joseph-long/configuration.nix Secret

## configuration.nix
# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, ... }:
let
  fqdn = "magao-x.org";
  ssl = true;
  webRoot = "/srv/www";
in
{
  imports =
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  networking.hostName = "magao-x"; # Define your hostname.

  # Select internationalisation properties.
  i18n = {
    defaultLocale = "en_US.UTF-8";
  };

  # Set your time zone.
  time.timeZone = "America/Phoenix";

  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  environment.systemPackages = with pkgs; [
    wget vim emacs curl screen git mosh python3 gnumake unzip
  ];

  # Open ports in the firewall. Note that enabling services won't
  # automatically open their ports.
  networking.firewall.allowedTCPPorts = [ 22 80 443 ];  # SSH, HTTP, HTTPS
  networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ];  # mosh

  # List services that you want to enable:

  # MySQL for Wordpress
  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
  };

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";
  services.openssh.passwordAuthentication = false;

  # Enable the locate command
  services.locate.enable = true;

  programs.bash.enableCompletion = true;
  # Enable nginx
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };

  # Who needs a password anyway?
  security.sudo.wheelNeedsPassword = false;

  # Enable automatic garbage collection
  nix.gc.automatic = true;
  nix.gc.dates = "03:15";

  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "17.09"; # Did you read the comment?

  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only

  # Production web server config
  services.nginx.virtualHosts = {
    "${fqdn}" = {
        serverAliases = [ "www.${fqdn}" ];
        enableACME = ssl;
        forceSSL = ssl;
        locations = {
          "/" = {
            root = webRoot;
            extraConfig = ''
              rewrite ^/gmagaox/?$ /gmagao-x/ permanent;
            '';
          };
        };
        locations."~ [^/]\.php(/|$)".extraConfig = ''
          # Mitigate https://httpoxy.org/ vulnerabilities
          fastcgi_param HTTP_PROXY "";

          fastcgi_pass 127.0.0.1:9000;
          fastcgi_index index.php;
        '';
    };
    "visao.as.arizona.edu" = {
        enableACME = false;
        forceSSL = false;
        locations = {
          "/" = {
            root = webRoot;
            extraConfig = ''
              return 301 $scheme://magao-x.org$request_uri;
            '';
          };
        };
    };
  };
  services.phpfpm.poolConfigs.mypool = ''
    listen = 127.0.0.1:9000
    user = nobody
    pm = dynamic
    pm.max_children = 5
    pm.start_servers = 2
    pm.min_spare_servers = 1
    pm.max_spare_servers = 3
    pm.max_requests = 500
  '';
  systemd.services.webpermissions = {
    wantedBy = [ "multi-user.target" ];
    before = [ "nginx.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };

    script = ''
      mkdir -p ${webRoot}
      chown -R ${config.services.nginx.user}:${config.services.nginx.group} ${webRoot}
      chmod -R u=rwX,g=rwX,o=rX ${webRoot}
      find ${webRoot} -type d -exec chmod g+s {} \;
    '';
  };

}
	# Edit this configuration file to define what should be installed on
	# your system. Help is available in the configuration.nix(5) man page
	# and in the NixOS manual (accessible by running ‘nixos-help’).

	{ config, pkgs, ... }:
	let
	fqdn = "magao-x.org";
	ssl = true;
	webRoot = "/srv/www";
	in
	{
	imports =
	[
	# Include the results of the hardware scan.
	./hardware-configuration.nix
	];

	networking.hostName = "magao-x"; # Define your hostname.

	# Select internationalisation properties.
	i18n = {
	defaultLocale = "en_US.UTF-8";
	};

	# Set your time zone.
	time.timeZone = "America/Phoenix";

	# List packages installed in system profile. To search by name, run:
	# $ nix-env -qaP \| grep wget
	environment.systemPackages = with pkgs; [
	wget vim emacs curl screen git mosh python3 gnumake unzip
	];

	# Open ports in the firewall. Note that enabling services won't
	# automatically open their ports.
	networking.firewall.allowedTCPPorts = [ 22 80 443 ]; # SSH, HTTP, HTTPS
	networking.firewall.allowedUDPPortRanges = [ { from = 60000; to = 61000; } ]; # mosh

	# List services that you want to enable:

	# MySQL for Wordpress
	services.mysql = {
	enable = true;
	package = pkgs.mariadb;
	};

	# Enable the OpenSSH daemon.
	services.openssh.enable = true;
	services.openssh.permitRootLogin = "no";
	services.openssh.passwordAuthentication = false;

	# Enable the locate command
	services.locate.enable = true;

	programs.bash.enableCompletion = true;
	# Enable nginx
	services.nginx = {
	enable = true;
	recommendedGzipSettings = true;
	recommendedOptimisation = true;
	recommendedProxySettings = true;
	recommendedTlsSettings = true;
	};

	# Who needs a password anyway?
	security.sudo.wheelNeedsPassword = false;

	# Enable automatic garbage collection
	nix.gc.automatic = true;
	nix.gc.dates = "03:15";

	# This value determines the NixOS release with which your system is to be
	# compatible, in order to avoid breaking some software such as database
	# servers. You should change this only after NixOS release notes say you
	# should.
	system.stateVersion = "17.09"; # Did you read the comment?

	# Use the GRUB 2 boot loader.
	boot.loader.grub.enable = true;
	boot.loader.grub.version = 2;
	# Define on which hard drive you want to install Grub.
	boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only

	# Production web server config
	services.nginx.virtualHosts = {
	"${fqdn}" = {
	serverAliases = [ "www.${fqdn}" ];
	enableACME = ssl;
	forceSSL = ssl;
	locations = {
	"/" = {
	root = webRoot;
	extraConfig = ''
	rewrite ^/gmagaox/?$ /gmagao-x/ permanent;
	'';
	};
	};
	locations."~ [^/]\.php(/\|$)".extraConfig = ''
	# Mitigate https://httpoxy.org/ vulnerabilities
	fastcgi_param HTTP_PROXY "";

	fastcgi_pass 127.0.0.1:9000;
	fastcgi_index index.php;
	'';
	};
	"visao.as.arizona.edu" = {
	enableACME = false;
	forceSSL = false;
	locations = {
	"/" = {
	root = webRoot;
	extraConfig = ''
	return 301 $scheme://magao-x.org$request_uri;
	'';
	};
	};
	};
	};
	services.phpfpm.poolConfigs.mypool = ''
	listen = 127.0.0.1:9000
	user = nobody
	pm = dynamic
	pm.max_children = 5
	pm.start_servers = 2
	pm.min_spare_servers = 1
	pm.max_spare_servers = 3
	pm.max_requests = 500
	'';
	systemd.services.webpermissions = {
	wantedBy = [ "multi-user.target" ];
	before = [ "nginx.service" ];
	serviceConfig = {
	Type = "oneshot";
	RemainAfterExit = true;
	};

	script = ''
	mkdir -p ${webRoot}
	chown -R ${config.services.nginx.user}:${config.services.nginx.group} ${webRoot}
	chmod -R u=rwX,g=rwX,o=rX ${webRoot}
	find ${webRoot} -type d -exec chmod g+s {} \;
	'';
	};

	}