services: add nginx and acme auto-configuration

This ensures that the recommened settings are turned on when using Nginx in any service. It also provides for a SSL certificate using Let's Encrypt.
2021-01-31 16:37:58 +01:00 · 2021-01-31 16:37:58 +01:00 · 32444fe8ae
parent f85f7ff0b8
commit 32444fe8ae
3 changed files with 51 additions and 8 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -9,6 +9,8 @@
    [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
+      # Include my services
+      ./services
    ];

  # Use the GRUB 2 boot loader.
@ -73,19 +75,11 @@

  programs.mosh.enable = true; # Opens the relevant UDP ports.

-  # List services that you want to enable:
-
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  services.openssh.permitRootLogin = "no";
  services.openssh.passwordAuthentication = false;

-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/services/default.nix
+++ b/services/default.nix
@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  imports = [
+    ./nginx.nix
+  ];
+}
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -0,0 +1,42 @@
+# Configuration shamelessly stolen from [1]
+#
+# [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
+{ config, lib, ... }:
+
+{
+  # Whenever something defines an nginx vhost, ensure that nginx defaults are
+  # properly set.
+  config = lib.mkIf ((builtins.attrNames config.services.nginx.virtualHosts) != [ ]) {
+    services.nginx = {
+      enable = true;
+      statusPage = true; # For monitoring scraping.
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    # Nginx needs to be able to read the certificates
+    users.users.nginx.extraGroups = [ "acme" ];
+
+    # Use DNS wildcard certificate
+    security.acme = {
+      email = "bruno.acme@belanyi.fr";
+      acceptTerms = true;
+      certs =
+        let
+          domain = config.networking.domain;
+        in
+        {
+          "${domain}" = {
+            extraDomainNames = [ "*.${domain}" ];
+            dnsProvider = "gandiv5";
+            credentialsFile = ../secrets/acme/key.env;
+          };
+        };
+    };
+  };
+}