
3 commits

Author SHA1 Message Date
fi
f73990a427
WIP 2026-04-07 22:59:15 +02:00
fi
f19436b178
Allow proxy protocol to reverse proxy 2026-04-07 22:03:15 +02:00
fi
fe86c128ed
Put matrix federation behind reverse proxy 2026-04-07 21:32:12 +02:00
6 changed files with 35 additions and 12 deletions


@ -11,10 +11,17 @@
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
} }
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 8448; port = 8448;
ssl = true; ssl = true;
proxyProtocol = true;
} }
]; ];
locations = { locations = {
@ -49,8 +56,6 @@
}; };
}; };
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
@ -64,6 +69,12 @@
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
} }
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
]; ];
locations = { locations = {
"/" = { "/" = {
@ -79,8 +90,6 @@
}; };
}; };
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
@ -94,6 +103,12 @@
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
} }
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
]; ];
locations."^~ /livekit/jwt/" = { locations."^~ /livekit/jwt/" = {
proxyPass = "http://localhost:8082/"; proxyPass = "http://localhost:8082/";
@ -103,8 +118,6 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100; # IPv4 from web-public-2
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
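Review bot: The new `proxyProtocol = true` listeners on 8443 and 8448 bind `0.0.0.0`, so the only thing separating the two trusted proxies from any other peer is the `set_real_ip_from` list in `extraConfig`, and that list decides whose PROXY header rewrites the client address, not who may connect. The firewall of this host is not part of the diff, so it is worth confirming that 8443 and 8448 are accepted only from 10.202.41.100 and 10.203.10.3. A comment next to the listener would record that assumption, e.g. `# PROXY protocol only; must be reachable solely from web-public-2 and valkyrie (see set_real_ip_from)`. The same 8443 listener block is repeated in the hunks at +69 and +103; a shared `let` binding would keep the three copies from drifting apart.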


@ -7,7 +7,7 @@
nftables.enable = true; nftables.enable = true;
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [ 80 443 8448 ];
allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ]; allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ];
}; };
wireguard = { wireguard = {


@ -58,6 +58,11 @@
ssl_preread on; ssl_preread on;
proxy_protocol on; proxy_protocol on;
} }
server {
listen [::]:8448;
proxy_pass 10.202.41.112:8448; # matrix federation port
proxy_protocol on;
}
''; '';
}; };
} }


@ -21,7 +21,7 @@
hostName = "web-public-2"; hostName = "web-public-2";
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 5000 8448 ]; allowedTCPPorts = [ 80 443 5000 8443 8448 ];
}; };
}; };
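Review bot: Adding 8443 to the global `allowedTCPPorts` opens the PROXY-protocol backend port on every interface of web-public-2, not only towards the proxies that are meant to feed it. The last file section makes the matching change on the listener, moving it from `addr = "localhost"` to `addr = "0.0.0.0"` with `proxy_protocol`, so nginx will now parse a PROXY header from any peer that can reach 8443; whether that header is trusted depends on a `set_real_ip_from` list that is not visible for that vhost. If the port is only needed from internal peers, a per-interface rule such as `networking.firewall.interfaces."<internal-if>".allowedTCPPorts = [ 8443 ];` (interface name is a placeholder) would keep it off the public side. Binding the listener to the internal address the stream map now targets, apparently `addr = "10.202.41.100";`, would narrow it further.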


@ -17,8 +17,8 @@
stream { stream {
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
cloud.nekover.se 10.202.41.122:8443; cloud.nekover.se 10.202.41.122:8443;
element.nekover.se 127.0.0.1:8443; element.nekover.se 10.202.41.100:8443;
element-admin.nekover.se 127.0.0.1:8443; element-admin.nekover.se 10.202.41.100:8443;
fi.nekover.se 10.202.41.125:8443; fi.nekover.se 10.202.41.125:8443;
git.nekover.se 10.202.41.106:8443; git.nekover.se 10.202.41.106:8443;
hydra.nekover.se 10.202.41.121:8443; hydra.nekover.se 10.202.41.121:8443;
@ -26,7 +26,7 @@
mas.nekover.se 10.202.41.112:8443; mas.nekover.se 10.202.41.112:8443;
matrix.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443;
matrix-rtc.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443;
nekover.se 127.0.0.1:8443; nekover.se 10.202.41.100:8443;
mesh.nekover.se 10.202.41.126:8443; mesh.nekover.se 10.202.41.126:8443;
nix-cache.nekover.se 10.202.41.121:8443; nix-cache.nekover.se 10.202.41.121:8443;
searx.nekover.se 10.202.41.105:8443; searx.nekover.se 10.202.41.105:8443;
@ -38,6 +38,11 @@
ssl_preread on; ssl_preread on;
proxy_protocol on; proxy_protocol on;
} }
server {
listen 0.0.0.0:8448;
proxy_pass 10.202.41.112:8448; # matrix federation port
proxy_protocol on;
}
} }
''; '';


@ -4,7 +4,7 @@
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
listen = [{ listen = [{
addr = "localhost"; addr = "0.0.0.0";
port = 8443; port = 8443;
ssl = true; ssl = true;
extraParameters = ["proxy_protocol"]; extraParameters = ["proxy_protocol"];