ambroisie/nix-config
ambroisie/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

services: add nginx and acme auto-configuration

Browse source 
This ensures that the recommened settings are turned on when using Nginx
in any service. It also provides for a SSL certificate using Let's
Encrypt.
This commit is contained in:
Bruno BELANYI 2021-01-31 16:37:58 +01:00
parent f85f7ff0b8
commit 32444fe8ae
3 changed files with 51 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
configuration.nix
View file

@ -9,6 +9,8 @@
[ [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
# Include my services
./services
]; ];
# Use the GRUB 2 boot loader. # Use the GRUB 2 boot loader.
@ -73,19 +75,11 @@
programs.mosh.enable = true; # Opens the relevant UDP ports. programs.mosh.enable = true; # Opens the relevant UDP ports.
# List services that you want to enable:
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.permitRootLogin = "no"; services.openssh.permitRootLogin = "no";
services.openssh.passwordAuthentication = false; services.openssh.passwordAuthentication = false;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave

7
services/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./nginx.nix
];
}

42
services/nginx.nix Normal file
View file

@ -0,0 +1,42 @@
# Configuration shamelessly stolen from [1]
#
# [1]: https://github.com/delroth/infra.delroth.net/blob/master/common/nginx.nix
{ config, lib, ... }:
{
# Whenever something defines an nginx vhost, ensure that nginx defaults are
# properly set.
config = lib.mkIf ((builtins.attrNames config.services.nginx.virtualHosts) != [ ]) {
services.nginx = {
enable = true;
statusPage = true; # For monitoring scraping.
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Nginx needs to be able to read the certificates
users.users.nginx.extraGroups = [ "acme" ];
# Use DNS wildcard certificate
security.acme = {
email = "bruno.acme@belanyi.fr";
acceptTerms = true;
certs =
let
domain = config.networking.domain;
in
{
"${domain}" = {
extraDomainNames = [ "*.${domain}" ];
dnsProvider = "gandiv5";
credentialsFile = ../secrets/acme/key.env;
};
};
};
};
}