2022-10-28 12:40:50 +01:00
|
|
|
{ services, pkgs, lib, ... }:
|
2021-07-07 10:45:37 +01:00
|
|
|
|
2022-12-09 14:38:55 +00:00
|
|
|
{
|
2023-02-14 23:19:52 +00:00
|
|
|
architect.firewall = {
|
|
|
|
|
openTCP = [ 80 443 ];
|
|
|
|
|
};
|
|
|
|
|
|
2021-07-07 10:45:37 +01:00
|
|
|
services.nginx = {
|
2021-11-25 11:42:32 +00:00
|
|
|
enable = true;
|
2023-06-05 02:12:09 +01:00
|
|
|
package = pkgs.nginx;
|
2021-11-25 11:42:32 +00:00
|
|
|
recommendedGzipSettings = true;
|
|
|
|
|
recommendedOptimisation = true;
|
2024-04-17 17:02:22 +01:00
|
|
|
# recommendedProxySettings = true;
|
2021-11-25 11:42:32 +00:00
|
|
|
recommendedTlsSettings = true;
|
2023-02-21 00:28:13 +00:00
|
|
|
|
2022-12-09 14:38:55 +00:00
|
|
|
virtualHosts."architect.devs.giugl.io" = {
|
|
|
|
|
default = true;
|
|
|
|
|
enableACME = true;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
root = "/var/lib/nginx/error_pages";
|
|
|
|
|
extraConfig = "error_page 404 /index.htm;";
|
|
|
|
|
|
|
|
|
|
locations = {
|
|
|
|
|
"/" = { return = "404"; };
|
|
|
|
|
|
|
|
|
|
"/index.htm" = { };
|
|
|
|
|
|
|
|
|
|
"/style.css" = { };
|
|
|
|
|
|
|
|
|
|
"/wat.jpg" = { };
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# appendHttpConfig =
|
|
|
|
|
# let
|
|
|
|
|
# extraPureLuaPackages = with pkgs.luajitPackages; [
|
|
|
|
|
# lua-resty-openidc
|
|
|
|
|
# lua-resty-http
|
|
|
|
|
# lua-resty-session
|
|
|
|
|
# lua-resty-jwt
|
|
|
|
|
# lua-resty-openssl
|
|
|
|
|
# ];
|
|
|
|
|
# luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
|
|
|
|
# makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
|
|
|
|
# in
|
|
|
|
|
# ''
|
|
|
|
|
# # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
|
|
|
|
|
# proxy_ssl_server_name on;
|
2023-02-27 20:18:13 +00:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
|
|
|
|
# lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
|
|
|
|
# lua_ssl_verify_depth 5;
|
2022-10-13 15:04:56 +01:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# # cache for OIDC discovery metadata
|
|
|
|
|
# lua_shared_dict discovery 1m;
|
|
|
|
|
# lua_shared_dict jwks 1m;
|
2022-10-13 15:04:56 +01:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# # https://github.com/openresty/lua-resty-redis/issues/159
|
|
|
|
|
# resolver local=on ipv6=off;
|
2022-10-28 12:40:50 +01:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# init_worker_by_lua_block {
|
|
|
|
|
# function check_role (res, role)
|
|
|
|
|
# if res.user.roles == nil then
|
|
|
|
|
# return false
|
|
|
|
|
# end
|
2022-10-28 13:35:22 +01:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# for _,v in pairs(res.user.roles) do
|
|
|
|
|
# if string.lower(v) == role then
|
|
|
|
|
# return true
|
|
|
|
|
# end
|
|
|
|
|
# end
|
2022-10-28 21:01:07 +01:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# return false
|
|
|
|
|
# end
|
2022-11-29 13:53:17 +00:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# function is_ip_whitelisted(ip, whitelist)
|
|
|
|
|
# for _, x in ipairs(whitelist) do
|
|
|
|
|
# if ip == x then
|
|
|
|
|
# return true
|
|
|
|
|
# end
|
|
|
|
|
# end
|
2022-11-29 13:53:17 +00:00
|
|
|
|
2023-05-27 23:16:46 +01:00
|
|
|
# return false
|
|
|
|
|
# end
|
|
|
|
|
# }
|
|
|
|
|
# '';
|
2022-10-28 12:40:50 +01:00
|
|
|
|
2022-07-06 19:34:12 +01:00
|
|
|
appendConfig = ''
|
|
|
|
|
worker_processes 24;
|
|
|
|
|
'';
|
2021-07-07 10:45:37 +01:00
|
|
|
};
|
2023-05-12 22:05:10 +01:00
|
|
|
|
2021-08-07 12:38:18 +01:00
|
|
|
users.groups.acme.members = [ "nginx" ];
|
2021-07-07 10:45:37 +01:00
|
|
|
}
|
