From fe86c128ed6df25dfbe87ae405cedcbbdc5b9d89 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 7 Apr 2026 21:32:12 +0200
Subject: [PATCH 1/3] Put matrix federation behind reverse proxy

---
 config/hosts/matrix/nginx.nix | 25 +++++++++++++++++++------
 config/hosts/valkyrie/configuration.nix | 2 +-
 config/hosts/valkyrie/nginx.nix | 5 +++++
 config/hosts/web-public-2/nginx.nix | 5 +++++
 4 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index c9548b2..0e419bc 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -11,10 +11,17 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 {
 addr = "0.0.0.0";
 port = 8448;
 ssl = true;
+ proxyProtocol = true;
 }
 ];
 locations = {
@@ -49,8 +56,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -64,6 +69,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations = {
 "/" = {
@@ -79,8 +90,6 @@
 };
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
@@ -94,6 +103,12 @@
 addr = "0.0.0.0";
 port = 80;
 }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
 ];
 locations."^~ /livekit/jwt/" = {
 proxyPass = "http://localhost:8082/";
@@ -103,8 +118,6 @@
 proxyWebsockets = true;
 };
 extraConfig = ''
- listen 0.0.0.0:8443 http2 ssl proxy_protocol;
-
 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
 set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
 real_ip_header proxy_protocol;
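Review bot: The removed `listen 0.0.0.0:8443 http2 ssl proxy_protocol;` line in the `@@ -49,8 +56,6 @@` hunk carried `http2`, and the replacement `listen` entries added in `@@ -11,10 +11,17 @@` have no equivalent, so HTTP/2 on 8443 now rests on the virtualHost-level `http2` option, which I believe the NixOS nginx module enables by default; worth confirming, and setting `http2 = true;` explicitly if it matters, and the same applies to the `@@ -79,8 +90,6 @@` and `@@ -103,8 +118,6 @@` hunks. Separately, `proxyProtocol = true;` on the 8448 listener means any federation peer that reaches this host directly instead of through valkyrie or web-public-2 will now fail the handshake, so the delegation for this server name has to point at the proxies. A comment on that entry such as `# federation is TCP-proxied from valkyrie/web-public-2 with PROXY protocol (see their stream blocks); direct connections are rejected` would record the dependency. The `set_real_ip_from` lines are kept, so only the two proxy addresses can rewrite the client address, which is the right scope for `real_ip_header proxy_protocol`.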
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index aca6e04..e581f8c 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -7,7 +7,7 @@
 nftables.enable = true;
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 ];
+ allowedTCPPorts = [ 80 443 8448 ];
 allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
 };
 wireguard = {
diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix
index dae48ad..ab96419 100644
--- a/config/hosts/valkyrie/nginx.nix
+++ b/config/hosts/valkyrie/nginx.nix
@@ -58,6 +58,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen [::]:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 '';
 };
 }
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 1e51d61..01d6fae 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -38,6 +38,11 @@
 ssl_preread on;
 proxy_protocol on;
 }
+ server {
+ listen 0.0.0.0:8448;
+ proxy_pass 10.202.41.112:8448; # matrix federation port
+ proxy_protocol on;
+ }
 }
 '';
 

From f19436b1786c70af02a8edd58755d3cb1e4b2788 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 7 Apr 2026 21:51:50 +0200
Subject: [PATCH 2/3] Allow proxy protocol to reverse proxy

---
 config/hosts/web-public-2/configuration.nix | 2 +-
 .../virtualHosts/element.nekover.se.nix | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix
index 94e74b6..e942787 100644
--- a/config/hosts/web-public-2/configuration.nix
+++ b/config/hosts/web-public-2/configuration.nix
@@ -21,7 +21,7 @@
 hostName = "web-public-2";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 443 5000 8448 ];
+ allowedTCPPorts = [ 80 443 5000 8443 8448 ];
 };
 };
 
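Review bot: `allowedTCPPorts = [ 80 443 8448 ];` opens 8448 on every interface and both address families, while the matching stream server added in `config/hosts/valkyrie/nginx.nix` in this patch listens only on `[::]:8448`, so the IPv4 half of this rule admits traffic to a port nothing is bound to. That is harmless on its own, but the port list gives no hint why 8448 is there or that it is IPv6-only by design; with `nftables.enable = true;` just above, `networking.firewall.extraInputRules` could express the narrower rule, or at minimum the entry should be annotated: `allowedTCPPorts = [ 80 443 8448 ]; # 8448: matrix federation, forwarded to the matrix host by the nginx stream block (IPv6 entry only)`.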
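Review bot: The new `server` block forwards every connection on 8448 to `10.202.41.112:8448` with `proxy_protocol on;`, so it only works while the matrix host's 8448 listener keeps the `proxyProtocol = true;` added to `config/hosts/matrix/nginx.nix` in this same patch, and nothing records that coupling; the `@@ -38,6 +38,11 @@` hunk in `config/hosts/web-public-2/nginx.nix` has the same gap. A comment on the `proxy_protocol on;` line such as `# backend requires PROXY protocol: keep in sync with proxyProtocol = true on the matrix host's 8448 listener and its set_real_ip_from list` would make a later edit to either side less likely to break federation silently. The backend address is also repeated as a literal in web-public-2's SNI map; one Nix binding shared by the two stream files would remove the duplication. Unlike the preceding `server` block there is no `ssl_preread`, which is fine for a single fixed backend, but it is worth a one-line comment saying TLS is terminated on the matrix host, not here.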
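Review bot: Adding 8443 to `allowedTCPPorts` opens this host's PROXY-protocol vhost listeners on every interface, including the public one, although the only peer that should reach `0.0.0.0:8443` is this host's own stream proxy (the SNI map targets `127.0.0.1:8443` at this point in the series and `10.202.41.100:8443` after patch 3). A connection arriving on 8443 directly skips the SNI dispatch and brings its own PROXY header, and whether that header is honoured then depends solely on each vhost's `set_real_ip_from` list, which the series does not show for web-public-2. If the exception exists because the proxy connects to the host's own `10.202.41.100` address, scope it to that address's interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8443 ];` (`<iface>` is a placeholder) instead of the global list, or keep the loopback target in the map and leave 8443 closed.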
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 6e61d6c..23a3212 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -27,12 +27,18 @@ in
 ./element-web-config
 ];
 };
- listen = [{
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
 
 # Set no-cache for the version, config and index.html
 # so that browsers always check for a new copy of Element Web.

From f73990a4278b861ffc5a0077f81b15c0b32f4c24 Mon Sep 17 00:00:00 2001
From: fi
Date: Tue, 7 Apr 2026 22:20:28 +0200
Subject: [PATCH 3/3] WIP

---
 config/hosts/web-public-2/nginx.nix | 6 +++---
 .../virtualHosts/element.nekover.se.nix | 18 ++++++------------
 .../web-public-2/virtualHosts/nekover.se.nix | 2 +-
 3 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 01d6fae..3217be8 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -17,8 +17,8 @@ stream {
 
 map $ssl_preread_server_name $address {
 cloud.nekover.se 10.202.41.122:8443;
- element.nekover.se 127.0.0.1:8443;
- element-admin.nekover.se 127.0.0.1:8443;
+ element.nekover.se 10.202.41.100:8443;
+ element-admin.nekover.se 10.202.41.100:8443;
 fi.nekover.se 10.202.41.125:8443;
 git.nekover.se 10.202.41.106:8443;
 hydra.nekover.se 10.202.41.121:8443;
@@ -26,7 +26,7 @@
 mas.nekover.se 10.202.41.112:8443;
 matrix.nekover.se 10.202.41.112:8443;
 matrix-rtc.nekover.se 10.202.41.112:8443;
- nekover.se 127.0.0.1:8443;
+ nekover.se 10.202.41.100:8443;
 mesh.nekover.se 10.202.41.126:8443;
 nix-cache.nekover.se 10.202.41.121:8443;
 searx.nekover.se 10.202.41.105:8443;
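Review bot: The new port 80 entry in the `listen` list carries no `proxyProtocol`, so if the stream proxy or the public entry hosts ever forward port 80 with PROXY protocol this plain listener will reject the connection, and if they do not, the vhost is reachable on 80 without the real-IP handling the 8443 entry gets; nothing in the hunk says which is intended. Patch 3 of this series then reverts this hunk byte-for-byte (`index 23a3212..6e61d6c`), so the series' net change to this file is empty and both hunks could be dropped when squashing. If the port 80 listener is meant to stay, a one-line comment on it stating who connects there and why it needs no PROXY protocol would settle the question for the next reader.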
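Review bot: Pointing `element.nekover.se`, `element-admin.nekover.se` and `nekover.se` at `10.202.41.100:8443` instead of `127.0.0.1:8443` routes the locally terminated vhosts through the host's own non-loopback address, which is presumably why 8443 was opened in the firewall in patch 2 and why `nekover.se.nix` is moved to `0.0.0.0` in this patch; the reason, likely so the PROXY source address matches an existing `set_real_ip_from 10.202.41.100` entry, is not stated. A comment on the first changed line, such as `# own address rather than loopback so the PROXY source is 10.202.41.100 and matches set_real_ip_from on the vhosts`, would record it, and the address could be one Nix binding reused by the three entries and by the 8448 `server` block rather than repeated literals (the `@@ -26,7 +26,7 @@` hunk has the same literal). If the goal can instead be met by adding `127.0.0.1` to the affected vhosts' real-IP trust list, the loopback targets can stay and 8443 need not be reachable from outside the host at all.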
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 23a3212..6e61d6c 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -27,18 +27,12 @@ in
 ./element-web-config
 ];
 };
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = ["proxy_protocol"];
+ }];
 
 # Set no-cache for the version, config and index.html
 # so that browsers always check for a new copy of Element Web.
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 233a49c..4629365 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -4,7 +4,7 @@
 forceSSL = true;
 enableACME = true;
 listen = [{
- addr = "localhost";
+ addr = "0.0.0.0";
 port = 8443;
 ssl = true;
 extraParameters = ["proxy_protocol"];
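Review bot: Changing `addr` from `"localhost"` to `"0.0.0.0"` makes this PROXY-protocol listener bind on every interface, and together with the 8443 firewall exception added in patch 2 it is now reachable from outside the host, bypassing the SNI dispatch in the stream block. If the listener only needs to accept the stream proxy's connections to `10.202.41.100:8443` (the address the matrix host's real-IP list labels as web-public-2), binding to that address with `addr = "10.202.41.100";` keeps it off the public interface while still matching the new map entry. This vhost also keeps `extraParameters = ["proxy_protocol"]` while the others in this series moved to `proxyProtocol = true;`, so aligning the two would avoid having the same setting spelled two ways. The patch is titled WIP, so some of this may already be on the author's list.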