# Static web and gemini hosting
# Copyright (C) 2022 Nguyễn Gia Phong
#
# This file is part of loang configuration.
#
# Loang configuration is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Loang configuration is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with loang configuration.  If not, see <https://www.gnu.org/licenses/>.

{ config, lib, pkgs, ... }:

let
  inherit (config.networking) domain;

  # ACME certificate set issued for the primary domain; molly-brown reads
  # its certificate and key straight out of this directory (see below).
  acme = config.security.acme.certs.${domain};

  phylacteryCfg = config.services.phylactery;

  # Build bind mounts that expose a user-owned directory at `prefix` + user.
  # Example: prefix "/var/lib/www/example/~" and { cnx = "www"; } gives a
  # mount at /var/lib/www/example/~cnx backed by <cnx's home>/www.
  # Whatever that user places there is served by nginx as-is.
  userDirMounts = prefix: userDirs:
    lib.mapAttrs'
      (user: subdir:
        let home = config.users.users.${user}.home;
        in lib.nameValuePair (prefix + user) {
          device = "${home}/${subdir}";
          options = [ "bind" ];
        })
      userDirs;

  # Every virtual host gets an ACME certificate and an HTTP->HTTPS redirect.
  withTls = host: { enableACME = true; forceSSL = true; } // host;
in
{
  fileSystems = userDirMounts
    "${config.services.nginx.virtualHosts.${domain}.root}/~"
    { cnx = "www"; };

  # Only the public-facing ports are opened here; phylactery's own port is
  # not in this list, so it is expected to be reachable only through the
  # nginx reverse proxy (assuming no other module opens it).
  networking.firewall.allowedTCPPorts = [
    80   # HTTP
    443  # TLS
    1965 # Gemini
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "mcsinyx@disroot.org";
  };

  services.phylactery = {
    enable = true;
    library = "/mnt/nas/comix";
    port = 42069;
  };

  services.molly-brown = {
    enable = true;
    hostName = domain;
    docBase = "/var/lib/gemini/${domain}";
    certPath = "${acme.directory}/cert.pem";
    keyPath = "${acme.directory}/key.pem";
  };

  # Reading the ACME-managed key requires membership in the certificate
  # group; granting it as a supplementary group keeps the service
  # otherwise unprivileged.
  systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [ acme.group ];

  services.nginx = {
    enable = true;
    enableReload = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      ${domain} = withTls {
        root = "/var/lib/www/${domain}";
        locations."/".index = "index.xhtml";
      };

      # Reverse proxy in front of the phylactery service configured above.
      "xem.${domain}" = withTls {
        locations."/".proxyPass =
          "http://${phylacteryCfg.host}:${toString phylacteryCfg.port}";
      };

      "cnx.gdn" = withTls {
        root = "/var/lib/www/cnx.gdn";
      };

      "px.cnx.gdn" = withTls {
        root = "/var/lib/www/px.cnx.gdn";
        locations = {
          "/".index = "index.xhtml";
          # Mark the index page as already expired so clients revalidate it.
          "~ /index.xhtml$".extraConfig = ''
            expires -1;
          '';
        };
      };

      "septagram.suricrasia.online" = withTls {
        root = "/var/lib/www/septagram.suricrasia.online";
        # Directory listings are deliberately public on this host.
        extraConfig = ''
          autoindex on;
        '';
      };
    };
  };
}