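# NixOS module: nginx front end for `hyper.domain` and its subdomains
# (static site plus reverse proxies), with ACME certificates and
# sops-managed secrets.
#
# Fix: `lib` is used below (`lib.optional`, `lib.mkIf`) but was missing from
# the module's argument set, so evaluation failed with an undefined variable.
{ config, hyper, lib, pkgs, ... }:
{
  # Secrets decrypted by sops, owned by the nginx user so the server can read them.
  # NOTE(review): only dhparams.pem is referenced in this file (via sslDhparam);
  # the certificate/key secrets may be consumed elsewhere — confirm before removing.
  sops.secrets = {
    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@${hyper.domain}";
      # HTTP-01 challenge files are served from the main vhost's document root.
      webroot = config.services.nginx.virtualHosts."${hyper.domain}".root;
      group = "nginx";
    };
    certs = {
      "${hyper.domain}" = {
        extraDomainNames = builtins.map (subd: "${subd}.${hyper.domain}") [ "sync" ];
      };
    };
  };

  users.users."nginx" = {
    # "acme" membership lets nginx read the issued certificates.
    extraGroups = [ "nginx" "acme" ];
    useDefaultShell = false;
    linger = true;
    home = "/var/nginx/";
    # Group-writable home: every member of group nginx can write here.
    homeMode = "770";
    createHome = true;
    isSystemUser = true;
    isNormalUser = false;
  };

  # Hardening: systemd's ProtectHome covers /home, /root and /run/user; the
  # nginx home above lives under /var, so this setting does not restrict it.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  services.nginx =
    let
      # Shared listen set: TLS on 443 and plain HTTP on 80, for IPv4 and IPv6.
      dl = [
        { addr = "0.0.0.0"; port = 443; ssl = true; }
        { addr = "0.0.0.0"; port = 80; ssl = false; }
        { addr = "[::0]"; port = 443; ssl = true; }
        { addr = "[::0]"; port = 80; ssl = false; }
      ];
    in
    {
      enable = true;
      user = "nginx";
      group = "nginx";
      additionalModules = [];
      # appendConfig = '''';
      clientMaxBodySize = "20m";
      defaultHTTPListenPort = 80;
      defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
      defaultListen = dl;
      defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
      defaultSSLListenPort = 443;
      enableQuicBPF = true;
      enableReload = true;
      package = pkgs.nginxQuic;
      proxyResolveWhileRunning = false;
      proxyTimeout = "20s";
      recommendedBrotliSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedZstdSettings = true;
      # Do not advertise the nginx version in headers/error pages.
      serverTokens = false;
      sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
      # Legacy TLS 1.0/1.1 are not offered.
      sslProtocols = "TLSv1.2 TLSv1.3";
      statusPage = false;
      streamConfig = ""; # udp config
      validateConfigFile = true;

      virtualHosts =
        let
          # Common preset for TLS-terminated hosts: HTTP/2, HTTP/3 over QUIC,
          # redirect plain HTTP to HTTPS, and request an ACME certificate.
          vh = {
            kTLS = true;
            http2 = true;
            http3 = true;
            http3_hq = true;
            quic = true;
            forceSSL = true;
            enableACME = true;
          };
        in
        {
          "${hyper.domain}" = vh // {
            # root = "/var/nginx/webroot";
            root = "/var/lib/hugo/nx2site/public";
            default = true;
            listen = dl;
            locations = {
              "/" = {
                extraConfig = ''
                  index index.html;
                '';
              };
              "~^(/ba)$" = { return = "301 /BA.pdf"; };
              "/.well-known/matrix/client" = { return = "502"; };
              "/.well-known/matrix/server" = { return = "502"; };
              "/phone" = { return = "301 /en/cards/phone"; };
              "/about-me" = { return = "301 /en/slides/about-me"; };
              "/about-this-site" = { return = "301 /en/slides/about-this-site"; };
              "/gpg" = { return = "301 /en/cards/gpg"; };
              "/contact" = { return = "301 /en/cards/contact"; };
            };
          };

          # NOTE(review): this host does not use `vh`, so it listens on 443
          # (ssl = true in `dl`) without forceSSL/enableACME or a certificate
          # of its own; whether nginx rejects that or falls back to the default
          # server's certificate should be confirmed (validateConfigFile is on).
          "matrix.${hyper.domain}" = {
            listen = dl;
            locations = {
              "~.*" = { return = "502"; };
            };
          };

          # "pw.${hyper.domain}" = vh // {
          #   listen = dl;
          #   locations = let d = "pw.docker:80"; in {
          #     "/" = { proxyPass = "http://${d}"; };
          #     "/admin" = { proxyPass = "http://${d}"; };
          #     "/notifications/hub" = { proxyPass = "http://${d}"; };
          #     "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
          #   };
          # };
          # Vaultwarden: the upstream address is taken from its own NixOS config.
          "pw.${hyper.domain}" = vh // {
            listen = dl;
            locations =
              let
                d = with config.services.vaultwarden.config;
                  "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}";
              in
              {
                "/" = { proxyPass = "http://${d}"; };
                "/admin" = { proxyPass = "http://${d}"; };
                "/notifications/hub" = { proxyPass = "http://${d}"; };
                "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
              };
          };

          "sync.${hyper.domain}" = vh // {
            listen = dl;
            locations = {
              "/" = { proxyPass = "http://127.0.0.1:8384"; };
            };
          };

          # "git.${hyper.domain}" = vh // {
          #   listen = dl;
          #   locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
          # };
          "git.${hyper.domain}" = vh // {
            http2 = false;
            listen = dl;
            locations = {
              "/" = { proxyPass = "http://127.0.0.1:3000"; };
            };
          };

          "doc.${hyper.domain}" = vh // {
            listen = dl;
            locations = {
              "/" = { proxyPass = "http://127.0.0.1:8441"; };
            };
          };

          # Only defined when radicale is enabled on this host.
          "dav.${hyper.domain}" = lib.mkIf config.services.radicale.enable (vh // {
            listen = dl;
            locations = {
              "/" = { proxyPass = "http://127.0.0.1:5232"; };
            };
          });

          # "nc.${hyper.domain}" = vh // {
          #   # directly to nc
          # };

          "abs.${hyper.domain}" = vh // {
            listen = dl;
            locations."/" = {
              proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
              proxyWebsockets = true;
            };
          };

          "pnx.${hyper.domain}" = vh // {
            listen = dl;
            locations."/" = {
              proxyPass = "http://127.0.0.1:8040";
              proxyWebsockets = true;
            };
          };

          "old.${hyper.domain}" = vh // {
            listen = dl;
            root = "/var/nginx/webroot";
          };

          "dev.${hyper.domain}" = vh // {
            listen = dl;
            locations."/" = {
              proxyPass = "http://127.0.0.1:8080";
              proxyWebsockets = true;
            };
          };

          # is done automatically
          # "cal.${hyper.domain}" = vh // {
          #   listen = dl;
          #   locations = { "/" = {
          #     proxyPass = "http://unix:///run/open-web-calendar/socket";
          #     proxyWebsockets = true;
          #   }; };
          # };

          # Catch-all for any other subdomain: redirect to the main site's 502 page.
          # The dots in this regex are unescaped (they match any character); as a
          # last-resort fallback that is harmless, but the host also listens on 443
          # without a certificate of its own (same caveat as the matrix host above).
          "~^(.*).${hyper.domain}$" = {
            listen = dl;
            root = "/var/nginx/webroot";
            locations = {
              "~.*" = { return = "301 https://${hyper.domain}/502.html"; };
            };
          };
        };
    };
}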