Diffstat (limited to 'custom/ymir-nginx.nix')
-rw-r--r--custom/ymir-nginx.nix44
1 files changed, 43 insertions, 1 deletions
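diff --git a/custom/ymir-nginx.nix b/custom/ymir-nginx.nix
index 861b0720..fd7d7e94 100644
--- a/custom/ymir-nginx.nix
+++ b/custom/ymir-nginx.nix
@@ -16,6 +16,18 @@ let
  uwsgi_param SERVER_PORT $server_port;
  uwsgi_param SERVER_NAME $server_name;
  '';
+
+ favicon = builtins.toFile "favicon" ''
+ location = /favicon.ico {
+ root /srv/www/praseodym.org;
+ }
+ '';
+
+ acme = builtins.toFile "acme" ''
+ location /.well-known/acme-challenge {
+ root /srv/www/acme/$host/;
+ }
+ '';
 in {
  services.nginx = {
  enable = true;
@@ -56,11 +68,28 @@ in {
  access_log stderr;
  error_log stderr;
 
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_dhparam /etc/ssl/dhparam.pem;
+
+ server {
+ listen *:80;
+ listen [::]:80;
+ server_name _;
+
+ root /srv/www/praseodym.org;
+ }
+
  server {
  listen *:80;
  listen [::]:80;
  server_name dirty-haskell.org www.dirty-haskell.org;
 
+ include ${favicon};
+ include ${acme};
+
  root /srv/www/dirty-haskell.org;
  }
 
@@ -69,6 +98,9 @@ in {
  listen [::]:443 ssl;
  server_name dirty-haskell.org;
 
+ include ${favicon};
+ include ${acme};
+
  ssl_certificate /etc/nginx/ssl/dirty-haskell.org/fullchain.pem;
  ssl_certificate_key /etc/nginx/ssl/dirty-haskell.org/privkey.pem;
 
@@ -80,6 +112,9 @@ in {
  listen [::]:443 ssl;
  server_name www.dirty-haskell.org;
 
+ include ${favicon};
+ include ${acme};
+
  ssl_certificate /etc/nginx/ssl/www.dirty-haskell.org/fullchain.pem;
  ssl_certificate_key /etc/nginx/ssl/www.dirty-haskell.org/privkey.pem;
 
@@ -88,13 +123,20 @@ in {
 
  server {
  listen *:80;
+ listen *:443 ssl;
  listen [::]:80;
- server_name git.yggdrasil.li www.git.yggdrasil.li;
+ listen [::]:443 ssl;
+ ssl_certificate /etc/nginx/ssl/git.yggdrasil.li/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/git.yggdrasil.li/key.pem;
+ server_name git.yggdrasil.li;
 
  root ${pkgs.cgit}/cgit;
 
  try_files $uri @cgit;
 
+ include ${favicon};
+ include ${acme};
+
  location @cgit {
  include ${uwsgi_params};
  uwsgi_pass unix:/tmp/cgit.sock;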
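Review bot: The added `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (new line 71) keeps TLS 1.0 and 1.1 enabled, both of which are deprecated by RFC 8996. The directive sits outside any `server` block, so it applies to every 443 listener in this file, including the one this commit adds for git.yggdrasil.li. I would narrow it to `ssl_protocols TLSv1.2;`, adding `TLSv1.3` if the deployed nginx/OpenSSL build supports it. Separately, the git.yggdrasil.li block now answers on both port 80 and port 443 from one `server`, so plain-HTTP access to cgit keeps working without a redirect; if that is intentional, a short comment such as `# HTTP kept for ACME challenge and legacy clones` would make it explicit. The nginx configuration string these hunks edit starts and ends outside the visible lines.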