thegeneralist01/config-new
1
Fork 0
Code Issues Pull requests Activity
config-new/hosts/thegeneralist-central/site.nix
TheGeneralist 572647d7c4
services: add jellyfin, archivebox, custom dns 
- `internal.thegeneralist01.com` and `archive.thegeneralist01.com` are
  not public. I have Split DNS enabled on them (in Tailscale), with the
  IP of the DNS server set to a private Tailscale IP of my home server;
- CoreDNS (also on my home server) is used to resolve the two private
  domains' IPs to the home server itself;
- nginx only listens to its machine's (home server's) Tailscale IP;
- Therefore, all of it is hermetic!
2025-08-03 14:48:21 +02:00

77 lines
2.1 KiB
Nix
Raw Blame History

{ config, pkgs, ... }: let
domain = "thegeneralist01.com";
ssl = {
quic = true;
useACMEHost = domain;
};
in {
imports = [ ./acme ./dns.nix ./jellyfin ];
# Nginx
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
enableQuicBPF = true;
recommendedZstdSettings = true;
recommendedUwsgiSettings = true;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
statusPage = true;
validateConfigFile = true;
virtualHosts."${domain}" = ssl // {
root = "/var/www/${domain}";
locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";
extraConfig = ''
if ($http_x_forwarded_proto = "http") {
return 301 https://${domain}$request_uri;
}
location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ {
expires 1d;
add_header Cache-Control "public";
}
error_page 404 /404.html;
'';
};
virtualHosts."www.${domain}" = ssl // {
locations."/".return = "306 https://${domain}$request_uri";
};
virtualHosts._ = ssl // {
locations."/".return = "307 https://${domain}/404";
};
};
# Cloudflare
environment.systemPackages = [ pkgs.cloudflared ];
age.secrets.cftcert.file = ./cert.pem.age;
age.secrets.cftcredentials.file = ./credentials.age;
services.cloudflared = {
enable = true;
certificateFile = config.age.secrets.cftcert.path;
tunnels."site" = {
ingress = {
"thegeneralist01.com" = "http://localhost:80";
"www.thegeneralist01.com" = "http://localhost:80";
"cache.thegeneralist01.com" = "http://localhost:80";
};
default = "http_status:404";
credentialsFile = config.age.secrets.cftcredentials.path;
certificateFile = config.age.secrets.cftcert.path;
};
};
}
Reference in a new issue View git blame Copy permalink