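{ config, pkgs, ... }:
# Runs tt-rss inside a NixOS container (private network, NAT through the host)
# and fronts it with the host's nginx, which terminates TLS for
# reader.gebner.org and forwards PHP requests to php-fpm inside the container.
{
  containers.ttrss = {
    config = {
      users.extraUsers.ttrss = {};

      services.postgresql = {
        enable = true;
        package = pkgs.postgresql95;
        # NOTE(review): the password in this script (repeated below in
        # services.tt-rss.database) ends up in the world-readable Nix store.
        # That is only tolerable while PostgreSQL is reachable solely on the
        # container's localhost and nothing else runs in this container.
        initialScript = pkgs.writeText "ttrss-init.sql" ''
          create database ttrss;
          create user ttrss with password 'ttrss';
          grant all privileges on database ttrss to ttrss;
        '';
      };

      services.tt-rss = {
        enable = true;
        user = "ttrss";

        pool = "ttrss";
        # The vhost is provided by the host's nginx (see services.nginx.httpConfig
        # below), not by the tt-rss module itself.
        virtualHost = null;

        database = {
          type = "pgsql";
          host = "localhost";
          name = "ttrss";
          user = "ttrss";
          password = "ttrss";
        };

        selfUrlPath = "https://reader.gebner.org/";
      };

      services.phpfpm = {
        extraConfig = ''
          error_log = /var/log/phpfpm.log
          log_level = notice
        '';

        poolConfigs = {
          ttrss = ''
              ; FastCGI over TCP so the host's nginx can reach the pool through
              ; the veth pair (the container firewall opens 9000 below).
              ; Only the host address may talk to the pool: an unauthenticated
              ; FastCGI listener lets any client that reaches it choose which
              ; script is executed, so the bind alone is not enough.
              listen = 9000
              listen.allowed_clients = 192.168.100.10
              user = ttrss
              pm = dynamic
              pm.max_children = 75
              pm.start_servers = 10
              pm.min_spare_servers = 5
              pm.max_spare_servers = 20
              pm.max_requests = 500
              catch_workers_output = 1
          '';
        };
      };

      # Opens php-fpm's port inside the container; together with
      # listen.allowed_clients above only the host (192.168.100.10) gets through.
      networking.firewall.allowedTCPPorts = [ 9000 ];
    };

    autoStart = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";
    privateNetwork = true;
  };

  # Give the container outbound connectivity (feed fetching) via NAT on ens3.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "ens3";

  # reader.gebner.org is issued as an extra name on the existing gebner.org cert.
  security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;

  services.nginx.httpConfig = ''
    # Plain HTTP: answer ACME challenges, redirect everything else to HTTPS.
    server {
      listen [::]:80;
      listen 80;
      server_name reader.gebner.org;

      location /.well-known/acme-challenge {
        default_type text/plain;
        alias /var/lib/acme/www/.well-known/acme-challenge;
      }

      location / {
        return 301 https://$host$request_uri;
      }
    }

    server {
      # "listen ... ssl" replaces the deprecated "ssl on" directive.
      listen [::]:443 ssl;
      listen 443 ssl;
      server_name reader.gebner.org;

      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
      ssl_dhparam /etc/nginx/dhparam.pem;
      # TLS 1.0 and 1.1 are deprecated; only TLS 1.2 is offered.
      ssl_protocols TLSv1.2;
      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
      ssl_prefer_server_ciphers on;
      # Server-level add_header is inherited by every location below because
      # none of them declares its own add_header.
      add_header Strict-Transport-Security max-age=15768000;
      ssl_stapling on;
      ssl_stapling_verify on;
      # NOTE(review): stapling verification needs the issuer chain via
      # ssl_trusted_certificate to be effective; check the error log for
      # stapling warnings after deploying.

      # The document root is the container's tt-rss tree as seen from the
      # host.  It lives at server level (rather than in "location /") so the
      # try_files check in the PHP location resolves against the same tree;
      # requests that match no other location are served from here.
      root /var/lib/containers/ttrss/var/lib/tt-rss;
      index index.php;

      # "^~" is required: a plain prefix location loses to the regex
      # location ~ \.php$ below, so /cache/anything.php would otherwise still
      # be handed to php-fpm despite the deny.
      location ^~ /cache {
        deny all;
      }
      # An exact-match location takes precedence over regex locations, so no
      # modifier is needed here.
      location = /config.php {
        deny all;
      }

      location ~ \.php$ {
        # Only execute scripts that exist as files; without this, a request
        # for a non-PHP file with a trailing ".php" segment can be executed
        # as PHP through php-fpm's path-info fallback.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 192.168.100.11:9000;
        fastcgi_index index.php;
        # php-fpm runs inside the container, so SCRIPT_FILENAME uses the
        # container-side path rather than the host-side root above.
        fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
        include ${pkgs.nginx}/conf/fastcgi_params;
      }
    }
  '';
}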