Refactor server files

2025-05-29 02:12:20 +03:00 · 2025-05-29 02:12:20 +03:00 · 0a78188848
commit 0a78188848
parent c3f87354a9
21 changed files with 90 additions and 111 deletions
--- a/servers/utils/acme-http-client.nix
+++ b/servers/utils/acme-http-client.nix
@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          enableACME = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 80 ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "vili.m.sinerva@gmail.com";
+    };
+  };
+}
--- a/servers/utils/cert-store-client.nix
+++ b/servers/utils/cert-store-client.nix
@ -0,0 +1,34 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          sslCertificate = "/mnt/acme/fullchain.pem";
+          sslCertificateKey = "/mnt/acme/key.pem";
+        };
+      }
+    );
+  };
+
+  config = {
+    services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+
+    systemd.services.nginx = {
+      wants = [ "mnt-acme.mount" ];
+      after = [ "mnt-acme.mount" ];
+    };
+
+    fileSystems."/mnt/acme" = {
+      device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme/-.vsinerva.fi";
+      fsType = "sshfs";
+      options = [
+        "nodev"
+        "noatime"
+        "allow_other"
+        "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+      ];
+    };
+  };
+}
--- a/servers/utils/nginx-https-server.nix
+++ b/servers/utils/nginx-https-server.nix
@ -0,0 +1,25 @@
+{ lib, ... }:
+{
+  options.services.nginx.virtualHosts = lib.mkOption {
+    type = lib.types.attrsOf (
+      lib.types.submodule {
+        config = lib.mkDefault {
+          forceSSL = true;
+          kTLS = true;
+        };
+      }
+    );
+  };
+
+  config = {
+    networking.firewall.allowedTCPPorts = [ 443 ];
+
+    services.nginx = {
+      enable = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}