From ecb9d23d4cb805fa84119482fe712f5191f3783c Mon Sep 17 00:00:00 2001 From: Andrey Golovizin Date: Tue, 10 Mar 2020 15:09:51 +0100 Subject: [PATCH] Include nginx config in the NixOS service Static files are now served with nginx. --- module.nix | 55 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 43 insertions(+), 12 deletions(-) diff --git a/module.nix b/module.nix index e993089..70c4119 100644 --- a/module.nix +++ b/module.nix @@ -8,6 +8,15 @@ let cfg = config.services.strojnadzor; + hsts = '' + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; + ''; + + static = pkgs.runCommand "static" {} '' + export STROJNADZOR_STATIC_ROOT="$out" + ${strojnadzor}/bin/strojnadzor-admin collectstatic + ''; + in { 
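Review bot: The `hsts` binding sends `includeSubDomains; preload` with a one-year max-age, which is hard to walk back once a domain is submitted to a browser preload list and also covers subdomains this module does not serve; a comment on the binding should state that this is intended for every name in the vhost. The header is emitted without nginx's `always` parameter, so error responses go out without it; `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` covers those as well. nginx inherits `add_header` from the server level only into blocks that declare none of their own, so any location that later adds a header must append `hsts` again or it silently loses HSTS.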
@@ -56,18 +65,40 @@ in "d '${cfg.stateDir}/data' - strojnadzor strojnadzor - -" ]; - systemd.services.strojnadzor = - { - description = "Strojnadzor HTTP server."; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "strojnadzor"; - Group = "strojnadzor"; - ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate"; - ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn --bind ${cfg.hostname}:${toString cfg.port}"; - }; - environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}/data"; + systemd.services.strojnadzor = { + description = "Strojnadzor HTTP server."; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "strojnadzor"; + Group = "strojnadzor"; + ExecStartPre = "${strojnadzor}/bin/strojnadzor-admin migrate"; + ExecStart = "${strojnadzor}/bin/strojnadzor-admin runserver-gunicorn --bind ${cfg.hostname}:${toString cfg.port}"; }; + environment.STROJNADZOR_DATA_DIR = "${cfg.stateDir}/data"; + environment.STROJNADZOR_STATIC_DIR = "${static}/static"; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "golovizin.ru" = { + serverAliases = [ "www.golovizin.ru" "xn--b1abndboscb.xn--p1ai" "www.xn--b1abndboscb.xn--p1ai" ]; + forceSSL = true; + enableACME = true; + extraConfig = hsts + '' + gzip off; + ''; + locations."/static/".alias = "${static}/"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + ''; + }; + }; + }; + }; }; }
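Review bot: gunicorn still binds to `${cfg.hostname}` while the new `proxyPass` targets `http://127.0.0.1:${toString cfg.port}`, so unless `cfg.hostname` is a loopback address the backend is either reachable directly over plain HTTP, bypassing the TLS and HSTS enforced in the vhost, or is not listening where nginx looks for it. The option's default is outside this hunk; if nginx is meant to be the only entry point, bind with `--bind 127.0.0.1:${toString cfg.port}` or add an assertion that the option is loopback. The `/` location forwards `Host` and `X-Forwarded-For` but not the scheme, so if the application derives secure-cookie or redirect behaviour from it (not visible here), add `proxy_set_header X-Forwarded-Proto $scheme;`. A one-line comment on `gzip off;` saying why compression is disabled would stop it being re-enabled by accident.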