59 lines
1.4 KiB
Nix
59 lines
1.4 KiB
Nix
{ pkgs, lib, ... }:
|
|
|
|
let
|
|
snakeOilCa = pkgs.runCommand "snakeoil-ca" {
|
|
buildInputs = [ pkgs.openssl ];
|
|
} ''
|
|
mkdir "$out"
|
|
openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 \
|
|
-subj '/CN=Snakeoil CA' -nodes \
|
|
-out "$out/ca.pem" -keyout "$out/ca.key"
|
|
'';
|
|
in {
|
|
security.acme.defaults.email = "fricloudacme.cameo530@simplelogin.com";
|
|
security.acme.acceptTerms = true;
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
recommendedOptimisation = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedGzipSettings = true;
|
|
# recommendedBrotliSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
# only allow PFS-enabled ciphers with AES256
|
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
|
|
|
# give Nginx access to our certs
|
|
group = "acme";
|
|
|
|
# setup a default site
|
|
virtualHosts.default = {
|
|
default = lib.mkDefault true;
|
|
addSSL = true;
|
|
|
|
sslCertificateKey = "${snakeOilCa}/ca.key";
|
|
sslCertificate = "${snakeOilCa}/ca.pem";
|
|
|
|
root = pkgs.writeTextDir "index.html" ''
|
|
<html>
|
|
<head>
|
|
<title>Nothing to see</title>
|
|
</head>
|
|
<body>
|
|
<p>Like I said, nothing to see here</p>
|
|
</body>
|
|
</html>
|
|
'';
|
|
};
|
|
};
|
|
|
|
users.groups.acme = {};
|
|
|
|
networking.firewall = {
|
|
allowedTCPPorts = [80 443];
|
|
allowedUDPPorts = [443];
|
|
};
|
|
}
|
|
|