{ config, lib, pkgs, ... }:
{
# ACME (Let's Encrypt) client settings shared by every certificate.
security.acme.acceptTerms = true;
security.acme.defaults.email = "jonashahn1@gmx.net";

# DNS-01 validation is not in use; kept for reference only.
#security.acme.defaults.dnsProvider = "route53";
#security.acme.defaults.dnsResolver = "2606:4700:4700::1111";

# Certificate validated over HTTP-01 from a shared challenge directory.
# The webroot here must stay identical to the nginx location that serves
# /.well-known/acme-challenge (see services.nginx), or validation fails.
# NOTE(review): vhosts with `enableACME = true` declare their own
# certificate entry (different webroot); should
# services.nextcloud.hostName be "cloud.hahn1.one" the two definitions
# would collide -- confirm the host name before relying on this entry.
security.acme.certs."cloud.hahn1.one" = {
  webroot = "/var/lib/acme/.challenges";
  # Owning group so nginx can read the key without wider privileges.
  group = "nginx";
};
# Let the nginx user read certificate material owned by the "acme" group.
# NOTE(review): this grants nginx read access to every certificate whose
# group is left at the default, not only the ones it serves; the certs
# in this file are already `group = "nginx"`, so the grant looks broader
# than needed -- confirm no other cert depends on it before dropping it.
users.users.nginx = {
  extraGroups = [ "acme" ];
};
# nginx: TLS termination and reverse proxying for every public host.
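services.nginx = let

  # Build a throwaway self-signed certificate (RSA-4096, 10 years) for
  # local development.  WARNING: runCommandLocal writes key.pem into the
  # Nix store, which is world-readable on the host and may be pushed to a
  # binary cache -- never use the result for a publicly reachable host.
  mkDevCert = name: commonName:
    pkgs.runCommandLocal "${name}-dev-cert" { nativeBuildInputs = [ pkgs.openssl ]; } ''
      mkdir -p $out
      openssl req -x509 -newkey rsa:4096 -keyout $out/key.pem -out $out/cert.pem -days 3650 -nodes \
        -subj "/CN=${commonName}"
    '';

  # Dev certs, kept for reference; see the commented-out vhost below.
  # collaboraCert = mkDevCert "collabora-misox-cert" "collabora.misox";
  # nextCert = mkDevCert "nextcloud-misox-cert" "nextcloud.misox";
  # defCert = mkDevCert "default-misox-cert" "misox";

  # Base domain the public vhost names are derived from.
  domain = "hahn1.one";

in {
  enable = true;

  # Upstream-recommended proxy headers, connection tuning and gzip.
  recommendedProxySettings = true;
  recommendedOptimisation = true;
  recommendedGzipSettings = true;
  # Modern TLS protocol/cipher/session defaults for every TLS vhost;
  # without it nginx's built-in TLS defaults apply.
  recommendedTlsSettings = true;

  virtualHosts = {
    # How to terminate TLS with a dev cert instead of ACME:
    #"${config.services.nextcloud.hostName}" = {
    #  enableACME = false;
    #  forceSSL = true;
    #  sslCertificate = "${nextCert}/cert.pem";
    #  sslCertificateKey = "${nextCert}/key.pem";
    #};

    # Nextcloud.  The nextcloud module supplies the locations; this only
    # attaches the ACME certificate and forces HTTPS so logins and session
    # cookies are never sent over plain HTTP (addSSL left an unredirected
    # HTTP listener open, contradicting the catch-all redirect below).
    # NOTE(review): with TLS terminated in nginx, services.nextcloud.https
    # should be enabled so Nextcloud emits https:// URLs -- confirm.
    "${config.services.nextcloud.hostName}" = {
      enableACME = true;
      forceSSL = true;
    };

    # Grafana, reverse-proxied over loopback with websocket upgrades
    # passed through.  HTTPS is forced for the same reason as above.
    "grafana.${domain}" = {
      enableACME = true;
      forceSSL = true;

      # Explicit listener example (the defaults already bind 80/443):
      #listen = [{ addr = "0.0.0.0"; port = grafana_port;}];
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
        proxyWebsockets = true;
      };
    };

    # Plain-HTTP catch-all for every *.hahn1.one name without a vhost of
    # its own.  It answers HTTP-01 challenges for certificates declared
    # manually in security.acme (their webroot must equal the root below)
    # and redirects everything else to HTTPS.  The alias used to be
    # "*.example.com", a placeholder left over from the NixOS manual that
    # matched none of the hosts served here.
    "acmechallenge.${domain}" = {
      serverAliases = [ "*.${domain}" ];

      locations."/.well-known/acme-challenge" = {
        root = "/var/lib/acme/.challenges";
      };
      locations."/" = {
        return = "301 https://$host$request_uri";
      };
    };

    # Collabora Online, reverse-proxied over the IPv6 loopback.
    "cool.${domain}" = {
      enableACME = true;
      forceSSL = true;

      locations."/" = {
        proxyPass = "http://[::1]:${toString config.services.collabora-online.port}";
        proxyWebsockets = true;
      };
    };

    # Bare domain: serves nginx's bundled placeholder page.  `default`
    # makes this the server for any Host header no other vhost matches;
    # attribute order in this set plays no part in that.
    "${domain}" = {
      default = true;
      enableACME = true;
      forceSSL = true;

      locations."/" = {
        root = "${pkgs.nginx}/html";
        index = "index.html";
      };
    };
  };
};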
}