

commit b98f10774b36f023b36b21d0194af106327a99c2
parent 22b7a748e03ad95bfcf37d1dea8142c318d544dd
Author: Katja Ramona Sophie Kwast (zaphyra) <git@zaphyra.eu>
Date: Wed, 30 Jul 2025 18:43:55 +0200

config/nixos/modules/websites: add `gomuks.zaphyra.eu`
2 files changed, 101 insertions(+), 0 deletions(-)
A
config/nixos/modules/websites/gomuks.zaphyra.eu.nix
|
100
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
hosts/morio/default.nix
|
1
+
diff --git a/config/nixos/modules/websites/gomuks.zaphyra.eu.nix b/config/nixos/modules/websites/gomuks.zaphyra.eu.nix
@@ -0,0 +1,100 @@
+{
+  name,
+  povSelf,
+  hostConfig,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) types;
+  cfg = lib.getAttrFromPath povSelf config;
+  cfgWebsites = lib.getAttrFromPath (lib.remove name povSelf) config;
+
+in
+{
+
+  options = {
+    enable = {
+      type = types.bool;
+      default = false;
+    };
+    domain = {
+      type = types.str;
+      default = "zaphyra.eu";
+    };
+    subdomain = {
+      type = types.str;
+      default = "gomuks";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+
+    systemd.services.gomuks-web = {
+      description = "gomuks-web";
+
+      environment.GOMUKS_ROOT = "/var/lib/gomuks-web";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+
+      path = [ pkgs.ffmpeg-headless ];
+
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = lib.getExe (pkgs.gomuks-web.override {
+          withGoolm = true;
+        });
+
+        DynamicUser = true;
+        User  = "gomuks-web";
+        Group = "gomuks-web";
+
+        StateDirectory   = "gomuks-web";
+
+        Restart = "on-failure";
+        RestartSec = "30s";
+
+        LockPersonality = true;
+        NoNewPrivileges = true;
+
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectSystem = "strict";
+
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+
+        SystemCallArchitectures = "native";
+        SystemCallErrorNumber = "EPERM";
+        SystemCallFilter = [ "@system-service" ];
+      };
+    };
+
+    services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
+      useACMEHost = lib.mkDefault "${config.networking.fqdn}";
+      forceSSL = lib.mkDefault true;
+      kTLS = lib.mkDefault true;
+      locations."/" = {
+        proxyPass = "http://[::1]:29325";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+}
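Review bot: The nginx location hard-codes the upstream as `http://[::1]:29325`, but nothing in this module configures gomuks-web's listen address, so the proxy target and the actual bind address are coupled only by the package default and can drift silently (and whether that default is loopback-only is not visible here — if it is not, the backend is reachable around the TLS/ACME front end). I would at least pin the assumption with a comment next to `proxyPass`, e.g. `# gomuks-web is expected to listen on its default loopback port; this module does not set it`, or better, factor the port into a `let` binding and write it into gomuks-web's config so both sides come from one value. The sandboxing block in `serviceConfig` is otherwise solid but omits the socket and namespace restrictions usually paired with it; adding `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];`, `RestrictNamespaces = true;` and `CapabilityBoundingSet = "";` would complete the set without changing what the service needs. Whether gomuks-web's Go runtime tolerates `MemoryDenyWriteExecute = true` is worth a quick test before adding that one as well.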
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix
@@ -111,6 +111,7 @@
           "dav.zaphyra.eu".enable = true;
           "gts.zaphyra.eu".enable = true;
           "grapevine.zaphyra.eu".enable = true;
+          "gomuks.zaphyra.eu".enable = true;
           "vault.zaphyra.eu".enable = true;
           "oeffi.zaphyra.eu".enable = true;
           "things.zaphyra.eu".enable = true;