feat(wpcarro/website): Support SSL certs for wpcarro.dev

This has been sloppy for a while...

While I'm at it modularize some of my Nginx configuration.

Side note: might be time to decouple the Terraform provisioning stuffs from the
NixOS configuration, and this feels *too* tightly coupled.

Change-Id: Ida0da5462d938b956571321a67ba1f026fb0a7de
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5902
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI
William Carroll 2022-06-28 10:32:41 -07:00 committed by clbot
parent ab1984c8ac
commit 6d99b93f1a
5 changed files with 74 additions and 37 deletions


@ -4,6 +4,9 @@ let
inherit (depot.users) wpcarro;
name = "diogenes";
domainName = "billandhiscomputer.com";
mod = name: depot.path.origSrc + ("/ops/modules/" + name);
usermod = name: depot.path.origSrc + ("/users/wpcarro/nixos/modules/" + name);
in
wpcarro.terraform.googleCloudVM {
project = "wpcarros-infrastructure";
@ -36,7 +39,10 @@ wpcarro.terraform.googleCloudVM {
configuration = {
imports = [
(depot.path.origSrc + "/ops/modules/quassel.nix")
(mod "quassel.nix")
(usermod "nginx.nix")
(usermod "www/billandhiscomputer.com.nix")
(usermod "www/wpcarro.dev.nix")
];
networking = {
@ -117,42 +123,6 @@ wpcarro.terraform.googleCloudVM {
googleCloudProject = "wpcarros-infrastructure";
applicationCredentials = "/etc/gcp/key.json";
};
nginx = {
enable = true;
enableReload = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
# for journaldriver
commonHttpConfig = ''
log_format json_combined escape=json
'{'
'"remote_addr":"$remote_addr",'
'"method":"$request_method",'
'"host":"$host",'
'"uri":"$request_uri",'
'"status":$status,'
'"request_size":$request_length,'
'"response_size":$body_bytes_sent,'
'"response_time":$request_time,'
'"referrer":"$http_referer",'
'"user_agent":"$http_user_agent"'
'}';
access_log syslog:server=unix:/dev/log,nohostname json_combined;
'';
virtualHosts = {
"${domainName}" = {
addSSL = true;
enableACME = true;
root = wpcarro.website.root;
};
};
};
};
system.stateVersion = "21.11";
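Review bot: The second hunk imports `(usermod "www/wpcarro.dev.nix")`, which enables ACME for a second host, and the HTTP-01 challenge only succeeds if wpcarro.dev resolves to this VM and ports 80 and 443 are reachable; the `networking = {` block that would confirm the firewall rules is cut off at the end of that hunk, so I cannot verify it from here. `domainName` in the first hunk remains, whether new or pre-existing, while its only visible consumer, the virtualHosts entry removed in the third hunk, is gone; if nothing outside the diff reads it, drop the binding. The `mod`/`usermod` helpers would read better with a one-line comment each, e.g. `# path of a module under ops/modules/` and `# path of a module under users/wpcarro/nixos/modules/`.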


@ -0,0 +1 @@
NixOS modules are not readTree compatible.


@ -0,0 +1,45 @@
# Common configuration for Nginx.
{ pkgs, ... }:
{
config = {
security.acme = {
acceptTerms = true;
defaults.email = "wpcarro@gmail.com";
};
services.nginx = {
enable = true;
enableReload = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
# Log errors to journald (i.e. /dev/log) with debug verbosity.
logError = "syslog:server=unix:/dev/log debug";
# for journaldriver
commonHttpConfig = ''
log_format json_combined escape=json
'{'
'"remote_addr":"$remote_addr",'
'"method":"$request_method",'
'"host":"$host",'
'"uri":"$request_uri",'
'"status":$status,'
'"request_size":$request_length,'
'"response_size":$body_bytes_sent,'
'"response_time":$request_time,'
'"referrer":"$http_referer",'
'"user_agent":"$http_user_agent"'
'}';
access_log syslog:server=unix:/dev/log,nohostname json_combined;
'';
appendHttpConfig = ''
add_header Permissions-Policy "interest-cohort=()";
'';
};
};
}
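Review bot: The `services.nginx` block drops `recommendedProxySettings = true`, which the host configuration removed in the first file section had; if any virtual host ends up behind `proxy_pass`, the forwarding headers that option sets will be missing, so either restore it or say in the header comment that proxying is intentionally not covered by this module. `logError = "syslog:server=unix:/dev/log debug"` in a permanent configuration is very noisy and belongs to a troubleshooting session; `info` or `error` is the usual steady-state level, and if debug is wanted a comment should say why. `add_header` in `appendHttpConfig` is inherited by a server or location block only when that block declares no `add_header` of its own, so a virtual host that adds any header silently loses Permissions-Policy; a comment next to it, `# NOTE: not inherited by any server/location that sets its own add_header`, would save the next reader a surprise. The `pkgs` argument is unused and the signature can be `{ ... }:`.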


@ -0,0 +1,11 @@
{ pkgs, depot, ... }:
{
config = {
services.nginx.virtualHosts."billandhiscomputer.com" = {
enableACME = true;
forceSSL = true;
root = depot.users.wpcarro.website.root;
};
};
}
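Review bot: `pkgs` is bound in the module signature but never used, here and in the wpcarro.dev.nix section that follows; `{ depot, ... }:` here and `{ ... }:` there state the real dependencies. `depot` arrives as a module argument, so this module only evaluates where the importer injects it (presumably via `specialArgs` or `_module.args` in `googleCloudVM`, which is outside the diff); a header comment such as `# Serves wpcarro.website.root; requires the importer to pass depot as a module argument.` would make that contract visible.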


@ -0,0 +1,10 @@
{ pkgs, ... }:
{
config = {
services.nginx.virtualHosts."wpcarro.dev" = {
enableACME = true;
forceSSL = true;
};
};
}
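Review bot: The `"wpcarro.dev"` virtual host obtains a certificate and redirects to HTTPS via `forceSSL`, but declares no `root`, `locations` or `return`, so what the HTTPS side serves is whatever nginx's compiled-in default document root holds. If the intent is only to hold the certificate, make that explicit, e.g. `locations."/".return = "301 https://billandhiscomputer.com$request_uri";`, or point `root` at the same site as billandhiscomputer.com.nix does; either way a one-line header comment stating the host's purpose is missing.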