{ config, lib, ... }:
let
  nginxCfg = config.services.nginx;
  vhosts = nginxCfg.virtualHosts;

  # Owner of the per-vhost log directories and rotated logs: the nginx
  # worker user/group, so log handling never needs root.
  logOwner = "${nginxCfg.user} ${nginxCfg.group}";

  pidFile = "/var/run/nginx/nginx.pid";

  # Map each configured virtual host name through `f`, yielding a list.
  perVhost = f: lib.mapAttrsToList (name: _: f name) vhosts;
in
{
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    # Large request bodies are deliberately allowed; anything above this
    # limit is rejected by nginx before it reaches an upstream.
    clientMaxBodySize = "10G";

    # stub_status endpoint for metrics. The NixOS module restricts it to
    # localhost; it must not be exposed more widely than that.
    statusPage = true;

    # Extra access-log format that records upstream timings per request.
    # Nothing in this file selects it; presumably individual vhosts use it
    # via `access_log ... upstream_time;` -- verify in the vhost definitions.
    commonHttpConfig = ''
      log_format upstream_time '$remote_addr - $remote_user [$time_local] '
                               '"$request" $status $body_bytes_sent '
                               '"$http_referer" "$http_user_agent" '
                               'rt=$request_time uct="$upstream_connect_time" '
                               'uht="$upstream_header_time" urt="$upstream_response_time"';
    '';
  };

  services.logrotate.settings =
    {
      # Override the module default and keep fewer generations of the
      # global nginx logs.
      nginx.rotate = 6;
    }
    // lib.mapAttrs' (
      name: _:
      lib.nameValuePair "/var/log/nginx/${name}/access.log" {
        frequency = "daily";
        rotate = 2;
        compress = true;
        delaycompress = true;
        su = logOwner;
        # Tell the master process to reopen its log files after rotation;
        # a no-op when nginx is not running (no pid file).
        postrotate = "[ ! -f ${pidFile} ] || kill -USR1 `cat ${pidFile}`";
      }
    ) vhosts;

  # One log directory per virtual host, readable only by the nginx
  # user/group (mode 0750).
  systemd.tmpfiles.rules = perVhost (
    name: "d /var/log/nginx/${name} 0750 ${logOwner}"
  );

  security.acme = {
    acceptTerms = true;

    defaults = {
      email = "tm@tlater.net";
      # Issued certificates are group-readable by nginx so it can serve them.
      group = "nginx";
    };

    # Wildcard names require the DNS-01 challenge, hence the DNS provider
    # credentials. They are read from sops-managed secret files at runtime
    # rather than being baked into the Nix store.
    certs = {
      "tlater.net" = {
        extraDomainNames = [ "*.tlater.net" ];
        dnsProvider = "hetzner";
        credentialFiles.HETZNER_API_KEY_FILE = config.sops.secrets."hetzner-api".path;
      };

      "tlater.com" = {
        extraDomainNames = [ "*.tlater.com" ];
        dnsProvider = "porkbun";
        credentialFiles = {
          PORKBUN_API_KEY_FILE = config.sops.secrets."porkbun/api".path;
          PORKBUN_SECRET_API_KEY_FILE = config.sops.secrets."porkbun/secret-api".path;
        };
      };
    };
  };

  # Back up the ACME state for every virtual host. NOTE(review): this
  # directory presumably holds private keys as well as certificates, so the
  # backup destination should be treated as sensitive -- confirm with the
  # backups module.
  services.backups.acme = {
    user = "acme";
    paths = perVhost (name: "/var/lib/acme/${name}");
  };
}