losurdo: gitolite: udpate
[sourcephile-nix.git] / hosts / losurdo / nginx.nix
1 { pkgs, lib, config, hostName, ... }:
2 let
3 inherit (config) networking;
4 inherit (config.services) nginx;
5 in
6 {
7 imports = [
8 ../../nixos/profiles/services/nginx.nix
9 nginx/sourcephile.fr.nix
10 ];
11 users.groups."acme".members = [nginx.user];
12 users.groups."keys".members = [nginx.user];
13 users.groups."transmission".members = [nginx.user];
14 networking.nftables.ruleset = ''
15 add rule inet filter net2fw tcp dport 80 counter accept comment "HTTP"
16 add rule inet filter net2fw tcp dport 443 counter accept comment "HTTPS"
17 '';
18 fileSystems."/var/lib/nginx" = {
19 device = "${hostName}/var/www";
20 fsType = "zfs";
21 };
22 services.upnpc.redirections = [
23 { description = "HTTP"; externalPort = 80; protocol = "TCP"; duration = 30 * 60;
24 service.wantedBy = ["nginx.service"];
25 service.partOf = ["nginx.service"];
26 }
27 { description = "HTTPS"; externalPort = 443; protocol = "TCP"; duration = 30 * 60;
28 service.wantedBy = ["nginx.service"];
29 service.partOf = ["nginx.service"];
30 }
31 ];
32 services.nginx = {
33 enable = true;
34 package = pkgs.nginx.override {
35 modules = with pkgs.nginxModules; [
36 fancyindex
37 ];
38 };
39 resolver = {
40 addresses = [ "127.0.0.1:53" ];
41 valid = "";
42 };
43 virtualHosts."_" = {
44 default = true;
45 extraConfig = ''
46 # Connection closed without response
47 return 444;
48 '';
49 forceSSL = true;
50 useACMEHost = networking.domain;
51 };
52 };
53 }