Add container for ingress-toothpick

Signed-off-by: Magic_RB <magic_rb@redalder.org>

flake.nix

@@ -50,6 +50,7 @@
         nixos/systems/blowhole
 
         nixng/containers/ingress-blowhole
+        nixng/containers/ingress-toothpick
         nixng/containers/matrix/mautrix-signal
         nixng/containers/matrix/mautrix-discord
         nixng/containers/matrix/mautrix-facebook

nixng/containers/ingress-toothpick/default.nix

@@ -0,0 +1,128 @@
+{ inputs, ... }:
+{
+  flake.nixngConfigurations.ingressToothpick = inputs.nixng.nglib.makeSystem {
+    system = "x86_64-linux";
+    name = "ingress-toothpick";
+    inherit (inputs) nixpkgs;
+
+    config =
+      { pkgs, lib, nglib, ... }:
+      let
+        inherit (lib)
+          singleton;
+      in
+        {
+          dumb-init = {
+            enable = true;
+            sigell.entries = [
+              {
+                signal = "HUP";
+                action = {
+                  type = "exec";
+                  environment = {
+                    PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
+                  };
+                  command =
+                    [ "bash"
+                      "-c"
+                      "kill -s HUP \"$(cat /nginx.pid)\""
+                    ];
+                };
+              }
+              {
+                signal = "TERM";
+                action = {
+                  type = "signal";
+                  rewrite = "TERM";
+                  selector = {
+                    type = "child";
+                  };
+                };
+              }
+            ];
+            type.services = {};
+          };
+          init.services.nginx.shutdownOnExit = true;
+
+
+          system.activation =
+            { resolv-conf =
+                nglib.dag.dagEntryBefore [ "certbot" ]
+                  ''
+                    export PATH=${pkgs.busybox}/bin
+
+                    mkdir -p /etc
+                    echo "nameserver 8.8.8.8" > /etc/resolv.conf
+                  '';
+            };
+
+          services.certbot = {
+            enable = true;
+
+            acceptTerms = true;
+
+            domains = {
+              "redalder.org" = {
+                extraDomains = [
+                  "hydra.redalder.org"
+                  "gitea.redalder.org"
+                  "matrix.redalder.org"
+                  "nixng.org"
+                ];
+                webroot = "/var/www/certbot";
+                email = "admin@redalder.org";
+                extraOptions = "--expand --keep-until-expiring --renew-with-new-domains -v";
+              };
+            };
+          };
+          services.nginx = {
+            enable = true;
+            envsubst = true;
+            configuration = [
+              {
+                daemon = "off";
+                worker_processes = 2;
+                user = "nginx";
+
+                events."" = {
+                  use = "epoll";
+                  worker_connections = 128;
+                };
+
+                error_log = [ "/dev/stderr" "warn" ];
+
+                pid = "/nginx.pid";
+
+                stream."" = {
+                  include = [
+                    [ "/local/streams.conf" ]
+                  ];
+                };
+
+                http."" = {
+                  server_tokens = "off";
+                  include = [
+                    [ "${pkgs.nginx}/conf/mime.types" ]
+                    [ "/local/upstreams.conf" ]
+                  ];
+                  charset = "utf-8";
+                  access_log = [ "/dev/stdout" "combined" ];
+
+                  server."" = {
+                    listen = [ "80" "default_server" ];
+                    server_name = [
+                      "redalder.org"
+                      "nixng.org"
+                    ];
+
+                    location."/" = {
+                      return = [ "301" "https://$$host$$request_uri" ];
+                    };
+                  };
+                };
+              }
+            ];
+          };
+        };
+  };
+}