nixfiles/nixos/boxes/kelder/containers/spoder/nginx.nix

{ lib, pkgs, config, allAssignments, ... }:
let
  inherit (builtins) mapAttrs;
  inherit (lib) mkMerge mkIf mkDefault;
  inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
  inherit (lib.my.c.kelder) domain;
in
{
  config = {
    my = {
      secrets.files = {
        "kelder/htpasswd" = {
          owner = "nginx";
          group = "nginx";
        };
        "dhparams.pem" = {
          owner = "acme";
          group = "acme";
          mode = "440";
        };
      };

      firewall = {
        tcp.allowed = [ "http" "https" ];
      };
    };

    services = {
      nginx = {
        package = pkgs.openresty;
        enable = true;
        enableReload = true;

        logError = "stderr info";
        recommendedTlsSettings = true;
        clientMaxBodySize = "0";
        serverTokens = true;
        sslDhparam = config.age.secrets."dhparams.pem".path;

        # Based on recommended*Settings, but probably better to be explicit about these
        appendHttpConfig = ''
          ${baseHttpConfig}

          # caching
          proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;

          init_worker_by_lua_block {
            local update_ip = function(premature)
              if premature then
                return
              end

              local hdl, err = io.popen("${pkgs.curl}/bin/curl -s https://v4.ident.me")
              if not hdl then
                ngx.log(ngx.ERR, "failed to run command: ", err)
                return
              end

              local ip, err = hdl:read("*l")
              hdl:close()
              if not ip then
                ngx.log(ngx.ERR, "failed to read ip: ", err)
                return
              end

              pub_ip = ip
              ngx.log(ngx.INFO, "ip is now: ", pub_ip)
            end

            local hdl, err = ngx.timer.every(5 * 60, update_ip)
            if not hdl then
              ngx.log(ngx.ERR, "failed to create timer: ", err)
            end
            update_ip()
          }
        '';

        virtualHosts =
        let
          withAuth = c: mkMerge [
            {
              basicAuthFile = config.age.secrets."kelder/htpasswd".path;
            }
            c
          ];
          acquisition = "http://${allAssignments.kelder-acquisition.internal.ipv4.address}";
          # This is kinda borked because Virgin Media filters DNS responses with local IPs...
          localRedirect = to: ''
            rewrite_by_lua_block {
              if ngx.var.remote_addr == pub_ip then
                ngx.redirect(ngx.var.scheme .. "://${to}" .. ngx.var.request_uri, ngx.HTTP_MOVED_PERMANENTLY)
              end
            }
          '';
          hosts = {
            "_" = {
              default = true;
              forceSSL = true;
              onlySSL = false;
              locations = {
                "/".root = "${pkgs.nginx}/html";
              };
            };

            "monitor.${domain}" = withAuth {
              serverAliases = [ "monitor-local.${domain}" ];
              # extraConfig = localRedirect "monitor-local.${domain}";
              locations = {
                "/" = {
                  proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
                  extraConfig = ''
                    proxy_pass_request_headers on;
                    ${proxyHeaders}
                    proxy_set_header Connection "keep-alive";
                    proxy_store off;

                    gzip on;
                    gzip_proxied any;
                    gzip_types *;
                  '';
                };
              };
            };

            "kontent.${domain}" = {
              serverAliases = [ "kontent-local.${domain}" ];
              locations = {
                "/".proxyPass = "${acquisition}:8096";
                "= /".return = "302 $scheme://$host/web/";
                "= /web/".proxyPass = "${acquisition}:8096/web/index.html";
                "/socket" = {
                  proxyPass = "${acquisition}:8096/socket";
                  proxyWebsockets = true;
                  extraConfig = proxyHeaders;
                };
              };
            };
            "torrents.${domain}" = withAuth {
              serverAliases = [ "torrents-local.${domain}" ];
              # extraConfig = localRedirect "torrents-local.${domain}";
              locations."/".proxyPass = "${acquisition}:9091";
            };
            "jackett.${domain}" = withAuth {
              serverAliases = [ "jackett-local.${domain}" ];
              # extraConfig = localRedirect "jackett-local.${domain}";
              locations."/".proxyPass = "${acquisition}:9117";
            };
            "radarr.${domain}" = withAuth {
              serverAliases = [ "radarr-local.${domain}" ];
              # extraConfig = localRedirect "radarr-local.${domain}";
              locations."/" = {
                proxyPass = "${acquisition}:7878";
                proxyWebsockets = true;
                extraConfig = proxyHeaders;
              };
            };
            "sonarr.${domain}" = withAuth {
              serverAliases = [ "sonarr-local.${domain}" ];
              # extraConfig = localRedirect "sonarr-local.${domain}";
              locations."/" = {
                proxyPass = "${acquisition}:8989";
                proxyWebsockets = true;
                extraConfig = proxyHeaders;
              };
            };

            "cloud.${domain}" = {
              serverAliases = [ "cloud-local.${domain}" ];
            };
          };

          defaultsFor = mapAttrs (n: _: {
            onlySSL = mkDefault true;
            useACMEHost = mkDefault domain;
            kTLS = mkDefault true;
            http2 = mkDefault true;
          });
        in
        mkMerge [
          hosts
          (defaultsFor hosts)
        ];
      };
    };
  };
}
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`{ lib, pkgs, config, allAssignments, ... }:`
			`let`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`inherit (builtins) mapAttrs;`
			`inherit (lib) mkMerge mkIf mkDefault;`
nixos/britway: Add headscale 2023-12-19 23:40:54 +00:00			`inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`inherit (lib.my.c.kelder) domain;`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`in`
			`{`
			`config = {`
			`my = {`
			`secrets.files = {`
			`"kelder/htpasswd" = {`
			`owner = "nginx";`
			`group = "nginx";`
			`};`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`"dhparams.pem" = {`
			`owner = "acme";`
			`group = "acme";`
			`mode = "440";`
			`};`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`};`

			`firewall = {`
			`tcp.allowed = [ "http" "https" ];`
			`};`
			`};`

			`services = {`
			`nginx = {`
nixos/kelder: Auto-redirect remote accesses to local ones 2023-05-27 20:50:43 +01:00			`package = pkgs.openresty;`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`enable = true;`
			`enableReload = true;`

nixos/kelder: Auto-redirect remote accesses to local ones 2023-05-27 20:50:43 +01:00			`logError = "stderr info";`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`recommendedTlsSettings = true;`
			`clientMaxBodySize = "0";`
			`serverTokens = true;`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`sslDhparam = config.age.secrets."dhparams.pem".path;`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00
			`# Based on recommended*Settings, but probably better to be explicit about these`
			`appendHttpConfig = ''`
nixos/britway: Add headscale 2023-12-19 23:40:54 +00:00			`${baseHttpConfig}`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00
			`# caching`
			`proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;`
nixos/kelder: Auto-redirect remote accesses to local ones 2023-05-27 20:50:43 +01:00
			`init_worker_by_lua_block {`
			`local update_ip = function(premature)`
			`if premature then`
			`return`
			`end`

			`local hdl, err = io.popen("${pkgs.curl}/bin/curl -s https://v4.ident.me")`
			`if not hdl then`
			`ngx.log(ngx.ERR, "failed to run command: ", err)`
			`return`
			`end`

			`local ip, err = hdl:read("*l")`
			`hdl:close()`
			`if not ip then`
			`ngx.log(ngx.ERR, "failed to read ip: ", err)`
			`return`
			`end`

			`pub_ip = ip`
			`ngx.log(ngx.INFO, "ip is now: ", pub_ip)`
			`end`

			`local hdl, err = ngx.timer.every(5 * 60, update_ip)`
			`if not hdl then`
			`ngx.log(ngx.ERR, "failed to create timer: ", err)`
			`end`
			`update_ip()`
			`}`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`'';`

			`virtualHosts =`
			`let`
			`withAuth = c: mkMerge [`
			`{`
			`basicAuthFile = config.age.secrets."kelder/htpasswd".path;`
			`}`
			`c`
			`];`
			`acquisition = "http://${allAssignments.kelder-acquisition.internal.ipv4.address}";`
nixos/kelder: MTU fix + disable all local redirects 2024-06-21 21:42:17 +01:00			`# This is kinda borked because Virgin Media filters DNS responses with local IPs...`
nixos/kelder: Auto-redirect remote accesses to local ones 2023-05-27 20:50:43 +01:00			`localRedirect = to: ''`
			`rewrite_by_lua_block {`
			`if ngx.var.remote_addr == pub_ip then`
			`ngx.redirect(ngx.var.scheme .. "://${to}" .. ngx.var.request_uri, ngx.HTTP_MOVED_PERMANENTLY)`
			`end`
			`}`
			`'';`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`hosts = {`
			`"_" = {`
			`default = true;`
			`forceSSL = true;`
			`onlySSL = false;`
			`locations = {`
			`"/".root = "${pkgs.nginx}/html";`
			`};`
			`};`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"monitor.${domain}" = withAuth {`
			`serverAliases = [ "monitor-local.${domain}" ];`
nixos/kelder: MTU fix + disable all local redirects 2024-06-21 21:42:17 +01:00			`# extraConfig = localRedirect "monitor-local.${domain}";`
nixos/kelder: Add SMART and netdata 2023-05-28 13:58:42 +01:00			`locations = {`
			`"/" = {`
			`proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";`
			`extraConfig = ''`
			`proxy_pass_request_headers on;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`${proxyHeaders}`
nixos/kelder: Add SMART and netdata 2023-05-28 13:58:42 +01:00			`proxy_set_header Connection "keep-alive";`
			`proxy_store off;`

			`gzip on;`
			`gzip_proxied any;`
			`gzip_types *;`
			`'';`
			`};`
			`};`
			`};`

Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"kontent.${domain}" = {`
			`serverAliases = [ "kontent-local.${domain}" ];`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`locations = {`
			`"/".proxyPass = "${acquisition}:8096";`
			`"= /".return = "302 $scheme://$host/web/";`
			`"= /web/".proxyPass = "${acquisition}:8096/web/index.html";`
			`"/socket" = {`
			`proxyPass = "${acquisition}:8096/socket";`
			`proxyWebsockets = true;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`extraConfig = proxyHeaders;`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`};`
			`};`
			`};`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"torrents.${domain}" = withAuth {`
			`serverAliases = [ "torrents-local.${domain}" ];`
nixos/kelder: MTU fix + disable all local redirects 2024-06-21 21:42:17 +01:00			`# extraConfig = localRedirect "torrents-local.${domain}";`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`locations."/".proxyPass = "${acquisition}:9091";`
			`};`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"jackett.${domain}" = withAuth {`
			`serverAliases = [ "jackett-local.${domain}" ];`
nixos/kelder: MTU fix + disable all local redirects 2024-06-21 21:42:17 +01:00			`# extraConfig = localRedirect "jackett-local.${domain}";`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`locations."/".proxyPass = "${acquisition}:9117";`
			`};`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"radarr.${domain}" = withAuth {`
			`serverAliases = [ "radarr-local.${domain}" ];`
nixos/kelder: MTU fix + disable all local redirects 2024-06-21 21:42:17 +01:00			`# extraConfig = localRedirect "radarr-local.${domain}";`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`locations."/" = {`
			`proxyPass = "${acquisition}:7878";`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`proxyWebsockets = true;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`extraConfig = proxyHeaders;`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`};`
			`};`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"sonarr.${domain}" = withAuth {`
			`serverAliases = [ "sonarr-local.${domain}" ];`
nixos/kelder: MTU fix + disable all local redirects 2024-06-21 21:42:17 +01:00			`# extraConfig = localRedirect "sonarr-local.${domain}";`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`locations."/" = {`
			`proxyPass = "${acquisition}:8989";`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`proxyWebsockets = true;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`extraConfig = proxyHeaders;`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`};`
			`};`
nixos/kelder: Add Nextcloud 2023-05-28 00:14:04 +01:00
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`"cloud.${domain}" = {`
			`serverAliases = [ "cloud-local.${domain}" ];`
nixos/kelder: Add Nextcloud 2023-05-28 00:14:04 +01:00			`};`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`};`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00
			`defaultsFor = mapAttrs (n: _: {`
			`onlySSL = mkDefault true;`
Split constants into separate lib file 2023-11-02 13:41:50 +00:00			`useACMEHost = mkDefault domain;`
nixos/kelder: Independent nginx config 2023-05-27 18:44:23 +01:00			`kTLS = mkDefault true;`
			`http2 = mkDefault true;`
			`});`
			`in`
			`mkMerge [`
			`hosts`
			`(defaultsFor hosts)`
			`];`
nixos/kelder: Add acquisition 2023-05-23 21:32:38 +01:00			`};`
			`};`
			`};`
			`}`