Setup mail server and restructure some things

config/hosts/web-public-2/configuration.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {    
+    interfaces = {
+      "enp6s18".ipv6.addresses = [{
+        address = "2001:470:5429::96";
+        prefixLength = 64;
+      }];
+    };
+
+    defaultGateway6 = {
+      address = "2001:470:5429::1";
+      interface = "enp6s18";
+    };
+
+    hostName = "web-public-2";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 5000 8448 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}

config/hosts/web-public-2/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+  ];
+}

config/hosts/web-public-2/nginx.nix

@@ -0,0 +1,40 @@
+{ ... }:
+{
+  imports = [
+    ./virtualHosts
+  ];
+
+  services.nginx = {
+    enable = true;
+
+    streamConfig = ''
+      map $ssl_preread_server_name $address {
+        anisync.grzb.de 127.0.0.1:8443;
+        birdsite.nekover.se 10.202.41.107:8443;
+        cloud.nekover.se 10.202.41.122:8443;
+        element.nekover.se 127.0.0.1:8443;
+        gameserver.grzb.de 127.0.0.1:8443;
+        git.grzb.de 127.0.0.1:8443;
+        hydra.nekover.se 10.202.41.121:8443;
+        matrix.nekover.se 10.202.41.112:8443;
+        mewtube.nekover.se 127.0.0.1:8443;
+        nekover.se 127.0.0.1:8443;
+        nextcloud.grzb.de 127.0.0.1:8443;
+        nix-cache.nekover.se 10.202.41.121:8443;
+        social.nekover.se 127.0.0.1:8443;
+      }
+
+      server {
+        listen 0.0.0.0:443;
+        listen [::]:443;
+        proxy_pass $address;
+        ssl_preread on;
+        proxy_protocol on;
+      }
+    '';
+
+    appendHttpConfig = ''
+      add_header Strict-Transport-Security "max-age=63072000" always;
+    '';
+  };
+}

config/hosts/web-public-2/virtualHosts/acme-challenge.nix

@@ -0,0 +1,57 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."jellyfin.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://jellyfin.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."mail-1.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://mail-1.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."matrix.nekover.se" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://matrix.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."netbox.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://netbox.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."grafana.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://metrics.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."turn.nekover.se" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://coturn.vs.grzb.de:80";
+    };
+  };
+}

config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."anisync.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://anisync.vs.grzb.de:8080";
+      proxyWebsockets = true;
+    };
+    extraConfig = ''
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+}

config/hosts/web-public-2/virtualHosts/default.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  imports = [
+    ./acme-challenge.nix
+    ./anisync.grzb.de.nix
+    ./element.nekover.se.nix
+    ./gameserver.grzb.de.nix
+    ./git.grzb.de.nix
+    ./mewtube.nekover.se.nix
+    ./nekover.se.nix
+    ./social.nekover.se.nix
+  ];
+
+  services.nginx.virtualHosts."_" = {
+    listen = [{
+        addr = "0.0.0.0";
+        port = 80;
+    }];
+    locations."/" = {
+			return = "301 https://$host$request_uri";
+		};
+  };
+}

config/hosts/web-public-2/virtualHosts/element-web-config/config.json

@@ -0,0 +1,48 @@
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://matrix.nekover.se",
+            "server_name": "Nekoverse"
+        },
+        "m.identity_server": {
+            "base_url": "https://vector.im"
+        }
+    },
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+    "uisi_autorageshake_app": "element-auto-uisi",
+    "defaultCountryCode": "DE",
+    "showLabsSettings": true,
+    "features": { },
+    "default_federate": true,
+    "default_theme": "dark",
+    "roomDirectory": {
+        "servers": [
+            "matrix.org"
+        ]
+    },
+    "piwik": false,
+    "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+    },
+    "settingDefaults": {
+        "breadcrumbs": true
+    },
+    "jitsi": {
+        "preferredDomain": "meet.element.io"
+    }
+}

config/hosts/web-public-2/virtualHosts/element.nekover.se.nix

@@ -0,0 +1,83 @@
+{ pkgs, ... }:
+let
+  element-web = pkgs.fetchzip {
+    url = "https://github.com/vector-im/element-web/releases/download/v1.11.40/element-v1.11.40.tar.gz";
+    sha256 = "sha256-IZ1FjT9fAv6wDfgLcCLBHwg6iXGXC4E0/2/67hArD4w=";
+  };
+in
+{
+  services.nginx.virtualHosts."element.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    root = pkgs.buildEnv {
+      name = "element-web";
+      paths = [
+        element-web
+        ./element-web-config
+      ];
+    };
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+
+    # Set no-cache for the version, config and index.html
+    # so that browsers always check for a new copy of Element Web.
+    # NB http://your-domain/ and http://your-domain/? are also covered by this
+
+    locations."= /index.html" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    locations."= /version" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    # covers config.json and config.hostname.json requests as it is prefix.
+    locations."/config" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    extraConfig = ''
+      index  index.html;
+
+		  # Configuration best practices
+		  # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+      add_header X-Frame-Options SAMEORIGIN;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header Content-Security-Policy "frame-ancestors 'none'";
+
+      add_header Strict-Transport-Security "max-age=63072000" always;
+
+      # redirect server error pages to the static page /50x.html
+      error_page   500 502 503 504  /50x.html;
+    '';
+  };
+}

config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix

@@ -0,0 +1,31 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."gameserver.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://pterodactyl.vs.grzb.de";
+      extraConfig = ''
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_request_buffering off;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 1024m;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+}

config/hosts/web-public-2/virtualHosts/git.grzb.de.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."git.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://gitlab.vs.grzb.de:80";
+      extraConfig = ''
+        gzip off;
+        proxy_read_timeout      300;
+        proxy_connect_timeout   300;
+        proxy_redirect          off;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 1024m;
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+}

config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix

@@ -0,0 +1,22 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."mewtube.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://cloudtube.vs.grzb.de:10412";
+    };
+  };
+}

config/hosts/web-public-2/virtualHosts/nekover.se.nix

@@ -0,0 +1,32 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/.well-known/matrix/server" = {
+      return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
+      extraConfig = ''
+        add_header Content-Type application/json;
+      '';
+    };
+    locations."/.well-known/matrix/client" = {
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
+  };
+}

config/hosts/web-public-2/virtualHosts/social.nekover.se.nix

@@ -0,0 +1,26 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."social.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://mastodon.vs.grzb.de:80";
+      proxyWebsockets = true;
+    };
+    extraConfig = ''
+      client_max_body_size 80m;
+    '';
+  };
+}