default.nix
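# NixOS module `vyxos.nginx`: a thin wrapper around `services.nginx`.
#
# Every virtual host declared under `vyxos.nginx.vhosts` is passed through
# `processVhost`, which forces HTTPS + ACME and appends a custom 502 error
# page, and is then handed to `services.nginx.virtualHosts`.
{
  nixpkgs,
  config,
  lib,
  pkgs,
  ...
}: let
  cfg = config.vyxos.nginx;
  # Only the helpers actually used below are brought into scope.
  inherit (lib) types mkEnableOption mkOption mkIf mkForce;

  # Returns the given vhost attrset with three attributes replaced:
  #   - forceSSL / enableACME are overwritten with `mkForce true`, so whatever
  #     the vhost declaration said for these two is discarded; no vhost
  #     defined through this module can opt out of TLS.
  #   - extraConfig keeps the vhost's own snippet first and then appends the
  #     502 error-page locations.
  # The parameter is named `vhost` (not `config`) so it cannot be confused
  # with the module-level `config` argument.
  processVhost = vhost:
    vhost
    // {
      forceSSL = mkForce true;
      enableACME = mkForce true;
      # `vhost.extraConfig` is interpolated verbatim into the generated nginx
      # configuration. Both error locations are exact-match (`=`) and are
      # rooted at the store copy of ./error.
      extraConfig = ''
        ${vhost.extraConfig}
        error_page 502 /502.html;
        location = /502.html {
        root ${./error};
        }
        location = /badgateway.jpg {
        root ${./error};
        }
      '';
    };
in {
  options.vyxos.nginx = {
    enable = mkEnableOption "VyxOS nginx";

    # Attribute set of virtual hosts, keyed by name. Each value is typed with
    # the vhost option set imported from the `nixpkgs` path argument, i.e. the
    # options defined in nixos/modules/services/web-servers/nginx/vhost-options.nix.
    vhosts = mkOption {
      type = types.attrsOf (types.submoduleWith {
        modules = [
          (import "${nixpkgs}/nixos/modules/services/web-servers/nginx/vhost-options.nix" {inherit config lib;})
        ];
      });
      default = {};
    };
  };

  config = mkIf cfg.enable {
    # Opens 80 and 443 on the host firewall. Port 80 stays reachable even
    # though every vhost has forceSSL set.
    # NOTE(review): presumably needed for the HTTP->HTTPS redirect and for
    # ACME HTTP-01 validation; confirm before closing it.
    networking.firewall.allowedTCPPorts = [80 443];

    users.users = {
      # Adds the nginx user to the `acme` group.
      # NOTE(review): this gives nginx access to everything that is
      # group-accessible to `acme`, not only the certificates of the vhosts
      # defined here. Confirm it is still required on the targeted NixOS
      # release and drop it if the certificates are already readable by nginx.
      nginx.extraGroups = ["acme"];
    };

    # Needed for reading sites from /home/kinu.
    # With systemd's ProtectHome=read-only, /home, /root and /run/user are all
    # visible (read-only) inside the nginx unit, subject to normal file
    # permissions; that is wider than the single directory named above.
    # NOTE(review): a narrower sandbox is ProtectHome = "tmpfs" combined with
    # BindReadOnlyPaths for the one directory that holds the sites. Verify the
    # site roots used by the vhosts before switching.
    systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Apply processVhost to every declared vhost; the attribute name is unused.
      virtualHosts = lib.mapAttrs (_name: processVhost) cfg.vhosts;
    };
  };
}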