]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/nginx.nix
nix: update flake.lock
[sourcephile-nix.git] / hosts / losurdo / nginx.nix
1 { pkgs, lib, config, hostName, ... }:
2 let
3 inherit (config) networking;
4 inherit (config.services) nginx;
5 in
6 {
7 imports = [
8 ../../nixos/profiles/services/nginx.nix
9 nginx/sourcephile.fr.nix
10 ];
11 users.groups."acme".members = [nginx.user];
12 users.groups."transmission".members = [nginx.user];
13 networking.nftables.ruleset = ''
14 add rule inet filter net2fw tcp dport 80 counter accept comment "HTTP"
15 add rule inet filter net2fw tcp dport 443 counter accept comment "HTTPS"
16 '';
17 fileSystems."/var/lib/nginx" = {
18 device = "${hostName}/var/www";
19 fsType = "zfs";
20 };
21 services.upnpc.redirections = [
22 { description = "HTTP"; externalPort = 80; protocol = "TCP"; duration = 30 * 60;
23 service.wantedBy = ["nginx.service"];
24 service.partOf = ["nginx.service"];
25 }
26 { description = "HTTPS"; externalPort = 443; protocol = "TCP"; duration = 30 * 60;
27 service.wantedBy = ["nginx.service"];
28 service.partOf = ["nginx.service"];
29 }
30 ];
31 services.nginx = {
32 enable = true;
33 package = pkgs.nginx.override {
34 modules = with pkgs.nginxModules; [
35 fancyindex
36 ];
37 };
38 resolver = {
39 addresses = [ "127.0.0.1:53" ];
40 valid = "";
41 };
42 virtualHosts."_" = {
43 default = true;
44 extraConfig = ''
45 # Connection closed without response
46 return 444;
47 '';
48 forceSSL = true;
49 useACMEHost = networking.domain;
50 };
51 };
52 }