free ourselves from the shackles of openresty
This commit is contained in:
parent
f8de5f317f
commit
b43f36d623
GPG key ID:
DAF5EAF6665839FD
4 changed files with 10 additions and 90 deletions
|
|
@ -38,8 +38,6 @@ in {
|
|||
ssh.enableMoshSupport = true;
|
||||
|
||||
postgres.enable = true;
|
||||
|
||||
redis.enable = true;
|
||||
};
|
||||
|
||||
security.useDoas = true;
|
||||
|
|
|
|||
|
|
@ -16,13 +16,10 @@ in {
|
|||
# actually enables nginx, configures acme,
|
||||
# gzip, optimization, proxy, ssl config,
|
||||
# opens ports, and adds some Headers
|
||||
nginx-config = {
|
||||
enable = true;
|
||||
defaultLuaPackagePath = /var/www/reidlab.online/lua;
|
||||
};
|
||||
nginx-config.enable = true;
|
||||
|
||||
staticSites = {
|
||||
"v2.reidlab.online".dataDir = "/var/www/v2.reidlab.online";
|
||||
"reidlab.online".dataDir = "/var/www/reidlab.online";
|
||||
};
|
||||
|
||||
metrics = {
|
||||
|
|
@ -36,30 +33,12 @@ in {
|
|||
services = {
|
||||
nginx.virtualHosts = {
|
||||
"reidlab.online" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = "/var/www/reidlab.online/public";
|
||||
locations."/f/".extraConfig = ''
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
'';
|
||||
# we should perhaps add something to help with this in staticsites?
|
||||
extraConfig = ''
|
||||
error_page 404 /errors/404.html;
|
||||
error_page 403 /errors/403.html;
|
||||
error_page 500 /errors/500.html;
|
||||
location = /errors/404.html { root /var/www/reidlab.online/public/; internal; }
|
||||
location = /errors/403.html { root /var/www/reidlab.online/public/; internal; }
|
||||
location = /errors/500.html { root /var/www/reidlab.online/public/; internal; }
|
||||
|
||||
location / {
|
||||
try_files $uri @main;
|
||||
}
|
||||
|
||||
location /chat {
|
||||
access_by_lua_file /var/www/reidlab.online/lua/chat.lua;
|
||||
}
|
||||
|
||||
location @main {
|
||||
content_by_lua '
|
||||
require("main").handle_request()
|
||||
';
|
||||
}
|
||||
error_page 404 /404.html;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -5,26 +5,10 @@ let
|
|||
cfg = config.modules.services.nginx-config;
|
||||
in {
|
||||
options.modules.services.nginx-config = {
|
||||
enable = mkEnableOption "enable and configure nginx, a high performance web server";
|
||||
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.openresty;
|
||||
};
|
||||
|
||||
defaultLuaPackagePath = mkOption {
|
||||
type = types.path;
|
||||
default = null;
|
||||
};
|
||||
enable = mkEnableOption "enable and configure nginx, a high performance web server";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
assertions = [
|
||||
{ assertion = cfg.defaultLuaPackagePath != null;
|
||||
description = "The defaultLuaPackagePath property *must* be explicitly specified.";
|
||||
}
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "reidlab325@gmail.com";
|
||||
|
|
@ -34,36 +18,13 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = cfg.package;
|
||||
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedProxySettings = true;
|
||||
|
||||
# TODO: clean this up oh my god like everything here :sob: im vomiting shaking and crying looking at this.
|
||||
commonHttpConfig = let
|
||||
# lua
|
||||
lua-resty-template = pkgs.fetchFromGitHub {
|
||||
owner = "bungle";
|
||||
repo = "lua-resty-template";
|
||||
rev = "v2.0";
|
||||
sha256 = "1gpyjq3ms5ib8xiz6k9z97cjifx9zp1dyjkr58b2s034xksy2vb1";
|
||||
};
|
||||
lua-resty-redis = pkgs.fetchFromGitHub {
|
||||
owner = "openresty";
|
||||
repo = "lua-resty-redis";
|
||||
rev = "v0.29";
|
||||
sha256 = "089ishx4482ybfsv10ig8h3cpsdw6rvgy0w874h1c7m1gk2fd7r9";
|
||||
};
|
||||
lua-resty-websocket = pkgs.fetchFromGitHub {
|
||||
owner = "openresty";
|
||||
repo = "lua-resty-websocket";
|
||||
rev = "v0.10";
|
||||
sha256 = "0zpprfi5qc3066ab7g7nyr18jwlk3n8y0006maj4nlx38rl24vfh";
|
||||
};
|
||||
|
||||
# cloudflare
|
||||
realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from ${x};");
|
||||
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
|
||||
cfipv4 = fileToList (pkgs.fetchurl {
|
||||
|
|
@ -75,17 +36,15 @@ in {
|
|||
sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
|
||||
});
|
||||
in ''
|
||||
lua_package_path "${toString cfg.defaultLuaPackagePath}/?.lua;;${lua-resty-template}/lib/?.lua;;${lua-resty-redis}/lib/?.lua;;${lua-resty-websocket}/lib/?.lua;;";
|
||||
|
||||
# add hsts header with preloading to https reqeusts
|
||||
# adding this header to http requests is
|
||||
# adding this header to http requests is discouraged
|
||||
map $scheme $hsts_header {
|
||||
https "max-age=31536000; includeSubdomains; preload";
|
||||
}
|
||||
add_header Strict-Transport-Security $hsts_header;
|
||||
|
||||
# Enable CSP for your services.
|
||||
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
|
||||
|
||||
# Minimize information leaked to other domains
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
|
|
|
|||
|
|
@ -1,16 +0,0 @@
|
|||
{ config, lib, pkgs, options, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
cfg = config.modules.services.redis;
|
||||
in {
|
||||
options.modules.services.redis = {
|
||||
enable = mkEnableOption "enable redis, a speedy cache database";
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.redis.servers."" = {
|
||||
enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue