{ config, lib, ... }: let rootDomain = config.networking.domain; ports = import ./Ports.nix; in { services = { radicale = { enable = true; config = '' [server] hosts = 0.0.0.0:${toString ports.radicale}, [::]:${toString ports.radicale} [auth] type = htpasswd htpasswd_filename = /etc/radicale/users htpasswd_encryption = plain ''; }; gmnisrv = { enable = true; settings = { listen = "0.0.0.0:${toString ports.gemini} [::]:${toString ports.gemini}"; ":tls" = { store = "/var/lib/gmnisrv"; }; "bsima.me" = { "root" = "/srv/www/ben"; }; "simatime.com" = { "root" = "/srv/www/simatime.com"; "cgi" = "on"; }; }; }; nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; statusPage = true; user = "nginx"; group = "nginx"; virtualHosts = { ${rootDomain} = { forceSSL = true; enableACME = true; locations = { "/" = { root = "/srv/www/simatime.com"; extraConfig = '' autoindex on; ''; }; # serve /~$USER paths "~ ^/~(.+?)(/.*)?$" = { alias = "/srv/www/$1$2"; index = "index.html index.htm"; extraConfig = '' autoindex on; ''; }; }; cgit = { enable = true; location = "/git"; virtual-root = "/git"; css = "/git/cgit.css"; logo = "/git/cgit.png"; root-title = "ben's git repos"; root-desc = "building"; enable-git-config = 1; clone-url = lib.strings.concatStringsSep " " [ "https://$HTTP_HOST/git/$CGIT_REPO_URL" "git://$HTTP_HOST/$CGIT_REPO_URL" "git@$HTTP_HOST:$CGIT_REPO_URL" ]; include = [ # these depend on order, scan-path must come last (builtins.toFile "cgitrc" '' strict-export=git-daemon-export-ok scan-path=/srv/git/repositories '') ]; }; }; "bsima.me" = { locations."/" = { root = "/srv/www/ben"; index = "index.html index.htm"; extraConfig = '' autoindex on; ''; }; serverAliases = [ "www.bsima.me" ]; forceSSL = true; useACMEHost = rootDomain; }; "hoogle.${rootDomain}" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.hoogle}"; forceSSL = true; useACMEHost = rootDomain; }; "tv.${rootDomain}" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.jellyfin}"; forceSSL = true; useACMEHost = rootDomain; }; "cal.${rootDomain}" = { locations."/".proxyPass = "http://localhost:${toString ports.radicale}"; forceSSL = true; useACMEHost = rootDomain; }; "devalloc.io" = { forceSSL = true; useACMEHost = rootDomain; globalRedirect = "dragons.dev"; }; "dragons.dev" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.dragons}"; forceSSL = true; useACMEHost = rootDomain; }; "dandel-rovbur.${rootDomain}" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.dandel-rovbur}"; forceSSL = true; useACMEHost = rootDomain; }; "sabten.${rootDomain}" = { locations."/".proxyPass = "http://localhost:${toString ports.sabten}"; forceSSL = true; useACMEHost = rootDomain; }; "notebook.simatime.com" = { forceSSL = true; useACMEHost = rootDomain; locations = { "/" = { proxyPass = "http://${ports.bensIp}:${toString ports.jupyter}"; proxyWebsockets = true; extraConfig = '' proxy_buffering off; proxy_read_timeout 86400; ''; }; "/(api/kernels/[^/]+/channels|terminals/websocket)/" = { proxyPass = "http://${ports.bensIp}:${toString ports.jupyter}"; proxyWebsockets = true; }; }; }; "grocy.${rootDomain}" = { useACMEHost = rootDomain; forceSSL = true; }; }; }; }; # This must contain all of the other domains we host security.acme.certs.${rootDomain}.extraDomainNames = [ "bsima.me" "www.bsima.me" "dragons.dev" "devalloc.io" ] ++ map (sub: "${sub}.${rootDomain}") [ "tv" "matrix" "chat" "hoogle" "dandel-rovbur" "sabten" "cal" "notebook" "grocy" ]; }