💾 Archived View for spam.works › users › emery › nixos-hosting.gmi captured on 2023-11-04 at 11:29:53. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-06-14)
-=-=-=-=-=-=-
NixOS has a module for configuring the Molly Brown server in nixos-unstable (the nixos-unstable sometime before nixos-20.09).
The Nix configuration for serving this gemlog is roughly as follows:
# gemini.nix { config, ... }: let fqdn = "gemini.spam.works"; in { networking.firewall.allowedTCPPorts = [ 80 443 config.services.molly-brown.settings.Port ]; services.kineto = { enable = true; port = 1967; geminiDomain = "gemini://${fqdn}"; }; services.molly-brown = { enable = true; hostName = fqdn; certPath = "/var/lib/acme/${fqdn}/cert.pem"; keyPath = "/var/lib/acme/${fqdn}/key.pem"; docBase = "/srv/gemini"; }; services.nginx = { enable = true; virtualHosts.${fqdn} = { enableACME = true; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:1967"; }; }; security.acme.certs.${fqdn}.allowKeysForGroup = true; systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [ config.security.acme.certs.${fqdn}.group ]; }
And the flake.nix is something like this:
# flake.nix { inputs.gemini.url = "github:NixOS/nix-community/flake-gemini"; outputs = { self, c3d2, nixos-hardware, nixpkgs, gemini, upload_bot }: { nixosConfigurations.foo = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; modules = [ ./configuration.nix ./gemini.nix gemini.nixosModules.kineto ]; }; }; }
The trick to getting TLS to work is to instantiate an nginx server that letsencrypt can hit and reuse that certificate.