feat(library): add nginx service, add acme

2024-01-05 00:36:49 +08:00 · 2024-01-05 00:36:49 +08:00 · d423fae9db
parent 411bd483f5
commit d423fae9db
2 changed files with 55 additions and 0 deletions
--- a/spec/library/acme.nix
+++ b/spec/library/acme.nix
@ -0,0 +1,18 @@
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "koishi@514fpv.one";
+    defaults.group = "nginx";
+    certs = let
+      cloudflare = {
+        dnsProvider = "cloudflare";
+        credentialsFile = "/nix/persist/secret/cloudflare";
+      };
+    in {
+      "514fpv.io" = cloudflare;
+      ".514fpv.io" = cloudflare // { domain = "*.514fpv.io"; };
+    };
+  };
+
+  environment.persistence."/nix/persist/fhs".directories = [ "/var/lib/acme" ];
+}
--- a/spec/library/nginx.nix
+++ b/spec/library/nginx.nix
@ -0,0 +1,37 @@
+{
+  services.nginx = {
+    enable = true;
+
+    # enable all recommended settings
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    # set a reasonable default
+    clientMaxBodySize = "64m";
+
+    # proxy services running on TrueNAS
+    virtualHosts = {
+      "_" = {
+        addSSL = true;
+        useACMEHost = ".514fpv.io";
+        extraConfig = "return 444;";
+      };
+
+      "home.514fpv.io" = {
+        useACMEHost = ".514fpv.io";
+        addSSL = true;
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+        locations."/" = {
+          proxyPass = "http://192.168.1.250:8123";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}