javalsai
7e7097f457
few side refactors of this: - no more `dns.domain`, it all must rely on `fqdn`, prevents inconsistencies. - also added an specific host `tuxcord-acmetest` that uses the key zone for `nix.tuxcord.net` to test certificate pulling.
46 lines
862 B
Nix
46 lines
862 B
Nix
{ config, ... }:
|
|
let
|
|
inherit (config.networking) fqdn;
|
|
|
|
mkVhost =
|
|
attrs:
|
|
let
|
|
acmeEnabled = config.acme.enable;
|
|
in
|
|
{
|
|
forceSSL = acmeEnabled;
|
|
useACMEHost = if acmeEnabled then fqdn else null;
|
|
}
|
|
// attrs;
|
|
|
|
mkProxy = port: {
|
|
proxyPass = "http://127.0.0.1:${toString port}/";
|
|
};
|
|
in
|
|
{
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
|
|
# services.nginx.virtualHosts."${fqdn}" = {
|
|
# addSSL = true;
|
|
# root = "/var/www/myhost.org";
|
|
# default = true;
|
|
# };
|
|
|
|
virtualHosts."git.${fqdn}" = mkVhost {
|
|
locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
80
|
|
443
|
|
];
|
|
}
|