nixos/wordpress: Use https by default for caddy
Previously, the `http://` scheme was hard-coded into the caddy config if `webserver = "caddy"` was chosen. This is fine for local testing, but is problematic if you want your nixos host to be public-facing. In the public-facing case, you generally want to be using TLS. But since the wordpress module generates the caddyfile rule, the user's nixos config cannot easily change it to also allow https.

An alternative would be to reverse proxy an https rule to the generated http rule, but that's somewhat questionable as there's not an internal http endpoint to proxy to. It might be possible but I couldn't figure it out.

So simplify by omitting the scheme. This causes caddy to use https by default and 301 redirect any http requests to the https endpoint. Caddy will just do the right thing if it's being hosted on a local/internal hostname (self-signed certificates).

This should be backwards compatible with the previous default if users are using reasonable browsers/tools.

Signed-off-by: Daniel Xu <dxu@dxuuu.xyz>
This commit is contained in: parent f76a822fae, commit f1c4d339a5
				| @ -445,6 +445,10 @@ | |||||||
|   For those unable to upgrade yet, there is a [v0 compatibility mode](https://www.openpolicyagent.org/docs/v1.0.1/v0-compatibility/) |   For those unable to upgrade yet, there is a [v0 compatibility mode](https://www.openpolicyagent.org/docs/v1.0.1/v0-compatibility/) | ||||||
|   available too. |   available too. | ||||||
| 
 | 
 | ||||||
|  | - Wordpress with the Caddy webserver (`services.wordpress.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only. | ||||||
|  |   Given a site example.com, http://example.com now 301 redirects to https://example.com. | ||||||
|  |   To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`. | ||||||
|  | 
 | ||||||
| - `vscode-utils.buildVscodeExtension` now requires pname as an argument | - `vscode-utils.buildVscodeExtension` now requires pname as an argument | ||||||
| 
 | 
 | ||||||
| - The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore. | - The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore. | ||||||
|  | |||||||
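Review bot: the opt-out on the `To keep the old behavior` line covers only the scheme; it should also tell users who previously extended the generated vhost under its old attribute name (`services.caddy.virtualHosts."http://example.com"`) to move that configuration to `services.caddy.virtualHosts."example.com"`, because the attribute name no longer carries the scheme and the old name would now declare a second, unrelated Caddy site. It would also help to say that for hostnames Caddy cannot get a publicly trusted certificate for (such as the `.local` names used in the test) it issues certificates from its own local CA, so clients must trust that CA or skip verification, which is why the test passes `curl -k`. Style: the project spells the name "WordPress", so "Wordpress" at the start of the bullet should match.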
| @ -545,7 +545,7 @@ in | |||||||
|     services.caddy = { |     services.caddy = { | ||||||
|       enable = true; |       enable = true; | ||||||
|       virtualHosts = mapAttrs' (hostName: cfg: ( |       virtualHosts = mapAttrs' (hostName: cfg: ( | ||||||
|         nameValuePair "http://${hostName}" { |         nameValuePair hostName { | ||||||
|           extraConfig = '' |           extraConfig = '' | ||||||
|             root    * /${pkg hostName cfg}/share/wordpress |             root    * /${pkg hostName cfg}/share/wordpress | ||||||
|             file_server |             file_server | ||||||
|  | |||||||
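Review bot: changing the key from `nameValuePair "http://${hostName}"` to `nameValuePair hostName` renames the generated vhost attribute, so an existing user override keyed on the old name silently stops merging into this site and instead defines a separate, empty Caddy site; this cannot be caught by an option rename warning because it is an attribute-set key, so it needs at least a release-note entry and ideally an assertion that no `services.caddy.virtualHosts` name starting with `http://` matches a configured WordPress site. Also, with the scheme omitted Caddy will attempt ACME issuance for every site name that resolves publicly, which needs ports 80 and 443 reachable and is subject to the CA's rate limits; since the test had to add 443 to `networking.firewall.allowedTCPPorts`, confirm whether the module opens firewall ports anywhere itself and, if it does, add 443 there too.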
| @ -75,7 +75,7 @@ rec { | |||||||
|               }; |               }; | ||||||
|             }; |             }; | ||||||
| 
 | 
 | ||||||
|             networking.firewall.allowedTCPPorts = [ 80 ]; |             networking.firewall.allowedTCPPorts = [ 80 443 ]; | ||||||
|             networking.hosts."127.0.0.1" = [ |             networking.hosts."127.0.0.1" = [ | ||||||
|               "site1.local" |               "site1.local" | ||||||
|               "site2.local" |               "site2.local" | ||||||
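Review bot: opening 443 alongside 80 matches the new default, but the test only talks to itself over loopback, so the firewall rule is never exercised; either add a second node that fetches the site over HTTPS from outside, or leave a one-line comment that the port is opened to mirror a real deployment rather than to make the test pass.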
| @ -106,7 +106,7 @@ rec { | |||||||
|             machine.wait_for_unit(f"phpfpm-wordpress-{site_name}") |             machine.wait_for_unit(f"phpfpm-wordpress-{site_name}") | ||||||
| 
 | 
 | ||||||
|             with subtest("website returns welcome screen"): |             with subtest("website returns welcome screen"): | ||||||
|                 assert "Welcome to the famous" in machine.succeed(f"curl -L {site_name}") |                 assert "Welcome to the famous" in machine.succeed(f"curl -k -L {site_name}") | ||||||
| 
 | 
 | ||||||
|             with subtest("wordpress-init went through"): |             with subtest("wordpress-init went through"): | ||||||
|                 info = machine.get_unit_info(f"wordpress-init-{site_name}") |                 info = machine.get_unit_info(f"wordpress-init-{site_name}") | ||||||
|  | |||||||
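Review bot: `curl -k -L {site_name}` turns off certificate verification, so the test now only checks that some TLS endpoint answers, not that Caddy serves a valid certificate chain. Prefer trusting Caddy's locally generated root CA in the test (passing it to curl with `--cacert`) so a broken chain fails the test, and add a separate assertion that a plain `http://{site_name}` request answers with a 301 to the `https://` URL (for example via `curl -o /dev/null -w '%{http_code}'` without `-L`), since that redirect is the behaviour the release note promises and `-L` currently hides it.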