To host anything online nowadays you need a couple of things: a domain, and a web server that handles the different domains/subdomains and their HTTP(S) requests and takes care of the TLS certificates.
Here we will use nginx. Caddy is also an option (so is Apache, etc.) and it automates TLS out of the box, but before moving to NixOS I was using nginx, so I am more familiar with its syntax.
We will put the following at the root of our own modules/server/ folder, since it is the aggregation point for all the services that follow.
nix declaration
Make a default.nix at <PATH-TO-NIX-CONFIG>/modules/server
$ touch <PATH-TO-NIX-CONFIG>/modules/server/default.nix
(or use the file explorer of your choice)
configuration
Open default.nix in any text editor and copy in the following:
{
  imports = [
    # ... all the services will go here
  ];
  services = {
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
    };
    sshguard.enable = true;
    openssh = {
      enable = true;
      settings = {
        # PermitRootLogin takes a string ("no", "yes", "prohibit-password", ...), not a boolean
        PermitRootLogin = "no";
        PasswordAuthentication = false;
        AllowTcpForwarding = false;
        X11Forwarding = false;
      };
    };
  };
  networking = {
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "<YOUR-EMAIL>";
  };
}
and you're done.
Let’s break the config file down.
explanation
- We declare nginx as enabled and set it to use the recommended options (gzip, general optimisations, sane reverse-proxy headers and a modern TLS protocol/cipher configuration).
- We enable sshguard, which watches the authentication log and temporarily firewalls addresses that repeatedly fail to log in, protecting the host from brute-force attacks among other things.
- We enable openssh so that we can access the server via SSH, but configure it so that nobody can log in with a password, and root login is disabled. Note that the openssh module opens port 22 in the firewall by default (services.openssh.openFirewall), which is why 22 is not listed under allowedTCPPorts.
- We open ports 80 (HTTP) and 443 (HTTPS) to the internet.
- We set up the acme service, which fetches TLS certificates from Let's Encrypt. Getting certificates requires accepting the terms of service and providing an email for communication, so we accept the terms and give an email. On its own this block issues no certificate: certificates are requested per nginx virtual host once that host sets enableACME = true.
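As an added example (not part of the original post), here is what a service module that plugs into the nginx/acme settings above looks like. The file name myapp.nix, the host name myapp.example.com and the backend port 8080 are placeholders I chose for illustration; it assumes the default.nix from this section is in place and that the module is listed in its imports.

```nix
# modules/server/myapp.nix (hypothetical file name): one reverse-proxied
# service built on the nginx/acme settings from default.nix.
# "myapp.example.com" and port 8080 are placeholders, not values from the post.
{ config, lib, pkgs, ... }:

{
  services.nginx.virtualHosts = {
    # Catch-all for requests whose Host header matches no virtual host: close
    # the connection (nginx's non-standard 444) instead of accidentally serving
    # whichever vhost nginx picks first.
    "_" = {
      default = true;
      locations."/".return = "444";
    };

    "myapp.example.com" = {
      # Ask the acme module for a Let's Encrypt certificate for this name
      # (it uses security.acme.acceptTerms / defaults.email from default.nix
      # and answers the HTTP-01 challenge through this nginx instance).
      enableACME = true;
      # Listen on 443 and redirect all plain-HTTP requests to HTTPS.
      forceSSL = true;
      locations."/" = {
        # The backend binds to loopback only, so it is reachable solely via nginx.
        proxyPass = "http://127.0.0.1:8080";
        # recommendedProxySettings already forwards Host and X-Forwarded-* headers.
      };
      extraConfig = ''
        # recommendedTlsSettings does not add HSTS; enable it per host.
        add_header Strict-Transport-Security "max-age=31536000" always;
      '';
    };
  };
}
```

Add `./myapp.nix` to the imports list in default.nix and rebuild; the certificate is obtained on activation, and from then on the renewal timer described below keeps it current. The catch-all host is optional but cheap insurance against scanners hitting the IP directly.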
Before you enable the openssh config as is, make sure you have an authorized key on your user, otherwise you can be locked out of your machine. Once the new config is active, test a key-based login from a second terminal before closing the session you already have. To set an SSH authorized key, add this to your user config:
users = {
  users = {
    <YOUR-USER> = {
      # ...
      openssh.authorizedKeys.keys = [
        "<YOUR-KEY-1>"
        "<YOUR-KEY-2>"
        # ...
      ];
      # ...
    };
  };
};
By default NixOS runs a daily systemd timer that renews the Let's Encrypt TLS certificates (the run is a no-op until a certificate is close to expiry), so we don't need to worry about it.
Now we can start adding services.