62 lines
2 KiB
Nix
62 lines
2 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
domain = "jalr.de";
|
|
matrixDomain = "matrix.jalr.de";
|
|
inherit (config.networking) ports;
|
|
in
|
|
{
|
|
networking.firewall.allowedTCPPorts = [ ports.nginx-http.tcp ports.nginx-https.tcp ];
|
|
services.nginx = {
|
|
enable = true;
|
|
defaultHTTPListenPort = ports.nginx-http.tcp;
|
|
defaultSSLListenPort = ports.nginx-https.tcp;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
commonHttpConfig = ''
|
|
map $scheme $hsts_header {
|
|
https "max-age=31536000";
|
|
}
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
|
|
add_header Referrer-Policy strict-origin;
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
'';
|
|
virtualHosts = {
|
|
"${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
root = pkgs.jalr.contact;
|
|
locations =
|
|
let
|
|
# workaround for nginx dropping parent headers
|
|
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
|
|
parentHeaders = lib.concatStringsSep "\n" (lib.filter
|
|
(lib.hasPrefix "add_header ")
|
|
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
|
|
in
|
|
{
|
|
"=/.well-known/matrix/server".extraConfig = ''
|
|
${parentHeaders}
|
|
add_header Content-Type application/json;
|
|
return 200 '${builtins.toJSON {
|
|
"m.server" = "${matrixDomain}:443";
|
|
}}';
|
|
'';
|
|
"=/.well-known/matrix/client".extraConfig = ''
|
|
${parentHeaders}
|
|
add_header Content-Type application/json;
|
|
add_header Access-Control-Allow-Origin *;
|
|
return 200 '${builtins.toJSON {
|
|
"m.homeserver"."base_url" = "https://${matrixDomain}";
|
|
"org.matrix.msc3575.proxy"."url" = "https://${matrixDomain}";
|
|
}}';
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|