commit 41ec4515f16ec4c940536c9e697298114a6297f6
parent 8449896d5fcc527c000a2329179f5a218a933a56
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 23 May 2025 22:28:26 +0200
parent 8449896d5fcc527c000a2329179f5a218a933a56
Author: Katja (zaphyra) <git@ctu.cx>
Date: Fri, 23 May 2025 22:28:26 +0200
config/nixos/modules/websites: add `flauschehorn.zaphyra.eu` (and enable on host `novus`)
4 files changed, 129 insertions(+), 0 deletions(-)
A
|
103
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config/nixos/modules/websites/flauschehorn.zaphyra.eu.nix b/config/nixos/modules/websites/flauschehorn.zaphyra.eu.nix 
@@ -0,0 +1,103 @@ +{ + povSelf, + hostConfig, + config, + pkgs, + lib, + ... +}: + +let + inherit (lib) types; + cfg = lib.getAttrFromPath povSelf config; + +in +{ + + options = { + enable = { + type = types.bool; + default = false; + }; + domain = { + type = types.str; + default = "zaphyra.eu"; + }; + subdomain = { + type = types.str; + default = "flauschehorn"; + }; + }; + + config = lib.mkIf cfg.enable { + dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ]; + + systemd.services.flauschehornFetcher = { + environment.DB_PATH = "/var/lib/flauschehorn/db.sqlite"; + startAt = "*-*-* 3:00:00"; + wants = [ "network-online.target" ]; + after = [ "network-online.target" ]; + serviceConfig = { + Type = "oneshot"; + + ExecStart = "${pkgs.flauschehorn-sexy}/bin/mastofetch"; + + DynamicUser = true; + User = "flauschehorn"; + Group = "flauschehorn"; + + StateDirectory = "flauschehorn"; + StateDirectoryMode = "755"; + UMask = "022"; + + NoNewPrivileges = true; + PrivateTmp = true; + PrivateDevices = true; + + RestrictAddressFamilies = "AF_INET AF_INET6"; + RestrictNamespaces = true; + RestrictRealtime = true; + + ProtectSystem = "full"; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + + DevicePolicy = "closed"; + LockPersonality = true; + }; + }; + + systemd.services.fcgiwrap-flauschehorn.serviceConfig = { + DynamicUser = true; + User = "flauschehorn"; + Group = "flauschehorn"; + + StateDirectory = "flauschehorn"; + StateDirectoryMode = "555"; + }; + + services.fcgiwrap.instances.flauschehorn = { + socket.user = config.services.nginx.user; + socket.group = config.services.nginx.group; + }; + + services.nginx = { + enable = true; + virtualHosts."${cfg.subdomain}.${cfg.domain}" = { + # serverAliases = [ "flauschehorn.sexy" ]; + useACMEHost = "${config.networking.fqdn}"; + forceSSL = true; + kTLS = true; + locations."/".extraConfig = '' + include "${pkgs.nginx}/conf/fastcgi_params"; + 
fastcgi_param SCRIPT_FILENAME "${pkgs.flauschehorn-sexy}/bin/website"; + fastcgi_param DB_PATH "${config.systemd.services.flauschehornFetcher.environment.DB_PATH}"; + fastcgi_param QUERY_STRING $args; + fastcgi_pass unix:${config.services.fcgiwrap.instances.flauschehorn.socket.address}; + ''; + }; + }; + }; + +}
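Review bot: The `fcgiwrap-flauschehorn` unit, the part nginx hands requests to, gets only `DynamicUser`, `User`/`Group` and the state directory, while the nightly fetcher carries the full sandboxing set (`PrivateDevices`, `RestrictAddressFamilies`, `ProtectKernel*`, `LockPersonality`, ...). Both units use the same user name and the same `StateDirectory`, so the CGI process presumably owns `db.sqlite` and `StateDirectoryMode = "555"` is not a real read-only boundary. The two units also declare different modes (`755` and `555`) for the same directory, so the effective mode appears to depend on which one started last. I would give the web unit the same restrictions and make the state read-only for it, assuming the website only reads the database and talks only over the fcgiwrap unix socket. The `ReadOnlyPaths` target should be checked against the `/var/lib/private` layout that `DynamicUser` uses.

```nix
systemd.services.fcgiwrap-flauschehorn.serviceConfig = {
  # … unchanged: DynamicUser, User, Group, StateDirectory …

  # the CGI only reads the database that the fetcher writes
  ReadOnlyPaths = [ "/var/lib/flauschehorn" ];

  PrivateDevices = true;
  RestrictAddressFamilies = "AF_UNIX";
  RestrictNamespaces = true;
  RestrictRealtime = true;

  ProtectControlGroups = true;
  ProtectKernelModules = true;
  ProtectKernelTunables = true;

  DevicePolicy = "closed";
  LockPersonality = true;
};
```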
diff --git a/flake.lock b/flake.lock @@ -214,6 +214,26 @@ "type": "github" } }, + "flauschehornSexy": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1742232024, + "narHash": "sha256-jBcb/B2OUgfyFA9VIUD6Er7Whhlc/8E8wMVuiQgGlh4=", + "ref": "refs/heads/master", + "rev": "527a66cb5616ddae4ef737f060c8ea6856249cba", + "revCount": 8, + "type": "git", + "url": "https://git.zaphyra.eu/flauschehorn.sexy" + }, + "original": { + "type": "git", + "url": "https://git.zaphyra.eu/flauschehorn.sexy" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -489,6 +509,7 @@ "flakeParts": "flakeParts", "flakeUtils": "flakeUtils", "flakeyProfile": "flakeyProfile", + "flauschehornSexy": "flauschehornSexy", "haumea": "haumea", "homeManager": "homeManager", "homeManagerUnstable": "homeManagerUnstable",
diff --git a/flake.nix b/flake.nix @@ -80,6 +80,7 @@ inputs.self.overlays.nixpkgsUnstable inputs.ctucxWebsite.overlays.default inputs.stagit.overlays.default + inputs.flauschehornSexy.overlays.default ]; } @@ -187,6 +188,9 @@ stagit.url = "git+https://git.zaphyra.eu/stagit"; stagit.inputs.nixpkgs.follows = "nixpkgs"; + flauschehornSexy.url = "git+https://git.zaphyra.eu/flauschehorn.sexy"; + flauschehornSexy.inputs.nixpkgs.follows = "nixpkgs"; + firefoxGnomeTheme.flake = false; firefoxGnomeTheme.url = "github:rafaelmardojai/firefox-gnome-theme/v137"; };
diff --git a/hosts/novus/default.nix b/hosts/novus/default.nix @@ -55,6 +55,7 @@ websites = { "restic.novus.infra.zaphyra.eu".enable = true; + "flauschehorn.zaphyra.eu".enable = true; "ip.zaphyra.eu".enable = true; };