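# NixOS module: nginx as the public, TLS-terminating reverse proxy.
# Every virtual host gets an ACME certificate and forced HTTPS, then forwards
# to a backend on `upstreamHost` or to the local Matrix / LiveKit services.
#
# NOTE(review): no vhost here sets allow/deny, basic auth or client-certificate
# checks, so every backend (vault, n8n, s3, analytics included) is reachable
# by anyone who can reach this proxy. Each backend has to enforce its own
# authentication.
{ config, lib, ... }:
let
  rootDomain = "atri.dad";
  matrixDomain = "matrix.${rootDomain}";
  matrixRtcDomain = "matrixrtc.${rootDomain}";

  # Backend host behind every mkProxyVhost upstream.
  # NOTE(review): the proxy-to-backend hop is plain HTTP, so its
  # confidentiality and integrity rest entirely on the network path (the
  # ts.net name suggests a Tailscale tailnet; confirm). nginx resolves a
  # literal proxy_pass hostname when it loads its configuration, so this name
  # must be resolvable when nginx starts.
  upstreamHost = "lloyd.tadpole-pain.ts.net";
  onLloyd = port: "http://${upstreamHost}:${toString port}";

  # Matrix discovery documents served from rootDomain; both point at
  # matrixDomain.
  wellKnownServer = builtins.toJSON {
    "m.server" = "${matrixDomain}:443";
  };
  wellKnownClient = builtins.toJSON {
    "m.homeserver" = {
      base_url = "https://${matrixDomain}";
    };
    "org.matrix.msc4143.rtc_foci" = [
      {
        type = "livekit";
        livekit_service_url = "https://${matrixDomain}/livekit/jwt";
      }
    ];
  };

  # Drops requests whose User-Agent matched the map in commonHttpConfig.
  # 444 is nginx's "close the connection without a response" code.
  # User-Agent is client-supplied, so this only stops crawlers that identify
  # themselves honestly; it is a policy signal, not an access control.
  blockAi = "if ($fuckai) { return 444; }";

  # Builds a one-entry attrset { <host> = <vhost config>; } for a proxied
  # site with ACME + forced HTTPS.
  #   host                - server name
  #   upstream            - proxy_pass target for "/"
  #   websockets          - enable websocket proxying on "/"
  #   extraConfig         - raw nginx directives at server level
  #   locationExtraConfig - raw nginx directives appended to "/" after blockAi
  #   extraLocations      - additional locations; they do NOT receive blockAi
  mkProxyVhost =
    {
      host,
      upstream,
      websockets ? false,
      extraConfig ? "",
      locationExtraConfig ? "",
      extraLocations ? { },
    }:
    {
      "${host}" = {
        enableACME = true;
        forceSSL = true;
        inherit extraConfig;
        locations = {
          "/" = {
            proxyPass = upstream;
            proxyWebsockets = websockets;
            extraConfig = lib.concatStringsSep "\n" (
              [ blockAi ] ++ lib.optional (locationExtraConfig != "") locationExtraConfig
            );
          };
        }
        // extraLocations;
      };
    };

  # Subdomains of rootDomain that need only the default proxy vhost,
  # mapped to their backend port on upstreamHost.
  plainSubdomains = {
    analytics = 30060;
    archive = 30288;
    ascently = 8838;
    bsky = 31173;
    chef = 30111;
    democlimb = 8008;
    fedi = 8181;
    gist = 1227;
    git = 30010;
    links = 30243;
    memos = 30311;
    mermaid = 8280;
    msrc = 3311;
    n8n = 30109;
    ocr = 30070;
    openclimb = 1337;
    photos = 30041;
    pods = 8828;
    requests = 30042;
    s3 = 30188;
    search = 30053;
    sync = 20910;
    travel = 30251;
    travelapi = 30250;
    vault = 30032;
  };

  # Hosts outside rootDomain, same default proxy vhost.
  otherDomains = {
    "ripkyle.org" = 4321;
    "atash.dev" = 6969;
    "chronus.atash.dev" = 7337;
  };
in
{
  # security.acme is a top-level NixOS option namespace. It is declared beside
  # services.nginx rather than inside it, where it would be read as
  # services.nginx.security.acme, which is not an nginx module option.
  security.acme = {
    acceptTerms = true;
    defaults.email = "me@atri.dad";
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Default request-body cap for every vhost. The media vhost lifts it
    # entirely and the Matrix "/" location sets 100M.
    clientMaxBodySize = "3g";

    # more_clear_headers is provided by the headers-more nginx module, which
    # this file does not load.
    # NOTE(review): confirm it is added elsewhere (for example through
    # services.nginx.additionalModules), otherwise nginx rejects the config.
    #
    # The map patterns are unanchored, case-insensitive regexes against the
    # User-Agent header, so short tokens can also match unrelated agents, and
    # the "bingbot" entry drops Bing's search crawler as well.
    commonHttpConfig = ''
      more_clear_headers Server;
      more_clear_headers X-Powered-By;

      map $http_user_agent $fuckai {
        default 0;
        "~*GPTBot" 1;
        "~*ChatGPT-User" 1;
        "~*OAI-SearchBot" 1;
        "~*ChatGPT-Browser" 1;
        "~*ClaudeBot" 1;
        "~*Claude-Web" 1;
        "~*anthropic-ai" 1;
        "~*Anthropic-Claude" 1;
        "~*xAI-Bot" 1;
        "~*DeepseekBot" 1;
        "~*Google-Extended" 1;
        "~*Gemini-Ai" 1;
        "~*Gemini-Deep-Research" 1;
        "~*Google-CloudVertexBot" 1;
        "~*Google-NotebookLM" 1;
        "~*GoogleAgent-Mariner" 1;
        "~*Bard-Ai" 1;
        "~*FacebookBot" 1;
        "~*Meta-ExternalAgent" 1;
        "~*meta-webindexer" 1;
        "~*Applebot-Extended" 1;
        "~*bingbot" 1;
        "~*CCBot" 1;
        "~*PerplexityBot" 1;
        "~*Perplexity-User" 1;
        "~*Bytespider" 1;
        "~*Diffbot" 1;
        "~*Amazonbot" 1;
        "~*cohere-ai" 1;
        "~*Cohere-Command" 1;
        "~*YouBot" 1;
        "~*Omgilibot" 1;
        "~*ImagesiftBot" 1;
        "~*AI2Bot" 1;
        "~*Andibot" 1;
        "~*bigsur.ai" 1;
        "~*Brightbot" 1;
        "~*TerraCotta" 1;
        "~*Character-AI" 1;
        "~*Devin" 1;
        "~*Crawlspace" 1;
        "~*DuckAssistBot" 1;
        "~*FirecrawlAgent" 1;
        "~*Groq-Bot" 1;
        "~*HuggingFace-Bot" 1;
        "~*IbouBot" 1;
        "~*MistralAI-User" 1;
        "~*Replicate-Bot" 1;
        "~*RunPod-Bot" 1;
        "~*TimpiBot" 1;
        "~*Together-Bot" 1;
        "~*Kangaroo Bot" 1;
        "~*PanguBot" 1;
        "~*Cotoyogi" 1;
        "~*Webzio-Extended" 1;
      }
    '';

    virtualHosts = lib.mkMerge (
      [
        # Root site plus the Matrix .well-known documents. The JSON is placed
        # inside a single-quoted nginx string: nginx would expand any "$" and
        # a single quote would end the literal; the current values contain
        # neither. The client document is sent with a wildcard CORS header so
        # browser-based clients on other origins can read it.
        (mkProxyVhost {
          host = rootDomain;
          upstream = onLloyd 3000;
          extraLocations = {
            "= /.well-known/matrix/server" = {
              extraConfig = ''
                default_type application/json;
                return 200 '${wellKnownServer}';
              '';
            };
            "= /.well-known/matrix/client" = {
              extraConfig = ''
                default_type application/json;
                add_header Access-Control-Allow-Origin "*";
                return 200 '${wellKnownClient}';
              '';
            };
          };
        })

        # Media: no body-size limit, request/response buffering off and 24 h
        # timeouts. nginx therefore puts no bound on upload size or duration
        # for this vhost; any limit has to be enforced by the backend.
        (mkProxyVhost {
          host = "media.${rootDomain}";
          upstream = onLloyd 30013;
          websockets = true;
          extraConfig = ''
            client_max_body_size 0;
          '';
          locationExtraConfig = ''
            proxy_buffering off;
            proxy_request_buffering off;
            proxy_read_timeout 86400s;
            proxy_send_timeout 86400s;
            send_timeout 86400s;
          '';
        })

        # Matrix homeserver on loopback, with the LiveKit JWT service mounted
        # under /livekit/jwt/. The trailing slash on that proxyPass makes nginx
        # replace the matched location prefix with "/" before forwarding.
        # This vhost does not apply blockAi.
        {
          "${matrixDomain}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://[::1]:6167";
              proxyWebsockets = true;
              extraConfig = ''
                client_max_body_size 100M;
              '';
            };
            locations."^~ /livekit/jwt/" = {
              priority = 400;
              proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/";
            };
          };
        }

        # LiveKit endpoint on loopback. This vhost does not apply blockAi.
        {
          "${matrixRtcDomain}" = {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_send_timeout 120;
                proxy_read_timeout 120;
                proxy_buffering off;
                proxy_set_header Accept-Encoding gzip;
              '';
            };
          };
        }
      ]
      ++ lib.mapAttrsToList (
        sub: port:
        mkProxyVhost {
          host = "${sub}.${rootDomain}";
          upstream = onLloyd port;
        }
      ) plainSubdomains
      ++ lib.mapAttrsToList (
        host: port:
        mkProxyVhost {
          inherit host;
          upstream = onLloyd port;
        }
      ) otherDomains
    );
  };
}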