80 lines
2.0 KiB
Nix
80 lines
2.0 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
pkgs,
|
|
self,
|
|
myLib,
|
|
...
|
|
}: let
|
|
inherit (myLib) mkVirtualHost;
|
|
inherit (lib) mkEnableOption mkIf types;
|
|
|
|
unit = "nginx";
|
|
cfg = config.server.nginx;
|
|
srv = config.server;
|
|
in {
|
|
options.server.nginx = {
|
|
enable = mkEnableOption "Enable global NGINX reverse proxy with ACME";
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
age.secrets = {
|
|
nginxEnv = {
|
|
file = "${self}/secrets/nginxEnv.age";
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [80 443];
|
|
|
|
security = {
|
|
acme = {
|
|
acceptTerms = true;
|
|
defaults.email = config.server.email;
|
|
certs.${srv.domain} = {
|
|
reloadServices = ["nginx.service"];
|
|
domain = "${srv.domain}";
|
|
extraDomainNames = ["*.${srv.domain}"];
|
|
dnsProvider = "cloudflare";
|
|
dnsPropagationCheck = true;
|
|
group = config.services.nginx.group;
|
|
environmentFile = config.age.secrets.nginxEnv.path;
|
|
};
|
|
};
|
|
dhparams = {
|
|
enable = true;
|
|
params.nginx = {};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
resolver.addresses = config.networking.nameservers;
|
|
sslDhparam = config.security.dhparams.params.nginx.path;
|
|
appendHttpConfig = ''
|
|
proxy_headers_hash_max_size 512;
|
|
proxy_headers_hash_bucket_size 128;
|
|
'';
|
|
|
|
virtualHosts = let
|
|
labDomain = "cnix.dev";
|
|
labCert = {
|
|
useACMEHost = "cnix.dev";
|
|
forceSSL = true;
|
|
};
|
|
in {
|
|
# proxies on domain with https, only accessible within local network
|
|
"${labDomain}" =
|
|
labCert
|
|
// {
|
|
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.homepage-dashboard.listenPort}";
|
|
};
|
|
};
|
|
};
|
|
users.users.nginx.extraGroups = ["acme"];
|
|
};
|
|
}
|