forked from CCCHH/nix-infra
64 lines
1.4 KiB
Nix
64 lines
1.4 KiB
Nix
|
{ pkgs, ... }:
|
||
|
|
||
|
let
|
||
|
domain = "hacker.tours";
|
||
|
dataDir = "/var/www/${domain}";
|
||
|
deployUser = "hackertours-website-deploy";
|
||
|
in {
|
||
|
services.nginx.virtualHosts = {
|
||
|
"acme-${domain}" = {
|
||
|
enableACME = true;
|
||
|
serverName = "${domain}";
|
||
|
|
||
|
listen = [
|
||
|
{
|
||
|
addr = "0.0.0.0";
|
||
|
port = 31820;
|
||
|
}
|
||
|
];
|
||
|
};
|
||
|
|
||
|
"${domain}" = {
|
||
|
forceSSL = true;
|
||
|
useACMEHost = "${domain}";
|
||
|
|
||
|
listen = [
|
||
|
{
|
||
|
addr = "0.0.0.0";
|
||
|
port = 8443;
|
||
|
ssl = true;
|
||
|
proxyProtocol = true;
|
||
|
}
|
||
|
];
|
||
|
|
||
|
root = "${dataDir}";
|
||
|
|
||
|
extraConfig = ''
|
||
|
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||
|
# $remote_port to the client address and client port, when using proxy
|
||
|
# protocol.
|
||
|
# First set our proxy protocol proxy as trusted.
|
||
|
set_real_ip_from 172.31.17.140;
|
||
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
||
|
# header.
|
||
|
real_ip_header proxy_protocol;
|
||
|
|
||
|
error_page 404 /404.html;
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
|
||
|
systemd.tmpfiles.rules = [
|
||
|
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
|
||
|
];
|
||
|
|
||
|
users.users."${deployUser}" = {
|
||
|
isNormalUser = true;
|
||
|
group = "${deployUser}";
|
||
|
openssh.authorizedKeys.keys = [
|
||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
|
||
|
];
|
||
|
};
|
||
|
users.groups."${deployUser}" = { };
|
||
|
}
|