{
  me,
  config,
  pkgs,
  lib,
  util,
  ...
}:
let
  inherit (config.age) secrets;

  # Hostname served by the default virtual host: the apex for the
  # "renard" identity, otherwise a per-user subdomain of it.
  publicHost = if me.is.renard then "rnrd.eu" else "${me.name}.rnrd.eu";

  # Landing page rendered from the HTML template with the owner's name
  # substituted in.
  landingPage = pkgs.substituteAll {
    src = ../../assets/base.html;
    env.me = util.titleCase me.name;
  };

  # Document root of the default virtual host: the rendered landing page
  # next to the favicon.
  webRoot = pkgs.linkFarm "www-base" {
    "index.html" = landingPage;
    "favicon.png" = ../../assets/favicon.png;
  };

  # Zones that get one wildcard certificate each (the apex is added as an
  # extra name), validated through the Cloudflare DNS provider using the
  # API token stored as an age secret.
  acmeZones = [
    "rnrd.eu"
    "rnrd.fyi"
  ];

  # ACME cert definition for a single zone; the attribute name is the zone.
  wildcardCert = zone: {
    domain = "*.${zone}";
    extraDomainNames = [ zone ];
    dnsProvider = "cloudflare";
    credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
  };

  # Structured (one JSON object per line) access-log format plus the
  # global access/error log targets shared by every virtual host.
  loggingConfig = ''
    log_format json_combined escape=json '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"remote_user":"$remote_user",'
    '"request":"$request",'
    '"status": "$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"request_length":"$request_length",'
    '"request_time":"$request_time",'
    '"http_referrer":"$http_referer",'
    '"http_user_agent":"$http_user_agent",'
    '"upstream_response_time":"$upstream_response_time",'
    '"upstream_addr":"$upstream_addr",'
    '"upstream_status":"$upstream_status"'
    '}';
    access_log /var/log/nginx/access.log json_combined;
    error_log /var/log/nginx/error.log warn;
  '';
in
{
  imports = [ ./tailnet.nix ];

  # Cloudflare DNS API token consumed by the ACME DNS challenge.
  age.secrets.cloudflare-dns.file = ../../secrets/cloudflare-dns.age;

  security.acme = {
    acceptTerms = true;
    # causes issues with tailscale certificates
    preliminarySelfsigned = false;
    defaults = {
      email = "mel@rnrd.eu";
      # our certificates are really only used with Nginx
      group = config.services.nginx.group;
      reloadServices = [ "nginx.service" ];
    };
    # One entry per zone, keyed by the zone name.
    certs = lib.genAttrs acmeZones wildcardCert;
  };

  services.nginx = {
    enable = true;
    statusPage = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    commonHttpConfig = loggingConfig;

    # Catch-all host; TLS comes from the rnrd.eu wildcard certificate above.
    virtualHosts.base = {
      default = true;
      serverName = publicHost;
      forceSSL = true;
      useACMEHost = "rnrd.eu";
      root = webRoot;
      # Per-host access log, same JSON format as the global one.
      extraConfig = ''
        access_log /var/log/nginx/base.access.log json_combined;
      '';
    };
  };
}