55 lines
1.1 KiB
Nix
55 lines
1.1 KiB
Nix
|
{ pkgs
|
||
|
|
, storage
|
||
|
|
, const
|
||
|
|
, domain
|
||
|
|
, host
|
||
|
|
, util
|
||
|
|
, mkContainer
|
||
|
|
, mkContainerConfig
|
||
|
|
, ... } @args: let
|
||
|
|
path = "${storage}/proxy";
|
||
|
|
virtualHosts = util.catSet (util.ls ./proxy/host) args;
|
||
|
|
in {
|
||
|
|
systemd.tmpfiles.rules = map (
|
||
|
|
dirName: "d '${path}/${dirName}' 1777 root root - -"
|
||
|
|
) [ "challenge" "letsencrypt" ];
|
||
|
|
|
||
|
|
containers.proxy = mkContainer {
|
||
|
|
autoStart = true;
|
||
|
|
hostAddress = host;
|
||
|
|
localAddress = "10.1.0.2";
|
||
|
|
privateNetwork = true;
|
||
|
|
|
||
|
|
bindMounts = {
|
||
|
|
"/etc/letsencrypt" = {
|
||
|
|
hostPath = "${path}/letsencrypt";
|
||
|
|
isReadOnly = true;
|
||
|
|
};
|
||
|
|
"/var/www/.well-known" = {
|
||
|
|
hostPath = "${path}/challenge";
|
||
|
|
isReadOnly = false;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
config = { config, lib, pkgs, ... }: mkContainerConfig {
|
||
|
|
system.stateVersion = const.stateVersion;
|
||
|
|
|
||
|
|
users.users.root.password = "";
|
||
|
|
users.mutableUsers = false;
|
||
|
|
|
||
|
|
networking = {
|
||
|
|
useHostResolvConf = lib.mkForce false;
|
||
|
|
firewall.enable = false;
|
||
|
|
};
|
||
|
|
|
||
|
|
environment.systemPackages = with pkgs; [ certbot ];
|
||
|
|
|
||
|
|
services.nginx = {
|
||
|
|
inherit virtualHosts;
|
||
|
|
|
||
|
|
enable = true;
|
||
|
|
};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
}
|