Table of Contents
This recipe shows how to use SelfHostBlocks blocks to serve static web pages using the Nginx reverse proxy with SSL termination.
In this recipe, we’ll assume the pages to serve are found under the /srv/my-website path and will be served under the my-website.example.com fqdn.
let
name = "my-website";
subdomain = name;
domain = "example.com";
fqdn = "${subdomain}.${domain}";
user = "me";
in
We also assume the static web pages are owned and updated by the user named me.
We can create a ZFS dataset with:
shb.zfs.datasets."safe/${name}".path = "/srv/${name}";
Requesting an SSL certificate from Let’s Encrypt is done by adding an entry to
the extraDomains option:
shb.certs.certs.letsencrypt.${domain}.extraDomains = [ fqdn ];
This assumes the shb.certs block has been configured:
shb.certs.certs.letsencrypt.${domain} = {
inherit domain;
group = "nginx";
reloadServices = [ "nginx.service" ];
adminEmail = "admin@${domain}";
};
First, we make the parent directory owned by the user which will upload them and nginx:
systemd.tmpfiles.rules = lib.mkBefore [
"d '/srv/${name}' 0750 ${user} nginx - -"
];
Now, we can setup nginx. The following snippet serves files from the /srv/${name}/ directory.
services.nginx.enable = true;
services.nginx.virtualHosts."skarabox.${domain}" = {
forceSSL = true;
sslCertificate = config.shb.certs.certs.letsencrypt."${domain}".paths.cert;
sslCertificateKey = config.shb.certs.certs.letsencrypt."${domain}".paths.key;
locations."/" = {
root = "/srv/${name}/";
extraConfig = ''
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Cache-Control "max-age=604800, stale-while-revalidate=86400, stale-if-error=86400, must-revalidate, public";
'';
};
};