NixOS-Config/nixos/server/nginx.nix

{pkgs, ...}: {
  services.nginx = let
    secrets = import ../modules/secrets.nix;
  in {
    enable = true;
    package = (pkgs.nginx.override {
      modules = with pkgs.nginxModules; [ rtmp ];
    });
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Homepage redirect
      "${secrets.jimDomain}" =  {
        enableACME = true;
        addSSL = true;
       root = "/var/www/jimweb";
        locations = {
         "/.well-known/matrix/client" = {
           extraConfig = ''
              default_type application/json;
              return 200 '
              {
                "m.homeserver": {
                  "base_url": "https://matrix.${secrets.jimDomain}"
                },
                "m.identity_server": {
                  "base_url": "https://matrix.org"
                },
                "org.matrix.msc3575.proxy": {
                  "url": "https://matrix.${secrets.jimDomain}"
                }
              }';
           '';
         };
         "/.well-known/matrix/server" = {
           extraConfig = ''
             default_type application/json;
             return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
           '';
         };
       };
      };

      # Nextcloud Proxy
      "cloud.${secrets.jimDomain}" =  {
        enableACME = true;
        addSSL = true;
        locations."/" = {
          proxyWebsockets = true;
          extraConfig = "
           location /.well-known/carddav {
              return 301 $scheme://$host/remote.php/dav;
            }
            location /.well-known/caldav {
              return 301 $scheme://$host/remote.php/dav;
            }
         ";
        };
      };

      # Vaultwarden Proxy
      "warden.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8222";
          proxyWebsockets = true;
        };
      };

      # Recipes Proxy
      "recipes.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5030";
          proxyWebsockets = true;
        };
      };

      # Bluemap Proxy
      "bluemap.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:31010";
          proxyWebsockets = true;
        };
      };

      # Gitea Proxy
      "git.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:3110";
          proxyWebsockets = true;
        };
      };

      # Pufferpanel Proxy
      "panel.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5010";
          proxyWebsockets = true;
        };
      };

      # Matrix Proxy
      "matrix.${secrets.jimDomain}" = {
        enableACME = true;
        forceSSL = true;
       locations = {
         "/".extraConfig = ''return 403;'';
          "/client".proxyPass = "http://127.0.0.1:8009";
          "/_matrix".proxyPass = "http://127.0.0.1:8008";
         "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
          "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
       };
      };

      # Element Proxy
      "chat.${secrets.jimDomain}" = {
        enableACME = true;
        addSSL = true;
        root = "${pkgs.element-web}";
      };

      # Coturn Proxy
      "turn.${secrets.jimDomain}" = {
        enableACME = true;
        forceSSL = true;
        listen = [
          { addr = "0.0.0.0"; port = 80; ssl = false; }
        ];
        locations."/".proxyPass = "http://127.0.0.1:1380";
      };

      # Radio Proxy
      "radio.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:255";
          proxyWebsockets = true;
       };
      };

      # Streaming proxy
      "live.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8060";
          proxyWebsockets = true;
        };
      };

      # Mail certificate proxy
      "mx.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:1390";
          proxyWebsockets = true;
        };
      };

      # Add SSL to Lemmy
      "lemmy.${secrets.jimDomain}" =  {
        enableACME = true;
        forceSSL = true;
      };
    };
    appendConfig = ''
      rtmp {
        server {
          listen 1935;
          chunk_size 4096;
          allow publish all;
          application stream {
            record off;
            live on;
           allow play all;
            hls on;
            hls_path /var/www/jimweb/streams/hls;
           hls_fragment_naming system;
           hls_fragment 3;
            hls_playlist_length 40;
          }
        }
      }
    '';
  };

  # Force Nginx to work and be able to read+write the hls path
  security.pam.services.nginx.setEnvironment = false;
  systemd.services.nginx.serviceConfig = {
    SupplementaryGroups = [ "shadow" ];
    ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
  };
}