nixfiles/nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix

{ lib, pkgs, config, ... }:
let
inherit (builtins) mapAttrs toJSON;
inherit (lib) mkMerge mkDefault genAttrs flatten concatStringsSep;
inherit (lib.my.c) pubDomain home;
inherit (lib.my.c.nginx) proxyHeaders;
inherit (config.networking) domain;
# Give one `listen` entry an address for each family: the same entry bound to
# 0.0.0.0 and again to [::] (IPv4 copy first), so callers need not spell both out.
dualStackListen' = l: [
  (l // { addr = "0.0.0.0"; })
  (l // { addr = "[::]"; })
];
# Expand every `listen` entry in `ll` with dualStackListen' and concatenate the
# results: N entries in, 2N out, original order preserved.
dualStackListen = ll: lib.concatMap dualStackListen' ll;
# Server-level snippet wiring a vhost to nginx-sso instance `i`. The included
# file is presumably produced by the my.nginx-sso module (not in this file).
ssoServer = i: {
  extraConfig = "include /etc/nginx/includes/sso/server-${i}.conf;\n";
};
# Location-level counterpart of ssoServer for instance `i`; presumably the
# per-location auth wiring, but the include's content is not visible here.
ssoLoc = i: {
  extraConfig = "include /etc/nginx/includes/sso/location-${i}.conf;\n";
};
# Build a single-file derivation holding `content` at /<type>, so several of
# them can be symlinkJoin'ed into one .well-known tree.
mkWellKnown = type: content:
  let
    drvName = "well-known-${type}";
  in
  pkgs.writeTextFile {
    name = drvName;
    destination = "/${type}";
    text = content;
  };
# Directory served under /.well-known/: the Matrix server (federation) and
# client discovery documents, both pointing at matrix.nul.ie.
wellKnownRoot =
  let
    # For federation
    serverDoc = mkWellKnown "matrix/server" (toJSON {
      "m.server" = "matrix.nul.ie:443";
    });
    # For clients
    clientDoc = mkWellKnown "matrix/client" (toJSON {
      "m.homeserver".base_url = "https://matrix.nul.ie";
      "org.matrix.msc3575.proxy".url = "https://matrix-syncv3.nul.ie";
    });
  in
  pkgs.symlinkJoin {
    name = "http-wellknown";
    paths = [ serverDoc clientDoc ];
  };
# Locations shared by the default vhost and matrix.nul.ie: serve the Matrix
# discovery files and redirect the Fediverse well-known endpoints to toot.nul.ie.
wellKnown =
  let
    toToot = _: { return = "301 https://toot.nul.ie$request_uri"; };
  in
  {
    "/.well-known/" = {
      alias = "${wellKnownRoot}/";
      # autoindex publishes a listing of wellKnownRoot. Fine while it only holds
      # the two Matrix files, but anything added there becomes enumerable.
      # The wildcard CORS header is what lets browser-based Matrix clients read
      # the client discovery document cross-origin.
      extraConfig = ''
        autoindex on;
        add_header Access-Control-Allow-Origin *;
      '';
    };
  }
  // genAttrs [ "/.well-known/webfinger" "/.well-known/nodeinfo" "/.well-known/host-meta" ] toToot;
in
{
# Declare the single nginx-sso instance ("generic") that ssoServer/ssoLoc above
# refer to by name; its include files are presumably generated from this.
my.nginx-sso.includes.instances.generic = { };
services.nginx.virtualHosts =
let
hosts = {
"_" = {
default = true;
forceSSL = true;
onlySSL = false;
2022-06-11 01:20:32 +01:00
locations = mkMerge [
{
"/".root = pkgs.linkFarm "nginx-root" [
{
name = "index.html";
path = ./default.html;
}
{
name = "cv.pdf";
path = builtins.fetchurl {
url = "https://github.com/devplayer0/cvos/releases/download/v0.1.3/bootable.pdf";
sha256 = "018wh6ps19n7323fi44njzj9yd4wqslc90dykbwfyscv7bgxhlar";
};
}
];
}
2022-06-11 01:20:32 +01:00
wellKnown
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
};
"localhost" = {
forceSSL = false;
onlySSL = false;
locations = {
"/status".extraConfig = ''
access_log off;
allow 127.0.0.1;
allow ::1;
deny all;
vhost_traffic_status_display;
vhost_traffic_status_display_format html;
'';
};
};
"sso.${pubDomain}" = {
2022-06-12 00:31:08 +01:00
locations."/".proxyPass = config.my.nginx-sso.includes.endpoint;
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 00:31:08 +01:00
};
"netdata-colony.${pubDomain}" =
2022-06-12 17:27:11 +01:00
let
2022-06-13 02:14:18 +01:00
hosts = [
"vm"
2022-08-01 17:44:08 +01:00
"fw" "ctr" "oci"
2022-06-13 02:14:18 +01:00
"http" "jackflix-ctr" "chatterbox-ctr" "colony-psql-ctr"
];
2022-06-12 17:27:11 +01:00
matchHosts = concatStringsSep "|" hosts;
in
mkMerge [
{
locations = {
2022-06-13 01:12:01 +01:00
"= /".return = "301 https://$host/vm/";
2022-06-12 17:27:11 +01:00
"~ /(?<behost>${matchHosts})$".return = "301 https://$host/$behost/";
"~ /(?<behost>${matchHosts})/(?<ndpath>.*)" = mkMerge [
{
proxyPass = "http://$behost.${domain}:19999/$ndpath$is_args$args";
2022-06-12 17:27:11 +01:00
extraConfig = ''
proxy_pass_request_headers on;
2023-11-02 13:41:50 +00:00
${proxyHeaders}
2022-06-12 17:27:11 +01:00
proxy_set_header Connection "keep-alive";
proxy_store off;
gzip on;
gzip_proxied any;
gzip_types *;
'';
}
(ssoLoc "generic")
];
};
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 17:27:11 +01:00
}
(ssoServer "generic")
];
"pass.${pubDomain}" =
let
upstream = "http://vaultwarden-ctr.${domain}:8080";
in
{
locations = {
"/".proxyPass = upstream;
"/notifications/hub" = {
proxyPass = upstream;
proxyWebsockets = true;
2023-11-02 13:41:50 +00:00
extraConfig = proxyHeaders;
};
"/notifications/hub/negotiate".proxyPass = upstream;
};
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
};
"matrix.nul.ie" = {
2022-06-11 01:20:32 +01:00
listen = dualStackListen [
{
port = 443;
ssl = true;
}
{
# Matrix federation
port = 8448;
ssl = true;
extraParameters = [ "default_server" ];
}
];
locations = mkMerge [
{
"/".proxyPass = "http://chatterbox-ctr.${domain}:8008";
2023-11-02 13:41:50 +00:00
"= /".return = "301 https://element.${pubDomain}";
2022-06-11 01:20:32 +01:00
}
wellKnown
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-06 17:10:53 +01:00
};
"matrix-syncv3.${pubDomain}" = {
locations."/".proxyPass = "http://chatterbox-ctr.${domain}:8009";
useACMEHost = pubDomain;
};
"element.${pubDomain}" =
2022-06-06 17:10:53 +01:00
let
headers = ''
# TODO: why are these here?
#add_header X-Frame-Options SAMEORIGIN;
#add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block";
# This seems to break file downloads...
#add_header Content-Security-Policy "frame-ancestors 'none'";
2022-06-06 17:10:53 +01:00
'';
in
{
extraConfig = ''
${headers}
'';
root = pkgs.element-web.override {
2022-11-20 04:44:22 +00:00
# Currently it seems like single quotes aren't escaped like they should be...
2022-06-06 17:10:53 +01:00
conf = {
2022-11-20 04:44:22 +00:00
brand = "/dev/player0 Matrix";
show_labs_settings = true;
default_country_code = "IE";
2022-06-06 17:10:53 +01:00
disable_guests = true;
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.nul.ie";
server_name = "nul.ie";
};
};
room_directory.servers = [
2022-06-06 17:10:53 +01:00
"nul.ie"
"matrix.org"
];
};
};
locations = mkMerge [
{ }
(genAttrs [ "= /index.html" "= /version" "/config" ] (_: {
extraConfig = ''
# Gotta duplicate the headers...
# https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
${headers}
add_header Cache-Control "no-cache";
'';
}))
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-06 17:10:53 +01:00
};
"torrents.${pubDomain}" = mkMerge [
2022-06-12 02:40:57 +01:00
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${domain}:9091";
2022-06-12 02:40:57 +01:00
}
(ssoLoc "generic")
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 02:40:57 +01:00
}
(ssoServer "generic")
];
"jackett.${pubDomain}" = mkMerge [
2022-06-12 01:40:57 +01:00
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${domain}:9117";
2022-06-12 01:40:57 +01:00
}
(ssoLoc "generic")
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 01:40:57 +01:00
}
(ssoServer "generic")
];
"radarr.${pubDomain}" = mkMerge [
2022-06-12 01:40:57 +01:00
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${domain}:7878";
2022-06-12 01:40:57 +01:00
proxyWebsockets = true;
2023-11-02 13:41:50 +00:00
extraConfig = proxyHeaders;
2022-06-12 01:40:57 +01:00
}
(ssoLoc "generic")
2022-06-12 15:17:35 +01:00
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 15:17:35 +01:00
}
(ssoServer "generic")
];
"sonarr.${pubDomain}" = mkMerge [
2022-06-12 15:17:35 +01:00
{
locations."/" = mkMerge [
{
proxyPass = "http://jackflix-ctr.${domain}:8989";
2022-06-12 15:17:35 +01:00
proxyWebsockets = true;
2023-11-02 13:41:50 +00:00
extraConfig = proxyHeaders;
2022-06-12 15:17:35 +01:00
}
(ssoLoc "generic")
2022-06-12 01:40:57 +01:00
];
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 01:40:57 +01:00
}
(ssoServer "generic")
];
"gib.${pubDomain}" = {
locations."/".proxyPass = "http://jackflix-ctr.${domain}:5055";
useACMEHost = pubDomain;
};
"jackflix.${pubDomain}" =
2022-06-12 14:56:44 +01:00
let
upstream = "http://jackflix-ctr.${domain}:8096";
2022-06-12 14:56:44 +01:00
in
{
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
'';
locations = {
"/".proxyPass = upstream;
"= /".return = "302 https://$host/web/";
"= /web/".proxyPass = "${upstream}/web/index.html";
"/socket" = {
proxyPass = upstream;
proxyWebsockets = true;
2023-11-02 13:41:50 +00:00
extraConfig = proxyHeaders;
2022-06-12 14:56:44 +01:00
};
};
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-06-12 14:56:44 +01:00
};
"toot.nul.ie" = {
locations."/" = {
proxyPass = "http://toot-ctr.${domain}:80";
proxyWebsockets = true;
extraConfig = proxyHeaders;
2022-11-20 02:43:48 +00:00
};
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-11-20 02:43:48 +00:00
};
"share.${pubDomain}" = {
2022-11-20 18:41:49 +00:00
locations."/" = {
proxyPass = "http://object-ctr.${domain}:9090";
2022-11-20 18:41:49 +00:00
proxyWebsockets = true;
2023-11-02 13:41:50 +00:00
extraConfig = proxyHeaders;
2022-11-20 18:41:49 +00:00
};
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
2022-11-20 18:41:49 +00:00
};
"stuff.${pubDomain}" = {
locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff";
extraConfig = ''
fancyindex on;
fancyindex_show_dotfiles on;
'';
};
2023-11-02 13:41:50 +00:00
useACMEHost = pubDomain;
};
"public.${pubDomain}" = {
serverAliases = [ "p.${pubDomain}" ];
locations."/" = {
root = "/mnt/media/public";
extraConfig = ''
fancyindex on;
fancyindex_show_dotfiles on;
'';
};
useACMEHost = pubDomain;
};
"mc-map.${pubDomain}" = {
locations."/".proxyPass = "http://simpcraft-oci.${domain}:8100";
useACMEHost = pubDomain;
};
"mc-rail.${pubDomain}" = {
locations."/".proxyPass = "http://simpcraft-oci.${domain}:3876";
useACMEHost = pubDomain;
};
"librespeed.${domain}" = {
locations."/".proxyPass = "http://localhost:8989";
};
"speed.${pubDomain}" = {
locations."/".proxyPass = "http://localhost:8989";
useACMEHost = pubDomain;
};
"md.${pubDomain}" = {
locations."/" = {
proxyPass = "http://object-ctr.${domain}:3000";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
2024-01-08 21:40:20 +00:00
useACMEHost = pubDomain;
};
"pb.${pubDomain}" = {
locations."/".proxyPass = "http://object-ctr.${domain}:8088";
useACMEHost = pubDomain;
};
"photos.${pubDomain}" = {
locations."/" = {
proxyPass = "http://jackflix-ctr.${domain}:2342";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
useACMEHost = pubDomain;
};
"pront.${pubDomain}" = mkMerge [
{
locations."/" = mkMerge [
{
proxyPass = "http://stream-hi.${home.domain}:5000";
proxyWebsockets = true;
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
locations."~* ^/webcam/(.*)" = mkMerge [
{
proxyPass = "http://stream-hi.${home.domain}:5050/$1$is_args$args";
extraConfig = proxyHeaders;
}
(ssoLoc "generic")
];
useACMEHost = pubDomain;
}
(ssoServer "generic")
];
};
# MinIO console, S3 API and the Nix binary cache, all on object-ctr.
minio =
  let
    host = "object-ctr.${domain}";
    console = "http://${host}:9001";
    s3Upstream = "http://${host}:9000";
    nixServe = "http://${host}:5000";
    # Proxy settings MinIO asks for. NOTE(review): ignore_invalid_headers off
    # disables nginx's header-name validation for the whole vhost, so keep it
    # scoped to the two MinIO vhosts only.
    proxyTweaks = ''
      chunked_transfer_encoding off;
      ignore_invalid_headers off;
    '';
    # Paths a Nix binary cache client may cache: narinfo files, NAR archives
    # and the serve/ tree.
    nixCacheableRegex = ''^\/(\S+\.narinfo|nar\/\S+\.nar.*|serve\/.+)$'';
    # $nix_cache_control / $nix_expires are not defined in this file; presumably
    # a `map` elsewhere in the nginx config sets them — verify before relying on it.
    nixCacheHeaders = ''
      add_header Cache-Control $nix_cache_control;
      add_header Expires $nix_expires;
      brotli on;
      brotli_types application/x-nix-archive;
    '';
    # HACK: Docker images need the MIME type to be correct for the manifest but
    # Gitea doesn't tell S3. Hiding the upstream header lets add_header set
    # Content-Type (normally it can't be set directly). The add_header inside
    # `if` is its own nginx level and replaces, not extends, the one outside it,
    # which is the intended override. NOTE(review): the `if` keys off the
    # client-supplied $args, so any object requested with that disposition
    # filename is returned with the manifest media type.
    giteaPackages = ''
      proxy_hide_header Content-Type;
      add_header Content-Type $upstream_http_content_type always;
      if ($args ~ "response-content-disposition=.+filename%3D%22manifest\.json%22") {
        add_header Content-Type "application/vnd.docker.distribution.manifest.v2+json";
      }
    '';
  in
  {
    # Web console; /ws is its websocket channel.
    "minio.${pubDomain}" = {
      useACMEHost = pubDomain;
      extraConfig = proxyTweaks;
      locations = {
        "/".proxyPass = console;
        "/ws" = {
          proxyPass = console;
          proxyWebsockets = true;
          extraConfig = proxyHeaders;
        };
      };
    };
    # S3 API; the wildcard alias presumably serves virtual-hosted-style buckets.
    "s3.${pubDomain}" = {
      useACMEHost = pubDomain;
      serverAliases = [ "*.s3.${pubDomain}" ];
      extraConfig = proxyTweaks;
      locations = {
        "/".proxyPass = s3Upstream;
        "/gitea/packages/" = {
          proxyPass = s3Upstream;
          extraConfig = giteaPackages;
        };
      };
    };
    # Binary cache on :5000; cacheable paths get the caching/brotli headers.
    "nix-cache.${pubDomain}" = {
      useACMEHost = pubDomain;
      locations = {
        "/".proxyPass = nixServe;
        "~ ${nixCacheableRegex}" = {
          proxyPass = nixServe;
          extraConfig = nixCacheHeaders;
        };
      };
    };
  };
# Per-vhost baseline applied to every host in a set, overridable by the
# explicit values above (mkDefault): HTTPS only, the config.networking.domain
# ACME cert, kTLS and HTTP/2.
defaultsFor = mapAttrs (_: _: {
  onlySSL = mkDefault true;
  useACMEHost = mkDefault "${domain}";
  kTLS = mkDefault true;
  http2 = mkDefault true;
});
in
mkMerge [
hosts
(defaultsFor hosts)
minio
(defaultsFor minio)
];
}