From f755bc31292ad92bab07f4ad16617d07abd436b0 Mon Sep 17 00:00:00 2001
From: EuAndreh
Date: Fri, 14 Mar 2025 06:30:12 -0300
Subject: system.scm: Enable cgit and nginx services
---
 src/guix/system.scm | 49 +++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 45 insertions(+), 4 deletions(-)
diff --git a/src/guix/system.scm b/src/guix/system.scm
index 470bb1d..a325f37 100644
--- a/src/guix/system.scm
+++ b/src/guix/system.scm
@@ -1,5 +1,4 @@
 (use-modules
- ((ice-9 match) #:prefix m:)
 ((srfi srfi-1) #:prefix s1:)
 ((xyz euandreh heredoc) #:prefix heredoc:)
 ((org euandre papo) #:prefix papo:)
@@ -10,7 +9,8 @@
 (guix packages)
 (guix transformations)
 (guix utils))
-(use-package-modules)
+(use-package-modules
+ version-control)
 (use-service-modules
 certbot
 cgit
@@ -18,8 +18,8 @@
 mail
 networking
 security
- shepherd
- ssh)
+ ssh
+ web)
 (heredoc:enable-syntax)
@@ -154,6 +154,47 @@
 (pkg:users->keys +users+)))
 (service certbot-service-type
 (q:tld-certbot-configuration +tld+))
+ (service nginx-service-type
+ (nginx-configuration
+ (server-blocks
+ (list
+ (nginx-server-configuration
+ (server-name (list +tld+))
+ (listen '("[::]:443 ssl" "443 ssl"))
+ (root "/srv/www")
+ (ssl-certificate (pkg:fmt "/etc/letsencrypt/live/~a/fullchain.pem" +tld+))
+ (ssl-certificate-key (pkg:fmt "/etc/letsencrypt/live/~a/privkey.pem" +tld+))
+ (locations
+ (list
+ (nginx-location-configuration
+ (uri "/git/static/")
+ (body
+ (list
+ (list "alias " cgit "/share/cgit/;"))))
+ (nginx-location-configuration
+ (uri "/git/")
+ (body
+ (list
+ (list "fastcgi_param SCRIPT_FILENAME " cgit "/lib/cgit/cgit.cgi;")
+ #"-
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass localhost:9000;
+ rewrite /git(.*) $1 break;
+ "#)))))
+ (raw-content
+ '(#"-
+ ssl_protocols TLSv1.3;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
+ ssl_prefer_server_ciphers on;
+ gzip off; # Disable dynamic compression altogether due to BREACH
+ gzip_static on;
+ charset utf-8;
+ autoindex on;
+ add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains' always;
+ "#)))))))
+ (service cgit-service-type q:cgit-pre-configuration)
 (service pkg:syskeep-service-type
 (pkg:syskeep-configuration
 (tld +tld+)))
-- 
cgit v1.2.3
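Review bot: `autoindex on;` sits in the server-level `raw-content`, so it applies to every location that does not override it, and any directory under `/srv/www` without an index file will be served as a browsable listing. If listings are only wanted for one tree, move the directive into a dedicated `nginx-location-configuration` for that path and leave the server default off; if it is intentional site-wide, say so next to it, e.g. `autoindex on; # intentional: /srv/www holds only public files`. Separately, with `ssl_protocols TLSv1.3;` the `ssl_ciphers` list is, as far as I know, not what selects the TLS 1.3 suites in nginx, so that line reads as an enforced policy while likely being inert. Dropping it, or adding a short comment that it only matters if TLS 1.2 is re-enabled, would keep the config honest about what is actually negotiated.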