From a0f00a52e96f4273f749e16bb791e3cfb34522b8 Mon Sep 17 00:00:00 2001
From: Mike Vink
Date: Tue, 9 Jan 2024 00:29:30 +0100
Subject: add pump
---
profiles/homeserver/acme.nix | 13 +++++++++++++
profiles/homeserver/nginx.nix | 21 +++++++++++++++++++++
2 files changed, 34 insertions(+)
create mode 100644 profiles/homeserver/acme.nix
create mode 100644 profiles/homeserver/nginx.nix
(limited to 'profiles/homeserver')
diff --git a/profiles/homeserver/acme.nix b/profiles/homeserver/acme.nix
new file mode 100644
index 0000000..a30e395
--- /dev/null
+++ b/profiles/homeserver/acme.nix
@@ -0,0 +1,13 @@
+{ config, lib, ... }: with lib; {
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ # NOTE(ivi): use dns wildcard certs for local services
+ domain = "*.vinkies.net";
+ extraLegoRunFlags = ["--preferred-chain" "ISRG Root X1"];
+ email = ivi.email;
+ dnsProvider = "porkbun";
+ credentialsFile = config.secrets.porkbun.path;
+ };
+ };
+}
diff --git a/profiles/homeserver/nginx.nix b/profiles/homeserver/nginx.nix
new file mode 100644
index 0000000..cd847ba
--- /dev/null
+++ b/profiles/homeserver/nginx.nix
@@ -0,0 +1,21 @@
+{ lib, ... }: with lib; {
+ # apparently you can set defaults on existing modules?
+ options.services.nginx.virtualHosts = mkOption {
+ type = types.attrsOf (types.submodule ({ name, ... }: {
+ config = mkIf (name != "default") {
+ forceSSL = mkDefault true;
+ };
+ }));
+ };
+ config = {
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+ recommendedTlsSettings = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ };
+}
-- cgit v1.2.3
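Review bot: `domain = "*.vinkies.net";` is set under `security.acme.defaults`, but as far as I can tell `domain` is a per-certificate option (`security.acme.certs.<name>.domain`) rather than an inheritable default, so this line will likely either fail evaluation or never take effect; please confirm with a dry build and, if so, declare the wildcard as a named `security.acme.certs.<name>` entry that the vhosts reference. `email = ivi.email;` reaches `ivi` only through `with lib;` since it is not among the file's `{ config, lib, ... }` arguments — if it is an attribute this repo adds to `lib`, spelling it `lib.ivi.email` would make that dependency visible. The `# NOTE(ivi)` comment states the choice but not its trade-off; I'd extend it to something like `# NOTE(ivi): one DNS-01 wildcard cert is shared by every local vhost, so its key and the porkbun credentials in credentialsFile must stay readable only by the acme user`.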
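Review bot: The `forceSSL = mkDefault true;` default inside `config = mkIf (name != "default") {` supplies no certificate, so every vhost other than `default` still has to set `useACMEHost`, `enableACME` or `sslCertificate`; if I read the nginx module correctly, a vhost that omits all three will fail at evaluation rather than quietly fall back to plain HTTP, which is worth a comment next to the default. Given the wildcard certificate configured in acme.nix, a `useACMEHost = mkDefault "<wildcard-cert-name>";` alongside `forceSSL` would make the default self-contained (placeholder: use the cert's actual `security.acme.certs` name). The comment `# apparently you can set defaults on existing modules?` reads as a question; I'd replace it with `# Re-declaring virtualHosts as a submodule merges into the nginx module's option, so every vhost except "default" redirects HTTP to HTTPS unless it opts out.`, and say why `default` is exempt.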