summaryrefslogtreecommitdiffstats
path: root/lass/2configs/websites/lassulus.nix
blob: b9811221c2c11f8cb39cc41c0d3d4398d2c66300 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
{ config, pkgs, lib, ... }:

with lib;
let
  inherit (import <stockholm/lib>)
    genid
  ;

in {
  imports = [
    ./default.nix
    ../git.nix
    (servephpBB [ "rote-allez-fraktion.de" ])
  ];

  security.acme = {
    certs."lassul.us" = {
      allowKeysForGroup = true;
      group = "lasscert";
    };
  };

  krebs.tinc_graphs.enable = true;

  users.users.lass-stuff = {
    uid = genid "lass-stuff";
    description = "lassul.us blog cgi stuff";
    home = "/var/empty";
  };

  services.phpfpm.poolConfigs."lass-stuff" = ''
    listen = /var/run/lass-stuff.socket
    user = lass-stuff
    group = nginx
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 1
    pm.min_spare_servers = 1
    pm.max_spare_servers = 1
    listen.owner = lass-stuff
    listen.group = nginx
    php_admin_value[error_log] = 'stderr'
    php_admin_flag[log_errors] = on
    catch_workers_output = yes
    security.limit_extensions =
  '';

  users.groups.lasscert.members = [
    "dovecot2"
    "ejabberd"
    "exim"
    "nginx"
  ];

  services.nginx.virtualHosts."lassul.us" = {
    addSSL = true;
    enableACME = true;
    locations."/".extraConfig = ''
      root /srv/http/lassul.us;
    '';
    locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
      alias ${config.krebs.tinc.retiolum.hostsArchive};
    '';
    locations."= /retiolum.hosts".extraConfig = ''
      alias ${pkgs.retiolum-hosts};
    '';
    locations."/tinc".extraConfig = ''
      alias ${config.krebs.tinc_graphs.workingDir}/external;
    '';
    # TODO make this work!
    locations."= /ddate".extraConfig = let
      script = pkgs.writeBash "test" ''
        echo "hello world"
      '';
      #script = pkgs.execve "ddate-wrapper" {
      #  filename = "${pkgs.ddate}/bin/ddate";
      #  argv = [];
      #};
    in ''
      gzip off;
      fastcgi_pass unix:/var/run/lass-stuff.socket;
      include ${pkgs.nginx}/conf/fastcgi_params;
      fastcgi_param DOCUMENT_ROOT /var/empty;
      fastcgi_param SCRIPT_FILENAME ${script};
      fastcgi_param SCRIPT_NAME ${script};
    '';

    locations."/init".extraConfig = let
      initscript = pkgs.init.override {
        pubkey = config.krebs.users.lass.pubkey;
      };
    in ''
      alias ${initscript};
    '';
    locations."/pub".extraConfig = ''
      alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey};
    '';
  };

  security.acme.certs."cgit.lassul.us" = {
    email = "lassulus@lassul.us";
    webroot = "/var/lib/acme/acme-challenge";
    plugins = [
      "account_key.json"
      "fullchain.pem"
      "key.pem"
    ];
    group = "nginx";
    user = "nginx";
  };


  services.nginx.virtualHosts.cgit = {
    serverName = "cgit.lassul.us";
    addSSL = true;
    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
    locations."/.well-known/acme-challenge".extraConfig = ''
      root /var/lib/acme/acme-challenge;
    '';
  };

  users.users.blog = {
    uid = genid "blog";
    description = "lassul.us blog deployment";
    home = "/srv/http/lassul.us";
    useDefaultShell = true;
    createHome = true;
    openssh.authorizedKeys.keys = [
      config.krebs.users.lass.pubkey
    ];
  };
}