitcoin-core = false; - rdp = false; - }; + # All services are default=true, nothing to set + # All features are default=false, nothing to set }) # Desktop role @@ -25,11 +16,14 @@ services.desktopManager.gnome.enable = true; }) - # Bitcoin node role + # Bitcoin node role — only bitcoin, disable other services (lib.mkIf config.sovran_systemsOS.roles.node { - sovran_systemsOS.features = { + sovran_systemsOS.services = { bitcoin = true; - bip110 = false; + synapse = false; + vaultwarden = false; + wordpress = false; + nextcloud = false; }; }) 
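Review bot: In the node role hunk, `sovran_systemsOS.services = { bitcoin = true; synapse = false; vaultwarden = false; wordpress = false; nextcloud = false; };` are plain bool definitions at normal priority, so a custom.nix that sets any of them to the opposite value on a node host (for example `services.synapse = true`) fails evaluation with conflicting definition values instead of overriding the role. Wrap each role value in `lib.mkDefault`, e.g. `synapse = lib.mkDefault false;` and `bitcoin = lib.mkDefault true;`, so the role supplies a default that custom.nix can override — that is what the new roles.nix header comment ("user can disable in custom.nix") promises. The first hunk of this file is comment-only and needs no change.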
diff --git a/modules/core/roles.nix b/modules/core/roles.nix index 01ae202..9a5ba31 100755 --- a/modules/core/roles.nix +++ b/modules/core/roles.nix @@ -11,11 +11,37 @@ node = lib.mkEnableOption "Bitcoin Node Only Role"; }; + # ── Services (default ON — user can disable in custom.nix) ── + services = { + synapse = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Matrix Synapse homeserver"; + }; + bitcoin = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Bitcoin Ecosystem (bitcoind, electrs, lnd, rtl, btcpay)"; + }; + vaultwarden = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Vaultwarden password manager"; + }; + wordpress = lib.mkOption { + type = lib.types.bool; + default = true; + description = "WordPress (raw PHP served by Caddy)"; + }; + nextcloud = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Nextcloud (raw PHP served by Caddy)"; + }; + }; + + # ── Features (default OFF — user can enable in custom.nix) ── features = { - coturn = lib.mkEnableOption "TURN server"; - synapse = lib.mkEnableOption "Matrix Synapse"; - bitcoin = lib.mkEnableOption "Bitcoin Ecosystem"; - vaultwarden = lib.mkEnableOption "Vaultwarden"; haven = lib.mkEnableOption "Haven NOSTR relay"; bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money"; mempool = lib.mkEnableOption "Bitcoin Mempool Explorer"; @@ -29,5 +55,10 @@ default = ""; description = "Nostr public key (npub1...) for Haven relay"; }; + + packages.bip110 = lib.mkOption { + type = lib.types.package; + description = "BIP-110 bitcoind-knots package"; + }; }; } diff --git a/modules/modules.nix b/modules/modules.nix index 8450ef3..2ce083f 100644 --- a/modules/modules.nix +++ b/modules/modules.nix 
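Review bot: Defaulting all five `services.*` options to `true` means a host with no role set and no custom.nix override brings up Synapse, Vaultwarden, WordPress, Nextcloud and the whole bitcoin stack at once — including the PostgreSQL and MariaDB instances those modules declare and, from the bitcoinecosystem.nix hunk in this same patch, `nix-bitcoin.onionServices.lnd.public = true` with data dirs hard-coded under `/run/media/Second_Drive`. The former `mkEnableOption` defaults were opt-in; these are opt-out, and the `description` strings do not say so. If the intent is that the server-desktop role implies everything, tie the default to the role instead, e.g. `default = config.sovran_systemsOS.roles.server-desktop;` (assuming `config` is in scope in this module), or keep `default = true` and state in each description that the service runs unless explicitly disabled. Separately, `packages.bip110` declares a `lib.types.package` with no default, so any unconditional reference to it is an evaluation error when the user leaves it unset — either give it a default or confirm bip110.nix only reads it under `features.bip110`.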
@@ -1,46 +1,30 @@ { config, pkgs, lib, ... }: { -<<<<<<< HEAD imports = [ + # ── Core (always loaded) ────────────────────────────────── ./core/roles.nix ./core/role-logic.nix ./core/caddy.nix ./core/sovran-manage.nix - ./php.nix - ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix - ./synapse.nix - ./coturn.nix - ./wordpress.nix - ./nextcloud.nix - ./btcpayserver.nix -======= - - imports = [ - - ./core/roles.nix - ./core/role-logic.nix + + # ── Always on (no flag) ─────────────────────────────────── ./php.nix ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix - # Always imported feature modules + # ── Services (default ON — disable in custom.nix) ───────── ./synapse.nix - ./coturn.nix - ./bitcoinecosystem.nix ->>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 + ./wordpress.nix + ./nextcloud.nix ./vaultwarden.nix + ./bitcoinecosystem.nix + + # ── Features (default OFF — enable in custom.nix) ───────── ./haven.nix ./bip110.nix ./element-calling.nix ./mempool.nix ./bitcoin-core.nix ./rdp.nix -<<<<<<< HEAD - ./bitcoinecosystem.nix ]; -======= - - ]; - ->>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 } diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 3c7e933..3c24cf6 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix 
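Review bot: The conflict resolution drops `./coturn.nix` (listed on both sides of the conflict) and `./btcpayserver.nix` from `imports`, and roles.nix in this patch removes the `features.coturn` option alongside it, but nothing in the diff records where TURN support went. If synapse.nix or element-calling.nix still reads `config.sovran_systemsOS.features.coturn`, or the `/var/lib/secrets/turn` value that the deleted personalization.nix used to expose, evaluation fails on the missing option — only the synapse hunks of this patch are visible to me, so please confirm. Either restore the import or leave a comment in the `# ── Features` group such as `# coturn.nix intentionally not imported: TURN is configured in <module, fill in>` so the next reader does not re-add it by mistake.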
@@ -1,224 +1,186 @@ { config, pkgs, lib, ... }: -let - cfg = config.sovran_systemsOS.services.nextcloud; -in -{ - options.sovran_systemsOS.services.nextcloud = { - enable = lib.mkEnableOption "Nextcloud (raw PHP served by Caddy)"; +lib.mkIf config.sovran_systemsOS.services.nextcloud { + + # ── PostgreSQL database ─────────────────────────────────── + services.postgresql = { + enable = true; }; - config = lib.mkIf cfg.enable { + # ── Auto-generate DB password and initialize ────────────── + systemd.services.nextcloud-db-init = { + description = "Initialize Nextcloud PostgreSQL database with auto-generated password"; + after = [ "postgresql.service" ]; + requires = [ "postgresql.service" ]; + before = [ "nextcloud-init.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ]; + script = '' + set -euo pipefail - # ── Caddy vhost is now handled centrally in caddy.nix ───── + SECRET_FILE="/var/lib/secrets/nextclouddb" - # ── PostgreSQL database ─────────────────────────────────── - services.postgresql = { - enable = true; + if [ ! -f "$SECRET_FILE" ]; then + mkdir -p /var/lib/secrets + pwgen -s 64 1 > "$SECRET_FILE" + chmod 600 "$SECRET_FILE" + fi + + DB_PASS=$(cat "$SECRET_FILE") + + psql -U postgres < "$SECRET_FILE" - chmod 600 "$SECRET_FILE" - fi - - DB_PASS=$(cat "$SECRET_FILE") - - # Create role if it doesn't exist, update password either way - psql -U postgres </dev/null; then + echo "Database ready." + break + fi + sleep 2 + done - # ── Create data directory ─────────────────────── - mkdir -p "$DATA_DIR" + echo "Running Nextcloud installation..." 
+ su -s /bin/sh caddy -c " + php $INSTALL_DIR/occ maintenance:install \ + --database 'pgsql' \ + --database-name '$DB_NAME' \ + --database-user '$DB_USER' \ + --database-pass '$DB_PASS' \ + --database-host '$DB_HOST' \ + --admin-user '$ADMIN_USER' \ + --admin-pass '$ADMIN_PASS' \ + --data-dir '$DATA_DIR' + " - # ── Set permissions ───────────────────────────── - chown -R caddy:root "$INSTALL_DIR" - chown -R caddy:root "$DATA_DIR" - find "$INSTALL_DIR" -type d -exec chmod 750 {} \; - find "$INSTALL_DIR" -type f -exec chmod 640 {} \; - chmod -R 770 "$INSTALL_DIR/apps" - chmod -R 770 "$INSTALL_DIR/config" - chmod -R 770 "$DATA_DIR" + su -s /bin/sh caddy -c " + php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN' + php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN' + php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https' + " - # ── Wait for database ─────────────────────────── - echo "Waiting for PostgreSQL..." - for i in $(seq 1 30); do - if su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then - echo "Database ready." - break - fi - sleep 2 - done + su -s /bin/sh caddy -c " + php $INSTALL_DIR/occ config:system:set default_phone_region --value='US' + php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu' + php $INSTALL_DIR/occ background:cron + " - # ── Run Nextcloud install via occ ─────────────── - echo "Running Nextcloud installation..." 
- su -s /bin/sh caddy -c " - php $INSTALL_DIR/occ maintenance:install \ - --database 'pgsql' \ - --database-name '$DB_NAME' \ - --database-user '$DB_USER' \ - --database-pass '$DB_PASS' \ - --database-host '$DB_HOST' \ - --admin-user '$ADMIN_USER' \ - --admin-pass '$ADMIN_PASS' \ - --data-dir '$DATA_DIR' - " + su -s /bin/sh caddy -c " + php $INSTALL_DIR/occ app:install calendar || true + php $INSTALL_DIR/occ app:install contacts || true + php $INSTALL_DIR/occ app:install tasks || true + php $INSTALL_DIR/occ app:install notes || true + php $INSTALL_DIR/occ app:install deck || true + php $INSTALL_DIR/occ app:enable calendar || true + php $INSTALL_DIR/occ app:enable contacts || true + php $INSTALL_DIR/occ app:enable tasks || true + php $INSTALL_DIR/occ app:enable notes || true + php $INSTALL_DIR/occ app:enable deck || true + " - # ── Configure trusted domains ─────────────────── - echo "Configuring trusted domains..." - su -s /bin/sh caddy -c " - php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN' - php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN' - php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https' - " - - # ── Set recommended settings ─��────────────────── - echo "Applying recommended settings..." - su -s /bin/sh caddy -c " - php $INSTALL_DIR/occ config:system:set default_phone_region --value='US' - php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu' - php $INSTALL_DIR/occ background:cron - " - - # ── Install default apps ──────────────────────── - echo "Installing default apps..." 
- su -s /bin/sh caddy -c " - php $INSTALL_DIR/occ app:install calendar || true - php $INSTALL_DIR/occ app:install contacts || true - php $INSTALL_DIR/occ app:install tasks || true - php $INSTALL_DIR/occ app:install notes || true - php $INSTALL_DIR/occ app:install deck || true - php $INSTALL_DIR/occ app:enable calendar || true - php $INSTALL_DIR/occ app:enable contacts || true - php $INSTALL_DIR/occ app:enable tasks || true - php $INSTALL_DIR/occ app:enable notes || true - php $INSTALL_DIR/occ app:enable deck || true - " - - # ── Save admin credentials ────────────────────── - CREDS_FILE="/var/lib/secrets/nextcloud-admin" - cat > "$CREDS_FILE" << CREDS + CREDS_FILE="/var/lib/secrets/nextcloud-admin" + cat > "$CREDS_FILE" << CREDS Nextcloud Admin Credentials ═══════════════════════════ URL: https://$DOMAIN/ Username: $ADMIN_USER Password: $ADMIN_PASS CREDS - chmod 600 "$CREDS_FILE" + chmod 600 "$CREDS_FILE" - echo "" - echo "══════════════════════════════════════════════" - echo " Nextcloud installation complete!" - echo "" - echo " URL: https://$DOMAIN/" - echo " Username: $ADMIN_USER" - echo " Password: $ADMIN_PASS" - echo "" - echo " Installed apps: Calendar, Contacts, Tasks," - echo " Notes, Deck" - echo "" - echo " Credentials saved to: $CREDS_FILE" - echo "══════════════════════════════════════════════" - ''; - }; - - # ── Cron ────────────────────────────────────────────────── - services.cron.systemCronJobs = [ - "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php" - ]; - - # ── Ensure directories ──────────────────────────────────── - systemd.tmpfiles.rules = [ - "d /var/lib/www 0755 caddy root -" - "d /var/lib/www/nextcloud 0750 caddy root -" - "d /var/lib/www/nextcloud-data 0770 caddy root -" - ]; - - environment.systemPackages = with pkgs; [ - unzip - ]; + echo "" + echo "══════════════════════════════════════════════" + echo " Nextcloud installation complete!" 
+ echo " Credentials saved to: $CREDS_FILE" + echo "══════════════════════════════════════════════" + ''; }; + + services.cron.systemCronJobs = [ + "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php" + ]; + + systemd.tmpfiles.rules = [ + "d /var/lib/www 0755 caddy root -" + "d /var/lib/www/nextcloud 0750 caddy root -" + "d /var/lib/www/nextcloud-data 0770 caddy root -" + ]; + + environment.systemPackages = with pkgs; [ unzip ]; } diff --git a/modules/personalization.nix b/modules/personalization.nix deleted file mode 100755 index f828a53..0000000 --- a/modules/personalization.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ - -matrix_url = builtins.readFile /var/lib/domains/matrix; -wordpress_url = builtins.readFile /var/lib/domains/wordpress; -nextcloud_url = builtins.readFile /var/lib/domains/nextcloud; -btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver; -caddy_email_for_acme = builtins.readFile /var/lib/domains/sslemail; -vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden; -haven_url = builtins.readFile /var/lib/domains/haven; -element-calling_url = builtins.readFile /var/lib/domains/element-calling; - -## - -external_ip_secret = builtins.readFile /var/lib/secrets/external_ip; -coturn_static_auth_secret = builtins.readFile /var/lib/secrets/turn; - -## - -matrixdb = builtins.readFile /var/lib/secrets/matrixdb; -nextclouddb = builtins.readFile /var/lib/secrets/nextclouddb; -wordpressdb = builtins.readFile /var/lib/secrets/wordpressdb; - - -} diff --git a/modules/synapse.nix b/modules/synapse.nix index d978b61..d172924 100644 --- a/modules/synapse.nix +++ b/modules/synapse.nix @@ -1,7 +1,7 @@ { config, pkgs, lib, ... }: -<<<<<<< HEAD -{ +lib.mkIf config.sovran_systemsOS.services.synapse { + # ── PostgreSQL database for Matrix ────────────────────────── services.postgresql = { enable = true; 
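Review bot: In nextcloud-db-init, `pwgen -s 64 1 > "$SECRET_FILE"` creates the DB secret under the unit's default umask and only afterwards runs `chmod 600 "$SECRET_FILE"`, and nextcloud-init does the same with `cat > "$CREDS_FILE" << CREDS` followed by `chmod 600 "$CREDS_FILE"`, so both files are briefly readable to other local users (and `mkdir -p /var/lib/secrets` inherits the same umask); placing `umask 077` directly after the new `set -euo pipefail` in the db-init script (and at the top of the init script) closes that window. The readiness loop `for i in $(seq 1 30); do … sleep 2; done` falls through to `occ maintenance:install` when PostgreSQL never answers, so with `set -e` the timeout presumably shows up as an install failure rather than a clear message; set a flag on success and follow the loop with `[ "$ready" = 1 ] || { echo "PostgreSQL not reachable" >&2; exit 1; }`. The same mode race and the same fall-through recur in the wordpress.nix hunk of this patch (`pwgen … > "$SECRET_FILE"`, the `wp db check` loop, and `cat > "$CREDS_FILE"`). The heredoc bodies in this hunk are not legible in the copy I am reviewing, so the SQL and the occ arguments beyond what is visible are unchecked.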
@@ -27,6 +27,8 @@ }; path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ]; script = '' + set -euo pipefail + SECRET_DIR="/var/lib/secrets" SECRET_FILE="$SECRET_DIR/matrix_db_secret" @@ -48,7 +50,7 @@ ''; }; - # ── Generate Synapse runtime config from /var/lib/domains ─── + # ── Generate Synapse runtime config from domain files ─────── systemd.services.matrix-synapse-runtime-config = { description = "Generate Matrix Synapse runtime config from domain files"; before = [ "matrix-synapse.service" ]; @@ -61,13 +63,27 @@ }; path = [ pkgs.coreutils ]; script = '' + set -euo pipefail + MATRIX=$(cat /var/lib/domains/matrix) RUNTIME_DIR="/run/matrix-synapse" mkdir -p "$RUNTIME_DIR" - cat > "$RUNTIME_DIR/runtime-config.yaml" < "$RUNTIME_DIR/runtime-config.yaml" < "$RUNTIME_DIR/runtime-config.yaml" <>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 + }; } diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix index 00b0e54..8c4775e 100755 --- a/modules/vaultwarden.nix +++ b/modules/vaultwarden.nix @@ -1,11 +1,7 @@ { config, pkgs, lib, ... }: -<<<<<<< HEAD -lib.mkIf config.sovran_systemsOS.features.vaultwarden { +lib.mkIf config.sovran_systemsOS.services.vaultwarden { - # ── Caddy vhost is now handled centrally in caddy.nix ───── - - # ── Generate Vaultwarden runtime config from domain files ── systemd.services.vaultwarden-runtime-config = { description = "Generate Vaultwarden runtime config from domain files"; before = [ "vaultwarden.service" ]; @@ -22,8 +18,8 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden { mkdir -p /run/vaultwarden cat > /run/vaultwarden/runtime.env <>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8 } diff --git a/modules/wordpress.nix b/modules/wordpress.nix index 5e614dc..ad454b3 100644 --- a/modules/wordpress.nix +++ b/modules/wordpress.nix 
@@ -1,167 +1,146 @@ { config, pkgs, lib, ... }: -let - cfg = config.sovran_systemsOS.services.wordpress; -in -{ - options.sovran_systemsOS.services.wordpress = { - enable = lib.mkEnableOption "WordPress (raw PHP served by Caddy)"; +lib.mkIf config.sovran_systemsOS.services.wordpress { + + # ── MariaDB database ────────────────────────────────────── + services.mysql = { + enable = true; + package = pkgs.mariadb; }; - config = lib.mkIf cfg.enable { + # ── Auto-generate DB password and initialize ────────���───── + systemd.services.wordpress-db-init = { + description = "Initialize WordPress MariaDB database with auto-generated password"; + after = [ "mysql.service" ]; + requires = [ "mysql.service" ]; + before = [ "wordpress-init.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + path = [ config.services.mysql.package pkgs.pwgen pkgs.coreutils ]; + script = '' + set -euo pipefail - # ── Caddy vhost is now handled centrally in caddy.nix ───── + SECRET_FILE="/var/lib/secrets/wordpressdb" - # ── MariaDB database ────────────────────────────────────── - services.mysql = { - enable = true; - package = pkgs.mariadb; + if [ ! -f "$SECRET_FILE" ]; then + mkdir -p /var/lib/secrets + pwgen -s 64 1 > "$SECRET_FILE" + chmod 600 "$SECRET_FILE" + fi + + DB_PASS=$(cat "$SECRET_FILE") + + mysql -u root < "$SECRET_FILE" - chmod 600 "$SECRET_FILE" - fi - - DB_PASS=$(cat "$SECRET_FILE") - - mysql -u root </dev/null; then + break + fi + sleep 2 + done - # ── Set permissions ───────────────────────────── - chown -R caddy:root "$INSTALL_DIR" - find "$INSTALL_DIR" -type d -exec chmod 755 {} \; - find "$INSTALL_DIR" -type f -exec chmod 644 {} \; - chmod -R 775 "$INSTALL_DIR/wp-content" + echo "Running WordPress core install..." 
+ su -s /bin/sh caddy -c " + wp core install \ + --url='https://$DOMAIN' \ + --title='Sovran_SystemsOS' \ + --admin_user='$ADMIN_USER' \ + --admin_password='$ADMIN_PASS' \ + --admin_email='$ADMIN_EMAIL' \ + --skip-email + " - # ── Generate wp-config.php ────────────────────── - echo "Generating wp-config.php..." - cd "$INSTALL_DIR" - su -s /bin/sh caddy -c " - wp config create \ - --dbname='$DB_NAME' \ - --dbuser='$DB_USER' \ - --dbpass='$DB_PASS' \ - --dbhost='$DB_HOST' \ - --skip-check - " + su -s /bin/sh caddy -c " + wp option update blogdescription 'Powered by Sovran_SystemsOS' + wp option update permalink_structure '/%postname%/' + wp option update default_ping_status 'closed' + wp option update default_comment_status 'closed' + wp rewrite flush + " - # ── Wait for database to be ready ─────────────── - echo "Waiting for database..." - for i in $(seq 1 30); do - if su -s /bin/sh caddy -c "wp db check" 2>/dev/null; then - break - fi - sleep 2 - done + su -s /bin/sh caddy -c " + wp config set DISALLOW_FILE_EDIT true --raw + wp config set WP_AUTO_UPDATE_CORE true --raw + wp config set FORCE_SSL_ADMIN true --raw + " - # ── Run WordPress install ─────────────────────── - echo "Running WordPress core install..." - su -s /bin/sh caddy -c " - wp core install \ - --url='https://$DOMAIN' \ - --title='Sovran_SystemsOS' \ - --admin_user='$ADMIN_USER' \ - --admin_password='$ADMIN_PASS' \ - --admin_email='$ADMIN_EMAIL' \ - --skip-email - " - - # ── Configure WordPress settings ──────────────── - echo "Configuring WordPress..." - su -s /bin/sh caddy -c " - wp option update blogdescription 'Powered by Sovran_SystemsOS' - wp option update permalink_structure '/%postname%/' - wp option update default_ping_status 'closed' - wp option update default_comment_status 'closed' - wp rewrite flush - " - - # ── Security hardening ────────────────────────── - echo "Applying security settings..." 
- su -s /bin/sh caddy -c " - wp config set DISALLOW_FILE_EDIT true --raw - wp config set WP_AUTO_UPDATE_CORE true --raw - wp config set FORCE_SSL_ADMIN true --raw - " - - # ── Save admin credentials ────────────────────── - CREDS_FILE="/var/lib/secrets/wordpress-admin" - cat > "$CREDS_FILE" << CREDS + CREDS_FILE="/var/lib/secrets/wordpress-admin" + cat > "$CREDS_FILE" << CREDS WordPress Admin Credentials ═══════════════════════════ URL: https://$DOMAIN/wp-admin/ @@ -169,30 +148,20 @@ Username: $ADMIN_USER Password: $ADMIN_PASS Email: $ADMIN_EMAIL CREDS - chmod 600 "$CREDS_FILE" + chmod 600 "$CREDS_FILE" - echo "" - echo "══════════════════════════════════════════════" - echo " WordPress installation complete!" - echo "" - echo " URL: https://$DOMAIN/wp-admin/" - echo " Username: $ADMIN_USER" - echo " Password: $ADMIN_PASS" - echo "" - echo " Credentials saved to: $CREDS_FILE" - echo "══════════════════════════════════════════════" - ''; - }; - - # ── Ensure directories ──────────────────────────────────── - systemd.tmpfiles.rules = [ - "d /var/lib/www 0755 caddy root -" - "d /var/lib/www/wordpress 0755 caddy root -" - ]; - - environment.systemPackages = with pkgs; [ - wp-cli - unzip - ]; + echo "" + echo "══════════════════════════════════════════════" + echo " WordPress installation complete!" + echo " Credentials saved to: $CREDS_FILE" + echo "══════════════════════════════════════════════" + ''; }; + + systemd.tmpfiles.rules = [ + "d /var/lib/www 0755 caddy root -" + "d /var/lib/www/wordpress 0755 caddy root -" + ]; + + environment.systemPackages = with pkgs; [ wp-cli unzip ]; }