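# NixOS module: nginx front end for `domain` and its subdomains.
#
# Certificates are obtained through ACME (HTTP-01, answered from the shared
# webroot); the Diffie-Hellman parameters and a spare certificate/key pair
# are delivered through sops.  Every virtual host shares one listener set.
{ config, pkgs, lib, domain, ... }:

let
  # Listener set used by every virtual host: plain HTTP and TLS on the
  # IPv4 and IPv6 wildcard addresses.  Passed as an explicit `listen`, it
  # takes precedence over the addSSL/onlySSL-derived listeners.
  dl = [
    { addr = "0.0.0.0"; port = 443; ssl = true; }
    { addr = "0.0.0.0"; port = 80; ssl = false; }
    { addr = "[::0]"; port = 443; ssl = true; }
    { addr = "[::0]"; port = 80; ssl = false; }
  ];

  # Common settings for a TLS-terminating host: HTTP/2, HTTP/3 over QUIC,
  # kernel TLS and a certificate requested through ACME.
  # NOTE(review): enableACME requests a separate certificate per host, while
  # the certs entry for the apex below already lists the subdomains as SANs;
  # `useACMEHost = domain` instead of `enableACME` would avoid the extra
  # issuances - confirm before switching.
  vh = {
    kTLS = true;
    http2 = true;
    http3 = true;
    http3_hq = true;
    quic = true;
    addSSL = true;
    enableACME = true;
  };

  # Location map for an application reached through "/", "/admin" and a
  # notifications hub; every path is forwarded unchanged to the same
  # upstream ("host:port").
  # NOTE(review): if the hub endpoint speaks WebSocket, those two locations
  # also need `proxyWebsockets = true` - confirm with the upstream.
  appLocations = upstream:
    builtins.listToAttrs (map
      (path: { name = path; value = { proxyPass = "http://${upstream}"; }; })
      [ "/" "/admin" "/notifications/hub" "/notifications/hub/negotiate" ]);
in
{
  # Secrets readable by the nginx user.  Only dhparams.pem is referenced in
  # this file; the certificate/key pair is provisioned for use elsewhere.
  sops.secrets = {
    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@${domain}";
      # HTTP-01 challenge files are written into the nginx document root.
      webroot = "/var/nginx/webroot";
      # Issued certificates are readable by the nginx group.
      group = "nginx";
    };
    certs = {
      "${domain}" = {
        # One certificate covering the apex and the proxied subdomains.
        extraDomainNames = builtins.map (subd: "${subd}.${domain}") [ "git" "git2" "pw" "pw2" "sync" ];
      };
    };
  };

  # Dedicated nginx account whose home is the parent of the webroot.
  # Membership in "acme" grants read access to the issued certificates.
  users.users."nginx" = {
    extraGroups = [ "nginx" "acme" ];
    useDefaultShell = false;
    linger = true;
    home = "/var/nginx/";
    homeMode = "770";
    createHome = true;
    isSystemUser = true;
    isNormalUser = false;
  };

  # Hardening: the unit sees /home, /root and /run/user read-only.  The
  # nginx home under /var is outside those paths and is not affected.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  services.nginx = {
    enable = true;
    user = "nginx";
    group = "nginx";
    additionalModules = [ ];
    # appendConfig = '''';
    clientMaxBodySize = "20m";
    defaultHTTPListenPort = 80;
    # Only consulted when a host has no `listen` and `defaultListen` is
    # empty; both are set in this file, so this list (and its IPv6
    # conditional) currently has no effect.
    defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
    defaultListen = dl;
    defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
    defaultSSLListenPort = 443;
    # QUIC requires the QUIC-capable package selected below.
    enableQuicBPF = true;
    enableReload = true;
    package = pkgs.nginxQuic;
    # Upstream names (e.g. *.docker) are resolved once at start-up, not
    # re-resolved while running.
    proxyResolveWhileRunning = false;
    proxyTimeout = "20s";
    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;
    # Do not advertise the nginx version.
    serverTokens = false;
    sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
    sslProtocols = "TLSv1.2 TLSv1.3";
    statusPage = false;
    streamConfig = ""; # udp config
    validateConfigFile = true;

    virtualHosts = {
      # Static site; also the default server for names no other host matches.
      "${domain}" = vh // {
        root = "/var/nginx/webroot";
        default = true;
        listen = dl;
        locations = {
          "/" = {
            # Serve extension-less URLs and redirect explicit ".html"
            # requests to their canonical form.
            extraConfig = ''
              index index.html;
              if ($request_uri ~ ^/(.*)\.html(\?|$)) {
                return 301 /$1;
              }
              try_files $uri $uri.html $uri/ /404.html =404;
            '';
          };
          "~^(/ba)$" = { return = "301 /BA.pdf"; };
          # Matrix delegation is deliberately disabled.
          "/.well-known/matrix/client" = { return = "502"; };
          "/.well-known/matrix/server" = { return = "502"; };
        };
      };

      # Bound to the TLS listeners through `dl` but has no certificate of
      # its own (the name is not in extraDomainNames and the host does not
      # request one).  TLS handshakes for it are therefore refused
      # explicitly (ssl_reject_handshake) instead of falling back to
      # whatever certificate the default server presents.
      "matrix.${domain}" = {
        listen = dl;
        rejectSSL = true;
        locations = {
          "~.*" = { return = "502"; };
        };
      };

      "pw.${domain}" = vh // {
        listen = dl;
        locations = appLocations "pw.docker:80";
      };

      "pw2.${domain}" = vh // {
        listen = dl;
        locations = appLocations "127.0.0.1:8222";
      };

      "sync.${domain}" = vh // {
        listen = dl;
        locations = {
          "/" = { proxyPass = "http://127.0.0.1:11434"; };
        };
      };

      "git.${domain}" = vh // {
        listen = dl;
        locations = {
          "/" = { proxyPass = "http://git.docker:3000"; };
        };
      };

      # NOTE(review): same upstream as pw2 (127.0.0.1:8222) - confirm this
      # is intended rather than a copy of the pw2 backend.
      "git2.${domain}" = vh // {
        listen = dl;
        locations = {
          "/" = { proxyPass = "http://127.0.0.1:8222"; };
        };
      };

      # Catch-all for any other name under the domain: send the client to
      # the error page on the main host.  Like the matrix host it carries
      # no certificate, so TLS is rejected rather than answered with the
      # default server's certificate.
      # NOTE(review): the "." before the domain is not escaped, so the
      # pattern is slightly wider than intended; harmless because the main
      # host is the default server anyway.
      "~^(.*).${domain}$" = {
        listen = dl;
        rejectSSL = true;
        root = "/var/nginx/webroot";
        locations = {
          "~.*" = { return = "301 https://${domain}/502.html"; };
        };
      };
    };
  };
}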