update/format configuration for jack

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
2026-04-02 11:12:09 +02:00 · 2025-07-16 19:51:05 +02:00
parent 18c8afb616
commit 72e4be86eb
30 changed files with 466 additions and 589 deletions
--- a/server-modules/nginx.nix
+++ b/server-modules/nginx.nix
@@ -1,38 +1,45 @@
-{ config, ... }: {
-  services.nginx = { enable = true; };
-
+# Nginx is a web server that can also be used as a reverse proxy, load balancer, and HTTP cache.
+{config, ...}: let
+  domain = "hadi.diy";
+in {
  security.acme = {
    acceptTerms = true;
    defaults.email = config.var.git.email;
-  };
-
-  security.acme.certs."hadi.diy" = {
-    domain = "hadi.diy";
-    extraDomainNames = [ "*.hadi.diy" ];
-    group = "nginx";
-
-    dnsProvider = "cloudflare";
-    dnsPropagationCheck = true;
-    credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
-  };
-
-  services.nginx.virtualHosts = {
-    "default" = {
-      default = true;
-      locations."/" = { return = 444; };
-    };
-    "*.hadi.diy" = {
-      useACMEHost = "hadi.diy";
-      forceSSL = true;
-      locations."/" = { return = 444; };
-    };
-    "aaaaaa.hadi.diy" = {
-      useACMEHost = "hadi.diy";
-      forceSSL = true;
-      locations."/" = { return = 444; };
+    certs."${domain}" = {
+      domain = "${domain}";
+      extraDomainNames = ["*.${domain}"];
+      group = "nginx";
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      credentialsFile = config.sops.secrets.cloudflare-dns-token.path;
    };
  };

-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 80 443 ];
+  # Return 444 for all requests not matching a used subdomain.
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "default" = {
+        default = true;
+        locations."/" = {return = 444;};
+      };
+      "*.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {return = 444;};
+      };
+      "aaaaaa.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {return = 444;};
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [80 443];
+    allowedUDPPorts = [80 443];
+  };
+
+  sops.secrets.cloudflare-dns-token = {path = "/etc/cloudflare/dnskey.txt";};
 }