mastus: use nginx module

mastus/gogs.nix

@@ -28,54 +28,18 @@
     '';
   };
 
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name git.gebner.org;
-
-      location /.well-known/acme-challenge {
-        default_type text/plain;
-        alias /var/lib/acme/www/.well-known/acme-challenge;
-      }
-
-      location / {
-        rewrite ^(.*) https://$host$1 permanent;
-      }
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name git.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        proxy_redirect off;
-        proxy_buffering off;
-        proxy_pass http://gogs;
-        client_max_body_size 30M;
-        break;
-      }
-    }
-
-    upstream gogs {
-      server 127.0.0.1:${toString config.services.gogs.httpPort};
-    }
-  '';
+  services.nginx = {
+    recommendedProxySettings = true;
+    virtualHosts."git.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.gogs.httpPort}";
+        extraConfig = ''
+          proxy_buffering off;
+          client_max_body_size 30M;
+        '';
+      };
+    };
+  };
 }

mastus/radicale.nix

@@ -24,58 +24,15 @@ in
 
   security.acme.certs."gebner.org".extraDomains."radicale.gebner.org" = null;
 
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name radicale.gebner.org;
+  services.nginx = {
+    recommendedProxySettings = true;
+    virtualHosts."radicale.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString radicalePort}";
+      };
+    };
+  };
 
-      location /.well-known/acme-challenge {
-        default_type text/plain;
-        alias /var/lib/acme/www/.well-known/acme-challenge;
-      }
-
-      location / {
-        rewrite ^(.*) https://$host$1 permanent;
-      }
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name radicale.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $http_host;
-        proxy_redirect off;
-        proxy_buffering off;
-        proxy_connect_timeout       900;
-        proxy_send_timeout          900;
-        proxy_read_timeout          900;
-        send_timeout                900;
-        proxy_pass http://radicale;
-        client_max_body_size 30M;
-        break;
-      }
-    }
-
-    upstream radicale {
-      server 127.0.0.1:${toString radicalePort};
-    }
-  '';
 }

mastus/ttrss.nix

@@ -68,57 +68,24 @@
 
   security.acme.certs."gebner.org".extraDomains."reader.gebner.org" = null;
 
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:80;
-      listen 80;
-      server_name reader.gebner.org;
-
-      location /.well-known/acme-challenge {
-        default_type text/plain;
-        alias /var/lib/acme/www/.well-known/acme-challenge;
-      }
-
-      location / {
-        rewrite ^(.*) https://$host$1 permanent;
-      }
-    }
-
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name reader.gebner.org;
-
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      location / {
-        root /var/lib/containers/ttrss/var/lib/tt-rss;
-        index index.php;
-      }
-
-      location /cache {
-        deny all;
-      }
-      location = /config.php {
-        deny all;
-      }
-
-      location ~ \.php$ {
+  services.nginx = {
+    virtualHosts."reader.gebner.org" = {
+      forceSSL = true;
+      useACMEHost = "gebner.org";
+      locations."/" = {
+        root = "/var/lib/containers/ttrss/var/lib/tt-rss";
+        index = "index.php";
+      };
+      locations."/cache".extraConfig = "deny all;";
+      locations."= /config.php".extraConfig = "deny all;";
+      locations."~ \\.php$".extraConfig = ''
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass 192.168.100.11:9000;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME /var/lib/tt-rss/$fastcgi_script_name;
         include ${pkgs.nginx}/conf/fastcgi_params;
-      }
-    }
-  '';
+      '';
+    };
+  };
+
 }

mastus/vmtest.nix

@@ -24,7 +24,7 @@ let
     environment.systemPackages = with pkgs; [ elinks carddav-util fcgi ];
 
     networking.extraHosts = ''
-      127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org
+      127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at
 
       # disable letsencrypt
       127.0.0.111 acme-v01.api.letsencrypt.org

mastus/website.nix

@@ -1,65 +1,29 @@
 { config, pkgs, ... }:
 
 {
-  services.nginx.httpConfig = ''
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name gabrielebner.at www.gabrielebner.at 2b7e.org www.2b7e.org www.gebner.org;
 
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
+  services.nginx = {
+    virtualHosts."gebner.org" = {
+      useACMEHost = "gebner.org";
+      forceSSL = true;
+      root = "/srv/www.gebner.org";
+      extraConfig = ''
+        access_log logs/website_access.log;
 
-      location / {
-        rewrite ^(.*) https://gebner.org$1 permanent;
-      }
-    }
+        error_page 404 403 /404.html;
 
-    server {
-      listen [::]:443;
-      listen 443;
-      server_name gebner.org;
+        location / {
+          try_files $uri $uri/ @not_found;
+        }
 
-      ssl on;
-      ssl_certificate_key /var/lib/acme/gebner.org/key.pem;
-      ssl_certificate /var/lib/acme/gebner.org/fullchain.pem;
-      ssl_dhparam /etc/nginx/dhparam.pem;
-      ssl_protocols TLSv1.1 TLSv1.2;
-      ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-      ssl_prefer_server_ciphers on;
-      add_header Strict-Transport-Security max-age=15768000;
-      ssl_stapling on;
-      ssl_stapling_verify on;
-
-      root /srv/www.gebner.org;
-      error_page 404 403 /404.html;
-
-      gzip on;
-      gzip_types image/x-icon image/svg+xml text/css;
-      brotli on;
-      brotli_types image/x-icon image/svg+xml text/css;
-
-      access_log logs/website_access.log;
-
-      location / {
-        try_files $uri $uri/ @not_found;
-      }
-
-      location @not_found {
-        try_files /404.cgi =404;
-        fastcgi_intercept_errors on;
-        fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
-      }
-    }
-  '';
+        location @not_found {
+          try_files /404.cgi =404;
+          fastcgi_intercept_errors on;
+          fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+        }
+      '';
+    };
+  };
 
   services.fcgiwrap = {
     enable = true;

mastus/www.nix

@@ -16,26 +16,17 @@
 
   services.nginx = {
     enable = true;
-    httpConfig = ''
-      server {
-        listen [::]:80;
-        listen 80;
-        server_name _;
 
-        location /.well-known/acme-challenge {
-          default_type text/plain;
-          alias /var/lib/acme/www/.well-known/acme-challenge;
-        }
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
 
-        location / {
-          rewrite ^(.*) https://gebner.org$1 permanent;
-        }
-      }
-    '';
-    package = with pkgs; nginxMainline.override {
-      modules = [
-        nginxModules.brotli
-      ];
+    sslDhparam = "/etc/nginx/dhparam.pem";
+
+    virtualHosts."_" = {
+      default = true;
+      addSSL = true;
+      useACMEHost = "gebner.org";
+      globalRedirect = "gebner.org";
     };
   };
 }