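{ config, lib, pkgs, ... }:
let
  # Static HTML error pages shared by every vhost below; pinned to a commit
  # and a content hash so the served pages cannot change under us.
  errorPages = pkgs.fetchgit {
    url = "https://git.ingolf-wagner.de/palo/http-errors.git";
    rev = "74b8e4c1d9bbba3db6ad858b888e1867318af1f0";
    sha256 = "0czdzafx4k76q773lyf3vsjm74g1995iz542dhw15kpy5xbivsrg";
  };

  # HTTP status codes that get a custom page from `errorPages`.
  errorCodes = [ 400 401 402 403 404 405 406 500 501 502 503 504 ];

  error = {
    # One `error_page` directive per code, all resolved under /errors/.
    extraConfig = lib.concatMapStrings
      (code: "error_page ${toString code} /errors/${toString code}.html;\n")
      errorCodes;
    locations."^~ /errors/" = {
      # `internal` keeps clients from requesting the pages directly;
      # only nginx's own error redirection can reach them.
      extraConfig = "internal;";
      root = "${errorPages}/";
    };
  };

  # Common vhost settings: plain HTTP on 80 (redirected by forceSSL) and TLS
  # on 4443, which sslh forwards to on behalf of the public port 443.
  vhostDefaults = {
    listen = [
      { addr = "0.0.0.0"; port = 4443; ssl = true; }
      { addr = "0.0.0.0"; port = 80; ssl = false; }
    ];
    forceSSL = true;
    enableACME = true;
    extraConfig = error.extraConfig;
  };

  # Build a vhost from its own locations plus the shared error-page location.
  mkVHost = locations: vhostDefaults // {
    locations = locations // error.locations;
  };

  # nginx `if` is evaluated per request; this one only redirects directory
  # URIs that lack a trailing slash, which is the documented safe use.
  dirSlashRedirect = ''
    if (-d $request_filename) {
      rewrite [^/]$ $scheme://$http_host$request_uri/ permanent;
    }
  '';

  # A static site rooted at `root`, with the trailing-slash redirect.
  staticSite = root: {
    "/" = {
      inherit root;
      extraConfig = dirSlashRedirect;
    };
  };

  # Rewrite backend hostnames in response bodies to the public https name.
  # sub_filter only touches text/html responses unless sub_filter_types is set.
  publicHostFilter = public: backend: ''
    sub_filter "http://${public}" "https://${public}";
    sub_filter "${backend}" "${public}";
  '';
in
{
  # sslh takes 443, nginx takes 80 and 4443. Note that 4443 is also reachable
  # directly from the outside, not only through sslh.
  networking.firewall.allowedTCPPorts = [ 80 443 4443 ];
  # Nothing in this module listens on UDP (sslh and nginx are TCP-only here),
  # so no UDP ports are opened; re-add 443 only if QUIC/HTTP3 is enabled.

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts = {
      "git.ingolf-wagner.de" = mkVHost {
        "/".proxyPass = "http://workhorse.private:3000";
      };

      "paste.ingolf-wagner.de" = mkVHost {
        "/".proxyPass = "http://workhorse.private:8000";
      };

      "travel.ingolf-wagner.de" = mkVHost (staticSite "/srv/www/travel");

      "tech.ingolf-wagner.de" = mkVHost (staticSite "/srv/www/tech");

      "terranix.org" = mkVHost (staticSite "/srv/www/terranix");

      "chat.ingolf-wagner.de" = mkVHost {
        "/" = {
          proxyPass = "http://chat.workhorse.private";
          proxyWebsockets = true;
          extraConfig =
            publicHostFilter "chat.ingolf-wagner.de" "chat.workhorse.private";
        };
      };

      "nextcloud.ingolf-wagner.de" = mkVHost {
        "/" = {
          proxyPass = "http://nextcloud.workhorse.private";
          extraConfig =
            publicHostFilter "nextcloud.ingolf-wagner.de" "nextcloud.workhorse.private"
            + ''
              # used for view/edit office file via Office Online Server
              client_max_body_size 0;
            '';
        };
        # Service discovery redirects for CalDAV/CardDAV clients; priority 210
        # makes these exact-match locations win over the "/" proxy.
        "= /.well-known/carddav" = {
          priority = 210;
          extraConfig = "return 301 $scheme://$host/remote.php/dav;";
        };
        "= /.well-known/caldav" = {
          priority = 210;
          extraConfig = "return 301 $scheme://$host/remote.php/dav;";
        };
      };

      # Plain static root, deliberately without the trailing-slash redirect.
      "gaykraft.com" = mkVHost {
        "/".root = "/srv/www/gaykraft";
      };
    };
  };

  # Protocol multiplexer on 443: SSH, TLS and tinc are told apart by probing
  # the first bytes and handed to local backends.
  services.sslh = {
    enable = true;
    listenAddress = "0.0.0.0";
    port = 443;
    verbose = false;
    # Backends see the real client address; the NixOS module installs the
    # routing rules this needs.
    transparent = true;
    # sslh libconfig syntax (not JSON), appended to the generated config.
    appendConfig = ''
      protocols:
      (
        { name: "ssh"; service: "ssh"; host: "localhost"; port: "2222"; probe: "builtin"; },
        { name: "ssl"; host: "localhost"; port: "4443"; probe: "builtin"; },
        { name: "tinc"; host: "localhost"; port: "655"; probe: "builtin"; }
      );
    '';
  };

  # Relays the SSH leg of sslh (local 2222) to the private host. socat binds
  # all interfaces here; exposure is limited by the firewall, which does not
  # open 2222.
  systemd.services."socat-proxy" = {
    wantedBy = [ "sslh.service" "multi-user.target" ];
    after = [ "sslh.service" ];
    script = ''
      ${pkgs.socat}/bin/socat TCP-LISTEN:2222,fork TCP:workhorse.private:2222
    '';
    # 2222 is an unprivileged port, so the relay does not need root. A
    # transient user replaces the earlier, commented-out `User = "sslh"`,
    # which would fail if no such static user exists.
    serviceConfig.DynamicUser = true;
  };
}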