nx2site save (unused)

2024-07-28 17:19:25 +02:00
parent 70b3d92fb1
commit 73b0e338fc
2 changed files with 230 additions and 14 deletions
--- a/system-modules/nx2site/proxy.nix
+++ b/system-modules/nx2site/proxy.nix
@@ -0,0 +1,186 @@
+{ config, pkgs, lib, user }:
+{
+  sops.secrets = {
+    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
+    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
+    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
+  };
+	services.nginx = let
+    config-root = /home/${user}/nx2site/proxy/config;
+    xcontent-root = /home/${user}/nx2site/proxy/xcontent;
+    content-root = /home/${user}/nx2site/proxy/content;
+  in {
+    enable = true;
+    additionalModules = [];
+    # appendConfig = '''';
+    clientMaxBodySize = "20m";
+
+    defaultHTTPListenPort = 80;
+    defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
+    defaultListen = [ {
+      addr = "0.0.0.0";
+      ssl = true;
+      port = 443;
+      proxyProtocol = true;
+    }];
+    defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
+    defaultSSLListenPort = 443;
+    enableQuicBPF = true;
+    enableReload = true;
+    # eventsConfig = '''';
+    # logError = ;
+    # mapHashBucketSize = ;
+    # mapHashMaxSize = ;
+    package = pkgs.nginxQuic;
+    # preStart = true;
+    proxyResolveWhileRunning = false;
+    proxyTimeout = "20s";
+    recommendedBrotliSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedZstdSettings = true;
+    serverTokens = false;
+    # sslCiphers = true;
+    sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
+    sslProtocols = "TLSv1.2 TLSv1.3";
+    statusPage = false;
+    streamConfig = ""; # udp config
+    validateConfigFile = true;
+    upstreams = {
+      "staticweb".servers = { "staticweb.docker:80" = {}; };
+      "matrix".servers    = { "matrix.docker:80"    = {}; };
+      "matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
+      "pw".servers        = { "pw.docker:80"        = {}; };
+      "git".servers       = { "git.docker:80"       = {}; };
+      "nn".servers        = { "nn.docker:80"        = {}; };
+      "llm".servers       = { "llm.docker:80"       = {}; };
+      "share".servers     = { "share.docker:80"     = {}; };
+
+      "sync".servers      = { "localhost:8384"      = {}; };
+    };
+    virtualHosts = let
+      sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
+      sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
+      kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
+    in
+    {
+      "nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        locations = {
+          "/" = {
+            proxyPass = "http://staticweb";
+      #       extraConfig = [  ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
+          };
+          "/.well-known/matrix/client" = {
+            return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}'  '';
+            extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
+          };
+          "/.well-known/matrix/server" = {
+            return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
+            extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
+          };
+          "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
+            proxyPass = "http://matrix-ss";
+            # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
+          };
+          "~ ^(\/_matrix|\/_synapse\/client)" = {
+            return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
+      #       extraConfig = [];
+          };
+        }; 
+      };
+      "matrix.nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        listen = [ 
+          { addr = "0.0.0.0"; port = 443;  ssl = true; }
+          { addr = "0.0.0.0"; port = 8448; ssl = true; }
+        ];
+        locations = {
+          "/" = {
+            proxyPass = "http://matrix";
+            # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
+          };
+        }; 
+      };
+      "matrix-ss.nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        #   "resolver 1.1.1.1;"
+        #   "client_max_body_size 500M;"
+        # ];
+        locations = {
+          "/" = { proxyPass = "http://pw"; };
+        }; 
+      };
+      # "dev.nx2.site" = {
+      #   kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
+      sslCertificate = cert; sslCertificateKey = key;
+      #   listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+      #   locations = {
+      #     "/" = {
+      #       proxyPass = "http://dev";
+      #     };
+      #   }; 
+      # };
+      "pw.nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        locations = {
+          "/" = { proxyPass = "http://pw"; };
+          "/admin" = { proxyPass = "http://pw"; };
+          "/notifications/hub" = { proxyPass = "http://pw"; };
+          "/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
+        }; 
+      };
+      "share.nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        locations = {
+          "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
+              # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
+              # ''proxy_set_header X-Real-IP $remote_addr;''
+              # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
+              # ''proxy_set_header Host $http_host;''
+            # ];
+          };
+          "/socket.io" = {
+            proxyPass = "http://share/socket.io";
+            proxyWebsockets = true;
+      #       extraConfig = [
+            #  ''proxy_http_version 1.1;''
+            #  ''proxy_set_header Upgrade $http_upgrade;''
+            #  ''proxy_set_header Connection "upgrade";''
+            # ];
+          };
+        }; 
+      };
+      "sync.nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        locations = {
+          "/" = { proxyPass = "http://sync"; };
+        }; 
+      };
+      "git.nx2.site" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        locations = {
+          "/" = { proxyPass = "http://git"; };
+        }; 
+      };
+      "~^(.*)\.nx2\.site$" = {
+        inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
+        # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
+        root = "/home/nx2/nx2site/staticweb/xcontent/";
+        locations = {
+          "~.*" = {
+            return = "502 /502.html";
+          };
+        };
+      };
+    };
+  };
+}