diff --git a/modules/nginx.nix b/modules/nginx.nix index db8090a..8253544 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -1,9 +1,17 @@ -{ config, pkgs, lib, ... }: +{ + config, + lib, + ... +}: let - serverName = "atri.dad"; - matrixDomain = "matrix.atri.dad"; - matrixRtcDomain = "matrixrtc.atri.dad"; + atriDotDad = "atri.dad"; + atashDotDev = "atash.dev"; + + matrixDomain = "matrix.${atriDotDad}"; + matrixRtcDomain = "matrixrtc.${atriDotDad}"; + + upstream = "lloyd.tadpole-pain.ts.net"; wellKnownServer = builtins.toJSON { "m.server" = "${matrixDomain}:443"; @@ -20,11 +28,44 @@ let } ]; }; + + # Helper: standard proxy virtual host + mkProxy = port: { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://${upstream}:${toString port}"; + extraConfig = "if ($fuckai) { return 444; }"; + }; + }; + + # Helper: proxy host with websocket support and extra location config + mkProxyWs = port: extraLocationConfig: { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://${upstream}:${toString port}"; + proxyWebsockets = true; + extraConfig = '' + if ($fuckai) { return 444; } + ${extraLocationConfig} + ''; + }; + }; + + # Helper: stream server block (TCP + UDP) + mkStream = port: '' + server { + listen ${toString port}; + listen ${toString port} udp; + proxy_pass ${upstream}:${toString port}; + } + ''; in { security.acme = { acceptTerms = true; - defaults.email = "me@atri.dad"; + defaults.email = "me@${atriDotDad}"; }; services.nginx = { 
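Review bot: `mkStream` hands every public client straight to the tailnet host with no source restriction, and because the stream `proxy_pass` originates a fresh connection the upstream only ever sees nginx's own address, so any per-client ban or rate limit on those services cannot tell clients apart (the `$fuckai` gate exists only in the http `locations`). If the upstream services speak it, `proxy_protocol on;` in the generated server block preserves the client address; otherwise record the limitation above the helper, e.g. `# NOTE: upstream sees nginx's tailnet address, not the client's — any per-IP throttling/banning has to live on this host`. Also, `listen ${toString port};` with no address binds the IPv4 wildcard only, whereas the http vhosts generated by the NixOS module listen on both address families by default, so add `listen [::]:${toString port};` and `listen [::]:${toString port} udp;` if the game ports are meant to be reachable over IPv6 as well. The `let` block is complete in this hunk, but `services.nginx = {` opens on its last line and continues outside it.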
@@ -103,48 +144,22 @@ in } ''; - # Stream Hosts - streamConfig = '' - # Port 69 - server { - listen 69; - listen 69 udp; - proxy_pass lloyd.tadpole-pain.ts.net:69; - } + streamConfig = lib.concatStrings ( + map mkStream [ + 69 + 420 + 25565 + 25566 + 25567 + ] + ); - # Port 420 - server { - listen 420; - listen 420 udp; - proxy_pass lloyd.tadpole-pain.ts.net:420; - } - - # Minecraft / Game Ports - server { - listen 25565; - listen 25565 udp; - proxy_pass lloyd.tadpole-pain.ts.net:25565; - } - server { - listen 25566; - listen 25566 udp; - proxy_pass lloyd.tadpole-pain.ts.net:25566; - } - server { - listen 25567; - listen 25567 udp; - proxy_pass lloyd.tadpole-pain.ts.net:25567; - } - ''; - - # Proxy Hosts virtualHosts = { - # atri.dad hosts - "atri.dad" = { + "${atriDotDad}" = { enableACME = true; forceSSL = true; locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:3000"; + proxyPass = "http://${upstream}:3000"; extraConfig = "if ($fuckai) { return 444; }"; }; locations."= /.well-known/matrix/server" = { 
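Review bot: The root `"${atriDotDad}"` host is the one http vhost left longhand after the `mkProxy` refactor even though its `/` location is exactly what `mkProxy 3000` produces. It can be written as `"${atriDotDad}" = lib.recursiveUpdate (mkProxy 3000) { locations."= /.well-known/matrix/server" = { ... }; };` — but not with `//`, because the shallow merge would replace the whole `locations` set and silently drop the `/` proxy. The host's attribute set continues past the end of this hunk, so the remaining `.well-known` locations would move into the same override set.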
@@ -161,94 +176,41 @@ in ''; }; }; - "analytics.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30060"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "archive.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30288"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "ascently.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8838"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "bsky.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:31173"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "chef.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30111"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "democlimb.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8008"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "fedi.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8181"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "gist.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:1227"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "git.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30010"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "links.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30243"; - extraConfig = "if ($fuckai) { return 444; }"; - 
}; - }; - "media.atri.dad" = { + + "analytics.${atriDotDad}" = mkProxy 30060; + "archive.${atriDotDad}" = mkProxy 30288; + "ascently.${atriDotDad}" = mkProxy 8838; + "bsky.${atriDotDad}" = mkProxy 31173; + "chef.${atriDotDad}" = mkProxy 30111; + "democlimb.${atriDotDad}" = mkProxy 8008; + "fedi.${atriDotDad}" = mkProxy 8181; + "gist.${atriDotDad}" = mkProxy 1227; + "git.${atriDotDad}" = mkProxy 30010; + "links.${atriDotDad}" = mkProxy 30243; + "memos.${atriDotDad}" = mkProxy 30311; + "mermaid.${atriDotDad}" = mkProxy 8280; + "msrc.${atriDotDad}" = mkProxy 3311; + "n8n.${atriDotDad}" = mkProxy 30109; + "ocr.${atriDotDad}" = mkProxy 30070; + "openclimb.${atriDotDad}" = mkProxy 1337; + "photos.${atriDotDad}" = mkProxy 30041; + "pods.${atriDotDad}" = mkProxy 8828; + "requests.${atriDotDad}" = mkProxy 30042; + "s3.${atriDotDad}" = mkProxy 30188; + "search.${atriDotDad}" = mkProxy 30053; + "sync.${atriDotDad}" = mkProxy 20910; + "travel.${atriDotDad}" = mkProxy 30251; + "travelapi.${atriDotDad}" = mkProxy 30250; + "vault.${atriDotDad}" = mkProxy 30032; + + "media.${atriDotDad}" = { enableACME = true; forceSSL = true; extraConfig = '' client_max_body_size 0; ''; locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30013"; + proxyPass = "http://${upstream}:30013"; proxyWebsockets = true; extraConfig = '' if ($fuckai) { return 444; } 
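Review bot: `mkProxyWs` is introduced by this change but has no caller in the diff — `media.${atriDotDad}`, the one host with `proxyWebsockets = true`, is still written out longhand. It can become `"media.${atriDotDad}" = mkProxyWs 30013 ''…rest of the location extraConfig…'' // { extraConfig = "client_max_body_size 0;"; };`, where `//` is safe because `extraConfig` is a new top-level key and does not touch `locations`. The location's `extraConfig` body runs past the end of this hunk, so whatever follows the `$fuckai` line must be carried into the second argument; if the helper stays unused, drop it rather than leave a second proxy template to drift.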
@@ -260,139 +222,10 @@ in ''; }; }; - "memos.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30311"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "mermaid.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8280"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "msrc.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:3311"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "n8n.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30109"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "ocr.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30070"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "openclimb.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:1337"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "photos.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30041"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "pods.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8828"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "requests.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30042"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "ripkyle.org" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:4321"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - 
}; - "s3.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30188"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "search.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30053"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "sync.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:20910"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "travel.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30251"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "travelapi.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30250"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "vault.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30032"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "matrix.atri.dad" = { + "${matrixDomain}" = { enableACME = true; forceSSL = true; - locations."/" = { proxyPass = "http://[::1]:6167"; proxyWebsockets = true; @@ -400,18 +233,15 @@ in client_max_body_size 100M; ''; }; - locations."^~ /livekit/jwt/" = { priority = 400; proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/"; }; }; - "matrixrtc.atri.dad" = { + "${matrixRtcDomain}" = { enableACME = true; forceSSL = true; - - # livekit locations."/" = { proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}"; proxyWebsockets = true; 
@@ -424,26 +254,26 @@ in }; }; - "atash.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:6969"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "chronus.atash.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:7337"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; + "ripkyle.org" = mkProxy 4321; + "${atashDotDev}" = mkProxy 6969; + "chronus.${atashDotDev}" = mkProxy 7337; }; }; - # Open Ports - networking.firewall.allowedTCPPorts = [ 80 443 69 420 25565 25566 25567 ]; - networking.firewall.allowedUDPPorts = [ 69 420 25565 25566 25567 ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + 69 + 420 + 25565 + 25566 + 25567 + ]; + networking.firewall.allowedUDPPorts = [ + 69 + 420 + 25565 + 25566 + 25567 + ]; }
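Review bot: The five stream ports now appear in three places — the `map mkStream [ … ]` list and both firewall lists — so adding or retiring a game port means editing all three, and a port left open in `allowedTCPPorts`/`allowedUDPPorts` with no listener behind it is exactly the drift this refactor should prevent. Hoist one `streamPorts = [ 69 420 25565 25566 25567 ];` into the `let` (next to `mkStream`, outside this hunk) and derive the rest from it: `networking.firewall.allowedTCPPorts = [ 80 443 ] ++ streamPorts;`, `networking.firewall.allowedUDPPorts = streamPorts;`, and `streamConfig = lib.concatStrings (map mkStream streamPorts);` in the stream hunk. That keeps the firewall's exposed surface provably equal to the set of stream listeners.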