nixos-config/config/services/reverse-proxy.nix

{
system,
pkgs,
config,
...
}: let
# mkConfigExtra PREAMBLE UPSTREAM -> Caddy virtual-host attribute set.
#
# PREAMBLE is raw Caddyfile text spliced in before the reverse_proxy block;
# UPSTREAM is the backend address handed to `to`.
# `baseConfig` is imported by name and is not defined in this file.
mkConfigExtra = preamble: upstream: {
  # Overrides the per-host log block the NixOS module would otherwise emit.
  # NOTE(review): confirm where access logs end up once this is empty.
  logFormat = pkgs.lib.mkForce "";
  # Serve the certificate managed under the "chir.rs" ACME entry.
  useACMEHost = "chir.rs";
  extraConfig = ''
    import baseConfig
    ${preamble}
    reverse_proxy {
      to ${upstream}
      header_up Host {upstream_hostport}
      transport http {
        versions 1.1
      }
    }
  '';
};
# Same as mkConfigExtra, with nothing added before the proxy block.
mkConfig = upstream: mkConfigExtra "" upstream;
in {
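# Public-facing Caddy virtual hosts.
#
# Every host forces logFormat to "" (directly or through mkConfig).
# NOTE(review): that includes the identity provider (keycloak.chir.rs);
# confirm access logs still reach a retained sink, since they are the main
# record for investigating sign-in abuse.
services.caddy.virtualHosts = {
  # Plain pass-through hosts. All of them share the helper so the upstream
  # transport and Host handling cannot drift between sites.
  "hydra.chir.rs" = mkConfig "https://hydra.int.chir.rs";
  "weblate.chir.rs" = mkConfig "https://weblate.int.chir.rs";
  "mastodon.chir.rs" = mkConfig "https://mastodon.int.chir.rs";
  "moa.chir.rs" = mkConfig "https://moa.int.chir.rs";
  "keycloak.chir.rs" = mkConfig "https://keycloak.int.chir.rs";

  # Internal hop for Weblate: uses the int.chir.rs certificate and presents
  # the public host name to the application on localhost.
  "weblate.int.chir.rs" = {
    useACMEHost = "int.chir.rs";
    logFormat = pkgs.lib.mkForce "";
    extraConfig = ''
      import baseConfig
      reverse_proxy {
        to http://localhost:23432
        header_up Host weblate.chir.rs
        transport http {
          versions 1.1
        }
      }
    '';
  };

  # Credential-free, GET-only media proxy in front of the local nginx cache
  # on port 24155.
  #
  # * Access-Control-Allow-Credentials is deliberately not sent: browsers
  #   reject it alongside a wildcard origin, and this proxy strips
  #   Authorization and Set-Cookie, so no credentialed use is intended.
  # * `header_up -Set-Cookie` is a no-op on requests (Set-Cookie is a response
  #   header); `header_up -Cookie` is what keeps client cookies away from the
  #   upstream.
  "mastodon-assets.chir.rs" = {
    useACMEHost = "chir.rs";
    logFormat = pkgs.lib.mkForce "";
    extraConfig = ''
      import baseConfig
      @getOnly {
        method GET
      }

      @options {
        method OPTIONS
      }
      header {
        Access-Control-Allow-Origin *
        Access-Control-Allow-Methods GET
        Access-Control-Allow-Headers *
        defer
      }
      reverse_proxy @getOnly {
        to http://localhost:24155
        header_up Host {upstream_hostport}
        header_up -Authorization
        header_up -Cookie
        header_down -Set-Cookie
        header_down -Access-Control-Allow-Origin
        header_down -Access-Control-Allow-Methods
        header_down -Access-Control-Allow-Headers
        header_up -Set-Cookie
        transport http {
          versions 1.1
        }
      }
      respond @options 204
    '';
  };

  # Nix binary cache front end.
  #
  # * GET goes to cache.nixos.org first; a 404 or 500 from there is retried
  #   against the local nginx cache on port 24156.
  # * POST/PUT/PATCH/DELETE go straight to the bucket's S3 endpoint with the
  #   caller's Authorization header intact, so the bucket's own credential
  #   check is the only access control on that path.
  #   NOTE(review): confirm the key used for uploads is scoped to this bucket.
  # * Any other method (e.g. HEAD, OPTIONS) matches neither proxy.
  # * The Caddyfile only treats double quotes and backticks as quoting, so the
  #   wildcard origin is written as a bare *; '*' would be sent with the
  #   quote characters included and never match in a browser.
  # * Access-Control-Allow-Headers carries the leading "-" so it is removed
  #   like the other upstream CORS headers rather than set to an empty value.
  "cache.chir.rs" = {
    useACMEHost = "chir.rs";
    logFormat = pkgs.lib.mkForce "";
    extraConfig = ''
      import baseConfig
      uri strip_prefix /cache

      @getOnly {
        method GET
      }
      @writeRequests {
        method POST PUT PATCH DELETE
      }
      reverse_proxy @writeRequests {
        to https://cache-chir-rs.s3.us-west-000.backblazeb2.com
        header_up Host {upstream_hostport}
        header_down -Set-Cookie
        header_down Access-Control-Allow-Origin *
        header_down -Access-Control-Allow-Methods
        header_down -Access-Control-Allow-Headers
        header_up -Set-Cookie
        transport http {
          versions 1.1
        }
      }

      reverse_proxy @getOnly {
        @error status 500 404
        handle_response @error {
          reverse_proxy {
            to http://localhost:24156
            header_up Host {upstream_hostport}
            header_up -Authorization
            header_up -Cookie
            header_down -Set-Cookie
            header_down Access-Control-Allow-Origin *
            header_down -Access-Control-Allow-Methods
            header_down -Access-Control-Allow-Headers
            header_up -Set-Cookie
            transport http {
              versions 1.1
            }
          }
        }
        to https://cache.nixos.org
        header_up Host {upstream_hostport}
        header_up -Authorization
        header_up -Cookie
        header_down -Set-Cookie
        header_down Access-Control-Allow-Origin *
        header_down -Access-Control-Allow-Methods
        header_down -Access-Control-Allow-Headers
        header_up -Set-Cookie
        transport http {
          versions 1.1
        }
      }
    '';
  };

  # Apex domain: only serves delegation documents.
  # The WebFinger redirect uses {uri} rather than {path} so the mandatory
  # ?resource=... query string survives the redirect.
  "chir.rs" = {
    useACMEHost = "chir.rs";
    logFormat = pkgs.lib.mkForce "";
    extraConfig = ''
      import baseConfig
      handle /.well-known/webfinger {
        header Location https://mastodon.chir.rs{uri}
        respond 301
      }
      handle /.well-known/matrix/server {
        header Access-Control-Allow-Origin *
        header Content-Type application/json
        respond "{ \"m.server\": \"matrix.chir.rs:443\" }" 200
      }
      handle /.well-known/matrix/client {
        header Access-Control-Allow-Origin *
        header Content-Type application/json
        respond "{ \"m.homeserver\": { \"base_url\": \"https://matrix.chir.rs\" }, \"org.matrix.msc3575.proxy\": {\"url\": \"https://sliding-sync.chir.rs\"} }" 200
      }
    '';
  };
};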
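# Loopback-only nginx cache in front of the Mastodon media bucket.
# Caddy's "mastodon-assets.chir.rs" site proxies GET requests here.
services.nginx.virtualHosts."mastodon-assets.chir.rs" = {
  listen = [
    {
      addr = "127.0.0.1";
      port = 24155;
    }
  ];
  locations."/" = {
    proxyPass = "https://f000.backblazeb2.com/file/mastodon-chir-rs/";
    extraConfig = ''
      limit_except GET {
        deny all;
      }
      # Nothing credential-bearing is forwarded to the bucket host.
      proxy_set_header Authorization ${"''"};
      proxy_set_header Cookie ${"''"};
      proxy_hide_header Set-Cookie;
      proxy_hide_header 'Access-Control-Allow-Origin';
      proxy_hide_header 'Access-Control-Allow-Methods';
      proxy_hide_header 'Access-Control-Allow-Headers';
      proxy_ignore_headers Set-Cookie;
      proxy_intercept_errors off;
      proxy_cache akkoma_media_cache;
      # The cache zone is shared with the cache.chir.rs vhost, and Caddy sends
      # Host: localhost:<port> to both, so $host is "localhost" in each. A
      # fixed per-vhost prefix keeps a path cached for one bucket from being
      # served for the other.
      proxy_cache_key "mastodon-assets.chir.rs:$host$uri$is_args$args";
      proxy_cache_valid 200 48h;
      proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
      proxy_cache_lock on;
      expires 1y;
      add_header Cache-Control public;
      add_header 'Access-Control-Allow-Origin' '*';
      add_header X-Cache-Status $upstream_cache_status;
    '';
  };
};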
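# Loopback-only nginx cache in front of the private Nix cache bucket.
# Caddy's "cache.chir.rs" site falls back to this when cache.nixos.org
# answers a GET with 404 or 500.
services.nginx.virtualHosts."cache.chir.rs" = {
  listen = [
    {
      addr = "127.0.0.1";
      port = 24156;
    }
  ];
  locations."/" = {
    proxyPass = "https://f000.backblazeb2.com/file/cache-chir-rs/";
    extraConfig = ''
      limit_except GET {
        deny all;
      }
      # Nothing credential-bearing is forwarded to the bucket host.
      proxy_set_header Authorization ${"''"};
      proxy_set_header Cookie ${"''"};
      proxy_hide_header Set-Cookie;
      proxy_hide_header 'Access-Control-Allow-Origin';
      proxy_hide_header 'Access-Control-Allow-Methods';
      proxy_hide_header 'Access-Control-Allow-Headers';
      proxy_ignore_headers Set-Cookie;
      proxy_intercept_errors off;
      # NOTE(review): this reuses the zone named for media; it is declared
      # outside this file, so confirm its size suits NAR-sized objects.
      proxy_cache akkoma_media_cache;
      # The cache zone is shared with the mastodon-assets vhost, and Caddy
      # sends Host: localhost:<port> to both, so $host is "localhost" in each.
      # A fixed per-vhost prefix keeps a path cached for one bucket from being
      # served for the other.
      proxy_cache_key "cache.chir.rs:$host$uri$is_args$args";
      proxy_cache_valid 200 48h;
      proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
      proxy_cache_lock on;
      expires 1y;
      add_header Cache-Control public;
      add_header 'Access-Control-Allow-Origin' '*';
      add_header X-Cache-Status $upstream_cache_status;
    '';
  };
};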
}