initial commit

shared/applications/server/nginx.nix

@@ -0,0 +1,59 @@
+{ pkgs, lib, ... }:
+
+let
+  snakeOilCa = pkgs.runCommand "snakeoil-ca" {
+    buildInputs = [ pkgs.openssl ];
+  } ''
+    mkdir "$out"
+    openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
+      -subj '/CN=Snakeoil CA' -nodes \
+      -out "$out/ca.pem" -keyout "$out/ca.key"
+  '';
+in {
+  security.acme.defaults.email = "fricloudacme.cameo530@simplelogin.com";
+  security.acme.acceptTerms = true;
+
+  services.nginx = {
+    enable = true;
+
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    # recommendedBrotliSettings = true;
+    recommendedProxySettings = true;
+
+    # only allow PFS-enabled ciphers with AES256
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    # give Nginx access to our certs
+    group = "acme";
+
+    # setup a default site
+    virtualHosts.default = {
+      default = lib.mkDefault true;
+      addSSL = true;
+
+      sslCertificateKey = "${snakeOilCa}/ca.key";
+      sslCertificate = "${snakeOilCa}/ca.pem";
+
+      root = pkgs.writeTextDir "index.html" ''
+        <html>
+          <head>
+            <title>Nothing to see</title>
+          </head>
+          <body>
+            <p>Like I said, nothing to see here</p>
+          </body>
+        </html>
+      '';
+    };
+  };
+
+  users.groups.acme = {};
+
+  networking.firewall = {
+    allowedTCPPorts = [80 443];
+    allowedUDPPorts = [443];
+  };
+}
+

shared/applications/state/ssh.nix

@@ -0,0 +1,6 @@
+{
+  environment.persistence.root.files = [
+    "/etc/ssh/ssh_host_ed25519_key"
+    "/etc/ssh/ssh_host_rsa_key"
+  ];
+}