Setup mail server and restructure some things

2023-09-14 14:43:49 +02:00 · 2023-09-14 14:43:49 +02:00 · ba93d164cf
commit ba93d164cf
parent 4c382e629d
90 changed files with 512 additions and 66 deletions
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -0,0 +1,57 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."jellyfin.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://jellyfin.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."mail-1.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://mail-1.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."matrix.nekover.se" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://matrix.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."netbox.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://netbox.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."grafana.grzb.de" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://metrics.vs.grzb.de:80";
+    };
+  };
+  services.nginx.virtualHosts."turn.nekover.se" = {
+    listen = [{ 
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://coturn.vs.grzb.de:80";
+    };
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
@ -0,0 +1,26 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."anisync.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://anisync.vs.grzb.de:8080";
+      proxyWebsockets = true;
+    };
+    extraConfig = ''
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/default.nix
+++ b/config/hosts/web-public-2/virtualHosts/default.nix
@ -0,0 +1,23 @@
+{ ... }:
+{
+  imports = [
+    ./acme-challenge.nix
+    ./anisync.grzb.de.nix
+    ./element.nekover.se.nix
+    ./gameserver.grzb.de.nix
+    ./git.grzb.de.nix
+    ./mewtube.nekover.se.nix
+    ./nekover.se.nix
+    ./social.nekover.se.nix
+  ];
+
+  services.nginx.virtualHosts."_" = {
+    listen = [{
+        addr = "0.0.0.0";
+        port = 80;
+    }];
+    locations."/" = {
+			return = "301 https://$host$request_uri";
+		};
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
+++ b/config/hosts/web-public-2/virtualHosts/element-web-config/config.json
@ -0,0 +1,48 @@
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://matrix.nekover.se",
+            "server_name": "Nekoverse"
+        },
+        "m.identity_server": {
+            "base_url": "https://vector.im"
+        }
+    },
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+    "uisi_autorageshake_app": "element-auto-uisi",
+    "defaultCountryCode": "DE",
+    "showLabsSettings": true,
+    "features": { },
+    "default_federate": true,
+    "default_theme": "dark",
+    "roomDirectory": {
+        "servers": [
+            "matrix.org"
+        ]
+    },
+    "piwik": false,
+    "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+    },
+    "settingDefaults": {
+        "breadcrumbs": true
+    },
+    "jitsi": {
+        "preferredDomain": "meet.element.io"
+    }
+}
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@ -0,0 +1,83 @@
+{ pkgs, ... }:
+let
+  element-web = pkgs.fetchzip {
+    url = "https://github.com/vector-im/element-web/releases/download/v1.11.40/element-v1.11.40.tar.gz";
+    sha256 = "sha256-IZ1FjT9fAv6wDfgLcCLBHwg6iXGXC4E0/2/67hArD4w=";
+  };
+in
+{
+  services.nginx.virtualHosts."element.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    root = pkgs.buildEnv {
+      name = "element-web";
+      paths = [
+        element-web
+        ./element-web-config
+      ];
+    };
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+
+    # Set no-cache for the version, config and index.html
+    # so that browsers always check for a new copy of Element Web.
+    # NB http://your-domain/ and http://your-domain/? are also covered by this
+
+    locations."= /index.html" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    locations."= /version" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    # covers config.json and config.hostname.json requests as it is prefix.
+    locations."/config" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    extraConfig = ''
+      index  index.html;
+
+		  # Configuration best practices
+		  # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+      add_header X-Frame-Options SAMEORIGIN;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header Content-Security-Policy "frame-ancestors 'none'";
+
+      add_header Strict-Transport-Security "max-age=63072000" always;
+
+      # redirect server error pages to the static page /50x.html
+      error_page   500 502 503 504  /50x.html;
+    '';
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
@ -0,0 +1,31 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."gameserver.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://pterodactyl.vs.grzb.de";
+      extraConfig = ''
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_request_buffering off;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 1024m;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
@ -0,0 +1,33 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."git.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://gitlab.vs.grzb.de:80";
+      extraConfig = ''
+        gzip off;
+        proxy_read_timeout      300;
+        proxy_connect_timeout   300;
+        proxy_redirect          off;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 1024m;
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+    '';
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
@ -0,0 +1,22 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."mewtube.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://cloudtube.vs.grzb.de:10412";
+    };
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -0,0 +1,32 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/.well-known/matrix/server" = {
+      return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
+      extraConfig = ''
+        add_header Content-Type application/json;
+      '';
+    };
+    locations."/.well-known/matrix/client" = {
+      return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+      extraConfig = ''
+        default_type application/json;
+        add_header Access-Control-Allow-Origin *;
+      '';
+    };
+  };
+}
--- a/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/social.nekover.se.nix
@ -0,0 +1,26 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."social.nekover.se" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [
+      { 
+        addr = "localhost";
+        port = 1234;
+      } # workaround for enableACME check
+      {
+        addr = "localhost";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+    locations."/" = {
+      proxyPass = "http://mastodon.vs.grzb.de:80";
+      proxyWebsockets = true;
+    };
+    extraConfig = ''
+      client_max_body_size 80m;
+    '';
+  };
+}