diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index 3952e7cc27..a2d302d3e6 100644
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -11,6 +11,7 @@ in {
 ../lib/zfs.nix
 ../lib/bgp.nix
 ../lib/whitby-distributed.nix
+ ../lib/quotes.bfob.gg.nix
 ];
 boot.initrd = {
@@ -205,6 +206,7 @@ in {
 enable = true;
 virtualHosts = {
 "clouvider-lon01.as205479.net" = {
+ default = true;
 listen = [
 {addr = "185.198.188.29"; port = 80; ssl = false;}
 {addr = "[2a0a:54c0:0:17::2]"; port = 80; ssl = false;}
diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 1fbcbf4330..795a970b06 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -170,5 +170,12 @@ in
 system.nixos.tags = lib.mkBefore [ depot.version ];
+
+ services.nginx = {
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ };
 };
 }
diff --git a/ops/nixos/lib/quotes.bfob.gg.nix b/ops/nixos/lib/quotes.bfob.gg.nix
new file mode 100644
index 0000000000..d794ce5466
--- /dev/null
+++ b/ops/nixos/lib/quotes.bfob.gg.nix
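Review bot: The reason for `default = true;` on the clouvider-lon01.as205479.net vhost is not recorded, and nothing in the hunk ties it to the quotes.bfob.gg vhost that the first hunk of this file imports. Presumably it is there so that requests arriving with a Host header matching no server_name (IP-literal requests, scanners) are answered by this vhost instead of falling through to whichever server block nginx would otherwise pick for that address; a comment above the line such as `# Catch requests with an unmatched Host header here rather than on the quotes.bfob.gg vhost` would keep a later cleanup from dropping it. The listen list and the enclosing virtualHosts attrset continue outside the hunk.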
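Review bot: The four `recommended*Settings` options added to common.nix are assigned a plain `true`, so a host that needs to turn one of them off has to use `lib.mkForce` against a shared lib module; the new quotes.bfob.gg.nix in this same commit writes `enable = lib.mkDefault true;` for exactly that reason. Writing them as `recommendedTlsSettings = lib.mkDefault true;` (and likewise for the other three) keeps the two lib modules consistent and lets per-host config override them normally. One case where that matters: `recommendedGzipSettings` also compresses proxied dynamic responses, which a host operating a session-bearing app behind TLS may prefer to disable. The enclosing attrset opens outside the hunk.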
@@ -0,0 +1,64 @@
+{ config, depot, lib, ... }:
+
+let
+ inherit (depot.ops) secrets;
+ pkg = depot.web.quotes;
+
+ sock = "/run/quotesdb/gunicorn.sock";
+in
+{
+ config = {
+ security.acme = {
+ acceptTerms = true;
+ email = lib.mkDefault "letsencrypt@lukegb.com";
+ certs."bfob.gg" = {
+ group = config.services.nginx.group;
+ dnsProvider = "cloudflare";
+ credentialsFile = secrets.cloudflareCredentials;
+ extraDomainNames = ["*.bfob.gg"];
+ };
+ };
+ services.nginx = {
+ enable = lib.mkDefault true;
+ virtualHosts."qdb.bfob.gg" = {
+ useACMEHost = "bfob.gg";
+ globalRedirect = "quotes.bfob.gg";
+ forceSSL = true;
+ };
+ virtualHosts."quotes.bfob.gg" = {
+ useACMEHost = "bfob.gg";
+ forceSSL = true;
+ locations."/static" = {
+ root = "${pkg}/share";
+ };
+ locations."/" = {
+ proxyPass = "http://unix:${sock}";
+ };
+ };
+ };
+
+ services.postgresql = {
+ enable = lib.mkDefault true;
+ ensureDatabases = lib.mkAfter [ "quotesdb" ];
+ ensureUsers = lib.mkAfter [{
+ name = "quotesdb";
+ ensurePermissions = {
+ "DATABASE quotesdb" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+
+ systemd.services.quotesdb = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ EnvironmentFile = secrets.quotesdb.environment;
+ RuntimeDirectory = "quotesdb";
+ ExecStart = "${pkg}/bin/quotes --workers 3 --bind unix:${sock}";
+ DynamicUser = true;
+ Group = "nginx";
+ UMask = "0007";
+ };
+ };
+ };
+}
diff --git a/ops/nixos/porcorosso/default.nix b/ops/nixos/porcorosso/default.nix
index e094ac5db6..8858bce0d4 100644
--- a/ops/nixos/porcorosso/default.nix
+++ b/ops/nixos/porcorosso/default.nix
@@ -20,6 +20,8 @@ in {
 ../lib/zfs.nix
 ../lib/graphical-client.nix
 ../lib/whitby-distributed.nix
+
+ ../lib/quotes.bfob.gg.nix
 ];
 boot.initrd.availableKernelModules = [
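Review bot: `systemd.services.quotesdb` orders itself only `after = [ "network.target" ]`, yet the same module enables a local `services.postgresql` whose `quotesdb` database the gunicorn app presumably needs at startup, so on boot the workers can come up before postgresql.service is listening and fail their first connections. Adding the dependency, `after = [ "network.target" "postgresql.service" ]; wants = [ "postgresql.service" ];`, fixes that without touching anything else. Two points worth a comment in the file: `locations."/static".root = "${pkg}/share"` makes nginx map `/static/x` to `${pkg}/share/static/x` (nginx `root` keeps the location prefix, unlike `alias`), which is only right if the package lays its files out that way; and this module is imported by both clouvider-lon01 and porcorosso in this commit, each with its own postgresql and hence its own copy of the database, so a header line stating which host is meant to serve bfob.gg would help the next reader. The DynamicUser/RuntimeDirectory/UMask combination for the socket looks right as written.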
@@ -270,7 +272,6 @@ in { mandatoryFeatures = [ ]; }]; - # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you