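# NixOS configuration for the host "sunflower": ZFS support in the initrd,
# firewall, ACME, the bingosync service, PostgreSQL, one PHP-FPM pool and the
# nginx virtual hosts.
#
# Line structure is restored here. Collapsed onto one line, the `#` comment in
# the nginx section swallows the rest of the file, and the pg_hba / ident-map
# strings degrade into a single comment line.
{ config, lib, pkgs, ... }:
{
  imports = [ ./hardware-configuration.nix ];

  boot.initrd.supportedFilesystems = [ "zfs" ];
  boot.initrd.systemd.enable = true;
  services.zfs.autoScrub.enable = true;
  services.zfs.trim.enable = true;

  networking.hostName = "sunflower";
  networking.hostId = "77d68c52";
  system.stateVersion = "24.11";

  # NOTE(review): every member of `wheel` becomes root without re-authenticating,
  # and root is mapped to the `postgres` superuser in identMap below. Keep wheel
  # membership minimal and confirm this is still required (presumably for
  # unattended deploys; TODO confirm).
  security.sudo.wheelNeedsPassword = false;

  # 80/443 serve nginx and the ACME HTTP challenge. No sshd settings are visible
  # in this file; verify key-only login wherever port 22 is configured.
  # NOTE(review): nothing in this file binds 1337/1338 (TCP or UDP). Confirm which
  # service needs them and close them otherwise.
  networking.firewall.allowedTCPPorts = [ 22 80 443 1337 1338 ];
  networking.firewall.allowedUDPPorts = [ 1337 1338 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "audrey@rhelmot.io";
  };

  services.bingosync = {
    enable = true;
    domain = "celestebingo.rhelmot.io";
    socketsDomain = "sockets-celestebingo.rhelmot.io";
    # URL-encoded unix socket directory (/run/postgresql). There is no credential
    # in the URL; access relies on the peer mapping in services.postgresql below.
    databaseUrl = "postgres://%2Frun%2Fpostgresql/bingosync";
    extraPythonPackages = p: [ p.psycopg2 ];
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "bingosync" "mspa" ];
    ensureUsers = [
      { name = "bingosync"; ensureDBOwnership = true; }
      { name = "mspa"; ensureDBOwnership = true; }
    ];
    # mkOverride 10 outranks definitions made at normal priority, so this is
    # intended to be the only pg_hba rule: unix-socket connections with peer
    # authentication, resolved through `defaultmap`. There are no `host` lines,
    # so pg_hba admits no TCP logins.
    authentication = pkgs.lib.mkOverride 10 ''
      #type database DBuser auth-method optional_ident_map
      local all all peer map=defaultmap
    '';
    # Each OS user may log in only as the database role listed beside it.
    identMap = ''
      # ArbitraryMapName systemUser DBUser
      defaultmap root postgres
      defaultmap postgres postgres
      defaultmap php-nginx mspa
      defaultmap bingosync bingosync
    '';
  };

  # Dedicated system account for the PHP-FPM pool, so PHP code does not run as
  # the nginx user.
  users.users.php-nginx = {
    isSystemUser = true;
    group = "php-nginx";
  };
  users.groups.php-nginx = {};

  services.phpfpm.pools.nginx = {
    user = "php-nginx";
    settings = {
      "pm" = "dynamic";
      # The FastCGI socket is owned by the nginx user, which connects to it.
      "listen.owner" = config.services.nginx.user;
      "pm.max_children" = 5;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 1;
      "pm.max_spare_servers" = 3;
      "pm.max_requests" = 500;
    };
  };

  services.nginx = {
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts = {
      "rhelmot.io" = {
        default = true;
        forceSSL = true;
        enableACME = true;
        root = "/var/www/rhelmot.io/";

        # The htpasswd file is referenced by path under /var/lib, so its contents
        # are not copied into the Nix store. Verify it is readable only by the
        # nginx user.
        locations."/secret/" = {
          basicAuthFile = "/var/lib/rhelmot.io/secret";
        };

        # Matches /MSPA/ itself and any path under it ending in .php.
        # NOTE(review): matching requests go to PHP-FPM without a check that the
        # script exists on disk. Consider adding a `try_files` existence check
        # (test it against the bare /MSPA/ case) and make sure nothing under
        # /MSPA/ is writable by the web application.
        locations."~ ^/MSPA/(.*\\.php|)$" = {
          extraConfig = ''
            fastcgi_pass unix:${config.services.phpfpm.pools.nginx.socket};
            fastcgi_index index.php;
          '';
          index = "index.php index.html";
        };
      };
      # NOTE(review): the www.* redirect hosts request a certificate via
      # enableACME but set none of addSSL/forceSSL/onlySSL, so they presumably
      # listen on port 80 only and HTTPS requests for them land on the default
      # vhost. Confirm and add addSSL/forceSSL if HTTPS redirects are wanted.
      "www.rhelmot.io" = {
        globalRedirect = "rhelmot.io";
        enableACME = true;
      };

      "blog.rhelmot.io" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          root = "/nix/var/nix/profiles/blog-rhelmot-io";
        };
      };
      "www.blog.rhelmot.io" = {
        globalRedirect = "blog.rhelmot.io";
        enableACME = true;
      };

      "bingosync.rhelmot.io" = {
        # This was the only content-serving vhost reachable over plain HTTP, so
        # room passphrases and session cookies relayed by the proxy crossed the
        # client leg unencrypted. TLS is now forced, as on the sibling vhosts.
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          # NOTE(review): nginx does not verify the upstream certificate unless
          # proxy_ssl_verify is enabled, and recommendedProxySettings forwards
          # this host's Host header and client address headers to the
          # third-party upstream. Confirm both are acceptable.
          proxyPass = "https://bingosync.com/";
          proxyWebsockets = true;
        };
      };

      # proxy conf generated by services.bingosync
      "celestebingo.rhelmot.io" = {
        forceSSL = true;
        enableACME = true;
      };
      "sockets-celestebingo.rhelmot.io" = {
        forceSSL = true;
        enableACME = true;
      };
      "www.celestebingo.rhelmot.io" = {
        globalRedirect = "celestebingo.rhelmot.io";
        enableACME = true;
      };

      "minal.rhelmot.io" = {
        forceSSL = true;
        enableACME = true;
        locations."/".root = "/var/www/minal.rhelmot.io/";
      };
      "www.minal.rhelmot.io" = {
        globalRedirect = "minal.rhelmot.io";
        enableACME = true;
      };

      "mimispastrypost.com" = {
        forceSSL = true;
        enableACME = true;
        locations."/".root = "/var/www/mimispastrypost.com/";
      };
      "www.mimispastrypost.com" = {
        globalRedirect = "mimispastrypost.com";
        enableACME = true;
      };
    };
  };
}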