nix/container/Proxy.nix

126 lines
3.7 KiB
Nix
Raw Normal View History

# NOTE: To generate self-signed certs use: `openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./privkey.pem -out ./fullchain.pem`
# For dhparams: `openssl dhparam -out ./ssl-dhparam.pem 4096`
# Example for options-ssl-nginx.conf:
# ```
# ssl_session_cache shared:le_nginx_SSL:10m;
# ssl_session_timeout 1440m;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers off;
# ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# ```
# For certbot to generate new keys: `certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d "*.voronind.com" -d voronind.com`
2024-06-25 04:04:39 +03:00
{ util, container, pkgs, lib, config, ... } @args: with lib; let
cfg = config.container.module.proxy;
virtualHosts = util.catSet (util.ls ./proxy/host) args;
in {
2024-06-25 04:04:39 +03:00
options = {
container.module.proxy = {
enable = mkEnableOption "Proxy server.";
address = mkOption {
default = "10.1.0.2";
type = types.str;
};
port = mkOption {
default = 443;
type = types.int;
};
storage = mkOption {
default = "${config.container.storage}/proxy";
type = types.str;
};
};
};
2024-06-25 04:04:39 +03:00
config = mkIf cfg.enable {
systemd.tmpfiles.rules = container.mkContainerDir cfg [
"challenge"
"letsencrypt"
2024-06-09 23:35:53 +03:00
];
2024-06-25 04:04:39 +03:00
containers.proxy = container.mkContainer cfg {
forwardPorts = [
# {
# containerPort = 80;
# hostPort = 80;
# protocol = "tcp";
# } {
{
containerPort = cfg.port;
hostPort = cfg.port;
protocol = "tcp";
}
];
bindMounts = {
"/etc/letsencrypt" = {
hostPath = "${cfg.storage}/letsencrypt";
isReadOnly = true;
};
"/var/www/.well-known" = {
hostPath = "${cfg.storage}/challenge";
isReadOnly = false;
};
};
2024-06-25 04:04:39 +03:00
config = { ... }: container.mkContainerConfig cfg {
environment.systemPackages = with pkgs; [ certbot ];
2024-06-25 04:04:39 +03:00
services.nginx = {
inherit virtualHosts;
2024-06-25 04:04:39 +03:00
enable = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
2024-07-03 01:59:28 +03:00
clientMaxBodySize = "1024m";
2024-06-25 04:04:39 +03:00
appendConfig = util.trimTabs ''
worker_processes 4;
'';
eventsConfig = util.trimTabs ''
worker_connections 4096;
'';
# TODO: Fix 80 redirect and 403 default.
appendHttpConfig = util.trimTabs ''
server {
server_name default_server;
listen 80;
2024-06-25 04:04:39 +03:00
location / {
return 301 https://$host$request_uri;
}
}
2024-06-25 04:04:39 +03:00
map $http_accept_language $resume {
default https://git.${config.container.domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
~ru https://git.${config.container.domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
}
2024-06-25 04:04:39 +03:00
server {
server_name ${config.container.domain};
listen 443 ssl;
2024-06-25 04:04:39 +03:00
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
2024-06-25 04:04:39 +03:00
return 301 $resume;
}
2024-06-25 04:04:39 +03:00
server {
listen 443 ssl default_server;
server_name _;
2024-06-25 04:04:39 +03:00
ssl_certificate /etc/letsencrypt/live/${config.container.domain}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${config.container.domain}/privkey.pem;
include /etc/letsencrypt/conf/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;
2024-06-25 04:04:39 +03:00
return 403;
}
'';
};
};
};
};
}