nixos-configs/hosts/lufta/when-then-zen.nix

{ pkgs, ... }:

let
  port = 38471;
  config = pkgs.writeTextFile {
    name = "Caddyfile";
    text = ''
      when-then-zen.christine.website:${toString port} {
          tls off
          errors syslog

          root /srv/http/when-then-zen.christine.website

          internal /README.md
          internal /templates
          internal /LICENSE
          internal /Caddyfile

          ext .md

          browse /bonus
          browse /meditation /srv/http/when-then-zen.christine.website/templates/index.html
          browse /skills /srv/http/when-then-zen.christine.website/templates/index.html

          markdown / {
                  template templates/page.html
          }
      }

      xena.greedo.xeserv.us:${toString port} {
          tls off
          errors syslog

          header / X-Clacks-Overhead "GNU Ashlynn"

          root /srv/http/xena.greedo.xeserv.us
          markdown / {
                  template blog templates/blog.html
                  template index templates/index.html
          }

          browse
      }

      xn--u7hz981o.ws:${toString port} {
          tls off
          errors syslog

          header / X-Clacks-Overhead "GNU Ashlynn"

          internal /templates

          root /srv/http/xn--u7hz981o.ws
          markdown / {
              template index templates/index.html
              template page templates/page.html
          }
      }
    '';
  };
  caddyPkg = pkgs.stdenv.mkDerivation {
    pname = "caddy";
    version = "1.0.4";
    src = builtins.fetchurl {
      url =
        "https://github.com/caddyserver/caddy/releases/download/v1.0.4/caddy_v1.0.4_linux_amd64.tar.gz";
      sha256 = "0cmlwkp3cjx5yw3947y91wymsr398knq92q3iwc57bdzdi33fzwy";
    };

    phases = "unpackPhase installPhase";

    installPhase = ''
      tar zxf $src
      mkdir -p $out/bin
      cp ./caddy $out/bin/caddy
    '';
  };
in {
  age.secrets.mi-token = {
    file = ../../secret/lufta.aws.env.age;
    path = "/var/lib/nginx/mi-token";
    mode = "600";
    owner = "nginx";
    group = "nginx";
  };

  services.fcgiwrap.enable = true;
  services.nginx.virtualHosts = {
    "home.cetacean.club" = {
      locations."/front".extraConfig = ''
        root /tmp;
        fastcgi_param   QUERY_STRING            $query_string;
        fastcgi_param   REQUEST_METHOD          $request_method;
        fastcgi_param   CONTENT_TYPE            $content_type;
        fastcgi_param   CONTENT_LENGTH          $content_length;

        fastcgi_param   PATH_INFO               $fastcgi_path_info;
        fastcgi_param   PATH_TRANSLATED         $document_root$fastcgi_path_info;
        fastcgi_param   REQUEST_URI             $request_uri;
        fastcgi_param   DOCUMENT_URI            $document_uri;
        fastcgi_param   DOCUMENT_ROOT           /srv/http/home.cetacean.club;
        fastcgi_param   SERVER_PROTOCOL         $server_protocol;

        fastcgi_param   GATEWAY_INTERFACE       CGI/1.1;
        fastcgi_param   SERVER_SOFTWARE         nginx/$nginx_version;

        fastcgi_param   REMOTE_ADDR             $remote_addr;
        fastcgi_param   REMOTE_PORT             $remote_port;
        fastcgi_param   SERVER_ADDR             $server_addr;
        fastcgi_param   SERVER_PORT             $server_port;
        fastcgi_param   SERVER_NAME             $server_name;

        fastcgi_param   HTTPS                   $https;

        # PHP only, required if PHP was built with --enable-force-cgi-redirect
        fastcgi_param   REDIRECT_STATUS         200;
        fastcgi_param MI_TOKEN_PATH /var/lib/nginx/mi-token;
        fastcgi_param SCRIPT_FILENAME ${pkgs.xeserv.whoisfront};
        fastcgi_pass unix:/run/fcgiwrap.sock;
      '';
      forceSSL = true;
      useACMEHost = "cetacean.club";
      extraConfig = ''
        access_log /var/log/nginx/home.cetacean.club.access.log;
      '';
    };

    "when-then-zen.christine.website" = {
      locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; };
      forceSSL = true;
      useACMEHost = "christine.website";
      extraConfig = ''
        access_log /var/log/nginx/when-then-zen.access.log;
      '';
    };

    "xena.greedo.xeserv.us" = {
      locations."/".proxyPass = "http://127.0.0.1:${toString port}";
      forceSSL = true;
      useACMEHost = "xeserv.us";
      extraConfig = ''
        access_log /var/log/nginx/xenafiles.access.log;
      '';
    };

    "xn--u7hz981o.ws" = {
      locations."/".proxyPass = "http://127.0.0.1:${toString port}";
      forceSSL = true;
      useACMEHost = "xn--u7hz981o.ws";
    };
  };

  systemd.services.caddy = {
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      User = "nginx";
      Group = "within";
      Restart = "on-failure";
      RestartSec = "30s";
    };

    script = ''
      exec ${caddyPkg}/bin/caddy -conf ${config} -port ${toString port} -agree
    '';
  };
}