Diffstat (limited to 'os/kay/modules/www.nix')
-rw-r--r-- | os/kay/modules/www.nix | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix
new file mode 100644
index 0000000..3891bf6
--- /dev/null
+++ b/os/kay/modules/www.nix
@@ -0,0 +1,134 @@
+{ config, pkgs, lib, ... }:
+
+let
+ domain = config.userdata.domain;
+ fscusat = "fscusat.org";
+ mark = "themark.ing";
+ storage = "/hdd/users/sftp/shr";
+in
+{
+ imports = [
+ ./dendrite.nix
+ ./matrix-sliding-sync.nix
+ ./cgit.nix
+ ];
+
+ security.acme.certs.${domain}.postRun = "systemctl reload nginx.service";
+ networking.firewall = {
+ allowedTCPPorts = [ 80 443 ];
+ allowedUDPPorts = [ 443 ];
+ };
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+ enableQuicBPF = true;
+
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedBrotliSettings = true;
+ eventsConfig = "worker_connections 1024;";
+
+ virtualHosts = let
+ defaultOpts = {
+ quic = true;
+ http3 = true;
+ forceSSL = true;
+ useACMEHost = domain;
+ };
+ in {
+ "${domain}" = defaultOpts // {
+ default = true;
+ globalRedirect = "www.${domain}";
+
+ extraConfig = ''
+ client_max_body_size ${toString
+ config.services.dendrite.settings.media_api.max_file_size_bytes
+ };
+ '';
+
+ locations = {
+ "/.well-known/matrix/server".return = ''
+ 200 '{ "m.server": "${domain}:443" }'
+ '';
+
+ "/.well-known/matrix/client".return = ''
+ 200 '${builtins.toJSON {
+ "m.homeserver".base_url = "https://${domain}";
+ "org.matrix.msc3575.proxy".url = "https://${domain}";
+ }}'
+ '';
+
+ "/_matrix".proxyPass = "http://127.0.0.1:${toString
+ config.services.dendrite.httpPort
+ }";
+
+ "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass =
+ "http://${config.services.matrix-sliding-sync.settings.SYNCV3_BINDADDR}";
+ };
+ };
+
+ "www.${domain}" = defaultOpts // {
+ root = "/var/www/${domain}";
+ };
+
+ "git.${domain}" = defaultOpts;
+
+ "bin.${domain}" = defaultOpts // {
+ root = "${storage}/bin";
+ locations."= /".return = "307 https://www.${domain}";
+ };
+
+ "static.${domain}" = defaultOpts // {
+ root = "${storage}/static";
+ locations."= /".return = "301 https://www.${domain}";
+ };
+
+ "${fscusat}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
+ globalRedirect = "www.${fscusat}";
+ };
+ "www.${fscusat}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
+ locations."/" = {
+ return = "200 '<h1>under construction</h1>'";
+ extraConfig = "add_header Content-Type text/html;";
+ };
+ };
+
+ "${mark}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
+ globalRedirect = "www.${mark}";
+ };
+ "www.${mark}" = defaultOpts // {
+ useACMEHost = null;
+ enableACME = true;
+
+ locations."/" = {
+ return = "200 '<h1>under construction, see you soon</h1>'";
+ extraConfig = "add_header Content-Type text/html;";
+ };
+ };
+
+ "mta-sts.${domain}" = defaultOpts // {
+ locations."= /.well-known/mta-sts.txt".return = ''200 "${
+ lib.strings.concatStringsSep "\\n" [
+ "version: STSv1"
+ "mode: enforce"
+ "mx: mail.${domain}"
+ "max_age: 86400"
+ ]
+ }"'';
+ };
+ };
+ };
+} |
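Review bot: The `bin.${domain}` and `static.${domain}` hosts serve `${storage}/bin` and `${storage}/static` straight from `/hdd/users/sftp/shr`, which by its name looks like a user-writable SFTP share, so anything dropped there becomes public web content on a sibling subdomain of the Matrix homeserver with no restriction on what a browser does with it; if that path is indeed writable by SFTP users, consider adding `extraConfig = ''add_header Content-Security-Policy "sandbox" always; add_header X-Content-Type-Options nosniff always;'';` to both hosts so uploaded HTML runs in an opaque origin without script rather than as `${domain}` content. Separately, the `www.${fscusat}` and `www.${mark}` locations pair `return 200 '<h1>…</h1>'` with `add_header Content-Type text/html;`; nginx derives the Content-Type of a `return` body from `default_type` and `add_header` only appends a second header, so `extraConfig = "default_type text/html;";` is the intended form, and the `mta-sts.txt` location will likewise be served with the module's `default_type` unless it gets `default_type text/plain;`. The `/.well-known/matrix/client` response also appears to lack `add_header Access-Control-Allow-Origin *;`, which browser-based Matrix clients need for homeserver discovery; worth confirming against the client-server spec's discovery section.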