feat(wpcarro/website): Support SSL certs for wpcarro.dev

This has been sloppy for awhile... While I'm at it modularize some of my Nginx configuration. Side note: might be time to decouple the Terraform provisioning stuffs from the NixOS configuration, and this feels *too* tightly coupled. Change-Id: Ida0da5462d938b956571321a67ba1f026fb0a7de Reviewed-on: https://cl.tvl.fyi/c/depot/+/5902 Reviewed-by: wpcarro <wpcarro@gmail.com> Autosubmit: wpcarro <wpcarro@gmail.com> Tested-by: BuildkiteCI
2022-06-28 10:32:41 -07:00 · 2022-06-28 10:32:41 -07:00 · 6d99b93f1a
commit 6d99b93f1a
parent ab1984c8ac
5 changed files with 74 additions and 37 deletions
--- a/users/wpcarro/nixos/modules/.skip-subtree
+++ b/users/wpcarro/nixos/modules/.skip-subtree
@ -0,0 +1 @@
+NixOS modules are not readTree compatible.
--- a/users/wpcarro/nixos/modules/nginx.nix
+++ b/users/wpcarro/nixos/modules/nginx.nix
@ -0,0 +1,45 @@
+# Common configuration for Nginx.
+{ pkgs, ... }:
+
+{
+  config = {
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "wpcarro@gmail.com";
+    };
+
+    services.nginx = {
+      enable = true;
+      enableReload = true;
+
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+
+      # Log errors to journald (i.e. /dev/log) with debug verbosity.
+      logError = "syslog:server=unix:/dev/log debug";
+
+      # for journaldriver
+      commonHttpConfig = ''
+        log_format json_combined escape=json
+        '{'
+            '"remote_addr":"$remote_addr",'
+            '"method":"$request_method",'
+            '"host":"$host",'
+            '"uri":"$request_uri",'
+            '"status":$status,'
+            '"request_size":$request_length,'
+            '"response_size":$body_bytes_sent,'
+            '"response_time":$request_time,'
+            '"referrer":"$http_referer",'
+            '"user_agent":"$http_user_agent"'
+        '}';
+
+        access_log syslog:server=unix:/dev/log,nohostname json_combined;
+      '';
+
+      appendHttpConfig = ''
+        add_header Permissions-Policy "interest-cohort=()";
+      '';
+    };
+  };
+}
--- a/users/wpcarro/nixos/modules/www/billandhiscomputer.com.nix
+++ b/users/wpcarro/nixos/modules/www/billandhiscomputer.com.nix
@ -0,0 +1,11 @@
+{ pkgs, depot, ... }:
+
+{
+  config = {
+    services.nginx.virtualHosts."billandhiscomputer.com" = {
+      enableACME = true;
+      forceSSL = true;
+      root = depot.users.wpcarro.website.root;
+    };
+  };
+}
--- a/users/wpcarro/nixos/modules/www/wpcarro.dev.nix
+++ b/users/wpcarro/nixos/modules/www/wpcarro.dev.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  config = {
+    services.nginx.virtualHosts."wpcarro.dev" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}