Hosting Gemini on NixOS
NixOS has a module for configuring the Molly Brown server in nixos-unstable (the nixos-unstable from sometime before nixos-20.09).
The Nix configuration for serving this gemlog is roughly as follows:
# gemini.nix
#
# NixOS module serving this gemlog: Molly Brown speaks Gemini directly,
# kineto presents an HTTP view of the same capsule behind nginx, and the
# TLS certificate that nginx/ACME obtains for `fqdn` is shared with Molly Brown.
{ config, ... }:
let
  fqdn = "gemini.spam.works";
  # Directory where the ACME module writes the certificate and key for this host.
  acmeDir = "/var/lib/acme/${fqdn}";
  acmeCert = config.security.acme.certs.${fqdn};
  mollyBrown = config.services.molly-brown;
in
{
  # Open HTTP/HTTPS for nginx plus whatever port Molly Brown is configured on;
  # the port is read back from the module so the two values cannot drift.
  networking.firewall.allowedTCPPorts = [ 80 443 mollyBrown.settings.Port ];

  services = {
    # HTTP-to-Gemini proxy, reached only via the nginx location below.
    # NOTE(review): no listen address is set here — confirm kineto binds to
    # loopback only; 1967 is not named in the firewall list above.
    kineto = {
      enable = true;
      port = 1967;
      geminiDomain = "gemini://${fqdn}";
    };

    # The Gemini server itself, pointed at the ACME-managed certificate.
    molly-brown = {
      enable = true;
      hostName = fqdn;
      certPath = "${acmeDir}/cert.pem";
      keyPath = "${acmeDir}/key.pem";
      docBase = "/srv/gemini";
    };

    # nginx exists mainly so Let's Encrypt can reach the host over HTTP;
    # the virtual host forwards everything to kineto.
    nginx = {
      enable = true;
      virtualHosts.${fqdn} = {
        enableACME = true;
        forceSSL = true;
        locations."/".proxyPass = "http://127.0.0.1:1967";
      };
    };
  };

  # Give the Molly Brown service read access to the private key through the
  # ACME group rather than running it as root or copying the key elsewhere.
  # NOTE(review): allowKeysForGroup matches the nixos-unstable of this era;
  # check whether the option still exists on the release you deploy to.
  security.acme.certs.${fqdn}.allowKeysForGroup = true;
  systemd.services.molly-brown.serviceConfig.SupplementaryGroups = [ acmeCert.group ];
}
And the flake.nix is something like this:
# flake.nix
#
# Flake wiring for the host `foo`: the `gemini` input supplies the kineto
# NixOS module that ./gemini.nix relies on.
# NOTE(review): `github:` refs are owner/repo[/ref]; as written this resolves to
# owner "NixOS", repository "nix-community", ref "flake-gemini" — confirm that
# is the intended repository. The outputs function also names inputs (c3d2,
# nixos-hardware, nixpkgs, upload_bot) that this excerpt does not declare.
{
  inputs = {
    gemini.url = "github:NixOS/nix-community/flake-gemini";
  };

  outputs = { self, c3d2, nixos-hardware, nixpkgs, gemini, upload_bot }:
    let
      # Host configuration plus the Gemini-specific module and the kineto module.
      modules = [
        ./configuration.nix
        ./gemini.nix
        gemini.nixosModules.kineto
      ];
    in
    {
      nixosConfigurations.foo = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        inherit modules;
      };
    };
}
The trick to getting TLS to work is to instantiate an nginx virtual host that Let's Encrypt can reach, and then reuse the certificate it obtains for Molly Brown.