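# NixOS module: nginx reverse proxy in front of the nx2.site services.
# TLS certificate, key and DH parameters are provided by sops-nix; `user`
# is the account whose home directory holds the site data.
#
# The file had been collapsed onto a few lines, which turned every `#`
# comment into a line comment swallowing the rest of the configuration;
# it is restored to one declaration per line here.
{ config, pkgs, lib, user }:
{
  # Decrypt the TLS material for the nginx user only.
  sops.secrets = {
    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
  };

  services.nginx =
    let
      # Content roots under the site user's home.  Not referenced below at
      # the moment (the catch-all vhost hard-codes its own path).
      config-root = /home/${user}/nx2site/proxy/config;
      xcontent-root = /home/${user}/nx2site/proxy/xcontent;
      content-root = /home/${user}/nx2site/proxy/content;
    in
    {
      enable = true;
      additionalModules = [];
      # appendConfig = '''';
      clientMaxBodySize = "20m";
      defaultHTTPListenPort = 80;
      # NOTE(review): `defaultListen` below takes precedence over this list in
      # the NixOS module, so the IPv6 address added here is presumably unused
      # unless `defaultListen` is dropped -- confirm.
      defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
      # One TLS listener on 443 that expects a PROXY protocol header.
      # NOTE(review): with proxy_protocol on a 0.0.0.0 socket, whoever can reach
      # port 443 directly chooses the client address nginx records; this is only
      # safe when the port is reachable solely from the fronting proxy (firewall)
      # and that source is pinned with `set_real_ip_from <PROXY_ADDRESS>`
      # (placeholder) -- confirm the deployment.  The hosts below that set their
      # own `listen` omit proxyProtocol; nginx applies listen flags per
      # address:port, so those entries presumably still share the PROXY-protocol
      # socket on :443 -- verify with `nginx -T`.
      defaultListen = [ { addr = "0.0.0.0"; ssl = true; port = 443; proxyProtocol = true; } ];
      defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
      defaultSSLListenPort = 443;
      enableQuicBPF = true;
      enableReload = true;
      # eventsConfig = '''';
      # logError = ;
      # mapHashBucketSize = ;
      # mapHashMaxSize = ;
      package = pkgs.nginxQuic;
      # preStart = true;
      proxyResolveWhileRunning = false;
      proxyTimeout = "20s";
      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedZstdSettings = true;
      # Do not advertise the nginx version in headers or error pages.
      serverTokens = false;
      # sslCiphers = true;
      sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
      sslProtocols = "TLSv1.2 TLSv1.3";
      statusPage = false;
      streamConfig = ""; # udp config
      validateConfigFile = true;

      # Backends.  The *.docker names presumably resolve on the container
      # network; `sync` is the only service running on the host itself.
      upstreams = {
        "staticweb".servers = { "staticweb.docker:80" = {}; };
        "matrix".servers = { "matrix.docker:80" = {}; };
        "matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
        "pw".servers = { "pw.docker:80" = {}; };
        "git".servers = { "git.docker:80" = {}; };
        "nn".servers = { "nn.docker:80" = {}; };
        "llm".servers = { "llm.docker:80" = {}; };
        "share".servers = { "share.docker:80" = {}; };
        "sync".servers = { "localhost:8384" = {}; };
      };

      virtualHosts =
        let
          sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
          sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
          # Protocol settings shared by every host below.
          kTLS = true;
          http2 = true;
          http3 = true;
          http3_hq = true;
          quic = true;
        in
        {
          "nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            locations = {
              "/" = {
                proxyPass = "http://staticweb";
                # extraConfig = [
                #   ''add_header Alt-Svc 'h3=":443"; ma=86400';''
                #   ''add_header Cache-Control "public";''
                # ] ++ common-location-conf;
              };
              # Matrix well-known discovery.  `extraConfig` is a `lines` option
              # (a string), not a list, so the directives are given as an
              # indented string.  The wildcard CORS header is what the Matrix
              # specification asks for on the client well-known document.
              "/.well-known/matrix/client" = {
                return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
                extraConfig = ''
                  default_type application/json;
                  add_header Access-Control-Allow-Origin *;
                '';
              };
              "/.well-known/matrix/server" = {
                return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
                extraConfig = ''
                  default_type application/json;
                  add_header Access-Control-Allow-Origin *;
                '';
              };
              # Sliding-sync paths go to the sliding-sync proxy.  Emitted before
              # the broader `~ ^(/_matrix|...)` regex below (default priority
              # 1000), which nginx would otherwise match first and answer with
              # a `return` since regex locations are tried in config order.
              "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
                priority = 900;
                proxyPass = "http://matrix-ss";
                # extraConfig = [
                #   ''proxy_set_header X-Forwarded-For $remote_addr;''
                #   ''proxy_set_header X-Forwarded-Proto $scheme;''
                #   ''proxy_set_header Host $host;''
                # ];
              };
              # NOTE(review): answers every other /_matrix and /_synapse/client
              # request on the apex host with the server well-known body instead
              # of proxying it -- presumably a placeholder; confirm.  (In a Nix
              # double-quoted string `\/` evaluates to `/`, so the slashes are
              # written plainly; the regex nginx sees is unchanged.)
              "~ ^(/_matrix|/_synapse/client)" = {
                return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
                # extraConfig = [];
              };
            };
          };

          "matrix.nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # 443 for clients, 8448 for federation.
            listen = [
              { addr = "0.0.0.0"; port = 443; ssl = true; }
              { addr = "0.0.0.0"; port = 8448; ssl = true; }
            ];
            locations = {
              "/" = {
                proxyPass = "http://matrix";
                # extraConfig = [
                #   ''add_header Alt-Svc 'h3=":443"; ma=86400';''
                #   ''add_header Cache-Control "public";''
                # ] ++ common-location-conf;
              };
            };
          };

          # Sliding-sync proxy, advertised in /.well-known/matrix/client above.
          "matrix-ss.nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            #   "resolver 1.1.1.1;"
            #   "client_max_body_size 500M;"
            # ];
            locations = {
              # Was `http://pw`, which routed sliding-sync requests (carrying
              # Matrix access tokens) to the unrelated `pw` upstream; the
              # `matrix-ss` upstream declared above is the intended backend.
              "/" = { proxyPass = "http://matrix-ss"; };
            };
          };

          # "dev.nx2.site" = {
          #   kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true; sslCertificate = cert; sslCertificateKey = key;
          #   listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
          #   locations = {
          #     "/" = {
          #       proxyPass = "http://dev";
          #     };
          #   };
          # };

          "pw.nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            locations = {
              "/" = { proxyPass = "http://pw"; };
              # NOTE(review): the admin path is reachable from anywhere; if the
              # backend's admin panel is enabled, restricting it by source
              # address (`allow`/`deny` in extraConfig) is worth considering.
              "/admin" = { proxyPass = "http://pw"; };
              "/notifications/hub" = { proxyPass = "http://pw"; };
              "/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
            };
          };

          "share.nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            locations = {
              "/" = {
                proxyPass = "http://share";
                #   ''proxy_hide_header Content-Disposition;''
                #   ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
                #   ''proxy_set_header X-Real-IP $remote_addr;''
                #   ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
                #   ''proxy_set_header Host $http_host;''
                # ];
              };
              # `proxyWebsockets` emits the HTTP/1.1 + Upgrade/Connection
              # directives the commented block used to set by hand.
              "/socket.io" = {
                proxyPass = "http://share/socket.io";
                proxyWebsockets = true;
                # extraConfig = [
                #   ''proxy_http_version 1.1;''
                #   ''proxy_set_header Upgrade $http_upgrade;''
                #   ''proxy_set_header Connection "upgrade";''
                # ];
              };
            };
          };

          "sync.nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            locations = {
              "/" = { proxyPass = "http://sync"; };
            };
          };

          "git.nx2.site" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            locations = {
              "/" = { proxyPass = "http://git"; };
            };
          };

          # Catch-all for every other *.nx2.site name: answer 502 instead of
          # falling through to one of the service vhosts.  The dots are escaped
          # as `\\.` because a Nix double-quoted string turns `\.` into a plain
          # `.`, which made the original pattern match any character there.
          "~^(.*)\\.nx2\\.site$" = {
            inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
            # Also serve as the default server, so a request whose SNI/Host
            # matches no vhost lands here rather than on the alphabetically
            # first vhost of the port.
            # NOTE(review): nginx refuses to start if another module already
            # declares a default vhost on :443 -- confirm before deploying.
            default = true;
            # listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
            # NOTE(review): hard-codes the `nx2` account while the `let` above
            # uses `${user}` -- confirm they are the same user.
            root = "/home/nx2/nx2site/staticweb/xcontent/";
            locations = {
              # NOTE(review): for a non-redirect status nginx sends the second
              # argument as the response body, so clients receive the literal
              # text `/502.html`; if the file under `root` is meant to be
              # served, `error_page 502 /502.html;` plus an exact-match
              # location for it is what does that.
              "~.*" = { return = "502 /502.html"; };
            };
          };
        };
    };
}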