123 lines
2.8 KiB
Nix
123 lines
2.8 KiB
Nix
{
|
|
lib,
|
|
config,
|
|
inputs,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
inherit (config.networking) domain;
|
|
root_email = "contact@${domain}";
|
|
in
|
|
{
|
|
imports = [
|
|
./matrix.nix
|
|
./puffer.nix
|
|
./gitea.nix
|
|
./grafana.nix
|
|
./nextcloud.nix
|
|
./prometheus.nix
|
|
# ./mjolnir.nix
|
|
./fail2ban.nix
|
|
./email.nix
|
|
./discord-matrix-bridge.nix
|
|
./mastodon.nix
|
|
];
|
|
|
|
options.serverConfig = with lib; {
|
|
ports = mkOption {
|
|
type = types.attrsOf types.int;
|
|
default = { };
|
|
description = "ports associated with services";
|
|
};
|
|
|
|
vhosts = mkOption {
|
|
type = types.attrsOf (
|
|
types.submodule {
|
|
options = {
|
|
port = mkOption {
|
|
type = types.int;
|
|
description = "port to redirect to this vhost";
|
|
};
|
|
host = mkOption {
|
|
type = types.nonEmptyStr;
|
|
description = "name if the vhost";
|
|
};
|
|
};
|
|
}
|
|
);
|
|
default = { };
|
|
description = "vhosts associated with services";
|
|
};
|
|
};
|
|
|
|
config = {
|
|
networking.firewall.allowedTCPPorts =
|
|
[
|
|
80
|
|
443
|
|
]
|
|
++ lib.attrValues config.serverConfig.ports
|
|
++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts);
|
|
|
|
services.nginx.virtualHosts =
|
|
{
|
|
"${domain}" = {
|
|
forceSSL = true;
|
|
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
|
|
useACMEHost = domain;
|
|
locations."/" = {
|
|
root = "/var/www/${domain}";
|
|
};
|
|
};
|
|
}
|
|
// (lib.concatMapAttrs (_: host: {
|
|
"${host.host}" = {
|
|
serverName = host.host;
|
|
forceSSL = true;
|
|
useACMEHost = domain;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${builtins.toString host.port}";
|
|
};
|
|
};
|
|
}) config.serverConfig.vhosts);
|
|
|
|
serverConfig = {
|
|
ports = {
|
|
puffer_sftp_port = 5657;
|
|
};
|
|
vhosts = {
|
|
puffer_host = {
|
|
port = 8080;
|
|
host = "puffer.${domain}";
|
|
};
|
|
tlemap_host = {
|
|
port = 8100;
|
|
host = "tlemap.${domain}";
|
|
};
|
|
};
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = root_email;
|
|
certs."${domain}" = {
|
|
webroot = "/var/lib/acme/acme-challenge/";
|
|
extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "acme" ];
|
|
};
|
|
}
|