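{ storage
, util
, domain
, mkContainer
, mkContainerConfig
, mkContainerDir
, ... } @args: let
  # Fixed address of the proxy container on the container network.
  address = "10.1.0.2";

  # Host-side state directory for this container: certificates and the
  # ACME challenge webroot live under it and are bind-mounted below.
  path = "${storage}/proxy";

  # Additional nginx virtual hosts, one file per host under ./proxy/host,
  # each evaluated with the same argument set as this module.
  virtualHosts = util.catSet (util.ls ./proxy/host) args;

  # TLS material shared by the server blocks in appendHttpConfig.  Paths are
  # as seen inside the container, i.e. the read-only mount of
  # "${path}/letsencrypt".  Kept in one place so the two :443 servers cannot
  # drift apart.
  tlsConfig = ''
    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    include /etc/letsencrypt/conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
  '';
in {
  # Create the host-side directories the bind mounts below expect.
  systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [
    "challenge"
    "letsencrypt"
  ];

  containers.proxy = mkContainer address {
    bindMounts = {
      # Certificates and keys: nginx only needs to read them.
      # NOTE(review): certbot is also installed inside the container, but it
      # cannot write its accounts/renewal state through a read-only mount, so
      # issuance/renewal presumably runs on the host into "${path}/letsencrypt"
      # — confirm, or make this mount writable.
      "/etc/letsencrypt" = {
        hostPath = "${path}/letsencrypt";
        isReadOnly = true;
      };
      # ACME HTTP-01 webroot; must stay writable for whoever places tokens.
      "/var/www/.well-known" = {
        hostPath = "${path}/challenge";
        isReadOnly = false;
      };
    };

    config = { pkgs, ... }: mkContainerConfig {
      environment.systemPackages = with pkgs; [ certbot ];

      services.nginx = {
        inherit virtualHosts;
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;

        appendConfig = util.trimTabs ''
          worker_processes 4;
        '';
        eventsConfig = util.trimTabs ''
          worker_connections 4096;
        '';

        appendHttpConfig = util.trimTabs ''
          # Catch-all for plain HTTP.  "default_server" is a flag on "listen",
          # not a server name: written as "server_name default_server;" it
          # only matched the literal host "default_server", so the first
          # ./proxy/host entry silently became the real :80 default.
          # NOTE(review): assumes no host in ./proxy/host sets default = true
          # on :80 — nginx refuses to start with two default servers.
          server {
            listen 80 default_server;
            server_name _;

            # Serve ACME challenges straight from the writable bind mount so
            # they are not swallowed by the redirect below (the :443 servers
            # here only answer 301/403, so a redirected challenge would fail).
            location /.well-known/ {
              root /var/www;
            }

            # $host is the client-supplied Host header; unknown names end up
            # on the :443 catch-all below, which rejects them.
            location / {
              return 301 https://$host$request_uri;
            }
          }

          # Pick the resume language from Accept-Language ("ru" anywhere in
          # the header selects the Russian PDF, everything else English).
          map $http_accept_language $resume {
            default https://git.${domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
            ~ru https://git.${domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
          }

          # Apex domain: every request is redirected to the resume download.
          server {
            server_name ${domain};
            listen 443 ssl;
            ${tlsConfig}
            return 301 $resume;
          }

          # TLS catch-all for unknown SNI / IP access.  The apex certificate
          # is presented so the client gets a clean 403 rather than a TLS
          # error; "ssl_reject_handshake on;" would be the stricter
          # alternative if presenting the cert is undesirable.
          server {
            listen 443 ssl default_server;
            server_name _;
            ${tlsConfig}
            return 403;
          }
        '';
      };
    };
  };
}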