Add PureGym server (#22)

2025-10-23 00:28:40 +00:00 · 2023-12-28 22:18:39 +00:00
parent 56483b6b80
commit 3eec70b88d
14 changed files with 328 additions and 51 deletions
--- a/PulumiWebServer/Nix/nginx/nginx.nix
+++ b/PulumiWebServer/Nix/nginx/nginx.nix
@@ -0,0 +1,89 @@
+{
+  pkgs,
+  lib,
+  config,
+  website,
+  ...
+}: {
+  options = {
+    services.nginx-config = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        example = "example.com";
+        description = lib.mdDoc "Domain to configure";
+      };
+      webrootSubdomain = lib.mkOption {
+        type = lib.types.str;
+        default = "www";
+        description = lib.mdDoc "Global redirect";
+      };
+      email = lib.mkOption {
+        type = lib.types.str;
+        example = "admin@example.com";
+        description = lib.mdDoc "Email address to use when registering with Let's Encrypt";
+      };
+      staging = lib.mkOption {
+        type = lib.types.bool;
+        default = "true";
+        description = lib.mdDoc "Whether to use the staging Let's Encrypt instance";
+      };
+    };
+  };
+
+  config = {
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = config.services.nginx-config.email;
+    security.acme.certs = {
+      "${config.services.nginx-config.domain}" = {
+        server =
+          if config.services.nginx-config.staging
+          then "https://acme-staging-v02.api.letsencrypt.org/directory"
+          else "https://acme-v02.api.letsencrypt.org/directory";
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      80 # required for the ACME challenge
+      443
+    ];
+
+    users.users."nginx".extraGroups = [config.users.groups.keys.name];
+
+    system.activationScripts = {
+      create-website = ''
+        ln -sfn ${website} /preserve/www/html
+      '';
+    };
+
+    services.nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+
+      # For Prometheus exporter
+      statusPage = true;
+
+      virtualHosts."${config.services.nginx-config.domain}" = {
+        globalRedirect = "${config.services.nginx-config.webrootSubdomain}.${config.services.nginx-config.domain}";
+        addSSL = true;
+        enableACME = true;
+        root = "/preserve/www/html";
+      };
+
+      virtualHosts."${config.services.nginx-config.webrootSubdomain}.${config.services.nginx-config.domain}" = {
+        addSSL = true;
+        enableACME = true;
+        root = "/preserve/www/html";
+        extraConfig = ''
+          location ~* \.(?:ico|css|js|gif|jpe?g|png|woff2)$ {
+              expires 30d;
+              add_header Pragma public;
+              add_header Cache-Control "public";
+          }
+        '';
+      };
+    };
+  };
+}