add nginx overlay to overlays.nix

do butterflies cry? 2026-02-16 09:32:40 +10:00
parent 31652ad177
commit 93faff7d9e
2 changed files with 31 additions and 51 deletions


@ -1,30 +1,13 @@
{ {pkgs, ...}: {
inputs,
pkgs,
...
}: {
nixpkgs.overlays = [
(self: super: {
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
})
inputs.dobutterfliescry-net.overlays.default
];
# simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
services.nginx = { services.nginx = {
enable = true; enable = true;
# XXX: TODO: this should auto use the nginxStable overlay no? # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
# in wake of CVE-2022-3602/CVE-2022-3786 package = pkgs.nginx;
# package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
recommendedGzipSettings = true; # recommendedGzipSettings = true;
recommendedOptimisation = true; # recommendedOptimisation = true;
recommendedProxySettings = true; # recommendedProxySettings = true;
recommendedTlsSettings = true; # recommendedTlsSettings = true;
# streamConfig = '' # streamConfig = ''
# server { # server {
@ -43,40 +26,33 @@
enableACME = true; enableACME = true;
# kTLS = true; # offload TLS to the linux kernel # kTLS = true; # offload TLS to the linux kernel
}; };
vault =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
forge =
{
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "${localhost}:3000";
}
// std;
in { in {
"dobutterfliescry.net" = "dobutterfliescry.net" =
{ {
default = true; default = true;
addSSL = true; # not strictly enforced <3 addSSL = true; # addSSL NOT forceSSL <3
# root = "/var/www/cry";
root = "${pkgs.dobutterfliescry-net}/www"; root = "${pkgs.dobutterfliescry-net}/www";
# extraConfig = '' # extraConfig = ''
# error_page 404 /custom_404.html; # error_page 404 /custom_404.html;
# ''; # '';
} }
// std; // std;
# Route "vault" subdomain to vaultwarden "vault.imbored.dev" =
"vault.imbored.dev" = vault; {
# Route "forge" subdomain to forgejo forceSSL = true;
# TODO: use `forgejo.settings.server.ENABLE_ACME` instead? locations."/".proxyPass = "${localhost}:8222";
}
// std;
# "tearforge.net" =
# {
# forceSSL = true;
# extraConfig = ''
# client_max_body_size 512M;
# '';
# locations."/".proxyPass = "${localhost}:3000";
# }
# // std;
# "tearforge.net" = forge; # "tearforge.net" = forge;
"forge.dobutterfliescry.net" = forge;
}; };
}; };
} }
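Review bot: The four `recommended*Settings` options near the top of `services.nginx` appear commented out on the new side, which drops hardening that the remaining vhosts rely on. Without `recommendedTlsSettings = true;` the module's recommended TLS block is no longer emitted. Without `recommendedProxySettings = true;` the `vault.imbored.dev` proxy to `${localhost}:8222` most likely stops forwarding the client address and scheme headers, so the backend would log every request as coming from loopback. If these were disabled only to debug the LibreSSL build, re-enable at least those two before deploying. The new comment is also inaccurate, since the service uses `pkgs.nginx` rather than `nginxStable`; something like `# NOTE: pkgs.nginx is rebuilt against libressl in overlays.nix (CVE-2022-3602/CVE-2022-3786)` would match the code. The definitions of `std` and `localhost` lie outside the visible hunks.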


@ -1,5 +1,5 @@
[ {inputs, ...}: (
(self: super: { self: super: {
angry-oxide = import ../packages/angryoxide { angry-oxide = import ../packages/angryoxide {
pkgs = super; pkgs = super;
inherit inherit
@ -18,6 +18,10 @@
pkgs = super; pkgs = super;
}; };
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = super.libressl;};
nginx = super.nginx.override {openssl = super.libressl;};
element-desktop = super.element-desktop.overrideAttrs (final: prev: { element-desktop = super.element-desktop.overrideAttrs (final: prev: {
desktopItems = [ desktopItems = [
((builtins.elemAt prev.desktopItems 0).override { ((builtins.elemAt prev.desktopItems 0).override {
@ -25,5 +29,5 @@
}) })
]; ];
}); });
}) }
] )
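Review bot: The comment above the two `override {openssl = super.libressl;}` lines names the CVEs but not whether the swap is still needed or when it can be removed. CVE-2022-3602 and CVE-2022-3786 were fixed upstream in OpenSSL 3.0.7, so a reader cannot tell if this is a live mitigation or a standing preference for LibreSSL. I would record that in the comment, e.g. `# nginx built against libressl since CVE-2022-3602/CVE-2022-3786 (fixed upstream in OpenSSL 3.0.7); revisit whether this override is still wanted`. The override also means nginx's TLS patch level now follows the `libressl` package rather than `openssl`, which is worth stating for whoever handles the next TLS advisory. The overlay body continues outside the visible hunks, and the file's change from a list to a `{inputs, ...}:` function relies on callers that are not shown here.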