# Pastebin 3qHQtp20
{ config, lib, pkgs, ... }:

with builtins;

let
  sites = [
    {
      name = "foo";
      dbName = "foo";
      dbUser = "foo";
      dbPassword = "foobar";
      domains = [ "example.com" ];
      enableACME = true;

      authKey        = "0000000000000000000000000000000000000000000000000000000000000000";
      secureAuthKey  = "0000000000000000000000000000000000000000000000000000000000000000";
      loggedInKey    = "0000000000000000000000000000000000000000000000000000000000000000";
      nonceKey       = "0000000000000000000000000000000000000000000000000000000000000000";
      authSalt       = "0000000000000000000000000000000000000000000000000000000000000000";
      secureAuthSalt = "0000000000000000000000000000000000000000000000000000000000000000";
      loggedInSalt   = "0000000000000000000000000000000000000000000000000000000000000000";
      nonceSalt      = "0000000000000000000000000000000000000000000000000000000000000000";
    }
  ];

  wordpressPackage = pkgs.fetchFromGitHub {
    owner = "WordPress";
    repo = "WordPress";
    rev = "5.2.2";
    sha256 = "1pq7b01y729lng816dn1qgfgzqf6smmrz8xp2q7ll9aqzjyxnhha";
    meta = {
      homepage = https://wordpress.org;
      description = "WordPress is open source software you can use to create a beautiful website, blog, or app.";
      license = lib.licenses.gpl2;
      maintainers = [ lib.maintainers.basvandijk ];
    };
  };

  maxFileUploadSize = "60M";
  maxExecutionTime = "300";

  php = pkgs.stdenv.mkDerivation {
    name = "php";
    src = pkgs.php;
    phases = ["postInstall"];
    postInstall = ''
      cp -r $src/ $out
      ls -la $out
      chmod +rwx $out/etc
      sed -i 's|upload_max_filesize = 2M|upload_max_filesize = ${maxFileUploadSize}|' $out/etc/php.ini
      sed -i 's|post_max_size = 8M|post_max_size = ${maxFileUploadSize}|' $out/etc/php.ini
      sed -i 's|max_execution_time = 30|max_execution_time = ${maxExecutionTime}|' $out/etc/php.ini
    '';
  };

  supportedLanguages = import ./wordpress_translations.nix;

  selectLanguages = map (lang:
    pkgs.stdenv.mkDerivation rec {
      name = "wp_${lang}";
      nativeBuildInputs = [ pkgs.unzip ];
      src = pkgs.fetchurl {
        url = supportedLanguages.${lang}.url;
        sha256 = supportedLanguages.${lang}.sha256;
      };
      unpackPhase = "unzip $src";
      installPhase = "mkdir -p $out; cp -R * $out/";
    }
  );
in {
  systemd.services.phpfpm-wordpress = {
    restartTriggers = [ wordpressPackage ];
    serviceConfig.UMask = "0007";
  };

  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
  networking.firewall.allowedUDPPorts = [ 22 80 443 ];

  systemd.services.nginx.preStart = foldl' (s: v: "\n${s}\n${v}") "#!/bin/sh" (map (site:
    ''
      mkdir -p /var/lib/${site.name}/{plugins,themes}
      chown -R ${config.services.nginx.user}:${config.services.nginx.group} /var/lib/${site.name}

      # we should use systemd dependencies here
      if [ ! -d ${config.services.mysql.dataDir}/${site.dbName} ]; then
        echo "Need to create the database '${site.dbName}' and grant permissions to user named '${site.dbUser}'."
        # Wait until MySQL is up
        while [ ! -e ${config.services.mysql.pidDir}/mysqld.pid ]; do
          sleep 1
        done
        ${pkgs.mariadb}/bin/mysql -e 'CREATE DATABASE ${site.dbName};'
        ${pkgs.mariadb}/bin/mysql -e "GRANT ALL ON ${site.dbName}.* TO ${site.dbUser}@localhost IDENTIFIED BY \"${site.dbPassword}\";"
      else
        echo "Good, no need to do anything database related."
      fi
    ''
  ) sites);

  services = {
    phpfpm = {
      phpPackage = php;

      phpOptions = ''
        upload_max_filesize ${maxFileUploadSize}
        post_max_size ${maxFileUploadSize}
        date.timezone = "CET"
      '';

      poolConfigs = listToAttrs (map (site:
        {
          name = site.name;
          value = ''
            listen = /run/phpfpm-${site.name}.sock
            listen.owner = ${config.services.nginx.user}
            listen.group = root
            listen.mode = 0600
            user = ${config.services.nginx.user}
            pm = dynamic
            pm.max_children = 75
            pm.start_servers = 10
            pm.min_spare_servers = 5
            pm.max_spare_servers = 20
            pm.max_requests = 500

            catch_workers_output = yes

            ; log worker's stdout, but this has a performance hit
            [global]
            log_level = notice ; alert, error, warning, notice, debug
            error_log = syslog
          '';
        }
      ) sites);
    };

    mysql = {
      enable = true;
      package = pkgs.mariadb;
      bind = "127.0.0.1";
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      upstreams = listToAttrs (map (site:
        {
          name = "php-${site.name}";
          value = {
            servers = {
              "unix:/run/phpfpm-${site.name}.sock" = {};
            };
          };
        }
      ) sites);

      clientMaxBodySize = maxFileUploadSize;

      commonHttpConfig = ''
        error_log syslog:server=unix:/dev/log;
        access_log syslog:server=unix:/dev/log;
      '';

      virtualHosts = foldl' (s: v: s // v) {} (map (site:
        listToAttrs (map (domain:
          {
            name = domain;
            value =
              let
                linkLanguages = lib.concatMapStrings (language:
                  "ln -s ${language}/*.mo ${language}/*.po $out/wp-content/languages/\n"
                ) (selectLanguages site.languages);

                wp-config = pkgs.writeText "wp-config.php" ''
                  <?php

                  define('AUTH_KEY',         '${site.authKey}');
                  define('SECURE_AUTH_KEY',  '${site.secureAuthKey}');
                  define('LOGGED_IN_KEY',    '${site.loggedInKey}');
                  define('NONCE_KEY',        '${site.nonceKey}');
                  define('AUTH_SALT',        '${site.authSalt}');
                  define('SECURE_AUTH_SALT', '${site.secureAuthSalt}');
                  define('LOGGED_IN_SALT',   '${site.loggedInSalt}');
                  define('NONCE_SALT',       '${site.nonceSalt}');

                  define('FS_METHOD', 'direct');
                  define('AUTOMATIC_UPDATER_DISABLED', true);

                  define('DB_NAME',     '${site.dbName}');
                  define('DB_USER',     '${site.dbUser}');
                  define('DB_PASSWORD', '${site.dbPassword}');
                  define('DB_HOST',     '127.0.0.1');
                  define('DB_CHARSET',  'utf8mb4');
                  $table_prefix  = 'wp_';
                  if ( !defined('ABSPATH') )
                    define('ABSPATH', dirname(__FILE__) . '/');
                  require_once(ABSPATH . 'wp-settings.php');
                '';

                directory = pkgs.stdenv.mkDerivation {
                  name = "wordpress-${site.name}-directory";
                  src = wordpressPackage;
                  installPhase = ''
                    mkdir -p $out
                    cp -R * $out/

                    ln -s ${wp-config} $out/wp-config.php
                    rm -rf $out/wp-content
                    # $ {linkLanguages}
                    ln -s /var/lib/${site.name} $out/wp-content
                  '';
                };
              in {
                forceSSL = site.enableACME;
                enableACME = site.enableACME;
                # serverAliases = tail site.domains;

                locations."/favicon.ico".extraConfig = ''
                  root ${directory};
                  index index.php;
                  log_not_found off;
                  access_log off;
                '';

                locations."/robots.txt".extraConfig = ''
                  root ${directory};
                  index index.php;
                  allow all;
                  log_not_found off;
                  access_log off;
                '';

                locations."/".extraConfig = ''
                  root ${directory};
                  index index.php;
                  # This is cool because no php is touched for static content.
                  # include the "?$args" part so non-default permalinks doesn't break when using query string
                  try_files $uri $uri/ /index.php?$args;
                '';

                locations."~ .php".extraConfig = ''
                  root ${directory};
                  index index.php;
                  include "${config.services.nginx.package}/conf/fastcgi.conf";
                  fastcgi_pass php-${site.name};
                '';

                locations."~* \.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
                  root ${directory};
                  index index.php;
                  expires max;
                  log_not_found off;
                '';
              };
            }
        ) site.domains)
      ) sites);
    };
  };
}