blob: f136ba021d81d59077c9521dc193669a88dcdec4 (
plain) (
tree)
|
|
{
pkgs,
lib,
...
}:
let
httpHost = "10.100.0.60";
mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config);
mkWebfingers =
{ subject, ... }@config:
map (mkWebfinger config) [
subject
(lib.escapeURL subject)
];
webfingerRoot = pkgs.symlinkJoin {
name = "felschr.com-webfinger";
paths = lib.flatten (
builtins.map mkWebfingers [
{
subject = "acct:franck@fcuny.net";
links = [
{
rel = "http://openid.net/specs/connect/1.0/issuer";
href = "https://auth.fcuny.net";
}
];
}
]
);
};
in
{
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
# limit clients doing too many requests
# can be tested with ab -n 20 -c 10 <host>
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
# limit clients opening too many connections
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
'';
virtualHosts = {
"code.fcuny.net" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${httpHost}";
};
"auth.fcuny.net" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${httpHost}:9092";
};
"reader.fcuny.net" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${httpHost}:8002";
};
"fcuny.net" = {
enableACME = true;
acmeRoot = null;
forceSSL = true;
locations."/".proxyPass = "http://${httpHost}:8070";
locations."/.well-known/webfinger" = {
root = webfingerRoot;
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type "application/jrd+json";
types { application/jrd+json json; }
if ($arg_resource) {
rewrite ^(.*)$ /$arg_resource break;
}
'';
};
};
};
};
}
|
