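{ lib, config, ... }:

# NixOS module that serves one or more builds of the blog through nginx,
# optionally behind ACME-issued certificates.
#
# Every entry of `services.danilafe-blog.sites` is a package; the code below
# reads two extra attributes from it (assumed from the uses here — confirm
# against the blog derivation):
#   * `host` — the virtual host name nginx answers for
#   * `ssl`  — whether that host should get an ACME certificate
let
  cfg = config.services.danilafe-blog;

  # Whether a site package asks for TLS.
  sslForSite = package: package.ssl;

  # True when at least one configured site wants TLS; gates the ACME block.
  anySsl = lib.any sslForSite cfg.sites;

  # nginx virtual host for one site package. The package's output directory
  # is served directly as the document root.
  virtualHost = package: {
    virtualHosts.${package.host} = lib.mkMerge [
      { root = package; }
      (lib.mkIf (sslForSite package) {
        # addSSL keeps plain HTTP reachable next to HTTPS; switch to forceSSL
        # if HTTP should redirect to HTTPS instead.
        addSSL = true;
        enableACME = true;
        acmeRoot = cfg.challengePath;
      })
    ];
  };

  # systemd override for the per-host ACME service.
  # Workaround for new configuration setting all of /var to be readonly.
  # See https://github.com/NixOS/nixpkgs/issues/139310
  # This widens the service's write sandbox, so it is restricted to the
  # challenge directory alone.
  service = package: {
    "acme-${package.host}".serviceConfig = {
      ReadWritePaths = [ cfg.challengePath ];
    };
  };

  virtualHosts = map virtualHost cfg.sites;
  # Only sites that request TLS have an ACME service to patch.
  services = map service (lib.filter sslForSite cfg.sites);
in
{
  options.services.danilafe-blog = {
    enable = lib.mkEnableOption "Daniel's blog service";

    sites = lib.mkOption {
      type = lib.types.listOf lib.types.package;
      # A list-typed option needs a list default; `{}` would fail the type
      # check the moment the option is read without any definition.
      default = [ ];
      description = "List of versions of this blog that should be enabled.";
    };

    challengePath = lib.mkOption {
      type = lib.types.str;
      description = "The location for ACME challenges.";
    };

    acmeEmail = lib.mkOption {
      type = lib.types.str;
      default = "danila.fedorin@gmail.com";
      description = "Contact e-mail registered with the ACME provider.";
    };
  };

  config.services.nginx = lib.mkIf cfg.enable (lib.mkMerge (virtualHosts ++ [
    {
      # Always enable nginx.
      enable = true;
      recommendedGzipSettings = true;
    }
  ]));

  config.systemd.services = lib.mkIf cfg.enable (lib.mkMerge services);

  config.security.acme = lib.mkIf (cfg.enable && anySsl) {
    # If any site uses SSL, enable ACME and accept terms.
    # NOTE(review): newer nixpkgs moved `email` under `security.acme.defaults`;
    # confirm against the pinned nixpkgs before upgrading.
    email = cfg.acmeEmail;
    acceptTerms = true;
  };
}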