nx2site001

This commit is contained in:
Lennart J. Kurzweg (Nx2)
2024-11-08 13:48:02 +01:00
parent d46530edd8
commit 924f48b15a
8 changed files with 525 additions and 209 deletions


@@ -1,25 +1,58 @@
{ config, pkgs, lib, user }:
lib.mkIf false
{ config, pkgs, lib, user, ... }:
{
sops.secrets = {
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
"nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
"nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
};
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@nx2.site";
webroot = "/var/nginx/webroot";
group = "nginx";
};
certs = {
"nx2.site" = {
extraDomainNames = [ "git.nx2.site" "pw.nx2.site" ];
};
};
};
users.users."nginx" = {
extraGroups = [ "nginx" "acme" ];
useDefaultShell = false;
linger = true;
home = "/var/nginx/";
homeMode = "770";
createHome = true;
isSystemUser = true;
isNormalUser = false;
};
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
services.nginx = {
enable = true;
user = "nginx";
group = "nginx";
additionalModules = [];
# appendConfig = '''';
clientMaxBodySize = "20m";
defaultHTTPListenPort = 80;
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
defaultListen = [ {
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}];
defaultListen = [
{
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}
{
addr = "[::0]";
ssl = true;
port = 443;
proxyProtocol = true;
}
];
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
defaultSSLListenPort = 443;
enableQuicBPF = true;
@@ -39,7 +72,7 @@ lib.mkIf false
recommendedTlsSettings = true;
recommendedZstdSettings = true;
serverTokens = false;
# sslCiphers = true;
# sslCiphers = # useing default;
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
sslProtocols = "TLSv1.2 TLSv1.3";
statusPage = false;
@@ -50,7 +83,7 @@ lib.mkIf false
"matrix".servers = { "matrix.docker:80" = {}; };
"matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
"pw".servers = { "pw.docker:80" = {}; };
"git".servers = { "git.docker:80" = {}; };
"git".servers = { "git.docker:3000" = {}; };
"nn".servers = { "nn.docker:80" = {}; };
"llm".servers = { "llm.docker:80" = {}; };
"share".servers = { "share.docker:80" = {}; };
@@ -58,72 +91,99 @@ lib.mkIf false
"sync".servers = { "localhost:8384" = {}; };
};
virtualHosts = let
sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
in
{
"nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
# sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
vh = {
kTLS = true;
http2 = true;
http3 = true;
http3_hq = true;
quic = true;
addSSL = true;
enableACME = true;
};
dl = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 80; ssl = false; }
{ addr = "[::0]"; port = 443; ssl = true; }
{ addr = "[::0]"; port = 80; ssl = false; }
];
in {
"nx2.site" = vh // {
root = "/var/nginx/webroot";
default = true;
listen = dl;
locations = {
"/" = {
proxyPass = "http://staticweb";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
# index = "index.html";
# tryFiles = "$uri/ $uri.html =404";
extraConfig = ''
index index.html;
if ($request_uri ~ ^/(.*)\.html(\?|$)) {
return 301 /$1;
}
try_files $uri $uri.html $uri/ /404.html =404;
'';
};
"~^(/ba)$" = {
return = "301 /BA.pdf";
};
"/.well-known/matrix/client" = {
return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
return = "502";
# return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
# extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"/.well-known/matrix/server" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://matrix-ss";
# extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
};
"~ ^(\/_matrix|\/_synapse\/client)" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = [];
return = "502";
# return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
# "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
# proxyPass = "http://matrix-ss";
# # extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
# };
# "~ ^(\/_matrix|\/_synapse\/client)" = {
# return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# # extraConfig = [];
# };
};
};
};
"matrix.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 8448; ssl = true; }
listen = dl ++ [
# { addr = "0.0.0.0"; port = 8448; ssl = true; }
# { addr = "0.0.0.0"; port = 8448; ssl = true; }
];
locations = {
"/" = {
proxyPass = "http://matrix";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
# "/" = {
# proxyPass = "http://matrix";
# # extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
# };
"~.*" = { return = "502"; };
};
};
"matrix-ss.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# "resolver 1.1.1.1;"
# "client_max_body_size 500M;"
# ];
locations = {
"/" = { proxyPass = "http://pw"; };
};
};
# "dev.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = {
# proxyPass = "http://dev";
# };
# };
# };
"pw.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# "matrix-ss.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# # "resolver 1.1.1.1;"
# # "client_max_body_size 500M;"
# # ];
# locations = {
# "/" = { proxyPass = "http://pw"; };
# };
# };
# # "dev.nx2.site" = {
# # inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# # locations = {
# # "/" = {
# # proxyPass = "http://dev";
# # };
# # };
# # };
"pw.nx2.site" = vh // {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
listen = dl;
locations = {
"/" = { proxyPass = "http://pw"; };
"/admin" = { proxyPass = "http://pw"; };
@@ -131,48 +191,47 @@ lib.mkIf false
"/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
};
};
"share.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# ''proxy_set_header X-Real-IP $remote_addr;''
# ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# ''proxy_set_header Host $http_host;''
# ];
};
"/socket.io" = {
proxyPass = "http://share/socket.io";
proxyWebsockets = true;
# extraConfig = [
# ''proxy_http_version 1.1;''
# ''proxy_set_header Upgrade $http_upgrade;''
# ''proxy_set_header Connection "upgrade";''
# ];
};
};
};
"sync.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://sync"; };
};
};
"git.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# "share.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# # ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# # ''proxy_set_header X-Real-IP $remote_addr;''
# # ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# # ''proxy_set_header Host $http_host;''
# # ];
# };
# "/socket.io" = {
# proxyPass = "http://share/socket.io";
# proxyWebsockets = true;
# # extraConfig = [
# # ''proxy_http_version 1.1;''
# # ''proxy_set_header Upgrade $http_upgrade;''
# # ''proxy_set_header Connection "upgrade";''
# # ];
# };
# };
# };
# "sync.nx2.site" = {
# inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic addSSL enableACME;
# # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = { proxyPass = "http://sync"; };
# };
# };
"git.nx2.site" = vh // {
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
listen = dl;
locations = {
"/" = { proxyPass = "http://git"; };
};
};
"~^(.*)\.nx2\.site$" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
root = "/home/nx2/nx2site/staticweb/xcontent/";
"~^(.*).nx2.site$" = {
listen = dl;
root = "/var/nginx/webroot";
locations = {
"~.*" = { return = "502 /502.html"; };
"~.*" = { return = "301 https://nx2.site/502.html"; };
};
};
};
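Review bot: `proxyProtocol = true` in `defaultListen` is effectively dead for every vhost in this hunk, because each of them sets `listen = dl` and `dl` carries no `proxyProtocol` entry; if nginx really sits behind a PROXY-protocol load balancer those listeners will not parse the header, and if it does not, keeping `proxy_protocol` on a public `0.0.0.0`/`[::0]` listener lets any client spoof its source address unless the trusted senders are pinned with `set_real_ip_from`. Either drop `proxyProtocol` from `defaultListen` or add `proxyProtocol = true;` to each `dl` entry together with `set_real_ip_from <lb-address>; real_ip_header proxy_protocol;` in `appendHttpConfig`, so the intent lives in one place. The `nx2site/sslCertificate.pem` and `nx2site/sslCertificateKey.pem` sops secrets are still declared and deployed with nginx ownership even though every vhost built from `vh` now takes its certificate from ACME and only `dhparams.pem` is referenced via `sslDhparam`; unless a vhost outside this hunk still uses them, the private key is an unused secret on disk and the two entries should go. `systemd.services.nginx.serviceConfig.ProtectHome = "read-only"` only covers `/home`, `/root` and `/run/user`, not the new group-writable (`homeMode = "770"`) `/var/nginx/` that the ACME webroot and the static vhosts' `root` share, so a comment stating what it is meant to restrict, or a `ReadOnlyPaths = [ "/var/nginx/webroot" ]` entry if the worker is not supposed to write there, would make the hardening checkable.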