add nginx overlay to overlays.nix

2026-02-16 09:32:40 +10:00 · 2026-02-16 09:32:40 +10:00 · 3b2e3ddaab
commit 3b2e3ddaab
parent f845588d00
2 changed files with 31 additions and 51 deletions
--- a/hosts/butterfly/services/nginx.nix
+++ b/hosts/butterfly/services/nginx.nix
@ -1,30 +1,13 @@
-{
-  inputs,
-  pkgs,
-  ...
-}: {
-  nixpkgs.overlays = [
-    (self: super: {
-      # in wake of CVE-2022-3602/CVE-2022-3786
-      nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
-    })
-    inputs.dobutterfliescry-net.overlays.default
-  ];
-
-  # simple nginx instance to host static construction page
-  # TODO: I want sshd and forgejo's ssh server to both be bound to port 22
-  #       So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
-  #       and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
+{pkgs, ...}: {
  services.nginx = {
    enable = true;
-    # XXX: TODO: this should auto use the nginxStable overlay no?
-    # in wake of CVE-2022-3602/CVE-2022-3786
-    # package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
+    # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
+    package = pkgs.nginx;

-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
+    # recommendedGzipSettings = true;
+    # recommendedOptimisation = true;
+    # recommendedProxySettings = true;
+    # recommendedTlsSettings = true;

    # streamConfig = ''
    #   server {
@ -43,40 +26,33 @@
        enableACME = true;
        # kTLS = true; # offload TLS to the linux kernel
      };
-
-      vault =
-        {
-          forceSSL = true;
-          locations."/".proxyPass = "${localhost}:8222";
-        }
-        // std;
-      forge =
-        {
-          forceSSL = true;
-          extraConfig = ''
-            client_max_body_size 512M;
-          '';
-          locations."/".proxyPass = "${localhost}:3000";
-        }
-        // std;
    in {
      "dobutterfliescry.net" =
        {
          default = true;
-          addSSL = true; # not strictly enforced <3
-          # root = "/var/www/cry";
+          addSSL = true; # addSSL NOT forceSSL <3
          root = "${pkgs.dobutterfliescry-net}/www";
          # extraConfig = ''
          #   error_page 404 /custom_404.html;
          # '';
        }
        // std;
-      # Route "vault" subdomain to vaultwarden
-      "vault.imbored.dev" = vault;
-      # Route "forge" subdomain to forgejo
-      # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
+      "vault.imbored.dev" =
+        {
+          forceSSL = true;
+          locations."/".proxyPass = "${localhost}:8222";
+        }
+        // std;
+      # "tearforge.net" =
+      #   {
+      #     forceSSL = true;
+      #     extraConfig = ''
+      #       client_max_body_size 512M;
+      #     '';
+      #     locations."/".proxyPass = "${localhost}:3000";
+      #   }
+      #   // std;
      # "tearforge.net" = forge;
-      "forge.dobutterfliescry.net" = forge;
    };
  };
 }
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,5 +1,5 @@
-[
-  (self: super: {
+{inputs, ...}: (
+  self: super: {
    angry-oxide = import ../packages/angryoxide {
      pkgs = super;
      inherit
@ -18,6 +18,10 @@
      pkgs = super;
    };

+    # in wake of CVE-2022-3602/CVE-2022-3786
+    nginxStable = super.nginxStable.override {openssl = super.libressl;};
+    nginx = super.nginx.override {openssl = super.libressl;};
+
    element-desktop = super.element-desktop.overrideAttrs (final: prev: {
      desktopItems = [
        ((builtins.elemAt prev.desktopItems 0).override {
@ -25,5 +29,5 @@
        })
      ];
    });
-  })
-]
+  }
+)