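# NixOS module for photos.ctu.cx: a systemd timer re-renders the static
# gallery from a read-only bind mount into the service's state directory,
# and nginx serves that directory.
{ config, pkgs, lib, ... }:

let
  # Serialised to gallery.ini below. Values are passed through verbatim
  # as INI strings, so booleans/numbers are written as quoted strings here.
  galleryConfig = {
    globalSection = {
      SourceDir  = "/mnt/photos.ctu.cx";                 # read-only bind mount (fileSystems below)
      TargetDir  = "/var/lib/ctucx-gallery";             # == StateDirectory and the nginx root
      MogrifyCmd = "${pkgs.imagemagick}/bin/mogrify";
    };

    sections = {
      Thumbnails = {
        SmallHeight  = "200";
        SmallQuality = "90";
      };

      Site = {
        Author              = "ctucx";
        Name                = "ctucx.photos";
        Description         = "photos that i made";
        Tags                = "ctucx, ctucx bahnbilder";
        ShowOriginalsButton = "true";
        # Originals are exposed via symlinks into SourceDir rather than copied;
        # nginx therefore serves files that live on the bind mount.
        SymlinkOriginals    = "true";
        EnableJS            = "true";
      };
    };
  };

  galleryConfigFile = pkgs.writeText "gallery.ini"
    (lib.generators.toINIWithGlobalSection {} galleryConfig);

in {

  # `dns.zones` is a repository-local option (not upstream NixOS); it points
  # photos.ctu.cx at this host.
  dns.zones."ctu.cx".subdomains.photos.CNAME = [ "${config.networking.fqdn}." ];

  # The photo source is mounted read-only so the renderer can never modify
  # the originals in the syncthing folder.
  fileSystems."/mnt/photos.ctu.cx" = {
    device = "/home/katja/syncthing/Pictures/photos.ctu.cx";
    options = [ "bind" "ro" ];
  };

  # Dedicated unprivileged account; DynamicUser is not used because the
  # output directory has to stay readable by nginx under a stable owner.
  users = {
    users."ctucx-gallery" = {
      home = "/var/lib/ctucx-gallery";
      group = "ctucx-gallery";
      isSystemUser = true;
    };
    groups."ctucx-gallery" = {};
  };

  systemd.services.ctucx-gallery = {
    startAt  = "*-*-* *:0/10:00";  # every 10 minutes
    wantedBy = [ "multi-user.target" ];
    requires = [ "local-fs.target" ];  # the bind mount must exist first
    path     = [ pkgs.imagemagick ];

    serviceConfig = {
      Type           = "oneshot";
#      DynamicUser    = true;

      ExecStart      = "${pkgs.ctucx-gallery}/bin/gallery ${galleryConfigFile}";

      User  = "ctucx-gallery";
      Group = "ctucx-gallery";

      # 755 so the nginx worker (a different user) can read the rendered site.
      StateDirectory          = "ctucx-gallery";
      StateDirectoryMode      = "755";

      NoNewPrivileges         = true;
      PrivateTmp              = true;
      PrivateDevices          = true;

      # NOTE(review): the renderer only appears to read local files; if it
      # never opens network sockets, dropping AF_INET/AF_INET6 here would be
      # tighter — confirm against the gallery binary before changing.
      RestrictAddressFamilies = "AF_INET AF_INET6";
      RestrictNamespaces      = true;
      RestrictRealtime        = true;

      # NOTE(review): ProtectSystem="strict" keeps StateDirectory writable and
      # would make the rest of the filesystem read-only; ProtectHome is also
      # unset — the source is a bind mount under /mnt, so it should survive
      # ProtectHome=true, but verify before enabling either.
      ProtectSystem           = "full";
      ProtectControlGroups    = true;
      ProtectKernelModules    = true;
      ProtectKernelTunables   = true;

      DevicePolicy            = "closed";
      LockPersonality         = true;
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."photos.ctu.cx" = {
      enableACME = true;
      forceSSL   = true;
      kTLS       = true;
      root       = "/var/lib/ctucx-gallery";
      # In a Nix double-quoted string "\." is just ".", so the previous
      # pattern reached nginx as `~* .html$` (any character before "html").
      # "\\." yields the literal backslash needed for the regex.
      #
      # HTML must not be cached so a re-render is picked up immediately.
      # Cache-Control directives are comma-separated; "private no-store"
      # was one malformed token, now "private, no-store".
      # nginx inherits add_header only when a level defines none of its own,
      # so any headers set at server/http level must be repeated here.
      locations."~* \\.html$".extraConfig = ''
        add_header Last-Modified $date_gmt;
        add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
        if_modified_since off;
        expires off;
        etag off;
      '';
    };
  };

}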