mermet: lock machine-id
# Host-level nginx wiring for this machine: service definition, firewall
# opening, UPnP port mappings and the ZFS-backed web root. The actual
# virtual hosts come from the imported nginx/sourcephile.fr.nix.
{ pkgs, config, hostName, ... }:
let
  webUser = config.services.nginx.user;
  domain = config.networking.domain;

  # Lease length (seconds) requested from the router for each UPnP mapping.
  leaseSeconds = 1800;

  # Both public ports share one lifecycle: the mapping units are started
  # with nginx.service and stopped/restarted together with it.
  upnpRedirect = description: externalPort: {
    inherit description externalPort;
    protocol = "TCP";
    duration = leaseSeconds;
    service.wantedBy = [ "nginx.service" ];
    service.partOf = [ "nginx.service" ];
  };
in
{
  imports = [
    ../../nixos/profiles/services/nginx.nix
    nginx/sourcephile.fr.nix
  ];

  # Supplementary groups for the nginx worker user.
  # NOTE(review): `keys` membership makes every group-readable file in that
  # group available to nginx; presumably only the material needed by the
  # imported vhost — confirm nothing unrelated is group-readable there.
  users.groups = {
    acme.members = [ webUser ];
    keys.members = [ webUser ];
    transmission.members = [ webUser ];
  };

  # Accept inbound HTTP and HTTPS from the network-facing chain.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { http, https } counter accept comment "HTTP(S)"
      }
    }
  '';

  # Web root is a dedicated ZFS dataset named after the host.
  fileSystems."/var/lib/nginx" = {
    device = "${hostName}/var/www";
    fsType = "zfs";
  };

  # Ask the router to forward 80 and 443 while nginx is running.
  services.upnpc = {
    enable = true;
    redirections = [
      (upnpRedirect "HTTP" 80)
      (upnpRedirect "HTTPS" 443)
    ];
  };

  services.nginx = {
    enable = true;

    # Stock nginx plus the fancyindex module.
    package = pkgs.nginx.override {
      modules = [ pkgs.nginxModules.fancyindex ];
    };

    # Resolve through the local DNS listener only.
    # NOTE(review): an empty `valid` presumably leaves nginx's `valid=`
    # parameter unset — verify against the nginx module if cache lifetime
    # matters.
    resolver = {
      addresses = [ "127.0.0.1:53" ];
      valid = "";
    };

    # Catch-all server for any Host header that matches no configured vhost:
    # the connection is closed without a response. It is served under the
    # domain's ACME certificate so the TLS handshake can complete before the
    # request is dropped.
    # NOTE(review): forceSSL presumably also answers plain HTTP with a
    # redirect to https:// for these unknown hosts, so the 444 applies on
    # the TLS side — confirm against the nginx module's forceSSL handling.
    virtualHosts."_" = {
      default = true;
      forceSSL = true;
      useACMEHost = domain;
      extraConfig = ''
        # Connection closed without response
        return 444;
      '';
    };
  };
}