fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add janky nginx config with workaround for proxy protocol

Browse source
This commit is contained in:
fi 2023-07-24 01:12:36 +02:00
commit ecfe325c9c
Signed by: fi
SSH key fingerprint: SHA256:d+6fQoDPMbSFK95zRVflRKZLRKF4cPSQb7VIxYkhFsA
14 changed files with 343 additions and 281 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.nix
View file

@ -17,9 +17,9 @@
jackett = { jackett = {
site = "vs"; site = "vs";
}; };
#hydra = { hydra = {
# site = "vs"; site = "vs";
#}; };
web-public-2 = { web-public-2 = {
site = "vs"; site = "vs";
}; };

10
hosts/hydra/nginx.nix
View file

@ -5,11 +5,16 @@
virtualHosts = { virtualHosts = {
"hydra.nekover.se" = { "hydra.nekover.se" = {
forceSSL = true;
enableACME = true; enableACME = true;
listen = [{ listen = [{
addr = "127.0.0.1";
port = 1234;
}{
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true;
}]; }];
locations."/" = { locations."/" = {
proxyPass = "http://localhost:3001"; proxyPass = "http://localhost:3001";
@ -17,11 +22,16 @@
}; };
"nix-cache.nekover.se" = { "nix-cache.nekover.se" = {
forceSSL = true;
enableACME = true; enableACME = true;
listen = [{ listen = [{
addr = "127.0.0.1";
port = 1234;
}{
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true;
}]; }];
locations."/" = { locations."/" = {
proxyPass = "http://localhost:5005"; proxyPass = "http://localhost:5005";

287
hosts/web-public-2/nginx.nix
View file

@ -1,5 +1,9 @@
{ pkgs, ... }: { ... }:
{ {
imports = [
./virtualHosts
];
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -10,13 +14,14 @@
element.nekover.se 127.0.0.1:8443; element.nekover.se 127.0.0.1:8443;
gameserver.grzb.de 127.0.0.1:8443; gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443;
hydra.nekover.se hydra.vs.grzb.de:8443; hydra.nekover.se 10.202.41.121:8443;
matrix.nekover.se 127.0.0.1:8443; matrix.nekover.se 127.0.0.1:8443;
mewtube.nekover.se 127.0.0.1:8443; mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443;
nextcloud.grzb.de 127.0.0.1:8443; nextcloud.grzb.de 127.0.0.1:8443;
nix-cache.nekover.se hydra.vs.grzb.de:8443; nix-cache.nekover.se 10.202.41.121:8443;
social.nekover.se 127.0.0.1:8443; social.nekover.se 127.0.0.1:8443;
test.grzb.de 127.0.0.1:8443;
} }
server { server {
@ -28,280 +33,8 @@
} }
''; '';
virtualHosts = { appendHttpConfig = ''
"nekover.se" = { add_header Strict-Transport-Security "max-age=63072000" always;
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
extraConfig = ''
add_header Content-Type application/json;
''; '';
}; };
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
};
"anisync.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://anisync.vs.grzb.de:8080";
proxyWebsockets = true;
};
extraConfig = ''
add_header X-Content-Type-Options nosniff;
'';
};
"birdsite.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://nitter.vs.grzb.de:8080";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /\\n\"";
};
};
"element.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://element.vs.grzb.de";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
extraConfig = ''
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
'';
};
"gameserver.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://pterodactyl.vs.grzb.de";
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Content-Type-Options nosniff;
'';
};
"git.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://gitlab.vs.grzb.de:80";
extraConfig = ''
gzip off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
"matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://matrix.vs.grzb.de:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 500M;
'';
};
};
"mewtube.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://cloudtube.vs.grzb.de:10412";
};
};
"nextcloud.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [ {
addr = "0.0.0.0";
port = 80;
}{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
proxyPass = "http://nextcloud.vs.grzb.de:80";
};
locations."= /.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
locations."= /.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
extraConfig = ''
proxy_read_timeout 3600;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 4096m;
'';
};
"social.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://mastodon.vs.grzb.de:80";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 80m;
'';
};
};
};
} }

26
hosts/web-public-2/virtualHosts/anisync.grzb.de.nix Normal file
View file

@ -0,0 +1,26 @@
{ ... }:
{
services.nginx.virtualHosts."anisync.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://anisync.vs.grzb.de:8080";
proxyWebsockets = true;
};
extraConfig = ''
add_header X-Content-Type-Options nosniff;
'';
};
}

26
hosts/web-public-2/virtualHosts/birdsite.nekover.se.nix Normal file
View file

@ -0,0 +1,26 @@
{ ... }:
{
services.nginx.virtualHosts."birdsite.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://nitter.vs.grzb.de:8080";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /\\n\"";
};
};
}

25
hosts/web-public-2/virtualHosts/default.nix Normal file
View file

@ -0,0 +1,25 @@
{ ... }:
{
imports = [
./anisync.grzb.de.nix
./birdsite.nekover.se.nix
./element.nekover.se.nix
./gameserver.grzb.de.nix
./git.grzb.de.nix
./matrix.nekover.se.nix
./mewtube.nekover.se.nix
./nekover.se.nix
./nextcloud.grzb.de.nix
./social.nekover.se.nix
];
services.nginx.virtualHosts."_" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
return = "301 https://$host$request_uri";
};
};
}

33
hosts/web-public-2/virtualHosts/element.nekover.se.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
services.nginx.virtualHosts."element.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://element.vs.grzb.de";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
extraConfig = ''
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
'';
};
}

31
hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix Normal file
View file

@ -0,0 +1,31 @@
{ ... }:
{
services.nginx.virtualHosts."gameserver.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://pterodactyl.vs.grzb.de";
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Content-Type-Options nosniff;
'';
};
}

33
hosts/web-public-2/virtualHosts/git.grzb.de.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
services.nginx.virtualHosts."git.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://gitlab.vs.grzb.de:80";
extraConfig = ''
gzip off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
}

33
hosts/web-public-2/virtualHosts/matrix.nekover.se.nix Normal file
View file

@ -0,0 +1,33 @@
{ ... }:
{
services.nginx.virtualHosts."matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://matrix.vs.grzb.de:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 500M;
'';
};
};
}

22
hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix Normal file
View file

@ -0,0 +1,22 @@
{ ... }:
{
services.nginx.virtualHosts."mewtube.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://cloudtube.vs.grzb.de:10412";
};
};
}

32
hosts/web-public-2/virtualHosts/nekover.se.nix Normal file
View file

@ -0,0 +1,32 @@
{ ... }:
{
services.nginx.virtualHosts."nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
extraConfig = ''
add_header Content-Type application/json;
'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
};
}

32
hosts/web-public-2/virtualHosts/nextcloud.grzb.de.nix Normal file
View file

@ -0,0 +1,32 @@
{ ... }:
{
services.nginx.virtualHosts."nextcloud.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [ {
addr = "0.0.0.0";
port = 80;
}{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
proxyPass = "http://nextcloud.vs.grzb.de:80";
};
locations."= /.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
locations."= /.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
extraConfig = ''
proxy_read_timeout 3600;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 4096m;
'';
};
}

26
hosts/web-public-2/virtualHosts/social.nekover.se.nix Normal file
View file

@ -0,0 +1,26 @@
{ ... }:
{
services.nginx.virtualHosts."social.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "localhost";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://mastodon.vs.grzb.de:80";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 80m;
'';
};
}