add aspects/hosts/ configurations

Host-specific NixOS configurations for: - alexandria (server) - io (desktop) - rotterdam (desktop) - trantor (server, aarch64) Each host has a main config file and _hostname/ directory with hardware-configuration and other host-specific modules. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 22:36:50 -03:00 · 2026-02-06 22:36:50 -03:00 · 25c69e3c18
commit 25c69e3c18
parent ad0aa14d14
30 changed files with 1298 additions and 0 deletions
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services on trantor (host = "trantor")
+  localDomains = lib.unique (
+    map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
+  );
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = ../../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+}