diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix
index ba5c4a9..0f323d3 100644
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@@ -1,6 +1,24 @@
 { services, pkgs, lib, ... }:
 
+let
+  serviceSkeleton = { default ? false }: {
+    inherit default;
-{
+    enableACME = true;
+    forceSSL = true;
+    root = "/var/lib/nginx/error_pages";
+    extraConfig = "error_page 404 /index.htm;";
+
+    locations = {
+      "/" = { return = "404"; };
+
+      "/index.htm" = { };
+
+      "/style.css" = { };
+
+      "/wat.jpg" = { };
+    };
+  };
+in {
   services.nginx = {
     enable = true;
     package = pkgs.openresty;
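Review bot: `serviceSkeleton` carries no comment saying what kind of virtual host it builds, and neither the name nor the `default ? false` argument explains it; every host made from it is TLS-only, redirects plain HTTP, answers 404 on `/` and serves only the three static assets under `root`. A header comment such as `# Placeholder vhost: TLS via ACME, HTTP redirected to HTTPS, everything 404s to the static error page under root; default = true makes it nginx's catch-all server for unmatched names.` would make that contract visible where the function is defined. The switch from the removed host's `addSSL = true;` (next hunk) to `forceSSL = true;` here is a behaviour change for plain-HTTP clients and deserves a word in that comment or in the commit description.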
@@ -9,61 +27,49 @@
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    virtualHosts."architect.devs.giugl.io" = {
-      default = true;
-      enableACME = true;
-      addSSL = true;
-      root = "/var/lib/nginx/error_pages";
-      extraConfig = "error_page 404 /index.htm;";
+    virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
+    virtualHosts."runas.rocks" = serviceSkeleton {};
+
+    appendHttpConfig =
+      let
+        extraPureLuaPackages = with pkgs.luajitPackages; [
+          lua-resty-openidc
+          lua-resty-http
+          lua-resty-session
+          lua-resty-jwt
+          lua-resty-openssl
+        ];
+        luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
+        makeLuaPath = lib.concatMapStringsSep ";" luaPath;
+      in
+      ''
+        lua_package_path '${makeLuaPath extraPureLuaPackages};;';
+        lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+        lua_ssl_verify_depth 5;
-      locations = {
-        "/" = { return = "404"; };
+        # cache for OIDC discovery metadata
+        lua_shared_dict discovery 1m;
+        lua_shared_dict jwks 1m;
-        "/index.htm" = { };
+        # https://github.com/openresty/lua-resty-redis/issues/159
+        resolver local=on ipv6=off;
-        "/style.css" = { };
+        init_worker_by_lua_block {
+          function check_role (res, role)
+            if res.user.roles == nil then
+              return false
+            end
-        "/wat.jpg" = { };
-      };
-    };
-    appendHttpConfig = let
-      extraPureLuaPackages = with pkgs.luajitPackages; [
-        lua-resty-openidc
-        lua-resty-http
-        lua-resty-session
-        lua-resty-jwt
-        lua-resty-openssl
-      ];
-      luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
-      makeLuaPath = lib.concatMapStringsSep ";" luaPath;
-    in ''
-      lua_package_path '${makeLuaPath extraPureLuaPackages};;';
-      lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
-      lua_ssl_verify_depth 5;
+            for _,v in pairs(res.user.roles) do
+              if string.lower(v) == role then
+                return true
+              end
+            end
-      # cache for OIDC discovery metadata
-      lua_shared_dict discovery 1m;
-      lua_shared_dict jwks 1m;
-
-      # https://github.com/openresty/lua-resty-redis/issues/159
-      resolver local=on ipv6=off;
-
-
init_worker_by_lua_block {
-        function check_role (res, role)
-          if res.user.roles == nil then return false end
-
-          for _,v in pairs(res.user.roles) do
-            if string.lower(v) == role then
-              return true
-            end
-          end
-
-          return false
-        end
-      }
-    '';
+          }
+        '';
     appendConfig = ''
       worker_processes 24;
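Review bot: `check_role` in the new `init_worker_by_lua_block` still indexes `res.user.roles` without first checking `res.user`, so a response that carries no `user` table raises a Lua error in the worker instead of returning false; the guard should read `if res.user == nil or res.user.roles == nil then`. The comparison `string.lower(v) == role` lowercases only the stored role and not the requested one, so callers must already pass `role` in lowercase — either normalise it once with `role = string.lower(role)` at the top of the function or state that contract in a comment above it. As rendered on this page the new-side function body ends after the `for` loop without the `return false`/`end` lines the removed version had; that is presumably a layout artefact, but worth confirming the block still loads. The rest of the hunk is a move of existing code with the `appendHttpConfig` string starting and ending inside it.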