Diffstat (limited to 'hosts/surtr/http')
-rw-r--r--hosts/surtr/http/default.nix5
-rw-r--r--hosts/surtr/http/online.nix29
2 files changed, 30 insertions, 4 deletions
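diff --git a/hosts/surtr/http/default.nix b/hosts/surtr/http/default.nix
index f3a7154e..0e13acf7 100644
--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -2,19 +2,16 @@
 {
  imports = [
  ./webdav
+ ./online.nix
  ];
 
  config = {
  services.nginx = {
  enable = true;
- package = pkgs.nginxQuic;
  recommendedGzipSettings = false;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;
- sslDhparam = config.security.dhparams.params.nginx.path;
  commonHttpConfig = ''
- ssl_ecdh_curve X448:X25519:prime256v1:secp521r1:secp384r1;
-
  log_format main
  '$remote_addr "$remote_user" '
  '"$host" "$request" $status $bytes_sent '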
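Review bot: Removing `sslDhparam` and the `ssl_ecdh_curve` line hands key-exchange selection to `recommendedTlsSettings` and the OpenSSL defaults for every vhost on this host, and nothing in the hunk records that this is intended. A comment above `commonHttpConfig`, for example `# curves and DH params: defaults from recommendedTlsSettings, no host override`, would make that explicit; if `security.dhparams.params.nginx` is still declared elsewhere it is presumably unused now. The same hunk drops `package = pkgs.nginxQuic` while online.nix sets `http3 = true`, so it is worth confirming that the default nginx package on this nixpkgs revision is built with HTTP/3 support. The `commonHttpConfig` string continues past the end of the hunk.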
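diff --git a/hosts/surtr/http/online.nix b/hosts/surtr/http/online.nix
new file mode 100644
index 00000000..daad65d9
--- /dev/null
+++ b/hosts/surtr/http/online.nix
@@ -0,0 +1,29 @@
+{ config, ... }:
+{
+ config = {
+ services.nginx.virtualHosts."online.yggdrasil.li" = {
+ forceSSL = true;
+ kTLS = true;
+ http3 = true;
+ sslCertificate = "/run/credentials/nginx.service/online.yggdrasil.li.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/online.yggdrasil.li.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/online.yggdrasil.li.chain.pem";
+
+ locations."/".extraConfig = ''
+ add_header X-NetworkManager-Status online;
+ add_header Cache-Control "max-age=0, must-revalidate";
+ return 204;
+ '';
+ };
+ security.acme.rfc2136Domains."online.yggdrasil.li" = {
+ restartUnits = ["nginx.service"];
+ };
+ systemd.services.nginx.serviceConfig = {
+ LoadCredential = [
+ "online.yggdrasil.li.key.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/key.pem"
+ "online.yggdrasil.li.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/fullchain.pem"
+ "online.yggdrasil.li.chain.pem:${config.security.acme.certs."online.yggdrasil.li".directory}/chain.pem"
+ ];
+ };
+ };
+}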
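Review bot: The `add_header` lines in `locations."/".extraConfig` replace any `add_header` inherited from the http or server level, since nginx only inherits them when the current level sets none; if a shared snippet adds HSTS or similar, this vhost will stop sending it. Either repeat the headers that matter or say so in a comment, e.g. `# add_header here drops inherited headers; the probe response needs none`. `forceSSL = true` also means a plain-HTTP probe receives the redirect without `X-NetworkManager-Status`, so a comment noting that clients must use the https URL would help. `LoadCredential` copies the key when the unit starts, which is why `restartUnits` (a restart, not a reload) is needed after renewal; that is worth one line next to it.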