c3d2-web: switch gemini server from molly-brown to agate
there had been a reason... a few hours and many builds ago...
This commit is contained in:
parent
3edf2da774
commit
d7ff4757a0
|
@ -450,6 +450,7 @@
|
|||
};
|
||||
|
||||
c3d2-web = nixosSystem' {
|
||||
nixpkgs = inputs.nixpkgs-unstable;
|
||||
modules = [
|
||||
./config/lxc-container.nix
|
||||
./hosts/containers/c3d2-web
|
||||
|
|
|
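Review bot: The new `nixpkgs = inputs.nixpkgs-unstable;` line in the c3d2-web host moves this container onto a different nixpkgs input than its neighbours, and nothing in the hunk records why; the commit message itself admits the reason has been lost. Presumably it is because the `services.agate` module used by the new host config is only available in the unstable input — if so, a one-line comment above it, `# unstable: needed for services.agate (verify when bumping inputs)`, would stop the next cleanup from reverting it. The enclosing attribute set starts before and ends after this hunk.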
@ -1,4 +1,4 @@
|
|||
{ zentralwerk, nixpkgs, config, pkgs, ... }:
|
||||
{ zentralwerk, nixpkgs, config, lib, pkgs, ... }:
|
||||
let
|
||||
webroot = "/var/www";
|
||||
geminiRoot = "/var/gemini";
|
||||
|
@ -15,12 +15,17 @@ in
|
|||
}];
|
||||
networking.defaultGateway = "172.20.73.1";
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
# nginx
|
||||
# http/https
|
||||
80 443
|
||||
# molly-brown
|
||||
# gemini
|
||||
1965
|
||||
];
|
||||
|
||||
security.acme.certs = {
|
||||
# agate cannot load "ec256" keys
|
||||
"www.c3d2.de".keyType = "rsa4096";
|
||||
};
|
||||
|
||||
# Web server
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
@ -83,19 +88,45 @@ in
|
|||
};
|
||||
};
|
||||
# Gemini server
|
||||
services.molly-brown = {
|
||||
services.agate = {
|
||||
enable = true;
|
||||
hostName = "c3d2.de";
|
||||
certPath = "/var/lib/acme/www.c3d2.de/cert.pem";
|
||||
keyPath = "/var/lib/acme/www.c3d2.de/key.pem";
|
||||
docBase = geminiRoot;
|
||||
settings = {
|
||||
DefaultLang = "de";
|
||||
ReadMollyFiles = true;
|
||||
addresses = [
|
||||
# sysctl net.ipv6.bindv6only = 0
|
||||
"[::]:1965"
|
||||
];
|
||||
certificatesDir = "/var/lib/agate/certificates";
|
||||
contentDir = geminiRoot;
|
||||
language = "de";
|
||||
};
|
||||
# let agate access the tls certs
|
||||
systemd.services.agate = {
|
||||
requires = [ "agate-keys.service" ];
|
||||
after = [ "agate-keys.service" ];
|
||||
serviceConfig = {
|
||||
Group = "keys";
|
||||
};
|
||||
};
|
||||
systemd.services.agate-keys = {
|
||||
path = with pkgs; [ openssl ];
|
||||
script = let
|
||||
stateDir = "/var/lib/agate/certificates";
|
||||
in ''
|
||||
mkdir -p ${stateDir}
|
||||
openssl x509 \
|
||||
-in /var/lib/acme/www.c3d2.de/cert.pem \
|
||||
-out ${stateDir}/cert.der \
|
||||
-outform DER
|
||||
openssl rsa \
|
||||
-in /var/lib/acme/www.c3d2.de/key.pem \
|
||||
-out ${stateDir}/key.der \
|
||||
-outform DER
|
||||
chown root:keys ${stateDir}/*
|
||||
chmod 0640 ${stateDir}/*
|
||||
'';
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
};
|
||||
};
|
||||
# let molly-brown access the tls certs
|
||||
systemd.services.molly-brown.serviceConfig.Group = config.services.nginx.group;
|
||||
|
||||
# Build user
|
||||
users.groups.c3d2-web = {};
|
||||
|
|
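Review bot: In the `agate-keys` script the private key is written by `openssl rsa -out ${stateDir}/key.der` with the service's default umask, so `key.der` (and the directory from `mkdir -p`) exist with their default modes until the later `chown`/`chmod` lines run; a crash or kill in between leaves the DER key readable by any local user. Add `umask 077` as the first line of the script, and since that also makes a freshly created directory 0700, follow the mkdir with `chown root:keys ${stateDir}` and `chmod 0750 ${stateDir}` so the agate service (running with `Group = "keys"`) can still traverse it. Separately, nothing re-runs `agate-keys.service` when ACME renews `www.c3d2.de`: the oneshot only runs on agate start (`requires`/`after`), so the DER copies go stale until the next agate restart — hooking the renewal (the cert's `postRun` or `reloadServices` option) to re-run the conversion, or restarting agate, would close that gap. The literal `"/var/lib/agate/certificates"` appears both as `certificatesDir` and as `stateDir` in the script; deriving one from the other avoids the two drifting apart. The module's attribute set continues past the end of this hunk.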