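# NixOS module: nginx (OpenResty build) with the pure-Lua libraries used for
# OpenID Connect, a catch-all default virtual host that serves a static 404
# page, and a shared check_role helper for Lua handlers.
{ services, pkgs, lib, ... }:

{
  services.nginx = {
    enable = true;
    # OpenResty is needed for the lua_* / *_by_lua_block directives below and
    # for the OpenResty-specific "resolver local=on" syntax.
    package = pkgs.openresty;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Default server: any request that matches no other virtual host lands
    # here and gets the static error page instead of another site's content.
    virtualHosts."architect.devs.giugl.io" = {
      default = true;
      enableACME = true;
      # addSSL listens on both HTTP and HTTPS without redirecting; only the
      # static error page and its assets are reachable on this host.
      addSSL = true;
      root = "/var/lib/nginx/error_pages";
      extraConfig = "error_page 404 /index.htm;";
      locations = {
        # Everything not listed below is answered with 404, which the
        # error_page directive maps to /index.htm.
        "/" = { return = "404"; };
        # Assets of the error page itself, served from root.
        "/index.htm" = { };
        "/style.css" = { };
        "/wat.jpg" = { };
      };
    };

    appendHttpConfig =
      let
        # Pure-Lua packages put on lua_package_path (OIDC client and the
        # HTTP, session, JWT and OpenSSL libraries listed alongside it).
        extraPureLuaPackages = with pkgs.luajitPackages; [
          lua-resty-openidc
          lua-resty-http
          lua-resty-session
          lua-resty-jwt
          lua-resty-openssl
        ];
        # Search pattern for one package's Lua 5.1 module directory.
        luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
        # Joins the per-package patterns with ";" as lua_package_path expects.
        makeLuaPath = lib.concatMapStringsSep ";" luaPath;
      in
      ''
        lua_package_path '${makeLuaPath extraPureLuaPackages};;';

        # CA bundle and chain depth for TLS connections opened from Lua.
        # NOTE(review): the per-site OIDC handlers are not visible here;
        # confirm none of them disables ssl_verify, otherwise these two
        # directives have no effect on identity-provider connections.
        lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        lua_ssl_verify_depth 5;

        # cache for OIDC discovery metadata
        lua_shared_dict discovery 1m;
        # cache for the signing keys (JWKS)
        lua_shared_dict jwks 1m;

        # https://github.com/openresty/lua-resty-redis/issues/159
        resolver local=on ipv6=off;

        init_worker_by_lua_block {
          -- check_role(res, role): true when role appears in res.user.roles.
          -- Defined as a global; presumably called from per-site Lua handlers
          -- that are not part of this file.
          -- Each entry is lower-cased before comparison while role is used
          -- as given, so callers must pass role in lower case. Role names
          -- differing only by case count as the same role.
          function check_role (res, role)
            -- Deny explicitly when the result has no user or no role list,
            -- instead of raising a Lua error in the middle of a request.
            local user = type(res) == "table" and res.user or nil
            local roles = type(user) == "table" and user.roles or nil
            if type(roles) ~= "table" then
              return false
            end
            for _, v in pairs(roles) do
              -- Skip entries string.lower cannot handle (tables, booleans).
              local kind = type(v)
              if (kind == "string" or kind == "number") and string.lower(v) == role then
                return true
              end
            end
            return false
          end
        }
      '';

    # Fixed worker count; presumably sized for this host - confirm before
    # reusing the module on other hardware.
    appendConfig = ''
      worker_processes 24;
    '';
  };

  # Adds the nginx user to the acme group, presumably so it can read the
  # certificates obtained through enableACME. This also gives the web server
  # group access to anything else that group can read, private keys included.
  users.groups.acme.members = [ "nginx" ];
}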