add nginx overlay to overlays.nix

This commit is contained in:
do butterflies cry? 2026-02-16 09:32:40 +10:00
parent f845588d00
commit 3b2e3ddaab
2 changed files with 31 additions and 51 deletions

View file

@ -1,30 +1,13 @@
{
inputs,
pkgs,
...
}: {
nixpkgs.overlays = [
(self: super: {
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
})
inputs.dobutterfliescry-net.overlays.default
];
# simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
{pkgs, ...}: {
services.nginx = {
enable = true;
# XXX: TODO: this should auto use the nginxStable overlay no?
# in wake of CVE-2022-3602/CVE-2022-3786
# package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
# NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
package = pkgs.nginx;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# streamConfig = ''
# server {
@ -43,40 +26,33 @@
enableACME = true;
# kTLS = true; # offload TLS to the linux kernel
};
vault =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
forge =
{
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "${localhost}:3000";
}
// std;
in {
"dobutterfliescry.net" =
{
default = true;
addSSL = true; # not strictly enforced <3
# root = "/var/www/cry";
addSSL = true; # addSSL NOT forceSSL <3
root = "${pkgs.dobutterfliescry-net}/www";
# extraConfig = ''
# error_page 404 /custom_404.html;
# '';
}
// std;
# Route "vault" subdomain to vaultwarden
"vault.imbored.dev" = vault;
# Route "forge" subdomain to forgejo
# TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
"vault.imbored.dev" =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
# "tearforge.net" =
# {
# forceSSL = true;
# extraConfig = ''
# client_max_body_size 512M;
# '';
# locations."/".proxyPass = "${localhost}:3000";
# }
# // std;
# "tearforge.net" = forge;
"forge.dobutterfliescry.net" = forge;
};
};
}

View file

@ -1,5 +1,5 @@
[
(self: super: {
{inputs, ...}: (
self: super: {
angry-oxide = import ../packages/angryoxide {
pkgs = super;
inherit
@ -18,6 +18,10 @@
pkgs = super;
};
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = super.libressl;};
nginx = super.nginx.override {openssl = super.libressl;};
element-desktop = super.element-desktop.overrideAttrs (final: prev: {
desktopItems = [
((builtins.elemAt prev.desktopItems 0).override {
@ -25,5 +29,5 @@
})
];
});
})
]
}
)