diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index a9d20adc63fd..585cef9b42ec 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -886,6 +886,7 @@
./services/web-servers/meguca.nix
./services/web-servers/mighttpd2.nix
./services/web-servers/minio.nix
+ ./services/web-servers/molly-brown.nix
./services/web-servers/nginx/default.nix
./services/web-servers/nginx/gitweb.nix
./services/web-servers/phpfpm/default.nix
diff --git a/nixos/modules/services/web-servers/molly-brown.nix b/nixos/modules/services/web-servers/molly-brown.nix
new file mode 100644
index 000000000000..e9052a184b2d
--- /dev/null
+++ b/nixos/modules/services/web-servers/molly-brown.nix
@@ -0,0 +1,117 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.molly-brown;
+
+ settingsType = with types;
+ attrsOf (oneOf [
+ int
+ str
+ (listOf str)
+ (attrsOf (oneOf [ int str (listOf str) (attrsOf str) ]))
+ ]) // {
+ description = "primitive expression convertable to TOML";
+ };
+
+ configFile = pkgs.runCommand "molly-brown.toml" {
+ buildInputs = [ pkgs.remarshal ];
+ preferLocalBuild = true;
+ passAsFile = [ "settings" ];
+ settings = builtins.toJSON cfg.settings;
+ } "remarshal -if json -of toml < $settingsPath > $out";
+in {
+
+ options.services.molly-brown = {
+
+ enable = mkEnableOption "Molly-Brown Gemini server";
+
+ port = mkOption {
+ default = 1965;
+ type = types.port;
+ description = ''
+ TCP port for molly-brown to bind to.
+ '';
+ };
+
+ hostName = mkOption {
+ type = types.str;
+ example = literalExample "config.networking.hostName";
+ default = config.networking.hostName;
+ description = ''
+ The hostname to respond to requests for. Requests for URLs with
+ other hosts will result in a status 53 (PROXY REQUEST REFUSED)
+ response.
+ '';
+ };
+
+ certPath = mkOption {
+ type = types.path;
+ example = "/var/lib/acme/example.com/cert.pem";
+ description = ''
+ Path to TLS certificate. An ACME certificate and key may be
+ shared with an HTTP server, but only if molly-brown has
+ permissions allowing it to read such keys.
+
+ As an example:
+
+ security.acme.certs."example.com".allowKeysForGroup = true;
+ systemd.services.molly-brown.serviceConfig.SupplementaryGroups =
+ [ config.security.acme.certs."example.com".group ];
+
+ '';
+ };
+
+ keyPath = mkOption {
+ type = types.path;
+ example = "/var/lib/acme/example.com/key.pem";
+ description = "Path to TLS key. See .";
+ };
+
+ docBase = mkOption {
+ type = types.path;
+ example = "/var/lib/molly-brown";
+ description = "Base directory for Gemini content.";
+ };
+
+ settings = mkOption {
+ type = settingsType;
+ default = { };
+ description = ''
+ molly-brown configuration. Refer to
+
+ for details on supported values.
+ '';
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+
+ services.molly-brown.settings = let logDir = "/var/log/molly-brown";
+ in {
+ Port = cfg.port;
+ Hostname = cfg.hostName;
+ CertPath = cfg.certPath;
+ KeyPath = cfg.keyPath;
+ DocBase = cfg.docBase;
+ AccessLog = "${logDir}/access.log";
+ ErrorLog = "${logDir}/error.log";
+ };
+
+ systemd.services.molly-brown = {
+ description = "Molly Brown gemini server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ DynamicUser = true;
+ LogsDirectory = "molly-brown";
+ ExecStart = "${pkgs.molly-brown}/bin/molly-brown -c ${configFile}";
+ Restart = "always";
+ };
+ };
+
+ };
+
+}
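Review bot: The `keyPath` description at `description = "Path to TLS key. See .";` and the `settings` description ("Refer to … for details on supported values") both end in an empty reference — presumably an `<option>`/`<link>` element that was lost on the way in — so the rendered manual shows a dangling "See ."; e.g. `description = "Path to TLS key. See <option>services.molly-brown.certPath</option>.";`, and the `settings` text should name the upstream configuration reference it is pointing at (the `settingsType` description also misspells "convertible"). Separately, the `services.molly-brown.settings` assignments under `config` (Port, Hostname, AccessLog, ErrorLog, …) are plain values rather than `mkDefault`, so a user who also sets e.g. `services.molly-brown.settings.AccessLog` will, as far as I can tell, get a conflicting-definitions error instead of an override; wrapping at least the two log paths in `mkDefault` keeps them overridable. Note also that `configFile` is produced by `pkgs.runCommand` and therefore lands in the world-readable Nix store, which is fine for the path-only values set here but means `settings` must never carry secrets — worth one sentence in its description.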
diff --git a/nixos/tests/molly-brown.nix b/nixos/tests/molly-brown.nix
new file mode 100644
index 000000000000..09ce42726ca9
--- /dev/null
+++ b/nixos/tests/molly-brown.nix
@@ -0,0 +1,71 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+
+ let testString = "NixOS Gemini test successful";
+ in {
+
+ name = "molly-brown";
+ meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ ehmry ]; };
+
+ nodes = {
+
+ geminiServer = { config, pkgs, ... }:
+ let
+ inherit (config.networking) hostName;
+ cfg = config.services.molly-brown;
+ in {
+
+ environment.systemPackages = [
+ (pkgs.writeScriptBin "test-gemini" ''
+ #!${pkgs.python3}/bin/python
+
+ import socket
+ import ssl
+ import tempfile
+ import textwrap
+ import urllib.parse
+
+ url = "gemini://geminiServer/init.gmi"
+ parsed_url = urllib.parse.urlparse(url)
+
+ s = socket.create_connection((parsed_url.netloc, 1965))
+ context = ssl.SSLContext()
+ context.check_hostname = False
+ context.verify_mode = ssl.CERT_NONE
+ s = context.wrap_socket(s, server_hostname=parsed_url.netloc)
+ s.sendall((url + "\r\n").encode("UTF-8"))
+ fp = s.makefile("rb")
+ print(fp.readline().strip())
+ print(fp.readline().strip())
+ print(fp.readline().strip())
+ '')
+ ];
+
+ networking.firewall.allowedTCPPorts = [ cfg.settings.Port ];
+
+ services.molly-brown = {
+ enable = true;
+ docBase = "/tmp/docs";
+ certPath = "/tmp/cert.pem";
+ keyPath = "/tmp/key.pem";
+ };
+
+ systemd.services.molly-brown.preStart = ''
+ ${pkgs.openssl}/bin/openssl genrsa -out "/tmp/key.pem"
+ ${pkgs.openssl}/bin/openssl req -new \
+ -subj "/CN=${config.networking.hostName}" \
+ -key "/tmp/key.pem" -out /tmp/request.pem
+ ${pkgs.openssl}/bin/openssl x509 -req -days 3650 \
+ -in /tmp/request.pem -signkey "/tmp/key.pem" -out "/tmp/cert.pem"
+
+ mkdir -p "${cfg.settings.DocBase}"
+ echo "${testString}" > "${cfg.settings.DocBase}/test.gmi"
+ '';
+ };
+ };
+ testScript = ''
+ geminiServer.wait_for_unit("molly-brown")
+ geminiServer.wait_for_open_port(1965)
+ geminiServer.succeed("test-gemini")
+ '';
+
+ })
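Review bot: The test never checks the server's answer: `test-gemini` requests `gemini://geminiServer/init.gmi` while preStart creates `test.gmi`, and the script only prints three lines, so `geminiServer.succeed("test-gemini")` passes on any status line (including a not-found response) as long as the TLS connection succeeds — `testString` is defined but never asserted. Requesting `test.gmi`, asserting a `20` status header and checking the body for `testString` makes the test exercise content serving rather than just the listener. `ssl.SSLContext()` with no protocol argument is deprecated in Python 3; `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` is the current spelling, with `check_hostname`/`verify_mode` still disabled for the self-signed test certificate.
```nix
      url = "gemini://geminiServer/test.gmi"
      parsed_url = urllib.parse.urlparse(url)

      # … unchanged: socket creation, TLS context, wrap_socket, sendall …
      fp = s.makefile("rb")
      header = fp.readline().decode("UTF-8").strip()
      print(header)
      assert header.startswith("20 "), header
      body = fp.read().decode("UTF-8")
      print(body)
      assert "${testString}" in body, body
```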
diff --git a/pkgs/servers/gemini/molly-brown/default.nix b/pkgs/servers/gemini/molly-brown/default.nix
index eb5b85784dcd..216a4015ef95 100644
--- a/pkgs/servers/gemini/molly-brown/default.nix
+++ b/pkgs/servers/gemini/molly-brown/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildGoPackage, fetchgit }:
+{ lib, buildGoPackage, fetchgit, nixosTests }:
buildGoPackage rec {
pname = "molly-brown";
@@ -15,6 +15,8 @@ buildGoPackage rec {
goDeps = ./deps.nix;
+ passthru.tests.basic = nixosTests.molly-brown;
+
meta = with lib; {
description = "Full-featured Gemini server";
homepage = "https://tildegit.org/solderpunk/molly-brown";