feat: fix some proxy issues, not all of them are resolved yet though. also fix some issues regarding quack.social and make that more universal

2025-12-04 15:00:13 +01:00 · 2025-05-23 03:10:41 +02:00 · 2025-05-23 03:10:41 +02:00 · 34c7796d45
commit 34c7796d45
parent 8dd8ffb3c8
1 changed files with 70 additions and 2 deletions
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@ -1,4 +1,11 @@
-{ pkgs, config, lib, ... }: {
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+
  security.acme = {
    acceptTerms = true;
    defaults.email = lib.mkDefault "ahwx@ahwx.org";
@ -10,7 +17,15 @@
        dnsProvider = "desec";
        environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
        webroot = null;
-       };
+      };
+      "quack.social" = {
+        domain = "*.quack.social";
+        extraDomainNames = [ "quack.social" ];
+        group = config.services.nginx.group;
+        dnsProvider = "desec";
+        environmentFile = "/home/liv/desec.env"; # location of your DESEC_TOKEN=[value]
+        webroot = null;
+      };
    };
  };

@ -22,8 +37,42 @@
    recommendedProxySettings = true;
    clientMaxBodySize = lib.mkDefault "10G";

+    defaultListen =
+      let
+        listen = [
+          {
+            addr = "[::]";
+            port = 80;
+            extraParameters = [ "proxy_protocol" ];
+          }
+          {
+            addr = "[::]";
+            port = 443;
+            ssl = true;
+            extraParameters = [ "proxy_protocol" ];
+          }
+        ];
+      in
+      map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
+
    # Hardened TLS and HSTS preloading
    appendHttpConfig = ''
+      # Proxying
+      # real_ip_header proxy_protocol;
+
+      server {
+        listen 80   proxy_protocol;
+        listen 443  ssl proxy_protocol;
+        # set_real_ip_from 10.7.0.0/24;
+      }
+
+      ssl_certificate /var/lib/acme/quack.social/cert.pem;
+      ssl_certificate_key /var/lib/acme/quack.social/key.pem;
+
+      proxy_set_header Host            $host;
+      proxy_set_header X-Real-IP       $proxy_protocol_addr;
+      proxy_set_header X-Forwarded-For $proxy_protocol_addr;
+
      # Add HSTS header with preloading to HTTPS requests.
      # Do not add HSTS header to HTTP requests.
      map $scheme $hsts_header {
@ -49,5 +98,24 @@
      add_header pronouns "any but neopronouns";
      add_header locale "[en_US, nl_NL]";
    '';
+    appendConfig = ''
+      # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+      # set_real_ip_from 213.210.34.27;
+
+      # real_ip_header proxy_protocol;
+
+      # proxy_set_header Host               $host;
+      # proxy_set_header X-Real-IP          $proxy_protocol_addr;
+      # proxy_set_header X-Forwarded-For    $proxy_protocol_addr;
+      # proxy_set_header X-Forwarded-Proto  $scheme;
+      # proxy_set_header X-Forwarded-Host   $host;
+      # proxy_set_header X-Forwarded-Server $host;
+    '';
+  };
+  networking.firewall = {
+    allowedTCPPorts = [
+      80
+      443
+    ];
  };
 }