Move most Nginx proxies to the individual services

2024-08-26 13:07:59 -04:00 · 2024-08-26 13:07:59 -04:00 · 1f8156e868
commit 1f8156e868
parent f1d2652c53
16 changed files with 267 additions and 263 deletions
--- a/nixos/server/nginx.nix
+++ b/nixos/server/nginx.nix
@ -15,68 +15,31 @@
      "${secrets.jimDomain}" =  {
        enableACME = true;
        addSSL = true;
-       root = "/var/www/jimweb";
+        root = "/var/www/jimweb";
        locations = {
-         "/.well-known/matrix/client" = {
-           extraConfig = ''
+          "/.well-known/matrix/client" = {
+            extraConfig = ''
+               default_type application/json;
+               return 200 '
+               {
+                 "m.homeserver": {
+                   "base_url": "https://matrix.${secrets.jimDomain}"
+                 },
+                 "m.identity_server": {
+                   "base_url": "https://matrix.org"
+                 },
+                 "org.matrix.msc3575.proxy": {
+                   "url": "https://matrix.${secrets.jimDomain}"
+                 }
+               }';
+            '';
+          };
+          "/.well-known/matrix/server" = {
+            extraConfig = ''
              default_type application/json;
-              return 200 '
-              {
-                "m.homeserver": {
-                  "base_url": "https://matrix.${secrets.jimDomain}"
-                },
-                "m.identity_server": {
-                  "base_url": "https://matrix.org"
-                },
-                "org.matrix.msc3575.proxy": {
-                  "url": "https://matrix.${secrets.jimDomain}"
-                }
-              }';
-           '';
-         };
-         "/.well-known/matrix/server" = {
-           extraConfig = ''
-             default_type application/json;
-             return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
-           '';
-         };
-       };
-      };
-
-      # Nextcloud Proxy
-      "cloud.${secrets.jimDomain}" =  {
-        enableACME = true;
-        addSSL = true;
-        locations."/" = {
-          proxyWebsockets = true;
-          extraConfig = "
-           location /.well-known/carddav {
-              return 301 $scheme://$host/remote.php/dav;
-            }
-            location /.well-known/caldav {
-              return 301 $scheme://$host/remote.php/dav;
-            }
-         ";
-        };
-      };
-
-      # Vaultwarden Proxy
-      "warden.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8222";
-          proxyWebsockets = true;
-        };
-      };
-
-      # Recipes Proxy
-      "recipes.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:5030";
-          proxyWebsockets = true;
+              return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
+            '';
+          };
        };
      };

@ -90,56 +53,6 @@
        };
      };

-      # Gitea Proxy
-      "git.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:3110";
-          proxyWebsockets = true;
-        };
-      };
-
-      # Pufferpanel Proxy
-      "panel.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:5010";
-          proxyWebsockets = true;
-        };
-      };
-
-      # Matrix Proxy
-      "matrix.${secrets.jimDomain}" = {
-        enableACME = true;
-        forceSSL = true;
-       locations = {
-         "/".extraConfig = ''return 403;'';
-          "/client".proxyPass = "http://127.0.0.1:8009";
-          "/_matrix".proxyPass = "http://127.0.0.1:8008";
-         "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
-          "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
-       };
-      };
-
-      # Element Proxy
-      "chat.${secrets.jimDomain}" = {
-        enableACME = true;
-        addSSL = true;
-        root = "${pkgs.element-web}";
-      };
-
-      # Coturn Proxy
-      "turn.${secrets.jimDomain}" = {
-        enableACME = true;
-        forceSSL = true;
-        listen = [
-          { addr = "0.0.0.0"; port = 80; ssl = false; }
-        ];
-        locations."/".proxyPass = "http://127.0.0.1:1380";
-      };
-
      # Radio Proxy
      "radio.${secrets.jimDomain}" =  {
        enableACME = true;
@ -147,34 +60,8 @@
        locations."/" = {
          proxyPass = "http://127.0.0.1:255";
          proxyWebsockets = true;
-       };
-      };
-
-      # Streaming proxy
-      "live.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:8060";
-          proxyWebsockets = true;
        };
      };
-
-      # Mail certificate proxy
-      "mx.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:1390";
-          proxyWebsockets = true;
-        };
-      };
-
-      # Add SSL to Lemmy
-      "lemmy.${secrets.jimDomain}" =  {
-        enableACME = true;
-        forceSSL = true;
-      };
    };
    appendConfig = ''
      rtmp {
@ -197,10 +84,8 @@
    '';
  };

-  # Force Nginx to work and be able to read+write the hls path
-  security.pam.services.nginx.setEnvironment = false;
+  # Allow Nginx to read and write to paths
  systemd.services.nginx.serviceConfig = {
-    SupplementaryGroups = [ "shadow" ];
    ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
  };
 }