path: root/profiles/reverse-proxy.nix



{
  pkgs,
  lib,
  ...
}:
let
  httpHost = "10.100.0.60";
  mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config);
  mkWebfingers =
    { subject, ... }@config:
    map (mkWebfinger config) [
      subject
      (lib.escapeURL subject)
    ];
  webfingerRoot = pkgs.symlinkJoin {
    name = "felschr.com-webfinger";
    paths = lib.flatten (
      builtins.map mkWebfingers [
        {
          subject = "acct:franck@fcuny.net";
          links = [
            {
              rel = "http://openid.net/specs/connect/1.0/issuer";
              href = "https://auth.fcuny.net";
            }
          ];
        }
      ]
    );
  };
in
{
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "code.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}";
      };
      "auth.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:9092";
      };
      "reader.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:8002";
      };
      "fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:8070";
        locations."/.well-known/webfinger" = {
          root = webfingerRoot;
          extraConfig = ''
            add_header Access-Control-Allow-Origin "*";
            default_type "application/jrd+json";
            types { application/jrd+json json; }
            if ($arg_resource) {
              rewrite ^(.*)$ /$arg_resource break;
            }
          '';
        };
      };
    };
  };
}
{
  pkgs,
  lib,
  ...
}:
let
  httpHost = "10.100.0.60";
  mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config);
  mkWebfingers =
    { subject, ... }@config:
    map (mkWebfinger config) [
      subject
      (lib.escapeURL subject)
    ];
  webfingerRoot = pkgs.symlinkJoin {
    name = "felschr.com-webfinger";
    paths = lib.flatten (
      builtins.map mkWebfingers [
        {
          subject = "acct:franck@fcuny.net";
          links = [
            {
              rel = "http://openid.net/specs/connect/1.0/issuer";
              href = "https://auth.fcuny.net";
            }
          ];
        }
      ]
    );
  };
in
{
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    virtualHosts = {
      "code.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}";
      };
      "auth.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:9092";
      };
      "reader.fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:8002";
      };
      "fcuny.net" = {
        enableACME = true;
        acmeRoot = null;
        forceSSL = true;
        locations."/".proxyPass = "http://${httpHost}:8070";
        locations."/.well-known/webfinger" = {
          root = webfingerRoot;
          extraConfig = ''
            add_header Access-Control-Allow-Origin "*";
            default_type "application/jrd+json";
            types { application/jrd+json json; }
            if ($arg_resource) {
              rewrite ^(.*)$ /$arg_resource break;
            }
          '';
        };
      };
    };
  };
}