dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
8e9b750ac8
nixfiles/nixos/boxes/kelder/containers/spoder/nginx.nix
Jack O'Sullivan 8878ce56c4
All checks were successful
CI / Check, build and cache Nix flake (push) Successful in 33m1s
Details
nixos/kelder: MTU fix + disable all local redirects
2024-06-21 21:42:17 +01:00

187 lines
5.8 KiB
Nix
Raw Blame History

{ lib, pkgs, config, allAssignments, ... }:
let
inherit (builtins) mapAttrs;
inherit (lib) mkMerge mkIf mkDefault;
inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
inherit (lib.my.c.kelder) domain;
in
{
config = {
my = {
secrets.files = {
"kelder/htpasswd" = {
owner = "nginx";
group = "nginx";
};
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
};
firewall = {
tcp.allowed = [ "http" "https" ];
};
};
services = {
nginx = {
package = pkgs.openresty;
enable = true;
enableReload = true;
logError = "stderr info";
recommendedTlsSettings = true;
clientMaxBodySize = "0";
serverTokens = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
${baseHttpConfig}
# caching
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=4g;
init_worker_by_lua_block {
local update_ip = function(premature)
if premature then
return
end
local hdl, err = io.popen("${pkgs.curl}/bin/curl -s https://v4.ident.me")
if not hdl then
ngx.log(ngx.ERR, "failed to run command: ", err)
return
end
local ip, err = hdl:read("*l")
hdl:close()
if not ip then
ngx.log(ngx.ERR, "failed to read ip: ", err)
return
end
pub_ip = ip
ngx.log(ngx.INFO, "ip is now: ", pub_ip)
end
local hdl, err = ngx.timer.every(5 * 60, update_ip)
if not hdl then
ngx.log(ngx.ERR, "failed to create timer: ", err)
end
update_ip()
}
'';
virtualHosts =
let
withAuth = c: mkMerge [
{
basicAuthFile = config.age.secrets."kelder/htpasswd".path;
}
c
];
acquisition = "http://${allAssignments.kelder-acquisition.internal.ipv4.address}";
# This is kinda borked because Virgin Media filters DNS responses with local IPs...
localRedirect = to: ''
rewrite_by_lua_block {
if ngx.var.remote_addr == pub_ip then
ngx.redirect(ngx.var.scheme .. "://${to}" .. ngx.var.request_uri, ngx.HTTP_MOVED_PERMANENTLY)
end
}
'';
hosts = {
"_" = {
default = true;
forceSSL = true;
onlySSL = false;
locations = {
"/".root = "${pkgs.nginx}/html";
};
};
"monitor.${domain}" = withAuth {
serverAliases = [ "monitor-local.${domain}" ];
# extraConfig = localRedirect "monitor-local.${domain}";
locations = {
"/" = {
proxyPass = "http://${allAssignments.kelder.ctrs.ipv4.address}:19999";
extraConfig = ''
proxy_pass_request_headers on;
${proxyHeaders}
proxy_set_header Connection "keep-alive";
proxy_store off;
gzip on;
gzip_proxied any;
gzip_types *;
'';
};
};
};
"kontent.${domain}" = {
serverAliases = [ "kontent-local.${domain}" ];
locations = {
"/".proxyPass = "${acquisition}:8096";
"= /".return = "302 $scheme://$host/web/";
"= /web/".proxyPass = "${acquisition}:8096/web/index.html";
"/socket" = {
proxyPass = "${acquisition}:8096/socket";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
};
};
"torrents.${domain}" = withAuth {
serverAliases = [ "torrents-local.${domain}" ];
# extraConfig = localRedirect "torrents-local.${domain}";
locations."/".proxyPass = "${acquisition}:9091";
};
"jackett.${domain}" = withAuth {
serverAliases = [ "jackett-local.${domain}" ];
# extraConfig = localRedirect "jackett-local.${domain}";
locations."/".proxyPass = "${acquisition}:9117";
};
"radarr.${domain}" = withAuth {
serverAliases = [ "radarr-local.${domain}" ];
# extraConfig = localRedirect "radarr-local.${domain}";
locations."/" = {
proxyPass = "${acquisition}:7878";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
};
"sonarr.${domain}" = withAuth {
serverAliases = [ "sonarr-local.${domain}" ];
# extraConfig = localRedirect "sonarr-local.${domain}";
locations."/" = {
proxyPass = "${acquisition}:8989";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
};
"cloud.${domain}" = {
serverAliases = [ "cloud-local.${domain}" ];
};
};
defaultsFor = mapAttrs (n: _: {
onlySSL = mkDefault true;
useACMEHost = mkDefault domain;
kTLS = mkDefault true;
http2 = mkDefault true;
});
in
mkMerge [
hosts
(defaultsFor hosts)
];
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink