steffen/cryodev
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions
cryodev/modules/nixos/nginx/default.nix
steffen d623a01ebd
Some checks failed
Build Raspberry Pi SD Images / create-release (push) Has been cancelled
Details
Build Raspberry Pi SD Images / build-pi-images (cryodev-pi) (push) Has been cancelled
Details
Deploy cryodev-main / deploy-cryodev-main (push) Has been cancelled
Details
fix ACME: set default group to nginx for webroot permissions 
The ACME challenge directory was created with group 'acme' but nginx
needs read access to serve challenge responses. Setting defaults.group
to 'nginx' ensures all ACME directories are accessible by nginx.
2026-03-14 13:45:08 +01:00

73 lines
1.8 KiB
Nix
Raw Permalink Blame History

{ config, lib, ... }:
let
cfg = config.services.nginx;
inherit (lib)
mkDefault
mkIf
mkOption
optional
optionals
types
;
in
{
options.services.nginx = {
forceSSL = mkOption {
type = types.bool;
default = false;
description = "Force SSL for Nginx virtual host.";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = "Whether to open the firewall for HTTP (and HTTPS if forceSSL is enabled).";
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = optionals cfg.openFirewall (
[
80
]
++ optional cfg.forceSSL 443
);
services.nginx = {
recommendedOptimisation = mkDefault true;
recommendedGzipSettings = mkDefault true;
recommendedProxySettings = mkDefault true;
recommendedTlsSettings = cfg.forceSSL;
commonHttpConfig = "access_log syslog:server=unix:/dev/log;";
resolver.addresses =
let
isIPv6 = addr: builtins.match ".*:.*:.*" addr != null;
escapeIPv6 = addr: if isIPv6 addr then "[${addr}]" else addr;
cloudflare = [
"1.1.1.1"
"2606:4700:4700::1111"
];
resolvers =
if config.networking.nameservers == [ ] then cloudflare else config.networking.nameservers;
in
map escapeIPv6 resolvers;
sslDhparam = mkIf cfg.forceSSL config.security.dhparams.params.nginx.path;
};
security.acme = mkIf cfg.forceSSL {
acceptTerms = true;
defaults.email = mkDefault "postmaster@${config.networking.domain}";
defaults.webroot = mkDefault "/var/lib/acme/acme-challenge";
defaults.group = mkDefault "nginx";
};
security.dhparams = mkIf cfg.forceSSL {
enable = true;
params.nginx = { };
};
};
}
Reference in a new issue View git blame Copy permalink