  1  { inputs, config, pkgs, lib, modulesPath, hostname, modulespath, ... }:
  2  
  3  {
  4    imports = [
  5      ../../modules/virtualization/lxc/proxmox-lxc.nix
  6      (modulespath + /server/security/acme/cloudflare.nix)
  7      (modulespath + /server/web/nginx)
  8    ];
  9  
 10    home-manager = import ../../home-manager;
 11  
 12    modules.acme.certs = {
 13      "keys.spacetime.technology" = {
 14        domain = "keys.spacetime.technology";
 15      };
 16    };
 17  
 18    services = let
 19      srv = {
 20        DOMAIN = "keys.spacetime.technology";
 21        HTTP_PORT = 11371;
 22      };
 23    in {
 24      nginx.virtualHosts.${srv.DOMAIN} = {
 25        forceSSL = true;
 26        sslCertificate = "/var/lib/acme/" + srv.DOMAIN + "/cert.pem";
 27        sslCertificateKey = "/var/lib/acme/" + srv.DOMAIN + "/key.pem";
 28  
 29        http3 = true;
 30        http3_hq = true;
 31        quic = true;
 32        kTLS = true;
 33        reuseport = true;
 34  
 35        extraConfig = ''
 36          client_max_body_size 512M;
 37        '';
 38        locations."/" = {
 39          proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
 40          extraConfig = ''
 41            more_set_headers 'Onion-Location: http://hm3zkbzu2cwujjnktacpjvh2vk2jrp7pagx3zsoy5c5htehhotxpjvyd.onion:80$request_uri';
 42          '';
 43        };
 44      };
 45      hockeypuck = rec {
 46        enable = true;
 47        port = 11371;
 48        settings = {
 49          loglevel = "INFO";
 50          logfile = "/var/log/hockeypuck/hockeypuck.log";
 51          indexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl";
 52          vindexTemplate = "${pkgs.hockeypuck-web}/share/templates/index.html.tmpl";
 53          statsTemplate = "${pkgs.hockeypuck-web}/share/templates/stats.html.tmpl";
 54          webroot = "${pkgs.hockeypuck-web}/share/webroot";
 55  
 56          hkp.bind = ":${toString port}";
 57  
 58          openpgp.db = {
 59            driver = "postgres-jsonb";
 60            dsn = "database=hockeypuck host=/var/run/postgresql sslmode=disable";
 61          };
 62        };
 63      };
 64      postgresql = {
 65        enable = true;
 66        ensureDatabases = [ "hockeypuck" ];
 67        ensureUsers = [{
 68          name = "hockeypuck";
 69          ensureDBOwnership = true;
 70        }];
 71      };
 72  
 73      tor = {
 74        enable = true;
 75        #openFirewall = false;
 76        relay = {
 77          onionServices = {
 78            hockeypuck = {
 79              version = 3;
 80              map = [
 81              { port = 80; target = { addr = "127.0.0.1"; port = 11371; }; }
 82              ];
 83            };
 84          };
 85        };
 86      };
 87    };
 88  
 89  
 90    networking = {
 91      hostName = hostname;
 92      nameservers = [
 93        "192.168.10.112"
 94        "192.168.10.114"
 95      ];
 96      firewall = {
 97        enable = true;
 98        allowedTCPPorts = [ 80 443 ];
 99        allowedUDPPorts = [ 443 ];
100      };
101    };
102  }