Setting up a NixOS server on Linode to run Wordpress

After listening to:

… and needing to set up a new Wordpress server to replace my aging one, I thought this might be a good exercise to try Nix.

Linode has a nice writeup on how to install Nix. I'm about halfway through it, and it is proving to be a good exercise in using the low-level aspects of the Linode platform (booting from an ISO installer image, etc.). The Linode platform seems very flexible. Here is a screenshot of the NixOS installer boot menu displayed in the Linode Glish terminal:

Stay tuned …

Finished install, and everything pretty much worked as advertised.

I really like being able to declaratively configure everything. It appears there are Caddy packages, so I'm working on that next …

Some notes on things learned today …

Wanted to symlink vi → nvim – turns out there is a config for that:

programs.neovim.enable = true;
programs.neovim.viAlias = true;

thanks @khem

I then explored installing the Caddy web server.

To date, I’ve been installing apps by adding them to the section of /etc/nixos/configuration.nix shown below:

  environment.systemPackages = with pkgs; [
    htop
    neovim
    inetutils
    mtr
    sysstat
    git
  ];

Then running nixos-rebuild switch. This puts binaries in locations like:

[root@nixos:/etc]# which nvim
/run/current-system/sw/bin/nvim

I’ve been reading you can also use nix-env to install stuff, so I tried:

[root@nixos:/etc]# nix-env --install caddy
Killed

It appears to be running the machine out of memory. According to this thread, this is common on low memory machines and you can do the following instead:

nix-env -iA nixos.caddy

That works, and now caddy is located in:

[root@nixos:/etc]# which caddy
/root/.nix-profile/bin/caddy

[root@nixos:/etc]# which nvim
/run/current-system/sw/bin/nvim

Contrasting the install location of caddy with nvim is interesting – it appears nix-env populates binaries for that user only.

So where did it store the configuration information about installing caddy for the user? Perhaps /root/.nix-profile/manifest.nix?

I cloned the pkg repo so I could more easily search and then found a configuration for a caddy service:

[cbrake@ariel nixpkgs]$ find -name caddy*
./nixos/tests/caddy.nix
./nixos/modules/services/web-servers/caddy
./pkgs/servers/caddy

It’s interesting that this service is in the nixos/ directory, while the caddy service recipe is in the pkgs/ directory. This indicates you could install the caddy binary via nix on any OS, but to leverage the service configuration, you need to be running NixOS – makes sense.

Now, to figure out how to use this …

With the following in my /etc/nixos/configuration.nix:

  services.caddy = {
    enable = true;
    config = ''
        localhost

        respond "Hello, world!"
    '';
  };

I can get a response on localhost:

However, I'm getting errors when trying to fetch it externally in a browser.

After a few more fixes in the configuration, we’re up and running:

diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 8aa6bd8..10715c1 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@@ -131,7 +131,7 @@
   # networking.firewall.allowedUDPPorts = [ ... ];
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
-  networking.firewall.allowedTCPPorts = [ 80 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
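Review bot: on the `+` line, 80 is kept alongside 443, and it needs to stay there: Caddy answers the ACME HTTP-01 challenge and the HTTP-to-HTTPS redirect on port 80, so dropping it later would break certificate issuance and renewal, not just plain-HTTP access. `networking.firewall.allowedTCPPorts` opens these ports to every source address, which is what a public web server needs; keep the list to the web ports and leave the UDP line above commented unless something actually listens on UDP.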
@@ -144,9 +144,9 @@
   services.caddy = {
     enable = true;
     config = ''
-       localhost
-
-       respond "Hello, world!"
+       web2.bec-systems.com {
+         respond "Hello, world!"
+       }
     '';
   };
 }
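Review bot: the `+` lines replace `localhost` with `web2.bec-systems.com { ... }`, and because that address has no `http://` scheme and no explicit port, Caddy's automatic HTTPS takes over: it requests a public certificate for the name as soon as the service starts and redirects port 80 to 443. Before `nixos-rebuild switch`, DNS for web2.bec-systems.com must already resolve to this Linode and both 80 and 443 must be reachable (previous hunk), otherwise the ACME attempt fails at startup and is retried. The old `localhost` block only ever matched requests with `Host: localhost`, which is why fetching it externally failed.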

Looking at the journal, it appears Caddy got certs for web2.

> May 05 22:10:39 nixos caddy[1996124]: {"level":"info","ts":1651788639.4773624,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"web2.bec-systems.com"}

Now, I can fetch a secure Hello, world remotely:

On to wordpress, mariadb, php, …

After a long delay, returning to this. Updated to Nixos 22.05 with the following commands:

nix-channel --add https://nixos.org/channels/nixos-22.05 nixos
nixos-rebuild --upgrade boot

Rebooted, and it came back up and Caddy still works!

Got wordpress working:

Here is the config:

  services.caddy = {
    enable = true;
    extraConfig = ''
        hello.bec-systems.com {
          respond "Hello, world!"
        }
    '';
  };

  services.wordpress = {
    webserver = "caddy";
  };

  services.wordpress.sites."web2.bec-systems.com" = {
    database.createLocally = true;  # name is set to `wordpress` by default

    virtualHost = {
      adminAddr = "cbrake@bec-systems.com";
      serverAliases = [ "web2.bec-systems.com" ];
    };
  };

  services.wordpress.sites."miles.bec-systems.com" = {
    database.createLocally = true;  # name is set to `wordpress` by default
    database.name = "wp_miles";

    virtualHost = {
      adminAddr = "miles@bec-systems.com";
      serverAliases = [ "miles.bec-systems.com" ];
    };
  };

It’s pretty neat that with this bit of declarative config, we set up a database, PHP, WordPress, a web server, accounts, and who knows what else. Notice how easy it is to add a second site …

HTTPS is still not working yet, as NixOS is generating the following Caddyfile:

[root@nixos:/home/cbrake]# more /nix/store/sa37k4v6qrrhhfz52pwkfyfx3l52rm7y-Caddyfile-formatted
{
        acme_ca https://acme-v02.api.letsencrypt.org/directory
        log {
                level ERROR
        }
}
hello.bec-systems.com {
        respond "Hello, world!"
}

http://miles.bec-systems.com {
        bind

        log {
                output file /var/log/caddy/access-http://miles.bec-systems.com.log
        }

        root * //nix/store/3z0hm7nxrrkjc0h2ff60bnh457cavvgr-wordpress-miles.bec-systems.com-5.9.3/share/wordpress
        file_server

        php_fastcgi unix//run/phpfpm/wordpress-miles.bec-systems.com.sock

        @uploads {
                path_regexp path /uploads\/(.*)\.php
        }
        rewrite @uploads /

        @wp-admin {
                path not ^\/wp-admin/*
        }
        rewrite @wp-admin {path}/index.php?{query}
}

http://web2.bec-systems.com {
        bind

        log {
                output file /var/log/caddy/access-http://web2.bec-systems.com.log
        }

        root * //nix/store/pzhi3vzh235c01rm7mkpb8iqidcsfrzp-wordpress-web2.bec-systems.com-5.9.3/share/wordpress
        file_server

        php_fastcgi unix//run/phpfpm/wordpress-web2.bec-systems.com.sock

        @uploads {
                path_regexp path /uploads\/(.*)\.php
        }
        rewrite @uploads /

        @wp-admin {
                path not ^\/wp-admin/*
        }
        rewrite @wp-admin {path}/index.php?{query}
}

Here is where the caddyfile is being generated:

Will need to figure out how to remove the http://
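The generated Caddyfile above is worth reading as a security artefact, not only as a bug report. Below is an added example (my own code, not from nixpkgs or Caddy) that parses a constructed, trimmed copy of it: it lists the site addresses, classifies each one under Caddy's automatic-HTTPS rules (an `http://` scheme, as the WordPress module emits, means no TLS at all; `localhost` and IP literals get a certificate from Caddy's internal CA and are only matched for requests carrying that host name), and applies the `@uploads` rewrite to sample request paths to show what it blocks. The `@wp-admin` rule is deliberately not modelled, because `path` is Caddy's glob-style matcher rather than a regex, so its real effect is best checked with `caddy adapt`. Host names, paths and the file name `caddy_audit.py` are placeholders.

```python
"""caddy_audit.py: inspect site addresses and the uploads rewrite of a
NixOS-generated Caddyfile. Added example for this thread; not nixpkgs code."""
import re
from ipaddress import ip_address

# Constructed sample, trimmed from the generated Caddyfile shown above; the
# host names are placeholders, not the real sites.
SAMPLE_CADDYFILE = """\
{
        acme_ca https://acme-v02.api.letsencrypt.org/directory
        log {
                level ERROR
        }
}
hello.example.com {
        respond "Hello, world!"
}

http://miles.example.com {
        log {
                output file /var/log/caddy/access-miles.log
        }
        root * /srv/wordpress
        file_server
        php_fastcgi unix//run/phpfpm/wordpress-miles.example.com.sock

        @uploads {
                path_regexp path /uploads\\/(.*)\\.php
        }
        rewrite @uploads /
}

localhost {
        respond "dev only"
}
"""


def site_addresses(caddyfile: str) -> list[str]:
    """Return the site addresses that open top-level blocks.

    Brace depth is tracked so nested blocks (matchers, log {...}) and the
    global options block (a bare "{" with no address) are not taken for sites.
    Placeholders such as {path} and {query} are balanced, so they net to zero.
    """
    addresses: list[str] = []
    depth = 0
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.endswith("{"):
            header = line[:-1].strip()
            if header:  # a bare "{" at top level is the global options block
                addresses.extend(a.strip() for a in header.split(","))
        depth += line.count("{") - line.count("}")
    return addresses


def tls_mode(address: str) -> str:
    """Classify a site address under Caddy's automatic HTTPS rules.

    Simplified from Caddy's documented behaviour: an explicit http:// scheme
    or port 80 turns TLS off for that site; localhost and IP literals get a
    certificate from Caddy's internal CA, which browsers reject unless that
    CA is installed; any other host name triggers a public ACME certificate.
    """
    if address.startswith("http://") or address.rsplit(":", 1)[-1] == "80":
        return "plain-http"
    host = address.removeprefix("https://")
    if host.startswith("["):  # bracketed IPv6 literal
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]
    if host == "localhost":
        return "internal-ca"
    try:
        ip_address(host)
        return "internal-ca"
    except ValueError:
        return "acme"


def sites_without_tls(caddyfile: str) -> list[str]:
    """Addresses that this Caddyfile will serve over plain HTTP only."""
    return [a for a in site_addresses(caddyfile) if tls_mode(a) == "plain-http"]


# The pattern from the generated Caddyfile. Caddy's path_regexp is an
# unanchored RE2 search, and this expression means the same in Python's re.
UPLOADS_RE = re.compile(r"/uploads\/(.*)\.php")


def rewrite_uploads(path: str) -> str:
    """Apply `rewrite @uploads /` from the WordPress site block.

    A request whose path contains "/uploads/...php" is rewritten to "/", so
    php_fastcgi never sees it: a PHP file that landed in wp-content/uploads
    via the media library or a plugin bug is not executed. The regex is not
    anchored at the end, so "shell.php.bak" is caught as well.
    """
    return "/" if UPLOADS_RE.search(path) else path


if __name__ == "__main__":
    for addr in site_addresses(SAMPLE_CADDYFILE):
        print(f"{addr:28} -> {tls_mode(addr)}")
    for p in ("/wp-content/uploads/2022/05/shell.php",
              "/wp-content/uploads/2022/05/photo.jpg",
              "/wp-admin/index.php"):
        print(f"{p:40} -> {rewrite_uploads(p)}")
```

Run it with `python3 caddy_audit.py`; to check the real file rather than this model, `caddy adapt --config /nix/store/...-Caddyfile-formatted --pretty` prints the JSON Caddy actually loads, including the automatic-HTTPS settings it derived from each address.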

from the forum:

I’d say the main ethos to Nix/NixOS is “putting in effort now, in order to save putting in effort later”.

Credit vs debit cards :slight_smile:

Been a while since I worked on this, so first updated to the latest version of NixOS:

nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
nixos-rebuild --upgrade boot

That took several minutes. I then executed reboot, but it seemed to get stuck. I bounced the machine in Linode and it came up running:

BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
BUILD_ID="22.11.1008.0938d73bb14"
DOCUMENTATION_URL="https://nixos.org/learn.html"
HOME_URL="https://nixos.org/"
ID=nixos
LOGO="nix-snowflake"
NAME=NixOS
PRETTY_NAME="NixOS 22.11 (Raccoon)"
SUPPORT_END="2023-06-30"
SUPPORT_URL="https://nixos.org/community.html"
VERSION="22.11 (Raccoon)"
VERSION_CODENAME=raccoon
VERSION_ID="22.11"

And Wordpress was updated from 5.9.3 to 6.0.3. However, there is Wordpress v6.1.1 out.

Kernel is:

[root@nixos:~]# cat /proc/version 
Linux version 5.15.83 (nixbld@localhost) (gcc (GCC) 11.3.0, GNU ld (GNU Binutils) 2.39) #1-NixOS SMP Wed Dec 14 10:37:31 UTC 2022

6.0 kernel is out, but perhaps they stick with longterm releases?

Appears we still have the HTTPS issue with wordpress/caddy, so back to debugging that.

Upgrade was pretty slick – still trying to decide if this makes sense for managing my production web server.

You can set boot.kernelPackages = pkgs.linuxPackages_latest; in configuration.nix to get latest kernel, otherwise you get LTS.

Nixos caddy support in wordpress

Regarding the version, I guess it's just a matter of getting a newer NixOS; perhaps normal lag. It may be more than Arch Linux.

Thanks @khem – that worked:

[cbrake@nixos:~]$ cat /proc/version 
Linux version 6.1.0 (nixbld@localhost) (gcc (GCC) 11.3.0, GNU ld (GNU Binutils) 2.39) #1-NixOS SMP PREEMPT_DYNAMIC Sun Dec 11 22:15:18 UTC 2022

I also watched the terminal during shutdown, and saw a significant delay in the DHCP client shutting down:

On subsequent reboots, I did not see this delay, so likely some strange interaction with nixos dhcp client and Linode DHCP server.

I then backed out boot.kernelPackages = pkgs.linuxPackages_latest; and it went back to 5.15.83 after reboot. Guess I’ll leave it there for now.

On a positive note, see how easy the reverts are :slight_smile:

Yeah, super easy to change stuff!