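#
# nginx front end: caching reverse proxy for a Nix binary cache, with a
# wildcard certificate obtained through ACME DNS-01.
#
{ config, lib, pkgs, ... }:
{
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;

    # On-disk cache zone used by the cache vhost below: at most 100g, entries
    # dropped after 14 days without a hit.
    appendHttpConfig = ''
      proxy_cache_path /mnt/Pluto/nix-cache levels=1:2 keys_zone=nix_cache:10m max_size=100g inactive=14d use_temp_path=off;
    '';

    virtualHosts = {
      # Default vhost: any request that does not match another server name
      # ends up here and is answered with 503.
      "home.opel-online.de" = {
        enableACME = true;
        forceSSL = true;
        default = true;
        locations."/".return = "503";
      };

      # Pull-through cache in front of the upstream binary cache.
      # NOTE(review): the firewall below opens 443 without a source
      # restriction, so every client that can reach this host can use the
      # cache; confirm that is intended.
      "cache.home.opel-online.de" = {
        useACMEHost = "home.opel-online.de";
        forceSSL = true;
        locations."/" = {
          # nginx does not verify the upstream certificate unless
          # proxy_ssl_verify is on. Everything fetched here is stored for up
          # to 14 days and re-served, so the upstream is authenticated
          # against the system CA bundle before a response can be cached.
          # The name checked is the host part of proxy_pass.
          # NOTE(review): clients should still enforce narinfo signatures
          # (trusted-public-keys); TLS verification does not replace that.
          extraConfig = ''
            proxy_pass https://cache.ci.kabtop.de;
            proxy_ssl_server_name on;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host cache.ci.kabtop.de;
            proxy_cache nix_cache;
            proxy_cache_valid 200 14d;
            proxy_cache_valid 404 1m;
            proxy_cache_use_stale error timeout updating;
            proxy_cache_lock on;
            proxy_cache_lock_timeout 1h;
            add_header X-Cache-Status $upstream_cache_status;
            proxy_buffering on;
            proxy_buffer_size 128k;
            proxy_buffers 8 1m;
            proxy_max_temp_file_size 0;
          '';
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "webmaster@opel-online.de";
      # Uncomment to test against the Let's Encrypt staging endpoint.
      # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      dnsResolver = "9.9.9.9:53";
    };
    certs = {
      "home.opel-online.de" = {
        # NOTE(review): a wildcard does not match the bare name, so the
        # default vhost "home.opel-online.de" presents a certificate that is
        # not valid for its own host name. If that matters, add
        # extraDomainNames = [ "home.opel-online.de" ];
        domain = "*.home.opel-online.de";
        dnsProvider = "netcup";
        # DNS provider credentials, decrypted by agenix at activation time.
        environmentFile = config.age.secrets."services/acme/opel-online".path;
        # DNS-01 only; presumably needed to clear the webroot that
        # enableACME on the vhost would otherwise set (confirm).
        webroot = null;
      };
    };
  };

  # Let the nginx unit write to the cache directory.
  systemd.services.nginx.serviceConfig.ReadWritePaths = ["/mnt/Pluto/nix-cache"];

  networking.firewall = {
    enable = true;
    allowedUDPPorts = [];
    # 80 serves the forceSSL redirect; issuance uses DNS-01, not HTTP-01.
    allowedTCPPorts = [80 443];
  };

  # Readable by the acme user only, which runs the certificate renewal.
  age.secrets."services/acme/opel-online" = {
    file = ../../../secrets/services/acme/opel-online.age;
    owner = "acme";
  };
}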