cry/dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dotfiles/hosts/hyrule/services/nginx.nix

105 lines
3 KiB
Nix
Raw Blame History

{
inputs,
pkgs,
...
}: {
nixpkgs.overlays = [
(self: super: {
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
})
inputs.dobutterfliescry-net.overlays.default
];
# simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
services.nginx = {
enable = true;
# XXX: TODO: this should auto use the nginxStable overlay no?
# in wake of CVE-2022-3602/CVE-2022-3786
# package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
recommendedGzipSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# streamConfig = ''
# server {
# listen 127.0.0.1:53 udp reuseport;
# proxy_timeout 20s;
# proxy_pass 192.168.0.1:53535;
# }
# '';
virtualHosts = let
localhost = "http://127.0.0.1";
std = {
# TODO: should I run over QUIC+HTTP3? (experimental)
# quic = true;
# http3 = true;
enableACME = true;
# kTLS = true; # offload TLS to the linux kernel
};
website =
{
default = true;
addSSL = true; # not strictly enforced <3
root = "/var/www/imbored";
# extraConfig = ''
# error_page 404 /custom_404.html;
# '';
}
// std;
vault =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
forge =
{
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "${localhost}:3000";
}
// std;
in {
# XXX: TODO: imbored.dev and dobutterfliescry.net can't
# XXX: TODO: be active at the same time??? why??
# "imbored.dev" =
# {
# default = true;
# addSSL = true; # not strictly enforced <3
# root = "/var/www/imbored";
# # extraConfig = ''
# # error_page 404 /custom_404.html;
# # '';
# }
# // std;
"dobutterfliescry.net" =
{
default = true;
addSSL = true; # not strictly enforced <3
# root = "/var/www/cry";
root = "${pkgs.dobutterfliescry-net}/www";
# extraConfig = ''
# error_page 404 /custom_404.html;
# '';
}
// std;
# Route "vault" subdomain to vaultwarden
"vault.imbored.dev" = vault;
# Route "forge" subdomain to forgejo
# TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
"forge.imbored.dev" = forge;
# "forge.dobutterfliescry.net" = forge;
};
};
}
Reference in a new issue View git blame Copy permalink