summary refs log tree commit diff stats
path: root/modules/nixos/vhack/nginx/default.nix
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/nixos/vhack/nginx/default.nix68
1 files changed, 68 insertions, 0 deletions
diff --git a/modules/nixos/vhack/nginx/default.nix b/modules/nixos/vhack/nginx/default.nix
new file mode 100644
index 0000000..6a82147
--- /dev/null
+++ b/modules/nixos/vhack/nginx/default.nix
@@ -0,0 +1,68 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  importedRedirects = import ./redirects.nix {};
+  mkRedirect = {
+    key,
+    value,
+  }: {
+    name = key;
+    value = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/".return = "301 ${value}";
+    };
+  };
+
+  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
+
+  cfg = config.vhack.nginx;
+in {
+  options.vhack.nginx = {
+    enable = lib.mkEnableOption ''
+      a default nginx config.
+    '';
+
+    selfsign = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to selfsign the acme certificates. This should only
+        really be useful for tests.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        email = "admin@vhack.eu";
+        webroot = "/var/lib/acme/acme-challenge";
+
+        # Avoid spamming the acme server, if we run in a test, and only really want self-signed
+        # certificates
+        server = lib.mkIf cfg.selfsign "https://127.0.0.1";
+      };
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [80 443];
+    };
+    services.nginx = {
+      enable = true;
+      # The merge here is fine, as no domain should be specified twice
+      virtualHosts =
+        {
+          "gallery.s-schoeffel.de" = {
+            forceSSL = true;
+            enableACME = true;
+            root = "/srv/gallery.s-schoeffel.de";
+          };
+        }
+        // redirects;
+    };
+  };
+}