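{ pkgs, lib, config, ... }:
let
  # Non-secret configuration for the Codeberg pages server, handed to the
  # process through `environment`.  The credentials the DNS-01 ACME flow
  # needs (OVH API keys) belong in the age-encrypted env file, never here.
  settings = {
    ACME_ACCEPT_TERMS = "true";
    ACME_EMAIL = "acme@dgnum.eu";
    DNS_PROVIDER = "ovh";
    OVH_ENDPOINT = "ovh-eu";
    # The pages server terminates TLS itself; nginx only forwards raw TCP to
    # it, so its plain-HTTP listener stays off.
    ENABLE_HTTP_SERVER = "false";
    GITEA_ROOT = "https://git.dgnum.eu";
    PORT = "8010";
    PAGES_DOMAIN = "dgnum.page";
    RAW_DOMAIN = "raw.dgnum.page";
  };

  # Necessary until upstream cuts a new release because of
  # https://codeberg.org/Codeberg/pages-server/issues/235
  # that is fixed on main
  package = pkgs.callPackage ./codeberg-pages-custom.nix { };
in
{
  age-secrets.autoMatch = [ "pages_env_file" ];

  # :443 is owned by the nginx stream dispatcher below.  :80 is not used by
  # anything in this file (the pages server's HTTP listener is disabled) and
  # is presumably needed by the HTTP virtualHosts declared elsewhere.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  systemd.services.codeberg-pages = {
    description = "Codeberg pages server";
    # ACME issuance and Gitea lookups need a usable network, not merely a
    # configured one.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    environment = settings;

    serviceConfig = {
      Type = "simple";
      StateDirectory = "codeberg-pages";
      # Decrypted by agenix at activation; read by the systemd executor
      # before the sandbox below is entered.
      EnvironmentFile = config.age.secrets."pages_env_file".path;
      WorkingDirectory = "/var/lib/codeberg-pages";
      DynamicUser = true;
      ExecStart = "${package}/bin/pages";
      Restart = "on-failure";

      # Sandboxing.  This process speaks TLS to arbitrary clients and serves
      # arbitrary repository content, so it gets the full hardening set.
      # DynamicUser already implies ProtectSystem=strict, ProtectHome,
      # PrivateTmp, NoNewPrivileges, RestrictSUIDSGID and RemoveIPC; they are
      # kept explicit so the intent survives if DynamicUser is ever dropped.
      ProtectHome = true;
      ProtectSystem = "strict";
      PrivateTmp = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateUsers = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      NoNewPrivileges = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;
      RemoveIPC = true;
      LockPersonality = true;
      # A Go binary needs no writable+executable mappings.
      MemoryDenyWriteExecute = true;
      # Binds an unprivileged port (8010) as a dynamic user: no capabilities
      # are required at all.
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
      # TCP/IP for clients, Gitea, ACME and the OVH API; AF_UNIX for journald
      # and the local stub resolver.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      SystemCallArchitectures = "native";
      # Deliberately NOT "~@resources": recent Go runtimes call prlimit64 at
      # startup, and a filtered syscall terminates the process with SIGSYS.
      SystemCallFilter = [ "@system-service" "~@privileged" ];
      # Keep the certificate/key cache under StateDirectory private to the
      # service user.
      UMask = "0077";
    };
  };

  services.nginx = {
    enable = true;

    # TLS is terminated in two places: by nginx for its own virtualHosts
    # (moved to :8443 below) and by the pages server for everything else.
    # This stream block owns :443 and dispatches on the client's SNI without
    # decrypting anything (ssl_preread), so the two certificate stores never
    # have to be shared.  Connections without SNI fall through to the pages
    # server.
    streamConfig = ''
      map $ssl_preread_server_name $sni_upstream {
        hostnames;
        default 0.0.0.0:8010;
      ${lib.concatStringsSep "\n" (
        map (vhost: " ${vhost} 0.0.0.0:8443;") (lib.attrNames config.services.nginx.virtualHosts)
      )}
      }

      server {
        # NOTE(review): nginx defaults to ipv6only=on, so this socket only
        # accepts IPv6 clients even though the firewall opens 443 for both
        # families; add `listen 443;` if IPv4 clients are expected here.
        listen [::]:443;
        ssl_preread on;
        proxy_pass $sni_upstream;
      }
    '';

    # Free :443 for the stream dispatcher above.
    defaultSSLListenPort = 8443;
  };
}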