30 lines
958 B
Nix
30 lines
958 B
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
# WARNING: this ends up world-readable in the Nix store if you inline it.
|
|
# For production, use agenix or pass through systemd credentials
|
|
cloudflareEnv = pkgs.writeText "cloudflare-acme.env" ''
|
|
CLOUDFLARE_DNS_API_TOKEN=umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
|
|
'';
|
|
in
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
|
|
# These defaults are inherited by security.acme.certs.* unless overridden. :contentReference[oaicite:0]{index=0}
|
|
defaults = {
|
|
email = "admin@symbiotrip.com";
|
|
dnsProvider = "cloudflare"; # :contentReference[oaicite:1]{index=1}
|
|
environmentFile = cloudflareEnv; # :contentReference[oaicite:2]{index=2}
|
|
};
|
|
};
|
|
}
|