# NixOS module: per-FQDN Pelican static sites served by nginx, rebuilt by a
# systemd path unit when the site's content directory changes.
# Review note: this listing is an excerpt (line numbers are non-contiguous);
# the lines between the shown ones are not visible here, so the comments
# below only describe what the visible lines establish.
1 { config, lib, pkgs, ... }:
3 cfg = config.helpers.pelican;
6 options.helpers.pelican = lib.mkOption {
7 description = "Pelican SSG helper";
9 type = with lib.types; attrsOf (submodule {
# The `auth` option is commented out, and so are the auth_pam directives
# further down: no per-host authentication is configured by this module as
# written, every site is served unauthenticated.
14 # auth = lib.mkOption {
# Every configured FQDN is pinned to loopback in /etc/hosts of this machine
# only; it does not affect what clients elsewhere resolve.
22 networking.hosts."127.0.0.1" = builtins.attrNames cfg;
25 # lifted from https://nixos.wiki/wiki/Nginx#Authentication_via_PAM
26 # also https://github.com/NixOS/nixpkgs/issues/117578
27 # Have not tested to see which of these can be re-enabled. Not a fan of killing all that stuff just for pam.
28 # Maybe copy /etc/shadow to /run/keys via colmena?
# NOTE(review): the block below, if re-enabled, removes most of the upstream
# nginx systemd sandbox (no-new-privileges, syscall filter, namespace and
# address-family restrictions, ...) and adds the `shadow` group so the PAM
# module can read password hashes. That turns any nginx compromise into
# read access to /etc/shadow. For password-protecting a static site the
# per-vhost `basicAuthFile` option needs none of these relaxations and is the
# lower-privilege choice; keep this block disabled unless PAM is really needed.
29 # security.pam.services.nginx.setEnvironment = false;
30 # systemd.services.nginx.serviceConfig = {
31 # SupplementaryGroups = [ "shadow" ];
32 # NoNewPrivileges = lib.mkForce false;
33 # PrivateDevices = lib.mkForce false;
34 # ProtectHostname = lib.mkForce false;
35 # ProtectKernelTunables = lib.mkForce false;
36 # ProtectKernelModules = lib.mkForce false;
37 # RestrictAddressFamilies = lib.mkForce [ ];
38 # LockPersonality = lib.mkForce false;
39 # MemoryDenyWriteExecute = lib.mkForce false;
40 # RestrictRealtime = lib.mkForce false;
41 # RestrictSUIDSGID = lib.mkForce false;
42 # SystemCallArchitectures = lib.mkForce "";
43 # ProtectClock = lib.mkForce false;
44 # ProtectKernelLogs = lib.mkForce false;
45 # RestrictNamespaces = lib.mkForce false;
46 # SystemCallFilter = lib.mkForce "";
50 # services.nginx.virtualHosts."nfo".locations."/subdomain"
52 enable = lib.mkDefault true;
# The PAM nginx module is still linked in even though the auth_pam
# directives below are commented out; it is dead weight until auth is wired up.
53 additionalModules = [ pkgs.nginxModules.pam ];
54 virtualHosts = lib.attrsets.mapAttrs (fqdn: name: {
# TLS is keyed on the ACME terms flag: when acceptTerms is false both options
# are false, so the sites are served over plain HTTP with no redirect to HTTPS.
55 enableACME = config.security.acme.acceptTerms;
56 forceSSL = config.security.acme.acceptTerms;
# Pelican's default output directory under the site path.
58 root = "${name.path}/output";
# localOnly is not enforced while this stays commented out; the vhost is
# reachable from any client that can reach nginx.
59 # extraConfig = lib.mkIf name.localOnly ''
64 # extraConfig = lib.mkIf name.auth ''
65 # auth_pam "Password Required";
66 # auth_pam_service_name "nginx";
# One "<fqdn>-reloader" service per site: rebuilds the site and restarts nginx.
70 systemd.services = lib.attrsets.mapAttrs' (fqdn: name: lib.attrsets.nameValuePair "${fqdn}-reloader" {
# NOTE(review): the standard systemd unit is `network.target`; `networking.target`
# does not look like a unit that exists, in which case this ordering is a no-op.
71 after = [ "networking.target" ];
# NOTE(review): `exec` replaces the shell with the command. If these three
# lines are consecutive in one shell script (the enclosing `script` line is
# outside this view), only the pelican build runs and the tmpfiles/nginx
# steps below it are never reached. Also, a full `restart` drops in-flight
# connections; static files rebuilt on disk do not need nginx restarted at all.
73 exec ${pkgs.python310Packages.pelican}/bin/pelican content
74 exec systemd-tmpfiles --create
75 exec systemctl restart nginx.service
# `pelican content` above is resolved relative to this directory.
79 WorkingDirectory = "${name.path}";
# One "<fqdn>-watcher" path unit per site, active at boot.
82 systemd.paths = lib.attrsets.mapAttrs' (fqdn: name: lib.attrsets.nameValuePair "${fqdn}-watcher" {
83 wantedBy = [ "multi-user.target" ];
# Any write under content/ fires the reloader, which (per the script above)
# restarts the system-wide nginx. With the trigger limits below commented out
# a burst of writes means a burst of nginx restarts, affecting every hosted
# site, not just the one being edited.
85 PathModified = "${name.path}/content";
86 Unit = "${fqdn}-reloader.service";
87 # TriggerLimitIntervalSec = "10s";
88 # TriggerLimitBurst = 50;