author | Nguyễn Gia Phong <mcsinyx@disroot.org> | 2022-05-11 09:45:25 +0900 |
committer | Nguyễn Gia Phong <mcsinyx@disroot.org> | 2022-05-11 09:45:25 +0900 |
commit | 84835e036491e99222d95a2ce730b355acf3c9b4 (patch) | |
tree | 3bee4c5380b70597e7a01ff3aaee36f095aee625 | |
parent | c1521fb5a888bc7d72c960c2089abf1ee5643538 (diff) | |
download | nixos-conf-84835e036491e99222d95a2ce730b355acf3c9b4.tar.gz |
Enable encryption for IPFS gateway subdomains
-rw-r--r-- | configuration.nix | 48 |
1 files changed, 34 insertions, 14 deletions
diff --git a/configuration.nix b/configuration.nix
index 6c446b1..188ec12 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -1,5 +1,6 @@
 { config, lib, pkgs, ... }:
 let
+ certs = config.security.acme.certs.${domain};
 domain = "loang.net";
 bindUserDirs = sources: target: lib.mapAttrs' (user: dir: {
 name = "${target}/~${user}";
@@ -42,6 +43,18 @@ in {
 security = {
 acme = {
 acceptTerms = true;
+ certs.${domain} = {
+ credentialsFile = pkgs.writeText "namesilo.env" ''
+ NAMESILO_API_KEY_FILE=/var/lib/acme/namesilo.key
+ NAMESILO_PROPAGATION_TIMEOUT=1800
+ '';
+ dnsProvider = "namesilo";
+ extraDomainNames = [
+ "*.ipfs.${domain}"
+ "*.ipns.${domain}"
+ ];
+ webroot = null;
+ };
 defaults.email = "mcsinyx@disroot.org";
 };
@@ -66,7 +79,7 @@ in {
 };
 molly-brown = let
- certDir = config.security.acme.certs.${domain}.directory;
+ certDir = certs.directory;
 in {
 certPath = "${certDir}/cert.pem";
 docBase = "/var/lib/gemini/${domain}";
@@ -75,19 +88,28 @@ in {
 keyPath = "${certDir}/key.pem";
 };
- nginx = {
+ nginx = let
+ ipfsGateway = "http://localhost:8080";
+ ipfsProxy = {
+ forceSSL = true;
+ locations."/".proxyPass = ipfsGateway;
+ useACMEHost = domain;
+ };
+ in {
 enable = true;
 recommendedProxySettings = true;
- virtualHosts.${domain} = {
- enableACME = true;
- forceSSL = true;
- locations = let
- ipfsGateway = "http://localhost:8080";
- in {
- "/ipfs".proxyPass = ipfsGateway;
- "/ipns".proxyPass = ipfsGateway;
+ virtualHosts = {
+ "${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/ipfs".proxyPass = ipfsGateway;
+ "/ipns".proxyPass = ipfsGateway;
+ };
+ root = "/var/lib/www/${domain}";
 };
- root = "/var/lib/www/${domain}";
+ "*.ipfs.${domain}" = ipfsProxy;
+ "*.ipns.${domain}" = ipfsProxy;
 };
 };
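Review bot: The new `certs.${domain}` block in the `@@ -42,6 +43,18 @@` hunk points the DNS-01 challenge at `/var/lib/acme/namesilo.key`, but nothing in the commit provisions that file or records who must be able to read it, so a fresh activation will fail the first renewal until it exists and, if it is created with default permissions, the NameSilo API key becomes readable to more than the acme service user. Reading the key through `NAMESILO_API_KEY_FILE` rather than inlining it is the right call, because `pkgs.writeText` places `namesilo.env` in the world-readable Nix store, and that reasoning deserves to be written down so the next edit does not move the key into the env file. A comment on the `credentialsFile` line such as `# Key stays outside the store: keep /var/lib/acme/namesilo.key owned by the acme user, mode 0400` would cover both points. Presumably a DNS-provider API key of this kind can authorise issuance for any name in the zone, not only the two wildcards listed, which is worth weighing when deciding where that file lives and who can read it.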
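Review bot: In the `@@ -75,19 +88,28 @@` hunk the shared `ipfsProxy` attrset relies on the `${domain}` certificate carrying the `*.ipfs.${domain}` and `*.ipns.${domain}` SANs declared in `security.acme.certs`, via `useACMEHost = domain`, yet nothing at the binding says so, and the apex host still serves the path-style gateway at `/ipfs` and `/ipns` on the same origin as the site root. Subdomain gateways exist precisely to give each content root its own origin, so leaving the path gateway on the apex keeps the cross-origin exposure this commit otherwise removes; if the daemon's `Gateway.PublicGateways` entry for the host sets `UseSubdomains = true` it will redirect those paths to the subdomain form on its own, otherwise a redirect in nginx would close the gap. A comment on the `ipfsProxy` binding along the lines of `# Wildcard hosts reuse the DNS-01 cert for ${domain}; the SANs live in security.acme.certs` would make the coupling explicit for whoever next touches either block. The enclosing attribute set that holds `molly-brown` and `nginx` begins before this hunk.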
@@ -104,9 +126,7 @@ in {
 extraConfig = ''
 DefaultTimeoutStartSec=900s
 '';
- services.molly-brown.serviceConfig.SupplementaryGroups = [
- config.security.acme.certs.${domain}.group
- ];
+ services.molly-brown.serviceConfig.SupplementaryGroups = [ certs.group ];
 };
 time.timeZone = "UTC";