commit 82351d60da3abb5f6866e2094bcade5b87c5acd3
parent 573c943141f65ffd97e6a6720e9b617ba4a1f0a1
Author: Katja (ctucx) <git@ctu.cx>
Date: Mon, 17 Mar 2025 20:25:58 +0100
parent 573c943141f65ffd97e6a6720e9b617ba4a1f0a1
Author: Katja (ctucx) <git@ctu.cx>
Date: Mon, 17 Mar 2025 20:25:58 +0100
configurations/nixos/websites: add `flauschehorn.katja.wtf` (and import on node `wanderduene`)
2 files changed, 72 insertions(+), 0 deletions(-)
A
|
71
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/configurations/nixos/websites/flauschehorn.katja.wtf.nix b/configurations/nixos/websites/flauschehorn.katja.wtf.nix 
@@ -0,0 +1,71 @@
+{ config, pkgs, ...}:
+
+{
+
+ dns.zones."katja.wtf".subdomains.flauschehorn.CNAME = [ "${config.networking.fqdn}." ];
+
+ users.groups."flauschehorn" = {};
+ users.users."flauschehorn" = {
+ isSystemUser = true;
+ home = "/var/lib/flauschehorn";
+ group = config.systemd.services.flauschehornFetcher.serviceConfig.Group;
+ };
+
+ systemd.services.flauschehornFetcher = {
+ environment.DB_PATH = "/var/lib/flauschehorn/db.sqlite";
+ startAt = "*-*-* 3:00:00";
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+
+ ExecStart = "${pkgs.flauschehorn-sexy}/bin/mastofetch";
+
+ User = "flauschehorn";
+ Group = "flauschehorn";
+
+ StateDirectory = "flauschehorn";
+ StateDirectoryMode = "755";
+ UMask = "755";
+
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+
+ RestrictAddressFamilies = "AF_INET AF_INET6";
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+
+ ProtectSystem = "full";
+ ProtectControlGroups = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ };
+ };
+
+ services.fcgiwrap.instances.flauschehorn = {
+ socket.user = config.services.nginx.user;
+ socket.group = config.services.nginx.group;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."flauschehorn.katja.wtf" = {
+ useACMEHost = config.networking.fqdn;
+ serverAliases = [ "flauschehorn.sexy" ];
+ forceSSL = true;
+ kTLS = true;
+ locations."/".extraConfig = ''
+ include "${pkgs.nginx}/conf/fastcgi_params";
+ fastcgi_param SCRIPT_FILENAME "${pkgs.flauschehorn-sexy}/bin/website";
+ fastcgi_param DB_PATH "${config.systemd.services.flauschehornFetcher.environment.DB_PATH}";
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_pass unix:${config.services.fcgiwrap.instances.flauschehorn.socket.address};
+ '';
+ };
+ };
+
+}
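Review bot: `UMask = "755";` in the flauschehornFetcher serviceConfig looks like a mode value used where a mask is expected — the umask names the bits to clear, so 755 turns a file mastofetch creates with 0666 into 0022, i.e. no owner read/write but write access for group and others; the next scheduled run or the fcgiwrap-served `website` would then likely be unable to open DB_PATH, and `UMask = "022";` gives the conventional 644/755 results that `StateDirectoryMode = "755"` already suggests was intended. The fcgiwrap instance only sets socket.user/socket.group, so the `website` process runs as that instance's default process user and reaches db.sqlite solely because the state directory is world-readable — worth confirming that is the intended boundary rather than the already-created `flauschehorn` group. The vhost uses `useACMEHost = config.networking.fqdn` while answering for flauschehorn.katja.wtf and the alias flauschehorn.sexy, so that certificate must cover both names (not visible here) or clients see a name mismatch; note this file creates a DNS record only for the katja.wtf name. Since the fetcher is a scheduled network client processing remote data, `ProtectSystem = "strict"; ProtectHome = true;` fit alongside the existing hardening without affecting StateDirectory access.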
diff --git a/nodes/wanderduene/default.nix b/nodes/wanderduene/default.nix
@@ -26,6 +26,7 @@ ctucxConfig.websites."ip.ctu.cx" ctucxConfig.websites."dendrite.ctucx.de" + ctucxConfig.websites."flauschehorn.katja.wtf" ./rclone-restic-server.nix ./syncthing.nix