nixos/git: Use separate nginx
This commit is contained in:
@@ -1,8 +1,11 @@
|
||||
{ lib, ... }:
|
||||
let
|
||||
inherit (builtins) mapAttrs;
|
||||
inherit (lib) mkMerge mkDefault;
|
||||
inherit (lib.my) net;
|
||||
inherit (lib.my.c) pubDomain;
|
||||
inherit (lib.my.c.colony) domain prefixes;
|
||||
inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
|
||||
in
|
||||
{
|
||||
nixos.systems.git = {
|
||||
@@ -72,9 +75,81 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
users = {
|
||||
nginx.extraGroups = [ "acme" ];
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "dev@nul.ie";
|
||||
server = "https://acme-v02.api.letsencrypt.org/directory";
|
||||
reloadServices = [ "nginx" ];
|
||||
dnsResolver = "8.8.8.8";
|
||||
};
|
||||
certs = {
|
||||
"${pubDomain}" = {
|
||||
extraDomainNames = [
|
||||
"*.${pubDomain}"
|
||||
];
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
fstrim = lib.my.c.colony.fstrimConfig;
|
||||
netdata.enable = true;
|
||||
nginx = {
|
||||
enable = true;
|
||||
enableReload = true;
|
||||
|
||||
logError = "stderr info";
|
||||
recommendedTlsSettings = true;
|
||||
clientMaxBodySize = "0";
|
||||
serverTokens = true;
|
||||
sslDhparam = config.age.secrets."dhparams.pem".path;
|
||||
|
||||
# Based on recommended*Settings, but probably better to be explicit about these
|
||||
appendHttpConfig = ''
|
||||
${baseHttpConfig}
|
||||
|
||||
# caching
|
||||
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=512m;
|
||||
'';
|
||||
|
||||
virtualHosts =
|
||||
let
|
||||
hosts = {
|
||||
"_" = {
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
onlySSL = false;
|
||||
locations = {
|
||||
"/".root = "${pkgs.nginx}/html";
|
||||
};
|
||||
};
|
||||
|
||||
"git.${pubDomain}" = {
|
||||
locations."/".proxyPass = "http://localhost:3000";
|
||||
};
|
||||
};
|
||||
|
||||
defaultsFor = mapAttrs (n: _: {
|
||||
onlySSL = mkDefault true;
|
||||
useACMEHost = mkDefault pubDomain;
|
||||
kTLS = mkDefault true;
|
||||
http2 = mkDefault true;
|
||||
});
|
||||
in
|
||||
mkMerge [
|
||||
hosts
|
||||
(defaultsFor hosts)
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation = {
|
||||
@@ -104,11 +179,24 @@ in
|
||||
};
|
||||
|
||||
my = {
|
||||
secrets.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
|
||||
secrets = {
|
||||
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
|
||||
files = {
|
||||
"dhparams.pem" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
mode = "440";
|
||||
};
|
||||
"middleman/cloudflare-credentials.conf" = {
|
||||
owner = "acme";
|
||||
group = "acme";
|
||||
};
|
||||
};
|
||||
};
|
||||
server.enable = true;
|
||||
|
||||
firewall = {
|
||||
tcp.allowed = [ 19999 ];
|
||||
tcp.allowed = [ 19999 "http" "https" ];
|
||||
extraRules = ''
|
||||
table inet filter {
|
||||
chain forward {
|
||||
|
||||
Reference in New Issue
Block a user