nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nx2site001

Browse Source
This commit is contained in:
Lennart J. Kurzweg (Nx2)
2024-11-08 13:48:02 +01:00
parent d46530edd8
commit 924f48b15a
8 changed files with 525 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
home-modules/nx2site.nix Normal file
View File

@@ -0,0 +1,100 @@
{ pkgs, lib, host, user, ... }:
lib.mkIf (host == "NxACE" && user != "tv")
{
home.packages = with pkgs; [
(writeShellApplication {
name = "nxmd";
text = let
ascii_size = (pkgs.writers.writePython3Bin "ascii_size" {
# libraries = with pkgs.python311Packages; [ ];
flakeIgnore = [];
} /* python */ ''
from sys import argv
with open(argv[1], "r", encoding='utf-8') as f:
raw = f.read()
sraw = raw.split("\n")
linestart = 0
lineend = 0
started = False
for linenum in range(len(sraw)):
if sraw[linenum].strip() == "```ascii":
linestart = linenum
started = True
if started and sraw[linenum].strip() == "```":
lineend = linenum
break
maxwidth = 0
for linenum in range(linestart, lineend):
linewidth = len(sraw[linenum])
if linewidth > maxwidth:
maxwidth = linewidth
print(f"Maximum length of the `ascii` code clock is {maxwidth} characters.")
px = (1 / maxwidth) * 1500
vw = (1 / maxwidth) * 150
snew = sraw
snew[3] = "aaw: " + str(round(vw, 2))
snew[4] = "aawm: " + str(round(px, 2))
new = "\n".join(snew)
with open(argv[1], "w", encoding='utf-8') as f:
f.write(new)
print(f"The resulting font sizes are {px}px (aawm) and {vw}vw (aam).")
print(f"You can now use the push operation on {argv[1]}.")
''
);
in /* bash */ ''
ord=$(date +"%e" | awk '{printf("%d%s\n", $1, ($1==11||$1==12||$1==13)?"th":((($1%10)==1)?"st":((($1%10)==2)?"nd":((($1%10)==3)?"rd":"th"))))}')
nxdate="$(date +'%A the ')"
nxdate="$nxdate""$ord"
nxdate="$nxdate""$(date +' of %B %Y')"
if [[ $# -eq 0 ]]; then
echo "Error: No arguments provided."
echo "Usage: $0 push <markdown-file>"
exit 1
fi
if [[ "$1" == "push" ]]; then
if [[ ! "$2" =~ \.md$ ]]; then
echo "Error: Second argument must be a markdown (.md) file"
echo "Usage: $0 push <markdown-file>"
exit 1
fi
pandoc \
"$2" \
--highlight-style=breezeDark \
--standalone \
--mathjax \
--ascii \
--template /var/nginx/assets/template.html \
--metadata pdate="$nxdate" \
--verbose --from markdown-markdown_in_html_blocks+raw_html \
-o /var/nginx/webroot/"$(basename "$2" .md )".html
echo pushed "$2"
elif [[ "$1" == "ascii-size" ]]; then
if [[ ! "$2" =~ \.md$ ]]; then
echo "Error: Second argument must be a markdown (.md) file"
echo "Usage: $0 ascii-size <markdown-file>"
exit 1
fi
${ascii_size}/bin/ascii_size "$2"
else
echo "Error: First argument must be 'push'"
echo "Usage: $0 push <markdown-file>"
exit 1
fi
'';
})
];
}

1
home.nix
View File

@@ -26,6 +26,7 @@
# ./home-modules/matrix.nix
./home-modules/nh.nix
./home-modules/nvidia.nix
./home-modules/nx2site.nix
./home-modules/nx-gcal-event.nix
./home-modules/obs.nix
./home-modules/office.nix

12
sops-secrets.yaml
View File

File diff suppressed because one or more lines are too long

1
system-modules/docker.nix
View File

@@ -15,6 +15,7 @@
users.users."${user}".extraGroups = [ "docker" ];
networking.firewall.allowedTCPPorts = [
80
443
8384
];
}

2
system-modules/networking.nix
View File

@@ -14,5 +14,5 @@ in
enable = true;
};
networking.enableIPv6 = false;
networking.enableIPv6 = true;
}

361
system-modules/nx2site.nix
View File

@@ -1,121 +1,272 @@
{ config, pkgs, lib, user, host, ... }:
{ config, pkgs, lib, user, host, secrets, ... }:
# lib.mkIf false
lib.mkIf (host == "NxACE")
# ((import ./nx2site/proxy.nix { inherit config pkgs lib user; }) //
(
lib.mkIf (host == "NxACE" && user != "tv")
{
sops.secrets = {
"nx2site/namecheap.pw" = { };
};
systemd = {
timers."namecheap-dynamic-dns" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "2m";
OnUnitActiveSec = "10m";
Unit = "namecheap-dynamic-dns.service";
};
"nx2site/namecheap.pw" = { };
# "nx2site/cloudflare/api-token-dns-edit" = { };
"nx2site/cloudflare/global-api-key" = { };
};
services."namecheap-dynamic-dns" = let
u = let
domain = "nx2.site";
passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
# passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
log-file-path = "/var/log/update_namecheap.log";
count-file-path = "/var/log/update_namecheap-count.txt";
in pkgs.writers.writePython3Bin "update_namecheap" {
libraries = with pkgs.python311Packages; [ requests ];
flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ];
} ''
import requests
import argparse
import socket
from datetime import datetime
def get_public_ip(): return requests.get('https://ipinfo.io/ip').text.strip()
systemd = {
timers."dynamic-dns" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "2m";
OnUnitActiveSec = "10m";
Unit = "dynamic-dns.service";
};
};
# services."dynamic-dns" = let
# u = let
# domain = "nx2.site";
# passord-file-path = config.sops.secrets."nx2site/namecheap.pw".path;
# log-file-path = "/var/log/update_namecheap.log";
# count-file-path = "/var/log/update_namecheap-count.txt";
# in pkgs.writers.writePython3Bin "update_namecheap" {
# libraries = with pkgs.python311Packages; [ requests ];
# flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" ];
# } ''
# import requests
# import argparse
# import socket
# from datetime import datetime
def get_dns_ip(): return socket.gethostbyname_ex('${domain}')[2][0]
# def get_public_ip(): return requests.get('https://ipinfo.io/ip').text.strip()
def main(force_update):
my_ip = get_public_ip()
dns_ip = get_dns_ip()
# def get_dns_ip(): return socket.gethostbyname_ex('${domain}')[2][0]
with open("${count-file-path}", "r") as f:
content = f.read()
if content == "": count = 0
else: count = int(content)
count += 1
with open("${count-file-path}", "w") as f:
f.write(str(count))
# def main(force_update):
# my_ip = get_public_ip()
# dns_ip = get_dns_ip()
if not (force_update or my_ip != dns_ip):
print(f"Host IP and DNS response are both {my_ip} --> No Action")
exit(0)
else:
with open("${passord-file-path}", 'r') as pw_file: pw = pw_file.read().strip()
# with open("${count-file-path}", "r") as f:
# content = f.read()
# if content == "": count = 0
# else: count = int(content)
# count += 1
# with open("${count-file-path}", "w") as f:
# f.write(str(count))
# Perform DNS updates
resp_base = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password={pw}&ip={my_ip}")
resp_subd = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=*&domain=${domain}&password={pw}&ip={my_ip}")
# if not (force_update or my_ip != dns_ip):
# print(f"Host IP and DNS response are both {my_ip} --> No Action")
# exit(0)
# else:
# with open("${passord-file-path}", 'r') as pw_file: pw = pw_file.read().strip()
# # Perform DNS updates
# resp_base = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=@&domain=${domain}&password={pw}&ip={my_ip}")
# resp_subd = requests.get(f"https://dynamicdns.park-your-domain.com/update?host=*&domain=${domain}&password={pw}&ip={my_ip}")
# Reset the count file
with open("${count-file-path}", 'w') as f: f.write('0')
# # Reset the count file
# with open("${count-file-path}", 'w') as f: f.write('0')
now_str = datetime.now().strftime('%Y/%m/%d-%R')
log_entry = f"At {now_str} - from {dns_ip} to {my_ip} - {count} times - Response {resp_base.status_code}{' - (forced)' if force_update else ' '}\n"
print(log_entry, end="")
with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry)
# now_str = datetime.now().strftime('%Y/%m/%d-%R')
# log_entry = f"At {now_str} - from {dns_ip} to {my_ip} - {count} times - Response {resp_base.status_code}{' - (forced)' if force_update else ' '}\n"
# print(log_entry, end="")
# with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-f', '--force', action='store_true', help='Force update')
args = parser.parse_args()
# if __name__ == "__main__":
# parser = argparse.ArgumentParser()
# parser.add_argument('-f', '--force', action='store_true', help='Force update')
# args = parser.parse_args()
main(args.force)
'';
in {
script = ''
set -eu
${u}/bin/update_namecheap
'';
serviceConfig = {
Type = "oneshot";
# main(args.force)
# '';
# in {
# script = ''
# set -eu
# ${u}/bin/update_namecheap
# '';
# serviceConfig = {
# Type = "oneshot";
# };
services."dynamic-dns" = let
u = let
domain = "nx2.site";
account_id = secrets.email.gmail-online.mail;
zone_id = "33fecab36e060f49d492127345ea95a0";
record_id = {
base = "58d3412e8d88889d1a611b3669f0700f";
sub = "fc861353142bc05d5dbad1799178e6a1";
base6 = "d1b90e21d2d747dcb30448bd65312927";
sub6 = "b8082b7afe9e80971fc9f9dda16ec284";
};
passord-file-path = config.sops.secrets."nx2site/cloudflare/global-api-key".path;
log-file-path = "/var/log/couldflare.log";
count-file-path = "/var/log/cloudflare-count.txt";
in pkgs.writers.writePython3Bin "dyn_dns" {
libraries = with pkgs.python311Packages; [ requests ];
flakeIgnore = [ "E501" "E305" "E701" "E704" "E302" "E114" "F841" "E121" "E261" "E303"];
} ''
import requests
import subprocess
from datetime import datetime
def get_public_ip(ipv6=False):
return subprocess.run(['${pkgs.curl}/bin/curl', '-s', '-6' if ipv6 else '-4', 'https://ifconfig.me'], capture_output=True, text=True).stdout.strip()
def main():
my_ip = get_public_ip()
my_ip6 = get_public_ip(ipv6=True)
with open("${count-file-path}", "r") as f:
content = f.read()
if content == "": count = 0
else: count = int(content)
count += 1
with open("${count-file-path}", "w") as f:
f.write(str(count))
# 4
with open("${passord-file-path}", 'r') as pw_file:
pw = pw_file.read().strip()
# Perform DNS updates
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-update-dns-record
resp_base = requests.patch(
'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.base}',
headers={
'Content-Type': 'application/json',
'X-Auth-Email': '${account_id}',
'X-Auth-Key': pw
},
json={
"comment": "Domain verification record",
"name": "${domain}",
"proxied": True,
"settings": {},
"tags": [],
"ttl": 1, # automatic
"content": my_ip,
"type": "A"
}
)
resp_subd = requests.patch(
'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.sub}',
headers={
'Content-Type': 'application/json',
'X-Auth-Email': '${account_id}',
'X-Auth-Key': pw
},
json={
"comment": "Domain verification record",
"name": "${domain}",
"proxied": True,
"settings": {},
"tags": [],
"ttl": 1, # automatic
"content": my_ip,
"type": "A"
}
)
if resp_base.status_code != 200:
print(resp_base.text)
now_str = datetime.now().strftime('%Y/%m/%d-%R')
log_entry = f"At {now_str} - to {my_ip} - Response {resp_base.status_code}\n"
print(log_entry, end="")
with open("${log-file-path}", 'a') as log_file:
log_file.write(log_entry)
# Perform DNS updates
# https://developers.cloudflare.com/api/operations/dns-records-for-a-zone-update-dns-record
resp_base = requests.patch(
'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.base6}',
headers={
'Content-Type': 'application/json',
'X-Auth-Email': '${account_id}',
'X-Auth-Key': pw
},
json={
"comment": "Domain verification record",
"name": "${domain}",
"proxied": True,
"settings": {},
"tags": [],
"ttl": 1, # automatic
"content": my_ip6,
"type": "AAAA"
}
)
resp_subd = requests.patch(
'https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id.sub6}',
headers={
'Content-Type': 'application/json',
'X-Auth-Email': '${account_id}',
'X-Auth-Key': pw
},
json={
"comment": "Domain verification record",
"name": "${domain}",
"proxied": True,
"settings": {},
"tags": [],
"ttl": 1, # automatic
"content": my_ip6,
"type": "AAAA"
}
)
if resp_base.status_code != 200:
print(resp_base.text)
now_str = datetime.now().strftime('%Y/%m/%d-%R')
log_entry = f"At {now_str} - to {my_ip6} - Response {resp_base.status_code}\n"
print(log_entry, end="")
with open("${log-file-path}", 'a') as log_file: log_file.write(log_entry)
if __name__ == "__main__":
main()
'';
in {
script = ''
set -eu
${u}/bin/dyn_dns
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
};
};
# I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have
# security.acme = {
# acceptTerms = true;
# certs."nx2site" = { };
# };
environment.systemPackages = with pkgs; [
certbot
(writeShellApplication {
name = "refresh_ssl_certificate";
runtimeInputs = [ certbot ];
# https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431
text = let
webroot = /home/nx2/nx2site/staticweb/content;
in /*bash*/ ''
cartbot
ls ${webroot}
'';
})
];
networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",- "\2" = [ "\1.docker" ];-g'
"172.1.2.1" = [ "staticweb.docker" ];
"172.1.3.1" = [ "matrix.docker" ];
# "172.1.0.9" = [ "matrixdb.docker" ];
"172.1.4.1" = [ "matrix-ss.docker" ];
# "172.1.0.7" = [ "matrix-ssdb.docker" ];
"172.1.5.1" = [ "pw.docker" ];
"172.1.6.1" = [ "git.docker" ];
# "172.1.0.10" = [ "gitdb.docker" ];
"172.1.7.1" = [ "nn.docker" ];
"172.1.8.1" = [ "llm.docker" ];
# "172.1.9.1" = [ "proxy.docker" ];
"172.1.10.1" = [ "share.docker" ];
"172.1.11.1" = [ "odq.docker" ];
};
})
# I can't use this becasue API Access for Namecheap needs a static whitelisted IP, which I don't have
# security.acme = {
# acceptTerms = true;
# certs."nx2site" = { };
# };
environment.systemPackages = with pkgs; [
certbot
(writeShellApplication {
name = "refresh_ssl_certificate";
runtimeInputs = [ certbot ];
# https://forum.endeavouros.com/t/tutorial-add-a-systemd-boot-loader-menu-entry-for-a-windows-installation-using-a-separate-esp-partition/37431
text = let
webroot = /home/nx2/nx2site/staticweb/content;
in /*bash*/ ''
cartbot
ls ${webroot}
'';
})
];
networking.hosts = { # docker network inspect nx2site_default | grep -E "Name|IPv4" | tr "\n" " " | sed -r 's- +- -g;s-\n?"Name": -\n-g' | sed -r '1d;2d;s-"(.+?)", "IPv4Address": "(.+)/16",- "\2" = [ "\1.docker" ];-g'
"172.1.2.1" = [ "staticweb.docker" ];
"172.1.3.1" = [ "matrix.docker" ];
# "172.1.0.9" = [ "matrixdb.docker" ];
"172.1.4.1" = [ "matrix-ss.docker" ];
# "172.1.0.7" = [ "matrix-ssdb.docker" ];
"172.1.5.1" = [ "pw.docker" ];
"172.1.6.1" = [ "git.docker" ];
# "172.1.0.10" = [ "gitdb.docker" ];
"172.1.7.1" = [ "nn.docker" ];
"172.1.8.1" = [ "llm.docker" ];
# "172.1.9.1" = [ "proxy.docker" ];
"172.1.10.1" = [ "share.docker" ];
"172.1.11.1" = [ "odq.docker" ];
};
}

255
system-modules/nx2site/proxy.nix
View File

@@ -1,25 +1,58 @@
{ config, pkgs, lib, user }:
lib.mkIf false
{ config, pkgs, lib, user, ... }:
{
sops.secrets = {
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
"nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
"nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
};
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@nx2.site";
webroot = "/var/nginx/webroot";
group = "nginx";
};
certs = {
"nx2.site" = {
extraDomainNames = [ "git.nx2.site" "pw.nx2.site" ];
};
};
};
users.users."nginx" = {
extraGroups = [ "nginx" "acme" ];
useDefaultShell = false;
linger = true;
home = "/var/nginx/";
homeMode = "770";
createHome = true;
isSystemUser = true;
isNormalUser = false;
};
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
services.nginx = {
enable = true;
user = "nginx";
group = "nginx";
additionalModules = [];
# appendConfig = '''';
clientMaxBodySize = "20m";
defaultHTTPListenPort = 80;
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
defaultListen = [ {
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}];
defaultListen = [
{
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}
{
addr = "[::0]";
ssl = true;
port = 443;
proxyProtocol = true;
}
];
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
defaultSSLListenPort = 443;
enableQuicBPF = true;
@@ -39,7 +72,7 @@ lib.mkIf false
recommendedTlsSettings = true;
recommendedZstdSettings = true;
serverTokens = false;
# sslCiphers = true;
# sslCiphers = # useing default;
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
sslProtocols = "TLSv1.2 TLSv1.3";
statusPage = false;
@@ -50,7 +83,7 @@ lib.mkIf false
"matrix".servers = { "matrix.docker:80" = {}; };
"matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
"pw".servers = { "pw.docker:80" = {}; };
"git".servers = { "git.docker:80" = {}; };
"git".servers = { "git.docker:3000" = {}; };
"nn".servers = { "nn.docker:80" = {}; };
"llm".servers = { "llm.docker:80" = {}; };
"share".servers = { "share.docker:80" = {}; };
@@ -58,72 +91,99 @@ lib.mkIf false
"sync".servers = { "localhost:8384" = {}; };
};
virtualHosts = let
sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
in
{
"nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
# sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
vh = {
kTLS = true;
http2 = true;
http3 = true;
http3_hq = true;
quic = true;
addSSL = true;
enableACME = true;
};
dl = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 80; ssl = false; }
{ addr = "[::0]"; port = 443; ssl = true; }
{ addr = "[::0]"; port = 80; ssl = false; }
];
in {
"nx2.site" = vh // {
root = "/var/nginx/webroot";
default = true;
listen = dl;
locations = {
"/" = {
proxyPass = "http://staticweb";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
# index = "index.html";
# tryFiles = "$uri/ $uri.html =404";
extraConfig = ''
index index.html;
if ($request_uri ~ ^/(.*)\.html(\?|$)) {
return 301 /$1;
}
try_files $uri $uri.html $uri/ /404.html =404;
'';
};
"~^(/ba)$" = {
return = "301 /BA.pdf";
};
"/.well-known/matrix/client" = {
return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
return = "502";
# return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
# extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"/.well-known/matrix/server" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://matrix-ss";
# extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
};
"~ ^(\/_matrix|\/_synapse\/client)" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = [];
return = "502";
# return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
# "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
# proxyPass = "http://matrix-ss";
# # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
# };
# "~ ^(\/_matrix|\/_synapse\/client)" = {
# return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# # extraConfig = [];
# };
};
};
};
"matrix.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 8448; ssl = true; }
listen = dl ++ [
# { addr = "0.0.0.0"; port = 8448; ssl = true; }
# { addr = "0.0.0.0"; port = 8448; ssl = true; }
];
locations = {
"/" = {
proxyPass = "http://matrix";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
# "/" = {
# proxyPass = "http://matrix";
# # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
# };
"~.*" = { return = "502"; };
};
};
"matrix-ss.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# "resolver 1.1.1.1;"
# "client_max_body_size 500M;"
# ];
locations = {
"/" = { proxyPass = "http://pw"; };
};
};
# "dev.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = {
# proxyPass = "http://dev";
# };
# };
# };
"pw.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# "matrix-ss.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# # "resolver 1.1.1.1;"
# # "client_max_body_size 500M;"
# # ];
# locations = {
# "/" = { proxyPass = "http://pw"; };
# };
# };
# # "dev.nx2.site" = {
# # inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# # locations = {
# # "/" = {
# # proxyPass = "http://dev";
# # };
# # };
# # };
"pw.nx2.site" = vh // {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
listen = dl;
locations = {
"/" = { proxyPass = "http://pw"; };
"/admin" = { proxyPass = "http://pw"; };
@@ -131,48 +191,47 @@ lib.mkIf false
"/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
};
};
"share.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# ''proxy_set_header X-Real-IP $remote_addr;''
# ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# ''proxy_set_header Host $http_host;''
# ];
};
"/socket.io" = {
proxyPass = "http://share/socket.io";
proxyWebsockets = true;
# extraConfig = [
# ''proxy_http_version 1.1;''
# ''proxy_set_header Upgrade $http_upgrade;''
# ''proxy_set_header Connection "upgrade";''
# ];
};
};
};
"sync.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://sync"; };
};
};
"git.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# "share.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# # ''proxy_set_header X-Real-IP $remote_addr;''
# # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# # ''proxy_set_header Host $http_host;''
# # ];
# };
# "/socket.io" = {
# proxyPass = "http://share/socket.io";
# proxyWebsockets = true;
# # extraConfig = [
# # ''proxy_http_version 1.1;''
# # ''proxy_set_header Upgrade $http_upgrade;''
# # ''proxy_set_header Connection "upgrade";''
# # ];
# };
# };
# };
# "sync.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = { proxyPass = "http://sync"; };
# };
# };
"git.nx2.site" = vh // {
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
listen = dl;
locations = {
"/" = { proxyPass = "http://git"; };
};
};
"~^(.*)\.nx2\.site$" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
root = "/home/nx2/nx2site/staticweb/xcontent/";
"~^(.*).nx2.site$" = {
listen = dl;
root = "/var/nginx/webroot";
locations = {
"~.*" = { return = "502 /502.html"; };
"~.*" = { return = "301 https://nx2.site/502.html"; };
};
};
};

2
system-modules/users.nix
View File

@@ -5,7 +5,7 @@
users.users."${user}" = {
isNormalUser = true;
extraGroups = [ "networkmanager" "wheel" "audio" "video" "docker" "libvirtd" "uinput" "input" "ydotool" ];
extraGroups = [ "networkmanager" "wheel" "audio" "video" "docker" "libvirtd" "uinput" "input" "ydotool" "acme" "nginx" ];
useDefaultShell = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID1RPCcS8DtIf75a2FEW4d8X6WTVeLlmretoLqppvZlJ" # From [A] GPG Sub Key