Initial commit unclean

2026-01-01 06:44:26 -05:00 · 2025-08-30 20:31:10 +02:00
commit 4ebc8b23fe
50 changed files with 5191 additions and 0 deletions
--- a/modules/server/nginx.nix
+++ b/modules/server/nginx.nix
@@ -0,0 +1,107 @@
+{ config, lib, pkgs, ... }:
+
+{
+	security.acme = {
+		acceptTerms = true;
+		defaults.email = "jonashahn1@gmx.net";
+		#defaults.dnsProvider = "route53";
+		#defaults.dnsResolver = "2606:4700:4700::1111";
+		certs = {
+			"cloud.hahn1.one" = {
+				webroot = "/var/lib/acme/.challenges";
+				group = "nginx";
+			};
+		};
+	};
+	users.users.nginx.extraGroups = [ "acme" ];
+
+	# Setting the port for nextcloud
+	services.nginx = let
+		# support for local vars
+		mkDevCert = name: commonName:
+			pkgs.runCommandLocal "${name}-dev-cert" { buildInputs = [ pkgs.openssl ]; } ''
+			mkdir -p $out
+			openssl req -x509 -newkey rsa:4096 -keyout $out/key.pem -out $out/cert.pem -days 3650 -nodes \
+			-subj "/CN=${commonName}"
+			'';
+
+		# dev certs
+		# collaboraCert = mkDevCert "collabora-misox-cert" "collabora.misox";
+		# nextCert = mkDevCert "nextcloud-misox-cert" "nextcloud.misox";
+		# defCert = mkDevCert "default-misox-cert" "misox";
+
+		# default domain to use in the configuration
+		domain = "hahn1.one";
+	in {
+		# enable nginx
+		enable = true;
+		recommendedProxySettings = true;
+		recommendedOptimisation = true;
+		recommendedGzipSettings = true;
+
+		# setup virtual hosts
+		virtualHosts = {
+			# Expose nextcloud
+			# this is how to setup a dev cert route with ssl
+			#"${config.services.nextcloud.hostName}" = {
+			#	enableACME = false;
+			#	forceSSL = true;
+
+			#	sslCertificate = "${nextCert}/cert.pem";
+			#	sslCertificateKey = "${nextCert}/key.pem";
+			#};
+
+			"${config.services.nextcloud.hostName}" = {
+				enableACME = true;
+				addSSL = true;
+			};
+
+			"grafana.${domain}" = {
+				enableACME = true;
+				addSSL = true;
+
+				# this is to create a default listener
+				#listen = [{ addr = "0.0.0.0"; port = grafana_port;}];
+				locations."/" = {
+					proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+					proxyWebsockets = true;
+				};
+			};
+			"acmechallenge.${domain}" = {
+				# Catchall vhost, will redirect users to HTTPS for all vhosts
+				serverAliases = [ "*.example.com" ];
+				locations."/.well-known/acme-challenge" = {
+					root = "/var/lib/acme/.challenges";
+				};
+				locations."/" = {
+					return = "301 https://$host$request_uri";
+				};
+			};
+			"cool.${domain}" = {
+				enableACME = true;
+				addSSL = true;
+
+
+				locations."/" = {
+					proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
+					proxyWebsockets = true;
+				};
+			};
+			# This is the last and therefor occupies the http://misox?
+			# NO!
+			"${domain}" = {
+				default = true;
+				enableACME = true;
+				addSSL = true;
+
+				locations."/" = {
+					root = "${pkgs.nginx}/html";
+					index = "index.html";
+				};
+
+			};
+		};
+	};
+
+}
+