# NixOS module for the flauschehorn website: DNS records, a nightly fetcher
# job, an fcgiwrap instance and the nginx virtual host in front of it.
{
  config,
  pkgs,
  lib,
  ...
}:

let
  cfg = config.zpha.websites."flauschehorn.zaphyra.eu";
  # Both systemd units below run under this (DynamicUser) account.
  svcUser = "flauschehorn";
  fetcher = config.systemd.services.flauschehornFetcher;
  fcgiSocket = config.services.fcgiwrap.instances.flauschehorn.socket;
in
{

  options.zpha.websites."flauschehorn.zaphyra.eu".enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
    dns.zones = {
      # Point the public name at this host.
      "zaphyra.eu".subdomains.flauschehorn.CNAME = [ "${config.networking.fqdn}." ];

      # Required because this subdomain is still set in the flauschehorn.sexy zone.
      "ctu.cx".subdomains."63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme".CNAME = [
        "63bc37c61bda3c1f4fa1f270f8890c7f89c24353.acme.fc9f.de."
      ];
    };

    # DynamicUser= places StateDirectory= under /var/lib/private/; keep it across reboots.
    common.configure.persist.system.dirs = [ "/var/lib/private/flauschehorn" ];

    systemd.services = {
      # Nightly oneshot (mastofetch) run with DB_PATH pointing at the SQLite file
      # that the website location below reads via the same variable.
      flauschehornFetcher = {
        environment.DB_PATH = "/var/lib/flauschehorn/db.sqlite";
        startAt = "*-*-* 3:00:00";
        wants = [ "network-online.target" ];
        after = [ "network-online.target" ];

        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.zpha.flauschehorn-sexy}/bin/mastofetch";

          DynamicUser = true;
          User = svcUser;
          Group = svcUser;

          # With UMask 022, files the fetcher creates default to mode 644. Since the
          # fcgiwrap unit below uses the same account, the web-facing CGI process
          # presumably has write access to the database file as well (the 555
          # directory mode only restricts creating new entries in the directory).
          # NOTE(review): confirm whether the website is meant to write the database;
          # if not, a separate account plus group-read access would enforce that.
          StateDirectory = "flauschehorn";
          StateDirectoryMode = "755";
          UMask = "022";

          # Sandboxing for the fetcher process.
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateDevices = true;
          RestrictAddressFamilies = "AF_INET AF_INET6";
          RestrictNamespaces = true;
          RestrictRealtime = true;
          ProtectSystem = "full";
          ProtectControlGroups = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          DevicePolicy = "closed";
          LockPersonality = true;
        };
      };

      # The fcgiwrap instance shares the fetcher's account and state directory so the
      # website can reach the database.
      # NOTE(review): the same StateDirectory is declared with mode 755 above and 555
      # here; the mode is applied when each unit starts, so the last-started unit
      # presumably determines it — confirm the intended permissions.
      # NOTE(review): none of the fetcher's sandboxing options are set on this unit;
      # check whether the fcgiwrap module applies its own hardening here.
      fcgiwrap-flauschehorn.serviceConfig = {
        DynamicUser = true;
        User = svcUser;
        Group = svcUser;

        StateDirectory = "flauschehorn";
        StateDirectoryMode = "555";
      };
    };

    # nginx connects to this socket, so it is owned by the nginx account.
    services.fcgiwrap.instances.flauschehorn.socket = {
      user = config.services.nginx.user;
      group = config.services.nginx.group;
    };

    services.nginx = {
      enable = true;
      virtualHosts."flauschehorn.zaphyra.eu" = {
        serverAliases = [ "flauschehorn.sexy" ];
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
        # Every request is handed to the website CGI binary through fcgiwrap.
        locations."/" = {
          extraConfig = ''
            include "${pkgs.nginx}/conf/fastcgi_params";
            fastcgi_param SCRIPT_FILENAME "${pkgs.zpha.flauschehorn-sexy}/bin/website";
            fastcgi_param DB_PATH         "${fetcher.environment.DB_PATH}";
            fastcgi_param QUERY_STRING    $args;
            fastcgi_pass  unix:${fcgiSocket.address};
          '';
        };
      };
    };
  };

}