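{ povSelf, inputs, config, pkgs, lib, ... }:
let
  inherit (lib) types;
  # This module's own option values, looked up at the attribute path `povSelf`.
  cfg = lib.getAttrFromPath povSelf config;
in
{
  options = {
    # NOTE(review): these are plain attrsets rather than lib.mkOption —
    # presumably the povSelf module framework wraps them; confirm if this file
    # is ever loaded as a stock NixOS module.
    enable = { type = types.bool; default = false; };
    domain = { type = types.str; default = "zaphyra.eu"; };
    subdomain = { type = types.str; default = "gomuks"; };
  };

  config = lib.mkIf cfg.enable {
    # Publish <subdomain>.<domain> as a CNAME to this host's FQDN.
    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME =
      [ "${config.networking.fqdn}." ];

    # With DynamicUser the real state directory is /var/lib/private/<name>;
    # /var/lib/<name> is only a symlink managed by systemd, so persist the former.
    modules.filesystem.impermanence.system.dirs = [ "/var/lib/private/gomuks-web" ];

    systemd.services.gomuks-web = {
      description = "gomuks-web";
      # Points at the StateDirectory declared below.
      environment.GOMUKS_ROOT = "/var/lib/gomuks-web";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      # ffmpeg must be on PATH inside the sandbox (presumably spawned as a
      # child process by gomuks-web — confirm).
      path = [ pkgs.ffmpeg-headless ];

      serviceConfig = {
        Type = "simple";
        ExecStart = lib.getExe (pkgs.tgc.gomuks-web.override {
          extraPatches = [ inputs.self.resources.patches.gomuks-web-css ];
        });

        DynamicUser = true;
        User = "gomuks-web";
        Group = "gomuks-web";
        StateDirectory = "gomuks-web";
        # Files the service creates in its state directory stay private to it.
        UMask = "0077";
        Restart = "on-failure";
        RestartSec = "30s";

        # Sandboxing. The service runs as an unprivileged dynamic user, so
        # it needs no capabilities, no namespace creation and no socket
        # families beyond TCP/IP and local sockets. It listens on loopback
        # (see proxyPass below); any outbound needs are assumed to be plain
        # TCP — confirm against gomuks-web's behaviour.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        # Hide other processes' /proc entries (requires PrivateUsers, set above).
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        # Filtered syscalls fail with EPERM instead of killing the process.
        SystemCallErrorNumber = "EPERM";
        # @system-service still permits the @privileged group (setuid, chown,
        # module loading, ...); an unprivileged service has no use for it.
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };

    services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
      useACMEHost = lib.mkDefault "${config.networking.fqdn}";
      forceSSL = lib.mkDefault true;
      kTLS = lib.mkDefault true;
      locations."/" = {
        # gomuks-web's loopback listen address; only reachable through this
        # TLS-terminating reverse proxy from outside the host.
        proxyPass = "http://[::1]:29325";
        proxyWebsockets = true;
      };
    };
  };
}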