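# Module for the gomuks-web Matrix client backend: runs it as a sandboxed
# systemd service, publishes a DNS CNAME for its host name and fronts it with a
# TLS-terminating nginx vhost. The module's option path is given by `povSelf`
# and read back through `cfg`.
{
  povSelf,
  inputs,
  config,
  pkgs,
  lib,
  ...
}:

let
  inherit (lib) types;
  # This module's own options, looked up at the attribute path the module is
  # mounted at (cfg.enable / cfg.domain / cfg.subdomain).
  cfg = lib.getAttrFromPath povSelf config;

  # gomuks-web with the site's CSS patch applied; evaluated lazily, so it is
  # only built when the service is enabled.
  gomuksWeb = pkgs.tgc.gomuks-web.override {
    extraPatches = [
      inputs.self.resources.patches.gomuks-web-css
    ];
  };

in
{

  options = {
    # Master switch; nothing in `config` below is emitted unless set.
    enable = {
      type = types.bool;
      default = false;
    };
    # DNS zone the CNAME is added to and the parent of the nginx vhost name.
    domain = {
      type = types.str;
      default = "zaphyra.eu";
    };
    # Label under `domain`; the served host name is "<subdomain>.<domain>".
    subdomain = {
      type = types.str;
      default = "gomuks";
    };
  };

  config = lib.mkIf cfg.enable {

    # Point the vhost at this machine's canonical name (trailing dot: absolute).
    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];

    # With DynamicUser + StateDirectory the real state lives under
    # /var/lib/private/gomuks-web (what must survive a reboot); /var/lib/gomuks-web
    # is the symlink systemd creates, which is the path GOMUKS_ROOT uses below.
    modules.filesystem.impermanence.system.dirs = [ "/var/lib/private/gomuks-web" ];

    systemd.services.gomuks-web = {
      description = "gomuks-web";

      environment.GOMUKS_ROOT = "/var/lib/gomuks-web";

      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      # ffmpeg is put on PATH for gomuks-web (presumably spawned for media
      # handling); any child runs inside the same sandbox as the service.
      path = [ pkgs.ffmpeg-headless ];

      serviceConfig = {
        Type = "simple";
        ExecStart = lib.getExe gomuksWeb;

        # Throwaway unprivileged user; no persistent account on the host.
        DynamicUser = true;
        User = "gomuks-web";
        Group = "gomuks-web";

        StateDirectory = "gomuks-web";
        # Files the service creates are readable by the service user only.
        UMask = "0077";

        Restart = "on-failure";
        RestartSec = "30s";

        # Sandboxing. The service sits behind the public nginx vhost below, so
        # everything a Go HTTP server plus the ffmpeg helper does not need is
        # removed: no capabilities, no new namespaces, no SysV IPC, no view of
        # other processes, and only the address families it actually uses.
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        # NOTE(review): MemoryDenyWriteExecute is deliberately not set here;
        # enable it once it is confirmed that neither gomuks-web nor the ffmpeg
        # helper maps writable+executable memory.

        PrivateDevices = true;
        PrivateTmp = true;
        PrivateUsers = true;

        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";

        RemoveIPC = true;
        # IPv4/IPv6 for the loopback listener and outbound Matrix traffic,
        # AF_UNIX for local sockets (journal, nscd); netlink, packet etc. are
        # denied.
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;

        SystemCallArchitectures = "native";
        # Filtered calls fail with EPERM instead of killing the process, so an
        # unexpected call shows up as an error in the journal rather than a
        # crash loop.
        SystemCallErrorNumber = "EPERM";
        SystemCallFilter = [ "@system-service" "~@privileged" ];
      };
    };

    # Public entry point: nginx terminates TLS and proxies plain HTTP (with
    # websocket upgrades) to the loopback listener. Access control is left to
    # gomuks-web's own login.
    services.nginx.virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
      # NOTE(review): assumes the ACME certificate issued for networking.fqdn
      # also covers this vhost name (wildcard or SAN) — verify, otherwise the
      # vhost needs its own certificate.
      useACMEHost = lib.mkDefault "${config.networking.fqdn}";
      forceSSL = lib.mkDefault true;
      kTLS = lib.mkDefault true;
      locations."/" = {
        # NOTE(review): 29325 is assumed to be gomuks-web's default listen
        # port; it is not configured here. Keep the backend on loopback only so
        # nginx remains the sole path in — TODO confirm against the package.
        proxyPass = "http://[::1]:29325";
        proxyWebsockets = true;
      };
    };
  };

}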