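{pkgs, ...}: {
  # Reverse proxy / TLS terminator for every public service on this host, plus
  # an nginx-rtmp ingest that writes HLS segments under the homepage web root.
  # `secrets.jimDomain` (from ../modules/secrets.nix) is the apex domain; every
  # vhost below is a subdomain of it.
  services.nginx = let
    secrets = import ../modules/secrets.nix;

    # A TLS-only vhost that forwards everything (including WebSocket upgrades)
    # to a service bound on loopback at `port`.
    localProxy = port: {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
      };
    };
  in {
    enable = true;
    # Only the rtmp module is compiled in; in particular no auth_pam module,
    # which matters for the systemd hardening notes at the bottom of this file.
    package = pkgs.nginx.override {
      modules = with pkgs.nginxModules; [ rtmp ];
    };
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Homepage + Matrix delegation. Kept on addSSL so the static site is also
      # reachable over plain HTTP; the .well-known documents are what chat
      # clients and federating servers use to find the homeserver.
      "${secrets.jimDomain}" = {
        enableACME = true;
        addSSL = true;
        root = "/var/www/jimweb";
        locations = {
          "/.well-known/matrix/client" = {
            extraConfig = ''
              default_type application/json;
              # Client discovery is fetched cross-origin by web clients (Element
              # lives on the chat subdomain); the Matrix spec requires a
              # permissive CORS header on this document or discovery fails.
              add_header Access-Control-Allow-Origin *;
              return 200 ' { "m.homeserver": { "base_url": "https://matrix.${secrets.jimDomain}" }, "m.identity_server": { "base_url": "https://matrix.org" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.${secrets.jimDomain}" } }';
            '';
          };
          "/.well-known/matrix/server" = {
            extraConfig = ''
              default_type application/json;
              add_header Access-Control-Allow-Origin *;
              return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
            '';
          };
        };
      };

      # Nextcloud. NOTE(review): there is no proxyPass or root here, so the
      # actual backend presumably comes from the NixOS nextcloud module declaring
      # the same vhost; this attrset is merged into it and only adds ACME/TLS
      # and the DAV discovery redirects. Confirm that module is enabled elsewhere.
      "cloud.${secrets.jimDomain}" = {
        enableACME = true;
        addSSL = true;
        locations."/" = {
          proxyWebsockets = true;
          extraConfig = " location /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; } location /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; } ";
        };
      };

      # Plain loopback reverse proxies (all HTTPS-only).
      "warden.${secrets.jimDomain}" = localProxy 8222;   # Vaultwarden
      "recipes.${secrets.jimDomain}" = localProxy 5030;  # Recipes
      "bluemap.${secrets.jimDomain}" = localProxy 31010; # Bluemap
      "git.${secrets.jimDomain}" = localProxy 3110;      # Gitea
      "panel.${secrets.jimDomain}" = localProxy 5010;    # Pufferpanel
      "radio.${secrets.jimDomain}" = localProxy 255;     # Radio
      "live.${secrets.jimDomain}" = localProxy 8060;     # Streaming frontend
      "mx.${secrets.jimDomain}" = localProxy 1390;       # Mail certificate proxy

      # Synapse (8008) + sliding-sync proxy (8009). Anything outside the Matrix
      # API paths is refused so the vhost never exposes a default document root.
      "matrix.${secrets.jimDomain}" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/".extraConfig = ''return 403;'';
          "/client".proxyPass = "http://127.0.0.1:8009";
          "/_matrix".proxyPass = "http://127.0.0.1:8008";
          # Longest-prefix match routes MSC3575 sync to the sliding-sync proxy
          # and everything else under /_matrix to Synapse.
          "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
          "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
        };
        # NOTE(review): nginx's client_max_body_size (NixOS
        # services.nginx.clientMaxBodySize, 10m unless set elsewhere) also caps
        # Matrix media uploads here; if Synapse's max_upload_size is larger,
        # raise it in this vhost's extraConfig to match.
      };

      # Element web client. Served on a different origin from the homeserver as
      # Element's deployment guide requires. forceSSL because the client keeps
      # access tokens in browser storage and must never be loaded over plain
      # HTTP; the headers are the ones Element's own docs recommend against
      # clickjacking and MIME sniffing.
      "chat.${secrets.jimDomain}" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.element-web}";
        extraConfig = ''
          add_header X-Frame-Options SAMEORIGIN;
          add_header X-Content-Type-Options nosniff;
          add_header X-XSS-Protection "1; mode=block";
          add_header Content-Security-Policy "frame-ancestors 'self'";
        '';
      };

      # Coturn. This vhost mainly exists so ACME can issue a certificate for the
      # TURN hostname. NOTE(review): with forceSSL and a listen list holding only
      # a non-SSL port-80 entry, the NixOS module is left with no SSL listener
      # for the main server; check the generated nginx.conf that the proxy to
      # 127.0.0.1:1380 is actually reachable and not shadowed by the redirect.
      "turn.${secrets.jimDomain}" = {
        enableACME = true;
        forceSSL = true;
        listen = [ { addr = "0.0.0.0"; port = 80; ssl = false; } ];
        locations."/".proxyPass = "http://127.0.0.1:1380";
      };

      # Lemmy: presumably the NixOS lemmy module declares this vhost; this
      # attrset only adds ACME + TLS to it.
      "lemmy.${secrets.jimDomain}" = {
        enableACME = true;
        forceSSL = true;
      };
    };

    # RTMP ingest -> HLS. The HLS directory sits under the homepage vhost root,
    # so generated segments are served as static files from the apex domain.
    appendConfig = ''
      rtmp {
        server {
          listen 1935;
          chunk_size 4096;
          # NOTE(review): `allow publish all` lets any host on the internet push
          # a stream into this ingest and thereby write files into the public
          # web root. Restrict it to the streaming host (`allow publish <ip>;`
          # followed by `deny publish all;`) or gate publishing with an
          # on_publish auth callback before leaving 1935 exposed.
          allow publish all;
          application stream {
            record off;
            live on;
            allow play all;
            hls on;
            hls_path /var/www/jimweb/streams/hls;
            hls_fragment_naming system;
            hls_fragment 3;
            hls_playlist_length 40;
          }
        }
      }
    '';
  };

  # The rtmp module writes HLS segments at runtime, so the (sandboxed) nginx
  # unit needs that path whitelisted for writing. The previous `shadow`
  # supplementary group and PAM environment tweak were the recipe for nginx's
  # auth_pam module, which is not compiled in above; giving a public-facing web
  # server read access to /etc/shadow for nothing is a needless privilege, so
  # they are dropped. Re-add them only together with auth_pam.
  systemd.services.nginx.serviceConfig = {
    ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
  };
}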