webserver: Use a hardened systemd unit instead of a container

configuration/services/webserver.nix

@@ -1,47 +1,26 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  users = {
-    extraUsers.webserver = {
-      uid = config.ids.uids.webserver;
-      group = config.users.extraGroups.webserver.name;
-      isSystemUser = true;
-      description = "tlater.net web server user";
+{config, ...}: let
+  domain = config.services.nginx.domain;
+in {
+  services.tlaternet-webserver = {
+    enable = true;
+    listen = {
+      addr = "127.0.0.1";
+      port = 8000;
     };
-    extraGroups.webserver = {gid = config.ids.gids.webserver;};
   };
 
-  virtualisation.oci-containers.containers.webserver = {
-    image = "tlaternet/webserver";
+  # Set up SSL
+  services.nginx.virtualHosts."${domain}" = let
+    inherit (config.services.tlaternet-webserver.listen) addr port;
+  in {
+    serverAliases = ["www.${domain}"];
 
-    imageFile = pkgs.dockerTools.buildImage {
-      name = "tlaternet/webserver";
-      tag = "latest";
-      contents = pkgs.tlaternet-webserver.webserver;
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    '';
 
-      config = let
-        uid = toString config.users.extraUsers.webserver.uid;
-        gid = toString config.users.extraGroups.webserver.gid;
-      in {
-        Cmd = ["tlaternet-webserver"];
-        Volumes = {"/srv/mail" = {};};
-        Env = [
-          "ROCKET_PORT=3002"
-          "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
-        ];
-        ExposedPorts = {"3002" = {};};
-        User = "${uid}:${gid}";
-      };
-    };
-
-    ports = ["3002:3002"];
-    volumes = ["tlaternet-mail:/srv/mail"];
-    extraOptions = [
-      "--hostname=tlater.net"
-      # Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.
-      "--stop-signal=SIGKILL"
-    ];
+    locations."/".proxyPass = "http://${addr}:${toString port}";
   };
 }