c3d2-web: switch gemini server from molly-brown to agate

the had been a reason... a few hours and many builds ago...
2022-03-05 01:14:41 +01:00 · 2022-03-05 01:14:41 +01:00 · d7ff4757a0
parent 3edf2da774
commit d7ff4757a0
2 changed files with 45 additions and 13 deletions
--- a/flake.nix
+++ b/flake.nix
@ -450,6 +450,7 @@
        };

        c3d2-web = nixosSystem' {
+          nixpkgs = inputs.nixpkgs-unstable;
          modules = [
            ./config/lxc-container.nix
            ./hosts/containers/c3d2-web
--- a/hosts/containers/c3d2-web/default.nix
+++ b/hosts/containers/c3d2-web/default.nix
@ -1,4 +1,4 @@
-{ zentralwerk, nixpkgs, config, pkgs, ... }:
+{ zentralwerk, nixpkgs, config, lib, pkgs, ... }:
 let
  webroot = "/var/www";
  geminiRoot = "/var/gemini";
@ -15,12 +15,17 @@ in
  }];
  networking.defaultGateway = "172.20.73.1";
  networking.firewall.allowedTCPPorts = [
-    # nginx
+    # http/https
    80 443
-    # molly-brown
+    # gemini
    1965
  ];

+  security.acme.certs = {
+    # agate cannot load "ec256" keys
+    "www.c3d2.de".keyType = "rsa4096";
+  };
+
  # Web server
  services.nginx = {
    enable = true;
@ -83,19 +88,45 @@ in
    };
  };
  # Gemini server
-  services.molly-brown = {
+  services.agate = {
    enable = true;
-    hostName = "c3d2.de";
-    certPath = "/var/lib/acme/www.c3d2.de/cert.pem";
-    keyPath = "/var/lib/acme/www.c3d2.de/key.pem";
-    docBase = geminiRoot;
-    settings = {
-      DefaultLang = "de";
-      ReadMollyFiles = true;
+    addresses = [
+      # sysctl net.ipv6.bindv6only = 0
+      "[::]:1965"
+    ];
+    certificatesDir = "/var/lib/agate/certificates";
+    contentDir = geminiRoot;
+    language = "de";
+  };
+  # let agate access the tls certs
+  systemd.services.agate = {
+    requires = [ "agate-keys.service" ];
+    after = [ "agate-keys.service" ];
+    serviceConfig = {
+      Group = "keys";
+    };
+  };
+  systemd.services.agate-keys = {
+    path = with pkgs; [ openssl ];
+    script = let
+      stateDir = "/var/lib/agate/certificates";
+    in ''
+      mkdir -p ${stateDir}
+      openssl x509 \
+          -in /var/lib/acme/www.c3d2.de/cert.pem \
+          -out ${stateDir}/cert.der \
+          -outform DER
+      openssl rsa \
+          -in /var/lib/acme/www.c3d2.de/key.pem \
+          -out ${stateDir}/key.der \
+          -outform DER
+      chown root:keys ${stateDir}/*
+      chmod 0640 ${stateDir}/*
+    '';
+    serviceConfig = {
+      Type = "oneshot";
    };
  };
-  # let molly-brown access the tls certs
-  systemd.services.molly-brown.serviceConfig.Group = config.services.nginx.group;

  # Build user
  users.groups.c3d2-web = {};