dotfiles/nixng/containers/ingress-toothpick/default.nix

132 lines
3 KiB
Nix
Raw Normal View History

{inputs, ...}: {
flake.nixngConfigurations.ingressToothpick = inputs.nixng.nglib.makeSystem {
system = "x86_64-linux";
name = "ingress-toothpick";
inherit (inputs) nixpkgs;
config = {
pkgs,
lib,
nglib,
...
}: let
inherit
(lib)
singleton
;
in {
dumb-init = {
enable = true;
sigell.entries = [
{
signal = "HUP";
action = {
type = "exec";
environment = {
PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
};
command = [
"bash"
"-c"
"kill -s HUP \"$(cat /nginx.pid)\""
];
};
}
{
signal = "TERM";
action = {
type = "signal";
rewrite = "TERM";
selector = {
type = "child";
};
};
}
];
type.services = {};
};
init.services.nginx.shutdownOnExit = true;
system.activation = {
resolv-conf =
nglib.dag.dagEntryBefore ["certbot"]
''
export PATH=${pkgs.busybox}/bin
mkdir -p /etc
echo "nameserver 8.8.8.8" > /etc/resolv.conf
'';
};
services.certbot = {
enable = true;
acceptTerms = true;
domains = {
"redalder.org" = {
extraDomains = [
"hydra.redalder.org"
"gitea.redalder.org"
"matrix.redalder.org"
"buildbot.redalder.org"
"nixng.org"
];
webroot = "/var/www/certbot";
email = "admin@redalder.org";
extraOptions = "--expand --keep-until-expiring --renew-with-new-domains -v";
};
};
};
services.nginx = {
enable = true;
envsubst = true;
configuration = [
{
daemon = "off";
worker_processes = 2;
user = "nginx";
events."" = {
use = "epoll";
worker_connections = 128;
};
error_log = ["/dev/stderr" "warn"];
pid = "/nginx.pid";
stream."" = {
include = [
["/local/streams.conf"]
];
};
http."" = {
server_tokens = "off";
include = [
["${pkgs.nginx}/conf/mime.types"]
["/local/upstreams.conf"]
];
charset = "utf-8";
access_log = ["/dev/stdout" "combined"];
server."" = {
listen = ["80" "default_server"];
server_name = [
"redalder.org"
"nixng.org"
];
location."/" = {
return = ["301" "https://$$host$$request_uri"];
};
};
};
}
];
};
};
};
}