From 774d34d50bf3908dd1f209dbbd0de2093d5f5a08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
Date: Mon, 14 Aug 2023 10:16:21 +0200
Subject: nixos/lipwig: Fixes

---
 nixos/machine/lipwig.nix | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

(limited to 'nixos/machine/lipwig.nix')

diff --git a/nixos/machine/lipwig.nix b/nixos/machine/lipwig.nix
index 23d0b7b..f235455 100644
--- a/nixos/machine/lipwig.nix
+++ b/nixos/machine/lipwig.nix
@@ -19,6 +19,11 @@ with lib; {
       fsType = "nfs";
     };
 
+    networking.firewall = {
+      allowedTCPPorts = [80 443];
+      allowedUDPPorts = [1194];
+    };
+
     # Web ######################################################################
     services.nginx = {
       enable = true;
@@ -26,9 +31,6 @@ with lib; {
         "cynerd.cz" = {
           forceSSL = true;
           enableACME = true;
-          serverAliases = [
-            "grafana.cynerd.cz"
-          ];
           locations = {
             "/".root = ../../web;
             "/radicale/" = {
@@ -43,10 +45,14 @@ with lib; {
         "git.cynerd.cz" = {
           forceSSL = true;
           useACMEHost = "cynerd.cz";
-          locations."/".extraConfig = ''
-            fastcgi_param DOCUMENT_ROOT ${pkgs.cgit}/cgit/;
-            fastcgi_param SCRIPT_NAME cgit;
+          root = "${pkgs.cgit}/cgit";
+          locations."/".tryFiles = "$uri @cgit";
+          locations."@cgit".extraConfig = ''
+            fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi;
             fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+            fastcgi_param PATH_INFO    $uri;
+            fastcgi_param QUERY_STRING $args;
+            fastcgi_param HTTP_HOST    $server_name;
           '';
         };
         "grafana.cynerd.cz" = {
@@ -66,6 +72,10 @@ with lib; {
     security.acme = {
       acceptTerms = true;
       defaults.email = "cynerd+acme@email.cz";
+      certs."cynerd.cz".extraDomainNames = [
+        "git.cynerd.cz"
+        "grafana.cynerd.cz"
+      ];
     };
 
     # Git ######################################################################
@@ -85,7 +95,7 @@ with lib; {
     environment.etc."cgitrc".text = ''
       root-title=Cynerd's git repository
       root-desc=All my projects (at least those released to public)
-      logo=${../../web/wolf.svg}
+      #logo=cynerd.cz/wolf.svg
       virtual-root=/
 
       # Allow download of tar.gz, tar.bz2 and zip-files
@@ -119,6 +129,7 @@ with lib; {
     '';
 
     # CalDAV and CardDAV #######################################################
+    # TODO vdirsyncer needs CA
     services.radicale = {
       enable = true;
       rights.cynerd = {
-- 
cgit v1.2.3