config/profiles/web/default.nix

{ config, pkgs, lib, ... }:
let
  mkDomain = subname: "${subname}.${config.networking.fqdn}";
in
{
  _module.args.mkDomain = mkDomain;
  _module.args.allSubdomains = lib.sort (x: y: x<y) ( # TODO: deduplicate <-
    lib.flatten (
      lib.mapAttrsToList
        (k: v: [k] ++ v.serverAliases)
        config.services.nginx.virtualHosts
    )
  );

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "pbsds+acme@hotmail.com";
  #security.acme.defaults.renewInterval = "daily";
  #security.acme.defaults.reloadServices

  # https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
  #security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
  #security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
  #security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week

  # DNS-based ACME:
  # - https://go-acme.github.io/lego/dns/domeneshop/
  # - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
  #security.acme.defaults.dnsProvider = "domeneshop";
  #security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.


  services.nginx.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];


  # Website tunnel
  # TODO: remove
  services.nginx.virtualHosts.${config.networking.fqdn} = {
    forceSSL = true; # addSSL = true;
    enableACME = true;
    #acmeRoot = null; # use DNS
    default = true;
    serverAliases = map mkDomain [
      "www"
      #"*" # requires DNS ACME
    ];
    # The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
    # TODO: 'nox' alias for everything
    locations."/" = {
      proxyPass = "http://pbuntu.pbsds.net";
      proxyWebsockets = true;
    };
  };
  #services.nginx.virtualHosts.${mkDomain "www"} = {
  #  addSSL = true;
  #  useACMEHost = acmeDomain; #enableACME = true;
  #  locations."/" = {
  #    proxyPass = "http://pbuntu.pbsds.net";
  #    proxyWebsockets = true;
  #  };
  #};


}
split nas and websites into modules 2023-02-25 00:03:29 +01:00			`{ config, pkgs, lib, ... }:`
			`let`
			`mkDomain = subname: "${subname}.${config.networking.fqdn}";`
			`in`
			`{`
			`_module.args.mkDomain = mkDomain;`
			`_module.args.allSubdomains = lib.sort (x: y: x<y) ( # TODO: deduplicate <-`
			`lib.flatten (`
			`lib.mapAttrsToList`
			`(k: v: [k] ++ v.serverAliases)`
			`config.services.nginx.virtualHosts`
			`)`
			`);`

			`security.acme.acceptTerms = true;`
			`security.acme.defaults.email = "pbsds+acme@hotmail.com";`
			`#security.acme.defaults.renewInterval = "daily";`
			`#security.acme.defaults.reloadServices`

			`# https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/`
			`#security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING`
			`#security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week`
			`#security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week`

			`# DNS-based ACME:`
			`# - https://go-acme.github.io/lego/dns/domeneshop/`
			`# - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts`
			`#security.acme.defaults.dnsProvider = "domeneshop";`
			`#security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.`


			`services.nginx.enable = true;`
			`networking.firewall.allowedTCPPorts = [ 80 443 ];`


			`# Website tunnel`
			`# TODO: remove`
			`services.nginx.virtualHosts.${config.networking.fqdn} = {`
			`forceSSL = true; # addSSL = true;`
			`enableACME = true;`
			`#acmeRoot = null; # use DNS`
			`default = true;`
			`serverAliases = map mkDomain [`
			`"www"`
			`#"*" # requires DNS ACME`
			`];`
			`# The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];`
			`# TODO: 'nox' alias for everything`
			`locations."/" = {`
			`proxyPass = "http://pbuntu.pbsds.net";`
			`proxyWebsockets = true;`
			`};`
			`};`
			`#services.nginx.virtualHosts.${mkDomain "www"} = {`
			`# addSSL = true;`
			`# useACMEHost = acmeDomain; #enableACME = true;`
			`# locations."/" = {`
			`# proxyPass = "http://pbuntu.pbsds.net";`
			`# proxyWebsockets = true;`
			`# };`
			`#};`


			`}`