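# NixOS container definition for the "webserver" guest: nginx (ACME-backed TLS)
# in front of a PHP-FPM pool, MariaDB and HedgeDoc. Called with the host-side
# addressing and the two host ports that are forwarded into the container.
{ hostAddress, localAddress, httpPort ? 80, httpsPort ? 443 }:
let
  # Encrypted secrets; only the hedgedoc dropbox oauth block is read below.
  passwords = import ../../variables/passwords.crypt.nix;
  # Single public name used for DNS updates, the ACME cert, the nginx vhost
  # and the HedgeDoc configuration.
  domain = "www.stefanjunker.de";
in
{
  config = { config, pkgs, lib, ... }: {
    system.stateVersion = "22.05"; # Did you read the comment?

    imports = [ ../profiles/containers/configuration.nix ];

    # The guest runs no firewall of its own: reachability is bounded by
    # privateNetwork plus the forwardPorts list below. Keep that in mind if a
    # service inside the container starts listening on 0.0.0.0.
    networking.firewall.enable = false;

    services.ddclientovh = {
      enable = true;
      inherit domain;
    };

    security.acme = {
      acceptTerms = true;
      certs.${domain}.email = "mail@stefanjunker.de";
      preliminarySelfsigned = true;
      # can be used for debugging
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx = {
      enable = true;
      recommendedProxySettings = true;

      virtualHosts.${domain} = {
        default = true;
        addSSL = true;
        listen = [
          { addr = "0.0.0.0"; port = httpPort; ssl = false; }
          { addr = "0.0.0.0"; port = httpsPort; ssl = true; }
        ];
        root = "/var/www/stefanjunker.de/htdocs";
        enableACME = true;
        # serverAliases = [
        #   "www.stefanjunker.de"
        # ];
        # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt";
        # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key";

        locations."/fi" = {
          index = "index.php";
        };

        # The dot before "php" has to reach nginx as a literal "\.": in a
        # normal Nix string "\." collapses to ".", so it is spelled "\\." here.
        # The earlier pattern ("(.+.php)") matched any character in that slot.
        locations."~ ^(.+\\.php)(.*)$".extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(.*)$;
          # Only forward script names that exist under the vhost root; anything
          # else is answered by nginx with 404 instead of being handed to FPM.
          try_files $fastcgi_script_name =404;
          fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket};
          fastcgi_index index.php;
        '';

        # HedgeDoc is reverse-proxied from the loopback port it listens on.
        locations."/hedgedoc/" = {
          proxyPass = "http://127.0.0.1:3000/";
        };
        locations."/hedgedoc/socket.io/" = {
          proxyPass = "http://127.0.0.1:3000/socket.io/";
          proxyWebsockets = true;
        };
      };
    };

    services.phpfpm.pools.mypool = {
      user = "nobody";
      # NOTE(review): pkgs.php5 is a custom build (see the systemd override
      # below) of a PHP branch that no longer receives upstream fixes; its
      # origin is not pinned anywhere in this file.
      phpPackage = pkgs.php5;
      settings = {
        "listen.owner" = config.services.nginx.user;
        "pm" = "dynamic";
        "pm.max_children" = 5;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 1;
        "pm.max_spare_servers" = 3;
        "pm.max_requests" = 500;
        # Quiets notices/warnings in the pool's error output only; it does not
        # change what the scripts do.
        "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED";
      };
    };

    # the custom php5 we're using here has no fpm-systemd, so
    # the default `Type = "notify"` won't work
    systemd.services."phpfpm-mypool" = {
      serviceConfig = {
        Type = lib.mkForce "simple";
      };
    };

    services.mysql = {
      enable = true;
      # NOTE(review): pinned to a specific MariaDB series; check it is still
      # maintained before relying on it for an internet-facing host.
      package = pkgs.mariadb_104;
    };

    services.hedgedoc = {
      enable = true;
      configuration = {
        inherit domain;
        urlPath = "hedgedoc";
        protocolUseSSL = true;
        db = {
          dialect = "sqlite";
          storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
        };
        # Closed instance: no anonymous access, no self-registration, private
        # notes by default.
        allowAnonymous = false;
        allowAnonymousEdits = false;
        allowGravatar = false;
        allowFreeURL = false;
        defaultPermission = "private";
        allowEmailRegister = false;
        # oauth2 provider config
        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;
        # NOTE(review): this path lies outside the /var/lib/hedgedoc bind mount
        # declared below, so uploads may only exist inside the container's own
        # filesystem — confirm this is intended.
        uploadsPath = "/var/lib/codimd/uploads";
      };
    };
  };

  autoStart = true;

  # Host directories projected into the guest; the secrets tree stays read-only.
  bindMounts = {
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
      isReadOnly = true;
    };
    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
      isReadOnly = false;
    };
    "/var/lib/mysql" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
      isReadOnly = false;
    };
    "/var/lib/hedgedoc" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
      isReadOnly = false;
    };
  };

  # Own network namespace; only the two web ports are mapped from the host.
  privateNetwork = true;
  forwardPorts = [
    { # http
      containerPort = 80;
      hostPort = httpPort;
      protocol = "tcp";
    }
    { # https
      containerPort = 443;
      hostPort = httpsPort;
      protocol = "tcp";
    }
  ];
  inherit hostAddress localAddress;
}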