diff --git a/hosts/thegeneralist-central/acme/acmeEnvironment.age b/hosts/thegeneralist-central/acme/acmeEnvironment.age new file mode 100644 index 0000000..c76f8f5 Binary files /dev/null and b/hosts/thegeneralist-central/acme/acmeEnvironment.age differ diff --git a/hosts/thegeneralist-central/acme/default.nix b/hosts/thegeneralist-central/acme/default.nix new file mode 100644 index 0000000..9db64c5 --- /dev/null +++ b/hosts/thegeneralist-central/acme/default.nix @@ -0,0 +1,24 @@ +{ config, ... }: let + domain = "thegeneralist01.com"; +in { + age.secrets.acmeEnvironment.file = ./acmeEnvironment.age; + + security.acme = { + defaults = { + # Options: https://go-acme.github.io/lego/dns/ + environmentFile = config.age.secrets.acmeEnvironment.path; + email = "thegeneralist01@proton.me"; + dnsResolver = "1.1.1.1"; + dnsProvider = "cloudflare"; + }; + + certs.${domain} = { + extraDomainNames = [ "*.${domain}" ]; + group = "acme"; + }; + + acceptTerms = true; + }; + + users.groups.acme.members = [ "nginx" ]; +} diff --git a/hosts/thegeneralist-central/site.nix b/hosts/thegeneralist-central/site.nix index 89d16d1..3fd0c4c 100644 --- a/hosts/thegeneralist-central/site.nix +++ b/hosts/thegeneralist-central/site.nix 
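Review bot: The secret behind `environmentFile = config.age.secrets.acmeEnvironment.path` is opaque in this hunk, so nothing records which Cloudflare credential it carries or how narrowly it is scoped; lego's `cloudflare` provider accepts either a scoped `CLOUDFLARE_DNS_API_TOKEN` or the legacy `CLOUDFLARE_EMAIL`/`CLOUDFLARE_API_KEY` global key, and the latter would let anyone who reads the file on this host control the whole Cloudflare account rather than just DNS-01 for this zone. I would pin that contract next to the option: `# acmeEnvironment.age must provide CLOUDFLARE_DNS_API_TOKEN scoped to Zone:DNS:Edit on this zone only - never the global CLOUDFLARE_API_KEY`. The `extraDomainNames = [ "*.${domain}" ]` line makes this a wildcard cert, so a sentence noting that its key is readable by every member of the `acme` group (currently only `nginx`) would also help the next maintainer who extends that group. Separately, it is worth confirming that nginx is reloaded after renewal; if the nginx module does not wire that up for `useACMEHost`, add `reloadServices = [ "nginx.service" ];` to `certs.${domain}`.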
@@ -1,31 +1,74 @@ { config, pkgs, ... }: let domain = "thegeneralist01.com"; + + ssl = { + quic = true; + useACMEHost = domain; + }; in { - environment.systemPackages = [ pkgs.cloudflared ]; + imports = [ ./acme ]; + # Nginx services.nginx = { - enable = true; + enable = true; + package = pkgs.nginxQuic; + enableQuicBPF = true; - virtualHosts = { - "${domain}" = { - root = "/var/www/${domain}"; - locations."/".tryFiles = "$uri $uri/ $uri/index.html"; - }; + recommendedZstdSettings = true; + recommendedUwsgiSettings = true; + recommendedTlsSettings = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedBrotliSettings = true; + + statusPage = true; + validateConfigFile = true; + + virtualHosts."${domain}" = ssl // { + root = "/var/www/${domain}"; + locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404"; + + extraConfig = '' + if ($http_x_forwarded_proto = "http") { + return 301 https://${domain}$request_uri; + } + + location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ { + expires 1d; + add_header Cache-Control "public"; + } + + error_page 404 /404.html; + ''; + }; + + virtualHosts."www.${domain}" = ssl // { + locations."/".return = "306 https://${domain}$request_uri"; + }; + + virtualHosts._ = ssl // { + locations."/".return = "307 https://${domain}/404"; }; }; + # Cloudflare + environment.systemPackages = [ pkgs.cloudflared ]; + age.secrets.cftcert.file = ./cert.pem.age; age.secrets.cftcredentials.file = ./credentials.age; services.cloudflared = { enable = true; certificateFile = config.age.secrets.cftcert.path; + tunnels."site" = { ingress = { "thegeneralist01.com" = "http://localhost:80"; "www.thegeneralist01.com" = "http://localhost:80"; }; default = "http_status:404"; + credentialsFile = config.age.secrets.cftcredentials.path; certificateFile = config.age.secrets.cftcert.path; }; diff --git a/secrets.nix b/secrets.nix index 3bd4512..fb85e81 100644 --- a/secrets.nix 
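Review bot: The `www.${domain}` vhost answers with `locations."/".return = "306 https://${domain}$request_uri";`, and 306 is a reserved, unused status that browsers do not treat as a redirect, so www visitors get an empty 306 response instead of landing on the apex; this should be `locations."/".return = "301 https://${domain}$request_uri";` (or 308 if method preservation matters). The shared `ssl` set turns on `quic` and `useACMEHost`, but as far as I can tell from the NixOS nginx module no 443 listener is created unless `addSSL`, `forceSSL` or `onlySSL` is also set, so the wildcard certificate from `./acme` is never actually served; if direct HTTPS/QUIC is intended, `addSSL = true;` belongs in `ssl` - not `forceSSL`, which would 301 every request the cloudflared tunnel delivers to `http://localhost:80` and loop. The `$http_x_forwarded_proto` redirect is harmless if spoofed (a forged "http" only yields a 301 to the https URL), but a one-line comment saying it relies on Cloudflare setting that header would make the intent clear. The hunk appears to cover the whole file, but its final closing lines are not clearly visible in this chunk.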
+++ b/secrets.nix @@ -4,6 +4,7 @@ in { "hosts/thegeneralist/hostkey.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/hostkey.age".publicKeys = [ thegeneralist ]; + "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ];