- services.httpd = let
- withSSL = domain: {
- enableSSL = true;
- sslServerCert = "/var/lib/acme/${domain}/full.pem"; # FIXME: cert only?
- sslServerKey = "/var/lib/acme/${domain}/key.pem";
- sslServerChain = "/var/lib/acme/${domain}/fullchain.pem";
- };
- in rec {
- enable = true;
- logPerVirtualHost = true;
- multiProcessingModule = "worker";
- adminAddr = "httpd@immae.eu";
- extraModules = [
- "proxy_fcgi" # for PHP
- ];
- virtualHosts = [
- (withSSL "eldiron" // {
- listen = [ { ip = "*"; port = 443; } ];
- hostName = "eldiron.immae.eu";
- # FIXME: directory needs to exist
- documentRoot = "/var/www";
- })
- (withSSL "eldiron" // {
- listen = [ { ip = "*"; port = 443; } ];
- hostName = "db-1.immae.eu";
- documentRoot = null;
- extraConfig = ''
- Alias /adminer ${mypkgs.adminer}
- <Directory ${mypkgs.adminer}>
- DirectoryIndex = index.php
- <FilesMatch "\.php$">
- SetHandler "proxy:unix:/var/run/phpfpm/adminer.sock|fcgi://localhost"
- </FilesMatch>
- </Directory>
- '';
- })
- { # Should go last, default fallback
- listen = [ { ip = "*"; port = 80; } ];
- hostName = "redirectSSL";
- serverAliases = [ "*" ];
- enableSSL = false;
- # FIXME: directory needs to exist
- documentRoot = "/var/lib/acme/acme-challenge";
- extraConfig = ''
- RewriteEngine on
- RewriteCond "%{REQUEST_URI}" "!^/\.well-known"
- RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R=301]
- # To redirect in specific "VirtualHost *:80", do
- # RedirectMatch 301 ^/((?!\.well-known.*$).*)$ https://host/$1
- # rather than rewrite
- '';
- }
- ];
- };