Initial commit

server-modules/nginx.nix

@@ -0,0 +1,45 @@
+# Nginx is a web server that can also be used as a reverse proxy, load balancer, and HTTP cache.
+{config, ...}: let
+  domain = "hadi.diy";
+in {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = config.var.git.email;
+    certs."${domain}" = {
+      domain = "${domain}";
+      extraDomainNames = ["*.${domain}"];
+      group = "nginx";
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
+    };
+  };
+
+  # Return 444 for all requests not matching a used subdomain.
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "default" = {
+        default = true;
+        locations."/" = {return = 444;};
+      };
+      "*.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {return = 444;};
+      };
+      "aaaaaa.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {return = 444;};
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [80 443];
+    allowedUDPPorts = [80 443];
+  };
+
+  sops.secrets.cloudflare-dns-token = {path = "/etc/cloudflare/dnskey.txt";};
+}