nixos-config/configs/sputnik/nginx.nix

{ config, lib, pkgs, ... }:
let

  errorPages = pkgs.fetchgit {
    url = "https://git.ingolf-wagner.de/palo/http-errors.git";
    rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
    sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
  };

  error = {
    extraConfig = ''
      error_page 400 /errors/400.html;
      error_page 401 /errors/401.html;
      error_page 402 /errors/402.html;
      error_page 403 /errors/403.html;
      error_page 404 /errors/404.html;
      error_page 405 /errors/405.html;
      error_page 406 /errors/406.html;
      error_page 500 /errors/500.html;
      error_page 501 /errors/501.html;
      error_page 502 /errors/502.html;
      error_page 503 /errors/503.html;
      error_page 504 /errors/504.html;
    '';
    locations."^~ /errors/" = {
      extraConfig = "internal;";
      root = "${errorPages}/";
    };
  };
in {

  networking.firewall.allowedTCPPorts = [ 80 443 4443 ];
  networking.firewall.allowedUDPPorts = [ 80 443 4443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {

      "git.ingolf-wagner.de" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;

        locations = {
          "/" = {
            proxyPass = "http://workhorse.private:3000";
            extraConfig = ''
              if ($request_method = 'OPTIONS') {
              add_header 'Access-Control-Allow-Origin' '*';
              add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
              #
              # Custom headers and headers various browsers *should* be OK with but aren't
              #
              add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
              #
              # Tell client that this pre-flight info is valid for 20 days
              #
              add_header 'Access-Control-Max-Age' 1728000;
              add_header 'Content-Type' 'text/plain; charset=utf-8';
              add_header 'Content-Length' 0;
              return 204;
              }
              if ($request_method = 'POST') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
                add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
              }
              if ($request_method = 'GET') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
                add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
              }
            '';
          };
        } // error.locations;
      };

      "paste.ingolf-wagner.de" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = { proxyPass = "http://workhorse.private:8000"; };
        } // error.locations;
      };

      "travel.ingolf-wagner.de" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            root = "/srv/www/travel";
            extraConfig = ''
              if (-d $request_filename) {
                rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
              }
            '';
          };
        } // error.locations;
      };

      "tech.ingolf-wagner.de" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            root = "/srv/www/tech";
            extraConfig = ''
              if (-d $request_filename) {
                rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
              }
            '';
          };
        } // error.locations;
      };

      "terranix.org" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            root = "/srv/www/terranix";
            extraConfig = ''
              if (-d $request_filename) {
                rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
              }
            '';
          };
        } // error.locations;
      };

      #"chat.ingolf-wagner.de" = {
      #  listen = [
      #    {
      #      addr = "0.0.0.0";
      #      port = 4443;
      #      ssl = true;
      #    }
      #    {
      #      addr = "0.0.0.0";
      #      port = 80;
      #      ssl = false;
      #    }
      #  ];
      #  forceSSL = true;
      #  enableACME = true;
      #  extraConfig = error.extraConfig;
      #  locations = {
      #    "/" = {
      #      proxyPass = "http://chat.workhorse.private";
      #      proxyWebsockets = true;
      #      extraConfig = ''
      #        sub_filter "http://chat.ingolf-wagner.de" "https://chat.ingolf-wagner.de";
      #        sub_filter "chat.workhorse.private" "chat.ingolf-wagner.de";
      #      '';
      #    };
      #  } // error.locations;
      #};

      "nextcloud.ingolf-wagner.de" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = {
            proxyPass = "http://nextcloud.workhorse.private";
            extraConfig = ''
              sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";
              sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";
              # used for view/edit office file via Office Online Server
              client_max_body_size 0;
            '';
          };
          "= /.well-known/carddav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };
          "= /.well-known/caldav" = {
            priority = 210;
            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
          };

        } // error.locations;
      };

      "gaykraft.com" = {
        listen = [
          {
            addr = "0.0.0.0";
            port = 4443;
            ssl = true;
          }
          {
            addr = "0.0.0.0";
            port = 80;
            ssl = false;
          }
        ];
        forceSSL = true;
        enableACME = true;
        extraConfig = error.extraConfig;
        locations = {
          "/" = { root = "/srv/www/gaykraft"; };
        } // error.locations;
      };

    };
  };

  services.sslh = {
    enable = true;
    listenAddresses = [ "0.0.0.0" ];
    port = 443;
    verbose = true;
    transparent = true;
    # List of protocols
    #
    # Each protocol entry consists of:
    #   name: name of the probe. These are listed on the command line (ssh -?), plus 'regex' and 'timeout'.
    #   service: (optional) libwrap service name (see hosts_access(5))
    #   host, port: where to connect when this probe succeeds
    #   log_level:  0 to turn off logging
    #               1 to log each incoming connection
    #   keepalive:  Should TCP keepalive be on or off for that
    #               connection (default is off)
    #   fork: Should a new process be forked for this protocol?
    #         (only useful for sslh-select)
    #   tfo_ok: Set to true if the server supports TCP FAST OPEN
    #
    #  Probe-specific options:
    # (sslh will try each probe in order they are declared, and
    # connect to the first that matches.)
    #
    #       tls:
    #               sni_hostnames:  list of FQDN for that target
    #               alpn_protocols: list of ALPN protocols for that target, see:
    #               https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
    #
    #               if both sni_hostnames AND alpn_protocols are specified, both must match
    #
    #               if neither are set, it is just checked whether this is the TLS protocol or not
    #
    #               Obviously set the most specific probes
    #               first, and if you use TLS with no ALPN/SNI
    #               set it as the last TLS probe
    #       regex:
    #               regex_patterns: list of patterns to match for
    #               that target.
    #
    # You can specify several of 'regex' and 'tls'.
    appendConfig = ''
      protocols:
      (
        { name: "ssh"; service: "ssh"; host: "localhost"; port: "2222";},
        { name: "tls";                 host: "localhost"; port: "4443";},
        { name: "tinc";                host: "localhost"; port: "655"; }
      );
    '';
  };

  systemd.services."socat-proxy" = {
    wantedBy = [ "sslh.service" "multi-user.target" ];
    after = [ "sslh.service" ];
    script = ''
      ${pkgs.socat}/bin/socat TCP-LISTEN:2222,fork TCP:workhorse.private:2222
    '';
    #serviceConfig.User = "sslh";
  };

}
add error pages to nginx 2020-03-15 15:52:02 +01:00			`{ config, lib, pkgs, ... }:`
			`let`

			`errorPages = pkgs.fetchgit {`
			`url = "https://git.ingolf-wagner.de/palo/http-errors.git";`
improve error pages 2020-03-17 10:53:52 +01:00			`rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";`
			`sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`};`
nginx: update error pages 2020-03-15 16:51:11 +01:00
add error pages to nginx 2020-03-15 15:52:02 +01:00			`error = {`
			`extraConfig = ''`
			`error_page 400 /errors/400.html;`
			`error_page 401 /errors/401.html;`
			`error_page 402 /errors/402.html;`
			`error_page 403 /errors/403.html;`
			`error_page 404 /errors/404.html;`
			`error_page 405 /errors/405.html;`
			`error_page 406 /errors/406.html;`
			`error_page 500 /errors/500.html;`
			`error_page 501 /errors/501.html;`
			`error_page 502 /errors/502.html;`
			`error_page 503 /errors/503.html;`
			`error_page 504 /errors/504.html;`
			`'';`
			`locations."^~ /errors/" = {`
			`extraConfig = "internal;";`
			`root = "${errorPages}/";`
			`};`
			`};`
			`in {`
init 2019-10-24 02:20:38 +02:00
nextcloud: add nextcloud but wrong folder 2020-03-03 17:14:21 +01:00			`networking.firewall.allowedTCPPorts = [ 80 443 4443 ];`
			`networking.firewall.allowedUDPPorts = [ 80 443 4443 ];`
init 2019-10-24 02:20:38 +02:00
			`services.nginx = {`
			`enable = true;`
nextcloud: make oauth logins possible 2020-03-04 07:37:03 +01:00			`recommendedProxySettings = true;`
init 2019-10-24 02:20:38 +02:00			`virtualHosts = {`

			`"git.ingolf-wagner.de" = {`
			`listen = [`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
init 2019-10-24 02:20:38 +02:00			`];`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`forceSSL = true;`
init 2019-10-24 02:20:38 +02:00			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`

			`locations = {`
update: sputnik 2020-12-24 17:07:40 +01:00			`"/" = {`
			`proxyPass = "http://workhorse.private:3000";`
			`extraConfig = ''`
			`if ($request_method = 'OPTIONS') {`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';`
			`#`
			`# Custom headers and headers various browsers should be OK with but aren't`
			`#`
			`add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';`
			`#`
			`# Tell client that this pre-flight info is valid for 20 days`
			`#`
			`add_header 'Access-Control-Max-Age' 1728000;`
			`add_header 'Content-Type' 'text/plain; charset=utf-8';`
			`add_header 'Content-Length' 0;`
			`return 204;`
			`}`
			`if ($request_method = 'POST') {`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';`
			`add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';`
			`add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';`
			`}`
			`if ($request_method = 'GET') {`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';`
			`add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';`
			`add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';`
			`}`
			`'';`
			`};`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`} // error.locations;`
init 2019-10-24 02:20:38 +02:00			`};`

			`"paste.ingolf-wagner.de" = {`
			`listen = [`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
init 2019-10-24 02:20:38 +02:00			`];`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`forceSSL = true;`
init 2019-10-24 02:20:38 +02:00			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`
			`locations = {`
			`"/" = { proxyPass = "http://workhorse.private:8000"; };`
			`} // error.locations;`
init 2019-10-24 02:20:38 +02:00			`};`

nginx: add travel.ingolf-wagner.de 2020-01-19 07:13:54 +01:00			`"travel.ingolf-wagner.de" = {`
			`listen = [`
			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
			`];`
			`forceSSL = true;`
			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`
			`locations = {`
			`"/" = {`
			`root = "/srv/www/travel";`
			`extraConfig = ''`
			`if (-d $request_filename) {`
			`rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;`
			`}`
			`'';`
			`};`
			`} // error.locations;`
nginx: add travel.ingolf-wagner.de 2020-01-19 07:13:54 +01:00			`};`

init 2019-10-24 02:20:38 +02:00			`"tech.ingolf-wagner.de" = {`
			`listen = [`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
init 2019-10-24 02:20:38 +02:00			`];`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`forceSSL = true;`
init 2019-10-24 02:20:38 +02:00			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`
			`locations = {`
			`"/" = {`
			`root = "/srv/www/tech";`
			`extraConfig = ''`
			`if (-d $request_filename) {`
			`rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;`
			`}`
			`'';`
			`};`
			`} // error.locations;`
init 2019-10-24 02:20:38 +02:00			`};`

			`"terranix.org" = {`
			`listen = [`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
init 2019-10-24 02:20:38 +02:00			`];`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`forceSSL = true;`
init 2019-10-24 02:20:38 +02:00			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`
			`locations = {`
			`"/" = {`
			`root = "/srv/www/terranix";`
			`extraConfig = ''`
			`if (-d $request_filename) {`
			`rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;`
			`}`
			`'';`
			`};`
			`} // error.locations;`
init 2019-10-24 02:20:38 +02:00			`};`

sputnik fixing lets encrypt fixes 2021-03-05 17:45:54 +01:00			`#"chat.ingolf-wagner.de" = {`
			`# listen = [`
			`# {`
			`# addr = "0.0.0.0";`
			`# port = 4443;`
			`# ssl = true;`
			`# }`
			`# {`
			`# addr = "0.0.0.0";`
			`# port = 80;`
			`# ssl = false;`
			`# }`
			`# ];`
			`# forceSSL = true;`
			`# enableACME = true;`
			`# extraConfig = error.extraConfig;`
			`# locations = {`
			`# "/" = {`
			`# proxyPass = "http://chat.workhorse.private";`
			`# proxyWebsockets = true;`
			`# extraConfig = ''`
			`# sub_filter "http://chat.ingolf-wagner.de" "https://chat.ingolf-wagner.de";`
			`# sub_filter "chat.workhorse.private" "chat.ingolf-wagner.de";`
			`# '';`
			`# };`
			`# } // error.locations;`
			`#};`
mattermost: add mattermost with tooling 2020-03-09 16:49:15 +01:00
nextcloud: add nextcloud but wrong folder 2020-03-03 17:14:21 +01:00			`"nextcloud.ingolf-wagner.de" = {`
			`listen = [`
			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
			`];`
			`forceSSL = true;`
			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`
nextcloud: use upstream nextcloud module 2020-03-06 08:28:19 +01:00			`locations = {`
			`"/" = {`
			`proxyPass = "http://nextcloud.workhorse.private";`
			`extraConfig = ''`
			`sub_filter "http://nextcloud.ingolf-wagner.de" "https://nextcloud.ingolf-wagner.de";`
			`sub_filter "nextcloud.workhorse.private" "nextcloud.ingolf-wagner.de";`
			`# used for view/edit office file via Office Online Server`
			`client_max_body_size 0;`
			`'';`
			`};`
			`"= /.well-known/carddav" = {`
			`priority = 210;`
			`extraConfig = "return 301 $scheme://$host/remote.php/dav;";`
			`};`
			`"= /.well-known/caldav" = {`
			`priority = 210;`
			`extraConfig = "return 301 $scheme://$host/remote.php/dav;";`
			`};`

add error pages to nginx 2020-03-15 15:52:02 +01:00			`} // error.locations;`
nextcloud: add nextcloud but wrong folder 2020-03-03 17:14:21 +01:00			`};`

init 2019-10-24 02:20:38 +02:00			`"gaykraft.com" = {`
			`listen = [`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`{`
			`addr = "0.0.0.0";`
			`port = 4443;`
			`ssl = true;`
			`}`
			`{`
			`addr = "0.0.0.0";`
			`port = 80;`
			`ssl = false;`
			`}`
init 2019-10-24 02:20:38 +02:00			`];`
nixfmt: reformat all files 2019-12-20 05:54:26 +01:00			`forceSSL = true;`
init 2019-10-24 02:20:38 +02:00			`enableACME = true;`
add error pages to nginx 2020-03-15 15:52:02 +01:00			`extraConfig = error.extraConfig;`
			`locations = {`
			`"/" = { root = "/srv/www/gaykraft"; };`
			`} // error.locations;`
init 2019-10-24 02:20:38 +02:00			`};`

			`};`
			`};`

			`services.sslh = {`
			`enable = true;`
update: sputnik 2020-12-24 17:07:40 +01:00			`listenAddresses = [ "0.0.0.0" ];`
init 2019-10-24 02:20:38 +02:00			`port = 443;`
update: sputnik 2020-12-24 17:07:40 +01:00			`verbose = true;`
init 2019-10-24 02:20:38 +02:00			`transparent = true;`
update: sputnik 2020-12-24 17:07:40 +01:00			`# List of protocols`
			`#`
			`# Each protocol entry consists of:`
			`# name: name of the probe. These are listed on the command line (ssh -?), plus 'regex' and 'timeout'.`
			`# service: (optional) libwrap service name (see hosts_access(5))`
			`# host, port: where to connect when this probe succeeds`
			`# log_level: 0 to turn off logging`
			`# 1 to log each incoming connection`
			`# keepalive: Should TCP keepalive be on or off for that`
			`# connection (default is off)`
			`# fork: Should a new process be forked for this protocol?`
			`# (only useful for sslh-select)`
			`# tfo_ok: Set to true if the server supports TCP FAST OPEN`
			`#`
			`# Probe-specific options:`
			`# (sslh will try each probe in order they are declared, and`
			`# connect to the first that matches.)`
			`#`
			`# tls:`
			`# sni_hostnames: list of FQDN for that target`
			`# alpn_protocols: list of ALPN protocols for that target, see:`
			`# https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids`
			`#`
			`# if both sni_hostnames AND alpn_protocols are specified, both must match`
			`#`
			`# if neither are set, it is just checked whether this is the TLS protocol or not`
			`#`
			`# Obviously set the most specific probes`
			`# first, and if you use TLS with no ALPN/SNI`
			`# set it as the last TLS probe`
			`# regex:`
			`# regex_patterns: list of patterns to match for`
			`# that target.`
			`#`
			`# You can specify several of 'regex' and 'tls'.`
			`appendConfig = ''`
			`protocols:`
			`(`
			`{ name: "ssh"; service: "ssh"; host: "localhost"; port: "2222";},`
			`{ name: "tls"; host: "localhost"; port: "4443";},`
			`{ name: "tinc"; host: "localhost"; port: "655"; }`
			`);`
			`'';`
init 2019-10-24 02:20:38 +02:00			`};`

			`systemd.services."socat-proxy" = {`
			`wantedBy = [ "sslh.service" "multi-user.target" ];`
			`after = [ "sslh.service" ];`
			`script = ''`
			`${pkgs.socat}/bin/socat TCP-LISTEN:2222,fork TCP:workhorse.private:2222`
			`'';`
			`#serviceConfig.User = "sslh";`
			`};`

			`}`