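{
  pkgs,
  config,
  lib,
  flake-inputs,
  ...
}:
let
  inherit (config.services.nginx) domain;
in
{
  # The application itself only listens on loopback (see LEPTOS_SITE_ADDR);
  # 80/443 are opened for the nginx reverse proxy configured below.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  systemd.services.tlaternet-webserver = {
    description = "tlater.net webserver";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    # Run the flake's own `webserver` package for the host's system.
    script = ''
      ${lib.getExe flake-inputs.self.packages.${pkgs.system}.webserver}
    '';

    environment = {
      # NOTE(review): assumes `listen-http` includes a host part; a bare
      # ":port" value would produce an unusable "http://:port" URL — confirm.
      TLATERNET_NTFY_INSTANCE = "http://${config.services.ntfy-sh.settings.listen-http}";
      # Loopback only: nginx terminates TLS and proxies to this address.
      LEPTOS_SITE_ADDR = "127.0.0.1:8000";
    };

    serviceConfig = {
      Type = "exec";
      # The topic is a secret, so it is passed through the credentials
      # directory instead of the environment; this keeps it out of
      # /proc/<pid>/environ and `systemctl show` output.
      LoadCredential = "ntfy-topic:/run/secrets/tlaternet/ntfy-topic";

      DynamicUser = true;
      # The server binds an unprivileged loopback port and needs no
      # capabilities; drop the whole bounding set so none are inherited.
      CapabilityBoundingSet = "";
      # Anything the service creates stays private to its dynamic user.
      UMask = "0077";
      ProtectHome = true; # Override the DynamicUser default (read-only) and hide /home entirely
      PrivateDevices = true;
      PrivateIPC = true;
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      # AF_INET/AF_INET6 are required for the loopback listener and the
      # outbound ntfy calls; AF_UNIX for journald/notify sockets.
      RestrictAddressFamilies = [
        "AF_UNIX"
        "AF_INET"
        "AF_INET6"
      ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged @resources @setuid @keyring"
      ];
    };
  };

  # Set up SSL: nginx terminates TLS for the domain and proxies to the
  # loopback address the service was given above, so the two stay in sync.
  services.nginx.virtualHosts."${domain}" = {
    # NOTE(review): the ACME cert for "tlater.net" must also cover this alias — confirm.
    serverAliases = [ "www.${domain}" ];

    forceSSL = true;
    useACMEHost = "tlater.net";
    enableHSTS = true;

    locations."/".proxyPass =
      "http://${config.systemd.services.tlaternet-webserver.environment.LEPTOS_SITE_ADDR}";
  };

  # Decrypted to /run/secrets/tlaternet/ntfy-topic, which LoadCredential
  # above reads at service start (systemd reads it, not the dynamic user).
  sops.secrets = {
    "tlaternet/ntfy-topic" = { };
  };
}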