infra/nix/os/containers/webserver.nix

{
  hostAddress,
  localAddress,
  httpPort ? 80,
  httpsPort ? 443,
  autoStart ? false,
}: let
  passwords = import ../../variables/passwords.crypt.nix;
in {
  config = {
    config,
    pkgs,
    lib,
    ...
  }: {
    system.stateVersion = "22.05"; # Did you read the comment?

    imports = [../profiles/containers/configuration.nix];

    networking.firewall.enable = false;

    services.ddclientovh = {
      enable = true;
      domain = "www.stefanjunker.de";
    };

    security.acme = {
      acceptTerms = true;
      certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
      preliminarySelfsigned = true;

      # can be used for debugging
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
    };

    services.nginx.enable = true;
    services.nginx.recommendedProxySettings = true;
    services.nginx.virtualHosts."www.stefanjunker.de" = {
      default = true;
      addSSL = true;
      listen = [
        {
          addr = "0.0.0.0";
          port = httpPort;
          ssl = false;
        }
        {
          addr = "0.0.0.0";
          port = httpsPort;
          ssl = true;
        }
      ];

      root = "/var/www/stefanjunker.de/htdocs";

      enableACME = true;

      locations."/hedgedoc/" = {proxyPass = "http://[::1]:3000/";};

      locations."/hedgedoc/socket.io/" = {
        proxyPass = "http://[::1]:3000/socket.io/";
        proxyWebsockets = true;
      };
    };

    services.hedgedoc = {
      enable = true;
      settings = {
        domain = "www.stefanjunker.de";
        urlPath = "hedgedoc";
        protocolUseSSL = true;
        db = {
          dialect = "sqlite";
          storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
        };

        allowAnonymous = false;
        allowAnonymousEdits = false;
        allowGravatar = false;
        allowFreeURL = false;
        defaultPermission = "private";
        allowEmailRegister = false;

        # oauth2 provider config
        inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;

        uploadsPath = "/var/lib/hedgedoc/uploads";
      };
    };
  };

  inherit autoStart;

  bindMounts = {
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/webserver/etc-secrets";
      isReadOnly = true;
    };

    "/var/www" = {
      hostPath = "/var/lib/container-volumes/webserver/var-www";
      isReadOnly = false;
    };

    "/var/lib/mysql" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
      isReadOnly = false;
    };

    "/var/lib/hedgedoc" = {
      hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
      isReadOnly = false;
    };
  };

  extraFlags = ["--resolv-conf=bind-host"];

  privateNetwork = true;
  forwardPorts = [
    {
      # http
      containerPort = 80;
      hostPort = httpPort;
      protocol = "tcp";
    }
    {
      # https
      containerPort = 443;
      hostPort = httpsPort;
      protocol = "tcp";
    }
  ];

  inherit hostAddress localAddress;
}