
add nixos module

Signed-off-by: Xe Iaso <me@christine.website>

Xe Iaso 0562aff1 3890085b

+162
+162
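--- a/nix/xesite.nix
+++ b/nix/xesite.nix
@@ -0,0 +1,162 @@
+self:
+{ config, lib, pkgs, ... }:
+with lib;
+let cfg = config.within.services.xesite;
+in {
+  options.within.services.xesite = {
+    enable = mkEnableOption "Activates my personal website";
+    useACME = mkEnableOption "Enables ACME for cert stuff";
+
+    port = mkOption {
+      type = types.port;
+      default = 32837;
+      example = 9001;
+      description = "The port number xesite should listen on for HTTP traffic";
+    };
+
+    domain = mkOption {
+      type = types.str;
+      default = "xesite.akua";
+      example = "christine.website";
+      description =
+        "The domain name that nginx should check against for HTTP hostnames";
+    };
+
+    sockPath = mkOption rec {
+      type = types.str;
+      default = "/srv/within/run/xesite.sock";
+      example = default;
+      description = "The unix domain socket that xesite should listen on";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.xesite = {
+      createHome = true;
+      description = "github.com/Xe/site";
+      isSystemUser = true;
+      group = "within";
+      home = "/srv/within/xesite";
+      extraGroups = [ "keys" ];
+    };
+
+    within.secrets.xesite = {
+      source = ./secrets/xesite.env;
+      dest = "/srv/within/xesite/.env";
+      owner = "xesite";
+      group = "within";
+      permissions = "0400";
+    };
+
+    systemd.services.xesite = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "xesite-key.service" "mi.service" ];
+      wants = [ "xesite-key.service" "mi.service" ];
+
+      serviceConfig = {
+        User = "xesite";
+        Group = "within";
+        Restart = "on-failure";
+        WorkingDirectory = "/srv/within/xesite";
+        RestartSec = "30s";
+        Type = "notify";
+
+        # Security
+        CapabilityBoundingSet = "";
+        DeviceAllow = [ ];
+        NoNewPrivileges = "true";
+        ProtectControlGroups = "true";
+        ProtectClock = "true";
+        PrivateDevices = "true";
+        PrivateUsers = "true";
+        ProtectHome = "true";
+        ProtectHostname = "true";
+        ProtectKernelLogs = "true";
+        ProtectKernelModules = "true";
+        ProtectKernelTunables = "true";
+        ProtectSystem = "true";
+        ProtectProc = "invisible";
+        RemoveIPC = "true";
+        RestrictSUIDSGID = "true";
+        RestrictRealtime = "true";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "~@reboot"
+          "~@module"
+          "~@mount"
+          "~@swap"
+          "~@resources"
+          "~@cpu-emulation"
+          "~@obsolete"
+          "~@debug"
+          "~@privileged"
+        ];
+        UMask = "007";
+      };
+
+      script = let site = self.packages.${pkgs.system}.default;
+      in ''
+        export $(cat /srv/within/xesite/.env | xargs)
+        export SOCKPATH=${cfg.sockPath}
+        export PORT=${toString cfg.port}
+        export DOMAIN=${toString cfg.domain}
+        cd ${site}
+        exec ${site}/bin/xesite
+      '';
+    };
+
+    services.cfdyndns = mkIf cfg.useACME { records = [ "xeiaso.net" ]; };
+
+    services.nginx.virtualHosts."xeiaso.net" = {
+      locations."/" = {
+        proxyPass = "http://unix:${toString cfg.sockPath}";
+        proxyWebsockets = true;
+      };
+      forceSSL = cfg.useACME;
+      useACMEHost = "xeiaso.net";
+      extraConfig = ''
+        access_log /var/log/nginx/xesite.access.log;
+      '';
+    };
+
+    services.nginx.virtualHosts."xelaso.net" = let proxyOld = {
+      proxyPass = "http://unix:${toString cfg.sockPath}";
+      proxyWebsockets = true;
+    }; in {
+      locations."/jsonfeed" = proxyOld;
+      locations."/.within/health" = proxyOld;
+      locations."/.within/website.within.xesite/new_post" = proxyOld;
+      locations."/blog.rss" = proxyOld;
+      locations."/blog.atom" = proxyOld;
+      locations."/blog.json" = proxyOld;
+      locations."/".extraConfig = ''
+        return 301 https://xeiaso.net$request_uri;
+      '';
+      forceSSL = cfg.useACME;
+      useACMEHost = "xeiaso.net";
+      extraConfig = ''
+        access_log /var/log/nginx/xesite_old.access.log;
+      '';
+    };
+
+    services.nginx.virtualHosts."christine.website" = let proxyOld = {
+      proxyPass = "http://unix:${toString cfg.sockPath}";
+      proxyWebsockets = true;
+    }; in {
+      locations."/jsonfeed" = proxyOld;
+      locations."/.within/health" = proxyOld;
+      locations."/.within/website.within.xesite/new_post" = proxyOld;
+      locations."/blog.rss" = proxyOld;
+      locations."/blog.atom" = proxyOld;
+      locations."/blog.json" = proxyOld;
+      locations."/".extraConfig = ''
+        return 301 https://xeiaso.net$request_uri;
+      '';
+      forceSSL = cfg.useACME;
+      useACMEHost = "christine.website";
+      extraConfig = ''
+        access_log /var/log/nginx/xesite_old.access.log;
+      '';
+    };
+  };
+}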
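Review bot: The `export $(cat /srv/within/xesite/.env | xargs)` line in the service `script` (line 99) pushes the secret file through shell word-splitting and glob expansion, so any value containing whitespace, `#`, `*`, `$` or an unbalanced quote is silently truncated, split into stray variables, or makes `xargs` fail, and it hardcodes the path already declared as `within.secrets.xesite.dest` on line 45. Let systemd load the file instead: add `EnvironmentFile = "/srv/within/xesite/.env";` to `serviceConfig` and delete the export line, which keeps the secret out of the shell entirely and uses systemd's own KEY=VALUE parsing (the 0400 file is read by systemd, not by the sandboxed process, so the hardening flags are unaffected). While touching the sandbox, `ProtectSystem = "true"` only write-protects /usr and /boot; `"strict"` plus `ReadWritePaths = [ "/srv/within/run" ]` for the socket directory from line 27 is the stronger default, though this presumably also needs that directory to exist and be writable by group `within` before the unit starts — confirm before flipping it. Finally, the `domain` option (line 17) is only exported to the process, while the nginx vhost and the cfdyndns record on lines 108–116 hardcode `xeiaso.net`, so its description "the domain name that nginx should check against" does not match what the module does; either derive the vhost name from `cfg.domain` or reword the description.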