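{ lib, ... }:
{
  # "middleman": the nginx reverse-proxy container that fronts the other
  # services.  Only 80/443 are opened; everything else is proxied upstream.
  nixos.systems.middleman = {
    system = "x86_64-linux";
    nixpkgs = "mine";

    # Fixed addresses inside the colony container ranges (host index 2 for both
    # families) so upstream/downstream configs can refer to it by name.
    assignments = {
      internal = {
        name = "middleman-ctr";
        altNames = [ "http" ];
        domain = lib.my.colony.domain;
        ipv4.address = "${lib.my.colony.start.ctrs.v4}2";
        ipv6 = {
          iid = "::2";
          address = "${lib.my.colony.start.ctrs.v6}2";
        };
      };
    };

    configuration = { lib, config, assignments, allAssignments, ... }:
    let
      inherit (lib) mkMerge mkIf;
      inherit (lib.my) networkdAssignment;
    in
    {
      config = mkMerge [
        {
          my = {
            server.enable = true;
            secrets = {
              # Host key the agenix secrets for this container are encrypted to.
              key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAuvP9DEsffop53Fsh7xIdeVyQSF6tSKrOUs2faq6rip";
              # DH parameters for TLS; consumed below via config.age.secrets.
              files."dhparams.pem" = {};
            };
            firewall = {
              # Only the proxy ports are reachable; upstreams are not exposed here.
              tcp.allowed = [ "http" "https" ];
            };
            # NOTE(review): nothing is persisted explicitly. If tmproot wipes
            # /var/log, the access log below is lost on reboot — confirm that
            # is acceptable for incident reconstruction.
            tmproot.persistence.config.directories = [ ];
          };

          systemd = {
            network.networks."80-container-host0" =
              networkdAssignment "host0" assignments.internal;
          };

          services = {
            nginx = {
              enable = true;
              enableReload = true;
              recommendedTlsSettings = true;
              # "0" disables the request-body size limit entirely. Intentional for
              # a generic proxy fronting upload-heavy services, but it means per-
              # vhost limits must be set wherever a backend should be protected.
              clientMaxBodySize = "0";
              # Fix: do not advertise the exact nginx version in the Server header
              # and on error pages; it only helps fingerprinting.
              serverTokens = false;
              # Resolve upstream names through estuary, with a short TTL so
              # container re-addressing is picked up quickly.
              resolver = {
                addresses = [ "[${allAssignments.estuary.base.ipv6.address}]" ];
                valid = "5s";
              };
              proxyResolveWhileRunning = true;
              sslDhparam = config.age.secrets."dhparams.pem".path;

              # Based on recommended*Settings, but probably better to be explicit
              # about these.
              appendHttpConfig = ''
                # NixOS provides a logrotate config that auto-compresses :)
                access_log /var/log/nginx/access.log combined;

                # optimisation
                sendfile on;
                tcp_nopush on;
                tcp_nodelay on;
                keepalive_timeout 65;

                # gzip
                # NOTE(review): response compression over TLS can enable BREACH
                # against pages that reflect attacker input next to secrets;
                # text/html is always compressed by nginx when gzip is on.
                # Acceptable for most backends here, but keep in mind per-vhost.
                gzip on;
                gzip_proxied any;
                gzip_comp_level 5;
                gzip_types application/atom+xml application/javascript application/json application/xml application/xml+rss image/svg+xml text/css text/javascript text/plain text/xml;
                gzip_vary on;

                # proxying
                proxy_buffering off;
                proxy_redirect off;
                proxy_connect_timeout 60s;
                proxy_read_timeout 60s;
                proxy_send_timeout 60s;
                proxy_http_version 1.1;

                # proxy headers
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_set_header X-Forwarded-Server $host;
                # X-Real-IP is the authoritative client address (set from the
                # socket, never from a client-supplied header).
                proxy_set_header X-Real-IP $remote_addr;
                # $proxy_add_x_forwarded_for APPENDS to any X-Forwarded-For the
                # client sent, so upstreams must only trust the rightmost entry
                # (or use X-Real-IP) when making access-control decisions.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Scheme $scheme;
              '';
            };
          };
        }

        # Dev VM only: expose the proxy on high host ports for local testing.
        (mkIf config.my.build.isDevVM {
          virtualisation = {
            forwardPorts = [
              { from = "host"; host.port = 8080; guest.port = 80; }
              { from = "host"; host.port = 8443; guest.port = 443; }
            ];
          };
        })
      ];
    };
  };
}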