{
lib,
pkgs,
...
}:
let
# Domains served by this host; every vhost below is derived from one of these.
atriDotDad = "atri.dad";
atashDotDev = "atash.dev";
# Matrix homeserver and LiveKit SFU vhosts; both are advertised from the apex
# domain through the /.well-known/matrix documents rendered further down.
matrixDomain = "matrix.${atriDotDad}";
livekitDomain = "livekit.${atriDotDad}";
# Tailnet (MagicDNS, .ts.net) name of the machine that actually runs the
# services. Every reverse_proxy target and socat relay below points at it over
# plain http / raw sockets, so the tailnet link is the only protection on that hop.
upstream = "lloyd.tadpole-pain.ts.net";
# Ports relayed 1:1 to `upstream` as raw streams by the socat units built in
# systemd.services and opened in networking.firewall for BOTH tcp and udp.
# Nothing is terminated or inspected on these ports.
# NOTE(review): each port is exposed on both protocols regardless of which one
# the service behind it actually uses; dropping the unused protocol per port
# would shrink the exposed surface — confirm per service.
streamPorts = [
69
420
25565
25566
25567
30058 # also reachable through Caddy as vpn.atri.dad (see proxyServices)
51820
];
# Matrix server delegation document (/.well-known/matrix/server): federation
# traffic for the apex domain is directed to the matrix vhost on 443, where Caddy
# terminates TLS before forwarding to the homeserver.
wellKnownServer = builtins.toJSON {
"m.server" = "${matrixDomain}:443";
};
# Matrix client discovery document (/.well-known/matrix/client): the homeserver
# base URL plus an MSC4143 RTC focus that points clients at the LiveKit vhost
# for calls. Served from the apex vhost with a wildcard CORS header below.
wellKnownClient = builtins.toJSON {
"m.homeserver" = {
base_url = "https://${matrixDomain}";
};
"org.matrix.msc4143.rtc_foci" = [
{
type = "livekit";
livekit_service_url = "https://${livekitDomain}";
}
];
};
# Render one Caddy site block for a proxied service.
#   host   - public site name Caddy obtains a certificate for
#   port   - plain-http listener on `upstream` to forward to
#   preset - name of the snippet to import (strict_config or relaxed_config,
#            defined in services.caddy.extraConfig) that sets the response
#            headers / CSP and, for strict_config, the defender block
mkProxyBlock =
{
host,
port,
preset,
}:
''
${host} {
import ${preset}
reverse_proxy http://${upstream}:${toString port}
}
'';
# One entry per public vhost, rendered by mkProxyBlock.
#   host   - TLS site name
#   port   - plain-http port on `upstream`
#   preset - strict_config: defender block + CSP limited to *.atri.dad / *.atash.dev
#            relaxed_config: no defender, CSP open to any https: origin
# Picking relaxed_config therefore also drops the cloud/AI-range blocking for
# that host, not just the tighter CSP.
proxyServices = [
# atri.dad hosts
{
host = "abs.${atriDotDad}";
port = 30067;
preset = "strict_config";
}
{
host = "analytics.${atriDotDad}";
port = 30060;
preset = "relaxed_config";
}
{
host = "ascently.${atriDotDad}";
port = 8838;
preset = "strict_config";
}
{
host = "chat.${atriDotDad}";
port = 30246;
preset = "relaxed_config";
}
{
host = "chef.${atriDotDad}";
port = 30111;
preset = "strict_config";
}
{
host = "democlimb.${atriDotDad}";
port = 8008;
preset = "strict_config";
}
{
host = "gist.${atriDotDad}";
port = 1227;
preset = "relaxed_config";
}
{
host = "git.${atriDotDad}";
port = 30010;
preset = "relaxed_config";
}
{
host = "links.${atriDotDad}";
port = 30243;
preset = "strict_config";
}
{
host = "memos.${atriDotDad}";
port = 30311;
preset = "strict_config";
}
{
host = "music.${atriDotDad}";
port = 30043;
preset = "relaxed_config";
}
{
host = "openclimb.${atriDotDad}";
port = 1337;
preset = "strict_config";
}
{
host = "photos.${atriDotDad}";
port = 30041;
preset = "strict_config";
}
{
host = "posts.${atriDotDad}";
port = 8181;
preset = "relaxed_config";
}
{
host = "s3.${atriDotDad}";
port = 30188;
preset = "strict_config";
}
{
host = "search.${atriDotDad}";
port = 30053;
preset = "relaxed_config";
}
{
host = "requests.${atriDotDad}";
port = 30357;
preset = "relaxed_config";
}
{
host = "todo.${atriDotDad}";
port = 30107;
preset = "relaxed_config";
}
{
host = "tv.${atriDotDad}";
port = 30013;
preset = "strict_config";
}
{
host = "vault.${atriDotDad}";
port = 30032;
preset = "strict_config";
}
# Port 30058 is also listed in streamPorts, so this upstream listener is
# reachable both through Caddy (HTTPS, with the preset headers) and directly
# as a raw tcp/udp relay that bypasses them.
{
host = "vpn.${atriDotDad}";
port = 30058;
preset = "strict_config";
}
# Other hosts (note: their CSP still whitelists analytics.atri.dad, since the
# presets are shared across all domains)
{
host = "ripkyle.org";
port = 4321;
preset = "relaxed_config";
}
{
host = atashDotDev;
port = 6969;
preset = "relaxed_config";
}
{
host = "chronus.${atashDotDev}";
port = 7337;
preset = "strict_config";
}
];
# All per-service site blocks joined into one string; spliced into the
# Caddyfile between the apex vhost and the matrix/livekit vhosts.
proxyBlocks = lib.concatMapStringsSep "\n" mkProxyBlock proxyServices;
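# Build one systemd unit (as a name/value pair for listToAttrs) that relays a
# single port to `upstream` as a raw stream.
#   port  - port number to listen on and to connect to on `upstream`
#   proto - "tcp" or "udp"; upper-cased for the socat address specifiers
# The relay is unauthenticated and uninspected: anything that reaches the port
# on this host is forwarded verbatim, so the unit is kept as unprivileged as
# socat allows. DynamicUser already implies NoNewPrivileges, PrivateTmp,
# ProtectSystem=strict, ProtectHome=read-only and RemoveIPC; the extra
# serviceConfig entries below bound the capabilities and socket families to
# exactly what binding a low port and relaying IP traffic needs.
mkSocatService =
  port: proto:
  let
    portStr = toString port;
    protoUpper = lib.toUpper proto;
  in
  lib.nameValuePair "socat-${proto}-${portStr}" {
    description = "Socat ${proto} proxy for port ${portStr}";
    # Ordered after tailscaled so the tailnet name is resolvable; socat only
    # resolves `upstream` when a client connects, and Restart covers the rest.
    after = [
      "network-online.target"
      "tailscaled.service"
    ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # fork: one child per connection/peer; reuseaddr: restart without TIME_WAIT stalls
      ExecStart = "${pkgs.socat}/bin/socat ${protoUpper}-LISTEN:${portStr},fork,reuseaddr ${protoUpper}:${upstream}:${portStr}";
      Restart = "on-failure";
      RestartSec = "5s";
      DynamicUser = true;
      # Needed for the ports < 1024 in streamPorts; bounding set keeps it the only capability.
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
      NoNewPrivileges = true;
      # AF_UNIX stays allowed for the local name-service socket used during
      # hostname resolution; only IP sockets are otherwise needed.
      RestrictAddressFamilies = [
        "AF_UNIX"
        "AF_INET"
        "AF_INET6"
      ];
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      LockPersonality = true;
      RestrictRealtime = true;
      SystemCallArchitectures = "native";
    };
  };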
in
{
services.caddy = {
enable = true;
# ACME account contact for the certificates Caddy obtains automatically for every vhost.
email = "me@${atriDotDad}";
# Caddy rebuilt with the caddy-defender plugin, pinned to an exact tag AND a
# content hash so the build is reproducible and a moved tag cannot swap the
# plugin code unnoticed. Bumping the version requires updating the hash too.
package = pkgs.caddy.withPlugins {
plugins = [ "pkg.jsn.cam/caddy-defender@v0.10.0" ];
hash = "sha256-d1hLwVylShdTOIHnt3HkbyWUAsmvFlC3cIo6wr89EUw=";
};
# Caddyfile. Two importable snippets carry the shared response headers:
#  - strict_config: defender block against the listed cloud/AI-crawler IP
#    ranges (what the `garbage` responder actually sends is plugin-defined —
#    check the plugin docs) plus a CSP confined to *.atri.dad / *.atash.dev.
#  - relaxed_config: no defender; CSP widened to any https: origin for images
#    and connections, plus a fixed HLS media host and blob: workers.
# Both presets still allow 'unsafe-inline' and 'unsafe-eval' in script-src,
# which largely neutralises the CSP's XSS protection. NOTE(review): tighten
# this per app once the proxied apps are verified to run without them.
# `-Server` / `-alt-svc` strip the server banner and the HTTP/3 advertisement,
# consistent with the firewall opening no UDP on 443.
# The apex vhost serves the Matrix well-known documents directly (the client
# one with `Access-Control-Allow-Origin *`, as Matrix client discovery expects)
# and proxies everything else to upstream:3000. All upstreams are plain http
# on the tailnet name.
extraConfig = ''
(strict_config) {
encode zstd gzip
defender garbage {
ranges openai deepseek aliyun azurepubliccloud aws gcloud githubcopilot mistral oci vultr digitalocean linode cloudflare
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
X-Robots-Tag "noimageindex, noodp, noydir, nofollow"
Referrer-Policy "strict-origin-when-cross-origin"
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.atri.dad; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.atri.dad https://*.atash.dev; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
-Server
-alt-svc
}
}
(relaxed_config) {
encode zstd gzip
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
X-Robots-Tag "noimageindex, noodp, noydir, nofollow"
Referrer-Policy "strict-origin-when-cross-origin"
Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://analytics.atri.dad; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' wss: https:; media-src 'self' https://rogers-hls.leanstream.co; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
-Server
-alt-svc
}
}
${atriDotDad} {
import strict_config
handle /.well-known/matrix/server {
header Content-Type application/json
header X-Content-Type-Options nosniff
respond `${wellKnownServer}` 200
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin "*"
header Vary Origin
header X-Content-Type-Options nosniff
respond `${wellKnownClient}` 200
}
handle {
reverse_proxy http://${upstream}:3000
}
}
${proxyBlocks}
${matrixDomain} {
import relaxed_config
request_body {
max_size 1GB
}
handle {
reverse_proxy http://${upstream}:30394
}
}
${livekitDomain} {
import relaxed_config
@jwt path /sfu/get /healthz /get_token
handle @jwt {
reverse_proxy http://${upstream}:8081
}
handle {
reverse_proxy http://${upstream}:7880
}
}
'';
};
# One socat relay unit per (port, protocol) pair: every entry of streamPorts
# gets both a tcp and a udp unit, named socat-<proto>-<port>.
systemd.services = lib.listToAttrs (
  lib.concatMap (port: [
    (mkSocatService port "tcp")
    (mkSocatService port "udp")
  ]) streamPorts
);
# Caddy owns 80/443 (tcp only; HTTP/3 is not advertised, so no udp/443).
# The streamPorts are opened on both protocols to match the socat relays.
networking.firewall = {
  allowedTCPPorts = [ 80 443 ] ++ streamPorts;
  allowedUDPPorts = streamPorts;
};
}