{ config, ... }: let rootDomain = config.networking.domain; ports = import ./Ports.nix; in { networking.firewall = { allowedTCPPorts = [ ports.ssh ports.git ports.http ports.https ports.sabten ports.gemini ports.radicale ports.znc ]; }; services = { radicale = { enable = true; settings = { server = { hosts = [ "0.0.0.0:${toString ports.radicale}" "[::]:${toString ports.radicale}" ]; }; auth = { type = "htpasswd"; htpasswd_filename = "/etc/radicale/users"; htpasswd_encryption = "plain"; }; }; }; gmnisrv = { enable = true; settings = { listen = "0.0.0.0:${toString ports.gemini} [::]:${toString ports.gemini}"; ":tls" = { store = "/var/lib/gmnisrv"; }; "bsima.me" = { "root" = "/var/web/ben"; }; "simatime.com" = { "root" = "/var/web/simatime.com"; "cgi" = "on"; }; }; }; nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; statusPage = true; user = "nginx"; group = "nginx"; virtualHosts = { ${rootDomain} = { forceSSL = true; enableACME = true; locations = { # the nginx/cgit module puts a '/' at the end of 'location', so we need to # redirect '/git' to '/git/' "/git".return = "301 https://$host/git/"; # disabled for nixpert test #"/" = { # root = "/var/web/simatime.com"; # extraConfig = '' # autoindex on; # ''; #}; # serve /~$USER paths "~ ^/~(.+?)(/.*)?$" = { alias = "/var/web/$1$2"; index = "index.html index.htm"; extraConfig = '' autoindex on; ''; }; }; }; "bsima.me" = { locations."/" = { root = "/var/web/ben"; index = "index.html index.htm"; extraConfig = '' autoindex on; ''; }; serverAliases = [ "www.bsima.me" ]; forceSSL = true; useACMEHost = rootDomain; }; "hoogle.${rootDomain}" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.hoogle}"; forceSSL = true; useACMEHost = rootDomain; }; "tv.${rootDomain}" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.jellyfin}"; forceSSL = true; useACMEHost = rootDomain; }; "cal.${rootDomain}" = { locations."/".proxyPass = "http://localhost:${toString ports.radicale}"; forceSSL = true; useACMEHost = rootDomain; }; "devalloc.io" = { forceSSL = true; useACMEHost = rootDomain; globalRedirect = "dragons.dev"; }; "dragons.dev" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.dragons}"; forceSSL = true; useACMEHost = rootDomain; }; "dandel-rovbur.${rootDomain}" = { locations."/".proxyPass = "http://${ports.bensIp}:${toString ports.dandel-rovbur}"; forceSSL = true; useACMEHost = rootDomain; }; "sabten.${rootDomain}" = { locations."/".proxyPass = "http://localhost:${toString ports.sabten}"; forceSSL = true; useACMEHost = rootDomain; }; "notebook.simatime.com" = { forceSSL = true; useACMEHost = rootDomain; locations = { "/" = { proxyPass = "http://${ports.bensIp}:${toString ports.jupyter}"; proxyWebsockets = true; extraConfig = '' proxy_buffering off; proxy_read_timeout 86400; ''; }; "/(api/kernels/[^/]+/channels|terminals/websocket)/" = { proxyPass = "http://${ports.bensIp}:${toString ports.jupyter}"; proxyWebsockets = true; }; }; }; }; }; }; # This must contain all of the other domains we host security.acme.certs.${rootDomain}.extraDomainNames = [ "bsima.me" "www.bsima.me" "dragons.dev" "devalloc.io" "nixpert.chat" ] ++ map (sub: "${sub}.${rootDomain}") [ "tv" "matrix" "chat" "hoogle" "dandel-rovbur" "sabten" "cal" "notebook" ]; }