forked from the-distro/infra
50 lines
1.6 KiB
Nix
50 lines
1.6 KiB
Nix
{ config, lib, ... }:
|
|
let
|
|
inherit (lib) mkIf;
|
|
cfg = config.bagel.services.gerrit;
|
|
in
|
|
{
|
|
config = mkIf cfg.enable {
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = true;
|
|
appendHttpConfig = ''
|
|
add_header Permissions-Policy "interest-cohort=()";
|
|
'';
|
|
recommendedProxySettings = false;
|
|
commonHttpConfig = ''
|
|
log_format upstream_time '$remote_addr - $remote_user [$time_local] '
|
|
'"$request" $status $body_bytes_sent '
|
|
'"$http_referer" "$http_user_agent"'
|
|
'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
|
|
'';
|
|
};
|
|
services.nginx.virtualHosts.gerrit = {
|
|
serverName = builtins.head cfg.domains;
|
|
serverAliases = builtins.tail cfg.domains;
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
extraConfig = ''
|
|
access_log /var/log/nginx/gerrit-access.log upstream_time;
|
|
|
|
location / {
|
|
proxy_pass http://localhost:4778;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
# The :443 suffix is a workaround for https://b.tvl.fyi/issues/88.
|
|
proxy_set_header Host $host:443;
|
|
# Gerrit can throw a lot of data.
|
|
proxy_buffering on;
|
|
# NGINX should not give up super fast. Things can take time.
|
|
proxy_read_timeout 3600;
|
|
}
|
|
|
|
location = /robots.txt {
|
|
return 200 'User-agent: *\nAllow: /';
|
|
}
|
|
'';
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
|
};
|
|
}
|