authorEuAndreh <eu@euandre.org>2020-08-14 08:36:23 -0300
committerEuAndreh <eu@euandre.org>2020-08-14 08:36:23 -0300
commitdcd53d253715d0794a239c9a4b679f9286555211 (patch)
tree670c8caf46d61c8f95efc72397cb5eb55da9d20e /vps-configuration.env.nix
parentAdd .tfplan extension to Terraform plan files (diff)
downloadserver-dcd53d253715d0794a239c9a4b679f9286555211.tar.gz
server-dcd53d253715d0794a239c9a4b679f9286555211.tar.xz
Setup cgit and Prosody
The TLS setup for Prosody is broken, though.
Diffstat (limited to 'vps-configuration.env.nix')
-rw-r--r--vps-configuration.env.nix95
1 files changed, 91 insertions, 4 deletions
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 304c124..a08e50e 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -2,8 +2,10 @@
let
envsubstConfiguration = {
+ TLD = "$TLD";
nextcloudTLD = "$NEXTCLOUD_TLD";
gitTLD = "$GIT_TLD";
+ prosodyTLD = "$PROSODY_TLD";
letsencryptEmail = "$LETSENCRYPT_EMAIL";
authorizedKey = "$AUTHORIZED_KEY";
userPassword = "$USER_PASSWORD";
@@ -13,7 +15,12 @@ let
nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD";
nextcloudTablePrefix = "$NEXTCLOUD_TABLE_PREFIX";
gitRoot = "$GIT_ROOT";
+ gitPort = "$GIT_PORT";
systemStateVersion = "$SYSTEM_STATE_VERSION";
+ prosodyAdminUser = "$PROSODY_ADMIN_USER";
+ prosodyMUCTLD = "$PROSODY_MUC_TLD";
+ prosodyHTTPUploadTLD = "$PROSODY_HTTP_UPLOAD_TLD";
+ prosodyPort = "$PROSODY_PORT";
};
in {
imports = [ ./hardware-configuration.nix ];
@@ -31,11 +38,39 @@ in {
environment.systemPackages = with pkgs; [ vim git ];
- networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ 22
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # XMPP: Prosody
+ # https://prosody.im/doc/ports
+ 5000
+ 5222
+ 5269
+ 5280
+ 5281
+ 5347
+ 5582
+ ];
security.acme = {
acceptTerms = true;
email = envsubstConfiguration.letsencryptEmail;
+ certs = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ webroot = "/var/www/${envsubstConfiguration.prosodyTLD}";
+ email = envsubstConfiguration.letsencryptEmail;
+ user = "prosody";
+ extraDomains = {
+ "${envsubstConfiguration.prosodyMUCTLD}" = null;
+ "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+ };
+ };
+ };
};
services = {
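Review bot: The new firewall list opens 5347 and 5582 to the Internet, yet the prosody ports page linked in the comment describes 5347 as the external-component port and 5582 as the admin telnet console, both of which are expected to be reachable from localhost only; the console in particular has no authentication of its own, so it must never be behind a public port. 5000 (proxy65 file transfer) and 5280 (plain-HTTP BOSH/upload) are only needed when those modules are actually enabled, and with `prosody.enable = false` later in this commit nothing listens on any of them yet. I would trim the XMPP group to `5222`, `5269` and `5281` and add a comment `# 5347/5582 are component and console ports: localhost only, never exposed`, re-adding the others alongside the module that needs them. The comment on the HTTP ports also misspells `HTPPS`.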
@@ -59,6 +94,9 @@ in {
"${envsubstConfiguration.gitTLD}" = {
forceSSL = true;
enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${envsubstConfiguration.gitPort}";
+ };
};
};
};
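Review bot: The new `proxyPass` forwards the git TLD to `http://localhost:${envsubstConfiguration.gitPort}`, but nothing on the nginx side or in the lighttpd block later in this commit constrains lighttpd to the loopback interface, so `forceSSL` is only honoured as long as `gitPort` stays absent from `networking.firewall.allowedTCPPorts`. It would be more robust to bind lighttpd to loopback explicitly (lighttpd's `server.bind = "127.0.0.1"` directive, through whatever extra-config hook the NixOS module offers) and to document the coupling here with `# lighttpd/cgit is loopback-only; TLS termination happens in this vhost`. Whether cgit needs forwarded Host headers for the links it generates cannot be judged from this hunk.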
@@ -92,11 +130,60 @@ in {
adminpass = envsubstConfiguration.nextcloudAdminPassword;
};
};
+
+ prosody = {
+ enable = false;
+ admins = [ envsubstConfiguration.prosodyAdminUser ];
+ allowRegistration = true;
+ ssl = {
+ cert = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ virtualHosts = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ enabled = true;
+ domain = "${envsubstConfiguration.prosodyTLD}";
+ ssl = {
+ cert = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ };
+ };
+ };
+
+ lighttpd = {
+ enable = true;
+ port = pkgs.lib.toInt envsubstConfiguration.gitPort;
+ cgit = {
+ enable = true;
+ subdir = "";
+ configText = ''
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ scan-path=${envsubstConfiguration.gitRoot}
+ '';
+ };
+ };
};
- systemd.services."nextcloud-setup" = {
- requires = [ "postgresql.service" ];
- after = [ "postgresql.service" ];
+ systemd.services = {
+ "nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+ "lighttpd-cgit-install" = {
+ enable = true;
+ description = "Setup folders and permissions for lighttpd and cgit";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ mkdir -p ${envsubstConfiguration.gitRoot}
+ chown -R lighttpd:users ${envsubstConfiguration.gitRoot}
+ chmod -R 770 ${envsubstConfiguration.gitRoot}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
};
users.extraUsers.andreh = {
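Review bot: The `lighttpd-cgit-install` script runs `chown -R lighttpd:users` followed by `chmod -R 770` on the git root, which makes every repository writable by every member of the `users` group and marks every file executable, and because the unit is `wantedBy multi-user.target` with no `RemainAfterExit` it re-applies that on every boot, undoing any tighter permissions set later. cgit only needs to read the repositories, so the group should be lighttpd's own (`lighttpd` on NixOS, I believe) or a dedicated git group, and the mode should distinguish directories from files, e.g. `chown -R lighttpd:lighttpd ${envsubstConfiguration.gitRoot}` and `chmod -R u=rwX,g=rX,o= ${envsubstConfiguration.gitRoot}`; `systemd.tmpfiles.rules` would express the same intent declaratively. Separately, `allowRegistration = true` in the prosody block opens in-band account registration to anyone once the service is switched on, which is the usual source of throwaway spam accounts on an XMPP server and deserves a `# TODO restrict before enable = true` note. The enclosing `services` attribute set starts outside the hunk.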