Diffstat (limited to 'static.nix')
-rw-r--r--static.nix69
1 files changed, 69 insertions, 0 deletions
diff --git a/static.nix b/static.nix
new file mode 100644
index 0000000..7924aad
--- /dev/null
+++ b/static.nix
@@ -0,0 +1,69 @@
+# Static web and gemini hosting
+# Copyright (C) 2022  Nguyễn Gia Phong
+#
+# This file is part of loang configuration.
+#
+# Loang configuration is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Loang configuration is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.
+
+{ config, lib, pkgs, ... }:
+let
+  certs = config.security.acme.certs.${domain};
+  domain = config.networking.domain;
+  bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
+    name = target + user;
+    value = {
+      device = "${config.users.users.${user}.home}/${dir}";
+      options = [ "bind" ];
+    };
+  }) sources;
+in {
+  fileSystems = bindUserDirs {
+    cnx = "www";
+  } "${config.services.nginx.virtualHosts.${domain}.root}/~";
+
+  networking.firewall.allowedTCPPorts = [
+    80 # HTTP
+    443 # TLS
+    1965 # Gemini
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "mcsinyx@disroot.org";
+  };
+
+  services = {
+    molly-brown = {
+      certPath = "${certs.directory}/cert.pem";
+      docBase = "/var/lib/gemini/${domain}";
+      enable = true;
+      hostName = domain;
+      keyPath = "${certs.directory}/key.pem";
+    };
+
+    nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      virtualHosts.${domain} = {
+        enableACME = true;
+        forceSSL = true;
+        root = "/var/lib/www/${domain}";
+      };
+    };
+  };
+
+  systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [
+    certs.group
+  ];
+}
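Review bot: The bind mount built by bindUserDirs (the `options = [ "bind" ];` line) exposes a directory from the user's home under the nginx root read-write, although nginx only ever needs to read it; `options = [ "bind" "ro" ];` would keep the served copy read-only, so a compromise of the web server process cannot modify the user's files through that path (recent util-linux applies `ro` to bind mounts directly, older versions need a separate remount — worth confirming on the target system). Note also that the bind mount only changes the view, not permissions: nginx must still be able to traverse `config.users.users.${user}.home`, which is presumably restricted, so this deserves a one-line comment at bindUserDirs stating that requirement. In the nginx block, `recommendedProxySettings = true;` has no effect here since nothing is proxied, while `recommendedTlsSettings = true;` is absent despite `forceSSL = true;` on the vhost; the latter is the one that matters for a TLS-only static host.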