
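# NixOS module: serve a personal website behind nginx, rebuilt from a git
# repository by a oneshot systemd unit that runs as a dedicated system user.
#
# `fetchFromGitLab` was previously destructured here but never used; it is not
# a standard module argument, so requiring it would fail evaluation unless the
# caller supplies it via specialArgs. The `...` pattern still accepts it.
{
  pkgs,
  ...
}: let
  # Loopback endpoint nginx proxies to. Nothing in this module tells the site
  # binary which port to bind; it presumably defaults to 8080 — confirm.
  host = "127.0.0.1";
  port = 8080;
  # Dedicated unprivileged account that both builds and runs the website.
  user = "website-host-user";
  # Cloned fresh on every rebuild, unpinned: whoever can push to this repo
  # controls what gets built and executed under ${user}.
  repo = "https://git.spoodythe.one/spoody/website";
in {
  imports = [./nginx.nix];

  # Public vhost: ACME certificate, plain HTTP redirected to HTTPS, and the
  # catch-all server for requests that match no other vhost.
  services.nginx.virtualHosts."spoodythe.one" = {
    enableACME = true;
    forceSSL = true;
    default = true;
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
    };
  };

  users.users.${user} = {
    isSystemUser = true;
    home = "/home/${user}";
    createHome = true;
    group = user;
    # Interactive shell so the key below can ssh in and trigger a rebuild.
    shell = pkgs.bash;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90JNokb4/4DZ/2tHS8Lj/jq+UiA0B2g+MFeM8KuA6Y website-host-user@server"
    ];
  };
  users.groups.${user} = {};

  # Passwordless sudo restricted to two exact command lines. Neither command
  # needs caller-supplied environment, so the SETENV tag is left off: it would
  # let the sudo caller bypass env_reset for these commands for no benefit.
  security.sudo.extraRules = [
    {
      users = [user];
      commands = [
        {
          # Re-runs the oneshot unit below (it keeps RemainAfterExit, so only
          # `restart` re-executes the script).
          command = "/run/current-system/sw/bin/systemctl restart rebuild-website.service";
          options = ["NOPASSWD"];
        }
        {
          # Must match the invocation in the rebuild script byte-for-byte:
          # sudo compares the argument string exactly. ${user} replaces the
          # previously hard-coded name so the two cannot drift apart.
          command = "/run/current-system/sw/bin/systemd-run -d --uid ${user} ./webbisitey";
          options = ["NOPASSWD"];
        }
      ];
    }
  ];

  # Oneshot rebuild: clone, `nix build`, stop the old site process, launch the
  # new one as a transient unit. Runs as ${user}, so it relies on that user
  # being allowed to talk to the nix daemon.
  systemd.services."rebuild-website" = {
    description = "Service for running my website";
    wants = ["network-online.target"];
    after = ["network-online.target"];
    wantedBy = ["multi-user.target"];
    script = ''
      # Fixed delay for the git host (Forgejo, presumably on this machine) to
      # come up before cloning — there is no readiness check, so a slow start
      # still fails the clone.
      echo "Sleeping for 25 seconds to allow forgejo to start"
      ${pkgs.coreutils}/bin/sleep 25
      echo "Making temporary folder"
      # The clone is never removed: `nix build` drops a `result` symlink here
      # that also acts as an indirect GC root for the running site, and the
      # transient unit's working directory points into it (see -d below).
      # Each rebuild therefore leaves one more directory under /tmp behind.
      path=$(mktemp -d)
      echo "Cloning repo"
      ${pkgs.git}/bin/git clone ${repo} "$path"
      echo "cd $path"
      cd "$path"
      echo "[nix build] Rebuilding website flake..."
      ${pkgs.nix}/bin/nix build # build the flake's default package into ./result
      echo "[killall] Killing previous website process"
      # Unprivileged killall only reaches processes owned by ${user}; `|| true`
      # keeps a first deploy (nothing to kill) from failing the unit.
      ${pkgs.killall}/bin/killall webbisitey || true # stop old website
      echo "Changing directory to build result..."
      cd result/bin # cd into result folder
      echo "[systemd-run] Running webbisitey-wrapped..."
      # -d (--same-dir) makes the transient unit start in this directory, which
      # is why the relative ./webbisitey resolves. The argument string here is
      # what the sudo rule above authorises.
      /run/wrappers/bin/sudo /run/current-system/sw/bin/systemd-run -d --uid ${user} ./webbisitey # run new website
    '';
    serviceConfig = {
      Type = "oneshot";
      # Stay "active" after the script returns so a plain `start` is a no-op
      # and `restart` is the explicit redeploy trigger.
      RemainsAfterExit = true;
      User = user;
      WorkingDirectory = "/tmp";
    };
  };
}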