huge cleanup
This commit is contained in:
Lennart J. Kurzweg (Nx2)
@@ -1,4 +1,4 @@
|
||||
{ config, pkgs, lib, user, ... }:
|
||||
{ config, pkgs, lib, domain, ... }:
|
||||
{
|
||||
sops.secrets = {
|
||||
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
|
||||
@@ -8,13 +8,13 @@
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults = {
|
||||
email = "acme@nx2.site";
|
||||
email = "acme@${domain}";
|
||||
webroot = "/var/nginx/webroot";
|
||||
group = "nginx";
|
||||
};
|
||||
certs = {
|
||||
"nx2.site" = {
|
||||
extraDomainNames = [ "git.nx2.site" "pw.nx2.site" ];
|
||||
"${domain}" = {
|
||||
extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "git2" "pw" "pw2" "sync" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
@@ -29,40 +29,28 @@
|
||||
isNormalUser = false;
|
||||
};
|
||||
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
|
||||
services.nginx = {
|
||||
services.nginx = let
|
||||
dl = [
|
||||
{ addr = "0.0.0.0"; port = 443; ssl = true; }
|
||||
{ addr = "0.0.0.0"; port = 80; ssl = false; }
|
||||
{ addr = "[::0]"; port = 443; ssl = true; }
|
||||
{ addr = "[::0]"; port = 80; ssl = false; }
|
||||
];
|
||||
in {
|
||||
enable = true;
|
||||
user = "nginx";
|
||||
group = "nginx";
|
||||
additionalModules = [];
|
||||
# appendConfig = '''';
|
||||
clientMaxBodySize = "20m";
|
||||
|
||||
defaultHTTPListenPort = 80;
|
||||
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
|
||||
defaultListen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
ssl = true;
|
||||
port = 443;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
ssl = true;
|
||||
port = 443;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
];
|
||||
defaultListen = dl;
|
||||
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
|
||||
defaultSSLListenPort = 443;
|
||||
enableQuicBPF = true;
|
||||
enableReload = true;
|
||||
# eventsConfig = '''';
|
||||
# logError = ;
|
||||
# mapHashBucketSize = ;
|
||||
# mapHashMaxSize = ;
|
||||
package = pkgs.nginxQuic;
|
||||
# preStart = true;
|
||||
proxyResolveWhileRunning = false;
|
||||
proxyTimeout = "20s";
|
||||
recommendedBrotliSettings = true;
|
||||
@@ -72,27 +60,12 @@
|
||||
recommendedTlsSettings = true;
|
||||
recommendedZstdSettings = true;
|
||||
serverTokens = false;
|
||||
# sslCiphers = # useing default;
|
||||
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
|
||||
sslProtocols = "TLSv1.2 TLSv1.3";
|
||||
statusPage = false;
|
||||
streamConfig = ""; # udp config
|
||||
validateConfigFile = true;
|
||||
upstreams = {
|
||||
"staticweb".servers = { "staticweb.docker:80" = {}; };
|
||||
"matrix".servers = { "matrix.docker:80" = {}; };
|
||||
"matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
|
||||
"pw".servers = { "pw.docker:80" = {}; };
|
||||
"git".servers = { "git.docker:3000" = {}; };
|
||||
"nn".servers = { "nn.docker:80" = {}; };
|
||||
"llm".servers = { "llm.docker:80" = {}; };
|
||||
"share".servers = { "share.docker:80" = {}; };
|
||||
|
||||
"sync".servers = { "localhost:8384" = {}; };
|
||||
};
|
||||
virtualHosts = let
|
||||
# sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
|
||||
# sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
|
||||
vh = {
|
||||
kTLS = true;
|
||||
http2 = true;
|
||||
@@ -102,21 +75,13 @@
|
||||
addSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
dl = [
|
||||
{ addr = "0.0.0.0"; port = 443; ssl = true; }
|
||||
{ addr = "0.0.0.0"; port = 80; ssl = false; }
|
||||
{ addr = "[::0]"; port = 443; ssl = true; }
|
||||
{ addr = "[::0]"; port = 80; ssl = false; }
|
||||
];
|
||||
in {
|
||||
"nx2.site" = vh // {
|
||||
"${domain}" = vh // {
|
||||
root = "/var/nginx/webroot";
|
||||
default = true;
|
||||
listen = dl;
|
||||
locations = {
|
||||
"/" = {
|
||||
# index = "index.html";
|
||||
# tryFiles = "$uri/ $uri.html =404";
|
||||
extraConfig = ''
|
||||
index index.html;
|
||||
if ($request_uri ~ ^/(.*)\.html(\?|$)) {
|
||||
@@ -125,115 +90,51 @@
|
||||
try_files $uri $uri.html $uri/ /404.html =404;
|
||||
'';
|
||||
};
|
||||
"~^(/ba)$" = {
|
||||
return = "301 /BA.pdf";
|
||||
};
|
||||
"/.well-known/matrix/client" = {
|
||||
return = "502";
|
||||
# return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
|
||||
# extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
|
||||
};
|
||||
"/.well-known/matrix/server" = {
|
||||
return = "502";
|
||||
# return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
|
||||
# extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
|
||||
};
|
||||
# "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
|
||||
# proxyPass = "http://matrix-ss";
|
||||
# # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
|
||||
# };
|
||||
# "~ ^(\/_matrix|\/_synapse\/client)" = {
|
||||
# return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
|
||||
# # extraConfig = [];
|
||||
# };
|
||||
"~^(/ba)$" = { return = "301 /BA.pdf"; };
|
||||
"/.well-known/matrix/client" = { return = "502"; };
|
||||
"/.well-known/matrix/server" = { return = "502"; };
|
||||
};
|
||||
};
|
||||
"matrix.nx2.site" = {
|
||||
listen = dl ++ [
|
||||
# { addr = "0.0.0.0"; port = 8448; ssl = true; }
|
||||
# { addr = "0.0.0.0"; port = 8448; ssl = true; }
|
||||
];
|
||||
locations = {
|
||||
# "/" = {
|
||||
# proxyPass = "http://matrix";
|
||||
# # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
|
||||
# };
|
||||
"~.*" = { return = "502"; };
|
||||
};
|
||||
};
|
||||
# "matrix-ss.nx2.site" = {
|
||||
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
|
||||
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
|
||||
# # "resolver 1.1.1.1;"
|
||||
# # "client_max_body_size 500M;"
|
||||
# # ];
|
||||
# locations = {
|
||||
# "/" = { proxyPass = "http://pw"; };
|
||||
# };
|
||||
# };
|
||||
# # "dev.nx2.site" = {
|
||||
# # inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
|
||||
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
|
||||
# # locations = {
|
||||
# # "/" = {
|
||||
# # proxyPass = "http://dev";
|
||||
# # };
|
||||
# # };
|
||||
# # };
|
||||
"pw.nx2.site" = vh // {
|
||||
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
|
||||
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
|
||||
"matrix.${domain}" = {
|
||||
listen = dl;
|
||||
locations = {
|
||||
"/" = { proxyPass = "http://pw"; };
|
||||
"/admin" = { proxyPass = "http://pw"; };
|
||||
"/notifications/hub" = { proxyPass = "http://pw"; };
|
||||
"/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
|
||||
};
|
||||
locations = { "~.*" = { return = "502"; }; };
|
||||
};
|
||||
# "share.nx2.site" = {
|
||||
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
|
||||
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
|
||||
# locations = {
|
||||
# "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
|
||||
# # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
|
||||
# # ''proxy_set_header X-Real-IP $remote_addr;''
|
||||
# # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
|
||||
# # ''proxy_set_header Host $http_host;''
|
||||
# # ];
|
||||
# };
|
||||
# "/socket.io" = {
|
||||
# proxyPass = "http://share/socket.io";
|
||||
# proxyWebsockets = true;
|
||||
# # extraConfig = [
|
||||
# # ''proxy_http_version 1.1;''
|
||||
# # ''proxy_set_header Upgrade $http_upgrade;''
|
||||
# # ''proxy_set_header Connection "upgrade";''
|
||||
# # ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# "sync.nx2.site" = {
|
||||
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
|
||||
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
|
||||
# locations = {
|
||||
# "/" = { proxyPass = "http://sync"; };
|
||||
# };
|
||||
# };
|
||||
"git.nx2.site" = vh // {
|
||||
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
|
||||
"pw.${domain}" = vh // {
|
||||
listen = dl;
|
||||
locations = {
|
||||
"/" = { proxyPass = "http://git"; };
|
||||
locations = let d = "pw.docker:80"; in {
|
||||
"/" = { proxyPass = "http://${d}"; };
|
||||
"/admin" = { proxyPass = "http://${d}"; };
|
||||
"/notifications/hub" = { proxyPass = "http://${d}"; };
|
||||
"/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
|
||||
};
|
||||
};
|
||||
"~^(.*).nx2.site$" = {
|
||||
"pw2.${domain}" = vh // {
|
||||
listen = dl;
|
||||
locations = let d = "127.0.0.1:8222"; in {
|
||||
"/" = { proxyPass = "http://${d}"; };
|
||||
"/admin" = { proxyPass = "http://${d}"; };
|
||||
"/notifications/hub" = { proxyPass = "http://${d}"; };
|
||||
"/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
|
||||
};
|
||||
};
|
||||
"sync.${domain}" = vh // {
|
||||
listen = dl;
|
||||
locations = { "/" = { proxyPass = "http://127.0.0.1:11434"; }; };
|
||||
};
|
||||
"git.${domain}" = vh // {
|
||||
listen = dl;
|
||||
locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
|
||||
};
|
||||
"git2.${domain}" = vh // {
|
||||
listen = dl;
|
||||
locations = { "/" = { proxyPass = "http://127.0.0.1:8222"; }; };
|
||||
};
|
||||
"~^(.*).${domain}$" = {
|
||||
listen = dl;
|
||||
root = "/var/nginx/webroot";
|
||||
locations = {
|
||||
"~.*" = { return = "301 https://nx2.site/502.html"; };
|
||||
};
|
||||
locations = { "~.*" = { return = "301 https://${domain}/502.html"; }; };
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user