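{ config, pkgs, lib, ... }:
let
  # Prefix a subdomain label onto this host's FQDN:
  #   mkDomain "www" == "www.${config.networking.fqdn}"
  mkDomain = subname: "${subname}.${config.networking.fqdn}";
in
{
  # Make mkDomain available as a module argument to every other module.
  _module.args.mkDomain = mkDomain;

  # Sorted list of all nginx virtual host names configured on this host.
  # The empty name and the "_" catch-all are not real domains and are dropped.
  # serverAliases are intentionally NOT included (see the commented line),
  # so consumers of allSubdomains only see primary vhost names.
  _module.args.allSubdomains = lib.pipe config.services.nginx.virtualHosts [
    #(lib.mapAttrsToList (domain: vhost: [ domain ] ++ vhost.serverAliases))
    (lib.mapAttrsToList (domain: vhost: [ domain ]))
    lib.flatten
    (builtins.filter (domain: domain != "" && domain != "_"))
    (lib.sort (x: y: x<y))
  ];

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "pbsds+acme@hotmail.com"; # TODO: parametrize per host
  #security.acme.defaults.renewInterval = "daily";
  #security.acme.defaults.reloadServices
  # https://www.xf.is/2020/06/30/list-of-free-acme-ssl-providers/
  #security.acme.defaults.server = "https://acme-v02.api.letsencrypt.org/directory" # default
  #security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # STAGING
  #security.acme.defaults.server = "https://api.buypass.com/acme/directory"; # no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
  #security.acme.defaults.server = "https://api.test4.buypass.no/acme/directory"; # STAGING. no wildcards, rate limit: 20 domains/week, 5 duplicate certs / week
  # DNS-based ACME:
  # - https://go-acme.github.io/lego/dns/domeneshop/
  # - https://nixos.org/manual/nixos/stable/index.html#module-security-acme-config-dns-with-vhosts
  #security.acme.defaults.dnsProvider = "domeneshop";
  #security.acme.defaults.credentialsFile = "/var/lib/secrets/domeneshop.key"; # TODO: this file must be made by hand, containing env variables.

  services.nginx.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx.recommendedGzipSettings = true;
  services.nginx.recommendedOptimisation = true;
  services.nginx.recommendedProxySettings = true;
  services.nginx.recommendedTlsSettings = true;

  # nginx return 444 for all nonexistent virtualhosts
  services.nginx.virtualHosts."_" = {
    # Reject the TLS handshake for unknown server names (ssl_reject_handshake,
    # nginx >= 1.19.4) instead of completing it with the nixpkgs test
    # certificate: that key pair ships in nixpkgs, so its private key is
    # public, and completing a handshake with it would present a cert to
    # clients that any third party can also present. With rejectSSL the NixOS
    # module listens on 443 without a certificate, so sslCertificate /
    # sslCertificateKey are no longer needed here (rejectSSL is mutually
    # exclusive with addSSL/forceSSL/onlySSL).
    rejectSSL = true;
    # Plain-HTTP requests for unknown names are closed without a response.
    extraConfig = "return 444;";
    # NOTE(review): "_" only acts as the catch-all while this server block is
    # nginx's default_server; NixOS emits vhosts in attribute-name order, so
    # "_" presumably comes first — set `default = true;` here if another vhost
    # ever ends up being picked instead (only one vhost may be the default).
  };

  /** /
  services.nginx.virtualHosts."" = {
    default = true;
    forceSSL = false;
    enableACME = false;
    root = pkgs.writeTextDir "index.html" ''
      <!DOCTYPE html>
      no
    '';
  };
  /**/

  # Website tunnel
  # TODO: remove
  /** /
  services.nginx.virtualHosts.${config.networking.fqdn} = {
    forceSSL = true; # addSSL = true;
    enableACME = true;
    #acmeRoot = null; # use DNS
    default = true;
    serverAliases = map mkDomain [
      "www"
      #"*" # requires DNS ACME
    ];
    # The alternative to ^ is: config.security.acme.certs."${acmeDomain}".extraDomainNames = [ (mkDomain "foo") ];
    # TODO: 'nox' alias for everything
    locations."/" = {
      proxyPass = "http://pbuntu.pbsds.net";
      proxyWebsockets = true;
    };
  };
  #services.nginx.virtualHosts.${mkDomain "www"} = {
  #  addSSL = true;
  #  useACMEHost = acmeDomain; #enableACME = true;
  #  locations."/" = {
  #    proxyPass = "http://pbuntu.pbsds.net";
  #    proxyWebsockets = true;
  #  };
  #};
  /**/
}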