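{ config, lib, pkgs, ... }:

let
  # Minimal uwsgi_params file, placed in the store with builtins.toFile and
  # pulled into the cgit vhost via `include`.  PATH_INFO is taken from
  # $document_uri (the URI after nginx normalisation), not from the raw
  # $request_uri.
  uwsgi_params = builtins.toFile "uwsgi_param" ''
    uwsgi_param QUERY_STRING $query_string;
    uwsgi_param REQUEST_METHOD $request_method;
    uwsgi_param CONTENT_TYPE $content_type;
    uwsgi_param CONTENT_LENGTH $content_length;

    uwsgi_param REQUEST_URI $request_uri;
    uwsgi_param PATH_INFO $document_uri;
    uwsgi_param DOCUMENT_ROOT $document_root;
    uwsgi_param SERVER_PROTOCOL $server_protocol;

    uwsgi_param REMOTE_ADDR $remote_addr;
    uwsgi_param REMOTE_PORT $remote_port;
    uwsgi_param SERVER_ADDR $server_addr;
    uwsgi_param SERVER_PORT $server_port;
    uwsgi_param SERVER_NAME $server_name;
  '';

  # Shared favicon location: every vhost serves the one from the default root.
  favicon = builtins.toFile "favicon" ''
    location = /favicon.ico {
      root /srv/www/default;
    }
  '';

  # ACME http-01 challenge location, shared by every vhost.  The root is
  # keyed on $host; nginx rejects malformed Host headers before $host is
  # set, but a per-host directory under /srv/www/acme must exist for each
  # name that is to be validated.
  acme = builtins.toFile "acme" ''
    location /.well-known/acme-challenge {
      root /srv/www/acme/$host/;
    }
  '';
in
{
  services.nginx = {
    enable = true;

    httpConfig = ''
      default_type application/octet-stream;

      log_format main '$remote_addr - $remote_user [$time_local] '
                      '"$request" $status $bytes_sent '
                      '"$http_referer" "$http_user_agent" '
                      '"$gzip_ratio"';

      # NOTE(review): 10m header/body/send timeouts let a slow client hold a
      # connection for a long time; presumably intentional for large file
      # uploads on the files vhost, but worth confirming.
      client_header_timeout 10m;
      client_body_timeout 10m;
      send_timeout 10m;

      connection_pool_size 256;
      client_header_buffer_size 1k;
      large_client_header_buffers 4 2k;
      request_pool_size 4k;

      gzip on;
      gzip_min_length 1100;
      gzip_buffers 4 8k;
      gzip_types text/plain;

      output_buffers 1 32k;
      postpone_output 1460;

      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;

      keepalive_timeout 75 20;
      ignore_invalid_headers on;

      access_log stderr;
      error_log stderr;

      # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.  The
      # nginx version in use is not visible here, so TLSv1.3 is not added.
      ssl_protocols TLSv1.2;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:10m;
      ssl_dhparam /etc/ssl/dhparam.pem;

      # One certificate for every vhost below; presumably a SAN/wildcard cert
      # covering the other names.
      ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem;
      ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem;

      # Catch-all vhost for names not matched below.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;

        server_name _;

        include ${favicon};
        include ${acme};

        root /srv/www/default;
      }

      # Static file hosting.
      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;

        server_name ~^(.*\.)?(f|files)\.(yggdrasil\.li|141\.li|praseodym\.org)$;

        include ${favicon};
        include ${acme};

        root /srv/www/files;
      }

      server {
        listen *:80;
        listen [::]:80;
        listen *:443 ssl;
        listen [::]:443 ssl;

        server_name ~^(.*\.)?dirty-haskell\.org$;

        include ${favicon};
        include ${acme};

        root /srv/www/dirty-haskell.org;
      }

      # cgit: static assets straight from the package, everything else via
      # uwsgi (modifier1 9 = CGI mode).
      server {
        listen *:80;
        listen *:443 ssl;
        listen [::]:80;
        listen [::]:443 ssl;

        server_name ~^(.*\.)?git\.yggdrasil\.li$;

        root ${pkgs.cgit}/cgit;
        try_files $uri @cgit;

        include ${favicon};
        include ${acme};

        location @cgit {
          include ${uwsgi_params};
          # NOTE(review): the socket lives in world-writable /tmp; the uwsgi
          # side that binds it is configured elsewhere, so a move to a
          # dedicated runtime directory has to be done on both sides.
          uwsgi_pass unix:/tmp/cgit.sock;
          uwsgi_modifier1 9;
        }
      }

      # bragi: plain HTTP only serves the ACME challenge and redirects to
      # HTTPS, so the basic-auth credentials below are never sent in clear.
      server {
        listen *:80;
        listen [::]:80;

        server_name ~^(.*\.)?bragi\.(yggdrasil\.li|141\.li)$;

        include ${acme};

        location / {
          return 301 https://$host$request_uri;
        }
      }

      server {
        listen *:443 ssl;
        listen [::]:443 ssl;

        server_name ~^(.*\.)?bragi\.(yggdrasil\.li|141\.li)$;

        include ${acme};

        location / {
          auth_basic "Reverse proxy to bragi";
          auth_basic_user_file /srv/www/bragi/htpasswd;
          proxy_pass http://bragi.asgard.yggdrasil;
          proxy_set_header Host $host;
        }
      }
    '';
  };
}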