{ config, pkgs, ... }:
let
  # Shorthand for the etebase-server option set that is referenced repeatedly.
  ebCfg = config.services.etebase-server;

  # The API host (proxied to etebase-server) and the web-app host (static files).
  apiHost = "etesync.yggdrasil.li";
  webHost = "app.etesync.yggdrasil.li";
  hosts = [ apiHost webHost ];

  # nginx never reads the ACME directory itself; it only sees the copies that
  # systemd places under /run/credentials/nginx.service via LoadCredential.
  credDir = "/run/credentials/nginx.service";

  # TLS settings for one virtual host, all pointing at the credential copies.
  tlsFor = host: {
    forceSSL = true;
    sslCertificate = "${credDir}/${host}.pem";
    sslCertificateKey = "${credDir}/${host}.key.pem";
    sslTrustedCertificate = "${credDir}/${host}.chain.pem";
  };

  # LoadCredential entries ("<name>:<source path>") for one host: key, full
  # chain and chain, taken from that host's ACME certificate directory.
  credentialsFor = host:
    let
      acmeDir = config.security.acme.certs.${host}.directory;
    in
    [
      "${host}.key.pem:${acmeDir}/key.pem"
      "${host}.pem:${acmeDir}/fullchain.pem"
      "${host}.chain.pem:${acmeDir}/chain.pem"
    ];

  # systemd credentials are loaded when the unit starts, so a renewed
  # certificate only becomes visible to nginx after a restart.
  restartNginx = {
    postRun = ''
      ${pkgs.systemd}/bin/systemctl try-restart nginx.service
    '';
  };

  # Build an attribute set { host = value; } for every host.
  forEachHost = f: builtins.listToAttrs (map (h: { name = h; value = f h; }) hosts);
in
{
  config = {
    # etebase-server listens on a unix socket only (no TCP port); nginx is
    # added to its group further down so it can open that socket.
    services.etebase-server = {
      enable = true;
      port = null;
      unixSocket = "/run/etebase-server/etebase-server.sock";
      user = "etebase";
      settings = {
        allowed_hosts.allowed_host1 = apiHost;
        global.secret_file = config.sops.secrets."etebase-server-secret.txt".path;
        database = {
          engine = "django.db.backends.postgresql";
          name = "etebase";
          user = "etebase";
        };
      };
    };

    # Directory for the unix socket, created and owned by systemd at start.
    systemd.services.etebase-server.serviceConfig.RuntimeDirectory = "etebase-server";

    # Application secret is decrypted by sops for the service user; the unit
    # is restarted whenever the secret changes.
    sops.secrets."etebase-server-secret.txt" = {
      format = "binary";
      sopsFile = ./secret.txt;
      owner = ebCfg.user;
      group = ebCfg.user;
      restartUnits = [ "etebase-server.service" ];
    };

    security.acme.domains = forEachHost (_: { certCfg = restartNginx; });

    services.nginx = {
      upstreams."etebase".servers."unix://${ebCfg.unixSocket}" = { };

      virtualHosts = {
        ${apiHost} = tlsFor apiHost // {
          extraConfig = ''
            client_max_body_size 100M;
            charset utf-8;
          '';
          locations = {
            # Static assets are served directly from the server's static_root.
            "/static/".alias = "${ebCfg.settings.global.static_root}/";
            # Bare root redirects to the web app host.
            "= /".return = "301 https://${webHost}";
            # Everything else is proxied to etebase-server over the socket,
            # with WebSocket upgrade headers passed through.
            "/".extraConfig = ''
              proxy_pass http://etebase;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_redirect off;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Host $server_name;
            '';
          };
        };

        ${webHost} = tlsFor webHost // {
          locations."/".alias = "${pkgs.etesync-web}/";
        };
      };
    };

    systemd.services.nginx.serviceConfig = {
      # Paths nginx must be allowed to read in addition to its defaults.
      ReadPaths = [
        ebCfg.settings.global.static_root
        pkgs.etesync-web
      ];
      # Certificate material is handed to nginx as systemd credentials.
      LoadCredential = builtins.concatMap credentialsFor hosts;
    };

    users = {
      users.${ebCfg.user} = {
        isSystemUser = true;
        group = ebCfg.user;
        home = ebCfg.dataDir;
      };
      # Membership in the service group is what lets nginx reach the socket.
      groups.${ebCfg.user}.members = [ "nginx" ];
    };
  };
}