cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

all the broken

Browse Source
This commit is contained in:
cnst
2025-10-04 20:35:06 +02:00
parent 67e83e3e4e
commit 123dfd7605
21 changed files with 408 additions and 304 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
modules/server/nginx/default.nix Normal file
View File

@@ -0,0 +1,79 @@
{
lib,
config,
pkgs,
self,
myLib,
...
}: let
inherit (myLib) mkVirtualHost;
inherit (lib) mkEnableOption mkIf types;
unit = "nginx";
cfg = config.server.nginx;
srv = config.server;
in {
options.server.nginx = {
enable = mkEnableOption "Enable global NGINX reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets = {
nginxEnv = {
file = "${self}/secrets/nginxEnv.age";
};
};
networking.firewall.allowedTCPPorts = [80 443];
security = {
acme = {
acceptTerms = true;
defaults.email = config.server.email;
certs.${srv.domain} = {
reloadServices = ["nginx.service"];
domain = "${srv.domain}";
extraDomainNames = ["*.${srv.domain}"];
dnsProvider = "cloudflare";
dnsPropagationCheck = true;
group = config.services.nginx.group;
environmentFile = config.age.secrets.nginxEnv.path;
};
};
dhparams = {
enable = true;
params.nginx = {};
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
resolver.addresses = config.networking.nameservers;
sslDhparam = config.security.dhparams.params.nginx.path;
appendHttpConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
virtualHosts = let
labDomain = "cnix.dev";
labCert = {
useACMEHost = "cnix.dev";
forceSSL = true;
};
in {
# proxies on domain with https, only accessible within local network
"${labDomain}" =
labCert
// {
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.homepage-dashboard.listenPort}";
};
};
};
users.users.nginx.extraGroups = ["acme"];
};
}