From 58dd4440eaf6be9d260809b9dcb361d1f46f2abb Mon Sep 17 00:00:00 2001
From: Irene Knapp
Date: Thu, 31 Jul 2025 15:25:21 -0700
Subject: try to spin up haproxy, nginx, and an ACME client

no login/ACL stuff yet

Change-Id: If6eeaed671b2711dc809e94ea00bc6387dcae2f4
---
 services/frontend/web-server.nix | 41 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 services/frontend/web-server.nix
(limited to 'services/frontend/web-server.nix')

diff --git a/services/frontend/web-server.nix b/services/frontend/web-server.nix
new file mode 100644
index 0000000..b9fa868
--- /dev/null
+++ b/services/frontend/web-server.nix
@@ -0,0 +1,41 @@
+{ config, ... }:
+
+{
+  # At present, the only thing we serve via nginx is the responses to ACME
+  # challenges, so that's the only thing configured. This interacts closely
+  # with the config in services/frontend/haproxy.nix, in that nginx is behind
+  # HAProxy and relies on HAProxy to route traffic to it, while HAProxy relies
+  # on nginx to handle the ACME stuff.
+  #
+  # This separated-out behavior is fiddly to set up the first time, but I have
+  # found it to be highly reliable once created.
+  services.nginx = {
+    enable = true;
+
+    group = "frontend";
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      ${config.smalltech.domain} = {
+        serverName = config.smalltech.domain;
+
+        listen = [
+          {
+            addr = "127.0.0.1";
+            port = 3080;
+          }
+        ];
+
+        locations."/.well-known/acme-challenge" = {
+          root = "/var/lib/acme/acme-challenge";
+          extraConfig = ''
+            auth_basic off;
+          '';
+        };
+      };
+    };
+  };
+}
--
cgit 1.4.1
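Review bot: The coupling that makes the ACME location work is not stated anywhere in the file: `root = "/var/lib/acme/acme-challenge"` has to agree with the `webroot` of the `security.acme` certificate, which is not part of this hunk (the cgit view is limited to this one file, so it may live elsewhere in the commit), and `group = "frontend"` presumably exists so nginx can read the challenge files written there; a comment on the `root` line such as `# must equal security.acme.certs.<name>.webroot; nginx's group needs read access to this directory` would spare the next reader the search. The loopback-only `listen` on 127.0.0.1:3080 is the right shape for a backend that only HAProxy should reach, but it also means nginx's access log records 127.0.0.1 as the client for every request, so if those logs are ever used for troubleshooting or monitoring, HAProxy needs to forward the original address and nginx should trust that header from loopback only. `serverName = config.smalltech.domain;` is redundant, since NixOS already uses the virtualHosts attribute name as the server name when `serverName` is left unset.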