dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: mail server

Browse source
This commit is contained in:
DACHXY 2025-05-05 13:37:38 +08:00
parent 396a4d603d
commit 1e77f204d0
13 changed files with 320 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

129
system/dev/dn-server/nginx.nix
View file

@ -1,16 +1,76 @@
{
config,
lib,
pkgs,
...
}:
let
acmeWebRoot = "/var/www/${config.services.nextcloud.hostName}/html/";
mkProxyHost = (
{
domain,
proxyPass,
ssl ? false,
}:
(
if ssl then
{
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${domain}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${domain}/privkey.pem";
certScript = pkgs.writeShellScriptBin "certbot-nextcloud" ''
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
}
else
{
listen = [
{
addr = "0.0.0.0";
port = 80;
}
];
}
)
// {
locations."/" = {
proxyPass = proxyPass;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${domain}/html";
extraConfig = ''
default_type "text/plain";
'';
};
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
}
);
certScript = pkgs.writeShellScriptBin "genCert" ''
acmeWebRoot="/var/www/$1/html/";
if [ ! -d "$acmeWebRoot" ]; then
mkdir -p "$acmeWebRoot"
fi
REQUESTS_CA_BUNDLE=${../../../system/extra/ca.crt} \
${pkgs.certbot}/bin/certbot certonly --webroot \
--webroot-path ${acmeWebRoot} -v \
-d ${config.services.nextcloud.hostName} \
--webroot-path $acmeWebRoot -v \
-d "$1" \
--server https://ca.net.dn:8443/acme/acme/directory \
-m admin@mail.net.dn
@ -21,17 +81,24 @@ let
hostname = "pre-nextcloud.net.dn";
ip = "10.0.0.130";
};
vaultwarden = {
domain = "bitwarden.net.dn";
};
in
{
environment.systemPackages = [
certScript
];
services.nginx = {
enable = true;
enableReload = true;
virtualHosts = {
# Nextcloud - Server
${config.services.nextcloud.hostName} = {
listen = lib.mkForce [
listen = [
{
addr = "0.0.0.0";
port = 443;
@ -61,46 +128,16 @@ in
'';
};
${pre7780.hostname} = {
listen = [
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "0.0.0.0";
port = 80;
}
];
locations."/" = {
proxyPass = "http://${pre7780.ip}/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
locations."^~ /.well-known/acme-challenge/" = {
root = "/var/www/${pre7780.hostname}/html";
extraConfig = ''
default_type "text/plain";
'';
};
forceSSL = true;
sslCertificate = "/etc/letsencrypt/live/${pre7780.hostname}/fullchain.pem";
sslCertificateKey = "/etc/letsencrypt/live/${pre7780.hostname}/privkey.pem";
extraConfig = ''
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
'';
${pre7780.hostname} = mkProxyHost {
domain = pre7780.hostname;
proxyPass = "http://${pre7780.ip}";
ssl = true;
};
${vaultwarden.domain} = mkProxyHost {
domain = vaultwarden.domain;
proxyPass = "http://127.0.0.1:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}";
ssl = true;
};
};
};