commit 9f42f615e7d24633c2cfd4490fa59b3172ab693d
parent 24914aeb10467ef07c8b7ecd3bbc25c6a6f98fdd
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 20 Mar 2025 15:17:48 +0100
parent 24914aeb10467ef07c8b7ecd3bbc25c6a6f98fdd
Author: Katja (ctucx) <git@ctu.cx>
Date: Thu, 20 Mar 2025 15:17:48 +0100
configurations/nixos/websites: add `gomuks.ctu.cx` (and enable on node `briefkasten`)
3 files changed, 64 insertions(+), 0 deletions(-)
A
|
49
+++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/configurations/nixos/websites/gomuks.ctu.cx.nix b/configurations/nixos/websites/gomuks.ctu.cx.nix
@@ -0,0 +1,48 @@
+{ secrets, config, ... }:
+
+{
+
+ dns.zones."ctu.cx".subdomains.gomuks.CNAME = [ "${config.networking.fqdn}." ];
+
+ age.secrets.gomuksWebEnv.file = secrets."${config.networking.hostName}".gomuksWebEnv;
+
+ services.gomuks-web = {
+ enable = true;
+ environmentFile = config.age.secrets.gomuksWebEnv.path;
+ settings = {
+ web.listen_address = "[::1]:8180";
+ web.username = "$USERNAME";
+ web.password_hash = "$PASSWORD";
+ web.token_key = "$TOKEN_KEY";
+ web.debug_endpoints = false;
+ web.event_buffer_size = 512;
+ web.origin_patterns = [ "gomuks.ctu.cx:*" ];
+ matrix.disable_http2 = false;
+ push.fcm_gateway = "https://push.gomuks.app";
+ media.thumbnail_size = 120;
+ logging.min_level = "debug";
+ logging.writers = [{ type = "stdout"; format = "pretty-colored"; }];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "gomuks.ctu.cx" = {
+ useACMEHost = "${config.networking.fqdn}";
+ forceSSL = true;
+ kTLS = true;
+# extraConfig = ''
+# ssl_crl /etc/ctucxCA.crl;
+# ssl_client_certificate ${../../secrets/certs/rootCA.crt};
+# ssl_verify_client on;
+# '';
+ locations."/" = {
+ proxyPass = "http://${config.services.gomuks-web.settings.web.listen_address}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+
+}+ \ No newline at end of file
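Review bot: The `gomuks.ctu.cx` virtual host ships with its client-certificate block (`ssl_client_certificate` / `ssl_verify_client on`) commented out, so the only gate in front of the proxied gomuks web UI is the application's own `web.username` / `web.password_hash` login. If that is intended, replace the dead block with a one-line comment recording the decision, e.g. `# client-cert auth disabled: <reason>`; otherwise re-enable it before the CNAME goes live. Separately, `logging.min_level = "debug"` goes to the `stdout` writer and so presumably lands in the system journal; for a Matrix client that may record more session detail than wanted, so `logging.min_level = "info";` looks like the safer default. The variable fed into `web.password_hash` is named `$PASSWORD`; a name such as `$PASSWORD_HASH` would make it harder to put a plaintext password into the env file by mistake.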
diff --git a/nodes/briefkasten/default.nix b/nodes/briefkasten/default.nix @@ -31,6 +31,7 @@ ctucxConfig.websites."music.home.ctu.cx" ctucxConfig.websites."audiobooks.home.ctu.cx" ctucxConfig.websites."fedi.home.ctu.cx" + ctucxConfig.websites."gomuks.ctu.cx" # syncthing (and it's backup) ./syncthing.nix
diff --git a/secrets/briefkasten/gomuksWebEnv.age b/secrets/briefkasten/gomuksWebEnv.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkN2FhdXBkdFBIeVpyTXJD +d3dlUkxSTGZjemZQTUdBY1dUZ3loTkdOU0hNCjhzVnZUZkdyeTNEYVYvdy96cHpp +YzVLbHY1UzZpV1hxSy9HdjFGbW96RkUKLT4gc3NoLWVkMjU1MTkgNGhLQ013IHBJ +MTEvTzYwR0tCNUxzZEd5V3VjbGtPNTJNNjBBdUJsSkErRDgwL2VDd3cKY0VrWXlX +Wko5R1FtdFhxNFFBbVEya0pPVjZ1K01WMU90VFF5dkUvOHZ2VQotPiBMclROKi1n +cmVhc2UKd25vNXdWdU9OYzQySkFJRzZqVE11SGtEY0lGaWRPV0tlMFlNaUVWZVFk +Z2hneXBsTWYyS0tvZwotLS0gS1o0aDBrcnRVeTNCZDN4eVkxRkMzYzBlajRLMmJy +eVkwMnVZUm40NkNKTQrsQVwnejjeoNIZRz98DlNjjJPH0e0AkWeXYHKTPgLR2YGN +72AxSfKGbakw92D0ECOWKgtMRNtADPp2nAriXgpt5qCKpI3iwS/xak8TE6jJKNDV +GHuazlUlqdfNyMWwHGiodAcJMOcTxSXcdbAlA6YPeonh5jNvveGllpnzGbmtXi5G +YpmC5veT19xQW+nc4a/DdA8CWn+uYUaWvKoc65Nf3t2JJABtEotUP3dUyqcSY+bX +sUEz7YcKgZYGp+gZFn0zg0ulIQ== +-----END AGE ENCRYPTED FILE-----