nixos/hosts/architect/nginx.nix


# nginx front end for the "architect" host: opens the web ports, enables nginx
# with the NixOS recommended gzip/optimisation/TLS presets, and defines a
# catch-all virtual host that answers every request with a static 404 page.
{ services, pkgs, lib, ... }:

{
  # Ports exposed for nginx. `architect.firewall` is an option defined elsewhere
  # in this repository; presumably it opens these TCP ports on the host firewall.
  # Port 80 is needed for the forceSSL redirect and, presumably, for ACME
  # HTTP-01 validation.
  architect.firewall.openTCP = [ 80 443 ];

  services.nginx = {
    enable = true;
    # Stock nginx build. The lua_* directives in the disabled appendHttpConfig
    # block below need an nginx build that includes the Lua module.
    package = pkgs.nginx;

    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Default server: a request whose Host/SNI matches no other virtual host
    # lands here and gets a 404, so no application backend is reachable through
    # an unknown host name.
    virtualHosts."architect.devs.giugl.io" = {
      default = true;
      enableACME = true;
      # Plain HTTP is redirected to HTTPS.
      forceSSL = true;
      root = "/var/lib/nginx/error_pages";
      # The 404 produced by "/" is rendered with the static page under `root`.
      extraConfig = "error_page 404 /index.htm;";
      # "/" returns 404 for everything; the empty locations below are the only
      # paths served from `root` (the error page and its assets).
      locations."/".return = "404";
      locations."/index.htm" = { };
      locations."/style.css" = { };
      locations."/wat.jpg" = { };
    };

    # Disabled OIDC / Lua access-control setup, kept for reference.
    # NOTE(review), if this is ever re-enabled:
    #  - check_role lowercases each role from the token but compares it with
    #    `role` as passed in, so a caller passing a mixed-case role never
    #    matches; lowercase both sides or document that `role` must be lowercase.
    #  - is_ip_whitelisted is an exact string comparison (no CIDR ranges), and
    #    its result is only as trustworthy as the address the caller passes in;
    #    confirm it is the connection's peer address and not a client-supplied
    #    header.
    # appendHttpConfig =
    #   let
    #     extraPureLuaPackages = with pkgs.luajitPackages; [
    #       lua-resty-openidc
    #       lua-resty-http
    #       lua-resty-session
    #       lua-resty-jwt
    #       lua-resty-openssl
    #     ];
    #     luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
    #     makeLuaPath = lib.concatMapStringsSep ";" luaPath;
    #   in
    #   ''
    #     # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
    #     proxy_ssl_server_name on;
    #
    #     lua_package_path '${makeLuaPath extraPureLuaPackages};;';
    #     lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    #     lua_ssl_verify_depth 5;
    #
    #     # cache for OIDC discovery metadata
    #     lua_shared_dict discovery 1m;
    #     lua_shared_dict jwks 1m;
    #
    #     # https://github.com/openresty/lua-resty-redis/issues/159
    #     resolver local=on ipv6=off;
    #
    #     init_worker_by_lua_block {
    #       function check_role (res, role)
    #         if res.user.roles == nil then
    #           return false
    #         end
    #
    #         for _,v in pairs(res.user.roles) do
    #           if string.lower(v) == role then
    #             return true
    #           end
    #         end
    #
    #         return false
    #       end
    #
    #       function is_ip_whitelisted(ip, whitelist)
    #         for _, x in ipairs(whitelist) do
    #           if ip == x then
    #             return true
    #           end
    #         end
    #
    #         return false
    #       end
    #     }
    #   '';

    # Appended to the generated nginx.conf; fixes the worker count at 24.
    # NOTE(review): hard-coded value, presumably chosen for this host's CPU
    # count; confirm.
    appendConfig = ''
      worker_processes 24;
    '';
  };

  # Puts the nginx user in the `acme` group, presumably so it can read the
  # ACME-issued certificates and keys.
  # NOTE(review): group membership covers every file readable by `acme`, not
  # just this virtual host's certificate; confirm that scope is intended.
  users.groups.acme.members = [ "nginx" ];
}