mirror of
https://github.com/itme-brain/nixos.git
synced 2026-05-08 06:50:11 -04:00
119 lines
3 KiB
Nix
119 lines
3 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
|
|
with lib;
|
|
let
|
|
cfg = config.modules.system.nginx;
|
|
domain = "ramos.codes";
|
|
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;";
|
|
|
|
in
|
|
{
|
|
options.modules.system.nginx = {
|
|
enable = mkEnableOption "Nginx Reverse Proxy";
|
|
|
|
privateAllowCidrs = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [
|
|
"127.0.0.1/32"
|
|
"192.168.0.0/24"
|
|
"10.8.0.0/24"
|
|
];
|
|
description = ''
|
|
CIDR ranges allowed to access private vhosts (LAN + WireGuard).
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
systemd.services.nginx.serviceConfig.LimitNOFILE = 65536;
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = config.user.email;
|
|
|
|
certs."${domain}" = {
|
|
domain = "*.${domain}";
|
|
dnsProvider = "namecheap";
|
|
environmentFile = "/var/lib/acme/namecheap.env";
|
|
group = "nginx";
|
|
};
|
|
};
|
|
|
|
services.sslh = {
|
|
enable = true;
|
|
listenAddresses = [ "0.0.0.0" ];
|
|
port = 443;
|
|
settings = {
|
|
protocols = [
|
|
{ name = "ssh"; host = "127.0.0.1"; port = "22"; }
|
|
{ name = "tls"; host = "127.0.0.1"; port = "4443"; }
|
|
];
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
eventsConfig = "worker_connections 4096;";
|
|
defaultSSLListenPort = 4443;
|
|
|
|
# Catch-all default - friendly error for unknown subdomains
|
|
virtualHosts."_" = {
|
|
default = true;
|
|
useACMEHost = domain;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
return = "404 'Not Found: This subdomain does not exist.'";
|
|
extraConfig = ''
|
|
add_header Content-Type text/plain;
|
|
'';
|
|
};
|
|
};
|
|
|
|
virtualHosts."test.${domain}" = {
|
|
useACMEHost = domain;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
return = "200 'nginx is working'";
|
|
extraConfig = ''
|
|
add_header Content-Type text/plain;
|
|
'';
|
|
};
|
|
};
|
|
|
|
virtualHosts."chat.${domain}" = {
|
|
useACMEHost = domain;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://192.168.0.23:3080";
|
|
proxyWebsockets = true;
|
|
extraConfig = privateAccessRules;
|
|
};
|
|
};
|
|
|
|
virtualHosts."ai.${domain}" = {
|
|
useACMEHost = domain;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://192.168.0.23:8000";
|
|
proxyWebsockets = true;
|
|
extraConfig = privateAccessRules;
|
|
};
|
|
};
|
|
|
|
virtualHosts."comfy.${domain}" = {
|
|
useACMEHost = domain;
|
|
forceSSL = true;
|
|
locations."/" = {
|
|
proxyPass = "http://192.168.0.23:8188";
|
|
proxyWebsockets = true;
|
|
extraConfig = privateAccessRules;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|