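{ config, pkgs, lib, ... }:
let
  # Response headers added to the http{} block and to every generated vhost.
  # $hsts_header comes from the map in appendHttpConfig below, so HSTS is only
  # sent on https requests. The Content-Security-Policy line is kept verbatim
  # from the original file but is commented out and therefore NOT active.
  # NOTE: X-XSS-Protection is a legacy header that current browsers ignore;
  # a Content-Security-Policy is the supported replacement.
  extraConfig = ''
    add_header Strict-Transport-Security $hsts_header;
    #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "same-origin" always;
  '';

  # Settings shared by every generated virtual host: TLS only, HTTP/3 on.
  virtHostCfg = {
    forceSSL = true;
    http3 = true;
    quic = true;
  };

  # Directory-listing snippet used by the download locations below.
  autoIndex = ''
    autoindex on;
    autoindex_exact_size off;
    autoindex_format html;
    autoindex_localtime on;
  '';

  # Expands a compact per-host description into a full
  # services.nginx.virtualHosts entry.
  #
  # Keys understood here:
  #   redirectTo   - name of another vhost; this host becomes a globalRedirect
  #                  to it and, unless overridden, serves that host's certificate.
  #   useACMEHost  - certificate to serve. When neither this nor redirectTo is
  #                  given, an ACME certificate is requested for the host itself.
  #   extraConfig  - host-specific nginx snippet, emitted before the shared headers.
  # All other keys are passed through unchanged. The caller's attributes are
  # merged last, so a host may combine `redirectTo` with its own `useACMEHost`
  # when the redirect target's certificate does not cover this host's name.
  createHost = builtins.mapAttrs (vhostName: vhostCfg:
    with lib;
    let
      mkRedirect =
        if builtins.hasAttr "redirectTo" vhostCfg then {
          useACMEHost = vhostCfg.redirectTo;
          globalRedirect = vhostCfg.redirectTo;
        } else
          optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
            enableACME = true;
          };
      extraCfg =
        if builtins.hasAttr "extraConfig" vhostCfg then {
          extraConfig = ''
            ${vhostCfg.extraConfig}
            ${extraConfig}
          '';
        } else {
          inherit extraConfig;
        };
    in
    virtHostCfg // mkRedirect // extraCfg
      // (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ])
  );
in
{
  networking = {
    hostName = "web02";
    firewall.allowedTCPPorts = [ 80 443 ];
    # 443/udp is required for HTTP/3 (QUIC).
    firewall.allowedUDPPorts = [ 443 ];
  };

  systemd.network.networks."98-eth-default" = {
    address = [ "2a0f:be01:0:100::1312/128" ];
  };

  # Dedicated account for the "lg" PHP-FPM pool. Its home is also the
  # lg.kyouma.net document root and createHome makes the account own it, so
  # PHP code in that pool can write to the directory it is served from.
  # NOTE(review): if the application does not need to write there, consider
  # a separate home so the served tree is read-only for the pool user.
  users.users."lg" = {
    isSystemUser = true;
    createHome = true;
    home = "/var/www/lg.kyouma.net";
    group = "lg";
  };
  users.groups."lg" = {};

  services.phpfpm.pools."lg" = {
    user = "lg";
    settings = {
      # The socket must be owned by the nginx user so fastcgi_pass can connect.
      "listen.owner" = config.services.nginx.user;
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.start_servers" = 2;
      "pm.min_spare_servers" = 2;
      "pm.max_spare_servers" = 5;
      # Worker errors go to stderr and are captured by the pool (journal).
      "php_admin_value[error_log]" = "stderr";
      "php_admin_flag[log_errors]" = true;
      "catch_workers_output" = true;
    };
    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
  };

  services.vnstat.enable = true;

  services.nginx = {
    package = pkgs.nginxQuic;
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    # NOTE: ssl_ciphers only selects TLS <= 1.2 cipher suites; with
    # sslProtocols restricted to TLSv1.3 this list has no effect on what is
    # negotiated (TLS 1.3 suites are configured separately, if at all).
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    sslProtocols = "TLSv1.3";
    # "0" disables the request-body size limit for every vhost on this server.
    clientMaxBodySize = "0";
    appendHttpConfig = ''
      map $scheme $hsts_header {
        https "max-age=31536000; includeSubdomains; preload";
      }
      ${extraConfig}
    '';

    virtualHosts = createHost {
      "miau.zip" = { root = "/var/www/kyouma.net"; };
      "www.miau.zip" = { redirectTo = "miau.zip"; };
      "www.kyouma.net" = { redirectTo = "kyouma.net"; };
      "emily.cat" = { root = "/var/www/emily.cat/_site"; };
      # The redirect target's certificate ("kyouma.net") does not list
      # www.emily.cat as a SAN, while the "emily.cat" certificate below does.
      # Override the certificate so the host does not present a name mismatch;
      # the redirect destination itself is kept as originally configured.
      "www.emily.cat" = { redirectTo = "kyouma.net"; useACMEHost = "emily.cat"; };
      "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };

      # Catch-all server: any Host not matched above gets a 403. It reuses the
      # kyouma.net certificate purely so the listener has something to serve.
      "redirect" = {
        default = true;
        reuseport = true;
        useACMEHost = "kyouma.net";
        extraConfig = ''
          return 403;
        '';
      };

      "cocaine.trade" = {
        root = "/var/www/cocaine.trade";
        extraConfig = ''error_page 404 /404.html;'';
        locations."/" = {
          index = "index.html";
          tryFiles = "$uri $uri.html =404";
        };
        locations."= /".extraConfig = ''rewrite ^ /index.html last;'';
      };

      "files.cocaine.trade" = {
        useACMEHost = "cocaine.trade";
        root = "/mnt/basti/files.cocaine.trade";
        locations."/".extraConfig = autoIndex;
      };

      "kyouma.net" = {
        root = "/var/www/kyouma.net";
        locations = {
          "/ihk/".extraConfig = autoIndex;
          "/vyos/".extraConfig = autoIndex;
          "/3ds/".extraConfig = autoIndex;
        };
      };

      "lg.kyouma.net" = {
        root = "/var/www/lg.kyouma.net";
        useACMEHost = "kyouma.net";
        # Front-controller style: anything that is not a file falls back to
        # index.php with the original query string.
        locations."/".tryFiles = "$uri /$uri /index.php$is_args$args";
        # NOTE(review): there is no `try_files $uri =404;` in this location, so
        # a request whose URI ends in .php is handed to php-fpm even when no such
        # file exists; whether that matters depends on the pool's
        # cgi.fix_pathinfo setting, which is not set here - confirm and add the
        # try_files guard if it is enabled.
        # The 1k buffers are very small: any upstream response header larger
        # than fastcgi_buffer_size will make nginx fail the request.
        locations."~ \\.php$".extraConfig = ''
          fastcgi_split_path_info ^(.+\.php)(/.+)$;
          fastcgi_pass unix:${config.services.phpfpm.pools.lg.socket};
          fastcgi_index index.php;
          fastcgi_buffering on;
          fastcgi_buffer_size 1k;
          fastcgi_buffers 128 1k;
          include ${pkgs.nginxQuic}/conf/fastcgi_params;
          include ${pkgs.nginxQuic}/conf/fastcgi.conf;
        '';
      };
    };
  };

  # Certificates. Each entry's extraDomainNames must list every vhost that
  # selects it through useACMEHost (directly or via redirectTo), otherwise
  # that vhost presents a certificate for the wrong name.
  security.acme = {
    acceptTerms = true;
    defaults = {
      keyType = "ec384";
      email = "noc@kyouma.net";
    };
    certs = {
      "miau.zip" = {
        extraDomainNames = [ "www.miau.zip" "lg.miau.zip" ];
      };
      "kyouma.net" = {
        extraDomainNames = [ "www.kyouma.net" "lg.kyouma.net" ];
      };
      "emily.cat" = {
        extraDomainNames = [ "www.emily.cat" ];
      };
      "cocaine.trade" = {
        extraDomainNames = [ "www.cocaine.trade" "files.cocaine.trade" ];
      };
    };
  };
}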