Diffstat (limited to 'profiles/reverse-proxy.nix')
-rw-r--r--profiles/reverse-proxy.nix82
1 files changed, 82 insertions, 0 deletions
diff --git a/profiles/reverse-proxy.nix b/profiles/reverse-proxy.nix
new file mode 100644
index 0000000..dd98ff2
--- /dev/null
+++ b/profiles/reverse-proxy.nix
@@ -0,0 +1,82 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+let
+ httpHost = "10.100.0.60";
+ mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config);
+ mkWebfingers =
+ { subject, ... }@config:
+ map (mkWebfinger config) [
+ subject
+ (lib.escapeURL subject)
+ ];
+ webfingerRoot = pkgs.symlinkJoin {
+ name = "felschr.com-webfinger";
+ paths = lib.flatten (
+ builtins.map mkWebfingers [
+ {
+ subject = "acct:franck@fcuny.net";
+ links = [
+ {
+ rel = "http://openid.net/specs/connect/1.0/issuer";
+ href = "https://auth.fcuny.net";
+ }
+ ];
+ }
+ ]
+ );
+ };
+in
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}";
+ };
+ "auth.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}:9092";
+ };
+ "reader.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}:8002";
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}:8070";
+ locations."/.well-known/webfinger" = {
+ root = webfingerRoot;
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ default_type "application/jrd+json";
+ types { application/jrd+json json; }
+ if ($arg_resource) {
+ rewrite ^(.*)$ /$arg_resource break;
+ }
+ '';
+ };
+ };
+ };
+ };
+}
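Review bot: The `/.well-known/webfinger` location turns the request's `resource` query argument straight into a file path under `root` (`rewrite ^(.*)$ /$arg_resource break;`) without checking its shape. Whether nginx normalises dot segments in a rewrite target built from a variable is not something I would rely on, so I would rewrite only when the argument looks like an account URI, e.g. `if ($arg_resource ~ "^acct(:|%3A)[A-Za-z0-9._-]+(@|%40)[A-Za-z0-9.-]+$") { rewrite ^ /$arg_resource break; }`; anything else should then end in a 404 because no such file exists under the root. A short comment saying that `mkWebfingers` writes both the raw and the `lib.escapeURL` form because `$arg_resource` is not URL-decoded would also help the next reader. Separately, the `symlinkJoin` name `felschr.com-webfinger` looks carried over from another configuration and should probably name fcuny.net.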