| -rw-r--r-- | ivi/ivi.nix | 3 | ||||
| -rw-r--r-- | profiles/homeserver/acme.nix | 13 | ||||
| -rw-r--r-- | profiles/homeserver/nginx.nix | 21 | ||||
| -rw-r--r-- | profiles/server/nginx.nix | 2 |
4 files changed, 37 insertions, 2 deletions
diff --git a/ivi/ivi.nix b/ivi/ivi.nix
index ad6d79d..469a11b 100644
--- a/ivi/ivi.nix
+++ b/ivi/ivi.nix
@@ -87,10 +87,11 @@ self: lib: with lib; let
 "server"
 ];
 };
- kubo = {
+ pump = {
 isDeployed = true;
 profiles = [
 "core"
+ "homeserver"
 ];
 };
 };
diff --git a/profiles/homeserver/acme.nix b/profiles/homeserver/acme.nix
new file mode 100644
index 0000000..a30e395
--- /dev/null
+++ b/profiles/homeserver/acme.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }: with lib; {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ # NOTE(ivi): use dns wildcard certs for local services
+ domain = "*.vinkies.net";
+ extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
+ email = ivi.email;
+ dnsProvider = "porkbun";
+ credentialsFile = config.secrets.porkbun.path;
+ };
+ };
+}
diff --git a/profiles/homeserver/nginx.nix b/profiles/homeserver/nginx.nix
new file mode 100644
index 0000000..cd847ba
--- /dev/null
+++ b/profiles/homeserver/nginx.nix
@@ -0,0 +1,21 @@
+{ lib, ... }: with lib; {
+ # apparently you can set defaults on existing modules?
+ options.services.nginx.virtualHosts = mkOption {
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ config = mkIf (name != "default") {
+ forceSSL = mkDefault true;
+ };
+ }));
+ };
+ config = {
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
diff --git a/profiles/server/nginx.nix b/profiles/server/nginx.nix
index 3662598..d497833 100644
--- a/profiles/server/nginx.nix
+++ b/profiles/server/nginx.nix
@@ -1,4 +1,4 @@
-{ inputs, lib, ... }: with lib; {
+{ lib, ... }: with lib; {
 # apparently you can set defaults on existing modules?
 options.services.nginx.virtualHosts = mkOption {
 type = types.attrsOf (types.submodule ({ name, ... }: { |
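Review bot: `domain = "*.vinkies.net";` sits under `security.acme.defaults`, and as far as I know `domain` is a per-certificate option rather than one of the inheritable defaults, so this may fail to evaluate or not produce the wildcard certificate the NOTE describes; please confirm with a build. If that is the case, declare the certificate explicitly, e.g. `security.acme.certs."vinkies.net".domain = "*.vinkies.net";`, and point vhosts at it with `useACMEHost = "vinkies.net";` (the certificate name here is only an example). Separately, the Porkbun key behind `credentialsFile` can rewrite DNS records for the domain, so a comment should state that `config.secrets.porkbun.path` resolves outside the Nix store and is readable only by the ACME user; the secrets module is not visible in this commit.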
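Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 ];` in profiles/homeserver/nginx.nix opens both ports on every interface, while the ACME profile in this commit describes the services as local. If they are meant to be reachable from the LAN only, scope the rule to the internal interface with `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ 80 443 ];` (placeholder interface name). The `name != "default"` guard also leaves a vhost called `default` without `forceSSL`, which deserves a comment saying what that vhost is allowed to serve over plain HTTP. The leading comment reads as a question; `# Re-declare virtualHosts so every vhost except "default" gets forceSSL by default.` would state the intent.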
