better services

2025-12-10 00:43:56 -05:00 · 2025-03-05 22:32:40 -05:00 · 2025-03-05 22:32:40 -05:00 · 518ab13797
commit 518ab13797
parent 29b35ab058
10 changed files with 189 additions and 123 deletions
--- a/nixosConfigurations/gerg-desktop/services/nginx.nix
+++ b/nixosConfigurations/gerg-desktop/services/nginx.nix
@ -9,70 +9,71 @@
    };
  };

-  config = {
-    local.nginx.defaultVhosts = builtins.mapAttrs (_: v: {
-      locations."/".proxyPass = v;
-    }) config.local.nginx.proxyVhosts;
+  config =
+    let
+      cfg = config.services.nginx;
+    in
+    {
+      local.nginx.defaultVhosts = builtins.mapAttrs (_: v: {
+        locations."/".proxyPass = v;
+      }) config.local.nginx.proxyVhosts;

-    sops.secrets = {
-      gerg_ssl_key.owner = config.services.nginx.user;
-      gerg_ssl_cert.owner = config.services.nginx.user;
-    };
-
-    security.acme = {
-      acceptTerms = true;
-      certs."gerg-l.com" = {
-        email = "GregLeyda@proton.me";
-        webroot = "/var/lib/acme/acme-challenge";
-        extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts;
+      sops.secrets = {
+        gerg_ssl_key.owner = cfg.user;
+        gerg_ssl_cert.owner = cfg.user;
      };
-    };

-    fileSystems."/var/lib/acme" = {
-      device = "/persist/services/acme";
-      fsType = "none";
-      options = [ "bind" ];
-      depends = [
-        "/persist"
-        "/var"
+      security.acme = {
+        acceptTerms = true;
+        certs."gerg-l.com" = {
+          email = "GregLeyda@proton.me";
+          inherit (cfg) group;
+          webroot = "/var/lib/acme/acme-challenge";
+          extraDomainNames = builtins.attrNames config.local.nginx.defaultVhosts;
+        };
+      };
+
+      systemd.mounts = [
+        {
+          what = "/persist/services/acme";
+          where = "/var/lib/acme";
+          type = "none";
+          options = "bind";
+        }
+      ];
+
+      services.nginx = {
+        enable = true;
+        recommendedZstdSettings = true;
+        recommendedOptimisation = true;
+        recommendedProxySettings = true;
+        recommendedTlsSettings = true;
+        # For immich
+        clientMaxBodySize = "50000M";
+        proxyTimeout = "600s";
+        virtualHosts =
+          builtins.mapAttrs
+            (
+              _: v:
+              {
+                forceSSL = true;
+                useACMEHost = "gerg-l.com";
+              }
+              // v
+            )
+            (
+              config.local.nginx.defaultVhosts
+              // {
+                "_" = {
+                  default = true;
+                  locations."/".return = "404";
+                };
+              }
+            );
+      };
+      networking.firewall.allowedTCPPorts = [
+        80
+        443
      ];
    };
-
-    users.users.${config.services.nginx.user}.extraGroups = [ "acme" ];
-
-    services.nginx = {
-      enable = true;
-      recommendedZstdSettings = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      # For immich
-      clientMaxBodySize = "50000M";
-      proxyTimeout = "600s";
-      virtualHosts =
-        builtins.mapAttrs
-          (
-            _: v:
-            {
-              forceSSL = true;
-              useACMEHost = "gerg-l.com";
-            }
-            // v
-          )
-          (
-            config.local.nginx.defaultVhosts
-            // {
-              "_" = {
-                default = true;
-                locations."/".return = "404";
-              };
-            }
-          );
-    };
-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-  };
 }