{ pkgs, config, ... }:

{
# Inbound TCP ports opened on the host firewall: 80/443 for the nginx virtual
# hosts declared in this file, 8448 for the extra TLS listeners on the
# matrix.morj.men virtual host.
# NOTE(review): services.murmur sets openFirewall = true on its own, so this
# list is not the complete set of exposed ports; audit the effective ruleset.
networking.firewall.allowedTCPPorts = [
  80
  443
  8448
];

# ACME account settings; defaults.* applies to the certificates requested by
# the virtual hosts below that set enableACME.
security.acme.acceptTerms = true;
# Contact address handed to the certificate authority.
security.acme.defaults.email = "webmaster@morj.men";

services.nginx = {
# Global nginx settings shared by every virtual host.
# NOTE(review): no Strict-Transport-Security header is configured anywhere in
# this file; forceSSL only redirects plain HTTP, so decide whether HSTS is
# wanted on the public hosts.
appendHttpConfig = "charset UTF-8;";
recommendedTlsSettings = true;
# With the recommended proxy settings on, the per-location
# `proxy_set_header Host $host;` lines further down are presumably redundant;
# confirm against the generated nginx.conf.
recommendedProxySettings = true;
enable = true;

# Catch-all: marked as the default server and denies every request, so
# requests carrying an unknown Host header are refused instead of being served
# by one of the real sites.
# NOTE(review): no TLS option is set here, so this presumably only becomes the
# default for plain HTTP. Which virtual host answers unknown names on 443 is
# then left to nginx's first-match rule; confirm, and add a TLS-side default
# if needed.
virtualHosts."false.morj.men" = {
  locations."/" = {
    extraConfig = "deny all;";
  };
  default = true;
};
# Name that nginx knows only in order to refuse it: everything under "/" is denied.
virtualHosts."vpn.morj.men" = {
  locations."/" = {
    extraConfig = "deny all;";
  };
};

# Plain-HTTP probe endpoint: every path answers "200 success"; TLS is not
# offered (addSSL = false) and HTTPS connections are rejected (rejectSSL).
virtualHosts."captive.morj.men" = {
  rejectSSL = true;
  addSSL = false;
  locations."/" = {
    return = "200 success";
  };
  # NOTE(review): add_header appends a header; it does not replace the
  # Content-Type nginx derives from default_type, so responses may carry two
  # Content-Type headers. Verify with `curl -i`; `default_type text/plain;` is
  # the usual way to set it.
  # The log file name uses $scheme and $server_name, both taken from the server
  # configuration rather than from the client's Host header, so a request
  # cannot choose the path.
  extraConfig = ''
    add_header Content-Type text/plain;

    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# Apex site: static files from /srv/www/ plus the two Matrix discovery
# documents that delegate the morj.men identity to matrix.morj.men.
virtualHosts."morj.men" = {
  enableACME = true;
  forceSSL = true;

  locations."/".root = "/srv/www/";

  # matrix-continuwuity configuration
  # Server-to-server discovery. No port is given in "m.server"; federation
  # peers then presumably fall back to 8448, which is why that port is opened
  # in the firewall. Confirm against the Matrix server-discovery rules.
  locations."=/.well-known/matrix/server" = {
    extraConfig = ''
      default_type application/json;
    '';
    alias =
      let
        serverDoc = pkgs.writeText "well-known-matrix-server" ''
          { "m.server": "matrix.morj.men" }
        '';
      in
      "${serverDoc}";
  };

  # Client discovery. The document is public and holds no secrets, so the
  # wildcard Access-Control-Allow-Origin is expected for browser clients.
  # NOTE(review): Allow-Methods lists POST/PUT/DELETE although this location
  # only serves a static file; GET and OPTIONS would be the minimal set.
  locations."=/.well-known/matrix/client" = {
    extraConfig = ''
      default_type application/json;
      # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
      add_header Access-Control-Allow-Origin "*";
      add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
      add_header Access-Control-Allow-Headers "X-Requested-With, Content-Type, Authorization";
    '';
    alias =
      let
        clientDoc = pkgs.writeText "well-known-matrix-client" ''
          { "m.homeserver": { "base_url": "https://matrix.morj.men" }
          , "org.matrix.msc3575.proxy": { "url": "https://matrix.morj.men" }
          }
        '';
      in
      "${clientDoc}";
  };

  # Per-host access log; both variables come from the server configuration,
  # not from request data.
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# Static preview site served from /srv/blog-test/ over HTTPS.
# NOTE(review): nothing on this page restricts who may read the preview (no
# allow/deny, no auth); if drafts are meant to stay private, add access control.
virtualHosts."blog-preview.test.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".root = "/srv/blog-test/";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};
# Public blog: static files from /srv/blog/, HTTPS enforced, ACME-issued certificate.
virtualHosts."blog.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".root = "/srv/blog/";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# TLS front end for the feed reader: forwards to port 8081 on loopback, the
# port services.miniflux is told to listen on (LISTEN_ADDR) further down.
virtualHosts."reader.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".proxyPass = "http://127.0.0.1:8081";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# TLS front end for services.re-server, which is configured with port 8040.
# NOTE(review): the backend's bind address is not visible on this page;
# confirm it listens on loopback only so this proxy is the sole way in.
virtualHosts."re.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".proxyPass = "http://127.0.0.1:8040";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# TLS front end for services.hagia (port 8050, baseUrl https://git.morj.men).
# NOTE(review): the upstream is named "localhost", which can resolve to both
# ::1 and 127.0.0.1. If the backend binds only one address family, nginx may
# retry across upstream addresses; confirm the bind address, or pin the
# literal as the other loopback proxies in this file do.
virtualHosts."git.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".proxyPass = "http://localhost:8050";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# Publishes a service running on another machine (192.168.10.25:8096) under a
# public HTTPS name.
# NOTE(review): TLS ends at nginx; the hop to the backend is plain HTTP across
# the LAN, and no access control is added here, so the backend's own
# authentication is the only gate. Confirm it is hardened for Internet
# exposure and that the LAN segment is trusted.
virtualHosts."tv.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".proxyPass = "http://192.168.10.25:8096";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};
# Second public name for the LAN host 192.168.10.25, this time port 8080.
# NOTE(review): same exposure as any proxied LAN backend: cleartext HTTP
# between nginx and the backend, and no allow/deny or auth at the proxy. A
# "test" service reachable from the Internet deserves an explicit decision.
virtualHosts."book.test.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/".proxyPass = "http://192.168.10.25:8080";
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# Matrix homeserver front end. Only /_matrix/ is proxied; the upstream port is
# read from the matrix-continuwuity module settings (not set in this file, so
# the module default applies).
virtualHosts."matrix.morj.men" = {
  enableACME = true;
  forceSSL = true;

  # Explicit listener list: it replaces the module's default listen addresses.
  # NOTE(review): plain HTTP is bound on IPv4 only. If matrix.morj.men
  # publishes an AAAA record, an HTTP-01 validation arriving over IPv6 would
  # land on a different virtual host; confirm renewals succeed, or add a
  # [::]:80 entry.
  listen = [
    # port 80 kept open without TLS for ACME renewals
    { addr = "0.0.0.0"; port = 80; ssl = false; }
    # client and federation traffic, IPv4 and IPv6
    { addr = "0.0.0.0"; port = 443; ssl = true; }
    { addr = "[::]"; port = 443; ssl = true; }
    { addr = "0.0.0.0"; port = 8448; ssl = true; }
    { addr = "[::]"; port = 8448; ssl = true; }
  ];

  locations."/_matrix/" = {
    proxyWebsockets = true;
    proxyPass = "http://localhost:${toString config.services.matrix-continuwuity.settings.global.port}";
    extraConfig = ''
      proxy_set_header Host $host;
      proxy_buffering off;
    '';
  };

  # merge_slashes off keeps request paths exactly as sent before they are
  # proxied; the access log name is built from configuration-derived variables.
  extraConfig = ''
    merge_slashes off;

    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};
# TLS front end for the Radicale CalDAV/CardDAV server on localhost:5232.
# Radicale authenticates with HTTP Basic credentials (htpasswd, configured in
# services.radicale below), so forceSSL is what keeps those credentials off
# the wire in cleartext.
virtualHosts."radicale.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    proxyPass = "http://localhost:5232";
    # proxy_pass_header acts on response headers coming back from the
    # upstream; the client's Authorization request header is forwarded by
    # nginx without it.
    extraConfig = ''
      proxy_set_header X-Script-Name /;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;
      proxy_pass_header Authorization;
    '';
  };
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};
# only used by some people instead of morj.men to connect to mumble
# No locations are defined: the entry exists for the name and its certificate.
# NOTE(review): services.murmur below loads the certificate issued for
# morj.men, not the one requested here, so clients connecting by this name
# presumably see a certificate for a different host name; verify.
virtualHosts."mumble.morj.men" = {
  enableACME = true;
  forceSSL = true;
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# WebSocket-capable proxy to a local service on port 9092.
virtualHosts."pokesz.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    proxyWebsockets = true;
    proxyPass = "http://localhost:9092";
    # One-day send/read timeouts keep idle WebSocket sessions open. Every such
    # session holds a worker connection for that long, so watch connection
    # counts if the host is public.
    extraConfig = ''
      proxy_send_timeout 1d;
      proxy_read_timeout 1d;
    '';
  };
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};

# WebSocket-capable proxy to whatever listens on localhost:31337.
# NOTE(review): the backend is not declared in this file and the proxy adds no
# access control; confirm what runs on that port and whether a "test" host
# should be reachable from the Internet.
virtualHosts."random.test.morj.men" = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    proxyWebsockets = true;
    proxyPass = "http://localhost:31337";
    # Long timeouts so idle WebSocket sessions are not cut after the default interval.
    extraConfig = ''
      proxy_send_timeout 1d;
      proxy_read_timeout 1d;
    '';
  };
  extraConfig = ''
    access_log "/var/log/nginx/access-log-$scheme-$server_name.log";
  '';
};
};


# Miniflux feed reader, bound to localhost:8081 and published through the
# reader.morj.men virtual host.
services.miniflux = {
  config.LISTEN_ADDR = "localhost:8081";
  # Admin credentials are read from a file on disk rather than written into
  # this configuration, which keeps them out of the world-readable Nix store.
  # NOTE(review): the file's ownership and mode are not managed here; confirm
  # it is readable by root only.
  adminCredentialsFile = "/etc/miniflux/environment.conf";
  enable = true;
};

# re-server on port 8040, published through the re.morj.men virtual host.
# NOTE(review): the daemon runs as the account "morj" in group "users" and
# reads its configuration from that account's home directory. If this is an
# interactive login account, a compromise of the network-facing service
# presumably reaches everything that user can read or write; a dedicated
# system user would narrow that.
services.re-server = {
  enable = true;
  configPath = "/home/morj/.config/re.ron";
  group = "users";
  user = "morj";
  port = 8040;
};

# Hagia git forge on port 8050, published as https://git.morj.men.
services.hagia = {
  enable = true;
  baseUrl = "https://git.morj.men";
  port = 8050;
  projectsRootPath = "/srv/hagia";
  databasePath = "/etc/hagia/database.sqlite3";
  # NOTE(review): debug-level logging on an Internet-facing service can write
  # request details into the logs; check what this level records and who can
  # read the log output, and lower it once debugging is done.
  logLevel = "debug";
};

# Matrix homeserver. server_name is the apex domain; the .well-known documents
# served by the morj.men virtual host point clients and peers at matrix.morj.men.
services.matrix-continuwuity.enable = true;
services.matrix-continuwuity.settings.global = {
  server_name = "morj.men";
  # Open sign-up is off, so accounts cannot be self-registered from outside.
  allow_registration = false;
  # Federation is on: other homeservers can reach this one on 443/8448.
  allow_federation = true;
};

# Radicale CalDAV/CardDAV server on localhost:5232 with htpasswd (bcrypt)
# authentication, published through the radicale.morj.men virtual host.
services.radicale = {
  enable = true;
  settings.server.hosts = "localhost:5232";
  settings.storage.filesystem_folder = "/var/lib/radicale/collections";
  settings.auth = {
    type = "htpasswd";
    htpasswd_encryption = "bcrypt";
    # NOTE(review): pkgs.writeTextFile puts this file in the Nix store, which
    # every local user can read, and the hash is also part of this published
    # configuration. The "$2y$05$" prefix means bcrypt at cost 5, so guesses
    # against the hash are cheap to test offline. Treat the password as
    # exposed: rotate it, regenerate the entry at a higher cost, and point
    # htpasswd_filename at a root-managed file outside the store
    # (<PATH-TO-HTPASSWD-FILE>, placeholder).
    htpasswd_filename = "${pkgs.writeTextFile {
      name = "users.htaccess";
      text = "morj:$2y$05$gnwS1tQd7DEDLHwnMbylTOoMgjqxFLqOP5UrdQ1N1j.hUsi0518tK";
    }}";
  };
};

# Mumble voice server; opens its own firewall ports via openFirewall.
services.murmur = {
  enable = true;
  openFirewall = true;

  registerHostname = "morj.men";
  registerName = "Моржлога";
  welcometext = "Bienvenue au serveur de Maurges";

  bandwidth = 558000;

  # Reuse the ACME certificate issued for the morj.men nginx virtual host
  # instead of a self-generated one.
  # NOTE(review): nothing visible here restarts or reloads murmur when the
  # certificate renews, so it may keep serving the old one until its next
  # restart; confirm (security.acme.certs.<name>.reloadServices is the usual hook).
  extraConfig = ''
    sslCert=/var/lib/acme/morj.men/fullchain.pem
    sslKey=/var/lib/acme/morj.men/key.pem
  '';
};
# Lets murmur read the ACME certificate files that nginx uses, by adding the
# murmur account to the "nginx" group.
# NOTE(review): group membership is coarse. It presumably also grants read
# access to the private keys of every other certificate readable by that
# group, and to anything else that is group-readable by nginx. A certificate
# with its own group for murmur would keep the voice server from holding the
# web keys.
users.users.murmur = {
  extraGroups = [ "nginx" ];
};
}