From 2e511cc4de2e3daed907ad28c0182d21e718e3c0 Mon Sep 17 00:00:00 2001
From: Ivan Reshetnikov
Date: Mon, 4 Mar 2024 19:59:16 +0500
Subject: [PATCH] refactor: simplify nginx config

---
 nixos/programs/comfycamp.nix | 14 +++
 nixos/programs/freshrss.nix | 5 +
 nixos/programs/jellyfin.nix | 11 +++
 nixos/programs/maddy.nix | 6 ++
 nixos/programs/mastodon.nix | 27 ++++++
 nixos/programs/microboard.nix | 10 ++
 nixos/programs/nextcloud.nix | 5 +
 nixos/programs/nginx.nix | 170 ++-------------------------------
 nixos/programs/phoenix.nix | 6 ++
 nixos/programs/photoprism.nix | 11 +++
 nixos/programs/synapse.nix | 37 +++++++-
 11 files changed, 139 insertions(+), 163 deletions(-)

diff --git a/nixos/programs/comfycamp.nix b/nixos/programs/comfycamp.nix
index f53764e..2ca9f78 100644
--- a/nixos/programs/comfycamp.nix
+++ b/nixos/programs/comfycamp.nix
@@ -5,4 +5,18 @@
 image = "ghcr.io/ordinary-dev/comfycamp:v0.6.0";
 ports = ["55007:80"];
 };
+
+ services.nginx.virtualHosts."[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = {
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:55007";
+ };
+ };
+
+ services.nginx.virtualHosts."comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:55007";
+ };
+ };
 }
diff --git a/nixos/programs/freshrss.nix b/nixos/programs/freshrss.nix
index fa8ae3b..50c596f 100644
--- a/nixos/programs/freshrss.nix
+++ b/nixos/programs/freshrss.nix
@@ -13,4 +13,9 @@
 passwordFile = "/var/lib/secrets/freshrss/password.txt";
 virtualHost = "freshrss.comfycamp.space";
 };
+
+ services.nginx.virtualHosts."freshrss.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ };
 }
diff --git a/nixos/programs/jellyfin.nix b/nixos/programs/jellyfin.nix
index 7db3a10..5841eac 100644
--- a/nixos/programs/jellyfin.nix
+++ b/nixos/programs/jellyfin.nix
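Review bot: The `comfycamp.space` vhost added in the comfycamp.nix hunk is only part of that host's final configuration: the synapse.nix hunk later in this patch merges the `/.well-known/matrix/server` and `/.well-known/matrix/client` locations into the same `services.nginx.virtualHosts."comfycamp.space".locations` attribute, and nothing here says so. A comment above the vhost such as `# The /.well-known/matrix/* locations of this host are contributed by synapse.nix.` would stop a reader from assuming `locations` is complete in this file. The bracketed-address vhost just above it is the only one in the patch served without `forceSSL`; if plain HTTP is intended for that address, a one-line comment stating why would save the question on the next review.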
@@ -3,4 +3,15 @@
 services.jellyfin = {
 enable = true;
 };
+
+ services.nginx.virtualHosts."jf.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true;
+ };
+ };
+ };
 }
diff --git a/nixos/programs/maddy.nix b/nixos/programs/maddy.nix
index dcaf89b..af20ae4 100644
--- a/nixos/programs/maddy.nix
+++ b/nixos/programs/maddy.nix
@@ -25,4 +25,10 @@
 "driver postgres"
 ] options.services.maddy.config.default;
 };
+
+ services.nginx.virtualHosts."mta-sts.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ root = "/var/lib/mta-sts";
+ };
 }
diff --git a/nixos/programs/mastodon.nix b/nixos/programs/mastodon.nix
index 8e7050e..b6dcbf8 100644
--- a/nixos/programs/mastodon.nix
+++ b/nixos/programs/mastodon.nix
@@ -78,4 +78,31 @@
 systemd.services.mastodon-sidekiq-all = {
 serviceConfig.ReadWritePaths = "/hdd/mastodon-public-system";
 };
+
+ services.nginx.virtualHosts."m.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+
+ root = "${config.services.mastodon.package}/public/";
+
+ locations = {
+ "/system/" = {
+ alias = "/var/lib/mastodon/public-system/";
+ };
+
+ "/" = {
+ tryFiles = "$uri @proxy";
+ };
+
+ "@proxy" = {
+ proxyPass = "http://unix:/run/mastodon-web/web.socket";
+ proxyWebsockets = true;
+ };
+
+ "/api/v1/streaming/" = {
+ proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+ proxyWebsockets = true;
+ };
+ };
+ };
 }
diff --git a/nixos/programs/microboard.nix b/nixos/programs/microboard.nix
index bd0094f..3909c50 100644
--- a/nixos/programs/microboard.nix
+++ b/nixos/programs/microboard.nix
@@ -15,4 +15,14 @@ in
 "/run/postgresql:/run/postgresql"
 ];
 };
+
+ services.nginx.virtualHosts."0ch.space" = {
+ useACMEHost = "0ch.space";
+ forceSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:55006";
+ };
+ };
+ };
 }
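Review bot: In the mastodon.nix hunk the `/system/` location serves `/var/lib/mastodon/public-system/`, while the sidekiq unit two context lines above it is granted `ReadWritePaths` on `/hdd/mastodon-public-system`, and nothing in the hunk relates the two paths. If one is a bind mount or symlink of the other, a comment on the alias line (e.g. `# same directory as /hdd/mastodon-public-system used by the sidekiq unit`) makes that explicit; if they are genuinely distinct, uploads would be written to a directory nginx never serves, which is worth confirming before merging. This location hands user-uploaded files straight from disk to clients, so it is also the natural place for any response-header hardening for uploads (a restrictive `Content-Security-Policy` via `extraConfig`) should you want it — that is a pre-existing gap, not one introduced here.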
diff --git a/nixos/programs/nextcloud.nix b/nixos/programs/nextcloud.nix
index 4332d17..ada45ea 100644
--- a/nixos/programs/nextcloud.nix
+++ b/nixos/programs/nextcloud.nix
@@ -20,4 +20,9 @@
 createLocally = false;
 };
 };
+
+ services.nginx.virtualHosts."nc.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ };
 }
diff --git a/nixos/programs/nginx.nix b/nixos/programs/nginx.nix
index a680b3c..ebffa33 100644
--- a/nixos/programs/nginx.nix
+++ b/nixos/programs/nginx.nix
@@ -1,14 +1,4 @@
-{ config, ... }:
-let
- # Required stuff for synapse
- clientConfig."m.homeserver".base_url = "https://matrix.comfycamp.space";
- serverConfig."m.server" = "matrix.comfycamp.space:443";
- mkWellKnown = data: ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
-in {
+{ config, ... }: {
 services.nginx = {
 enable = true;
 recommendedTlsSettings = true;
@@ -16,15 +6,6 @@ in {
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
- appendHttpConfig = ''
- map $status $loggable {
- ~^[23] 0;
- default 1;
- }
-
- access_log /var/log/nginx/access.log combined if=$loggable;
- '';
-
 commonHttpConfig = ''
 # Add HSTS header with preloading to HTTPS requests.
 # Adding this header to HTTP requests is discouraged
@@ -32,149 +13,14 @@ in {
 https "max-age=31536000; includeSubdomains; preload";
 }
 add_header Strict-Transport-Security $hsts_header;
- access_log off;
- '';
-
- virtualHosts = {
- "[201:80ed:6eeb:aea4:cdc0:c836:2831:f2dd]" = {
- locations = {
- "/".proxyPass = "http://127.0.0.1:55007";
- };
- };
-
- "comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- locations = {
- "/".proxyPass = "http://127.0.0.1:55007";
- # This section is not needed if the server_name of matrix-synapse is equal to
- # the domain (i.e. example.org from @foo:example.org) and the federation port
- # is 8448.
- # Further reference can be found in the docs about delegation under
- # https://matrix-org.github.io/synapse/latest/delegate.html
- "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
- # Further reference can be found in the upstream docs at
- # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
- "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
- };
- };
-
- # Phoenix
- "ph.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- locations."/".proxyPass = "http://127.0.0.1:55009";
- };
-
- # Nextcloud
- "nc.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- };
-
- # Jellyfin
- "jf.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:8096";
- proxyWebsockets = true;
- };
- };
- };
-
- # Plausible
- "plausible.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:55005";
- };
- };
- };
- # Microboard
- "0ch.space" = {
- useACMEHost = "0ch.space";
- forceSSL = true;
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:55006";
- };
- };
- };
-
- # Mail: MTA-STS
- "mta-sts.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- root = "/var/lib/mta-sts";
- };
-
- "matrix.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- locations = {
- "/".extraConfig = ''
- return 404;
- '';
- # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
- # *must not* be used here.
- "/_matrix".proxyPass = "http://127.0.0.1:8008";
- # Forward requests for e.g. SSO and password-resets.
- "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
- };
- };
-
- # Photoprism
- "pp.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- locations = {
- "/" = {
- proxyPass = "http://127.0.0.1:55004";
- proxyWebsockets = true;
- };
- };
- };
-
- # Freshrss
- "freshrss.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
- };
-
- # Mastodon
- "m.comfycamp.space" = {
- useACMEHost = "comfycamp.space";
- forceSSL = true;
-
- root = "${config.services.mastodon.package}/public/";
-
- locations = {
- "/system/" = {
- alias = "/var/lib/mastodon/public-system/";
- };
-
- "/" = {
- tryFiles = "$uri @proxy";
- };
-
- "@proxy" = {
- proxyPass = "http://unix:/run/mastodon-web/web.socket";
- proxyWebsockets = true;
- };
-
- "/api/v1/streaming/" = {
- proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
- proxyWebsockets = true;
- };
- };
- };
- };
+ # Log 4xx and 5xx errors.
+ map $status $loggable {
+ ~^[23] 0;
+ default 1;
+ }
+ access_log /var/log/nginx/access.log combined if=$loggable;
+ '';
 };
 users.users.nginx.extraGroups = [ "acme" ];
diff --git a/nixos/programs/phoenix.nix b/nixos/programs/phoenix.nix
index dc9d55c..91e8713 100644
--- a/nixos/programs/phoenix.nix
+++ b/nixos/programs/phoenix.nix
@@ -12,4 +12,10 @@
 "/var/lib/phoenix:/var/lib/phoenix"
 ];
 };
+
+ services.nginx.virtualHosts."ph.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:55009";
+ };
 }
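Review bot: The `plausible.comfycamp.space` vhost (proxy to `http://127.0.0.1:55005`) is deleted in this hunk and no file in the diffstat re-adds it, so after a commit titled "refactor" requests for that name no longer reach Plausible and fall through to whichever server block nginx uses as the default for the listener; either give it its own module like the other hosts or say in the commit message that it is being decommissioned. Separately, the new comment `# Log 4xx and 5xx errors.` does not describe the map beneath it: `default 1` also logs 1xx, and the real effect is that every 2xx/3xx request — the successful logins, API calls and downloads an incident investigation usually needs — leaves no access-log record at all. I would reword it to `# Only log requests that did not return 2xx/3xx; successful requests leave no access-log record.` so the trade-off is visible where it is made.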
diff --git a/nixos/programs/photoprism.nix b/nixos/programs/photoprism.nix
index d1854ce..0a024e2 100644
--- a/nixos/programs/photoprism.nix
+++ b/nixos/programs/photoprism.nix
@@ -21,4 +21,15 @@
 PHOTOPRISM_DETECT_NSFW = "false";
 };
 };
+
+ services.nginx.virtualHosts."pp.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:55004";
+ proxyWebsockets = true;
+ };
+ };
+ };
 }
diff --git a/nixos/programs/synapse.nix b/nixos/programs/synapse.nix
index 16f3d42..c95bd0f 100644
--- a/nixos/programs/synapse.nix
+++ b/nixos/programs/synapse.nix
@@ -1,5 +1,14 @@
 { config, ... }:
-{
+let
+ # Required stuff for synapse
+ clientConfig."m.homeserver".base_url = "https://matrix.comfycamp.space";
+ serverConfig."m.server" = "matrix.comfycamp.space:443";
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
 services.matrix-synapse = {
 enable = true;
 settings = {
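Review bot: `mkWellKnown` in the synapse.nix hunk emits `add_header` directives at location level, and nginx only inherits `add_header` from `http` into a location that defines none of its own; so the `add_header Strict-Transport-Security $hsts_header;` kept in nginx.nix's `commonHttpConfig` is not sent on the two `/.well-known/matrix/*` responses that use this helper in the next hunk. Adding `add_header Strict-Transport-Security $hsts_header;` as a third line inside the helper's string restores HSTS on those paths. The helper was moved verbatim from nginx.nix, so this gap predates the commit, but the move is the moment to close it.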
@@ -31,4 +40,30 @@
 "/var/lib/secrets/matrix-synapse/config.yml"
 ];
 };
+
+ services.nginx.virtualHosts."matrix.comfycamp.space" = {
+ useACMEHost = "comfycamp.space";
+ forceSSL = true;
+ locations = {
+ "/".extraConfig = ''
+ return 404;
+ '';
+ # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
+ # *must not* be used here.
+ "/_matrix".proxyPass = "http://127.0.0.1:8008";
+ # Forward requests for e.g. SSO and password-resets.
+ "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+ };
+ };
+
+ # This section is not needed if the server_name of matrix-synapse is equal to
+ # the domain (i.e. example.org from @foo:example.org) and the federation port
+ # is 8448.
+ # Further reference can be found in the docs about delegation under
+ # https://matrix-org.github.io/synapse/latest/delegate.html
+ services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ # This is usually needed for homeserver discovery (from e.g. other Matrix clients).
+ # Further reference can be found in the upstream docs at
+ # https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
+ services.nginx.virtualHosts."comfycamp.space".locations."/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
 }