{ pkgs, lib, secret, ... }: { systemd.services.redlib = let args = lib.concatStringsSep " " ([ "--port 8002" "--address 127.0.0.1" ]); in { description = "Private front-end for Reddit"; wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { DynamicUser = true; ExecStart = "${pkgs.redlib}/bin/redlib ${args}"; Restart = "on-failure"; RestartSec = "2s"; # Hardening CapabilityBoundingSet = [ "" ]; DeviceAllow = [ "" ]; LockPersonality = true; MemoryDenyWriteExecute = true; PrivateDevices = true; # A private user cannot have process capabilities on the host's user # namespace and thus CAP_NET_BIND_SERVICE has no effect. PrivateUsers = true; ProcSubset = "pid"; ProtectClock = true; ProtectControlGroups = true; ProtectHome = true; ProtectHostname = true; ProtectKernelLogs = true; ProtectKernelModules = true; ProtectKernelTunables = true; ProtectProc = "invisible"; RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; RestrictNamespaces = true; RestrictRealtime = true; RestrictSUIDSGID = true; SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ]; UMask = "0077"; }; }; services.nginx.virtualHosts."${secret.nginx.hostnames.libreddit}" = { # listen = [ # { # addr = "100.64.10.2"; # port = 443; # ssl = true; # extraParameters = [ # "fastopen=63" # "backlog=1023" # "deferred" # ]; # } # # { # addr = "[fd7a:115c:a1e0:1010::2]"; # port = 443; # ssl = true; # extraParameters = [ # "fastopen=63" # "backlog=1023" # ]; # } # ]; listenAddresses = [ "100.64.10.2" "[fd7a:115c:a1e0:1010::2]" ]; quic = true; http3 = true; onlySSL = true; useACMEHost = "daniel.sx"; locations."/" = { recommendedProxySettings = true; proxyPass = "http://127.0.0.1:8002"; }; }; }