From 6da20940a32c6cbd01ae7c6088f620147195631b Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Tue, 3 Aug 2021 16:56:50 +0000
Subject: [PATCH] Add an NGINX reverse proxy in front

---
 morph/lib/customize-issuer.nix | 27 ++++++++++++++++++++++++++-
 morph/lib/issuer.nix           |  3 ++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/morph/lib/customize-issuer.nix b/morph/lib/customize-issuer.nix
index 1c0d668f..896580d3 100644
--- a/morph/lib/customize-issuer.nix
+++ b/morph/lib/customize-issuer.nix
@@ -86,8 +86,33 @@
   };
 
   services.private-storage-issuer = {
-    inherit letsEncryptAdminEmail allowedChargeOrigins;
+    inherit allowedChargeOrigins;
     domains = issuerDomains;
+    # Arbitrary non-priviledged port:
+    httpPort = 1061;
+  };
+
+  # nginx reverse proxy
+  security.acme.email = letsEncryptAdminEmail;
+  security.acme.acceptTerms = true;
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256:
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+    virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.private-storage-issuer.httpPort}";
+      };
+    };
   };
 
   system.stateVersion = "19.03";
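Review bot: Nothing in this hunk opens 80/443 in the host firewall or pins the issuer to the loopback interface, and `services.nginx` on NixOS does not open firewall ports by itself; if the issuer module previously opened its own TLS port, this change presumably leaves ACME HTTP-01 and the public vhost unreachable until `networking.firewall.allowedTCPPorts = [ 80 443 ];` is added next to `services.nginx`. The plaintext `httpPort = 1061` is only safe if the issuer binds to 127.0.0.1, which this hunk does not show — it is worth confirming and stating in the comment, e.g. `# Plaintext backend; must bind to loopback only, nginx is the sole public entry point.`. The `sslCiphers` comment "Only allow PFS-enabled ciphers with AES256" overstates what the string does: it still admits CBC-mode suites (AES256-SHA*), excludes AES-128-GCM and ChaCha20-Poly1305 for no stated reason, and has no effect on TLS 1.3 suites, which OpenSSL selects separately, so the comment should say `# TLS <=1.2 only: restrict to ECDHE/DHE key exchange with AES-256 (CBC and GCM); TLS 1.3 suites are not affected.` or the list should be tightened to AEAD suites. The vhost is keyed on `hostName.domain` while the issuer still receives `issuerDomains`; if these differ, requests for the issuer's domains will hit nginx's default vhost rather than the proxy.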
diff --git a/morph/lib/issuer.nix b/morph/lib/issuer.nix
index 51046b43..716fe760 100644
--- a/morph/lib/issuer.nix
+++ b/morph/lib/issuer.nix
@@ -50,7 +50,8 @@ rec {
 
   services.private-storage-issuer = {
     enable = true;
-    tls = true;
+    # We'll let NGINX handle TLS termination:
+    tls = false;
     ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
     stripeSecretKeyPath = deployment.secrets.stripe-secret-key.destination;
     database = "SQLite3";
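Review bot: Turning `tls = false` without any accompanying bind-address option means the issuer's correctness now depends on it listening on 127.0.0.1 only, which this hunk does not establish; the comment should record that assumption, e.g. `# We'll let NGINX handle TLS termination; the issuer must listen on loopback only so port 1061 is never reachable in plaintext from the network.`. Because the service now sees plain HTTP from the proxy, any logic that derives the request scheme or client address (redirects, Stripe webhook/origin checks against `allowedChargeOrigins`) presumably needs to honour `X-Forwarded-Proto`/`X-Forwarded-For` from nginx — worth confirming against the issuer's module, which is outside this hunk. The enclosing `services.private-storage-issuer` attribute set continues past the end of the hunk.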
-- 
GitLab