2021-10-26 03:05:00 +03:00
|
|
|
{ pkgs, config, lib, ... }: {
|
2021-10-30 21:04:53 +03:00
|
|
|
users.groups.cert.members = [ "turnserver" "nginx" "dovecot2" ];
|
|
|
|
|
|
2021-10-26 02:34:50 +03:00
|
|
|
secrets."ataraxiadev.com.pem" = {
|
2021-10-30 21:04:53 +03:00
|
|
|
owner = "root:cert";
|
2021-10-27 14:25:26 +03:00
|
|
|
permissions = "440";
|
2021-10-26 02:34:50 +03:00
|
|
|
};
|
|
|
|
|
secrets."ataraxiadev.com.key" = {
|
2021-10-30 21:04:53 +03:00
|
|
|
owner = "root:cert";
|
2021-10-27 14:25:26 +03:00
|
|
|
permissions = "440";
|
2021-10-26 02:34:50 +03:00
|
|
|
};
|
|
|
|
|
secrets."origin-pull-ca.pem" = {
|
2021-10-30 21:04:53 +03:00
|
|
|
owner = "root:cert";
|
2021-10-27 14:25:26 +03:00
|
|
|
permissions = "440";
|
2021-10-26 02:34:50 +03:00
|
|
|
};
|
2021-10-26 01:04:58 +03:00
|
|
|
## DNS-over-TLS
|
|
|
|
|
services.stubby = {
|
|
|
|
|
enable = true;
|
|
|
|
|
listenAddresses = [ "0::1" "127.0.0.1" ];
|
|
|
|
|
roundRobinUpstreams = false;
|
|
|
|
|
upstreamServers = ''
|
|
|
|
|
## Quad9
|
|
|
|
|
- address_data: 2620:fe::fe
|
|
|
|
|
tls_auth_name: "dns.quad9.net"
|
|
|
|
|
- address_data: 2620:fe::9
|
|
|
|
|
tls_auth_name: "dns.quad9.net"
|
|
|
|
|
- address_data: 9.9.9.9
|
|
|
|
|
tls_auth_name: "dns.quad9.net"
|
|
|
|
|
- address_data: 149.112.112.112
|
|
|
|
|
tls_auth_name: "dns.quad9.net"
|
|
|
|
|
## Cloudflare
|
|
|
|
|
- address_data: 2606:4700:4700::1112
|
|
|
|
|
tls_auth_name: "cloudflare-dns.com"
|
|
|
|
|
- address_data: 2606:4700:4700::1002
|
|
|
|
|
tls_auth_name: "cloudflare-dns.com"
|
|
|
|
|
- address_data: 1.1.1.2
|
|
|
|
|
tls_auth_name: "cloudflare-dns.com"
|
|
|
|
|
- address_data: 1.0.0.2
|
|
|
|
|
tls_auth_name: "cloudflare-dns.com"
|
|
|
|
|
'';
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
# Set TLS 1.3 as minimum acceptable version
|
|
|
|
|
tls_min_version: GETDNS_TLS1_3
|
|
|
|
|
# Require DNSSEC validation
|
|
|
|
|
dnssec: GETDNS_EXTENSION_TRUE
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
networking.nameservers = [ "::1" "127.0.0.1" ];
|
|
|
|
|
services.resolved = {
|
|
|
|
|
enable = true;
|
|
|
|
|
fallbackDns = [ "2606:4700:4700::1111" "2606:4700:4700::1001" "1.1.1.1" "1.0.0.1" ];
|
|
|
|
|
};
|
|
|
|
|
|
2021-10-25 23:20:08 +03:00
|
|
|
services.nginx = {
|
|
|
|
|
enable = true;
|
|
|
|
|
recommendedTlsSettings = true;
|
|
|
|
|
recommendedOptimisation = true;
|
|
|
|
|
recommendedGzipSettings = true;
|
|
|
|
|
recommendedProxySettings = true;
|
|
|
|
|
appendHttpConfig = "charset utf-8;";
|
|
|
|
|
virtualHosts = let
|
|
|
|
|
default = {
|
2021-10-26 02:31:54 +03:00
|
|
|
forceSSL = true;
|
2021-10-25 23:20:08 +03:00
|
|
|
enableACME = false;
|
2021-10-26 02:31:54 +03:00
|
|
|
sslCertificate = config.secrets."ataraxiadev.com.pem".decrypted;
|
|
|
|
|
sslCertificateKey = config.secrets."ataraxiadev.com.key".decrypted;
|
|
|
|
|
sslTrustedCertificate = config.secrets."origin-pull-ca.pem".decrypted;
|
2021-10-25 23:20:08 +03:00
|
|
|
};
|
|
|
|
|
in {
|
|
|
|
|
"ataraxiadev.com" = {
|
|
|
|
|
default = true;
|
|
|
|
|
locations."/" = {
|
|
|
|
|
root = "/var/lib/ataraxiadev.com";
|
|
|
|
|
};
|
|
|
|
|
locations."/.well-known" = {
|
|
|
|
|
proxyPass = "http://localhost:13748";
|
|
|
|
|
};
|
|
|
|
|
locations."/_matrix" = {
|
|
|
|
|
proxyPass = "http://localhost:13748";
|
|
|
|
|
};
|
|
|
|
|
} // default;
|
|
|
|
|
"matrix.ataraxiadev.com" = {
|
|
|
|
|
locations."/" = {
|
|
|
|
|
proxyPass = "http://localhost:13748";
|
|
|
|
|
};
|
2021-10-27 14:25:26 +03:00
|
|
|
locations."/mautrix-telegram/" = {
|
|
|
|
|
proxyPass = "http://localhost:29317";
|
|
|
|
|
};
|
2021-10-25 23:20:08 +03:00
|
|
|
} // default;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}
|
