nix-dotfiles/hosts/tsuki/services/nginx/default.nix

{ pkgs, lib, config, secrets, inputs, ... }:
{
  sops.secrets."cloudflare/api-key" = {};

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "h7x4@nani.wtf";
      dnsProvider = "cloudflare";
      credentialsFile = config.sops.secrets."cloudflare/api-key".path;
      dnsPropagationCheck = true;
    };
    certs."nani.wtf" = {
      extraDomainNames = [ "*.nani.wtf" ];
    };
  };

  users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];

  services.nginx = let
    generateServerAliases =
      domains: subdomains:
      lib.lists.flatten (map (s: map (d: "${s}.${d}") domains) subdomains);

    s = toString;
  in {
    enable = true;
    enableReload = true;

    statusPage = true;

    recommendedBrotliSettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedZstdSettings = true;

    upstreams = let
      inherit (secrets) ips ports;
      srv = config.services;
      sa = config.local.socketActivation;
    in {
      "atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };
      "dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };
      "grafana".servers."unix:/run/grafana/grafana.sock" = { };
      "headscale".servers."localhost:${s srv.headscale.port}" = { };
      "hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };
      "idrac".servers."${ips.idrac}" = { };
      "kanidm".servers."localhost:8300" = { };
      "osuchan".servers."localhost:${s ports.osuchan}" = { };
      "plex".servers."localhost:${s ports.plex}" = { };
      "vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
      "wstunnel".servers = let
        inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;
      in {
        "${host}:${s port}" = { };
      };
    };

    virtualHosts = let
      inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;
      inherit (lib.lists) head drop;
      inherit (secrets) domains keys;

      cloudflare-origin-pull-ca = builtins.fetchurl {
        url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";
        sha256 = "0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";
      };

      # nonCFHost =
      #   subdomains: extraSettings: let
      #     settings = with keys.certificates; {
      #       useACMEHost = "nani.wtf";
      #       forceSSL = true;
      #       kTLS = true;
      #     };
      #   in
      #     nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);

      # nonCFProxy =
      #   subdomains: url: extraSettings:
      #   nonCFHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);

      host =
        subdomains: extraSettings: let
          settings = with keys.certificates; {
            serverAliases = drop 1 (generateServerAliases domains subdomains);
            useACMEHost = "nani.wtf";
            forceSSL = true;
            kTLS = true;

            extraConfig = ''
              ssl_client_certificate ${cloudflare-origin-pull-ca};
              ssl_verify_client on;
            '';
          };
        in
          nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);

      proxy =
        subdomains: url: extraSettings:
        host subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);

      enableWebsockets = { locations."/".proxyWebsockets = true; };
    in (listToAttrs ([
      {
        name = "nani.wtf";
        value = {
          locations = {
            "= /".return = "301 https://www.nani.wtf/";
            "/.well-known/".alias = "${./well-known}/";
            "/.well-known/openpgpkey/hu/" = {
              alias = "${./well-known/openpgpkey/hu}/";
              extraConfig = ''
                default_type application/octet-stream;
              '';
            };
          };

          useACMEHost = "nani.wtf";
          forceSSL = true;

          extraConfig = ''
            add_header Access-Control-Allow-Origin *;
            default_type text/plain;
            ssl_client_certificate ${cloudflare-origin-pull-ca};
            ssl_verify_client on;
          '';
        };
      }
      # (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })
      (host ["testmap"] {
        root = "/var/lib/mcmap";
        locations = {
          "~* ^/maps/[^/]*/tiles/[^/]*.json$".extraConfig = ''
            error_page 404 =200 /assets/emptyTile.json;
            gzip_static always;
          '';
          "~* ^/maps/[^/]*/tiles/[^/]*.png$".tryFiles = "$uri =204";
        };
      })
      (host ["www"] {
        locations."/" = {
          tryFiles = "$uri /index.html";
          root = pkgs.writeTextDir "index.html" (lib.fileContents ./temp-website.html);
        };
      })
      # (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
      (host ["matrix"] {
        enableACME = lib.mkForce false;
        locations."/_synapse".proxyPass = "http://$synapse_backend";
      })
      (host ["madmin"] { root = "${pkgs.synapse-admin}/"; })
      # (host ["cache"] { root = "/var/lib/nix-cache"; })
      # (proxy ["slack-bot"] "http://localhost:9898" {})
      (proxy ["atuin"] "http://atuin" {})
      (proxy ["auth"] "https://kanidm" { extraConfig = "proxy_ssl_verify off;"; })
      (proxy ["bw"] "http://vaultwarden" {})
      (proxy ["docs"] "http://hedgedoc" {})
      (host ["git"] {
        locations."/".extraConfig = ''
          location /h7x4 {
            location ~ /h7x4/(?<project>[a-zA-Z0-9\./_-]*) {
              return 301 $scheme://git.pvv.ntnu.no/oysteikt/$project;
            }
            return 301 $scheme://git.pvv.ntnu.no/oysteikt/;
          }
          location ~ /[Ss]chool[Ww]ork {
            location ~ /[Ss]chool[Ww]ork/(?<project>[a-zA-Z0-9\./_-]*) {
              return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/$project;
            }
            return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/;
          }
          return 301 $scheme://git.pvv.ntnu.no$request_uri;
        '';
      })
      (proxy ["idrac"] "https://idrac" {})
      (proxy ["log"] "http://grafana" enableWebsockets)
      (proxy ["map"] "http://dynmap" {})
      (proxy ["osu"] "http://osuchan" {})
      (proxy ["plex"] "http://plex" {})
      # (proxy ["vpn"] "http://headscale" {
      #   locations."/" = {
      #     proxyWebsockets = true;
      #     extraConfig = ''
      #       add_header Access-Control-Allow-Origin *;
      #       add_header Access-Control-Allow-Methods GET,HEAD,POST,OPTIONS;
      #       add_header Access-Control-Max-Age 86400;
      #     '';
      #   };
      # })

      (proxy ["ws"] "http://wstunnel" enableWebsockets)

      (host ["h7x4-stickers"] {})
      (host ["pingu-stickers"] {})
    ]));

    streamConfig = ''
      server {
        listen 0.0.0.0:53589;
        listen [::0]:53589;
        proxy_pass localhost:${s config.services.taskserver.listenPort};
      }
    '';
  };

  # NOTE: This is needed for nginx to be able
  #       to connect to sockets in /run
  systemd.services.nginx.serviceConfig.ProtectHome = false;

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`{ pkgs, lib, config, secrets, inputs, ... }:`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`{`
tsuki: configure wildcard certs for nginx 2023-03-08 14:32:39 +01:00			`sops.secrets."cloudflare/api-key" = {};`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00
tsuki: configure wildcard certs for nginx 2023-03-08 14:32:39 +01:00			`security.acme = {`
			`acceptTerms = true;`
			`defaults = {`
			`email = "h7x4@nani.wtf";`
			`dnsProvider = "cloudflare";`
			`credentialsFile = config.sops.secrets."cloudflare/api-key".path;`
			`dnsPropagationCheck = true;`
			`};`
			`certs."nani.wtf" = {`
			`extraDomainNames = [ "*.nani.wtf" ];`
			`};`
			`};`

			`users.groups.${config.security.acme.certs."nani.wtf".group}.members = [ "nginx" ];`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00
			`services.nginx = let`
			`generateServerAliases =`
			`domains: subdomains:`
			`lib.lists.flatten (map (s: map (d: "${s}.${d}") domains) subdomains);`
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`s = toString;`
			`in {`
			`enable = true;`
			`enableReload = true;`
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`statusPage = true;`

tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00			`recommendedBrotliSettings = true;`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00			`recommendedZstdSettings = true;`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00			`upstreams = let`
			`inherit (secrets) ips ports;`
			`srv = config.services;`
tsuki/navidrome: init 2023-07-28 21:50:38 +02:00			`sa = config.local.socketActivation;`
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00			`in {`
tsuki/atuin: use socket activation 2023-10-06 13:43:24 +02:00			`"atuin".servers."unix:${sa.atuin.newSocketAddress}" = { };`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`"dynmap".servers."localhost:${s ports.minecraft.dynmap}" = { };`
			`"grafana".servers."unix:/run/grafana/grafana.sock" = { };`
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00			`"headscale".servers."localhost:${s srv.headscale.port}" = { };`
			`"hedgedoc".servers."unix:${srv.hedgedoc.settings.path}" = { };`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`"idrac".servers."${ips.idrac}" = { };`
			`"kanidm".servers."localhost:8300" = { };`
			`"osuchan".servers."localhost:${s ports.osuchan}" = { };`
			`"plex".servers."localhost:${s ports.plex}" = { };`
tsuki/vaultwarden: use socket activation 2023-10-06 13:42:11 +02:00			`"vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };`
{tsuki/dosei}: set up wstunnel 2024-06-29 02:14:31 +02:00			`"wstunnel".servers = let`
			`inherit (config.services.wstunnel.servers."ws-tsuki".listen) host port;`
			`in {`
			`"${host}:${s port}" = { };`
			`};`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`};`

Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`virtualHosts = let`
			`inherit (lib.attrsets) nameValuePair listToAttrs recursiveUpdate;`
			`inherit (lib.lists) head drop;`
			`inherit (secrets) domains keys;`

			`cloudflare-origin-pull-ca = builtins.fetchurl {`
			`url = "https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem";`
			`sha256 = "0hxqszqfzsbmgksfm6k0gp0hsx9k1gqx24gakxqv0391wl6fsky1";`
			`};`

tsuki/headscale: disable 2024-06-09 16:05:55 +02:00			`# nonCFHost =`
			`# subdomains: extraSettings: let`
			`# settings = with keys.certificates; {`
			`# useACMEHost = "nani.wtf";`
			`# forceSSL = true;`
			`# kTLS = true;`
			`# };`
			`# in`
			`# nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);`

			`# nonCFProxy =`
			`# subdomains: url: extraSettings:`
			`# nonCFHost subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);`

Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`host =`
			`subdomains: extraSettings: let`
			`settings = with keys.certificates; {`
			`serverAliases = drop 1 (generateServerAliases domains subdomains);`
tsuki: configure wildcard certs for nginx 2023-03-08 14:32:39 +01:00			`useACMEHost = "nani.wtf";`
			`forceSSL = true;`
tsuki/nginx: small refactor 2023-07-28 21:58:17 +02:00			`kTLS = true;`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00
			`extraConfig = ''`
			`ssl_client_certificate ${cloudflare-origin-pull-ca};`
			`ssl_verify_client on;`
			`'';`
			`};`
			`in`
			`nameValuePair "${head subdomains}.${head domains}" (recursiveUpdate settings extraSettings);`

			`proxy =`
			`subdomains: url: extraSettings:`
			`host subdomains (recursiveUpdate { locations."/".proxyPass = url; } extraSettings);`

tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`enableWebsockets = { locations."/".proxyWebsockets = true; };`
tsuki: add maunium stickerpickers 2023-01-03 22:45:41 +01:00			`in (listToAttrs ([`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`{`
			`name = "nani.wtf";`
			`value = {`
			`locations = {`
nginx: fix failing hosts - nani.wtf has changed flake structure - jupyter need websockets 2022-11-08 14:28:59 +01:00			`"= /".return = "301 https://www.nani.wtf/";`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`"/.well-known/".alias = "${./well-known}/";`
			`"/.well-known/openpgpkey/hu/" = {`
			`alias = "${./well-known/openpgpkey/hu}/";`
			`extraConfig = ''`
			`default_type application/octet-stream;`
			`'';`
			`};`
			`};`

tsuki: configure wildcard certs for nginx 2023-03-08 14:32:39 +01:00			`useACMEHost = "nani.wtf";`
			`forceSSL = true;`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00
			`extraConfig = ''`
			`add_header Access-Control-Allow-Origin *;`
			`default_type text/plain;`
tsuki: configure wildcard certs for nginx 2023-03-08 14:32:39 +01:00			`ssl_client_certificate ${cloudflare-origin-pull-ca};`
			`ssl_verify_client on;`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`'';`
			`};`
			`}`
tsuki/nginx/www: real website dead, add temporary website 2023-07-12 01:39:50 +02:00			`# (host ["www"] { root = "${inputs.website.packages.${pkgs.system}.default}/"; })`
tsuki/nginx: add vhost for experimental mutable bluemap setup 2024-06-10 00:50:11 +02:00			`(host ["testmap"] {`
			`root = "/var/lib/mcmap";`
			`locations = {`
			`"~* ^/maps/[^/]/tiles/[^/].json$".extraConfig = ''`
			`error_page 404 =200 /assets/emptyTile.json;`
			`gzip_static always;`
			`'';`
			`"~* ^/maps/[^/]/tiles/[^/].png$".tryFiles = "$uri =204";`
			`};`
			`})`
tsuki/nginx/www: real website dead, add temporary website 2023-07-12 01:39:50 +02:00			`(host ["www"] {`
			`locations."/" = {`
			`tryFiles = "$uri /index.html";`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`root = pkgs.writeTextDir "index.html" (lib.fileContents ./temp-website.html);`
tsuki/nginx/www: real website dead, add temporary website 2023-07-12 01:39:50 +02:00			`};`
			`})`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`# (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})`
			`(host ["matrix"] {`
			`enableACME = lib.mkForce false;`
			`locations."/_synapse".proxyPass = "http://$synapse_backend";`
tsuki/headscale: fix oauth2, and set up tailscale 2023-07-12 01:35:47 +02:00			`})`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`(host ["madmin"] { root = "${pkgs.synapse-admin}/"; })`
			`# (host ["cache"] { root = "/var/lib/nix-cache"; })`
			`# (proxy ["slack-bot"] "http://localhost:9898" {})`
			`(proxy ["atuin"] "http://atuin" {})`
			`(proxy ["auth"] "https://kanidm" { extraConfig = "proxy_ssl_verify off;"; })`
			`(proxy ["bw"] "http://vaultwarden" {})`
			`(proxy ["docs"] "http://hedgedoc" {})`
tsuki/gitea: remove 2024-06-09 15:49:03 +02:00			`(host ["git"] {`
			`locations."/".extraConfig = ''`
			`location /h7x4 {`
			`location ~ /h7x4/(?<project>[a-zA-Z0-9\./_-]*) {`
			`return 301 $scheme://git.pvv.ntnu.no/oysteikt/$project;`
			`}`
			`return 301 $scheme://git.pvv.ntnu.no/oysteikt/;`
			`}`
			`location ~ /[Ss]chool[Ww]ork {`
			`location ~ /[Ss]chool[Ww]ork/(?<project>[a-zA-Z0-9\./_-]*) {`
			`return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/$project;`
			`}`
			`return 301 $scheme://git.pvv.ntnu.no/oysteikt-skolearbeid/;`
			`}`
			`return 301 $scheme://git.pvv.ntnu.no$request_uri;`
			`'';`
			`})`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`(proxy ["idrac"] "https://idrac" {})`
			`(proxy ["log"] "http://grafana" enableWebsockets)`
			`(proxy ["map"] "http://dynmap" {})`
			`(proxy ["osu"] "http://osuchan" {})`
			`(proxy ["plex"] "http://plex" {})`
tsuki/headscale: disable 2024-06-09 16:05:55 +02:00			`# (proxy ["vpn"] "http://headscale" {`
			`# locations."/" = {`
			`# proxyWebsockets = true;`
			`# extraConfig = ''`
			`# add_header Access-Control-Allow-Origin *;`
			`# add_header Access-Control-Allow-Methods GET,HEAD,POST,OPTIONS;`
			`# add_header Access-Control-Max-Age 86400;`
			`# '';`
			`# };`
			`# })`
tsuki/matrix/stickers: use new module and add lots of stickerpacks 2023-10-06 13:25:45 +02:00
{tsuki/dosei}: set up wstunnel 2024-06-29 02:14:31 +02:00			`(proxy ["ws"] "http://wstunnel" enableWebsockets)`

tsuki/matrix/stickers: use new module and add lots of stickerpacks 2023-10-06 13:25:45 +02:00			`(host ["h7x4-stickers"] {})`
			`(host ["pingu-stickers"] {})`
			`]));`
tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00
			`streamConfig = ''`
			`server {`
			`listen 0.0.0.0:53589;`
			`listen [::0]:53589;`
			`proxy_pass localhost:${s config.services.taskserver.listenPort};`
			`}`
			`'';`
Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`};`

tsuki/nginx: misc: - Move temporary website into its own file - Collect all http uris into upstreams - Convert some upstreams to UNIX sockets, as changed in the last few commits 2023-07-12 23:36:57 +02:00			`# NOTE: This is needed for nginx to be able`
			`# to connect to sockets in /run`
			`systemd.services.nginx.serviceConfig.ProtectHome = false;`

Extended nani.wtf/.well-known with some new stuff - Added WKD openpgp key - Added security.txt - Added keybase.txt 2022-10-13 23:42:42 +02:00			`networking.firewall.allowedTCPPorts = [`
			`80`
			`443`
			`];`
			`}`