diff --git a/flake.nix b/flake.nix index 057f126..28bbef1 100644 --- a/flake.nix +++ b/flake.nix @@ -47,6 +47,7 @@ nixos/systems/liveusb nixos/systems/blowhole + nixng/containers/ingress-blowhole nixng/containers/matrix/mautrix-signal nixng/containers/matrix/mautrix-discord nixng/containers/matrix/mautrix-facebook diff --git a/nixng/containers/ingress-blowhole/default.nix b/nixng/containers/ingress-blowhole/default.nix new file mode 100644 index 0000000..b48d52e --- /dev/null +++ b/nixng/containers/ingress-blowhole/default.nix 
@@ -0,0 +1,91 @@
+{ inputs, ... }:
+{
+ flake.nixngConfigurations.ingressBlowhole = inputs.nixng.nglib.makeSystem {
+ system = "x86_64-linux";
+ name = "ingress-blowhole";
+ inherit (inputs) nixpkgs;
+
+ config =
+ { pkgs, lib, ... }:
+ let
+ inherit (lib)
+ singleton;
+ in
+ {
+ dumb-init = {
+ enable = true;
+ sigell.entries = [
+ {
+ signal = "HUP";
+ action = {
+ type = "exec";
+ environment = {
+ PATH = "${pkgs.bash}/bin:${pkgs.busybox}/bin";
+ };
+ command =
+ [ "bash"
+ "-c"
+ "kill -s HUP \"$(cat /nginx.pid)\""
+ ];
+ };
+ }
+ {
+ signal = "TERM";
+ action = {
+ type = "signal";
+ rewrite = "TERM";
+ selector = {
+ type = "child";
+ };
+ };
+ }
+ ];
+ type.services = {};
+ };
+ init.services.nginx.shutdownOnExit = true;
+
+
+ services.nginx = {
+ enable = true;
+ envsubst = true;
+ configuration = singleton {
+ daemon = "off";
+ worker_processes = 2;
+ user = "nginx";
+
+ events."" = {
+ use = "epoll";
+ worker_connections = 128;
+ };
+
+ error_log = [ "/dev/stderr" "warn" ];
+
+ pid = "/nginx.pid";
+
+ stream."" = {
+ include = singleton [ "/local/streams.conf" ];
+ };
+
+ http."" = {
+ server_tokens = "off";
+ include = [
+ [ "${pkgs.nginx}/conf/mime.types" ]
+ [ "/local/upstreams.conf" ]
+ ];
+ charset = "utf-8";
+ access_log = [ "/dev/stdout" "combined" ];
+
+ server."" = {
+ listen = [ "80" "default_server" ];
+ server_name = singleton "blowhole.in.redalder.org";
+
+ location."/" = {
+ return = [ "301" "https://$$host$$request_uri" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
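Review bot: The actual ingress policy is not pinned by this file, because both the `stream` and `http` blocks `include` files under `/local` (`/local/streams.conf`, `/local/upstreams.conf`) that live outside the Nix store, so every stream listener and upstream is decided by whatever is mounted there at runtime. A comment above the `stream.""` block such as `# /local is provided by the host at runtime; mount it read-only, its files define all stream listeners and upstreams` would make that trust boundary explicit. Separately, the port-80 `default_server` builds its redirect target from `$host`, which nginx derives from the request's Host header, so a request carrying any Host value is answered with a 301 to that name. If only this hostname is meant to be served here, `return = [ "301" "https://blowhole.in.redalder.org$$request_uri" ];` avoids reflecting client input (keeping the `$$` form, which is presumably the escape needed with `envsubst = true`); if redirecting every virtual host is intended, a short comment saying so would help.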