diff options
author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-20 13:58:21 +0100 |
---|---|---|
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-20 13:58:21 +0100 |
commit | 33639143ea50404a04bc4c454435aff1bd79dd4b (patch) | |
tree | ede4b6832bb86ac30281fc22700ae1fe40658f37 /modules/by-name/ng/nginx/module.nix | |
parent | fix(treewide): Update to nixos release 24.11 (diff) | |
download | nixos-server-33639143ea50404a04bc4c454435aff1bd79dd4b.tar.gz nixos-server-33639143ea50404a04bc4c454435aff1bd79dd4b.zip |
refactor({modules,test}): Migrate to a `by-name` structure
Diffstat (limited to 'modules/by-name/ng/nginx/module.nix')
-rw-r--r-- | modules/by-name/ng/nginx/module.nix | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/modules/by-name/ng/nginx/module.nix b/modules/by-name/ng/nginx/module.nix new file mode 100644 index 0000000..6a82147 --- /dev/null +++ b/modules/by-name/ng/nginx/module.nix @@ -0,0 +1,68 @@ +{ + lib, + config, + ... +}: let + importedRedirects = import ./redirects.nix {}; + mkRedirect = { + key, + value, + }: { + name = key; + value = { + forceSSL = true; + enableACME = true; + locations."/".return = "301 ${value}"; + }; + }; + + redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects); + + cfg = config.vhack.nginx; +in { + options.vhack.nginx = { + enable = lib.mkEnableOption '' + a default nginx config. + ''; + + selfsign = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + Whether to selfsign the acme certificates. This should only + really be useful for tests. + ''; + }; + }; + + config = lib.mkIf cfg.enable { + security.acme = { + acceptTerms = true; + defaults = { + email = "admin@vhack.eu"; + webroot = "/var/lib/acme/acme-challenge"; + + # Avoid spamming the acme server, if we run in a test, and only really want self-signed + # certificates + server = lib.mkIf cfg.selfsign "https://127.0.0.1"; + }; + }; + + networking.firewall = { + allowedTCPPorts = [80 443]; + }; + services.nginx = { + enable = true; + # The merge here is fine, as no domain should be specified twice + virtualHosts = + { + "gallery.s-schoeffel.de" = { + forceSSL = true; + enableACME = true; + root = "/srv/gallery.s-schoeffel.de"; + }; + } + // redirects; + }; + }; +} |