2024-08-24 22:16:51 -04:00
|
|
|
{pkgs, ...}: {
|
|
|
|
services.nginx = let
|
2024-08-24 22:32:58 -04:00
|
|
|
secrets = import ../../../secrets.nix;
|
2024-08-24 22:16:51 -04:00
|
|
|
in {
|
|
|
|
enable = true;
|
|
|
|
package = (pkgs.nginx.override {
|
|
|
|
modules = with pkgs.nginxModules; [ rtmp ];
|
|
|
|
});
|
|
|
|
recommendedTlsSettings = true;
|
|
|
|
recommendedOptimisation = true;
|
|
|
|
recommendedGzipSettings = true;
|
|
|
|
recommendedProxySettings = true;
|
|
|
|
virtualHosts = {
|
|
|
|
# Homepage redirect
|
|
|
|
"${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
addSSL = true;
|
|
|
|
root = "/var/www/jimweb";
|
|
|
|
locations = {
|
|
|
|
"/.well-known/matrix/client" = {
|
|
|
|
extraConfig = ''
|
|
|
|
default_type application/json;
|
|
|
|
return 200 '
|
|
|
|
{
|
|
|
|
"m.homeserver": {
|
|
|
|
"base_url": "https://matrix.${secrets.jimDomain}"
|
|
|
|
},
|
|
|
|
"m.identity_server": {
|
|
|
|
"base_url": "https://matrix.org"
|
|
|
|
},
|
|
|
|
"org.matrix.msc3575.proxy": {
|
|
|
|
"url": "https://matrix.${secrets.jimDomain}"
|
|
|
|
}
|
|
|
|
}';
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
"/.well-known/matrix/server" = {
|
|
|
|
extraConfig = ''
|
|
|
|
default_type application/json;
|
|
|
|
return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Nextcloud Proxy
|
|
|
|
"cloud.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
addSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyWebsockets = true;
|
|
|
|
extraConfig = "
|
|
|
|
location /.well-known/carddav {
|
|
|
|
return 301 $scheme://$host/remote.php/dav;
|
|
|
|
}
|
|
|
|
location /.well-known/caldav {
|
|
|
|
return 301 $scheme://$host/remote.php/dav;
|
|
|
|
}
|
|
|
|
";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Vaultwarden Proxy
|
|
|
|
"warden.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:8222";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Recipes Proxy
|
|
|
|
"recipes.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:5030";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Bluemap Proxy
|
|
|
|
"bluemap.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:31010";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Gitea Proxy
|
|
|
|
"git.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:3110";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Pufferpanel Proxy
|
|
|
|
"panel.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:5010";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Matrix Proxy
|
|
|
|
"matrix.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations = {
|
|
|
|
"/".extraConfig = ''return 403;'';
|
|
|
|
"/client".proxyPass = "http://127.0.0.1:8009";
|
|
|
|
"/_matrix".proxyPass = "http://127.0.0.1:8008";
|
|
|
|
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
|
|
|
|
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Element Proxy
|
|
|
|
"chat.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
addSSL = true;
|
|
|
|
root = "${pkgs.element-web}";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Coturn Proxy
|
|
|
|
"turn.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
listen = [
|
|
|
|
{ addr = "0.0.0.0"; port = 80; ssl = false; }
|
|
|
|
];
|
|
|
|
locations."/".proxyPass = "http://127.0.0.1:1380";
|
|
|
|
};
|
|
|
|
|
|
|
|
# Radio Proxy
|
|
|
|
"radio.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:255";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Streaming proxy
|
|
|
|
"live.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:8060";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Mail certificate proxy
|
|
|
|
"mx.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:1390";
|
|
|
|
proxyWebsockets = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# Add SSL to Lemmy
|
|
|
|
"lemmy.${secrets.jimDomain}" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
appendConfig = ''
|
|
|
|
rtmp {
|
|
|
|
server {
|
|
|
|
listen 1935;
|
|
|
|
chunk_size 4096;
|
|
|
|
allow publish all;
|
|
|
|
application stream {
|
|
|
|
record off;
|
|
|
|
live on;
|
|
|
|
allow play all;
|
|
|
|
hls on;
|
|
|
|
hls_path /var/www/jimweb/streams/hls;
|
|
|
|
hls_fragment_naming system;
|
|
|
|
hls_fragment 3;
|
|
|
|
hls_playlist_length 40;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
# Force Nginx to work and be able to read+write the hls path
|
|
|
|
security.pam.services.nginx.setEnvironment = false;
|
|
|
|
systemd.services.nginx.serviceConfig = {
|
|
|
|
SupplementaryGroups = [ "shadow" ];
|
|
|
|
ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
|
|
|
|
};
|
|
|
|
}
|