c3d2-web: switch gemini server from molly-brown to agate
there had been a reason... a few hours and many builds ago...
parent
3edf2da774
commit
d7ff4757a0
|
@ -450,6 +450,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
c3d2-web = nixosSystem' {
|
c3d2-web = nixosSystem' {
|
||||||
|
nixpkgs = inputs.nixpkgs-unstable;
|
||||||
modules = [
|
modules = [
|
||||||
./config/lxc-container.nix
|
./config/lxc-container.nix
|
||||||
./hosts/containers/c3d2-web
|
./hosts/containers/c3d2-web
|
||||||
|
|
|
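Review bot: The new `nixpkgs = inputs.nixpkgs-unstable;` line moves this one container onto the unstable input without saying why, which makes it look like an accident next to the other hosts. If the reason is that the agate module or package is not in the pinned stable input — something this commit does not show — a one-line `# agate module/package only available in nixpkgs-unstable (TODO: confirm)` next to it would keep a later cleanup from reverting it. The `c3d2-web` attribute set continues outside the hunk.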
@ -1,4 +1,4 @@
|
||||||
{ zentralwerk, nixpkgs, config, pkgs, ... }:
|
{ zentralwerk, nixpkgs, config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
webroot = "/var/www";
|
webroot = "/var/www";
|
||||||
geminiRoot = "/var/gemini";
|
geminiRoot = "/var/gemini";
|
||||||
|
@ -15,12 +15,17 @@ in
|
||||||
}];
|
}];
|
||||||
networking.defaultGateway = "172.20.73.1";
|
networking.defaultGateway = "172.20.73.1";
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
# nginx
|
# http/https
|
||||||
80 443
|
80 443
|
||||||
# molly-brown
|
# gemini
|
||||||
1965
|
1965
|
||||||
];
|
];
|
||||||
|
|
||||||
|
security.acme.certs = {
|
||||||
|
# agate cannot load "ec256" keys
|
||||||
|
"www.c3d2.de".keyType = "rsa4096";
|
||||||
|
};
|
||||||
|
|
||||||
# Web server
|
# Web server
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -83,19 +88,45 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# Gemini server
|
# Gemini server
|
||||||
services.molly-brown = {
|
services.agate = {
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = "c3d2.de";
|
addresses = [
|
||||||
certPath = "/var/lib/acme/www.c3d2.de/cert.pem";
|
# sysctl net.ipv6.bindv6only = 0
|
||||||
keyPath = "/var/lib/acme/www.c3d2.de/key.pem";
|
"[::]:1965"
|
||||||
docBase = geminiRoot;
|
];
|
||||||
settings = {
|
certificatesDir = "/var/lib/agate/certificates";
|
||||||
DefaultLang = "de";
|
contentDir = geminiRoot;
|
||||||
ReadMollyFiles = true;
|
language = "de";
|
||||||
|
};
|
||||||
|
# let agate access the tls certs
|
||||||
|
systemd.services.agate = {
|
||||||
|
requires = [ "agate-keys.service" ];
|
||||||
|
after = [ "agate-keys.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Group = "keys";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.services.agate-keys = {
|
||||||
|
path = with pkgs; [ openssl ];
|
||||||
|
script = let
|
||||||
|
stateDir = "/var/lib/agate/certificates";
|
||||||
|
in ''
|
||||||
|
mkdir -p ${stateDir}
|
||||||
|
openssl x509 \
|
||||||
|
-in /var/lib/acme/www.c3d2.de/cert.pem \
|
||||||
|
-out ${stateDir}/cert.der \
|
||||||
|
-outform DER
|
||||||
|
openssl rsa \
|
||||||
|
-in /var/lib/acme/www.c3d2.de/key.pem \
|
||||||
|
-out ${stateDir}/key.der \
|
||||||
|
-outform DER
|
||||||
|
chown root:keys ${stateDir}/*
|
||||||
|
chmod 0640 ${stateDir}/*
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# let molly-brown access the tls certs
|
|
||||||
systemd.services.molly-brown.serviceConfig.Group = config.services.nginx.group;
|
|
||||||
|
|
||||||
# Build user
|
# Build user
|
||||||
users.groups.c3d2-web = {};
|
users.groups.c3d2-web = {};
|
||||||
|
|
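Review bot: In the `agate-keys` script the private key is written by `openssl rsa ... -out ${stateDir}/key.der` under the service's default umask and only the later `chmod 0640` tightens it, so for a moment `key.der` is readable by any local user, and `mkdir -p` leaves the directory itself world-listable; adding `umask 077` before the `mkdir`, changing the chown to `chown root:keys ${stateDir} ${stateDir}/*` and adding `chmod 0750 ${stateDir}` closes that window while keeping the directory traversable for `Group = "keys"`. The DER copies are also produced only when the oneshot runs: nothing re-runs `agate-keys.service` or restarts `agate.service` after the ACME timer renews `www.c3d2.de`, so agate would keep serving the copied old certificate until the next boot or rebuild. Setting `security.acme.certs."www.c3d2.de".reloadServices = [ "agate.service" ];` should, as I read it, restart agate on renewal and, because `agate-keys` is a oneshot without `RemainAfterExit`, pull the copy step in again through the `requires`/`after` edges added here — worth confirming on the host. Separately, `stateDir = "/var/lib/agate/certificates"` duplicates the `certificatesDir` value in `services.agate.settings`; `stateDir = config.services.agate.settings.certificatesDir;` keeps the two from drifting. The `lib` argument added in this file's first hunk is not referenced in any visible hunk, so if nothing outside the hunks uses it, it can be dropped again.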