webserver: Use a hardened systemd unit instead of a container
This commit is contained in:
parent
b6594cea54
commit
068e6d5d77
6 changed files with 321 additions and 401 deletions
configuration
|
@ -1,5 +1,4 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
|
@ -10,7 +9,6 @@
|
|||
./services/webserver.nix
|
||||
./services/starbound.nix
|
||||
./services/postgres.nix
|
||||
./ids.nix
|
||||
./sops.nix
|
||||
];
|
||||
|
||||
|
@ -67,30 +65,12 @@
|
|||
recommendedProxySettings = true;
|
||||
clientMaxBodySize = "10G";
|
||||
domain = "tlater.net";
|
||||
|
||||
virtualHosts = let
|
||||
proxyPassToPort = port: extra:
|
||||
lib.recursiveUpdate {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString port}";
|
||||
extraConfig = ''
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
'';
|
||||
}
|
||||
extra;
|
||||
domain = config.services.nginx.domain;
|
||||
in {
|
||||
"${domain}" = proxyPassToPort 3002 {serverAliases = ["www.${domain}"];};
|
||||
};
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
email = "tm@tlater.net";
|
||||
defaults.email = "tm@tlater.net";
|
||||
acceptTerms = true;
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.backend = "podman";
|
||||
|
||||
system.stateVersion = "20.09";
|
||||
}
|
||||
|
|
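Review bot: The `security.acme` block in the third hunk carries both `email = "tm@tlater.net";` and `defaults.email = "tm@tlater.net";` with the same value; with the `+`/`-` markers lost it is not certain which line is the new one, but if both survive on the new side one is redundant, and as far as I recall `security.acme.email` is only a renamed alias of `defaults.email` in recent NixOS releases, so keeping just `defaults.email = "tm@tlater.net";` avoids the rename warning at evaluation time. Separately, `clientMaxBodySize = "10G";` is set on the nginx module as a whole rather than on a location, so every virtual host served by this nginx — including the webserver that now runs as a systemd unit — accepts 10 GiB request bodies; if only one upload endpoint needs that, scoping it via `locations."/".extraConfig = "client_max_body_size 10G;";` keeps the remaining hosts at the default. The hardened unit itself lives in `./services/webserver.nix`, which is not part of this section, so its sandboxing options could not be reviewed here.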