37e48b712e
* keep ./services for instances ./profiles is for config-only modules ./services are like profiles, but configure a single instance of a service. Those are fronted by Nginx as the load-balancer and have a DNS entry as well. * ci: build build03 as well * move hydra to services * move matterbridge to services * move marvin-mk2 to services * build01: share the remainder profiles * build02: use the nix-community-cache * fixup kexec * rename profiles to roles * README: sync with reality
33 lines
809 B
Nix
33 lines
809 B
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
|
|
|
# nginx is being used as the frontend HTTP server for all the services
|
|
# running on the box
|
|
services.nginx = {
|
|
enable = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
# Should we have this?
|
|
#commonHttpConfig = ''
|
|
# add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
|
|
#'';
|
|
|
|
resolver.addresses =
|
|
if config.networking.nameservers == [ ]
|
|
then [ "1.1.1.1" ]
|
|
else config.networking.nameservers;
|
|
|
|
sslDhparam = config.security.dhparams.params.nginx.path;
|
|
};
|
|
|
|
security.dhparams = {
|
|
enable = true;
|
|
params.nginx = { };
|
|
};
|
|
}
|