
{
  inputs,
  constants,
  config,
  lib,
  ...
}:
let
  inherit (lib.utils) mkVirtualHost;
  # One switch handed to every vhost below (and to nginx.forceSSL and the
  # rss-bridge enableACME); how mkVirtualHost consumes it is defined in
  # lib.utils, not in this file.
  ssl = true;
in
{
# Supplies nginx options this module relies on beyond stock NixOS; the
# top-level services.nginx.forceSSL toggle used below is not a stock option
# and presumably comes from here — confirm in synix.
imports = [ inputs.synix.nixosModules.nginx ];
# Resolve exclusively through the CoreDNS instance configured below:
# systemd-resolved and resolvconf are both disabled so the static nameserver
# entry is presumably what ends up in /etc/resolv.conf.
# NOTE(review): a single nameserver means no fallback when coredns on this
# host is down — accepted trade-off, or add a second entry.
networking.nameservers = [ constants.hosts.sid.ip ];
networking.resolvconf.enable = false;
services.resolved.enable = false;
services.coredns = {
  enable = true;
  # Static overrides for the intranet names; everything else is forwarded.
  # `bind` pins the listener to sid's own address, so whether the resolver is
  # reachable beyond the tailnet depends on what that address is.
  # NOTE(review): if that address is routable from outside, add an `acl`
  # block — an open forwarding resolver is an amplification vector.
  # NOTE(review): vaultwarden and webdav resolve straight to rx4 here, so
  # clients using this resolver bypass the nginx vhosts for those two names
  # defined below on sid — confirm that is intended (rx4 would then have to
  # terminate TLS for them itself).
  # NOTE(review): `forward . 1.1.1.1` is plaintext; the forward plugin accepts
  # `tls://1.1.1.1` plus `tls_servername <upstream's DoT hostname>` if upstream
  # queries should not be observable on the uplink.
  config =
    let
      inherit (constants) hosts services;
    in
    ''
      .:53 {
        bind ${hosts.sid.ip}
        hosts {
          ${hosts.rx4.ip} ${services.vaultwarden.fqdn}
          ${hosts.rx4.ip} ${services.webdav.fqdn}
          ${hosts.rx4.ip} rx4.tail
          ${hosts.sid.ip} ${services.netdata.fqdn}
          ${hosts.sid.ip} sid.tail
          ${hosts.vde.ip} vde.tail
          fallthrough
        }
        forward . 1.1.1.1
        cache
        log
        errors
      }
    '';
};
# One wildcard certificate for the intranet zone, obtained via DNS-01 against
# Hetzner DNS — hence webroot = null: no HTTP-01 challenge is served, so the
# vhosts do not have to be reachable from the CA. The API token is rendered by
# sops into the lego credentials file referenced here.
# NOTE(review): a vhost only uses this certificate through
# useACMEHost = constants.intranet; one that sets enableACME instead requests
# its own per-name certificate (see the rss-bridge vhost below, and check what
# mkVirtualHost does).
security.acme.certs.${constants.intranet} = {
  domain = "*.${constants.intranet}";
  webroot = null;
  dnsProvider = "hetzner";
  credentialsFile = config.sops.templates.hetzner-dns-api-key.path;
};
# sid fronts the rx4-hosted services over TLS; netdata runs on sid itself.
services.nginx =
  let
    rx4 = constants.hosts.rx4.ip;
    svc = constants.services;
    # Standard vhost for an upstream living on rx4. Whatever mkVirtualHost adds
    # (proxy headers, useACMEHost vs enableACME, websockets) is defined in
    # lib.utils — check there before assuming.
    proxyToRx4 = port: mkVirtualHost { inherit ssl port; address = rx4; };
  in
  {
    enable = true;
    # NOTE(review): openFirewall opens 80/443 on every interface. If sid has a
    # public address, each intranet service proxied here is exposed on it;
    # scope it with networking.firewall.interfaces.<iface>.allowedTCPPorts or
    # a tailnet-only listen address if that is not wanted.
    openFirewall = true;
    # Not a stock services.nginx option — presumably provided by the synix
    # module imported above.
    forceSSL = ssl;
    # NOTE(review): recommendedTlsSettings / recommendedProxySettings are not
    # set in this file; confirm synix sets them, otherwise upstreams get no
    # X-Forwarded-* headers and TLS parameters are nginx's defaults.
    virtualHosts = {
      ${svc.docs.fqdn} = proxyToRx4 80;
      ${svc.forgejo.fqdn} = proxyToRx4 svc.forgejo.port;
      ${svc.miniflux.fqdn} = proxyToRx4 svc.miniflux.port;
      ${svc.open-webui-oci.fqdn} = proxyToRx4 svc.open-webui-oci.port;
      ${svc.rsshub-oci.fqdn} = proxyToRx4 svc.rsshub-oci.port;
      ${svc.vaultwarden.fqdn} = proxyToRx4 svc.vaultwarden.port;
      ${svc.webdav.fqdn} = proxyToRx4 svc.webdav.port;
      # No address given: presumably mkVirtualHost's default upstream, i.e.
      # the service on sid itself.
      ${svc.netdata.fqdn} = mkVirtualHost {
        inherit ssl;
        port = svc.netdata.port;
      };
      # Hand-written rather than via mkVirtualHost: it requests its own
      # certificate (enableACME) instead of useACMEHost = constants.intranet,
      # and proxies to rx4's port 80 — confirm both differences are deliberate.
      ${svc.rss-bridge.fqdn} = {
        enableACME = ssl;
        forceSSL = ssl;
        locations."/".proxyPass = "http://${rx4}";
      };
      # FIXME
      # "print.sid.ovh" = {
      #   enableACME = true;
      #   forceSSL = true;
      #   locations."/" = {
      #     proxyPass = "http://100.64.0.5:631";
      #     proxyWebsockets = true;
      #   };
      # };
    };
  };
# The Hetzner DNS token is decrypted once and then rendered into an
# EnvironmentFile-style credentials file for lego; both files are readable
# by the acme user only (0400).
# NOTE(review): only the template is consumed (security.acme above). As far as
# I know sops-nix renders templates as root, so the raw secret could keep its
# default root ownership unless something else reads it — narrower than
# giving acme both copies.
# NOTE(review): lego's hetzner DNS provider documents its credential variable
# as HETZNER_API_KEY; verify that the name written here is the one the lego
# version in nixpkgs actually reads, or the DNS-01 challenge will fail.
sops =
  let
    acmeOnly = {
      owner = "acme";
      group = "acme";
      mode = "0400";
    };
  in
  {
    secrets.hetzner-dns-api-key = acmeOnly;
    templates.hetzner-dns-api-key = acmeOnly // {
      content = "HETZNER_API_TOKEN=${config.sops.placeholder.hetzner-dns-api-key}";
    };
  };
}