clanModules: Add vaultwarden module. Add nginx module. Make matrix-synapse subdomain configurable
This commit is contained in:
Qubasa
3
clanModules/nginx/README.md
Normal file
3
clanModules/nginx/README.md
Normal file
@@ -0,0 +1,3 @@
|
||||
---
|
||||
description = "Good defaults for the nginx webserver"
|
||||
---
|
||||
70
clanModules/nginx/default.nix
Normal file
70
clanModules/nginx/default.nix
Normal file
@@ -0,0 +1,70 @@
|
||||
{ config, lib, ... }:
|
||||
|
||||
{
|
||||
|
||||
imports = [
|
||||
(lib.mkRemovedOptionModule [
|
||||
"clan"
|
||||
"nginx"
|
||||
"enable"
|
||||
] "Importing the module will already enable the service.")
|
||||
|
||||
];
|
||||
config = {
|
||||
|
||||
clan.core.facts.services."nginx-acme-email" = {
|
||||
public."nginx-acme-email" = { };
|
||||
generator.prompt = "Please enter your email address for Let's Encrypt certificate generation";
|
||||
|
||||
generator.script = ''
|
||||
echo -n "$prompt_value" | tr -d "\n" > "$facts"/nginx-acme-email
|
||||
'';
|
||||
};
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email =
|
||||
lib.mkDefault
|
||||
config.clan.core.facts.services."nginx-acme-email".public."nginx-acme-email".value;
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
443
|
||||
80
|
||||
];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
statusPage = lib.mkDefault true;
|
||||
recommendedBrotliSettings = lib.mkDefault true;
|
||||
recommendedGzipSettings = lib.mkDefault true;
|
||||
recommendedOptimisation = lib.mkDefault true;
|
||||
recommendedProxySettings = lib.mkDefault true;
|
||||
recommendedTlsSettings = lib.mkDefault true;
|
||||
recommendedZstdSettings = lib.mkDefault true;
|
||||
|
||||
# Nginx sends all the access logs to /var/log/nginx/access.log by default.
|
||||
# instead of going to the journal!
|
||||
commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
|
||||
|
||||
resolver.addresses =
|
||||
let
|
||||
isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
|
||||
escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
|
||||
cloudflare = [
|
||||
"1.1.1.1"
|
||||
"2606:4700:4700::1111"
|
||||
];
|
||||
resolvers =
|
||||
if config.networking.nameservers == [ ] then cloudflare else config.networking.nameservers;
|
||||
in
|
||||
map escapeIPv6 resolvers;
|
||||
|
||||
sslDhparam = config.security.dhparams.params.nginx.path;
|
||||
};
|
||||
|
||||
security.dhparams = {
|
||||
enable = true;
|
||||
params.nginx = { };
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user