Add Nginx and pict-rs configurations for enhanced web service management

Introduced separate configuration files for Nginx and pict-rs, enabling a streamlined setup for web services. The Nginx configuration includes reverse proxy settings, automatic SSL certificate generation with Let's Encrypt, and fail2ban for security. The pict-rs configuration facilitates image service management with CORS support. Updated the shared configuration to import these new files, improving modularity and maintainability of the NixOS setup.
2025-10-08 17:19:39 +02:00 · 2025-10-08 17:19:39 +02:00 · ef87fc5906
commit ef87fc5906
parent 667912e732
3 changed files with 101 additions and 42 deletions
--- a/config/shared.nix
+++ b/config/shared.nix
@ -1,6 +1,11 @@
 { config, pkgs, domain, ... }:

 {
+  imports = [
+    ./nginx.nix
+    ./pict-rs.nix
+  ];
+
  # Set hostname (passed as parameter)
  networking.hostName = domain;

@ -14,18 +19,12 @@
  # Enable SSH
  services.openssh.enable = true;

-  # Enable and configure nginx
-  services.nginx = {
-    enable = true;
-
-    # Recommended settings
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = false;  # DISABLED - was interfering with WebSocket
-    recommendedTlsSettings = true;
-
+  # Configure domain-specific virtual hosts
+  services.nginx.virtualHosts = {
    # Web-app service
-    virtualHosts."app.${domain}" = {
+    "app.${domain}" = {
+      forceSSL = true;
+      enableACME = true;
      root = "/var/src/web-app-dist";
      locations."/" = {
        index = "index.html";
@ -33,42 +32,15 @@
      };
    };

-    # LNbits service (example - adjust as needed)
-    virtualHosts."lnbits.${domain}" = {
+    # LNbits service (adjust port as needed)
+    "lnbits.${domain}" = {
+      forceSSL = true;
+      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:5000";
        proxyWebsockets = true;
      };
    };
-
-    # Image service (example - adjust as needed)
-    virtualHosts."img.${domain}" = {
-      locations."/" = {
-        proxyPass = "http://localhost:8080";
-      };
-    };
-  };
-
-  # Enable automatic SSL certificate generation with Let's Encrypt
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "admin@aiolabs.dev";
-  };
-
-  # Open firewall for HTTP/HTTPS
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  # Enable fail2ban for additional security
-  services.fail2ban = {
-    enable = true;
-    jails = {
-      nginx-http-auth.settings = {
-        enabled = true;
-        filter = "nginx-http-auth";
-        logpath = "/var/log/nginx/error.log";
-        backend = "systemd";
-      };
-    };
  };

  # NixOS release version