{
  config,
  lib,
  pkgs,
  ...
}:

let
  cfg = config.zpha.profiles.nginx;
  fqdn = config.networking.fqdn;

  # Every name nginx serves (each virtualHost key plus its serverAliases),
  # without the host's own FQDN (that one is the certificate's main name) and
  # without anything ending in "dn42" (presumably internal names that a public
  # DNS-01 challenge cannot cover -- confirm).
  extraCertNames = lib.pipe config.services.nginx.virtualHosts [
    (lib.mapAttrsToList (name: vhost: [ (vhost.serverAliases or [ ]) name ]))
    lib.flatten
    (lib.remove fqdn)
    (lib.filter (domain: !(lib.hasSuffix "dn42" domain)))
  ];
in
{

  options.zpha.profiles.nginx.enable = lib.mkEnableOption "nginx";

  config = lib.mkIf cfg.enable {
    # Keep the ACME state directory across reboots via the common persist
    # list (presumably an ephemeral-root setup -- confirm).
    common.configure.persist.system.dirs = [ "/var/lib/acme" ];

    # TSIG secret for RFC 2136 dynamic DNS updates, provided by sops; only its
    # on-disk path is handed to the ACME client below.
    sops.secrets.acmeTSIGKey = { };

    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "letsencrypt@zaphyra.eu";
        keyType = "ec384";
        # DNS-01 validation through RFC 2136 dynamic updates.
        dnsProvider = "rfc2136";
        # This file is written to the world-readable Nix store, so it carries
        # only non-secret parameters: nameserver, key *name* and algorithm,
        # never the key material itself.
        environmentFile = pkgs.writeText "acme-dns-env" ''
          RFC2136_NAMESERVER=ns1.fc9f.de
          RFC2136_TSIG_KEY=acme-nix-${config.networking.hostName}
          RFC2136_TSIG_ALGORITHM=hmac-sha384
        '';
        # The secret itself is read at runtime from the sops-managed path.
        credentialFiles = {
          RFC2136_TSIG_SECRET_FILE = config.sops.secrets.acmeTSIGKey.path;
        };
      };

      # One certificate named after the host, with SANs for every other nginx
      # name; group ownership goes to nginx only when nginx is enabled.
      certs.${fqdn} = {
        group = lib.mkIf config.services.nginx.enable "nginx";
        extraDomainNames = extraCertNames;
      };
    };

    services.nginx = {
      # mkDefault lets another module turn nginx off without a conflict; the
      # certificate group above follows this setting.
      enable = lib.mkDefault true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # Note for operators: `access_log off` means nginx keeps no per-request
      # log on this host, so request-level evidence has to come from elsewhere
      # (e.g. the upstream services).
      commonHttpConfig = ''
        server_names_hash_bucket_size 64;
        charset utf-8;

        access_log off;
      '';

      # Default server (catches requests whose Host header matches no other
      # vhost), HTTPS only, using the host-level ACME certificate above.
      virtualHosts.${fqdn} = {
        useACMEHost = fqdn;
        forceSSL = true;
        kTLS = true;
        default = true;
      };
    };

    # Plain HTTP stays open for the forceSSL redirect; TLS on 443.
    networking.firewall.allowedTCPPorts = [
      80
      443
    ];
  };

}