From c13c8b4ce5eafc606654fffdc951c4c6df890809 Mon Sep 17 00:00:00 2001
From: Craige McWhirter
Date: Thu, 17 Sep 2020 11:12:02 +1000
Subject: [PATCH] Initial commit
---
roles/craige4rocky.nix | 50 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
create mode 100644 roles/craige4rocky.nix
diff --git a/roles/craige4rocky.nix b/roles/craige4rocky.nix
new file mode 100644
index 0000000..e85960c
--- /dev/null
+++ b/roles/craige4rocky.nix
@@ -0,0 +1,50 @@
+# NixOps configuration for deploying the craige4rocky website
+
+{ config, pkgs, ...}:
+
+let
+ craige4rocky = import (pkgs.fetchgit {
+ name = "craige4rocky-src";
+ url = "https://source.mcwhirter.io/craige/craige4rocky.git";
+ branchName = "master";
+ sha256 = "1cammdgszclrhvp56af3c7vnanyn0gplvkhqi6jkg1ygy01ard4w";
+ }) { nixpkgs = pkgs; };
+ webdomain = "craige4rocky.org";
+
+in {
+
+ environment.sessionVariables = {
+ LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
+ };
+
+ services.nginx = {
+ enable = true; # Enable Nginx
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "${webdomain}" = { # website hostname
+ enableACME = true; # Use ACME certs
+ forceSSL = true; # Force SSL
+ root = "${craige4rocky}"; # Wesbite root
+ };
+ "www.${webdomain}" = { # Respect our elders :-)
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ certs = {
+ "${webdomain}".email = "admin@${webdomain}";
+ "www.${webdomain}".email = "admin@${webdomain}";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+}
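Review bot: The `pkgs.fetchgit` call in the `let` block pins the site source by `sha256` only and sets no `rev`, so the fetch presumably tracks whatever the remote's default HEAD is when the derivation is built. As far as I know `branchName` only names the local checkout branch and does not select a commit. The hash still blocks silently different content, but once upstream moves the deploy either fails with a hash mismatch or reuses a cached store path, and nothing in the role records which commit is live. Because the result is passed to `import` and evaluated as Nix code during deployment, the exact commit should be auditable: add `rev = "<commit-sha>";` next to `sha256` and update both together.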