Use http3 everywhere

2025-07-29 11:07:44 +00:00 · 2024-02-04 20:45:50 +03:00 · 2024-02-04 20:45:50 +03:00 · 06362701d5
commit 06362701d5
parent 5e2e8c5cfe
7 changed files with 41 additions and 34 deletions
--- a/flake.lock
+++ b/flake.lock
@ -867,11 +867,11 @@
        "tools": "tools"
      },
      "locked": {
-        "lastModified": 1705583692,
-        "narHash": "sha256-AjKO+46Stiv8bta7A08nIoxQ+rJmv0yFfrBna0k6VNA=",
+        "lastModified": 1707067915,
+        "narHash": "sha256-3utx587jbTHclu58TYDz/JvMZ0lBBs9pHRuCgc6oY1Q=",
        "owner": "RGBCube",
        "repo": "Site",
-        "rev": "97d41827c71364a97b4987a387ae9d41473baad3",
+        "rev": "b61b4c3da1992b69ff86a69cec670e2cf8d85f33",
        "type": "github"
      },
      "original": {
--- a/hosts/cube/grafana.nix
+++ b/hosts/cube/grafana.nix
@ -67,10 +67,7 @@ in serverSystemConfiguration {
    };
  };

-  services.nginx.virtualHosts.${fqdn} = {
-    forceSSL    = true;
-    useACMEHost = domain;
-
+  services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
    locations."/" = {
      proxyPass       = "http://[::]:${toString config.services.grafana.settings.server.http_port}";
      proxyWebsockets = true;
--- a/hosts/cube/matrix-synapse.nix
+++ b/hosts/cube/matrix-synapse.nix
@ -16,8 +16,8 @@ let
  clientConfig."org.matrix.msc3575.proxy".url = "https://${syncDomain}";
  serverConfig."m.server" = "${chatDomain}:443";

-  synapsePort     = 8001;
-  syncPort = 8002;
+  synapsePort = 8001;
+  syncPort    = 8002;
 in serverSystemConfiguration {
  age.secrets."cube/password.secret.matrix-synapse".owner = "matrix-synapse";
  age.secrets."cube/password.sync.matrix-synapse".owner   = "matrix-synapse";
@ -91,13 +91,7 @@ in serverSystemConfiguration {
    "= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
  };

-  services.nginx.virtualHosts.${chatDomain} = {
-    forceSSL    = true;
-    useACMEHost = domain;
-
-    locations."/".proxyPass       = "http://[::]:${toString config.services.site.port}/404";
-    locations."/assets".proxyPass = "http://[::]:${toString config.services.site.port}/assets";
-
+  services.nginx.virtualHosts.${chatDomain} = (sslTemplate domain) // {
    locations."= /.well-known/matrix/client".extraConfig = wellKnownResponse clientConfig;
    locations."= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;

@ -106,21 +100,15 @@ in serverSystemConfiguration {
  };

  services.matrix-sliding-sync = enabled {
-    settings = {
+    environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
+    settings        = {
      SYNCV3_SERVER   = "https://${chatDomain}";
      SYNCV3_DB       = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
      SYNCV3_BINDADDR = "[::]:${toString syncPort}";
    };
-    environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
  };

-  services.nginx.virtualHosts.${syncDomain} = {
-    forceSSL    = true;
-    useACMEHost = domain;
-
-    locations."/".proxyPass       = "http://[::]:${toString config.services.site.port}/404";
-    locations."/assets".proxyPass = "http://[::]:${toString config.services.site.port}/assets";
-
+  services.nginx.virtualHosts.${syncDomain} = (sslTemplate domain) // {
    locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"
      .proxyPass = "http://[::]:${toString synapsePort}";

--- a/hosts/cube/nextcloud/default.nix
+++ b/hosts/cube/nextcloud/default.nix
@ -84,9 +84,5 @@ in serverSystemConfiguration {
    nginx.recommendedHttpHeaders = true;
  };

-  services.nginx.virtualHosts.${fqdn} = {
-    forceSSL    = true;
-    quic        = true;
-    useACMEHost = domain;
-  };
+  services.nginx.virtualHosts.${fqdn} = sslTemplate domain;
 }
--- a/hosts/cube/site.nix
+++ b/hosts/cube/site.nix
@ -1,8 +1,26 @@
 { config, ulib, ... }: with ulib;

-serverSystemConfiguration {
+let
+  inherit (config.networking) domain;
+
+  port = 8003;
+in serverSystemConfiguration {
  services.site = enabled {
-    url            = config.networking.domain;
-    configureNginx = true;
+    inherit port;
+  };
+
+  services.nginx.virtualHosts.${domain} = (sslTemplate domain) // {
+    locations."/".proxyPass = "http://[::]:${toString port}";
+  };
+
+  services.nginx.virtualHosts."www.${domain}" = (sslTemplate domain) // {
+    locations."/".extraConfig = ''
+      return 301 https://${domain}$request_uri;
+    '';
+  };
+
+  services.nginx.virtualHosts._ = (sslTemplate domain) // {
+    locations."/".proxyPass       = "http://[::]:${toString port}/404/";
+    locations."/assets".proxyPass = "http://[::]:${toString port}/assets";
  };
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,5 +1,6 @@
 users: let
  configuration = import ./configuration.nix users;
  merge         = import ./merge.nix;
+  ssl           = import ./ssl.nix;
  values        = import ./values.nix;
-in configuration // merge // values
+in configuration // merge // ssl // values
--- a/lib/ssl.nix
+++ b/lib/ssl.nix
@ -0,0 +1,7 @@
+{
+  sslTemplate = domain: {
+    forceSSL    = true;
+    quic        = true;
+    useACMEHost = domain;
+  };
+}