feat: initial amzebs config

2025-11-14 09:30:19 +01:00
parent 9fab06795a
commit 865311bf49
13 changed files with 741 additions and 0 deletions
--- a/hosts/amzebs-01/sites/api.ebs.amz.at.nix
+++ b/hosts/amzebs-01/sites/api.ebs.amz.at.nix
@@ -0,0 +1,37 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.ebs.amz.at" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      # Add deployment SSH key here
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php;
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+
+  # Use HTTP-01 challenge for Let's Encrypt
+  services.nginx.virtualHosts."api.ebs.amz.at".acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";
+}
--- a/hosts/amzebs-01/sites/api.ebs.cloonar.dev.nix
+++ b/hosts/amzebs-01/sites/api.ebs.cloonar.dev.nix
@@ -0,0 +1,37 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.ebs.cloonar.dev" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      # Add deployment SSH key here
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php;
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+
+  # Use HTTP-01 challenge for Let's Encrypt
+  services.nginx.virtualHosts."api.ebs.cloonar.dev".acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";
+}
--- a/hosts/amzebs-01/sites/api.stage.ebs.amz.at.nix
+++ b/hosts/amzebs-01/sites/api.stage.ebs.amz.at.nix
@@ -0,0 +1,37 @@
+{ pkgs, lib, config, ... }:
+{
+  services.webstack.instances."api.stage.ebs.amz.at" = {
+    enableDefaultLocations = false;
+    enableMysql = true;
+    authorizedKeys = [
+      # Add deployment SSH key here
+    ];
+    extraConfig = ''
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-Content-Type-Options "nosniff";
+
+      index index.php;
+
+      charset utf-8;
+
+      error_page 404 /index.php;
+    '';
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+    locations."/robots.txt".extraConfig = ''
+      access_log off;
+      log_not_found off;
+    '';
+
+    locations."/".extraConfig = ''
+      try_files $uri $uri/ /index.php$is_args$args;
+    '';
+    phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
+      enabled ++ [ all.imagick ]);
+  };
+
+  # Use HTTP-01 challenge for Let's Encrypt
+  services.nginx.virtualHosts."api.stage.ebs.amz.at".acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";
+}
--- a/hosts/amzebs-01/sites/default.nix
+++ b/hosts/amzebs-01/sites/default.nix
@@ -0,0 +1,13 @@
+{ ... }: {
+  imports = [
+    # Enabled vhosts (cloonar.dev)
+    ./api.ebs.cloonar.dev.nix
+    ./ebs.cloonar.dev.nix
+
+    # Disabled vhosts (amz.at) - uncomment to enable
+    # ./api.ebs.amz.at.nix
+    # ./api.stage.ebs.amz.at.nix
+    # ./ebs.amz.at.nix
+    # ./stage.ebs.amz.at.nix
+  ];
+}
--- a/hosts/amzebs-01/sites/ebs.amz.at.nix
+++ b/hosts/amzebs-01/sites/ebs.amz.at.nix
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "ebs.amz.at";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    # Use HTTP-01 challenge for Let's Encrypt
+    acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    # React client-side routing support
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html;
+    '';
+
+    # Cache static assets
+    locations."~* \\.(js|jpg|gif|png|webp|css|woff2|svg|ico)$".extraConfig = ''
+      expires 365d;
+      add_header Pragma "public";
+      add_header Cache-Control "public";
+    '';
+
+    # Deny PHP execution
+    locations."~ [^/]\\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode = "770";
+    group = "nginx";
+    openssh.authorizedKeys.keys = [
+      # Add deployment SSH key here
+    ];
+  };
+
+  users.groups.${domain} = {};
+}
--- a/hosts/amzebs-01/sites/ebs.cloonar.dev.nix
+++ b/hosts/amzebs-01/sites/ebs.cloonar.dev.nix
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "ebs.cloonar.dev";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    # Use HTTP-01 challenge for Let's Encrypt
+    acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    # React client-side routing support
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html;
+    '';
+
+    # Cache static assets
+    locations."~* \\.(js|jpg|gif|png|webp|css|woff2|svg|ico)$".extraConfig = ''
+      expires 365d;
+      add_header Pragma "public";
+      add_header Cache-Control "public";
+    '';
+
+    # Deny PHP execution
+    locations."~ [^/]\\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode = "770";
+    group = "nginx";
+    openssh.authorizedKeys.keys = [
+      # Add deployment SSH key here
+    ];
+  };
+
+  users.groups.${domain} = {};
+}
--- a/hosts/amzebs-01/sites/stage.ebs.amz.at.nix
+++ b/hosts/amzebs-01/sites/stage.ebs.amz.at.nix
@@ -0,0 +1,49 @@
+{ pkgs, lib, config, ... }:
+let
+  domain = "stage.ebs.amz.at";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    # Use HTTP-01 challenge for Let's Encrypt
+    acmeRoot = lib.mkForce "/var/lib/acme/acme-challenge";
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    # React client-side routing support
+    locations."/".extraConfig = ''
+      index index.html;
+      try_files $uri $uri/ /index.html;
+    '';
+
+    # Cache static assets
+    locations."~* \\.(js|jpg|gif|png|webp|css|woff2|svg|ico)$".extraConfig = ''
+      expires 365d;
+      add_header Pragma "public";
+      add_header Cache-Control "public";
+    '';
+
+    # Deny PHP execution
+    locations."~ [^/]\\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+
+  users.users."${domain}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode = "770";
+    group = "nginx";
+    openssh.authorizedKeys.keys = [
+      # Add deployment SSH key here
+    ];
+  };
+
+  users.groups.${domain} = {};
+}