Wordpress improvements

nixos/doc/manual/from_md/release-notes/rl-2111.section.xml

@@ -727,6 +727,19 @@
  <literal>linuxPackages_5_10_hardened</literal>.
  </para>
  </listitem>
+ <listitem>
+ <para>
+ <literal>services.wordpress.$name.database.name</literal>
+ default value has changed from <literal>wordpress</literal> to
+ <literal>wordpress-${name}</literal> on NixOS installations
+ where <literal>system.stateVersion</literal> is
+ <literal>21.11</literal> or higher. This will break existing
+ installations if you don’t manually set
+ <literal>services.wordpress.$name.database.name</literal> back
+ to <literal>wordpress</literal> or rename the database
+ manually to the new name.
+ </para>
+ </listitem>
  </itemizedlist>
  </section>
  <section xml:id="sec-release-21.11-notable-changes">

nixos/doc/manual/release-notes/rl-2111.section.md

@@ -188,6 +188,9 @@ To be able to access the web UI this port needs to be opened in the firewall.
  a hardened kernel, please pin it explicitly with a versioned attribute such as
  `linuxPackages_5_10_hardened`.
 
+- `services.wordpress.$name.database.name` default value has changed from `wordpress` to `wordpress-${name}` on NixOS installations where `system.stateVersion` is `21.11` or higher.
+ This will break existing installations if you don't manually set `services.wordpress.$name.database.name` back to `wordpress` or rename the database manually to the new name.
+
 ## Other Notable Changes {#sec-release-21.11-notable-changes}
 
 - The setting [`services.openssh.logLevel`](options.html#opt-services.openssh.logLevel) `"VERBOSE"` `"INFO"`. This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.

nixos/modules/services/databases/mysql.nix

@@ -483,7 +483,7 @@ in
  ''
  ( echo "CREATE USER IF NOT EXISTS '${user.name}'@'localhost' IDENTIFIED WITH ${if isMariaDB then "unix_socket" else "auth_socket"};"
  ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
- echo "GRANT ${permission} ON ${database} TO '${user.name}'@'localhost';"
+ echo 'GRANT ${permission} ON ${database} TO `${user.name}`@`localhost`;'
  '') user.ensurePermissions)}
  ) | ${cfg.package}/bin/mysql -N
  '') cfg.ensureUsers}

nixos/modules/services/web-apps/wordpress.nix

@@ -26,8 +26,16 @@ let
 
  # symlink the wordpress config
  ln -s ${wpConfig hostName cfg} $out/share/wordpress/wp-config.php
+
+ ${optionalString (!cfg.mutableWpContent) ''
  # symlink uploads directory
  ln -s ${cfg.uploadsDir} $out/share/wordpress/wp-content/uploads
+ ''}
+
+ ${optionalString cfg.mutableWpContent ''
+ rm -Rf $out/share/wordpress/wp-content
+ ln -s ${stateDir hostName} $out/share/wordpress/wp-content
+ ''}
 
  # https://github.com/NixOS/nixpkgs/pull/53399
  #
@@ -36,9 +44,11 @@ let
  # requests that look like: https://example.com/wp-content//nix/store/...plugin/path/some-file.js
  # Since hard linking directories is not allowed, copying is the next best thing.
 
+ ${optionalString (!cfg.mutableWpContent) ''
  # copy additional plugin(s) and theme(s)
  ${concatMapStringsSep "\n" (theme: "cp -r ${theme} $out/share/wordpress/wp-content/themes/${theme.name}") cfg.themes}
  ${concatMapStringsSep "\n" (plugin: "cp -r ${plugin} $out/share/wordpress/wp-content/plugins/${plugin.name}") cfg.plugins}
+ ''}
  '';
  };
 
@@ -53,9 +63,15 @@ let
 
  require_once('${stateDir hostName}/secret-keys.php');
 
+ ${optionalString (!cfg.mutableWpContent) ''
  # wordpress is installed onto a read-only file system
  define('DISALLOW_FILE_EDIT', true);
  define('AUTOMATIC_UPDATER_DISABLED', true);
+ ''}
+
+ ${optionalString cfg.mutableWpContent ''
+ define('FS_METHOD','direct');
+ ''}
 
  ${cfg.extraConfig}
 
@@ -87,7 +103,8 @@ let
  package = mkOption {
  type = types.package;
  default = pkgs.wordpress;
- description = "Which WordPress package to use.";
+ example = literalExample "pkgs.wordpress-core";
+ description = "Which WordPress package to use. Use pkgs.wordpress-core for a version without the default plugins and theme.";
  };
 
  uploadsDir = mkOption {
@@ -99,12 +116,18 @@ let
  '';
  };
 
+ mutableWpContent = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Allow any modification in the wp-content directory. This usually means adding, removing and updating plugins and themes in the web interface. This is helpful for testing which themes and plugins to use. It should only be used on a test server as migrating between mutable and readonly is not easily possible.";
+ };
+
  plugins = mkOption {
  type = types.listOf types.path;
  default = [];
  description = ''
  List of path(s) to respective plugin(s) which are copied from the 'plugins' directory.
- <note><para>These plugins need to be packaged before use, see example.</para></note>
+ <note><para>These plugins need to be packaged before use, see example. Using something like https://git.helsinki.tools/helsinki-systems/wp4nix may be a better option.</para></note>
  '';
  example = ''
  # Wordpress plugin 'embed-pdf-viewer' installation example
@@ -131,7 +154,7 @@ let
  default = [];
  description = ''
  List of path(s) to respective theme(s) which are copied from the 'theme' directory.
- <note><para>These themes need to be packaged before use, see example.</para></note>
+ <note><para>These themes need to be packaged before use, see example. Using something like https://git.helsinki.tools/helsinki-systems/wp4nix may be a better option.</para></note>
  '';
  example = ''
  # Let's package the responsive theme
@@ -168,7 +191,7 @@ let
 
  name = mkOption {
  type = types.str;
- default = "wordpress";
+ default = if lib.versionAtLeast config.system.stateVersion "21.11" then "wordpress-${name}" else "wordpress";
  description = "Database name.";
  };
 
@@ -314,7 +337,7 @@ in
  ensureDatabases = mapAttrsToList (hostName: cfg: cfg.database.name) eachSite;
  ensureUsers = mapAttrsToList (hostName: cfg:
  { name = cfg.database.user;
- ensurePermissions = { "${cfg.database.name}.*" = "ALL PRIVILEGES"; };
+ ensurePermissions = { "`${cfg.database.name}`.*" = "ALL PRIVILEGES"; };
  }
  ) eachSite;
  };
@@ -375,7 +398,15 @@ in
  "d '${stateDir hostName}' 0750 ${user} ${webserver.group} - -"
  "d '${cfg.uploadsDir}' 0750 ${user} ${webserver.group} - -"
  "Z '${cfg.uploadsDir}' 0750 ${user} ${webserver.group} - -"
- ]) eachSite);
+ ]
+ ++
+ (if cfg.mutableWpContent then [
+ "d '${stateDir hostName}/themes' 0750 ${user} ${webserver.group} - -"
+ "Z '${stateDir hostName}/themes' 0750 ${user} ${webserver.group} - -"
+ "d '${stateDir hostName}/plugins' 0750 ${user} ${webserver.group} - -"
+ "Z '${stateDir hostName}/plugins' 0750 ${user} ${webserver.group} - -"
+ ] else [])
+ ) eachSite);
 
  systemd.services = mkMerge [
  (mapAttrs' (hostName: cfg: (

pkgs/servers/web-apps/wordpress/default.nix

@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
  inherit (nixosTests) wordpress;
  };
 
+ passthru.updateScript = ./update.sh;
+
  meta = with lib; {
  homepage = "https://wordpress.org";
  description = "WordPress is open source software you can use to create a beautiful website, blog, or app";

pkgs/servers/web-apps/wordpress/update.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p common-updater-scripts jq
+
+set -eu -o pipefail
+
+version=$(curl --globoff "https://api.wordpress.org/core/version-check/1.7/" | jq -r '.offers[0].version')
+update-source-version wordpress $version

pkgs/servers/web-apps/wordpress/wordpress-core.nix

@@ -0,0 +1,10 @@
+{ wordpress }:
+
+wordpress.overrideAttrs (oldAttrs: {
+ pname = "wordpress-core";
+
+ installPhase = oldAttrs.installPhase + ''
+ rm -r $out/share/wordpress/wp-content/plugins/*
+ rm -r $out/share/wordpress/wp-content/themes/*
+ '';
+})

pkgs/top-level/all-packages.nix

@@ -32379,6 +32379,8 @@ with pkgs;
 
  wordpress = callPackage ../servers/web-apps/wordpress { };
 
+ wordpress-core = callPackage ../servers/web-apps/wordpress/wordpress-core.nix { };
+
  wprecon = callPackage ../tools/security/wprecon { };
 
  wraith = callPackage ../applications/networking/irc/wraith {