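# NixOS container "proxy": the edge nginx for this host.  It terminates TLS
# with certificates mounted read-only from the host, appends a set of
# catch-all servers, and merges the per-host virtualHosts found in
# ./proxy/host.
{ storage
, const
, util
, domain
, mkContainer
, mkContainerConfig
, mkContainerDir
, ... } @args: let
  # Static address of the container on the host side.
  address = "10.1.0.2";
  # Host-side directory holding everything this container persists.
  path = "${storage}/proxy";
  # Every file under ./proxy/host is evaluated with the same arguments as this
  # module and the results are concatenated into one virtualHosts attrset.
  virtualHosts = util.catSet (util.ls ./proxy/host) args;
in {
  # Host-side directories backing the bind mounts below.
  systemd.tmpfiles.rules = map (dir: mkContainerDir "${path}/${dir}") [
    "challenge"
    "letsencrypt"
  ];

  containers.proxy = mkContainer address {
    bindMounts = {
      # Certificates and keys are produced outside the container; nginx only
      # reads them, so the mount is read-only.
      "/etc/letsencrypt" = {
        hostPath = "${path}/letsencrypt";
        isReadOnly = true;
      };
      # Writable so HTTP-01 challenge tokens can be dropped here; nginx must
      # serve this path over plain HTTP for the challenge to succeed.
      "/var/www/.well-known" = {
        hostPath = "${path}/challenge";
        isReadOnly = false;
      };
    };

    config = { lib, pkgs, ... }: mkContainerConfig {
      system.stateVersion = const.stateVersion;

      # NOTE(review): an empty root password lets any getty/PAM login inside
      # the container succeed without a secret.  `nixos-container root-login`
      # does not need a password, so `hashedPassword = "!"` (login disabled)
      # is the safer choice if no console login is intended -- confirm before
      # changing.
      users.users.root.password = "";
      users.mutableUsers = false;

      networking = {
        useHostResolvConf = lib.mkForce false;
        # The container firewall is off, so every listening service in the
        # container is reachable from the host network.  Only nginx (80/443)
        # is configured to listen here; keep it that way, or re-enable the
        # firewall with explicit allowedTCPPorts.
        firewall.enable = false;
      };

      environment.systemPackages = with pkgs; [ certbot ];

      services.nginx = {
        inherit virtualHosts;

        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        appendConfig = util.trimTabs ''
          worker_processes 4;
        '';
        eventsConfig = util.trimTabs ''
          worker_connections 4096;
        '';
        # Catch-all servers, appended after the generated virtualHosts.  Nix
        # substitutes `domain` into the text; the `$host`-style tokens are
        # nginx variables.
        #
        # Port 80: `default_server` is a parameter of `listen`, not a server
        # name -- the previous `server_name default_server;` only matched a
        # Host header literally equal to "default_server", so unknown hosts
        # were handled by whichever virtualHost happened to come first.  With
        # the flag on `listen` this block must be the only default on :80, so
        # no host in ./proxy/host may set `default = true`.
        #
        # The ACME location serves tokens from the writable bind mount before
        # the blanket redirect; it assumes certbot is run with
        # `--webroot -w /var/www` (tokens under /var/www/.well-known/acme-challenge/)
        # -- confirm against the actual certbot invocation.
        #
        # `$host` in the redirect is taken from the client's Host header; only
        # the scheme changes, so the client stays on the name it asked for.
        #
        # The `map` uses `~ru`, an unanchored regex: any Accept-Language
        # containing "ru" (including lower-ranked entries) selects the Russian
        # PDF; `~^ru` would restrict it to a leading preference.
        #
        # Port 443 default: unknown SNI names get the ${domain} certificate and
        # a 403 rather than being proxied anywhere.
        appendHttpConfig = util.trimTabs ''
          server {
            listen 80 default_server;
            server_name _;

            location /.well-known/acme-challenge/ {
              root /var/www;
            }

            location / {
              return 301 https://$host$request_uri;
            }
          }

          map $http_accept_language $resume {
            default https://git.${domain}/voronind/resume/releases/download/latest/voronind_en.pdf;
            ~ru https://git.${domain}/voronind/resume/releases/download/latest/voronind_ru.pdf;
          }

          server {
            server_name ${domain};
            listen 443 ssl;

            ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
            include /etc/letsencrypt/conf/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;

            return 301 $resume;
          }

          server {
            listen 443 ssl default_server;
            server_name _;

            ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
            include /etc/letsencrypt/conf/options-ssl-nginx.conf;
            ssl_dhparam /etc/letsencrypt/conf/ssl-dhparams.pem;

            return 403;
          }
        '';
      };
    };
  };
}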