blob: 1e9b6261c82ddf7078f47dcab45453368ce566bd (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
{
lib,
config,
...
}: let
importedRedirects = import ./redirects.nix {};
mkRedirect = {
key,
value,
}: {
name = key;
value = {
forceSSL = true;
enableACME = true;
locations."/".return = "301 ${value}";
};
};
redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
cfg = config.vhack.nginx;
in {
options.vhack.nginx = {
enable = lib.mkEnableOption ''
a default nginx config.
'';
selfsign = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to selfsign the acme certificates. This should only
really be useful for tests.
'';
};
};
config = lib.mkIf cfg.enable {
vhack.persist.directories = [
"/var/lib/acme"
];
users = {
users.acme.uid = config.vhack.constants.ids.uids.acme;
groups.acme.gid = config.vhack.constants.ids.gids.acme;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "admin@vhack.eu";
webroot = "/var/lib/acme/acme-challenge";
# Avoid spamming the acme server, if we run in a test, and only really want self-signed
# certificates
server = lib.mkIf cfg.selfsign "https://127.0.0.1";
};
};
networking.firewall = {
allowedTCPPorts = [80 443];
};
services.nginx = {
enable = true;
# The merge here is fine, as no domain should be specified twice
virtualHosts =
{
"gallery.s-schoeffel.de" = {
forceSSL = true;
enableACME = true;
root = "/srv/gallery.s-schoeffel.de";
};
}
// redirects;
};
};
}
|