webserver: Use a hardened systemd unit instead of a container

2022-10-12 19:58:09 +01:00 · 2022-10-12 19:58:09 +01:00 · bf1d10f12a
commit bf1d10f12a
parent f2fd9cd121
5 changed files with 17 additions and 327 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -66,22 +66,6 @@
    recommendedProxySettings = true;
    clientMaxBodySize = "10G";
    domain = "tlater.net";
-
-    virtualHosts = let
-      proxyPassToPort = port: extra:
-        lib.recursiveUpdate {
-          forceSSL = true;
-          enableACME = true;
-          locations."/".proxyPass = "http://127.0.0.1:${toString port}";
-          extraConfig = ''
-            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-          '';
-        }
-        extra;
-      domain = config.services.nginx.domain;
-    in {
-      "${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
-    };
  };

  security.acme = {
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@ -1,47 +1,20 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  users = {
-    extraUsers.webserver = {
-      uid = config.ids.uids.webserver;
-      group = config.users.extraGroups.webserver.name;
-      isSystemUser = true;
-      description = "tlater.net web server user";
-    };
-    extraGroups.webserver = {gid = config.ids.gids.webserver;};
-  };
+{config, ...}: let
+  domain = config.services.nginx.domain;
+in {
+  services.tlaternet-webserver.enable = true;

-  virtualisation.oci-containers.containers.webserver = {
-    image = "tlaternet/webserver";
+  # Set up SSL
+  services.nginx.virtualHosts."${domain}" = let
+    inherit (config.services.tlaternet-webserver.listen) addr port;
+  in {
+    serverAliases = ["www.${domain}"];

-    imageFile = pkgs.dockerTools.buildImage {
-      name = "tlaternet/webserver";
-      tag = "latest";
-      contents = pkgs.tlaternet-webserver.webserver;
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    '';

-      config = let
-        uid = toString config.users.extraUsers.webserver.uid;
-        gid = toString config.users.extraGroups.webserver.gid;
-      in {
-        Cmd = ["tlaternet-webserver"];
-        Volumes = {"/srv/mail" = {};};
-        Env = [
-          "ROCKET_PORT=3002"
-          "ROCKET_TEMPLATE_DIR=${pkgs.tlaternet-templates.templates}/browser/"
-        ];
-        ExposedPorts = {"3002" = {};};
-        User = "${uid}:${gid}";
-      };
-    };
-
-    ports = ["3002:3002"];
-    volumes = ["tlaternet-mail:/srv/mail"];
-    extraOptions = [
-      "--hostname=tlater.net"
-      # Rocket 0.4 doesn't support SIGTERM anyway, so SIGKILL is the cleanest exit possible.
-      "--stop-signal=SIGKILL"
-    ];
+    locations."/".proxyPass = "http://${addr}:${toString port}";
  };
 }