24 lines
859 B
Nix
24 lines
859 B
Nix
{ lib, config, ... }:
|
|
let
|
|
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
|
|
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
|
|
add_header Alt-Svc 'h3=":443"';
|
|
'';
|
|
in {
|
|
services.nix-serve = {
|
|
bindAddress = "127.0.0.1";
|
|
enable = true;
|
|
secretKeyFile = "/run/secrets/nix-serve/privkey";
|
|
};
|
|
sops.secrets."services/nix-serve/privkey" = { };
|
|
services.nginx.virtualHosts."cache.int.chir.rs" = {
|
|
listenAddresses = listenIPs;
|
|
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
|
|
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
|
|
locations."/" = {
|
|
proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
extraConfig = listenStatements;
|
|
};
|
|
}
|