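# NixOS module: a default nginx setup with ACME (Let's Encrypt style) certificates,
# one locally defined virtual host, and a set of HTTPS redirects read from
# ./redirects.nix.
{ lib, config, ... }:
let
  # Each element is expected to be `{ key = <domain>; value = <redirect target>; }`
  # (inferred from mkRedirect's argument pattern — confirm against ./redirects.nix).
  importedRedirects = import ./redirects.nix { };

  # Build one virtualHosts entry for a redirect domain: every request under `key`
  # is answered with a permanent (301) redirect to `value`. The redirect host still
  # gets its own ACME certificate and forced TLS, so the redirect itself is served
  # over HTTPS.
  mkRedirect = { key, value, }: {
    name = key;
    value = {
      forceSSL = true;
      enableACME = true;
      locations."/".return = "301 ${value}";
    };
  };

  # Note: listToAttrs keeps only one entry per name without complaint, which is why
  # duplicates are checked separately in the assertions below.
  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);

  # Virtual hosts configured directly in this module rather than via redirects.nix.
  localHosts = {
    "gallery.s-schoeffel.de" = {
      forceSSL = true;
      enableACME = true;
      root = "/srv/gallery.s-schoeffel.de";
    };
  };

  redirectDomains = builtins.map (entry: entry.key) importedRedirects;

  # Domains present both as a redirect and as a local host. The `//` merge of
  # virtualHosts below would silently let the redirect win, so such clashes are
  # surfaced as an assertion instead.
  clashingDomains = builtins.filter (domain: builtins.hasAttr domain localHosts) redirectDomains;

  cfg = config.vhack.nginx;
in
{
  options.vhack.nginx = {
    enable = lib.mkEnableOption ''
      a default nginx config.
    '';

    selfsign = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to selfsign the acme certificates.
        This should only really be useful for tests.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Enforce the invariant the virtualHosts merge relies on: a domain must not be
    # defined both in redirects.nix and locally, and must not be listed twice in
    # redirects.nix. Both cases were previously resolved silently.
    assertions = [
      {
        assertion = clashingDomains == [ ];
        message = "vhack.nginx: domain(s) defined both in redirects.nix and as a local virtual host: ${lib.concatStringsSep ", " clashingDomains}";
      }
      {
        assertion = builtins.length (lib.unique redirectDomains) == builtins.length redirectDomains;
        message = "vhack.nginx: redirects.nix lists the same domain more than once";
      }
    ];

    # ACME account data and issued certificates live here; persist it so keys and
    # certificates survive a rebuild of the (otherwise ephemeral) state.
    vhack.persist.directories = [ "/var/lib/acme" ];

    # Pin the acme user/group ids so ownership of /var/lib/acme is stable across
    # reinstalls.
    users = {
      users.acme.uid = config.vhack.constants.ids.uids.acme;
      groups.acme.gid = config.vhack.constants.ids.gids.acme;
    };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "admin@vhack.eu";
        webroot = "/var/lib/acme/acme-challenge";
        # Avoid spamming the acme server, if we run in a test, and only really want
        # self-signed certificates.
        # NOTE(review): this points the ACME client at a local directory URL; what
        # answers on 127.0.0.1 in the test setup is not shown here — confirm.
        server = lib.mkIf cfg.selfsign "https://127.0.0.1";
      };
    };

    # 80 is needed for the HTTP-01 challenge (webroot above) and the HTTP->HTTPS
    # redirect produced by forceSSL; 443 for the TLS hosts themselves.
    networking.firewall = {
      allowedTCPPorts = [ 80 443 ];
    };

    services.nginx = {
      enable = true;
      # `//` is a shallow merge; the assertions above guarantee no domain occurs
      # on both sides, so no entry is overridden here.
      virtualHosts = localHosts // redirects;
    };
  };
}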