Diffstat (limited to 'vps-configuration.env.nix')
-rw-r--r-- | vps-configuration.env.nix | 95 |
1 files changed, 91 insertions, 4 deletions
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 304c124..a08e50e 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -2,8 +2,10 @@ let
 envsubstConfiguration = {
+ TLD = "$TLD";
 nextcloudTLD = "$NEXTCLOUD_TLD";
 gitTLD = "$GIT_TLD";
+ prosodyTLD = "$PROSODY_TLD";
 letsencryptEmail = "$LETSENCRYPT_EMAIL";
 authorizedKey = "$AUTHORIZED_KEY";
 userPassword = "$USER_PASSWORD";
@@ -13,7 +15,12 @@ let
 nextcloudAdminPassword = "$NEXTCLOUD_ADMIN_PASSWORD";
 nextcloudTablePrefix = "$NEXTCLOUD_TABLE_PREFIX";
 gitRoot = "$GIT_ROOT";
+ gitPort = "$GIT_PORT";
 systemStateVersion = "$SYSTEM_STATE_VERSION";
+ prosodyAdminUser = "$PROSODY_ADMIN_USER";
+ prosodyMUCTLD = "$PROSODY_MUC_TLD";
+ prosodyHTTPUploadTLD = "$PROSODY_HTTP_UPLOAD_TLD";
+ prosodyPort = "$PROSODY_PORT";
 };
 in {
 imports = [ ./hardware-configuration.nix ];
@@ -31,11 +38,39 @@ in {
 environment.systemPackages = with pkgs; [ vim git ];
- networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+ networking.firewall.allowedTCPPorts = [
+ # SSH: OpenSSH
+ 22
+
+ # HTTP and HTPPS: NGINX
+ 80
+ 443
+
+ # XMPP: Prosody
+ # https://prosody.im/doc/ports
+ 5000
+ 5222
+ 5269
+ 5280
+ 5281
+ 5347
+ 5582
+ ];
 security.acme = {
 acceptTerms = true;
 email = envsubstConfiguration.letsencryptEmail;
+ certs = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ webroot = "/var/www/${envsubstConfiguration.prosodyTLD}";
+ email = envsubstConfiguration.letsencryptEmail;
+ user = "prosody";
+ extraDomains = {
+ "${envsubstConfiguration.prosodyMUCTLD}" = null;
+ "${envsubstConfiguration.prosodyHTTPUploadTLD}" = null;
+ };
+ };
+ };
 };
 services = {
@@ -59,6 +94,9 @@ in {
 "${envsubstConfiguration.gitTLD}" = {
 forceSSL = true;
 enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${envsubstConfiguration.gitPort}";
+ };
 };
 };
 };
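Review bot: The new firewall list opens 5347 (the XMPP component port) and 5582 (Prosody's telnet admin console) to every peer; the linked ports page describes both as local-only interfaces, and the console has no authentication of its own, so exposing them gains nothing while Prosody binds them to localhost and turns into a remote admin interface the moment that bind is widened. 5000 (proxy65 file-transfer proxy) is opened as well although no such proxy is configured anywhere in this commit. Trim the block to what is actually served: `5222`, `5269`, and `5280`/`5281` only if BOSH or HTTP upload is switched on. Note also that `services.prosody.enable = false` in the last hunk, so all of these ports are being opened for a daemon the commit leaves off; the `# HTTP and HTPPS: NGINX` comment has a typo.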
@@ -92,11 +130,60 @@ in {
 adminpass = envsubstConfiguration.nextcloudAdminPassword;
 };
 };
+
+ prosody = {
+ enable = false;
+ admins = [ envsubstConfiguration.prosodyAdminUser ];
+ allowRegistration = true;
+ ssl = {
+ cert = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ virtualHosts = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ enabled = true;
+ domain = "${envsubstConfiguration.prosodyTLD}";
+ ssl = {
+ cert = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ key = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ };
+ };
+ };
+ };
+
+ lighttpd = {
+ enable = true;
+ port = pkgs.lib.toInt envsubstConfiguration.gitPort;
+ cgit = {
+ enable = true;
+ subdir = "";
+ configText = ''
+ source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py
+ about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh
+ scan-path=${envsubstConfiguration.gitRoot}
+ '';
+ };
+ };
 };
- systemd.services."nextcloud-setup" = {
- requires = [ "postgresql.service" ];
- after = [ "postgresql.service" ];
+ systemd.services = {
+ "nextcloud-setup" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+ "lighttpd-cgit-install" = {
+ enable = true;
+ description = "Setup folders and permissions for lighttpd and cgit";
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ mkdir -p ${envsubstConfiguration.gitRoot}
+ chown -R lighttpd:users ${envsubstConfiguration.gitRoot}
+ chmod -R 770 ${envsubstConfiguration.gitRoot}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ };
+ };
 };
 users.extraUsers.andreh = {
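Review bot: `allowRegistration = true` switches on open in-band account registration for an internet-facing XMPP server, which is the usual source of spam accounts; Prosody's documentation recommends leaving it off and creating accounts with `prosodyctl`. It is inert only while `enable = false` stays, and will be live the moment that flag is flipped, so set `allowRegistration = false;` now. In `lighttpd-cgit-install`, `chown -R lighttpd:users` followed by `chmod -R 770` gives every local account in the `users` group write access to every repository under gitRoot on each boot; a dedicated group for the accounts that push, with the setgid bit on directories so new repositories keep that group, limits this. Nothing here sets a bind address for lighttpd, so it appears to listen on gitPort on all interfaces and cgit would be reachable in plaintext, bypassing the nginx TLS front, if that port is ever added to the firewall list; `services.lighttpd.extraConfig = ''server.bind = "127.0.0.1"'';` keeps it local. The `ssl` block repeated under the virtual host appears redundant with the top-level one, since Prosody applies the global ssl settings to hosts that do not override them.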