{ config, pkgs, lib, user, ... }:

let
  # The nginx service user; secrets below are made readable by it.
  nginxUser = config.services.nginx.user;

  # Document root of the main site; also the ACME http-01 challenge webroot.
  webroot = "/var/nginx/webroot";

  # Path of a sops-provisioned secret under the "nx2site/" prefix.
  secretPath = name: config.sops.secrets."nx2site/${name}".path;

  bindAddrs = [ "0.0.0.0" "[::0]" ];

  # Per-vhost listen list: TLS on 443 and plain HTTP on 80 for each bind address.
  # These entries do NOT set proxyProtocol (unlike `defaultListen` below).
  dl = lib.concatMap (addr: [
    { inherit addr; port = 443; ssl = true; }
    { inherit addr; port = 80; ssl = false; }
  ]) bindAddrs;

  # Shared settings for vhosts that terminate TLS with their own ACME certificate.
  vh = lib.genAttrs [ "kTLS" "http2" "http3" "http3_hq" "quic" "addSSL" "enableACME" ] (_: true);

  # Upstream name -> backend address (container DNS names and one local port).
  backends = {
    "staticweb" = "staticweb.docker:80";
    "matrix" = "matrix.docker:80";
    "matrix-ss" = "matrix-ss.docker:80";
    "pw" = "pw.docker:80";
    "git" = "git.docker:3000";
    "nn" = "nn.docker:80";
    "llm" = "llm.docker:80";
    "share" = "share.docker:80";
    "sync" = "localhost:8384";
  };
in
{
  # Decrypted at boot and owned by the nginx user. Only dhparams.pem is consumed
  # in this file (sslDhparam below); the certificate/key pair has no consumer
  # here. NOTE(review): if nothing else references the pair, consider not
  # provisioning it, so unused key material is not left readable by nginx.
  sops.secrets = lib.genAttrs [
    "nx2site/sslCertificate.pem"
    "nx2site/sslCertificateKey.pem"
    "nx2site/dhparams.pem"
  ] (_: { owner = nginxUser; });

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@nx2.site";
      inherit webroot;
      # Issued certificates are group-readable by nginx.
      group = "nginx";
    };
    # Extra SANs on the main certificate. The pw/git vhosts also set
    # enableACME themselves, so they obtain certificates of their own as well.
    certs."nx2.site".extraDomainNames = [ "git.nx2.site" "pw.nx2.site" ];
  };

  users.users.nginx = {
    isSystemUser = true;
    isNormalUser = false;
    # "acme" grants read access to the certificate directories.
    extraGroups = [ "nginx" "acme" ];
    useDefaultShell = false;
    linger = true;
    # The webroot lives inside this home directory; group-writable so the
    # ACME client can place challenge files there.
    home = "/var/nginx/";
    homeMode = "770";
    createHome = true;
  };

  # Hardening: /home, /root and /run/user are read-only for the nginx process.
  # The nginx home is /var/nginx, outside those paths, so serving is unaffected.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  services.nginx = {
    enable = true;
    user = "nginx";
    group = "nginx";
    package = pkgs.nginxQuic;
    additionalModules = [ ];

    clientMaxBodySize = "20m";
    defaultHTTPListenPort = 80;
    defaultSSLListenPort = 443;
    defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optionals config.networking.enableIPv6 [ "[::0]" ];

    # Fallback listeners for vhosts that set no `listen` of their own.
    # proxyProtocol = true makes nginx accept a PROXY header from the peer, so
    # such a listener must only be reachable from the trusted proxy/LB that
    # emits it (combine with a restricted set_real_ip_from), never directly
    # from clients. Every vhost in this file overrides `listen` with `dl`, so
    # these entries are currently dormant.
    defaultListen = map (addr: {
      inherit addr;
      port = 443;
      ssl = true;
      proxyProtocol = true;
    }) bindAddrs;

    defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
    enableQuicBPF = true;
    enableReload = true;
    proxyResolveWhileRunning = false;
    proxyTimeout = "20s";

    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;

    # Do not advertise the nginx version in headers/error pages.
    serverTokens = false;
    # sslCiphers is left at the module default.
    sslDhparam = secretPath "dhparams.pem";
    sslProtocols = "TLSv1.2 TLSv1.3";
    statusPage = false;
    streamConfig = "";
    validateConfigFile = true;

    upstreams = lib.mapAttrs (_: backend: { servers.${backend} = { }; }) backends;

    virtualHosts = {
      # Main static site and default server for all listeners.
      "nx2.site" = vh // {
        root = webroot;
        default = true;
        listen = dl;
        locations = {
          "/" = {
            # Serve extension-less URLs and redirect explicit ".html" requests
            # to their canonical form. `return` inside `if` is one of the safe
            # uses of nginx's `if`.
            extraConfig = ''
              index index.html;
              if ($request_uri ~ ^/(.*)\.html(\?|$)) { return 301 /$1; }
              try_files $uri $uri.html $uri/ /404.html =404;
            '';
          };
          "~^(/ba)$" = { return = "301 /BA.pdf"; };
          # Matrix well-known endpoints are currently disabled (502); the
          # federation/client delegation JSON is intentionally not published.
          "/.well-known/matrix/client" = { return = "502"; };
          "/.well-known/matrix/server" = { return = "502"; };
        };
      };

      # Matrix vhost, currently parked: every request answers 502.
      # NOTE(review): this vhost carries no certificate settings of its own
      # (no `vh`), so on the TLS listeners nginx presumably presents the
      # default server's certificate, which would not match this hostname —
      # confirm whether rejectSSL or an ACME certificate is intended.
      "matrix.nx2.site" = {
        listen = dl;
        locations."~.*" = { return = "502"; };
      };

      "pw.nx2.site" = vh // {
        listen = dl;
        # NOTE(review): if the backend's notification hub is a websocket
        # endpoint, the /notifications/hub locations need proxyWebsockets —
        # confirm against the pw service.
        locations = lib.genAttrs [
          "/"
          "/admin"
          "/notifications/hub"
          "/notifications/hub/negotiate"
        ] (_: { proxyPass = "http://pw"; });
      };

      "git.nx2.site" = vh // {
        listen = dl;
        locations."/" = { proxyPass = "http://git"; };
      };

      # Catch-all for any other *.nx2.site name: redirect to the 502 page.
      # NOTE(review): as with matrix.nx2.site, no certificate is configured
      # here, so the redirect is only reached cleanly over plain HTTP; on 443
      # the default server's certificate is presumably presented first.
      "~^(.*).nx2.site$" = {
        listen = dl;
        root = webroot;
        locations."~.*" = { return = "301 https://nx2.site/502.html"; };
      };
    };
  };
}