nyanloutre
/
nixos-config
1
1
Fork 1
Code Issues Pull Requests Releases Wiki Activity

update nginx conf

This commit is contained in:
nyanloutre 2021-10-11 10:58:02 +02:00
parent dea468e9f1
commit d1212c9d73
2 changed files with 125 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
systems/LoutreOS/hardware-configuration.nix
View File

@ -163,6 +163,11 @@
fsType = "zfs";
};
fileSystems."/mnt/webdav" =
{ device = "loutrepool/webdav";
fsType = "zfs";
};
swapDevices =
[
{

165
systems/LoutreOS/web.nix
View File

@ -48,30 +48,56 @@ in
acceptTerms = true;
};
users.groups.work = {};
users.users.work = {
isSystemUser = true;
group = config.users.groups.work.name;
users.groups = {
work = {};
webdav = {};
};
users.users = {
work = {
isSystemUser = true;
group = config.users.groups.work.name;
};
webdav = {
isSystemUser = true;
group = config.users.groups.webdav.name;
};
};
services = {
phpfpm.pools.work = {
user = config.users.users.work.name;
phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
phpfpm.pools = {
work = {
user = config.users.users.work.name;
phpPackage = pkgs.php.withExtensions ({ all, ... }: with all; [ redis filter ]);
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
};
drive = {
user = config.users.users.webdav.name;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
};
phpOptions = ''
output_buffering=off
'';
};
};
nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [ dav ];
modules = with pkgs.nginxModules; [ dav moreheaders ];
};
recommendedGzipSettings = true;
recommendedOptimisation = true;
@ -83,8 +109,6 @@ in
}
add_header Strict-Transport-Security $hsts_header;
add_header Referrer-Policy origin-when-cross-origin;
error_page 500 502 503 504 https://nyanlout.re/errorpages/50x.html;
'';
sso = {
enable = true;
@ -128,34 +152,47 @@ in
};
virtualHosts = let
base = locations: {
inherit locations;
locations = locations // {
"@maintenance" = {
root = "/var/www/errorpages/";
extraConfig = ''
rewrite ^(.*)$ /50x.html break;
'';
};
};
forceSSL = true;
enableACME = true;
extraConfig = ''
error_page 500 502 503 504 = @maintenance;
'';
};
simpleReverse = rport: base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
};
};
authReverse = rport: base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
include ${nginxSsoAuth};
'';
};
} // {
extraConfig = ''
include ${nginxSsoAuth};
'';
};
}
];
in {
"nyanlout.re" = base {
"/" = {
alias = "/var/www/site-perso/";
};
"/errorpages/" = {
"/maintenance/" = {
alias = "/var/www/errorpages/";
};
"/.well-known/openpgpkey/" = {
@ -194,7 +231,11 @@ in
"jackett.nyanlout.re" = authReverse 9117;
"pgmanage.nyanlout.re" = authReverse config.services.pgmanage.port;
"matrix.nyanlout.re" = simpleReverse 8008;
"emby.nyanlout.re" = simpleReverse 8096;
"emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
locations."/" = {
proxyWebsockets = true;
};
};
"ci.nyanlout.re" = simpleReverse 52350;
"gitea.nyanlout.re" = simpleReverse config.services.gitea.httpPort;
"musique.nyanlout.re" = simpleReverse config.services.navidrome.settings.Port;
@ -203,27 +244,58 @@ in
proxyWebsockets = true;
};
};
"work.rezom.eu" = base {
# "work.rezom.eu" = base {
# "/" = {
# index = "/_h5ai/public/index.php";
# extraConfig = ''
# dav_ext_methods PROPFIND OPTIONS;
# '';
# };
# "~ ^/(_h5ai/public/index|random).php" = {
# extraConfig = ''
# fastcgi_split_path_info ^(.+\.php)(/.+)$;
# fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
# include ${pkgs.nginx}/conf/fastcgi_params;
# include ${pkgs.nginx}/conf/fastcgi.conf;
# '';
# };
# } // {
# root = "/mnt/medias/iso_linux";
# extraConfig = ''
# access_log /var/log/nginx/$host.log;
# '';
# };
"drive.nyanlout.re" = base {
"/" = {
index = "/_h5ai/public/index.php";
extraConfig = ''
dav_ext_methods PROPFIND OPTIONS;
'';
};
"~ ^/(_h5ai/public/index|random).php" = {
index = "/index.php";
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.work.socket};
fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
client_max_body_size 0;
'';
};
} // {
root = "/mnt/medias/iso_linux";
extraConfig = ''
access_log /var/log/nginx/$host.log;
'';
root = "/mnt/webdav";
};
"rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
};
};
@ -279,7 +351,10 @@ in
};
systemd.services.nginx.serviceConfig = {
ReadWritePaths = "/var/www/hls";
ReadWritePaths = [
"/var/www/hls"
"/mnt/webdav"
];
};
systemd.services.phpfpm-work.serviceConfig = {