feat(compute01): init pages server #151
1 changed files with 73 additions and 63 deletions
|
|
@ -36,70 +36,80 @@ let
|
|||
in
|
||||
|
||||
{
|
||||
options.services.nginx.virtualHosts = lib.mkOption {
|
||||
type = lib.types.attrsOf (
|
||||
lib.types.submodule {
|
||||
config.extraConfig = ''
|
||||
real_ip_header proxy_protocol;
|
||||
set_real_ip_from 127.0.0.1;
|
||||
'';
|
||||
}
|
||||
);
|
||||
};
|
||||
|
||||
systemd.services.codeberg-pages = {
|
||||
inherit environment;
|
||||
description = "Codeberg pages server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
StateDirectory = "codeberg-pages";
|
||||
EnvironmentFile = config.age.secrets."pages-environment_file".path;
|
||||
WorkingDirectory = "/var/lib/codeberg-pages";
|
||||
DynamicUser = true;
|
||||
ExecStart = lib.getExe package;
|
||||
Restart = "on-failure";
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
NoNewPrivileges = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RemoveIPC = true;
|
||||
PrivateMounts = true;
|
||||
config = {
|
||||
systemd.services.codeberg-pages = {
|
||||
inherit environment;
|
||||
description = "Codeberg pages server";
|
||||
after = [ "network.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
StateDirectory = "codeberg-pages";
|
||||
EnvironmentFile = config.age.secrets."pages-environment_file".path;
|
||||
WorkingDirectory = "/var/lib/codeberg-pages";
|
||||
DynamicUser = true;
|
||||
ExecStart = lib.getExe package;
|
||||
Restart = "on-failure";
|
||||
ProtectHome = true;
|
||||
ProtectSystem = "strict";
|
||||
PrivateTmp = true;
|
||||
PrivateDevices = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
NoNewPrivileges = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
RemoveIPC = true;
|
||||
PrivateMounts = true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
defaultListen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8446;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
ssl = false;
|
||||
}
|
||||
];
|
||||
|
||||
streamConfig = ''
|
||||
map $ssl_preread_server_name $sni_upstream {
|
||||
default 127.0.0.1:8010;
|
||||
${
|
||||
lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
|
||||
lib.attrNames config.services.nginx.virtualHosts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
ssl_preread on;
|
||||
proxy_pass $sni_upstream;
|
||||
proxy_protocol on;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
defaultListen = [
|
||||
{
|
||||
addr = "127.0.0.1";
|
||||
port = 8446;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
ssl = false;
|
||||
}
|
||||
];
|
||||
streamConfig = ''
|
||||
map $ssl_preread_server_name $sni_upstream {
|
||||
default 127.0.0.1:8010;
|
||||
${
|
||||
lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
|
||||
lib.attrNames config.services.nginx.virtualHosts
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
ssl_preread on;
|
||||
proxy_pass $sni_upstream;
|
||||
proxy_protocol on;
|
||||
}
|
||||
|
||||
'';
|
||||
defaultSSLListenPort = 8446;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue