{ nglib, nixpkgs }: nglib.makeSystem { system = "x86_64-linux"; name = "nixng-ingress"; inherit nixpkgs; config = ({ pkgs, config, nglib, ... }: let ids = config.ids; in { config = { dumb-init = { enable = true; sigell = { entries = [ { signal = "HUP"; action = { type = "exec"; environment = { PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin"; }; command = [ "bash" "-c" "kill -s HUP \"$(cat /nginx.pid)\"" ]; }; } { signal = "TERM"; action = { type = "signal"; rewrite = "TERM"; selector = { type = "child"; }; }; } ]; }; type.services = {}; }; init.services.nginx = { shutdownOnExit = true; }; system.activation = { resolv-conf = nglib.dag.dagEntryBefore [ "certbot" ] '' export PATH=${pkgs.busybox}/bin mkdir -p /etc echo "nameserver 8.8.8.8" > /etc/resolv.conf ''; }; services.certbot = { enable = true; acceptTerms = true; domains = { "redalder.org" = { extraDomains = [ "hydra.redalder.org" "gitea.redalder.org" "matrix.redalder.org" "nixng.org" ]; webroot = "/var/www/certbot"; email = "admin@redalder.org"; extraOptions = "--expand --keep-until-expiring --renew-with-new-domains -v"; }; }; }; services.nginx = { enable = true; envsubst = true; configuration = [ { daemon = "off"; worker_processes = 2; user = "nginx"; events."" = { use = "epoll"; worker_connections = 128; }; error_log = [ "/dev/stderr" "warn" ]; pid = "/nginx.pid"; stream."" = { include = [ [ "/local/streams.conf" ] ]; }; http."" = { server_tokens = "off"; include = [ [ "${pkgs.nginx}/conf/mime.types" ] [ "/local/upstreams.conf" ] ]; charset = "utf-8"; access_log = [ "/dev/stdout" "combined" ]; server."" = { listen = [ "80" "default_server" ]; server_name = [ "redalder.org" "nixng.org" ]; location."/" = { return = [ "301" "https://$$host$$request_uri" ]; }; }; }; } ]; }; }; }); }