From 06362701d56059dd956f49c211e6cda2a9369963 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sun, 4 Feb 2024 20:45:50 +0300
Subject: [PATCH] Use http3 everywhere
---
 flake.lock | 6 +++---
 hosts/cube/grafana.nix | 5 +----
 hosts/cube/matrix-synapse.nix | 24 ++++++------------------
 hosts/cube/nextcloud/default.nix | 6 +-----
 hosts/cube/site.nix | 24 +++++++++++++++++++++---
 lib/default.nix | 3 ++-
 lib/ssl.nix | 7 +++++++
 7 files changed, 41 insertions(+), 34 deletions(-)
 create mode 100644 lib/ssl.nix
diff --git a/flake.lock b/flake.lock
index f7c23a6..34788b7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -867,11 +867,11 @@
 "tools": "tools"
 },
 "locked": {
- "lastModified": 1705583692,
- "narHash": "sha256-AjKO+46Stiv8bta7A08nIoxQ+rJmv0yFfrBna0k6VNA=",
+ "lastModified": 1707067915,
+ "narHash": "sha256-3utx587jbTHclu58TYDz/JvMZ0lBBs9pHRuCgc6oY1Q=",
 "owner": "RGBCube",
 "repo": "Site",
- "rev": "97d41827c71364a97b4987a387ae9d41473baad3",
+ "rev": "b61b4c3da1992b69ff86a69cec670e2cf8d85f33",
 "type": "github"
 },
 "original": {
diff --git a/hosts/cube/grafana.nix b/hosts/cube/grafana.nix
index f3026a3..84b14d6 100644
--- a/hosts/cube/grafana.nix
+++ b/hosts/cube/grafana.nix
@@ -67,10 +67,7 @@ in serverSystemConfiguration {
 };
 };
- services.nginx.virtualHosts.${fqdn} = {
- forceSSL = true;
- useACMEHost = domain;
-
+ services.nginx.virtualHosts.${fqdn} = (sslTemplate domain) // {
 locations."/" = {
 proxyPass = "http://[::]:${toString config.services.grafana.settings.server.http_port}";
 proxyWebsockets = true;
diff --git a/hosts/cube/matrix-synapse.nix b/hosts/cube/matrix-synapse.nix
index 8934f66..88fc666 100644
--- a/hosts/cube/matrix-synapse.nix
+++ b/hosts/cube/matrix-synapse.nix
@@ -16,8 +16,8 @@ let
 clientConfig."org.matrix.msc3575.proxy".url = "https://${syncDomain}";
 serverConfig."m.server" = "${chatDomain}:443";
- synapsePort = 8001;
- syncPort = 8002;
+ synapsePort = 8001;
+ syncPort = 8002;
 in serverSystemConfiguration {
 age.secrets."cube/password.secret.matrix-synapse".owner = "matrix-synapse";
 age.secrets."cube/password.sync.matrix-synapse".owner = "matrix-synapse";
@@ -91,13 +91,7 @@ in serverSystemConfiguration {
 "= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
 };
- services.nginx.virtualHosts.${chatDomain} = {
- forceSSL = true;
- useACMEHost = domain;
-
- locations."/".proxyPass = "http://[::]:${toString config.services.site.port}/404";
- locations."/assets".proxyPass = "http://[::]:${toString config.services.site.port}/assets";
-
+ services.nginx.virtualHosts.${chatDomain} = (sslTemplate domain) // {
 locations."= /.well-known/matrix/client".extraConfig = wellKnownResponse clientConfig;
 locations."= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
@@ -106,21 +100,15 @@ in serverSystemConfiguration {
 };
 services.matrix-sliding-sync = enabled {
- settings = {
+ environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
+ settings = {
 SYNCV3_SERVER = "https://${chatDomain}";
 SYNCV3_DB = "postgresql:///matrix-sliding-sync?host=/run/postgresql";
 SYNCV3_BINDADDR = "[::]:${toString syncPort}";
 };
- environmentFile = config.age.secrets."cube/password.sync.matrix-synapse".path;
 };
- services.nginx.virtualHosts.${syncDomain} = {
- forceSSL = true;
- useACMEHost = domain;
-
- locations."/".proxyPass = "http://[::]:${toString config.services.site.port}/404";
- locations."/assets".proxyPass = "http://[::]:${toString config.services.site.port}/assets";
-
+ services.nginx.virtualHosts.${syncDomain} = (sslTemplate domain) // {
 locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)"
 .proxyPass = "http://[::]:${toString synapsePort}";
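Review bot: Dropping the `locations."/"` and `locations."/assets"` entries from the `${chatDomain}` vhost (hunk `@@ -91,13 +91,7 @@`, and likewise `${syncDomain}` in `@@ -106,21 +100,15 @@`) changes what unmatched paths on those hosts do: the remaining locations are exact `=` matches and one regex, so any other path now falls through to nginx's implicit root for that server rather than the site's 404 route it used to proxy to. The new `_` catch-all in site.nix does not cover this, since it only applies to requests whose server name matches no vhost, and these two hosts match. If the old behaviour is still wanted, re-add `locations."/".proxyPass = "http://[::]:${toString config.services.site.port}/404/";` to both attrsets; if the fallthrough is intentional, a one-line comment saying so would stop the next reader from restoring it. Both vhost attrsets continue past the end of their hunks, so I cannot see whether a later `locations."/"` already exists.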
diff --git a/hosts/cube/nextcloud/default.nix b/hosts/cube/nextcloud/default.nix
index fd549ae..dacd3d7 100644
--- a/hosts/cube/nextcloud/default.nix
+++ b/hosts/cube/nextcloud/default.nix
@@ -84,9 +84,5 @@ in serverSystemConfiguration {
 nginx.recommendedHttpHeaders = true;
 };
- services.nginx.virtualHosts.${fqdn} = {
- forceSSL = true;
- quic = true;
- useACMEHost = domain;
- };
+ services.nginx.virtualHosts.${fqdn} = sslTemplate domain;
 }
diff --git a/hosts/cube/site.nix b/hosts/cube/site.nix
index ff4f0ff..18a2659 100644
--- a/hosts/cube/site.nix
+++ b/hosts/cube/site.nix
@@ -1,8 +1,26 @@
 { config, ulib, ... }:
 with ulib;
-serverSystemConfiguration {
+let
+ inherit (config.networking) domain;
+
+ port = 8003;
+in serverSystemConfiguration {
 services.site = enabled {
- url = config.networking.domain;
- configureNginx = true;
+ inherit port;
+ };
+
+ services.nginx.virtualHosts.${domain} = (sslTemplate domain) // {
+ locations."/".proxyPass = "http://[::]:${toString port}";
+ };
+
+ services.nginx.virtualHosts."www.${domain}" = (sslTemplate domain) // {
+ locations."/".extraConfig = ''
+ return 301 https://${domain}$request_uri;
+ '';
+ };
+
+ services.nginx.virtualHosts._ = (sslTemplate domain) // {
+ locations."/".proxyPass = "http://[::]:${toString port}/404/";
+ locations."/assets".proxyPass = "http://[::]:${toString port}/assets";
 };
 }
diff --git a/lib/default.nix b/lib/default.nix
index 833e868..8689ead 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,5 +1,6 @@
 users: let
 configuration = import ./configuration.nix users;
 merge = import ./merge.nix;
+ ssl = import ./ssl.nix;
 values = import ./values.nix;
-in configuration // merge // values
+in configuration // merge // ssl // values
diff --git a/lib/ssl.nix b/lib/ssl.nix
new file mode 100644
index 0000000..474c971
--- /dev/null
+++ b/lib/ssl.nix
@@ -0,0 +1,7 @@
+{
+ sslTemplate = domain: {
+ forceSSL = true;
+ quic = true;
+ useACMEHost = domain;
+ };
+}
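Review bot: The catch-all `services.nginx.virtualHosts._` block in site.nix is only nginx's default server by accident of ordering, because nothing marks it as such; NixOS emits vhosts sorted by attribute name and `_` happens to sort before the lowercase hostnames, so a future vhost named differently could silently take over requests with an unknown SNI or Host. Add `default = true;` inside that attrset so its HTTPS and QUIC listeners explicitly carry `default_server`. Separately, with `location /` and a `proxy_pass` URI of `/404/`, nginx substitutes the matched prefix, so a request for `/foo` reaches the site as `/404/foo` (the removed matrix-synapse lines used `/404` without the slash, which would have produced `/404foo`); confirm the site's 404 handler accepts an arbitrary suffix, or drop the URI part and have nginx answer 404 itself via `extraConfig`.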
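Review bot: `sslTemplate` in lib/ssl.nix switches on `quic` for every vhost that uses it but documents none of the prerequisites, and nothing in this patch opens UDP 443 in the firewall or selects a QUIC-capable `services.nginx.package` (e.g. `pkgs.nginxQuic`); if those are configured elsewhere in the repo, a pointer here saves the next reader a hunt, and if they are not, HTTP/3 will be advertised but unreachable. Suggested comment above the function: `# nginx vhost defaults: HTTP->HTTPS redirect, QUIC/HTTP3 listener (needs a QUIC-capable services.nginx.package and UDP 443 in networking.firewall.allowedUDPPorts), ACME cert for \`domain\`.` It is also worth a sentence that callers merge with `//`, so any key given on the right-hand side silently overrides the template's value.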