Add config for public reverse proxy

configuration/common/default.nix

@@ -48,6 +48,7 @@
   security.acme = {
     defaults.email = "acme@grzb.de";
     acceptTerms = true;
+    preliminarySelfsigned = true;
   };
 
   services.fstrim.enable = true;

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1689534811,
+        "lastModified": 1689679375,
-        "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
+        "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
+        "rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
         "type": "github"
       },
       "original": {

flake.nix

@@ -20,6 +20,9 @@
       #hydra = {
       #  site = "vs";
       #};
+      web-public-2 = {
+        site = "vs";
+      };
     };
 
     generateColmenaHost = name: host : {

hosts/web-public-2/configuration.nix

@@ -5,8 +5,20 @@
     device = "/dev/vda";
   };
 
-  networking = {
+  networking = {    
-    hostName = "web-public-02";
+    interfaces = {
+      "enp6s18".ipv6.addresses = [{
+        address = "2001:470:5429::96";
+        prefixLength = 64;
+      }];
+    };
+
+    defaultGateway6 = {
+      address = "2001:470:5429::1";
+      interface = "enp6s18";
+    };
+
+    hostName = "web-public-2";
     firewall.enable = false;
   };
 

hosts/web-public-2/nginx.nix

@@ -1,6 +1,307 @@
-{ ... }:
+{ pkgs, ... }:
 {
   services.nginx = {
     enable = true;
+
+    streamConfig = ''
+      map $ssl_preread_server_name $address {
+        anisync.grzb.de 127.0.0.1:8443;
+        birdsite.nekover.se 127.0.0.1:8443;
+        element.nekover.se 127.0.0.1:8443;
+        gameserver.grzb.de 127.0.0.1:8443;
+        git.grzb.de 127.0.0.1:8443;
+        hydra.nekover.se hydra.vs.grzb.de:8443;
+        matrix.nekover.se 127.0.0.1:8443;
+        mewtube.nekover.se 127.0.0.1:8443;
+        nekover.se 127.0.0.1:8443;
+        nextcloud.grzb.de 127.0.0.1:8443;
+        nix-cache.nekover.se hydra.vs.grzb.de:8443;
+        social.nekover.se 127.0.0.1:8443;
+      }
+
+      server {
+        listen 0.0.0.0:443;
+        listen [::]:443;
+        proxy_pass $address;
+        ssl_preread on;
+        proxy_protocol on;
+      }
+    '';
+
+    virtualHosts = {
+      "nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/.well-known/matrix/server" = {
+          return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
+          extraConfig = ''
+            add_header Content-Type application/json;
+          '';
+        };
+        locations."/.well-known/matrix/client" = {
+          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin *;
+          '';
+        };
+      };
+
+      "anisync.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://anisync.vs.grzb.de:8080";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          add_header X-Content-Type-Options nosniff;
+        '';
+      };
+
+      "birdsite.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://nitter.vs.grzb.de:8080";
+          proxyWebsockets = true;
+        };
+        locations."/robots.txt" = {
+          return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+        };
+      };
+
+      "element.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://element.vs.grzb.de";
+          recommendedProxySettings = false;
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+        extraConfig = ''
+          add_header X-Frame-Options SAMEORIGIN;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header Content-Security-Policy "frame-ancestors 'none'";
+        '';
+      };
+
+      "gameserver.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://pterodactyl.vs.grzb.de";
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_buffering off;
+            proxy_request_buffering off;
+          '';
+        };
+        extraConfig = ''
+          client_max_body_size 1024m;
+          add_header X-Content-Type-Options nosniff;
+        '';
+      };
+
+      "git.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://gitlab.vs.grzb.de:80";
+          extraConfig = ''
+            gzip off;
+            proxy_read_timeout      300;
+            proxy_connect_timeout   300;
+            proxy_redirect          off;
+          '';
+        };
+        extraConfig = ''
+          client_max_body_size 1024m;
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+        '';
+      };
+
+      "matrix.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."~ ^(/_matrix|/_synapse/client)" = {
+          proxyPass = "http://matrix.vs.grzb.de:8008";
+          extraConfig = ''
+            # Nginx by default only allows file uploads up to 1M in size
+            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+            client_max_body_size 500M;
+          '';
+        };
+      };
+
+      "mewtube.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://cloudtube.vs.grzb.de:10412";
+        };
+      };
+
+      "nextcloud.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [          {
+            addr = "0.0.0.0";
+            port = 80;
+          }{
+          addr = "127.0.0.1";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://nextcloud.vs.grzb.de:80";
+        };
+        locations."= /.well-known/carddav" = {
+          return = "301 $scheme://$host/remote.php/dav";
+        };
+        locations."= /.well-known/caldav" = {
+          return = "301 $scheme://$host/remote.php/dav";
+          extraConfig = ''
+            proxy_read_timeout 3600;
+            proxy_request_buffering off;
+          '';
+        };
+        extraConfig = ''
+          client_max_body_size 4096m;
+        '';
+      };
+
+      "social.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://mastodon.vs.grzb.de:80";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          client_max_body_size 80m;
+        '';
+      };
+    };
   };
 }

users/colmena-deploy/default.nix

@@ -6,6 +6,7 @@
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
     ];
   };
 }

users/yuri/default.nix

@@ -5,6 +5,7 @@
     extraGroups = [ "wheel" ];
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
     ];
   };
 }