feat(wpcarro/website): Support SSL certs for wpcarro.dev r/4264

This has been sloppy for awhile...

While I'm at it modularize some of my Nginx configuration.

Side note: might be time to decouple the Terraform provisioning stuffs from the
NixOS configuration, and this feels *too* tightly coupled.

Change-Id: Ida0da5462d938b956571321a67ba1f026fb0a7de
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5902
Reviewed-by: wpcarro <wpcarro@gmail.com>
Autosubmit: wpcarro <wpcarro@gmail.com>
Tested-by: BuildkiteCI

1 files changed, 45 insertions, 0 deletions

diff --git a/users/wpcarro/nixos/modules/nginx.nix b/users/wpcarro/nixos/modules/nginx.nix
new file mode 100644
index 000000000000..e6cc6b0febab
--- /dev/null
+++ b/users/wpcarro/nixos/modules/nginx.nix
@@ -0,0 +1,45 @@
+# Common configuration for Nginx.
+{ pkgs, ... }:
+
+{
+  config = {
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "wpcarro@gmail.com";
+    };
+
+    services.nginx = {
+      enable = true;
+      enableReload = true;
+
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+
+      # Log errors to journald (i.e. /dev/log) with debug verbosity.
+      logError = "syslog:server=unix:/dev/log debug";
+
+      # for journaldriver
+      commonHttpConfig = ''
+        log_format json_combined escape=json
+        '{'
+            '"remote_addr":"$remote_addr",'
+            '"method":"$request_method",'
+            '"host":"$host",'
+            '"uri":"$request_uri",'
+            '"status":$status,'
+            '"request_size":$request_length,'
+            '"response_size":$body_bytes_sent,'
+            '"response_time":$request_time,'
+            '"referrer":"$http_referer",'
+            '"user_agent":"$http_user_agent"'
+        '}';
+
+        access_log syslog:server=unix:/dev/log,nohostname json_combined;
+      '';
+
+      appendHttpConfig = ''
+        add_header Permissions-Policy "interest-cohort=()";
+      '';
+    };
+  };
+}