{ pkgs, ... }: let domain = "hackertours.hamburg.ccc.de"; dataDir = "/var/www/${domain}"; deployUser = "ht-ccchh-website-deploy"; in { services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; serverName = "${domain}"; listen = [ { addr = "0.0.0.0"; port = 31820; } ]; }; "${domain}" = { forceSSL = true; useACMEHost = "${domain}"; listen = [ { addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; } ]; root = "${dataDir}"; extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; error_page 404 /404.html; ''; }; }; systemd.tmpfiles.rules = [ "d ${dataDir} 0755 ${deployUser} ${deployUser}" ]; users.users."${deployUser}" = { isNormalUser = true; group = "${deployUser}"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de" ]; }; users.groups."${deployUser}" = { }; }