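# nginx reverse proxy for the nx2site host: ACME-backed TLS termination for
# ${hyper.domain} and its subdomains, a static site on the apex domain and one
# virtual host per local service, each forwarded to a loopback upstream.
#
# `lib` is taken from the module arguments (it is used by `lib.optional`,
# `lib.optionals`, `lib.mkIf` and `lib.escapeRegex` below).
{ config, hyper, lib, pkgs, ... }:
{
  # Private material that the nginx user must be able to read.  Within this
  # file only dhparams.pem is referenced (see `sslDhparam`); the certificate
  # pair is declared here but not wired into nginx by this module.
  sops.secrets = {
    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
  };

  # ACME via the HTTP-01 webroot that the apex vhost serves from /var/nginx/webroot.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@${hyper.domain}";
      webroot = "/var/nginx/webroot";
      group = "nginx";
    };
    certs = {
      "${hyper.domain}" = {
        # Subdomains issued as additional names on the apex certificate.
        extraDomainNames = builtins.map (subd: "${subd}.${hyper.domain}") [ "sync" ];
      };
    };
  };

  users.users."nginx" = {
    # `acme` presumably grants read access to the issued certificates; confirm
    # against the acme module's ownership of the certificate directory.
    extraGroups = [ "nginx" "acme" ];
    useDefaultShell = false;
    linger = true;
    # The ACME webroot and the static site live under the home directory.
    home = "/var/nginx/";
    homeMode = "770";
    createHome = true;
    isSystemUser = true;
    isNormalUser = false;
  };

  # Keep the nginx service from writing under /home, /root and /run/user.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  services.nginx = let
    v4Listen = [
      { addr = "0.0.0.0"; port = 443; ssl = true; }
      { addr = "0.0.0.0"; port = 80; ssl = false; }
    ];
    v6Listen = [
      { addr = "[::0]"; port = 443; ssl = true; }
      { addr = "[::0]"; port = 80; ssl = false; }
    ];
    # Listen set shared by every vhost.  IPv6 sockets are only requested when
    # the host has IPv6 enabled, matching `defaultListenAddresses` below.
    dl = v4Listen ++ lib.optionals config.networking.enableIPv6 v6Listen;
  in {
    enable = true;
    user = "nginx";
    group = "nginx";
    additionalModules = [];
    # appendConfig = '''';
    clientMaxBodySize = "20m";
    defaultHTTPListenPort = 80;
    defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
    defaultListen = dl;
    defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
    defaultSSLListenPort = 443;
    # QUIC/HTTP3 support comes from the nginxQuic package selected below.
    enableQuicBPF = true;
    enableReload = true;
    package = pkgs.nginxQuic;
    proxyResolveWhileRunning = false;
    proxyTimeout = "20s";
    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;
    # Hide the nginx version in responses and error pages.
    serverTokens = false;
    # DH parameters are supplied from the sops secret rather than generated.
    sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
    sslProtocols = "TLSv1.2 TLSv1.3";
    statusPage = false;
    streamConfig = ""; # udp config
    validateConfigFile = true;

    virtualHosts = let
      # Settings shared by the hardened vhosts: HTTP redirects to HTTPS and the
      # certificate is obtained through ACME.
      vh = {
        kTLS = true;
        http2 = true;
        http3 = true;
        http3_hq = true;
        quic = true;
        forceSSL = true;
        enableACME = true;
      };
    in {
      # Static site; also the default server for requests whose Host header
      # matches no other vhost.
      "${hyper.domain}" = vh // {
        root = "/var/nginx/webroot";
        default = true;
        listen = dl;
        locations = {
          "/" = {
            # Clean URLs: /page.html redirects to /page, which try_files then
            # resolves back to page.html.
            extraConfig = ''
              index index.html;
              if ($request_uri ~ ^/(.*)\.html(\?|$)) {
                return 301 /$1;
              }
              try_files $uri $uri.html $uri/ /404.html =404;
            '';
          };
          "~^(/ba)$" = { return = "301 /BA.pdf"; };
          "/.well-known/matrix/client" = { return = "502"; };
          "/.well-known/matrix/server" = { return = "502"; };
        };
      };

      # Matrix traffic is answered with 502 rather than proxied.
      # NOTE(review): this host does not extend `vh`, so it has neither
      # forceSSL nor enableACME while still listening on the TLS port through
      # `dl`; confirm it is meant to be served under the default server's
      # certificate.
      "matrix.${hyper.domain}" = {
        listen = dl;
        locations = { "~.*" = { return = "502"; }; };
      };

      # "pw.${hyper.domain}" = vh // {
      #   listen = dl;
      #   locations = let d = "pw.docker:80"; in {
      #     "/" = { proxyPass = "http://${d}"; };
      #     "/admin" = { proxyPass = "http://${d}"; };
      #     "/notifications/hub" = { proxyPass = "http://${d}"; };
      #     "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
      #   };
      # };

      # Vaultwarden; the upstream address is read from its own service
      # configuration so the two modules cannot drift apart.
      "pw.${hyper.domain}" = vh // {
        listen = dl;
        locations = let
          d = with config.services.vaultwarden.config; "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}";
        in {
          "/" = { proxyPass = "http://${d}"; };
          "/admin" = { proxyPass = "http://${d}"; };
          "/notifications/hub" = { proxyPass = "http://${d}"; };
          "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
        };
      };

      "sync.${hyper.domain}" = vh // {
        listen = dl;
        locations = { "/" = { proxyPass = "http://127.0.0.1:11434"; }; };
      };

      # "git.${hyper.domain}" = vh // {
      #   listen = dl;
      #   locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
      # };

      # HTTP/2 is switched off for this host only.
      "git.${hyper.domain}" = vh // {
        http2 = false;
        listen = dl;
        locations = { "/" = { proxyPass = "http://127.0.0.1:3000"; }; };
      };

      "doc.${hyper.domain}" = vh // {
        listen = dl;
        locations = { "/" = { proxyPass = "http://127.0.0.1:8441"; }; };
      };

      # Only defined when radicale is enabled on this host.
      "dav.${hyper.domain}" = lib.mkIf config.services.radicale.enable (vh // {
        listen = dl;
        locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; };
      });

      # "nc.${hyper.domain}" = vh // {
      #   # directly to nc
      # };

      # Audiobookshelf; the port follows its service configuration.
      "abs.${hyper.domain}" = vh // {
        listen = dl;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
          proxyWebsockets = true;
        };
      };

      "pnx.${hyper.domain}" = vh // {
        listen = dl;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8040";
          proxyWebsockets = true;
        };
      };

      # No locations: serves nothing beyond the HTTPS redirect and ACME challenge.
      "wip.${hyper.domain}" = vh // {
        listen = dl;
      };

      "dev.${hyper.domain}" = vh // {
        listen = dl;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080";
          proxyWebsockets = true;
        };
      };

      # is done automatically
      # "cal.${hyper.domain}" = vh // {
      #   listen = dl;
      #   locations = { "/" = {
      #     proxyPass = "http://unix:///run/open-web-calendar/socket";
      #     proxyWebsockets = true;
      #   }; };
      # };

      # Any other subdomain: redirect to the apex site's 502 page.  The dot
      # before the domain is escaped and the domain itself regex-escaped so the
      # server_name pattern matches only real subdomains of ${hyper.domain}.
      # NOTE(review): like the matrix host this block does not extend `vh`, so
      # it listens on 443 without its own forceSSL/enableACME settings.
      "~^(.*)\\.${lib.escapeRegex hyper.domain}$" = {
        listen = dl;
        root = "/var/nginx/webroot";
        locations = { "~.*" = { return = "301 https://${hyper.domain}/502.html"; }; };
      };
    };
  };
}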