webserver: Use a hardened systemd unit instead of a container

2022-10-12 19:58:09 +01:00 · 2022-10-12 19:58:09 +01:00 · 068e6d5d77
commit 068e6d5d77
parent b6594cea54
6 changed files with 321 additions and 401 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -1,5 +1,4 @@
 {
-  config,
  pkgs,
  lib,
  ...
@ -10,7 +9,6 @@
    ./services/webserver.nix
    ./services/starbound.nix
    ./services/postgres.nix
-    ./ids.nix
    ./sops.nix
  ];

@ -67,30 +65,12 @@
    recommendedProxySettings = true;
    clientMaxBodySize = "10G";
    domain = "tlater.net";
-
-    virtualHosts = let
-      proxyPassToPort = port: extra:
-        lib.recursiveUpdate {
-          forceSSL = true;
-          enableACME = true;
-          locations."/".proxyPass = "http://127.0.0.1:${toString port}";
-          extraConfig = ''
-            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-          '';
-        }
-        extra;
-      domain = config.services.nginx.domain;
-    in {
-      "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
-    };
  };

  security.acme = {
-    email = "tm@tlater.net";
+    defaults.email = "tm@tlater.net";
    acceptTerms = true;
  };

-  virtualisation.oci-containers.backend = "podman";
-
  system.stateVersion = "20.09";
 }
--- a/configuration/ids.nix
+++ b/configuration/ids.nix
@ -1,11 +0,0 @@
-{...}: {
-  ids.uids = {
-    # System user ids start at 400 (see nixos/modules/programs/shadow.nix)
-    webserver = 400;
-    # The limit is 999
-  };
-
-  ids.gids = {
-    webserver = 400;
-  };
-}
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -1,47 +1,26 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  users = {
-    extraUsers.webserver = {
-      uid = config.ids.uids.webserver;
-      group = config.users.extraGroups.webserver.name;
-      isSystemUser = true;
-      description = "tlater.net web server user";
+{config, ...}: let
+  domain = config.services.nginx.domain;
+in {
+  services.tlaternet-webserver = {
+    enable = true;
+    listen = {
+      addr = "127.0.0.1";
+      port = 8000;
    };
-    extraGroups.webserver = {gid = config.ids.gids.webserver;};
  };

-  virtualisation.oci-containers.containers.webserver = {
-    image = "tlaternet/webserver";
+  # Set up SSL
+  services.nginx.virtualHosts."${domain}" = let
+    inherit (config.services.tlaternet-webserver.listen) addr port;
+  in {
+    serverAliases = ["www.${domain}"];

-    imageFile = pkgs.dockerTools.buildImage {
-      name = "tlaternet/webserver";
-      tag = "latest";
-      contents = pkgs.tlaternet-webserver.webserver;
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    '';

-      config = let
-        uid = toString config.users.extraUsers.webserver.uid;
-        gid = toString config.users.extraGroups.webserver.gid;
-      in {
-        Cmd = ["tlaternet-webserver"];
-        Volumes = {"/srv/mail" = {};};
-        Env = [
-          "ROCKET_PORT=3002"
-          "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
-        ];
-        ExposedPorts = {"3002" = {};};
-        User = "${uid}:${gid}";
-      };
-    };
-
-    ports = ["3002:3002"];
-    volumes = ["tlaternet-mail:/srv/mail"];
-    extraOptions = [
-      "--hostname=tlater.net"
-      # Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.
-      "--stop-signal=SIGKILL"
-    ];
+    locations."/".proxyPass = "http://${addr}:${toString port}";
  };
 }