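# NixOS module: Hydra CI plus a nix-serve binary cache, both bound to loopback
# and published through nginx with a wildcard Let's Encrypt certificate that is
# obtained via DNS-01. Secrets are referenced through agenix (`config.age.secrets`).
{ lib, config, pkgs, ... }:
{
  services = {
    hydra = {
      enable = true;
      hydraURL = "https://hydra.home.opel-online.de";
      # Loopback only: the web UI is meant to be reached through the nginx
      # vhost below, never directly.
      listenHost = "127.0.0.1";
      notificationSender = "hydra@localhost";
      # Build inputs may be substituted from binary caches, so build results
      # inherit the trust placed in this host's configured substituters.
      useSubstitutes = true;
      minimumDiskFree = 30;
    };

    nix-serve = {
      enable = true;
      port = 5001;
      # Loopback only; exposed through the "cache." vhost below.
      bindAddress = "127.0.0.1";
      # Same signing key that `nix.extraOptions` hands to the Nix daemon.
      # NOTE(review): the secret is owned by "hydra" (see age.secrets below);
      # confirm the nix-serve unit can read it on the nixpkgs release in use.
      secretKeyFile = config.age.secrets."keys/nixsign".path;
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;

      virtualHosts = {
        # Catch-all: requests for any host name without its own vhost get a 503.
        # NOTE(review): the certificate below is issued for
        # "*.home.opel-online.de" only; a wildcard does not cover the bare
        # "home.opel-online.de" name this vhost carries. Add the bare name via
        # `extraDomainNames` if clients are expected to reach it over TLS.
        "home.opel-online.de" = {
          enableACME = true;
          forceSSL = true;
          default = true;
          locations."/".return = "503";
        };

        "hydra.home.opel-online.de" = {
          useACMEHost = "home.opel-online.de";
          forceSSL = true;
          locations."/" = {
            # Derived from the Hydra options (as the cache vhost does for
            # nix-serve) so proxy and backend cannot drift apart, and so that
            # "localhost" can never resolve to ::1 while Hydra listens on
            # 127.0.0.1 only.
            proxyPass = "http://${config.services.hydra.listenHost}:${toString config.services.hydra.port}";
            # Tell the backend that the client-facing port is 443.
            extraConfig = ''
              proxy_set_header X-Forwarded-Port 443;
            '';
          };
        };

        # NOTE(review): no authentication or address allow-list is configured
        # for this vhost in this file, so whoever can reach it can fetch any
        # path nix-serve is willing to serve from this host's store. Keep
        # secrets out of the Nix store and restrict access here if the cache
        # is not meant to be public.
        "cache.home.opel-online.de" = {
          useACMEHost = "home.opel-online.de";
          forceSSL = true;
          locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "webmaster@opel-online.de";
      # Uncomment to test against the Let's Encrypt staging endpoint.
      #server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      # NOTE(review): line breaks were lost in the copy under review;
      # `dnsResolver` is taken to be an active setting, not part of the
      # commented-out line above.
      dnsResolver = "9.9.9.9:53";
    };
    certs = {
      "home.opel-online.de" = {
        domain = "*.home.opel-online.de";
        # DNS-01 through the netcup API; the API credentials come from the
        # agenix-managed environment file, not from this (world-readable) module.
        dnsProvider = "netcup";
        environmentFile = config.age.secrets."services/acme/opel-online".path;
        # Presumably overrides the HTTP-01 webroot that `enableACME` on the
        # nginx vhost would otherwise set for this certificate.
        webroot = null;
      };
    };
  };

  nix = {
    settings = {
      # Trusted users may override daemon settings (substituters, signature
      # checks), which is close to root-equivalent access. Keep this list to
      # what Hydra actually needs.
      trusted-users = [ "hydra" ];
      # NOTE(review): this allows every http:// and https:// URL during
      # restricted evaluation, plaintext HTTP included. Prefer listing only the
      # prefixes the jobsets really fetch from (for example the forges hosting
      # their inputs), and drop "http://" if nothing depends on it.
      allowed-uris = "http:// https://";
    };
    # Key file handed to Nix via `secret-key-files`; the same key that
    # nix-serve signs with.
    extraOptions = ''
      secret-key-files = ${config.age.secrets."keys/nixsign".path}
    '';
  };

  # agenix secrets: only the encrypted .age files are referenced from the repo.
  age.secrets."keys/nixsign" = {
    file = ../../../secrets/keys/nixservepriv.age;
    owner = "hydra";
  };

  age.secrets."services/acme/opel-online" = {
    file = ../../../secrets/services/acme/opel-online.age;
    owner = "acme";
  };
}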