# Static web and gemini hosting
# Copyright (C) 2022 Nguyễn Gia Phong
#
# This file is part of loang configuration.
#
# Loang configuration is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Loang configuration is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with loang configuration. If not, see <https://www.gnu.org/licenses/>.

# NixOS module: nginx (HTTPS, several static vhosts plus a PAM-protected
# reverse proxy to phylactery) and molly-brown (Gemini), both serving
# certificates obtained through ACME for `config.networking.domain`.
{ config, lib, pkgs, ... }:
let
  inherit (config.networking) domain;
  inherit (config.services) phylactery;
  # Upstream for the proxied vhosts below.  Only nginx talks to it; the
  # backend port itself is not in the firewall allow-list.
  phylacteryAddress = "http://${phylactery.host}:${toString phylactery.port}";
in {
  # Only the public listeners are opened; everything else (including the
  # phylactery backend) stays firewalled.
  networking.firewall.allowedTCPPorts = [
    80 # HTTP
    443 # TLS
    1965 # Gemini
  ];

  security = {
    acme = {
      acceptTerms = true;
      defaults.email = "mcsinyx@disroot.org";
    };
    # PAM service used by nginx's auth_pam below (see the "xem" vhost).
    # NOTE(review): presumably keeps session environment out of nginx
    # workers — confirm against the option's documentation.
    pam.services.nginx.setEnvironment = false;
  };

  services = {
    # Gemini capsule for the apex domain, reusing the ACME certificate
    # nginx obtains for it (read access is granted via SupplementaryGroups
    # in systemd.services below).
    molly-brown = let
      certDir = config.security.acme.certs.${domain}.directory;
    in {
      certPath = "${certDir}/cert.pem";
      docBase = "/var/lib/gemini/${domain}";
      enable = true;
      hostName = domain;
      keyPath = "${certDir}/key.pem";
    };

    nginx = {
      # Needed for auth_pam on the phylactery proxy.
      additionalModules = [ pkgs.nginxModules.pam ];
      # No access log and error log discarded: this is a privacy choice,
      # but it also means failed logins against the PAM-protected vhost
      # and other abuse leave no trace on this host.
      appendHttpConfig = ''
        access_log off;
      '';
      enable = true;
      enableReload = true;
      logError = "/dev/null";
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        ${domain} = {
          enableACME = true;
          # HSTS with includeSubDomains: every *.${domain} name served here
          # must stay reachable over HTTPS once a browser has seen this.
          extraConfig = ''
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
          '';
          forceSSL = true;
          http2 = false;
          locations."/".index = "index.html index.xhtml";
          root = "/var/lib/www/${domain}";
        };
        "khoanh.${domain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".index = "index.xhtml";
          root = "/var/lib/www/khoanh.${domain}";
        };
        # Password-protected front for phylactery: credentials are checked
        # by PAM (the "nginx" PAM service declared above).  Authentication
        # happens over TLS only, since forceSSL redirects plain HTTP.
        "xem.${domain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            extraConfig = ''
              auth_pam "Password Required";
              auth_pam_service_name "nginx";
            '';
            proxyPass = phylacteryAddress;
          };
        };
        # Same backend without auth_pam: whatever is reachable here is
        # public.  Non-ICANN TLD, so the certificate is borrowed from the
        # xem.${domain} ACME host (name mismatch is expected by clients
        # following the OpenNIC TLS setup linked below).
        "striproman.pirate" = {
          addSSL = true;
          useACMEHost = "xem.${domain}";
          locations."/".proxyPass = phylacteryAddress;
        };
        "cercle.libre" = {
          addSSL = true;
          useACMEHost = "khoanh.${domain}";
          locations."/".index = "index.xhtml";
          root = "/var/lib/www/cercle.libre";
        };
        "adol.pw" = {
          enableACME = true;
          forceSSL = true;
          root = "/var/lib/www/adol.pw";
        };
        # `autoindex on`: directory listings are intentional on the three
        # hosts below; anything dropped under their roots is enumerable.
        "septagram.suricrasia.online" = {
          enableACME = true;
          extraConfig = ''
            autoindex on;
          '';
          forceSSL = true;
          root = "/var/lib/www/septagram.suricrasia.online";
        };
        "xrvs.net" = {
          enableACME = true;
          extraConfig = ''
            autoindex on;
          '';
          forceSSL = true;
          root = "/var/lib/www/xrvs.net";
        };
        "pd.books.xrvs.net" = {
          enableACME = true;
          extraConfig = ''
            autoindex on;
          '';
          forceSSL = true;
          root = "/var/lib/www/pd.books.xrvs.net";
        };
        # Plain HTTP only: no TLS options are set for this host.
        "xrvs.geek".root = "/var/lib/www/xrvs.geek";
      } // (let
        # Declare an ICANN host with ACME + forced TLS and an OpenNIC alias
        # that reuses its certificate; `config` here is the per-pair vhost
        # attrset merged into both, and shadows the module argument of the
        # same name within this function.
        aliasOpenNIC = openNIC: icann: config: {
          ${openNIC} = {
            # https://wiki.opennic.org/opennic/tls
            addSSL = true;
            useACMEHost = icann;
          } // config;
          ${icann} = {
            enableACME = true;
            forceSSL = true;
          } // config;
        };
      in (aliasOpenNIC "sinyx.indy" "cnx.gdn" {
        root = "/var/lib/www/cnx.gdn";
      }) // (aliasOpenNIC "brutalmaze.sinyx.indy" "brutalmaze.cnx.gdn" {
        root = "/var/lib/www/brutalmaze.cnx.gdn";
      }) // (aliasOpenNIC "pix.sinyx.indy" "px.cnx.gdn" {
        locations = {
          "/".index = "index.xhtml";
          # Never cache the gallery index so new pictures show up at once.
          "~ /index.xhtml$".extraConfig = ''
            expires -1;
          '';
        };
        root = "/mnt/nas/www/px.cnx.gdn";
      }));
    };

    # Backend behind the xem/striproman vhosts; not opened in the firewall.
    phylactery = {
      enable = true;
      library = "/mnt/nas/www/striproman.pirate";
      port = 42069;
    };
  };

  systemd.services = {
    # Lets molly-brown read the ACME cert and key referenced above.
    molly-brown.serviceConfig.SupplementaryGroups = [
      config.security.acme.certs.${domain}.group
    ];
    nginx.serviceConfig = {
      # Presumably so pam_unix can read /etc/shadow for auth_pam; this
      # widens what a compromised nginx worker can read — confirm it is
      # still required by the PAM stack in use.
      SupplementaryGroups = [ "shadow" ];
      # Disables the module's seccomp filter entirely; signal 31 is SIGSYS,
      # i.e. the PAM module trips the default filter.  This removes one
      # hardening layer from nginx, so revisit when the linked issue allows
      # a narrower filter instead of none.
      # https://discourse.nixos.org/t/nginx-worker-processes-exit-with-signal-31-when-running-via-systemd/13471/6
      SystemCallFilter = lib.mkForce "";
    };
  };
}