From d7ff4757a0dadcb3ee68026f2f18cf0b5d97ea72 Mon Sep 17 00:00:00 2001 From: Astro Date: Sat, 5 Mar 2022 01:14:41 +0100 Subject: [PATCH] c3d2-web: switch gemini server from molly-brown to agate the had been a reason... a few hours and many builds ago... --- flake.nix | 1 + hosts/containers/c3d2-web/default.nix | 57 +++++++++++++++++++++------ 2 files changed, 45 insertions(+), 13 deletions(-) diff --git a/flake.nix b/flake.nix index 93061afa..48e277be 100644 --- a/flake.nix +++ b/flake.nix @@ -450,6 +450,7 @@ }; c3d2-web = nixosSystem' { + nixpkgs = inputs.nixpkgs-unstable; modules = [ ./config/lxc-container.nix ./hosts/containers/c3d2-web diff --git a/hosts/containers/c3d2-web/default.nix b/hosts/containers/c3d2-web/default.nix index 53f4872e..74b7ce86 100644 --- a/hosts/containers/c3d2-web/default.nix +++ b/hosts/containers/c3d2-web/default.nix @@ -1,4 +1,4 @@ -{ zentralwerk, nixpkgs, config, pkgs, ... }: +{ zentralwerk, nixpkgs, config, lib, pkgs, ... }: let webroot = "/var/www"; geminiRoot = "/var/gemini"; @@ -15,12 +15,17 @@ in }]; networking.defaultGateway = "172.20.73.1"; networking.firewall.allowedTCPPorts = [ - # nginx + # http/https 80 443 - # molly-brown + # gemini 1965 ]; + security.acme.certs = { + # agate cannot load "ec256" keys + "www.c3d2.de".keyType = "rsa4096"; + }; + # Web server services.nginx = { enable = true; 
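Review bot: The new `nixpkgs = inputs.nixpkgs-unstable;` line in the flake.nix hunk has no comment saying why this one container now tracks unstable, and the commit message does not say either. Presumably it is because `services.agate` is not in the pinned stable nixpkgs yet — if so, say so, e.g. `# unstable: services.agate module — drop once it is in the pinned stable nixpkgs`. Worth being explicit because the change moves the whole container (nginx, the ACME stack, openssl) onto the unstable update stream, not just agate. The enclosing `nixosSystem'` call continues outside the hunk.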
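Review bot: `lib` is added to the module's argument set in the `@@ -1,4 +1,4 @@` hunk of hosts/containers/c3d2-web/default.nix, but none of the hunks in this patch reference it (the agate block uses `with pkgs;` only). If the rest of the file does not use it either, the change is dead and should be dropped to keep the argument set minimal; if it is used elsewhere in the file, that is outside the hunks shown.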
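Review bot: The `security.acme.certs."www.c3d2.de".keyType = "rsa4096"` addition in the `@@ -15,12 +15,17 @@` hunk changes the key for a certificate that nginx serves as well, and the new agate-keys.service (later in this patch) converts that key with `openssl rsa`, which only accepts RSA keys; the comment should record both couplings so nobody flips the key type back and silently breaks the gemini server. Suggested comment: `# agate cannot load "ec256" keys; this cert is shared with nginx and agate-keys.service assumes an RSA key`. Also note that `security.acme.certs` is a new attribute set here while the firewall comment rewrite is purely cosmetic. The enclosing module attribute set continues outside the hunk.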
@@ -83,19 +88,45 @@ in }; }; # Gemini server - services.molly-brown = { + services.agate = { enable = true; - hostName = "c3d2.de"; - certPath = "/var/lib/acme/www.c3d2.de/cert.pem"; - keyPath = "/var/lib/acme/www.c3d2.de/key.pem"; - docBase = geminiRoot; - settings = { - DefaultLang = "de"; - ReadMollyFiles = true; + addresses = [ + # sysctl net.ipv6.bindv6only = 0 + "[::]:1965" + ]; + certificatesDir = "/var/lib/agate/certificates"; + contentDir = geminiRoot; + language = "de"; + }; + # let agate access the tls certs + systemd.services.agate = { + requires = [ "agate-keys.service" ]; + after = [ "agate-keys.service" ]; + serviceConfig = { + Group = "keys"; + }; + }; + systemd.services.agate-keys = { + path = with pkgs; [ openssl ]; + script = let + stateDir = "/var/lib/agate/certificates"; + in '' + mkdir -p ${stateDir} + openssl x509 \ + -in /var/lib/acme/www.c3d2.de/cert.pem \ + -out ${stateDir}/cert.der \ + -outform DER + openssl rsa \ + -in /var/lib/acme/www.c3d2.de/key.pem \ + -out ${stateDir}/key.der \ + -outform DER + chown root:keys ${stateDir}/* + chmod 0640 ${stateDir}/* + ''; + serviceConfig = { + Type = "oneshot"; }; }; - # let molly-brown access the tls certs - systemd.services.molly-brown.serviceConfig.Group = config.services.nginx.group; # Build user users.groups.c3d2-web = {};
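Review bot: `agate-keys.service` is a `Type = "oneshot"` that copies the ACME cert and key to DER once, but nothing re-runs it when the ACME module renews www.c3d2.de, so `/var/lib/agate/certificates/cert.der` goes stale and agate would keep serving the old certificate until its next restart; adding `security.acme.certs."www.c3d2.de".reloadServices = [ "agate.service" ];` should restart agate after renewal and, through `requires`/`after`, re-run the conversion. Second, the `openssl x509`/`openssl rsa` calls write `key.der` under the service's default umask before the `chown root:keys` and `chmod 0640` lines run, so the private key can briefly be world-readable; put `umask 077` right after the `mkdir -p ${stateDir}` line so the files are created 0600 and the existing chmod then widens them to 0640. Consider `openssl pkey` instead of `openssl rsa` for the key conversion so the script does not depend on the `keyType = "rsa4096"` setting elsewhere in the file. The module attribute set this hunk sits in starts and ends outside the hunk.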