f4f1d97052
This needs to be present on all machines that run ACME stuff. I've switched the address for a .su one because I have a catchall for these. Change-Id: I7af8e1f1cb2fcfbcba4b7d1930ed0edef0106d72 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5306 Autosubmit: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org>
63 lines
1.6 KiB
Nix
63 lines
1.6 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
config = {
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = "letsencrypt@tvl.su";
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = true;
|
|
|
|
recommendedTlsSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
commonHttpConfig = ''
|
|
log_format json_combined escape=json
|
|
'{'
|
|
'"remote_addr":"$remote_addr",'
|
|
'"method":"$request_method",'
|
|
'"host":"$host",'
|
|
'"uri":"$request_uri",'
|
|
'"status":$status,'
|
|
'"request_size":$request_length,'
|
|
'"response_size":$body_bytes_sent,'
|
|
'"response_time":$request_time,'
|
|
'"referrer":"$http_referer",'
|
|
'"user_agent":"$http_user_agent"'
|
|
'}';
|
|
|
|
access_log syslog:server=unix:/dev/log,nohostname json_combined;
|
|
'';
|
|
|
|
appendHttpConfig = ''
|
|
add_header Permissions-Policy "interest-cohort=()";
|
|
'';
|
|
};
|
|
|
|
# NixOS 20.03 broke nginx and I can't be bothered to debug it
|
|
# anymore, all solution attempts have failed, so here's a
|
|
# brute-force fix.
|
|
#
|
|
# TODO(tazjin): Find a link to the upstream issue and see if
|
|
# they've sorted it after ~20.09
|
|
systemd.services.fix-nginx = {
|
|
script = "${pkgs.coreutils}/bin/chown -f -R nginx: /var/spool/nginx /var/cache/nginx";
|
|
|
|
serviceConfig = {
|
|
User = "root";
|
|
Type = "oneshot";
|
|
};
|
|
};
|
|
|
|
systemd.timers.fix-nginx = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
timerConfig = {
|
|
OnCalendar = "minutely";
|
|
};
|
|
};
|
|
};
|
|
}
|