liv/nixos-config
1
0
Fork 0
mirror of https://github.com/Ahwxorg/nixos-config.git synced 2025-12-04 15:00:13 +01:00
Code Issues 1 Projects Releases Packages Wiki Activity Actions

feat: fix some proxy issues, not all of them are resolved yet though. also fix some issues regarding quack.social and make that more universal

Browse source
This commit is contained in:
Ahwx 2025-05-23 03:10:41 +02:00
parent 8dd8ffb3c8
commit 34c7796d45
1 changed files with 70 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

72
modules/services/nginx.nix
View file

@ -1,4 +1,11 @@
{ pkgs, config, lib, ... }: { {
pkgs,
config,
lib,
...
}:
{
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = lib.mkDefault "ahwx@ahwx.org"; defaults.email = lib.mkDefault "ahwx@ahwx.org";
@ -10,7 +17,15 @@
dnsProvider = "desec"; dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value] environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null; webroot = null;
}; };
"quack.social" = {
domain = "*.quack.social";
extraDomainNames = [ "quack.social" ];
group = config.services.nginx.group;
dnsProvider = "desec";
environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
webroot = null;
};
}; };
}; };
@ -22,8 +37,42 @@
recommendedProxySettings = true; recommendedProxySettings = true;
clientMaxBodySize = lib.mkDefault "10G"; clientMaxBodySize = lib.mkDefault "10G";
defaultListen =
let
listen = [
{
addr = "[::]";
port = 80;
extraParameters = [ "proxy_protocol" ];
}
{
addr = "[::]";
port = 443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
in
map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
# Hardened TLS and HSTS preloading # Hardened TLS and HSTS preloading
appendHttpConfig = '' appendHttpConfig = ''
# Proxying
# real_ip_header proxy_protocol;
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
# set_real_ip_from 10.7.0.0/24;
}
ssl_certificate /var/lib/acme/quack.social/cert.pem;
ssl_certificate_key /var/lib/acme/quack.social/key.pem;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# Add HSTS header with preloading to HTTPS requests. # Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests. # Do not add HSTS header to HTTP requests.
map $scheme $hsts_header { map $scheme $hsts_header {
@ -49,5 +98,24 @@
add_header pronouns "any but neopronouns"; add_header pronouns "any but neopronouns";
add_header locale "[en_US, nl_NL]"; add_header locale "[en_US, nl_NL]";
''; '';
appendConfig = ''
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# set_real_ip_from 213.210.34.27;
# real_ip_header proxy_protocol;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
'';
};
networking.firewall = {
allowedTCPPorts = [
80
443
];
}; };
} }