💾 Archived View for spam.works › users › emery › nixos-hosting.gmi captured on 2023-07-22 at 21:39:13. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-06-14)
-=-=-=-=-=-=-
NixOS has a module for configuring the Molly Brown server in nixos-unstable (the nixos-unstable sometime before nixos-20.09).
The Nix configuration for serving this gemlog is roughly as follows:
# gemini.nix
{ config, ... }:
let fqdn = "gemini.spam.works";
in {
networking.firewall.allowedTCPPorts =
[ 80 443 config.services.molly-brown.settings.Port ];
services.kineto = {
enable = true;
port = 1967;
geminiDomain = "gemini://${fqdn}";
};
services.molly-brown = {
enable = true;
hostName = fqdn;
certPath = "/var/lib/acme/${fqdn}/cert.pem";
keyPath = "/var/lib/acme/${fqdn}/key.pem";
docBase = "/srv/gemini";
};
services.nginx = {
enable = true;
virtualHosts.${fqdn} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:1967";
};
};
security.acme.certs.${fqdn}.allowKeysForGroup = true;
systemd.services.molly-brown.serviceConfig.SupplementaryGroups =
[ config.security.acme.certs.${fqdn}.group ];
}
And the flake.nix is something like this:
# flake.nix
{
inputs.gemini.url = "github:NixOS/nix-community/flake-gemini";
outputs = { self, c3d2, nixos-hardware, nixpkgs, gemini, upload_bot }: {
nixosConfigurations.foo = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules =
[ ./configuration.nix
./gemini.nix
gemini.nixosModules.kineto
];
};
};
}
The trick to getting TLS to work is to instantiate an nginx server that letsencrypt can hit and reuse that certificate.