{ config, pkgs, ... }: { containers.ttrss = { config = { users.extraUsers.ttrss = {}; services.postgresql = { enable = true; package = pkgs.postgresql95; initialScript = pkgs.writeText "ttrss-init.sql" '' create database ttrss; create user ttrss with password 'ttrss'; grant all privileges on database ttrss to ttrss; ''; }; services.tt-rss = { enable = true; user = "ttrss"; pool = "ttrss"; database = { type = "pgsql"; host = "localhost"; name = "ttrss"; user = "ttrss"; password = "ttrss"; }; selfUrlPath = "https://reader.gebner.org/"; }; services.phpfpm = { extraConfig = '' error_log = /var/log/phpfpm.log log_level = notice ''; poolConfigs = { ttrss = '' listen = 9000 user = ttrss pm = dynamic pm.max_children = 75 pm.start_servers = 10 pm.min_spare_servers = 5 pm.max_spare_servers = 20 pm.max_requests = 500 catch_workers_output = 1 ''; }; }; networking.firewall.allowedTCPPorts = [ 9000 ]; }; autoStart = true; hostAddress = "192.168.100.10"; localAddress = "192.168.100.11"; privateNetwork = true; }; networking.nat.enable = true; networking.nat.internalInterfaces = ["ve-+"]; networking.nat.externalInterface = "eth0"; security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null; services.nginx.httpConfig = '' server { listen [::]:80; listen 80; server_name reader.gebner.org; location /.well-known/acme-challenge { default_type text/plain; alias /var/lib/acme/www/.well-known/acme-challenge; } location / { rewrite ^(.*) https://$host$1 permanent; } } server { listen [::]:443; listen 443; server_name reader.gebner.org; ssl on; ssl_certificate_key /var/lib/acme/gebner.org/key.pem; ssl_certificate /var/lib/acme/gebner.org/fullchain.pem; ssl_dhparam /etc/nginx/dhparam.pem; ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; location / { root /var/lib/containers/ttrss/var/lib/tt-rss; index index.php; } location /cache { deny all; } location = /config.php { deny all; } location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass 192.168.100.11:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name; include ${pkgs.nginx}/conf/fastcgi_params; } } ''; }