Finally switch to flakes.

2024-08-24 22:16:51 -04:00 · 2024-08-24 22:16:51 -04:00 · 5e0b713756
commit 5e0b713756
parent a90e09db74
116 changed files with 5443 additions and 3 deletions
--- a/nixos/server/nginx.nix
+++ b/nixos/server/nginx.nix
@ -0,0 +1,206 @@
+{pkgs, ...}: {
+  services.nginx = let
+    secrets = import ../common/secrets.nix;
+  in {
+    enable = true;
+    package = (pkgs.nginx.override {
+      modules = with pkgs.nginxModules; [ rtmp ];
+    });
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      # Homepage redirect
+      "${secrets.jimDomain}" =  {
+        enableACME = true;
+        addSSL = true;
+       root = "/var/www/jimweb";
+        locations = {
+         "/.well-known/matrix/client" = {
+           extraConfig = ''
+              default_type application/json;
+              return 200 '
+              {
+                "m.homeserver": {
+                  "base_url": "https://matrix.${secrets.jimDomain}"
+                },
+                "m.identity_server": {
+                  "base_url": "https://matrix.org"
+                },
+                "org.matrix.msc3575.proxy": {
+                  "url": "https://matrix.${secrets.jimDomain}"
+                }
+              }';
+           '';
+         };
+         "/.well-known/matrix/server" = {
+           extraConfig = ''
+             default_type application/json;
+             return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
+           '';
+         };
+       };
+      };
+
+      # Nextcloud Proxy
+      "cloud.${secrets.jimDomain}" =  {
+        enableACME = true;
+        addSSL = true;
+        locations."/" = {
+          proxyWebsockets = true;
+          extraConfig = "
+           location /.well-known/carddav {
+              return 301 $scheme://$host/remote.php/dav;
+            }
+            location /.well-known/caldav {
+              return 301 $scheme://$host/remote.php/dav;
+            }
+         ";
+        };
+      };
+
+      # Vaultwarden Proxy
+      "warden.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8222";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Recipes Proxy
+      "recipes.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5030";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Bluemap Proxy
+      "bluemap.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:31010";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Gitea Proxy
+      "git.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3110";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Pufferpanel Proxy
+      "panel.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5010";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Matrix Proxy
+      "matrix.${secrets.jimDomain}" = {
+        enableACME = true;
+        forceSSL = true;
+       locations = {
+         "/".extraConfig = ''return 403;'';
+          "/client".proxyPass = "http://127.0.0.1:8009";
+          "/_matrix".proxyPass = "http://127.0.0.1:8008";
+         "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
+          "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
+       };
+      };
+
+      # Element Proxy
+      "chat.${secrets.jimDomain}" = {
+        enableACME = true;
+        addSSL = true;
+        root = "${pkgs.element-web}";
+      };
+
+      # Coturn Proxy
+      "turn.${secrets.jimDomain}" = {
+        enableACME = true;
+        forceSSL = true;
+        listen = [
+          { addr = "0.0.0.0"; port = 80; ssl = false; }
+        ];
+        locations."/".proxyPass = "http://127.0.0.1:1380";
+      };
+
+      # Radio Proxy
+      "radio.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:255";
+          proxyWebsockets = true;
+       };
+      };
+
+      # Streaming proxy
+      "live.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8060";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Mail certificate proxy
+      "mx.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:1390";
+          proxyWebsockets = true;
+        };
+      };
+
+      # Add SSL to Lemmy
+      "lemmy.${secrets.jimDomain}" =  {
+        enableACME = true;
+        forceSSL = true;
+      };
+    };
+    appendConfig = ''
+      rtmp {
+        server {
+          listen 1935;
+          chunk_size 4096;
+          allow publish all;
+          application stream {
+            record off;
+            live on;
+           allow play all;
+            hls on;
+            hls_path /var/www/jimweb/streams/hls;
+           hls_fragment_naming system;
+           hls_fragment 3;
+            hls_playlist_length 40;
+          }
+        }
+      }
+    '';
+  };
+
+  # Force Nginx to work and be able to read+write the hls path
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "shadow" ];
+    ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
+  };
+}