@joseph-long
Created April 21, 2019 19:01
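# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
#
# Single-host setup: nginx serving a static tree under `webRoot`, PHP
# handed to a local PHP-FPM pool (WordPress, with MariaDB), Let's Encrypt
# certificates when `ssl` is true, and a legacy hostname redirected to
# `fqdn`.
{ config, pkgs, ... }:
let
  fqdn = "magao-x.org";
  ssl = true;
  webRoot = "/srv/www";
in
{
  imports =
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  networking.hostName = "magao-x"; # Define your hostname.

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  # Set your time zone.
  time.timeZone = "America/Phoenix";

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  environment.systemPackages = with pkgs; [
    wget vim emacs curl screen git mosh python3 gnumake unzip
  ];

  # Open ports in the firewall. Note that enabling services won't
  # automatically open their ports.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
  networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; # mosh

  # List services that you want to enable:

  # MySQL for Wordpress
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };

  # Enable the OpenSSH daemon.
  # Root login and password logins are both off, so every administrator
  # must have an SSH key in their user's authorizedKeys (defined outside
  # this file). Keep it that way: sudo below is passwordless.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";
  services.openssh.passwordAuthentication = false;

  # Enable the locate command
  services.locate.enable = true;

  programs.bash.enableCompletion = true;

  # Enable nginx
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  # Who needs a password anyway?
  # NOTE: with this, possession of any wheel member's SSH key is full root
  # on the host; the key-only sshd settings above are the only control
  # left in front of it.
  security.sudo.wheelNeedsPassword = false;

  # Enable automatic garbage collection
  nix.gc.automatic = true;
  nix.gc.dates = "03:15";

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "17.09"; # Did you read the comment?

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only

  # Production web server config
  services.nginx.virtualHosts = {
    "${fqdn}" = {
      serverAliases = [ "www.${fqdn}" ];
      enableACME = ssl;
      forceSSL = ssl;
      # Set at the vhost level so every location, including the PHP one,
      # resolves $document_root to the same tree.
      root = webRoot;
      locations = {
        "/" = {
          extraConfig = ''
            rewrite ^/gmagaox/?$ /gmagao-x/ permanent;
          '';
        };
        # Hand *.php requests to the PHP-FPM pool "mypool" defined below.
        # The Nix string must contain "\\." so nginx receives the literal
        # "\." (a dot); Nix unescapes a bare "\." to ".", which would match
        # any character in front of "php".
        "~ [^/]\\.php(/|$)" = {
          extraConfig = ''
            # The location regex accepts trailing path info; split it off
            # and only pass scripts that really exist under $document_root,
            # so a request such as /uploads/pic.jpg/x.php cannot make
            # PHP-FPM interpret a non-PHP file as a script.
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
              return 404;
            }
            # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_param HTTP_PROXY "";
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
          '';
        };
      };
    };
    # Legacy hostname: plain-HTTP redirect of everything to the new site.
    "visao.as.arizona.edu" = {
      enableACME = false;
      forceSSL = false;
      locations = {
        "/" = {
          root = webRoot;
          extraConfig = ''
            return 301 $scheme://${fqdn}$request_uri;
          '';
        };
      };
    };
  };

  # PHP-FPM pool listening on loopback only, as `nobody`. Since `nobody`
  # is not in the nginx group (unless added elsewhere), it reads the web
  # tree through the world-readable bits set by webpermissions below.
  services.phpfpm.poolConfigs.mypool = ''
    listen = 127.0.0.1:9000
    user = nobody
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    pm.max_requests = 500
  '';

  # Create the web root and make it owned by the nginx user/group before
  # nginx starts: group-writable with setgid directories so files added
  # by group members stay group-owned; everyone else read-only.
  systemd.services.webpermissions = {
    wantedBy = [ "multi-user.target" ];
    before = [ "nginx.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      mkdir -p ${webRoot}
      chown -R ${config.services.nginx.user}:${config.services.nginx.group} ${webRoot}
      chmod -R u=rwX,g=rwX,o=rX ${webRoot}
      find ${webRoot} -type d -exec chmod g+s {} \;
    '';
  };
}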