summary refs log tree commit diff stats
path: root/modules/by-name/ng/nginx/module.nix
blob: 9c77652deb25e838490858d5e4b1b5e92cc224e1 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
{
  lib,
  config,
  ...
}: let
  importedRedirects = import ./redirects.nix {};
  mkRedirect = {
    key,
    value,
  }: {
    name = key;
    value = {
      forceSSL = true;
      enableACME = true;
      locations."/".return = "301 ${value}";
    };
  };

  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);

  cfg = config.vhack.nginx;
in {
  options.vhack.nginx = {
    enable = lib.mkEnableOption ''
      a default nginx config.
    '';

    selfsign = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to selfsign the acme certificates. This should only
        really be useful for tests.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    vhack.persist.directories = [
      "/var/lib/acme"
    ];
    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "admin@vhack.eu";
        webroot = "/var/lib/acme/acme-challenge";

        # Avoid spamming the acme server, if we run in a test, and only really want self-signed
        # certificates
        server = lib.mkIf cfg.selfsign "https://127.0.0.1";
      };
    };

    networking.firewall = {
      allowedTCPPorts = [80 443];
    };
    services.nginx = {
      enable = true;
      # The merge here is fine, as no domain should be specified twice
      virtualHosts =
        {
          "gallery.s-schoeffel.de" = {
            forceSSL = true;
            enableACME = true;
            root = "/srv/gallery.s-schoeffel.de";
          };
        }
        // redirects;
    };
  };
}