239 lines
7.9 KiB
Nix
239 lines
7.9 KiB
Nix
{ pkgs, ...}@all: with all;
|
|
{
|
|
sops.secrets = {
|
|
"nx2site/sslCertificate.pem" = { owner = config.services.nginx.user; };
|
|
"nx2site/sslCertificateKey.pem" = { owner = config.services.nginx.user; };
|
|
"nx2site/dhparams.pem" = { owner = config.services.nginx.user; };
|
|
};
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "acme@${hyper.domain}";
|
|
webroot = config.services.nginx.virtualHosts."${hyper.domain}".root;
|
|
group = "nginx";
|
|
};
|
|
certs = {
|
|
"${hyper.domain}" = {
|
|
extraDomainNames = builtins.map (subd: "${subd}.${hyper.domain}") [ "sync" ];
|
|
};
|
|
};
|
|
};
|
|
users.users."nginx" = {
|
|
extraGroups = [ "nginx" "acme" "copyparty" ];
|
|
useDefaultShell = false;
|
|
linger = true;
|
|
home = "/var/nginx/";
|
|
homeMode = "770";
|
|
createHome = true;
|
|
isSystemUser = true;
|
|
isNormalUser = false;
|
|
};
|
|
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
|
|
services.nginx = let
|
|
dl = [
|
|
{ addr = "0.0.0.0"; port = 443; ssl = true; }
|
|
{ addr = "0.0.0.0"; port = 80; ssl = false; }
|
|
{ addr = "[::0]"; port = 443; ssl = true; }
|
|
{ addr = "[::0]"; port = 80; ssl = false; }
|
|
];
|
|
in {
|
|
enable = true;
|
|
user = "nginx";
|
|
group = "nginx";
|
|
additionalModules = [];
|
|
# appendConfig = '''';
|
|
clientMaxBodySize = "20m";
|
|
defaultHTTPListenPort = 80;
|
|
defaultListenAddresses = [ "0.0.0.0" ] ++ lib.optional config.networking.enableIPv6 "[::0]";
|
|
defaultListen = dl;
|
|
defaultMimeTypes = "${pkgs.mailcap}/etc/nginx/mime.types";
|
|
defaultSSLListenPort = 443;
|
|
enableQuicBPF = true;
|
|
enableReload = true;
|
|
package = pkgs.nginx;
|
|
proxyResolveWhileRunning = false;
|
|
proxyTimeout = "20s";
|
|
recommendedBrotliSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
# recommendedZstdSettings = true;
|
|
serverTokens = false;
|
|
sslDhparam = config.sops.secrets."nx2site/dhparams.pem".path;
|
|
sslProtocols = "TLSv1.2 TLSv1.3";
|
|
statusPage = false;
|
|
streamConfig = ""; # udp config
|
|
validateConfigFile = true;
|
|
upstreams = {
|
|
"partysock" = {
|
|
servers."unix:/dev/shm/party.sock".fail_timeout = "1s";
|
|
extraConfig = /* nginx */ ''
|
|
keepalive 1;
|
|
'';
|
|
};
|
|
};
|
|
virtualHosts = let
|
|
vh = {
|
|
kTLS = true;
|
|
http2 = true;
|
|
http3 = true;
|
|
http3_hq = true;
|
|
quic = true;
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
};
|
|
in {
|
|
"${hyper.domain}" = vh // {
|
|
# root = "/var/nginx/webroot";
|
|
root = "/var/lib/hugo/nx2site/public";
|
|
default = true;
|
|
listen = dl;
|
|
locations = {
|
|
"/".extraConfig = ''
|
|
index index.html;
|
|
'';
|
|
"~ ^(/.well-known/matrix/client)$".return = "502";
|
|
"~ ^(/.well-known/matrix/server)$".return = "502";
|
|
"~ ^(/phone)$".return = "301 /cards/phone";
|
|
"~ ^(/about-me)$".return = "301 /slides/about-me";
|
|
"~ ^(/about-this-site)$".return = "301 /slides/about-this-site";
|
|
"~ ^(/gpg)$".return = "301 /cards/gpg";
|
|
"~ ^(/contact)$".return = "301 /cards/contact";
|
|
"~ ^(/ba)$".return = "301 /BA.pdf";
|
|
};
|
|
};
|
|
"matrix.${hyper.domain}" = {
|
|
listen = dl;
|
|
locations."~.*".return = "502";
|
|
};
|
|
# "pw.${hyper.domain}" = vh // {
|
|
# listen = dl;
|
|
# locations = let d = "pw.docker:80"; in {
|
|
# "/" = { proxyPass = "http://${d}"; };
|
|
# "/admin" = { proxyPass = "http://${d}"; };
|
|
# "/notifications/hub" = { proxyPass = "http://${d}"; };
|
|
# "/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
|
|
# };
|
|
# };
|
|
"pw.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
locations = let
|
|
d = with config.services.vaultwarden.config; "${ROCKET_ADDRESS}:${builtins.toString ROCKET_PORT}";
|
|
in {
|
|
"/" = { proxyPass = "http://${d}"; };
|
|
"/admin" = { proxyPass = "http://${d}"; };
|
|
"/notifications/hub" = { proxyPass = "http://${d}"; };
|
|
"/notifications/hub/negotiate" = { proxyPass = "http://${d}"; };
|
|
};
|
|
};
|
|
"sync.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
locations = { "/" = { proxyPass = "http://127.0.0.1:8384"; }; };
|
|
};
|
|
# "git.${hyper.domain}" = vh // {
|
|
# listen = dl;
|
|
# locations = { "/" = { proxyPass = "http://git.docker:3000"; }; };
|
|
# };
|
|
"git.${hyper.domain}" = vh // {
|
|
http2 = false;
|
|
listen = dl;
|
|
locations = {
|
|
"/" = { proxyPass = "http://127.0.0.1:3000"; };
|
|
"/robots.txt" = {
|
|
extraConfig = ''
|
|
default_type text/plain;
|
|
return 200 "User-agent: *\nDisallow: /\nAllow: /explore/repos\nAllow: /nx2/dotdiles\nAllow: /nx2";
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
"doc.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
locations = { "/" = { proxyPass = "http://127.0.0.1:8441"; }; };
|
|
};
|
|
"dav.${hyper.domain}" = lib.mkIf config.services.radicale.enable (vh // {
|
|
listen = dl;
|
|
locations = { "/" = { proxyPass = "http://127.0.0.1:5232"; }; };
|
|
});
|
|
"nxc.${hyper.domain}" = lib.mkIf config.services.radicale.enable (vh // {
|
|
listen = dl;
|
|
locations = { "/" = { proxyPass = "http://127.0.0.1:14243"; }; };
|
|
});
|
|
# "nc.${hyper.domain}" = vh // {
|
|
# # directly to nc
|
|
# };
|
|
"abs.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${builtins.toString config.services.audiobookshelf.port}";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
"pnx.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:8040";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
"old.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
root = "/var/nginx/webroot";
|
|
};
|
|
"dev.${hyper.domain}" = vh // {
|
|
listen = dl;
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:8080";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
# is done atomatically
|
|
# "owc.${hyper.domain}" = vh // {
|
|
# listen = dl;
|
|
# locations = { "/" = {
|
|
# proxyPass = "http://unix:///run/open-web-calendar/socket";
|
|
# proxyWebsockets = true;
|
|
# }; };
|
|
# };
|
|
"file.${hyper.domain}" = { # copyparty
|
|
listen = dl;
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations = {
|
|
"/" = {
|
|
proxyPass = "http://partysock";
|
|
proxyWebsockets = true;
|
|
extraConfig = /* nginx */ ''
|
|
proxy_redirect off;
|
|
# disable buffering (next 4 lines)
|
|
# proxy_http_version 1.1; # this is set by nixos
|
|
client_max_body_size 0;
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
# improve download speed from 600 to 1500 MiB/s
|
|
proxy_buffers 32 8k;
|
|
proxy_buffer_size 16k;
|
|
proxy_busy_buffers_size 24k;
|
|
|
|
proxy_set_header Connection "Keep-Alive";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
# NOTE: with cloudflare you want this X-Forwarded-For instead:
|
|
#proxy_set_header X-Forwarded-For $http_cf_connecting_ip;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
"~^(.*).${hyper.domain}$" = {
|
|
listen = dl;
|
|
root = "/var/nginx/webroot";
|
|
locations."~.*".return = "502";
|
|
};
|
|
};
|
|
};
|
|
}
|
|
|