nx2/dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
73b0e338fca7accd4001e789cbd07e05d3e9cb05
dotfiles/system-modules/nx2site/proxy.nix
Lennart J. Kurzweg (Nx2) 73b0e338fc nx2site save (unused)
2024-07-28 17:19:25 +02:00

187 lines
7.3 KiB
Nix
Raw Blame History

{ config, pkgs, lib, user }:
{
sops.secrets = {
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
"nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
"nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
};
services.nginx = let
config-root = /home/${user}/nx2site/proxy/config;
xcontent-root = /home/${user}/nx2site/proxy/xcontent;
content-root = /home/${user}/nx2site/proxy/content;
in {
enable = true;
additionalModules = [];
# appendConfig = '''';
clientMaxBodySize = "20m";
defaultHTTPListenPort = 80;
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
defaultListen = [ {
addr = "0.0.0.0";
ssl = true;
port = 443;
proxyProtocol = true;
}];
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
defaultSSLListenPort = 443;
enableQuicBPF = true;
enableReload = true;
# eventsConfig = '''';
# logError = ;
# mapHashBucketSize = ;
# mapHashMaxSize = ;
package = pkgs.nginxQuic;
# preStart = true;
proxyResolveWhileRunning = false;
proxyTimeout = "20s";
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
serverTokens = false;
# sslCiphers = true;
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
sslProtocols = "TLSv1.2 TLSv1.3";
statusPage = false;
streamConfig = ""; # udp config
validateConfigFile = true;
upstreams = {
"staticweb".servers = { "staticweb.docker:80" = {}; };
"matrix".servers = { "matrix.docker:80" = {}; };
"matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
"pw".servers = { "pw.docker:80" = {}; };
"git".servers = { "git.docker:80" = {}; };
"nn".servers = { "nn.docker:80" = {}; };
"llm".servers = { "llm.docker:80" = {}; };
"share".servers = { "share.docker:80" = {}; };
"sync".servers = { "localhost:8384" = {}; };
};
virtualHosts = let
sslCertificate = config.sops.secrets."nx2site/sslCertificate.pem".path;
sslCertificateKey = config.sops.secrets."nx2site/sslCertificateKey.pem".path;
kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
in
{
"nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = {
proxyPass = "http://staticweb";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
"/.well-known/matrix/client" = {
return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"/.well-known/matrix/server" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
extraConfig = [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
};
"~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
proxyPass = "http://matrix-ss";
# extraConfig = [ ''proxy_set_header X-Forwarded-For $remote_addr;'' ''proxy_set_header X-Forwarded-Proto $scheme;'' ''proxy_set_header Host $host;'' ];
};
"~ ^(\/_matrix|\/_synapse\/client)" = {
return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
# extraConfig = [];
};
};
};
"matrix.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
listen = [
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 8448; ssl = true; }
];
locations = {
"/" = {
proxyPass = "http://matrix";
# extraConfig = [ ''add_header Alt-Svc 'h3=":443"; ma=86400';'' ''add_header Cache-Control "public";'' ] ++ common-location-conf;
};
};
};
"matrix-ss.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# "resolver 1.1.1.1;"
# "client_max_body_size 500M;"
# ];
locations = {
"/" = { proxyPass = "http://pw"; };
};
};
# "dev.nx2.site" = {
# kTLS = true; http2 = true; http3 = true; http3_hq = true; quic = true;
sslCertificate = cert; sslCertificateKey = key;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
# locations = {
# "/" = {
# proxyPass = "http://dev";
# };
# };
# };
"pw.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://pw"; };
"/admin" = { proxyPass = "http://pw"; };
"/notifications/hub" = { proxyPass = "http://pw"; };
"/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
};
};
"share.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://share"; # ''proxy_hide_header Content-Disposition;''
# ''proxy_set_header Content-Disposition $upstream_http_content_disposition;''
# ''proxy_set_header X-Real-IP $remote_addr;''
# ''proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;''
# ''proxy_set_header Host $http_host;''
# ];
};
"/socket.io" = {
proxyPass = "http://share/socket.io";
proxyWebsockets = true;
# extraConfig = [
# ''proxy_http_version 1.1;''
# ''proxy_set_header Upgrade $http_upgrade;''
# ''proxy_set_header Connection "upgrade";''
# ];
};
};
};
"sync.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://sync"; };
};
};
"git.nx2.site" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
locations = {
"/" = { proxyPass = "http://git"; };
};
};
"~^(.*)\.nx2\.site$" = {
inherit sslCertificate sslCertificateKey kTLS http2 http3 http3_hq quic;
# listen = [ { addr = "0.0.0.0"; port = 443; ssl = true; } ];
root = "/home/nx2/nx2site/staticweb/xcontent/";
locations = {
"~.*" = {
return = "502 /502.html";
};
};
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink