diff --git a/configuration/default.nix b/configuration/default.nix
index bea7539..ef1c804 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -26,6 +26,7 @@
 ./services/wireguard.nix
 ./services/starbound.nix
 ./services/postgres.nix
+ ./nginx.nix
 ./sops.nix
 ];
 
@@ -108,17 +109,21 @@
 openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
 };
 
- services.openssh = {
- enable = true;
- allowSFTP = false;
- ports = [2222];
- startWhenNeeded = true;
+ services = {
+ openssh = {
+ enable = true;
+ allowSFTP = false;
+ ports = [2222];
+ startWhenNeeded = true;
 
- settings = {
- GatewayPorts = "yes";
- PermitRootLogin = "no";
- PasswordAuthentication = false;
+ settings = {
+ GatewayPorts = "yes";
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
 };
+
+ logrotate.enable = true;
 };
 
 security = {
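Review bot: `logrotate.enable = true;` is now the only logrotate setting left in default.nix, while every rule it activates (the `services.logrotate.settings` with the nginx override and the per-vhost access.log entries) lives in the new ./nginx.nix, so the two halves only work because both files happen to be imported. Keeping the enable next to its rules, i.e. `services.logrotate.enable = true;` inside nginx.nix, or at least a comment here such as `# rotation rules are defined in ./nginx.nix`, would make that dependency visible and keep nginx.nix usable on its own. The openssh block is an indentation-only move and its settings are unchanged. The enclosing attribute set starts and ends outside the hunk.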
@@ -130,57 +135,6 @@
 };
 };
 
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
- clientMaxBodySize = "10G";
-
- statusPage = true; # For metrics, should be accessible only from localhost
-
- commonHttpConfig = ''
- log_format upstream_time '$remote_addr - $remote_user [$time_local] '
- '"$request" $status $body_bytes_sent '
- '"$http_referer" "$http_user_agent" '
- 'rt=$request_time uct="$upstream_connect_time" '
- 'uht="$upstream_header_time" urt="$upstream_response_time"';
- '';
- };
-
- services.logrotate = {
- enable = true;
-
- settings =
- {
- # Override the default, just keep fewer logs
- nginx.rotate = 6;
- }
- // lib.mapAttrs' (virtualHost: _:
- lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
- frequency = "daily";
- rotate = 2;
- compress = true;
- delaycompress = true;
- su = "${config.services.nginx.user} ${config.services.nginx.group}";
- postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
- })
- config.services.nginx.virtualHosts;
- };
- systemd.tmpfiles.rules =
- lib.mapAttrsToList (
- virtualHost: _:
- #
- "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
- )
- config.services.nginx.virtualHosts;
-
- security.acme = {
- defaults.email = "tm@tlater.net";
- acceptTerms = true;
- };
-
 # Remove some unneeded packages
 environment.defaultPackages = [];
 
diff --git a/configuration/nginx.nix b/configuration/nginx.nix
new file mode 100644
index 0000000..14ba9d9
--- /dev/null
+++ b/configuration/nginx.nix
@@ -0,0 +1,60 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ clientMaxBodySize = "10G";
+
+ statusPage = true; # For metrics, should be accessible only from localhost
+
+ commonHttpConfig = ''
+ log_format upstream_time '$remote_addr - $remote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent" '
+ 'rt=$request_time uct="$upstream_connect_time" '
+ 'uht="$upstream_header_time" urt="$upstream_response_time"';
+ '';
+ };
+
+ services.logrotate.settings =
+ {
+ # Override the default, just keep fewer logs
+ nginx.rotate = 6;
+ }
+ // lib.mapAttrs' (virtualHost: _:
+ lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
+ frequency = "daily";
+ rotate = 2;
+ compress = true;
+ delaycompress = true;
+ su = "${config.services.nginx.user} ${config.services.nginx.group}";
+ postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
+ })
+ config.services.nginx.virtualHosts;
+
+ systemd.tmpfiles.rules =
+ lib.mapAttrsToList (
+ virtualHost: _:
+ #
+ "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
+ )
+ config.services.nginx.virtualHosts;
+
+ security.acme = {
+ defaults.email = "tm@tlater.net";
+ acceptTerms = true;
+ };
+
+ services.backups.acme = {
+ user = "acme";
+ paths =
+ lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}")
+ config.services.nginx.virtualHosts;
+ };
+}
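Review bot: The new `services.backups.acme` block at the end of the file backs up `/var/lib/acme/<vhost>` for every nginx virtual host, and as far as I know those directories are where the ACME module keeps each certificate's private key, so the backup destination has to be protected at least as well as the host's own secrets; nothing on this page shows how `services.backups` stores or encrypts its data, which is worth confirming and recording next to the block, e.g. `# These directories hold the TLS private keys; the backup target must be encrypted and access-restricted`. The path list is derived from all of `config.services.nginx.virtualHosts`, but only hosts that obtain their own certificate get a directory there, so an alias vhost or one using `useACMEHost` would presumably yield a path that does not exist — filtering on each vhost's `enableACME` attribute would avoid that. The comment on `statusPage` ("should be accessible only from localhost") states an intent rather than a fact; once the loopback restriction applied by the NixOS option has been confirmed, the comment should say what enforces it rather than "should". The bare `#` line inside the `systemd.tmpfiles.rules` lambda is an empty comment and should either be filled in or removed.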