{
  config,
  pkgs,
  ...
}: let
  # Throwaway self-signed certificate presented by the TLS catch-all host.
  # NOTE(review): both cert.pem and cert.key are build outputs and therefore
  # live in /nix/store, which is world-readable. That is tolerable only because
  # the host using them answers every request with 444; never reuse this key
  # for a real vhost.
  snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
    mkdir "$out"
    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
  '';

  # Directory the geoipupdate service stores its .mmdb files in.
  # NOTE(review): this only reads the option; services.geoipupdate must be
  # enabled elsewhere, otherwise the database paths referenced below point at
  # files that do not exist when nginx loads its configuration — confirm.
  geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;

  # Body shared by the plain and the TLS default hosts: serve HTTP-01 ACME
  # challenges from the acme webroot and close the connection (444) for
  # everything else, so requests for unknown hostnames get no response.
  catchAll = {
    default = true;
    serverName = "_";
    locations."/".extraConfig = "return 444;";
    locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
  };
in {
  services.nginx = {
    enable = true;
    package = pkgs.nginxMainline;
    additionalModules = [pkgs.nginxModules.geoip2];

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Resolve each client IP against the GeoLite2 country/city databases and
    # record the result in the access log. Every log line thus carries an
    # approximate location per client; keep that in mind when deciding log
    # retention and who may read /var/log/nginx.
    commonHttpConfig =
      # nginx
      ''
        geoip2 ${geoipDir}/GeoLite2-Country.mmdb {
          auto_reload 5m;
          $geoip2_metadata_country_build metadata build_epoch;
          $geoip2_data_country_code country iso_code;
          $geoip2_data_country_name country names en;
        }

        geoip2 ${geoipDir}/GeoLite2-City.mmdb {
          auto_reload 5m;
          $geoip2_data_city_name city names en;
        }

        log_format combined_geoip '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time" "$geoip2_data_country_name" "$geoip2_data_city_name"';
        access_log /var/log/nginx/access.log combined_geoip;
      '';

    # Both hosts are marked default; the second one binds only 443 (onlySSL),
    # so each listen port ends up with its own catch-all. NOTE(review): this
    # relies on how the NixOS nginx module maps `default = true` per port —
    # see https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
    virtualHosts = {
      "defaultDummy404" = catchAll;
      "defaultDummy404ssl" = catchAll // {
        # TLS-only catch-all: clients whose SNI matches no real vhost are shown
        # the placeholder certificate and then dropped with 444.
        onlySSL = true;
        sslCertificate = "${snakeoilCert}/cert.pem";
        sslCertificateKey = "${snakeoilCert}/cert.key";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [80 443];

  # Let nginx read certificates issued via security.acme.
  # NOTE(review): membership in the acme group grants read access to every
  # certificate and key under /var/lib/acme, not only the ones nginx serves.
  users.users.nginx.extraGroups = ["acme"];
}