change dns setup

switch to forgejo enable miniflux autodefenestrate
2025-12-10 00:43:56 -05:00 · 2024-06-29 20:51:01 -04:00 · 2024-06-29 20:51:01 -04:00 · 65638ecb1c
commit 65638ecb1c
parent 92cfe9d05f
7 changed files with 94 additions and 62 deletions
--- a/hosts/gerg-desktop/services/nginx.nix
+++ b/hosts/gerg-desktop/services/nginx.nix
@ -13,20 +13,33 @@
        inherit (config.services.nginx) group;
      });

+  security.acme = {
+    acceptTerms = true;
+    certs."gerg-l.com" = {
+      email = "GregLeyda@proton.me";
+      webroot = "/var/lib/acme/acme-challenge";
+      extraDomainNames = [
+        "search.gerg-l.com"
+        "git.gerg-l.com"
+        "next.gerg-l.com"
+        "flux.gerg-l.com"
+        "cache.gerg-l.com"
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [ "L+ /var/lib/acme - - - - /persist/services/acme" ];
+
+  users.users.${config.services.nginx.user}.extraGroups = [ "acme" ];
+
  services.nginx = {
    enable = true;
+    recommendedZstdSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts = {
-      "_" = {
-        default = true;
-        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".return = "404";
-      };
      "nix-fu.com" = {
        forceSSL = true;
        sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
@ -34,35 +47,51 @@
        serverAliases = [ "www.nix-fu.com" ];
        globalRedirect = "github.com/Gerg-L";
      };
+      "_" = {
+        default = true;
+        forceSSL = true;
+        useACMEHost = "gerg-l.com";
+
+        locations."/".return = "404";
+      };
      "search.gerg-l.com" = {
        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        useACMEHost = "gerg-l.com";
+
        locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
        extraConfig = "access_log off;";
      };
      "git.gerg-l.com" = {
        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
-      };
-      "next.gerg-l.com" = {
-        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        useACMEHost = "gerg-l.com";
+
+        locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
      };
      "flux.gerg-L.com" = {
        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        useACMEHost = "gerg-l.com";
+
        locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
      };
+      "next.gerg-l.com" = {
+        forceSSL = true;
+        useACMEHost = "gerg-l.com";
+        extraConfig = ''
+          zstd on;
+          zstd_types "*";
+        '';
+      };
      "cache.gerg-L.com" = {
        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+        useACMEHost = "gerg-l.com";
+
+        locations."/" = {
+          proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+          extraConfig = ''
+            zstd on;
+            zstd_types "*";
+          '';
+        };
      };
    };
  };