From 2f7620458bb0136c285f2f171d4b336f09af7f33 Mon Sep 17 00:00:00 2001 From: yuri Date: Mon, 24 Jul 2023 01:12:36 +0200 Subject: [PATCH] Add janky nginx config with workaround for proxy protocol --- flake.nix | 6 +- hosts/hydra/nginx.nix | 10 + hosts/web-public-2/nginx.nix | 289 +----------------- .../virtualHosts/anisync.grzb.de.nix | 26 ++ .../virtualHosts/birdsite.nekover.se.nix | 26 ++ hosts/web-public-2/virtualHosts/default.nix | 25 ++ .../virtualHosts/element.nekover.se.nix | 33 ++ .../virtualHosts/gameserver.grzb.de.nix | 31 ++ .../web-public-2/virtualHosts/git.grzb.de.nix | 33 ++ .../virtualHosts/matrix.nekover.se.nix | 33 ++ .../virtualHosts/mewtube.nekover.se.nix | 22 ++ .../web-public-2/virtualHosts/nekover.se.nix | 32 ++ .../virtualHosts/nextcloud.grzb.de.nix | 32 ++ .../virtualHosts/social.nekover.se.nix | 26 ++ 14 files changed, 343 insertions(+), 281 deletions(-) create mode 100644 hosts/web-public-2/virtualHosts/anisync.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/default.nix create mode 100644 hosts/web-public-2/virtualHosts/element.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/git.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/matrix.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/nekover.se.nix create mode 100644 hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix create mode 100644 hosts/web-public-2/virtualHosts/social.nekover.se.nix diff --git a/flake.nix b/flake.nix index 820a1dd..7ea666b 100644 --- a/flake.nix +++ b/flake.nix @@ -17,9 +17,9 @@ jackett = { site = "vs"; }; - #hydra = { - # site = "vs"; - #}; + hydra = { + site = "vs"; + }; web-public-2 = { site = "vs"; }; 
diff --git a/hosts/hydra/nginx.nix b/hosts/hydra/nginx.nix index 7756928..e313c2d 100644 --- a/hosts/hydra/nginx.nix +++ b/hosts/hydra/nginx.nix @@ -5,11 +5,16 @@ virtualHosts = { "hydra.nekover.se" = { + forceSSL = true; enableACME = true; listen = [{ + addr = "127.0.0.1"; + port = 1234; + }{ addr = "0.0.0.0"; port = 8443; ssl = true; + proxyProtocol = true; }]; locations."/" = { proxyPass = "http://localhost:3001"; @@ -17,11 +22,16 @@ }; "nix-cache.nekover.se" = { + forceSSL = true; enableACME = true; listen = [{ + addr = "127.0.0.1"; + port = 1234; + }{ addr = "0.0.0.0"; port = 8443; ssl = true; + proxyProtocol = true; }]; locations."/" = { proxyPass = "http://localhost:5005"; diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix index 8d050aa..77d48ac 100644 --- a/hosts/web-public-2/nginx.nix +++ b/hosts/web-public-2/nginx.nix @@ -1,5 +1,9 @@ -{ pkgs, ... }: +{ ... }: { + imports = [ + ./virtualHosts + ]; + services.nginx = { enable = true; @@ -10,13 +14,14 @@ element.nekover.se 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; - hydra.nekover.se hydra.vs.grzb.de:8443; + hydra.nekover.se 10.202.41.121:8443; matrix.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443; - nix-cache.nekover.se hydra.vs.grzb.de:8443; + nix-cache.nekover.se 10.202.41.121:8443; social.nekover.se 127.0.0.1:8443; + test.grzb.de 127.0.0.1:8443; } server { 
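Review bot: The new `proxyProtocol = true;` on the `0.0.0.0:8443` listener (in both the hydra.nekover.se hunk and the nix-cache.nekover.se hunk) makes nginx trust whatever PROXY header the connecting peer sends, and the listener is bound to every interface, so any host that can reach port 8443 — not only web-public-2 — can present an arbitrary client address to these vhosts. Binding the listener to the address the stream map in web-public-2 targets, `addr = "10.202.41.121";`, or restricting 8443 in the firewall to the proxying host would close that gap; whether `set_real_ip_from`/`real_ip_header proxy_protocol` exists for this host is outside the hunk, so I cannot tell if the PROXY address also feeds `$remote_addr` and the access log. The new plain `127.0.0.1:1234` listener has no explanation; if it exists only to give `forceSSL` a non-TLS socket to redirect from, as the "workaround" in the subject suggests, say so: `# plain listener only so forceSSL has a non-SSL socket to redirect from; not reachable by clients`. Both virtualHost bodies continue past their hunks.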
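Review bot: `test.grzb.de 127.0.0.1:8443;` is added to the SNI map but no `test.grzb.de` virtualHost is added anywhere in this commit, so TLS for that name is handed to the local 8443 listener where the first matching server block (presumably an unrelated vhost and its certificate) answers. Either drop the entry or add the vhost in the same change; a dangling map entry is easy to forget and produces certificate mismatches that look like an attack in the logs. The switch from `hydra.vs.grzb.de:8443` to the literal `10.202.41.121:8443` on the two hydra lines is unexplained — if it is because the stream `proxy_pass` resolves hostnames only once at startup, a comment such as `# literal address: stream proxy_pass resolves names once at startup` would say so. The enclosing map starts before the hunk and the `server {` block continues past it.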
@@ -28,280 +33,8 @@ } ''; - virtualHosts = { - "nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/.well-known/matrix/server" = { - return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; - extraConfig = '' - add_header Content-Type application/json; - ''; - }; - locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; - }; - - "anisync.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://anisync.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - ''; - }; - - "birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://nitter.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - }; - - "element.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://element.vs.grzb.de"; - recommendedProxySettings = false; - extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - extraConfig = '' - add_header X-Frame-Options 
SAMEORIGIN; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; - ''; - }; - - "gameserver.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://pterodactyl.vs.grzb.de"; - extraConfig = '' - proxy_redirect off; - proxy_buffering off; - proxy_request_buffering off; - ''; - }; - extraConfig = '' - client_max_body_size 1024m; - add_header X-Content-Type-Options nosniff; - ''; - }; - - "git.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://gitlab.vs.grzb.de:80"; - extraConfig = '' - gzip off; - proxy_read_timeout 300; - proxy_connect_timeout 300; - proxy_redirect off; - ''; - }; - extraConfig = '' - client_max_body_size 1024m; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; - ''; - }; - - "matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://matrix.vs.grzb.de:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size 500M; - ''; - }; - }; - - "mewtube.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - 
locations."/" = { - proxyPass = "http://cloudtube.vs.grzb.de:10412"; - }; - }; - - "nextcloud.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ { - addr = "0.0.0.0"; - port = 80; - }{ - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - locations."/" = { - proxyPass = "http://nextcloud.vs.grzb.de:80"; - }; - locations."= /.well-known/carddav" = { - return = "301 $scheme://$host/remote.php/dav"; - }; - locations."= /.well-known/caldav" = { - return = "301 $scheme://$host/remote.php/dav"; - extraConfig = '' - proxy_read_timeout 3600; - proxy_request_buffering off; - ''; - }; - extraConfig = '' - client_max_body_size 4096m; - ''; - }; - - "social.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "127.0.0.1"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."/" = { - proxyPass = "http://mastodon.vs.grzb.de:80"; - proxyWebsockets = true; - }; - extraConfig = '' - client_max_body_size 80m; - ''; - }; - }; + appendHttpConfig = '' + add_header Strict-Transport-Security "max-age=63072000" always; + ''; }; } diff --git a/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..6ccc410 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + ''; + }; +} 
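Review bot: The HSTS header added via `appendHttpConfig` will not reach every vhost: nginx inherits `add_header` from the enclosing level only when the current server or location declares no `add_header` of its own, and several of the vhosts this commit moves into `virtualHosts/` (anisync, element, gameserver, git) set `add_header` in their `extraConfig`, as do both well-known locations of nekover.se, so those responses carry no Strict-Transport-Security header. Either repeat the HSTS line in every `extraConfig` that uses `add_header`, or emit it from one place nothing overrides. A comment on the new line, `# add_header is NOT inherited by server/location blocks that use add_header themselves`, would keep the next vhost from silently losing it. The enclosing `services.nginx` attribute set starts before the hunk.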
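Review bot: Every new vhost file (this one plus birdsite, element, gameserver, git, matrix, mewtube, nekover.se, nextcloud and social) binds the PROXY-protocol TLS listener to `addr = "localhost";` where the removed code used `"127.0.0.1"`, while the stream map in nginx.nix still targets `127.0.0.1:8443` literally. Resolving `localhost` at config time can yield `::1` as well as `127.0.0.1` depending on /etc/hosts, so the bound socket set is less predictable than the literal; since this is the one listener that accepts an unauthenticated PROXY header, I would keep `addr = "127.0.0.1";` so it is bound exactly where the local stream proxy sends. The identical listen list is also copy-pasted into ten files; factoring it into one shared definition (e.g. via `_module.args`) would stop the copies drifting, with matrix.nekover.se as the one deliberate exception.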
diff --git a/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix new file mode 100644 index 0000000..1bf6ec5 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://nitter.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/default.nix b/hosts/web-public-2/virtualHosts/default.nix new file mode 100644 index 0000000..f6aadad --- /dev/null +++ b/hosts/web-public-2/virtualHosts/default.nix @@ -0,0 +1,25 @@ +{ ... }: +{ + imports = [ + ./anisync.grzb.de.nix + ./birdsite.nekover.se.nix + ./element.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./matrix.nekover.se.nix + ./mewtube.nekover.se.nix + ./nekover.se.nix + ./nextcloud.grzb.de.nix + ./social.nekover.se.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/hosts/web-public-2/virtualHosts/element.nekover.se.nix new file mode 100644 index 0000000..70385d1 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix 
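Review bot: The catch-all `virtualHosts."_"` on `0.0.0.0:80` in default.nix is not marked as the default server, so whether it actually answers requests for unknown or IP-only hostnames depends on nginx picking the first server block for that address:port, which here is decided by the order in which the NixOS module emits the vhosts. Setting `default = true;` on it makes the intent explicit and survives a future vhost sorting earlier. Since every named vhost in this commit also listens on `0.0.0.0:80` with `forceSSL`, this block only serves names no other vhost claims; a one-line comment, `# redirects names no other vhost claims; keep it the explicit default`, would say so.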
@@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."element.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://element.vs.grzb.de"; + recommendedProxySettings = false; + extraConfig = '' + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + }; + extraConfig = '' + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'none'"; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix new file mode 100644 index 0000000..ddb1332 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -0,0 +1,31 @@ +{ ... }: +{ + services.nginx.virtualHosts."gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/hosts/web-public-2/virtualHosts/git.grzb.de.nix new file mode 100644 index 0000000..554421a --- /dev/null +++ b/hosts/web-public-2/virtualHosts/git.grzb.de.nix 
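Review bot: In the `/` location, `proxy_set_header X-Forwarded-For $remote_addr;` forwards the address of the local stream proxy rather than the real client unless this host also configures `real_ip_header proxy_protocol` with `set_real_ip_from` for the 8443 listener — with `proxyProtocol = true` the original peer address lands in `$proxy_protocol_addr`, and `$remote_addr` only follows it when the real-IP module is configured, which is not visible in this commit. The same dependency applies to the vhosts that keep `recommendedProxySettings` (gameserver, git, anisync and the rest), so it is worth confirming once at http level, because logs, rate limiting and any upstream abuse handling would otherwise see the proxy's address for every client. The four `add_header` lines in `extraConfig` look like Element's documented recommendations; a comment naming that source would explain why `X-Frame-Options SAMEORIGIN` sits next to `frame-ancestors 'none'` (the CSP directive wins in browsers that support it).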
@@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix new file mode 100644 index 0000000..82455bf --- /dev/null +++ b/hosts/web-public-2/virtualHosts/matrix.nekover.se.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + services.nginx.virtualHosts."matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://matrix.vs.grzb.de:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size 500M; + ''; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix new file mode 100644 index 0000000..835cb35 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
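Review bot: The location regex `~ ^(/_matrix|/_synapse/client)` forwards only the client/federation paths and leaves `/_synapse/admin` unmatched, which is presumably deliberate; a comment stating that, `# only client/federation APIs; /_synapse/admin is intentionally not exposed`, turns an accidental-looking regex into a documented boundary. The two direct `8448` TLS listeners on `0.0.0.0` and `[::]` bypass the stream proxy and PROXY-protocol path every other vhost uses; since nekover.se's `/.well-known/matrix/server` in this same commit delegates federation to `matrix.nekover.se:443`, peers honouring the delegation never use 8448, so this may be surface that can be dropped or should at least be explained in a comment. The `client_max_body_size 500M` comment refers to `max_upload_size` in homeserver.yaml, which is not in this commit, so I cannot check that the two agree.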
@@ -0,0 +1,22 @@ +{ ... }: +{ + services.nginx.virtualHosts."mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/nekover.se.nix b/hosts/web-public-2/virtualHosts/nekover.se.nix new file mode 100644 index 0000000..58847cd --- /dev/null +++ b/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -0,0 +1,32 @@ +{ ... }: +{ + services.nginx.virtualHosts."nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/.well-known/matrix/server" = { + return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; + extraConfig = '' + add_header Content-Type application/json; + ''; + }; + locations."/.well-known/matrix/client" = { + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + ''; + }; + }; +} diff --git a/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix new file mode 100644 index 0000000..7a3f7d2 --- /dev/null +++ b/hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix 
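Review bot: In nekover.se.nix the `/.well-known/matrix/server` location sets the content type with `add_header Content-Type application/json;` while the client location below uses `default_type application/json;`; with `return 200`, nginx already emits a Content-Type derived from `default_type` (text/plain unless changed), so the first location appears to send a second Content-Type header alongside it, whereas `default_type` replaces it. Use `default_type application/json;` in both locations. Both `add_header` uses also stop these locations from inheriting any `add_header` defined at server or http level (such as the HSTS header this commit adds in nginx.nix), which is acceptable for JSON well-known responses but worth a one-line comment.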
@@ -0,0 +1,32 @@ +{ ... }: +{ + services.nginx.virtualHosts."nextcloud.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ { + addr = "0.0.0.0"; + port = 80; + }{ + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + locations."/" = { + proxyPass = "http://nextcloud.vs.grzb.de:80"; + }; + locations."= /.well-known/carddav" = { + return = "301 $scheme://$host/remote.php/dav"; + }; + locations."= /.well-known/caldav" = { + return = "301 $scheme://$host/remote.php/dav"; + extraConfig = '' + proxy_read_timeout 3600; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 4096m; + ''; + }; +} diff --git a/hosts/web-public-2/virtualHosts/social.nekover.se.nix b/hosts/web-public-2/virtualHosts/social.nekover.se.nix new file mode 100644 index 0000000..5024b8f --- /dev/null +++ b/hosts/web-public-2/virtualHosts/social.nekover.se.nix @@ -0,0 +1,26 @@ +{ ... }: +{ + services.nginx.virtualHosts."social.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "localhost"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + locations."/" = { + proxyPass = "http://mastodon.vs.grzb.de:80"; + proxyWebsockets = true; + }; + extraConfig = '' + client_max_body_size 80m; + ''; + }; +}
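Review bot: The `proxy_read_timeout 3600;` and `proxy_request_buffering off;` in the `= /.well-known/caldav` location of nextcloud.grzb.de.nix have no effect there, because that location only issues a `return 301` and never proxies; they belong in the `/` location that proxies to nextcloud.vs.grzb.de, where long syncs and large uploads actually happen (the server-level `client_max_body_size 4096m` suggests that is the intent). Moving the two lines into `locations."/".extraConfig` makes them active, after which the caldav and carddav locations should be identical. This is moved rather than new config, but the move is the right moment to fix it.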