flakes/modules/services/nginx.nix

{ config, inputs, ... }: {
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    email = "me@lava.moe";
    certs."lava.moe" = {
      group = "nginx";
      domain = "lava.moe";
      extraDomainNames = [
        "*.lava.moe"
        "*.local.lava.moe"
      ];
      dnsProvider = "cloudflare";
      credentialsFile = config.age.secrets."acme_dns".path;
    };
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      "lava.moe" = {
        useACMEHost = "lava.moe";
        forceSSL = true;
        root = inputs.website.outPath;
      };
      "_" = {
        default = true;
        addSSL = true;
        # TODO generate this somewhere
        sslCertificate = "/persist/fakeCerts/fake.crt";
        sslCertificateKey = "/persist/fakeCerts/fake.key";
        extraConfig = ''
          return 444;
        '';
      };
    };
  };
}
services/nginx: use acme dns challenge 2022-02-27 02:13:36 +07:00			`{ config, inputs, ... }: {`
services/nginx: open ports 80 and 443 (cherry picked from commit 328b0283483b18dda90904fb975368d414a72118) 2022-03-28 23:04:30 +07:00			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
services/nginx: use acme dns challenge 2022-02-27 02:13:36 +07:00			`security.acme = {`
			`acceptTerms = true;`
			`email = "me@lava.moe";`
			`certs."lava.moe" = {`
services/nginx: set acme group to nginx 2022-02-27 02:23:43 +07:00			`group = "nginx";`
services/nginx: add local wildcard to acme 2022-02-27 13:22:16 +07:00			`domain = "lava.moe";`
			`extraDomainNames = [`
			`"*.lava.moe"`
			`"*.local.lava.moe"`
			`];`
services/nginx: use acme dns challenge 2022-02-27 02:13:36 +07:00			`dnsProvider = "cloudflare";`
			`credentialsFile = config.age.secrets."acme_dns".path;`
			`};`
			`};`

services/{nginx,postgres,synapse}: init 2022-02-13 21:06:56 +07:00			`services.nginx = {`
			`enable = true;`
			`recommendedTlsSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedGzipSettings = true;`
			`recommendedProxySettings = true;`

			`virtualHosts = {`
			`"lava.moe" = {`
services/nginx: use acme dns challenge 2022-02-27 02:13:36 +07:00			`useACMEHost = "lava.moe";`
services/{nginx,postgres,synapse}: init 2022-02-13 21:06:56 +07:00			`forceSSL = true;`
services/nginx: add website 2022-02-14 18:34:46 +07:00			`root = inputs.website.outPath;`
services/{nginx,postgres,synapse}: init 2022-02-13 21:06:56 +07:00			`};`
services/nginx: return 444 on unknown domains 2022-02-17 09:54:46 +07:00			`"_" = {`
			`default = true;`
			`addSSL = true;`
			`# TODO generate this somewhere`
			`sslCertificate = "/persist/fakeCerts/fake.crt";`
			`sslCertificateKey = "/persist/fakeCerts/fake.key";`
			`extraConfig = ''`
			`return 444;`
			`'';`
			`};`
services/{nginx,postgres,synapse}: init 2022-02-13 21:06:56 +07:00			`};`
			`};`
			`}`