# NixOS module: runs the Codeberg pages server behind an nginx stream
# (SNI pass-through) so that it can share port 443 with the host's regular
# nginx virtual hosts. nginx does not terminate TLS for the pages traffic;
# it only reads the SNI and forwards the raw TLS connection.
{ config, lib, pkgs, nixpkgs, ... }:

let
  # Non-secret process environment of the pages server.
  # The OVH API credentials needed for DNS-01 validation are NOT here; they
  # are expected to come from the age-managed EnvironmentFile referenced in
  # serviceConfig below, so they never land in the world-readable Nix store.
  environment = {
    ACME_ACCEPT_TERMS = "true";
    ACME_EMAIL = "acme@dgnum.eu";
    DNS_PROVIDER = "ovh";
    OVH_ENDPOINT = "ovh-eu";
    # The daemon's plain-HTTP listener is turned off; only the TLS listener on
    # PORT is reachable (through the nginx stream below).
    ENABLE_HTTP_SERVER = "false";
    GITEA_ROOT = "https://git.dgnum.eu";
    # Must match the `default` upstream of the nginx `map` below.
    PORT = "8010";
    PAGES_DOMAIN = "dgnum.page";
    RAW_DOMAIN = "raw.dgnum.page";
    PAGES_BRANCHES = "pages,main,master";
  };

  # Necessary until upstream cuts a new release because of
  # https://codeberg.org/Codeberg/pages-server/issues/235
  # that is fixed on main
  package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
    # Pinned to an exact commit plus its content hash, so the build is
    # reproducible and a moved branch cannot silently change the binary.
    src = pkgs.fetchFromGitea {
      domain = "codeberg.org";
      owner = "Codeberg";
      repo = "pages-server";
      rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
      hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
    };
    # Fixes the Go module set for this `rev`; must be re-pinned together with
    # `rev`, otherwise the build fails (or, worse, would build with stale
    # dependencies if the hash happened to collide).
    vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
  });
in
{
  systemd.services.codeberg-pages = {
    inherit environment;
    description = "Codeberg pages server";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      # Persistent state lives in /var/lib/codeberg-pages (created and owned
      # for the dynamic user by systemd); this is the only writable location
      # left by ProtectSystem=strict apart from the usual runtime dirs.
      StateDirectory = "codeberg-pages";
      # Secret part of the environment (presumably the OVH API keys for
      # DNS_PROVIDER=ovh); decrypted at activation by age, not stored in
      # the Nix store.  Confirm the file only holds the DNS credentials.
      EnvironmentFile = config.age.secrets."pages-environment_file".path;
      WorkingDirectory = "/var/lib/codeberg-pages";
      # Ephemeral, unprivileged UID allocated per run; nothing on disk is
      # owned by a long-lived account.
      DynamicUser = true;
      ExecStart = lib.getExe package;
      Restart = "on-failure";

      # Sandboxing. PORT is 8010 (> 1024), so no CAP_NET_BIND_SERVICE is
      # needed and NoNewPrivileges/RestrictSUIDSGID do not get in the way.
      ProtectHome = true;
      ProtectSystem = "strict";
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHostname = true;
      ProtectClock = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      NoNewPrivileges = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      RemoveIPC = true;
      PrivateMounts = true;
      # NOTE(review): candidates not set here that `systemd-analyze security`
      # will still report: CapabilityBoundingSet, RestrictAddressFamilies,
      # SystemCallFilter, LockPersonality, RestrictNamespaces. Verify against
      # the Go binary before adding them.
    };
  };

  services.nginx = {
    # L4 router in front of port 443. `ssl_preread` inspects the ClientHello
    # SNI without decrypting anything and forwards the connection untouched:
    #   - hostnames that are nginx virtualHosts -> nginx's own TLS listener
    #     (moved to 8446 via defaultSSLListenPort below);
    #   - everything else, including connections without SNI -> the pages
    #     server on 8010, which terminates TLS itself (ACME via DNS-01).
    # Consequence worth knowing: any hostname pointed at this IP that is not
    # an nginx vhost reaches the pages server; its own custom-domain checks
    # are what gate certificate issuance for it (confirm upstream behaviour).
    # NOTE(review): `listen [::]:443` alone is IPv6-only unless nginx/kernel
    # are configured for dual-stack; confirm IPv4 clients reach 443.
    streamConfig = ''
      map $ssl_preread_server_name $sni_upstream {
        hostnames;
        default 127.0.0.1:8010;
      ${lib.concatMapStringsSep "\n" (vhost: " ${vhost} 127.0.0.1:8446;") (
        lib.attrNames config.services.nginx.virtualHosts
      )}
      }

      server {
        listen [::]:443;
        ssl_preread on;
        proxy_pass $sni_upstream;
      }
    '';
    # Regular nginx TLS vhosts move off 443 so the stream above can own it;
    # they are only reachable via the loopback proxy_pass.
    defaultSSLListenPort = 8446;
  };
}