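{ lib, pkgs, config, ... }:
# nginx reverse-proxy / static-site configuration for the public-facing host.
# Every vhost below is merged with `defaultsFor` (see the bottom of the file),
# which turns on TLS-only, kTLS and HTTP/2 unless the vhost overrides them.
let
  inherit (builtins) mapAttrs toJSON;
  inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;

  # Expand one `listen` entry into two identical entries, one bound to the
  # IPv4 wildcard and one to the IPv6 wildcard; all other fields (port, ssl,
  # extraParameters) are preserved.
  dualStackListen' = l: map (addr: l // { inherit addr; }) [ "0.0.0.0" "[::]" ];
  # Same, for a list of listen entries; the result is a flat list.
  dualStackListen = ll: flatten (map dualStackListen' ll);

  # Server-level include for nginx-sso instance `i`. The included file is
  # generated by the `my.nginx-sso.includes` module (not visible in this file).
  ssoServer = i: {
    extraConfig = ''
      include /etc/nginx/includes/sso/server-${i}.conf;
    '';
  };
  # Location-level include for nginx-sso instance `i`. A location merged with
  # this is gated behind SSO; the vhost must also merge `ssoServer i`, since
  # the location include depends on the server-level one.
  ssoLoc = i: {
    extraConfig = ''
      include /etc/nginx/includes/sso/location-${i}.conf;
    '';
  };

  # A single-file store path holding `content` at `/<type>`, so several of
  # them can be joined into one /.well-known/ document root.
  mkWellKnown = type: content: pkgs.writeTextFile {
    name = "well-known-${type}";
    destination = "/${type}";
    text = content;
  };
  wellKnownRoot = pkgs.symlinkJoin {
    name = "http-wellknown";
    paths = [
      # For federation: delegates the `nul.ie` server name to matrix.nul.ie:443
      (mkWellKnown "matrix/server" (toJSON {
        "m.server" = "matrix.nul.ie:443";
      }))
      # For clients: homeserver discovery
      (mkWellKnown "matrix/client" (toJSON {
        "m.homeserver".base_url = "https://matrix.nul.ie";
      }))
    ];
  };
  # Locations shared by every vhost that answers for the bare `nul.ie` name
  # (the catch-all "_" vhost and matrix.nul.ie).
  wellKnown = {
    "/.well-known/" = {
      alias = "${wellKnownRoot}/";
      # `autoindex` only exposes the two generated Matrix files above.
      # The wildcard CORS header is what lets browser-based Matrix clients on
      # other origins read /.well-known/matrix/client; it is safe here because
      # the directory holds nothing but public discovery documents.
      # NOTE(review): `add_header` inside a location replaces, rather than
      # extends, any headers inherited from the server block (see the gixy
      # link further down).
      extraConfig = ''
        autoindex on;
        add_header Access-Control-Allow-Origin *;
      '';
    };
    # ActivityPub / WebFinger discovery lives on the Mastodon host.
    "/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/nodeinfo".return = "301 https://toot.nul.ie$request_uri";
    "/.well-known/host-meta".return = "301 https://toot.nul.ie$request_uri";
  };
in
{
  my = {
    # Registers the single nginx-sso instance that `ssoServer`/`ssoLoc`
    # "generic" refer to.
    nginx-sso.includes.instances = {
      generic = {};
    };
  };

  services.nginx.virtualHosts =
    let
      hosts = {
        # Catch-all vhost: plain HTTP is accepted but redirected to HTTPS
        # (`forceSSL`), unlike the `onlySSL` default applied to the rest.
        "_" = {
          default = true;
          forceSSL = true;
          onlySSL = false;
          locations = mkMerge [
            {
              "/".root = pkgs.linkFarm "nginx-root" [
                {
                  name = "index.html";
                  path = ./default.html;
                }
                {
                  # Fetched at evaluation time; the sha256 pins the content,
                  # so an upstream change fails the build instead of silently
                  # serving a different file.
                  name = "cv.pdf";
                  path = builtins.fetchurl {
                    url = "https://github.com/devplayer0/cvos/releases/download/v0.1.3/bootable.pdf";
                    sha256 = "018wh6ps19n7323fi44njzj9yd4wqslc90dykbwfyscv7bgxhlar";
                  };
                }
              ];
            }
            wellKnown
          ];
          useACMEHost = lib.my.pubDomain;
        };

        # Plain-HTTP vhost for local monitoring only. /status is restricted to
        # the loopback addresses at the nginx level, so the vhost_traffic_status
        # page is never reachable from the network.
        "localhost" = {
          forceSSL = false;
          onlySSL = false;
          locations = {
            "/status".extraConfig = ''
              access_log off;
              allow 127.0.0.1;
              allow ::1;
              deny all;

              vhost_traffic_status_display;
              vhost_traffic_status_display_format html;
            '';
          };
        };

        # The nginx-sso login endpoint itself (endpoint defined by the
        # nginx-sso module, not visible here).
        "sso.${lib.my.pubDomain}" = {
          locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
          useACMEHost = lib.my.pubDomain;
        };

        # SSO-gated reverse proxy to netdata on a fixed set of internal hosts.
        # The upstream host name is taken from the URI, but the regex
        # alternation restricts it to this allow-list, so the variable
        # proxy_pass cannot be steered at arbitrary upstreams.
        "netdata-colony.${lib.my.pubDomain}" =
          let
            hosts = [
              "vm"
              "fw" "ctr" "oci"
              "http" "jackflix-ctr" "chatterbox-ctr" "colony-psql-ctr"
            ];
            matchHosts = concatStringsSep "|" hosts;
          in
          mkMerge [
            {
              locations = {
                "= /".return = "301 https://$host/vm/";
                # Anchored with `^`: nginx regex locations are unanchored by
                # default, so without it any URI that merely *contained*
                # `/<host>` (e.g. `/foo/vm/`) would also match.
                "~ ^/(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
                "~ ^/(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
                  {
                    proxyPass = "http://$behost.${config.networking.domain}:19999/$ndpath$is_args$args";
                    extraConfig = ''
                      proxy_pass_request_headers on;
                      ${lib.my.nginx.proxyHeaders}
                      proxy_set_header Connection "keep-alive";
                      proxy_store off;

                      gzip on;
                      gzip_proxied any;
                      gzip_types *;
                    '';
                  }
                  (ssoLoc "generic")
                ];
              };
              useACMEHost = lib.my.pubDomain;
            }
            (ssoServer "generic")
          ];

        # Vaultwarden. The websocket hub needs the upgrade headers; the
        # negotiate endpoint is a plain request and is routed separately so
        # the websocket location's prefix does not catch it.
        "pass.${lib.my.pubDomain}" =
          let
            upstream = "http://vaultwarden-ctr.${config.networking.domain}";
          in
          {
            locations = {
              "/".proxyPass = upstream;
              "/notifications/hub" = {
                proxyPass = upstream;
                proxyWebsockets = true;
                extraConfig = lib.my.nginx.proxyHeaders;
              };
              "/notifications/hub/negotiate".proxyPass = upstream;
            };
            useACMEHost = lib.my.pubDomain;
          };

        # Synapse homeserver. Listens on 443 (clients) and 8448 (federation);
        # `default_server` on 8448 makes this vhost the catch-all for that port.
        "matrix.nul.ie" = {
          listen = dualStackListen [
            {
              port = 443;
              ssl = true;
            }
            {
              # Matrix federation
              port = 8448;
              ssl = true;
              extraParameters = [ "default_server" ];
            }
          ];
          locations = mkMerge [
            {
              "/".proxyPass = "http://chatterbox-ctr.${config.networking.domain}:8008";
              # Bare root goes to the web client rather than Synapse's landing page.
              "= /".return = "301 https://element.${lib.my.pubDomain}";
            }
            wellKnown
          ];
          useACMEHost = lib.my.pubDomain;
        };

        # Element web client, served as static files from the Nix package.
        # NOTE(review): all hardening headers are currently disabled (nginx
        # comments in the string below). `frame-ancestors 'none'` was found to
        # break downloads; `frame-ancestors 'self'` would still block
        # third-party framing while allowing same-origin frames — confirm
        # against the Element web deployment docs before enabling.
        "element.${lib.my.pubDomain}" =
          let
            headers = ''
              # TODO: why are these here?
              #add_header X-Frame-Options SAMEORIGIN;
              #add_header X-Content-Type-Options nosniff;
              #add_header X-XSS-Protection "1; mode=block";
              # This seems to break file downloads...
              #add_header Content-Security-Policy "frame-ancestors 'none'";
            '';
          in
          {
            extraConfig = ''
              ${headers}
            '';
            root = pkgs.element-web.override {
              # Currently it seems like single quotes aren't escaped like they should be...
              conf = {
                brand = "/dev/player0 Matrix";
                showLabsSettings = true;
                disable_guests = true;
                default_server_config = {
                  "m.homeserver" = {
                    base_url = "https://matrix.nul.ie";
                    server_name = "nul.ie";
                  };
                };
                roomDirectory.servers = [
                  "nul.ie"
                  "netsoc.ie"
                  "matrix.org"
                ];
              };
            };
            # The entry points and config must not be cached, otherwise
            # clients keep running a stale (possibly vulnerable) build after
            # an upgrade. Because `add_header` in a location drops the
            # server-level headers, `headers` is repeated here.
            locations = genAttrs [ "= /index.html" "= /version" "/config" ] (_: {
              extraConfig = ''
                # Gotta duplicate the headers...
                # https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
                ${headers}
                add_header Cache-Control "no-cache";
              '';
            });
            useACMEHost = lib.my.pubDomain;
          };

        # Transmission web UI, SSO-gated.
        "torrents.${lib.my.pubDomain}" = mkMerge [
          {
            locations."/" = mkMerge [
              {
                proxyPass = "http://jackflix-ctr.${config.networking.domain}:9091";
              }
              (ssoLoc "generic")
            ];
            useACMEHost = lib.my.pubDomain;
          }
          (ssoServer "generic")
        ];

        # Jackett, SSO-gated.
        "jackett.${lib.my.pubDomain}" = mkMerge [
          {
            locations."/" = mkMerge [
              {
                proxyPass = "http://jackflix-ctr.${config.networking.domain}:9117";
              }
              (ssoLoc "generic")
            ];
            useACMEHost = lib.my.pubDomain;
          }
          (ssoServer "generic")
        ];

        # Radarr, SSO-gated (uses websockets for its UI).
        "radarr.${lib.my.pubDomain}" = mkMerge [
          {
            locations."/" = mkMerge [
              {
                proxyPass = "http://jackflix-ctr.${config.networking.domain}:7878";
                proxyWebsockets = true;
                extraConfig = lib.my.nginx.proxyHeaders;
              }
              (ssoLoc "generic")
            ];
            useACMEHost = lib.my.pubDomain;
          }
          (ssoServer "generic")
        ];

        # Sonarr, SSO-gated (uses websockets for its UI).
        "sonarr.${lib.my.pubDomain}" = mkMerge [
          {
            locations."/" = mkMerge [
              {
                proxyPass = "http://jackflix-ctr.${config.networking.domain}:8989";
                proxyWebsockets = true;
                extraConfig = lib.my.nginx.proxyHeaders;
              }
              (ssoLoc "generic")
            ];
            useACMEHost = lib.my.pubDomain;
          }
          (ssoServer "generic")
        ];

        # Jellyfin. Not behind SSO; relies on Jellyfin's own authentication.
        "jackflix.${lib.my.pubDomain}" =
          let
            upstream = "http://jackflix-ctr.${config.networking.domain}:8096";
          in
          {
            # Clickjacking / MIME-sniffing hardening. X-XSS-Protection is a
            # legacy header that modern browsers ignore; it is harmless here.
            extraConfig = ''
              add_header X-Frame-Options "SAMEORIGIN";
              add_header X-XSS-Protection "1; mode=block";
              add_header X-Content-Type-Options "nosniff";
            '';
            locations = {
              "/".proxyPass = upstream;

              "= /".return = "302 https://$host/web/";
              "= /web/".proxyPass = "${upstream}/web/index.html";

              "/socket" = {
                proxyPass = upstream;
                proxyWebsockets = true;
                extraConfig = lib.my.nginx.proxyHeaders;
              };
            };
            useACMEHost = lib.my.pubDomain;
          };

        # Mastodon. Static assets are served straight from the package; the
        # streaming API and everything else are proxied to the container.
        "toot.nul.ie" =
          let
            # Long-lived, revalidated cache for immutable asset paths, with
            # HSTS repeated per location (add_header does not inherit).
            mkAssetLoc = name: {
              tryFiles = "$uri =404";
              extraConfig = ''
                add_header Cache-Control "public, max-age=2419200, must-revalidate";
                add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
              '';
            };
          in
          {
            root = "${pkgs.mastodon}/public";
            locations = mkMerge [
              (genAttrs [
                "= /sw.js"
                "~ ^/assets/"
                "~ ^/avatars/"
                "~ ^/emoji/"
                "~ ^/headers/"
                "~ ^/packs/"
                "~ ^/shortcuts/"
                "~ ^/sounds/"
              ] mkAssetLoc)
              {
                "/".tryFiles = "$uri @proxy";

                # `proxy_set_header Proxy ""` clears any client-supplied
                # `Proxy:` header before it reaches the app (httpoxy).
                "^~ /api/v1/streaming" = {
                  proxyPass = "http://toot-ctr.${config.networking.domain}:55000";
                  proxyWebsockets = true;
                  extraConfig = ''
                    ${lib.my.nginx.proxyHeaders}
                    proxy_set_header Proxy "";

                    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
                  '';
                };
                # `proxy_pass_header Server` intentionally forwards the
                # upstream's Server header; `CACHE` is a proxy_cache zone that
                # must be declared elsewhere in the nginx config (not visible
                # here).
                "@proxy" = {
                  proxyPass = "http://toot-ctr.${config.networking.domain}:55001";
                  proxyWebsockets = true;
                  extraConfig = ''
                    ${lib.my.nginx.proxyHeaders}
                    proxy_set_header Proxy "";
                    proxy_pass_header Server;

                    proxy_cache CACHE;
                    proxy_cache_valid 200 7d;
                    proxy_cache_valid 410 24h;
                    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
                    add_header X-Cached $upstream_cache_status;
                  '';
                };
              }
            ];
            useACMEHost = lib.my.pubDomain;
          };

        # Object-storage "share" UI on the object container.
        "share.${lib.my.pubDomain}" = {
          locations."/" = {
            proxyPass = "http://object-ctr.${config.networking.domain}:9090";
            proxyWebsockets = true;
            extraConfig = lib.my.nginx.proxyHeaders;
          };
          useACMEHost = lib.my.pubDomain;
        };

        # Directory listing of a media share, gated by HTTP basic auth. The
        # htpasswd file comes from an agenix secret. Basic auth only sends the
        # credentials base64-encoded, so this relies on `onlySSL` (the
        # `defaultsFor` default, not overridden here) to keep them off the wire
        # in clear text. Dotfiles are deliberately listed.
        "stuff.${lib.my.pubDomain}" = {
          locations."/" = {
            basicAuthFile = config.age.secrets."middleman/htpasswd".path;
            root = "/mnt/media/stuff";
            extraConfig = ''
              fancyindex on;
              fancyindex_show_dotfiles on;
            '';
          };
          useACMEHost = lib.my.pubDomain;
        };
      };

      # MinIO console, S3 API and the Nix binary cache (an S3 bucket).
      minio =
        let
          host = "object-ctr.${config.networking.domain}";
          s3Upstream = "http://${host}:9000";
          # `ignore_invalid_headers off` makes nginx forward headers it would
          # otherwise drop as malformed (e.g. names containing underscores),
          # which the S3 protocol relies on. It widens what reaches the
          # upstream, so keep it scoped to these vhosts only.
          extraConfig = ''
            chunked_transfer_encoding off;
            ignore_invalid_headers off;
          '';

          # Only .narinfo and NAR files are cacheable; everything else under
          # the bucket falls through to the plain proxy location.
          nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar\.\S+)$'';
          # $nix_cache_control / $nix_expires are expected to be defined by a
          # `map` block elsewhere in the nginx config (not visible here).
          nixCacheHeaders = ''
            proxy_hide_header "X-Amz-Request-Id";
            add_header Cache-Control $nix_cache_control;
            add_header Expires $nix_expires;
          '';
        in
        {
          "minio.${lib.my.pubDomain}" = {
            inherit extraConfig;
            locations = {
              "/" = {
                proxyPass = "http://${host}:9001";
              };
              "/ws" = {
                proxyPass = "http://${host}:9001";
                proxyWebsockets = true;
                extraConfig = lib.my.nginx.proxyHeaders;
              };
            };
            useACMEHost = lib.my.pubDomain;
          };

          # Virtual-host style bucket addressing: `<bucket>.s3.<domain>`.
          "s3.${lib.my.pubDomain}" = {
            serverAliases = [ "*.s3.${lib.my.pubDomain}" ];
            inherit extraConfig;
            locations."/".proxyPass = s3Upstream;
            useACMEHost = lib.my.pubDomain;
          };

          "nix-cache.${lib.my.pubDomain}" = {
            # The Host header selects the bucket at the S3 upstream, so it must
            # match MinIO's configured domain (not visible here).
            # NOTE(review): this is hard-coded rather than derived from
            # lib.my.pubDomain like the s3 vhost above — confirm the two agree
            # before changing either.
            extraConfig = ''
              ${extraConfig}
              proxy_set_header Host "nix-cache.s3.nul.ie";
            '';
            locations = {
              "/".proxyPass = s3Upstream;
              "~ ${nixCacheableRegex}" = {
                proxyPass = s3Upstream;
                extraConfig = nixCacheHeaders;
              };
            };
            useACMEHost = lib.my.pubDomain;
            # Also served over plain HTTP (no forceSSL, so HTTP is not
            # redirected). Presumably deliberate for substituters; note that
            # integrity then rests entirely on narinfo signatures, not TLS.
            onlySSL = false;
          };
        };

      # Defaults applied to every vhost in an attrset. All are `mkDefault`, so
      # a vhost's own setting wins (e.g. "_" overrides onlySSL, every public
      # host overrides useACMEHost with the public domain's cert).
      defaultsFor = mapAttrs (n: _: {
        onlySSL = mkDefault true;
        useACMEHost = mkDefault "${config.networking.domain}";
        kTLS = mkDefault true;
        http2 = mkDefault true;
      });
    in
    mkMerge [
      hosts
      (defaultsFor hosts)

      minio
      (defaultsFor minio)
    ];
}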