diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix
index 90a55df..001227c 100644
--- a/config/hosts/crime/configuration.nix
+++ b/config/hosts/crime/configuration.nix
@@ -1,5 +1,6 @@
 { config, pkgs, ... }: {
 imports = [
+ ./nginx.nix
 ../../common
 ../../common-lxc.nix
 ../../common-nginx.nix
@@ -15,4 +16,6 @@
 "2a0f:be01:0:100::1337/128"
 ];
 };
+
+ services.jellyfin.enable = true;
 }
diff --git a/config/hosts/crime/nginx.nix b/config/hosts/crime/nginx.nix
new file mode 100644
index 0000000..28572b6
--- /dev/null
+++ b/config/hosts/crime/nginx.nix
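Review bot: `services.jellyfin.enable = true;` in the `@@ -15,4 +16,6 @@` hunk enables the service with nothing beside it that limits network exposure, and Jellyfin's HTTP listener on 8096 binds all interfaces by default rather than only the `[::1]` address that nginx.nix proxies to. `services.jellyfin.openFirewall` defaults to false, so direct access to the backend is blocked only if the firewall is actually active on this LXC guest, which cannot be confirmed from this diff. I would put a comment above the line stating that assumption, for example `# port 8096 must stay closed in the firewall; clients reach Jellyfin through nginx only`. Jellyfin also honours X-Forwarded-For only from addresses listed in its "Known proxies" setting, so `::1` probably has to be added there for the headers set in nginx.nix to reach its logs. The enclosing attribute set starts outside the hunk.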
@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+let
+ extraConfig = ''
+ add_header Strict-Transport-Security $hsts_header;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ #add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
+ '';
+ proxyConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ '';
+ jellyAddr = "[::1]";
+ jellyWeb = {
+ forceSSl = true;
+ http3 = true;
+ quic = true;
+ inherit extraConfig;
+
+ locations = {
+ "= /".return = "302 https://$host/web/";
+ "/" = {
+ proxyPass = "http://${jellyAddr}:8096";
+ extraConfig = ''
+ ${proxyConfig}
+ proxy_buffering on;
+ '';
+ };
+ "= /web/" = {
+ proxyPass = "http://${jellyAddr}:8096/web/index.html"
+ extraConfig = proxyConfig;
+ };
+ "/socket" = {
+ proxyPass = "http://${jellyAddr}:8096"
+ proxyWebsockets = true;
+ extraConfig = proxyConfig;
+ };
+ };
+ };
+in {
+ services.nginx = {
+ virtualHosts = {
+ "fentanyl.trade" = jellyWeb // {
+ enableACME = true;
+ };
+ "frotti.ng" = jellyWeb // {
+ useACMEHost = "fentanyl.trade";
+ };
+ };
+ createHost = {
+ "watch.kyouma.net" = { redirectTo = "fentanyl.trade"; };
+ "redirect" = {
+ default = true;
+ reuseport = true;
+ useACMEHost = "fentanyl.trade";
+ extraConfig = ''
+ return 403;
+ '';
+ };
+ };
+ };
+ security.acme.certs = {
+ "fentanyl.trade" = { extraDomainNames = [ "frotti.ng" "watch.kyouma.net" ]; };
+ };
+}
diff --git a/config/hosts/web-dus/configuration.nix b/config/hosts/web-dus/configuration.nix
index bd36ef3..ee1aa3f 100644
--- a/config/hosts/web-dus/configuration.nix
+++ b/config/hosts/web-dus/configuration.nix
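Review bot: nginx.nix does not evaluate as written: `forceSSl` in `jellyWeb` is not the NixOS virtual-host option name, and the `proxyPass` lines in the `"= /web/"` and `"/socket"` locations are missing their terminating semicolon. The three lines should read `forceSSL = true;`, `proxyPass = "http://${jellyAddr}:8096/web/index.html";` and `proxyPass = "http://${jellyAddr}:8096";`. Separately, `add_header Strict-Transport-Security $hsts_header;` is the only header without `always`, so nginx omits it on error responses, and `$hsts_header` is not defined in this file (presumably a map in common-nginx.nix; worth confirming, since nginx rejects a configuration that uses an unknown variable). The commented-out `X-Frame-Options` line leaves the web UI framable by other origins, so if that is deliberate the comment should say why.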
@@ -29,7 +29,7 @@ in {
 };
 services.vyosBld = {
 enable = true;
- output = "/nix/var/www/kyouma.net/vyos";
+ output = "/var/www/kyouma.net/vyos";
 buildFlags = {
 architecture = "amd64";
 build-by = "noc@kyouma.net";
@@ -57,7 +57,7 @@ in {
 "miau.zip" = { root = kyouma-www.default; };
 "www.miau.zip" = { redirectTo = "miau.zip"; };
 "www.kyouma.net" = { redirectTo = "kyouma.net"; };
- "emily.cat" = { root = "/nix/var/www/emily.cat/_site"; };
+ "emily.cat" = { root = "/var/www/emily.cat/_site"; };
 "www.emily.cat" = { redirectTo = "kyouma.net"; };
 "www.cocaine.trade" = { redirectTo = "cocaine.trade"; };
@@ -70,7 +70,7 @@ in {
 '';
 };
 "cocaine.trade" = {
- root = "/nix/var/www/basti/cocaine.trade";
+ root = "/var/www/basti/cocaine.trade";
 extraConfig = ''error_page 404 /404.html;'';
 locations."/" = {
 index = "index.html";
@@ -80,7 +80,7 @@ in {
 };
 "files.cocaine.trade" = {
 useACMEHost = "cocaine.trade";
- root = "/nix/var/www/basti/files.cocaine.trade";
+ root = "/var/www/basti/files.cocaine.trade";
 locations."/".extraConfig = autoIndex;
 };
 "kyouma.net" = {
@@ -92,7 +92,7 @@ in {
 extraConfig = autoIndex;
 };
 "/ihk/" = {
- root = "/nix/var/www/kyouma.net/ihk";
+ root = "/var/www/kyouma.net/ihk";
 extraConfig = autoIndex;
 };
 };