{
  povSelf,
  hostConfig,
  config,
  pkgs,
  lib,
  ...
}:

# Module for the "flauschehorn" site: a nightly oneshot fetcher fills a sqlite
# database, and nginx + fcgiwrap serve the website CGI from that database.
let
  # This module's own options are looked up under the `povSelf` path.
  cfg = lib.getAttrFromPath povSelf config;

  # Public host name of the site ("flauschehorn.zaphyra.eu" with the defaults).
  siteHost = "${cfg.subdomain}.${cfg.domain}";

  # systemd StateDirectory shared by both units below.  With DynamicUser it is
  # created under /var/lib/private and symlinked from /var/lib, which is why the
  # impermanence entry further down names the /var/lib/private path.
  stateDir = "flauschehorn";

  # Where the fetcher writes and the website reads the sqlite database.
  dbPath = "/var/lib/${stateDir}/db.sqlite";

  # ACME validation label that still has to be answered from the ctu.cx zone.
  acmeLabel = "63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme";
in
{
  options = {
    enable = {
      type = lib.types.bool;
      default = false;
    };
    domain = {
      type = lib.types.str;
      default = "zaphyra.eu";
    };
    subdomain = {
      type = lib.types.str;
      default = "flauschehorn";
    };
  };

  config = lib.mkIf cfg.enable {
    dns.zones = {
      # Point the site name at this host.
      "${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
      # required because this subdomain is still set in the flauschehorn.sexy-zone
      "ctu.cx".subdomains."${acmeLabel}".CNAME = [ "${acmeLabel}.infra.zaphyra.eu." ];
    };

    modules.filesystem.impermanence.system.dirs = [ "/var/lib/private/${stateDir}" ];

    systemd.services = {
      # Nightly fetcher: a oneshot that refreshes the database at 03:00.
      flauschehornFetcher = {
        environment.DB_PATH = dbPath;
        startAt = "*-*-* 3:00:00";
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.flauschehorn-sexy}/bin/mastofetch";

          # Transient user.  The fcgiwrap unit requests the same name, so the
          # two presumably resolve to one dynamic UID and can share stateDir.
          DynamicUser = true;
          User = "flauschehorn";
          Group = "flauschehorn";

          # The fetcher has to create/update db.sqlite (and its journal), so
          # the directory is owner-writable while this unit runs.
          StateDirectory = stateDir;
          StateDirectoryMode = "755";
          UMask = "022";

          # Sandboxing.  NOTE(review): DynamicUser is documented to imply
          # ProtectSystem=strict; the explicit "full" below is the weaker
          # level -- confirm which one is in effect for this unit.
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          RestrictAddressFamilies = "AF_INET AF_INET6";
          RestrictNamespaces = true;
          RestrictRealtime = true;
          ProtectSystem = "full";
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          DevicePolicy = "closed";
          LockPersonality = true;
        };
      };

      # fcgiwrap instance that runs the website CGI; it only needs to read the
      # database.  The hardening listed here is much thinner than the fetcher's
      # although this is the unit that handles untrusted HTTP input; the NixOS
      # fcgiwrap module may add its own defaults -- check the effective unit
      # with `systemd-analyze security`.
      fcgiwrap-flauschehorn.serviceConfig = {
        DynamicUser = true;
        User = "flauschehorn";
        Group = "flauschehorn";

        # NOTE(review): "555" here and "755" in the fetcher apply to the same
        # directory; systemd re-applies the mode of whichever unit starts
        # last, and because both units run under the same user name the
        # read-only bits do not separate the web process from the database.
        StateDirectory = stateDir;
        StateDirectoryMode = "555";
      };
    };

    services.fcgiwrap.instances.flauschehorn = {
      # The CGI socket is owned by the nginx user/group, so only nginx can
      # reach it.
      socket.user = config.services.nginx.user;
      socket.group = config.services.nginx.group;
    };

    services.nginx = {
      enable = true;
      virtualHosts.${siteHost} = {
        # NOTE(review): the certificate obtained for networking.fqdn has to
        # cover siteHost and flauschehorn.sexy as well -- confirm in the ACME
        # configuration.
        serverAliases = [ "flauschehorn.sexy" ];
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
        # DB_PATH is read back from the fetcher unit so the two cannot drift.
        # QUERY_STRING is forwarded to the website CGI unfiltered, so any
        # validation of client input has to happen inside that binary.
        locations."/".extraConfig = ''
          include "${pkgs.nginx}/conf/fastcgi_params";
          fastcgi_param SCRIPT_FILENAME "${pkgs.flauschehorn-sexy}/bin/website";
          fastcgi_param DB_PATH         "${config.systemd.services.flauschehornFetcher.environment.DB_PATH}";
          fastcgi_param QUERY_STRING    $args;
          fastcgi_pass  unix:${config.services.fcgiwrap.instances.flauschehorn.socket.address};
        '';
      };
    };
  };
}