Alejandro Angulo
d5969ca923
Made a separate ACME module to handle requesting certs from multiple machines. Right now, the module only supports exactly one wildcard cert. It might make sense to have cache.kilonull.com use a cert specific to its subdomain rather than also requesting a wildcard cert (or maybe the nginx on its host shouldn't care about TLS and it should be node's responsibility).
71 lines
1.7 KiB
Nix
71 lines
1.7 KiB
Nix
{
|
|
options,
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
format,
|
|
...
|
|
}:
|
|
with lib; let
|
|
cfg = config.aa.services.nix-serve;
|
|
in {
|
|
options.aa.services.nix-serve = with types; {
|
|
enable = mkEnableOption "nix-serve";
|
|
domain_name = mkOption {
|
|
type = str;
|
|
description = "The domain to use.";
|
|
};
|
|
subdomain_name = mkOption {
|
|
type = str;
|
|
description = "The subdomain to use.";
|
|
};
|
|
acmeCertName = mkOption {
|
|
type = str;
|
|
default = "";
|
|
description = ''
|
|
If set to a non-empty string, forces SSL with the supplied acme
|
|
certificate.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
nix.settings = {
|
|
allowed-users = ["nix-serve"];
|
|
trusted-users = ["nix-serve"];
|
|
};
|
|
|
|
environment.systemPackages = [pkgs.nix-serve];
|
|
|
|
services = {
|
|
nix-serve = {
|
|
enable = true;
|
|
# TODO: Document this or automate the inital creation.
|
|
secretKeyFile = "/var/gospelCache";
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts."${cfg.subdomain_name}.${cfg.domain_name}" =
|
|
{
|
|
serverAliases = ["${cfg.subdomain_name}"];
|
|
locations."/".extraConfig = ''
|
|
proxy_pass http://localhost:${toString config.services.nix-serve.port};
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
'';
|
|
}
|
|
// lib.optionalAttrs (cfg.acmeCertName != "") {
|
|
forceSSL = true;
|
|
useACMEHost = cfg.acmeCertName;
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall = {
|
|
allowedTCPPorts = [80 443];
|
|
};
|
|
};
|
|
}
|