cluster/containers/ingress-toothpick.nix


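# Container definition for the "toothpick" ingress: an nginx front door on
# port 80 plus certbot-managed certificates for the listed domains.
# Arguments are the NixNG library (`nglib`) and the nixpkgs input; the
# result is whatever `nglib.makeSystem` returns.
{ nglib, nixpkgs }:
nglib.makeSystem {
  system = "x86_64-linux";
  name = "nixng-ingress";
  inherit nixpkgs;

  config = ({ pkgs, config, nglib, ... }:
    let
      # certbot writes HTTP-01 challenge files under
      # <webroot>/.well-known/acme-challenge/; nginx serves that prefix on
      # port 80 from the same directory (see the location block below).
      certbotWebroot = "/var/www/certbot";
    in
    {
      config = {
        # dumb-init as PID 1, with `sigell` entries translating the signals
        # the container receives into actions on the service tree.
        dumb-init = {
          enable = true;
          sigell = {
            entries = [
              # HUP: reload nginx. The pid is read from /nginx.pid, which is
              # the same path configured via `pid` in the nginx section.
              {
                signal = "HUP";
                action = {
                  type = "exec";
                  environment = {
                    PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
                  };
                  command = [
                    "bash"
                    "-c"
                    "kill -s HUP \"$(cat /nginx.pid)\""
                  ];
                };
              }
              # TERM: forward unchanged to the direct child.
              {
                signal = "TERM";
                action = {
                  type = "signal";
                  rewrite = "TERM";
                  selector = {
                    type = "child";
                  };
                };
              }
            ];
          };
          type.services = {};
        };

        # NOTE(review): presumably stops the whole container when nginx
        # exits, so the supervisor restarts it rather than leaving a dead
        # ingress running — confirm against the init module.
        init.services.nginx = {
          shutdownOnExit = true;
        };

        system.activation = {
          # Minimal resolver so certbot can reach the ACME endpoint; ordered
          # before the "certbot" activation entry.
          # NOTE(review): the resolver is hard-coded to a public DNS service
          # rather than the host's; intentional for a container, but worth
          # confirming.
          resolv-conf =
            nglib.dag.dagEntryBefore [ "certbot" ]
              ''
                export PATH=${pkgs.busybox}/bin
                mkdir -p /etc
                echo "nameserver 8.8.8.8" > /etc/resolv.conf
              '';
        };

        services.certbot = {
          enable = true;
          acceptTerms = true;
          domains = {
            "redalder.org" = {
              extraDomains = [
                "hydra.redalder.org"
                "gitea.redalder.org"
                "nixng.org"
              ];
              webroot = certbotWebroot;
              email = "admin@redalder.org";
              extraOptions = "--expand --keep-until-expiring --renew-with-new-domains -v";
            };
          };
        };

        services.nginx = {
          enable = true;
          # envsubst runs over the generated config, so literal nginx
          # variables must be written as `$$var` (see the redirect below).
          envsubst = true;
          configuration = [
            {
              daemon = "off";
              worker_processes = 2;
              user = "nginx";
              events."" = {
                use = "epoll";
                worker_connections = 128;
              };
              error_log = [ "/dev/stderr" "warn" ];
              # Read by the HUP handler in the dumb-init section above.
              pid = "/nginx.pid";
              stream."" = {
                include = [
                  [ "/local/streams.conf" ]
                ];
              };
              http."" = {
                # Do not advertise the nginx version in headers/error pages.
                server_tokens = "off";
                include = [
                  [ "${pkgs.nginx}/conf/mime.types" ]
                  [ "/local/upstreams.conf" ]
                ];
                charset = "utf-8";
                access_log = [ "/dev/stdout" "combined" ];
                server."" = {
                  listen = [ "80" "default_server" ];
                  server_name = [
                    "redalder.org"
                    "nixng.org"
                  ];
                  # Serve ACME HTTP-01 challenges directly from the certbot
                  # webroot instead of redirecting them to HTTPS. This is
                  # the longest prefix match, so it takes precedence over
                  # the catch-all below, and it lets the first issuance
                  # succeed before any TLS server (defined in the included
                  # /local/upstreams.conf, not visible here) has a
                  # certificate to present.
                  location."/.well-known/acme-challenge/" = {
                    root = certbotWebroot;
                  };
                  # Everything else is sent to HTTPS on the same host.
                  location."/" = {
                    return = [ "301" "https://$$host$$request_uri" ];
                  };
                };
              };
            }
          ];
        };
      };
    });
}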