# Host-level wiring for the public web services: pulls in the per-service
# modules, obtains the TLS certificate for the primary domain via ACME, and
# fronts everything with nginx.  `inputs` and `pkgs` are accepted for
# consistency with the other modules but are not used here.
{
  lib,
  config,
  inputs,
  pkgs,
  ...
}:
let
  # The primary domain is taken from networking.domain so every module
  # agrees on the same name.
  domain = config.networking.domain;
  # Contact address registered with the ACME provider.
  acmeContact = "contact@${domain}";
in
{
  imports = [
    ./matrix.nix
    ./puffer.nix
    ./gitea.nix
    ./grafana.nix
    ./nextcloud.nix
    ./prometheus.nix
    # ./mjolnir.nix
    ./fail2ban.nix
    ./email.nix
    ./discord-matrix-bridge.nix
    ./mastodon.nix
  ];

  # Only the HTTP/HTTPS listeners are opened by this file; the imported
  # service modules may open further ports of their own.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  security.acme = {
    # Required by the ACME module before any certificate can be requested.
    acceptTerms = true;
    defaults.email = acmeContact;
    # HTTP-01 challenge files land here; presumably served for the
    # useACMEHost vhost below — verify the challenge path is reachable.
    certs.${domain}.webroot = "/var/lib/acme/acme-challenge/";
  };

  services.nginx = {
    # package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
    enable = true;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # NOTE(review): replaces the module's default cipher list with AES-256
    # suites using (EC)DHE key exchange only; this string also matches the
    # CBC-mode AES256 suites and excludes ChaCha20/AES-128-GCM — confirm
    # that narrowing is intended.
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

    virtualHosts.${domain} = {
      # Plain-HTTP requests are redirected to HTTPS.
      forceSSL = true;
      # Force off so this vhost uses the certificate obtained above rather
      # than a separate one the matrix-synapse module would otherwise supply.
      enableACME = lib.mkForce false;
      useACMEHost = domain;
      locations."/".root = "/var/www/${domain}";
    };
  };

  # Group membership presumably gives nginx read access to the certificate
  # files under the ACME state directory — confirm against the acme module.
  users.users.nginx.extraGroups = [ "acme" ];
}