{
  lib,
  pkgs,
  config,
  ...
}:
{
  # Declare the age-encrypted settings file for the pages server. Only the
  # encrypted .age blob is referenced here; the service consumes the decrypted
  # file through config.age.secrets."pages-settings-file".path further down.
  # NOTE(review): owner/group/mode are not set, so the secret module's defaults
  # apply. Confirm the codeberg-pages service account can read the decrypted
  # file and that no other local user can.
  age.secrets."pages-settings-file".file = ../../secrets/pages-settings-file.age;

  # Codeberg pages-server, built from a pinned upstream commit and pointed at
  # the forge given in GITEA_ROOT.
  services.codeberg-pages = {
    enable = true;
    # Supply-chain pinning: `rev` is a full commit id, `hash` fixes the fetched
    # source tree and `vendorHash` fixes the vendored dependencies. A change to
    # `rev` or to the local patch requires re-deriving both hashes; never
    # replace them with a placeholder that is left in place.
    # NOTE(review): the patch file name suggests it bumps the lego ACME
    # library; review its contents whenever `rev` is moved.
    package = pkgs.unstable.codeberg-pages.overrideAttrs (_: {
      src = pkgs.fetchFromGitea {
        domain = "codeberg.org";
        owner = "Codeberg";
        repo = "pages-server";
        rev = "831ce3d913015e856351dc4d3fc983ada826ef7e";
        hash = "sha256-Ti9sOppHOaUU72A7Bxyfu4phJUed4m/5e9RyjmVino0=";
      };
      patches = [ ../../packages/codeberg-pages-custom/update-lego.patch ];
      vendorHash = "sha256-MWT51u4rjZB/QcJn91CxpCP+/N+O6gbVWAk+PEQlcUA=";
    });

    # Non-secret settings. Nothing in this attribute set is a credential;
    # presumably the DNS-provider and forge tokens live in `settingsFile`
    # (confirm), which keeps them out of the world-readable Nix store.
    #
    # PORT matches the `default 127.0.0.1:8010` upstream of the nginx stream
    # map defined later in this file.
    #
    # NOTE(review): USE_PROXY_PROTOCOL makes the server take the client address
    # from a PROXY header supplied by its peer. Two things to confirm:
    #   - no bind address is set here, so check which interfaces the listener
    #     on 8010 binds to; only the local nginx should be able to reach it
    #     (the firewall block in this file opens 80 and 443 only);
    #   - the stream `server` on [::]:443 does not enable `proxy_protocol`
    #     towards this upstream, so check whether a header is sent at all and
    #     what address the pages server ends up logging.
    settings = {
      ACME_ACCEPT_TERMS = "true";
      ACME_EMAIL = "julien@malka.sh";
      DNS_PROVIDER = "gandiv5";
      ENABLE_HTTP_SERVER = "false";
      GITEA_ROOT = "https://git.luj.fr";
      PORT = "8010";
      PAGES_DOMAIN = "luj-static.page";
      RAW_DOMAIN = "raw.luj-static.page";
      PAGES_BRANCHES = "pages,main,master";
      USE_PROXY_PROTOCOL = "true";
    };

    # Path of the decrypted age secret declared at the top of this module; the
    # path is passed, not the content, so the secret is not copied into this
    # configuration.
    settingsFile = config.age.secrets."pages-settings-file".path;
  };

  # Inbound TCP ports opened on the host firewall.
  # NOTE(review): within this file the only non-loopback listener is the stream
  # `listen [::]:443`. The nginx default listeners are all on 127.0.0.x and the
  # pages server has ENABLE_HTTP_SERVER = "false". Confirm that something
  # defined elsewhere needs public port 80 (e.g. an HTTP-01 ACME challenge or a
  # redirect vhost); otherwise drop it to keep the exposed surface minimal.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # Default listen addresses applied to nginx virtual hosts. All four are
  # loopback addresses, so the HTTP server is not directly reachable from the
  # network; traffic arrives through the stream proxy configured further down.
  # No ports are given here, so the module's default ports apply (the TLS port
  # is set to 8446 by defaultSSLListenPort in this file).
  #
  # Entries with `proxyProtocol = true` take the client address from a PROXY
  # header written by the connecting peer. Those listeners must stay reachable
  # only from the trusted local proxy, since anything able to connect to them
  # can assert an arbitrary client address.
  services.nginx.defaultListen = [
    {
      # TLS listener fed by the stream proxy; expects a PROXY header.
      addr = "127.0.0.1";
      proxyProtocol = true;
      ssl = true;
    }
    # `ssl` left unset and no PROXY header expected on this address.
    { addr = "127.0.0.2"; }
    {
      # Plain HTTP, no PROXY header.
      addr = "127.0.0.3";
      ssl = false;
    }
    {
      # Plain HTTP with a PROXY header.
      addr = "127.0.0.4";
      ssl = false;
      proxyProtocol = true;
    }
  ];

  # ACME account defaults for certificates issued through security.acme.
  security.acme.acceptTerms = true;
  security.acme.defaults.email = "julien@malka.sh";
  # Force-disable the repository's own nginx option so that the nginx
  # configuration below is the one in effect on this host.
  # NOTE(review): the luj.nginx module is not visible here. If it carries
  # hardening (headers, TLS policy, logging), confirm the equivalent is set
  # below, because mkForce false switches all of it off.
  luj.nginx.enable = lib.mkForce false;
  # nginx in two roles: a stream (layer 4) proxy on port 443 that routes by TLS
  # SNI without terminating TLS, and the HTTP server that terminates TLS for
  # the configured virtual hosts on loopback port 8446.
  services.nginx = {
    enable = true;
    # Take the client address from the PROXY header, but only for connections
    # whose peer is 127.0.0.1. Any local process that can reach a
    # proxy-protocol listener can therefore choose the address nginx logs and
    # applies allow/deny rules to; treat loopback as trusted accordingly.
    appendHttpConfig = ''
      set_real_ip_from 127.0.0.1;
      real_ip_header proxy_protocol;
    '';
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    # Stream configuration, in three parts:
    #   1. a map from the SNI name read by ssl_preread to an upstream: every
    #      attribute name in services.nginx.virtualHosts goes to 127.0.0.1:8447
    #      and anything else to the pages server on 127.0.0.1:8010;
    #   2. a relay on 127.0.0.1:8447 that prepends a PROXY header and forwards
    #      to the nginx TLS listener on 8446;
    #   3. the public listener on [::]:443.
    #
    # NOTE(review): points to confirm.
    #   - The map is built from virtualHosts attribute names only. A vhost that
    #     sets a different serverName, or any serverAliases, is not listed, so
    #     its SNI falls through to the default upstream (the pages server).
    #   - The 443 server forwards without a PROXY header and the 8447 relay
    #     does not accept one, so the header written by the relay appears to
    #     carry the loopback peer address rather than the real client. If so,
    #     access logs and IP-based rules on the vhosts see 127.0.0.1 for every
    #     request.
    #   - `listen [::]:443` names the IPv6 wildcard only, and nginx binds such
    #     a socket IPv6-only unless `ipv6only=off` is given. Check that IPv4
    #     clients are served by something else if they are expected.
    streamConfig = ''
      map $ssl_preread_server_name $sni_upstream {
        hostnames;
        default 127.0.0.1:8010;
      ${lib.concatMapStringsSep "\n" (vhost: "  ${vhost} 127.0.0.1:8447;") (
        lib.attrNames config.services.nginx.virtualHosts
      )}
      }

      server {
        listen 127.0.0.1:8447;
        proxy_pass 127.0.0.1:8446;
        proxy_protocol on;
      }

      server {
        listen [::]:443;
        ssl_preread on;
        proxy_pass $sni_upstream;
      }

    '';

    # TLS port used by the default listeners; it is the target of the 8447
    # relay's proxy_pass above.
    defaultSSLListenPort = 8446;

  };
}