NixOS configs for new Redbrick deployment


  1. let
  2. common = import ../common/variables.nix;
  3. # Define common settings for all ACME cert configurations
  4. acmeCert = {
  5. email = "admins+acme@${common.tld}";
  6. webroot = common.webrootDir;
  7. postRun = "systemctl reload httpd.service";
  8. };
  9. # Define a base vhost for all TLDs. This will serve only ACME on port 80
  10. # Everything else is promoted to HTTPS
  11. acmeVhost = domain: {
  12. hostName = domain;
  13. serverAliases = [ "*.${domain}" ];
  14. servedDirs = [{
  15. urlPath = "/.well-known/acme-challenge";
  16. dir = "${common.webrootDir}/.well-known/acme-challenge";
  17. }];
  18. extraConfig = ''
  19. RewriteEngine On
  20. RewriteCond %{HTTPS} off
  21. RewriteCond %{REQUEST_URI} !^/\.well-known/.*$ [NC]
  22. RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
  23. '';
  24. };
  25. in {
  26. # Acme will automatically create the certsDir and webrootDir
  27. security.acme.directory = common.certsDir;
  28. security.acme.certs = {
  29. "${common.tld}" = acmeCert;
  30. };
  31. services.httpd = {
  32. enable = true;
  33. multiProcessingModule = "event";
  34. maxClients = 50;
  35. sslServerKey = "${common.certsDir}/${common.tld}/key.pem";
  36. sslServerCert = "${common.certsDir}/${common.tld}/fullchain.pem";
  37. extraConfig = ''
  38. ProxyPreserveHost On
  39. '';
  40. virtualHosts = [
  41. (acmeVhost common.tld)
  42. ];
  43. adminAddr = "admins+httpd@${common.tld}";
  44. hostName = "localhost";
  45. # Only acme certs are accessible via port 80,
  46. # everything else is explicitly upgraded to https
  47. listen = [{ port = 80; }];
  48. };
  49. networking.firewall.allowedTCPPorts = [ 80 443 ];
  50. }