feat(nix): Configure reverse-proxy for tazblog

2018-01-02 00:55:23 +01:00 · 2018-01-02 00:55:23 +01:00 · aac2c029a4
commit aac2c029a4
parent a646f94d47
2 changed files with 25 additions and 9 deletions
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@ -13,10 +13,10 @@
    curl emacs htop
  ];

-
  services.openssh.enable = true;

-  networking.firewall.allowedTCPPorts = [ 22 ];
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];

  users.extraUsers.vincent = {
    isNormalUser = true;
--- a/nix/tazserve.nix
+++ b/nix/tazserve.nix
@ -1,13 +1,19 @@
 { pkgs, config, ... }:

-with pkgs; let
-  blogSource = fetchgit {
-    url = "https://git.tazj.in/tazjin/tazblog.git";
-    sha256 = "0m745vb8k6slzdsld63rbfg583k70q3g6i5lz576sccalkg0r2l2";
-    rev = "aeeb11f1b76729115c4db98f419cbcda1a0f7660";
+with pkgs; let blogSource = fetchgit {
+  url = "https://git.tazj.in/tazjin/tazblog.git";
+  sha256 = "0m745vb8k6slzdsld63rbfg583k70q3g6i5lz576sccalkg0r2l2";
+  rev = "aeeb11f1b76729115c4db98f419cbcda1a0f7660";
+};
+tazblog = import ./tazblog { inherit blogSource; };
+blog = tazblog.tazblog;
+blogConfig = {
+  enableACME = true;
+  addSSL = true;
+  locations."/" = {
+    proxyPass = "http://127.0.0.1:8000";
  };
-  tazblog = import ./tazblog { inherit blogSource; };
-  blog = tazblog.tazblog;
+};
 in {
  # Ensure that blog software is installed
  environment.systemPackages = [
@ -31,4 +37,14 @@ in {
    requires              = [ "tazblog-db.service" ];
    wantedBy              = [ "multi-user.target" ];
  };
+
+  # Set up reverse proxy
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."tazj.in" = blogConfig;
+    virtualHosts."www.tazj.in" = blogConfig;
+  };
 }