diff --git a/flake/flake.nix b/flake/flake.nix
index ddf5a10..27ff67b 100644
--- a/flake/flake.nix
+++ b/flake/flake.nix
@@ -25,6 +25,7 @@
         ./system/cerulea-1/networking.nix
         ./system/base.nix
         ./system/software.nix
+        ./system/nginx.nix
       ];
     };
   };
diff --git a/flake/system/nginx.nix b/flake/system/nginx.nix
new file mode 100644
index 0000000..ed07516
--- /dev/null
+++ b/flake/system/nginx.nix
@@ -0,0 +1,46 @@
+{ pkgs, lib, ... }: {
+  environment.systemPackages = with pkgs; [
+    certbot
+  ];
+
+  systemd.services.certbot-renew = {
+    description = "certbot auto renew service";
+    serviceConfig = {
+      ExecStart = "${pkgs.certbot}/bin/certbot renew --quiet --post-hook 'systemctl reload nginx.service'";
+    };
+  };
+  systemd.timers.certbot-renew = {
+    description = "certbot auto renew timer";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    user = "root";
+    enableReload = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+  services.nginx.appendHttpConfig = "include /srv/ngx/out/*.conf;";
+
+  services.nginx.appendConfig = "user root;";
+
+  systemd.services.nginx.serviceConfig = lib.mkForce {
+    User = "root";
+    Group = "root";
+    ExecStart = "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf";
+    ExecReload = [
+      "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf -t"
+      "${pkgs.coreutils}/bin/kill -HUP $MAINPID"
+    ];
+    LogsDirectory = "nginx";
+    RuntimeDirectory = "nginx";
+  };
+}
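Review bot: The new nginx.nix runs nginx entirely as root — `user = "root";`, `services.nginx.appendConfig = "user root;";` and the `lib.mkForce` serviceConfig with `User = "root"; Group = "root";` — so any request-handling bug, or a stray file matched by the `include /srv/ngx/out/*.conf;` line, executes with full root privileges, and because `lib.mkForce` replaces the whole serviceConfig attrset it also discards the sandboxing directives the NixOS nginx module would otherwise set on the unit (ProtectSystem, PrivateTmp and the capability bounding set, as far as I can tell). Unless there is a reason the module's default unprivileged user cannot serve here (it is already granted the capability to bind ports 80/443), I would drop the three root settings and the mkForce block, keep the module's own ExecStart/ExecReload, and — if the motive is reading the certbot-issued keys under /etc/letsencrypt — give the nginx user group read access to that directory or use the NixOS `security.acme` module, which manages certificate permissions for nginx itself. Since `/srv/ngx/out` lives outside the Nix store, whoever can write that directory controls the server configuration, so a comment on its expected ownership and mode (`# /srv/ngx/out must be writable only by <owner> — configs here run inside nginx`) would help the next reader. Separately, `systemd.services.certbot-renew` has no `Type = "oneshot";`, which is the usual setting for a timer-driven renewal job so the post-hook reload is part of the job rather than a detached simple service.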