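{ config, pkgs, lib, user, ... }:

# TLS edge / reverse proxy for nx2.site and its subdomains.
#
# Backends are reached over plain HTTP (the *.docker names and
# localhost:8384 in `upstreams`); every public-facing connection
# terminates TLS here.  Certificates come from ACME; sops only supplies
# the DH parameters (and two PEM files that are no longer referenced).
{
  sops.secrets = {
    # NOTE(review): the two certificate files below are not referenced
    # anywhere in this module any more (ACME is used for every TLS host);
    # they are still decrypted into /run/secrets and readable by nginx.
    # Drop them unless another module consumes them.
    "nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
    "nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
    # DH parameters are not secret, but keeping the file out of the Nix
    # store avoids regenerating it on every rebuild.
    "nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
  };

  security.acme = {
    acceptTerms = true;

    defaults = {
      email = "acme@nx2.site";
      # NOTE(review): the nginx module gives each enableACME vhost's cert
      # its own webroot (the vhost's acmeRoot, /var/lib/acme/acme-challenge
      # by default), so this default is probably not what the nx2.site cert
      # actually uses — check with `nix eval` before relying on it.
      webroot = "/var/nginx/webroot";
      # Certificate files are group-owned by nginx so the worker can read
      # them without any membership in the acme group.
      group = "nginx";
    };

    certs = {
      # One certificate for the apex plus both proxied subdomains; the pw.
      # and git. vhosts below attach to it via useACMEHost instead of
      # ordering a second and third certificate for the same names.
      "nx2.site" = {
        extraDomainNames = [ "git.nx2.site" "pw.nx2.site" ];
      };
    };
  };

  users.users."nginx" = {
    # "acme" was removed from the supplementary groups: the cert files are
    # already group-readable by nginx (security.acme.defaults.group above),
    # so acme-group membership only widened what the worker could read.
    extraGroups = [ "nginx" ];
    useDefaultShell = false;
    # NOTE(review): lingering starts a per-user systemd manager for this
    # system account at boot; nginx runs as a system service and gets
    # nothing from it.  Consider dropping it.
    linger = true;
    home = "/var/nginx/";
    # NOTE(review): 770 makes the whole tree group-writable.  The ACME
    # client runs with the nginx group and may need to create challenge
    # files under the webroot, so only tighten this after confirming where
    # the challenge directory really lives (see the webroot note above).
    homeMode = "770";
    createHome = true;
    isSystemUser = true;
    isNormalUser = false;
  };

  # NOTE(review): ProtectHome governs /home, /root and /run/user only — it
  # does nothing for /var/nginx.  "read-only" is looser than the module's
  # own hardening default (believed to be `true`); remove this override
  # unless nginx genuinely has to read something under /home.
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";

  services.nginx = {
    enable = true;

    user = "nginx";
    group = "nginx";

    additionalModules = [];

    # Applies to every vhost; note that large git pushes through the git
    # upstream are bounded by this as well.
    clientMaxBodySize = "20m";

    # defaultListen below takes precedence over these two; they are kept
    # for clarity only.
    defaultHTTPListenPort = 80;
    defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";

    # Every vhost in this file sets its own `listen`, so these entries only
    # take effect for a vhost added later without one.
    # NOTE(review): proxyProtocol on a publicly reachable listener lets any
    # client forge the PROXY header — and therefore $remote_addr and the
    # X-Forwarded-For the proxy settings derive from it — unless
    # set_real_ip_from restricts it to the upstream load balancer.  Keep it
    # only if 443 is really fronted by such a proxy.
    defaultListen = [
      { addr = "0.0.0.0"; ssl = true; port = 443; proxyProtocol = true; }
      { addr = "[::0]";   ssl = true; port = 443; proxyProtocol = true; }
    ];

    defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
    defaultSSLListenPort = 443;

    enableQuicBPF = true;
    enableReload = true;

    package = pkgs.nginxQuic;

    proxyResolveWhileRunning = false;
    # Connect/send/read timeout for every proxied location; long-lived
    # websocket connections (see pw.nx2.site) are cut by this too.
    proxyTimeout = "20s";

    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;

    # Hide the nginx version in Server: and error pages.
    serverTokens = false;

    # Cipher list intentionally left at the NixOS default.
    sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
    sslProtocols = "TLSv1.2 TLSv1.3";

    statusPage = false;
    streamConfig = ""; # no udp/tcp stream proxies
    validateConfigFile = true;

    # Backends, all plain HTTP on the docker network or localhost.
    upstreams = {
      "staticweb".servers = { "staticweb.docker:80" = {}; };
      "matrix".servers    = { "matrix.docker:80" = {}; };
      "matrix-ss".servers = { "matrix-ss.docker:80" = {}; };
      "pw".servers        = { "pw.docker:80" = {}; };
      "git".servers       = { "git.docker:3000" = {}; };
      "nn".servers        = { "nn.docker:80" = {}; };
      "llm".servers       = { "llm.docker:80" = {}; };
      "share".servers     = { "share.docker:80" = {}; };
      "sync".servers      = { "localhost:8384" = {}; };
    };

    virtualHosts = let
      # Shared settings for every host that serves real content.
      #
      # forceSSL (rather than addSSL) makes port 80 answer only with a
      # redirect to https:// plus the ACME challenge path, so logins to the
      # password manager or git forge are never accepted in clear text.
      tlsHost = {
        kTLS = true;
        http2 = true;
        http3 = true;
        # hq-interop is the QUIC interoperability-testing protocol, not
        # something browsers negotiate; leave it off on a production edge.
        http3_hq = false;
        quic = true;
        forceSSL = true;
        # One-year HSTS.  No includeSubDomains/preload on purpose:
        # matrix.* and the wildcard catch-all below do not terminate TLS,
        # so a subdomain-wide policy would break their HTTP redirects.
        extraConfig = ''
          add_header Strict-Transport-Security "max-age=31536000" always;
        '';
      };

      # Public listeners: 443 (TLS) and 80 (redirect / ACME) on v4 and v6.
      publicListen = [
        { addr = "0.0.0.0"; port = 443; ssl = true; }
        { addr = "0.0.0.0"; port = 80;  ssl = false; }
        { addr = "[::0]";   port = 443; ssl = true; }
        { addr = "[::0]";   port = 80;  ssl = false; }
      ];

      # Hosts without a certificate: answer on 80, and on 443 refuse the
      # TLS handshake (ssl_reject_handshake) instead of letting nginx fall
      # back to the apex certificate for a name it does not cover.
      rejectHost = {
        listen = publicListen;
        rejectSSL = true;
      };
    in {
      # Static site; also the default server for requests with an unknown
      # or missing Host header.
      "nx2.site" = tlsHost // {
        enableACME = true;
        root = "/var/nginx/webroot";
        default = true;
        listen = publicListen;
        locations = {
          "/" = {
            extraConfig = ''
              index index.html;
              # Canonicalise /page.html -> /page (the query string is dropped,
              # since `return` does not append $args).
              if ($request_uri ~ ^/(.*)\.html(\?|$)) {
                return 301 /$1;
              }
              try_files $uri $uri.html $uri/ /404.html =404;
            '';
          };
          "~^(/ba)$" = {
            return = "301 /BA.pdf";
          };
          # Matrix is currently switched off; both well-known endpoints
          # answer 502 until the homeserver comes back.
          "/.well-known/matrix/client" = {
            return = "502";
            # return = ''200 '{"m.homeserver": {"base_url": "https://matrix.nx2.site"}, "org.matrix.msc3575.proxy": {"url": "https://matrix-ss.nx2.site"}}' '';
            # extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
          };
          "/.well-known/matrix/server" = {
            return = "502";
            # return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
            # extraConfig = builtins.concatStringsSep "\n" [ "default_type application/json;" "add_header Access-Control-Allow-Origin *;" ];
          };
          # "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
          #   proxyPass = "http://matrix-ss";
          # };
          # "~ ^(\/_matrix|\/_synapse\/client)" = {
          #   return = ''200 '{"m.server":"matrix.nx2.site:443"}' '';
          # };
        };
      };

      # Homeserver disabled: no certificate, every path answers 502.
      # Previously this host listened on 443 with no certificate at all.
      "matrix.nx2.site" = rejectHost // {
        # { addr = "0.0.0.0"; port = 8448; ssl = true; } # federation port, unused
        locations = {
          # "/" = { proxyPass = "http://matrix"; };
          "~.*" = { return = "502"; };
        };
      };

      # "matrix-ss.nx2.site" = tlsHost // {
      #   useACMEHost = "nx2.site";   # requires adding the name to extraDomainNames
      #   listen = publicListen;
      #   locations."/" = { proxyPass = "http://matrix-ss"; };
      # };

      # "dev.nx2.site" = tlsHost // {
      #   useACMEHost = "nx2.site";   # requires adding the name to extraDomainNames
      #   listen = publicListen;
      #   locations."/" = { proxyPass = "http://dev"; };
      # };

      # Password manager.  Covered by the nx2.site certificate (SAN), so no
      # separate ACME order.
      "pw.nx2.site" = tlsHost // {
        useACMEHost = "nx2.site";
        listen = publicListen;
        locations = {
          "/" = { proxyPass = "http://pw"; };
          # NOTE(review): the admin panel is reachable from the whole
          # internet.  The path set looks like Vaultwarden's, whose docs
          # recommend restricting /admin by source address (allow/deny in
          # extraConfig) or disabling the admin token — confirm which
          # backend this is and lock it down accordingly.
          "/admin" = { proxyPass = "http://pw"; };
          # The path name suggests a websocket hub (TODO confirm against
          # the backend).  recommendedProxySettings sends a keep-alive
          # Connection header upstream, so without proxyWebsockets the
          # client's Upgrade never reaches the backend.  proxyTimeout (20s)
          # also bounds idle websockets; raise proxy_read_timeout here if
          # clients keep reconnecting.
          "/notifications/hub" = { proxyPass = "http://pw"; proxyWebsockets = true; };
          "/notifications/hub/negotiate" = { proxyPass = "http://pw"; };
        };
      };

      # "share.nx2.site" = tlsHost // {
      #   useACMEHost = "nx2.site";   # requires adding the name to extraDomainNames
      #   listen = publicListen;
      #   locations = {
      #     "/" = { proxyPass = "http://share"; };
      #     "/socket.io" = { proxyPass = "http://share/socket.io"; proxyWebsockets = true; };
      #   };
      # };

      # "sync.nx2.site" = tlsHost // {
      #   useACMEHost = "nx2.site";   # requires adding the name to extraDomainNames
      #   listen = publicListen;
      #   locations."/" = { proxyPass = "http://sync"; };
      # };

      # Git forge (upstream on :3000).  Covered by the nx2.site certificate.
      "git.nx2.site" = tlsHost // {
        useACMEHost = "nx2.site";
        listen = publicListen;
        locations = {
          "/" = { proxyPass = "http://git"; };
        };
      };

      # Any other *.nx2.site name: plain HTTP is redirected to the apex
      # error page, HTTPS handshakes are rejected (no certificate covers
      # these names).  The dots are escaped so the regex matches a literal
      # ".nx2.site" suffix rather than any two characters.
      "~^(.*)\\.nx2\\.site$" = rejectHost // {
        root = "/var/nginx/webroot";
        locations = {
          "~.*" = { return = "301 https://nx2.site/502.html"; };
        };
      };
    };
  };
}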