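{pkgs, ...}: let
  # Self-signed throw-away certificate for the catch-all HTTPS vhost below.
  # It is produced at build time, so cert.pem AND cert.key end up in the
  # world-readable Nix store. That is only acceptable because this pair is
  # never used for a real hostname: the vhost it backs drops every request
  # with 444. Do not reference it from any other virtualHost.
  # openssl is a build-time tool, so it belongs in nativeBuildInputs
  # (buildInputs also works for native builds but is wrong under cross).
  snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {nativeBuildInputs = [pkgs.openssl];} ''
    mkdir "$out"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
  '';
in {
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Catch-all server blocks so that requests whose Host header / SNI matches
    # no configured vhost are dropped, instead of being answered by whichever
    # vhost nginx happens to pick first (and, for TLS, instead of presenting
    # another host's certificate).
    # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
    virtualHosts = {
      "defaultDummy404" = {
        default = true;
        serverName = "_";
        # 444 closes the connection without sending any response.
        locations."/".extraConfig = "return 444;";
        # HTTP-01 challenges for any name pointing at this host are served
        # from the ACME challenge webroot (presumably the one security.acme /
        # enableACME vhosts write to — confirm against the rest of the config).
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
      };
      "defaultDummy404ssl" = {
        default = true;
        serverName = "_";
        locations."/".extraConfig = "return 444;";
        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
        # Dummy SSL config: a TLS-listening server block needs some
        # certificate to complete the handshake, and the snakeoil pair is used
        # so that no real host's certificate is ever presented here.
        # NOTE(review): `rejectSSL = true` (ssl_reject_handshake) would avoid
        # shipping a private key in the store at all, at the cost of clients
        # seeing a handshake failure rather than a closed connection.
        onlySSL = true;
        sslCertificate = "${snakeoilCert}/cert.pem";
        sslCertificateKey = "${snakeoilCert}/cert.key";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [80 443];

  # allow nginx to access Acme secrets
  # (group membership is what lets the nginx user read the certificate and
  # key files under /var/lib/acme — presumably for vhosts defined elsewhere)
  users.users.nginx.extraGroups = ["acme"];
}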