{ pkgs, lib, ... }: let httpHost = "10.100.0.60"; mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config); mkWebfingers = { subject, ... }@config: map (mkWebfinger config) [ subject (lib.escapeURL subject) ]; webfingerRoot = pkgs.symlinkJoin { name = "felschr.com-webfinger"; paths = lib.flatten ( builtins.map mkWebfingers [ { subject = "acct:franck@fcuny.net"; links = [ { rel = "http://openid.net/specs/connect/1.0/issuer"; href = "https://auth.fcuny.net"; } ]; } ] ); }; in { networking.firewall.allowedTCPPorts = [ 80 443 ]; services.nginx = { enable = true; recommendedProxySettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedTlsSettings = true; commonHttpConfig = '' # limit clients doing too many requests # can be tested with ab -n 20 -c 10 limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s; # limit clients opening too many connections limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m; ''; virtualHosts = { "code.fcuny.net" = { enableACME = true; acmeRoot = null; forceSSL = true; locations."/".proxyPass = "http://${httpHost}"; }; "auth.fcuny.net" = { enableACME = true; acmeRoot = null; forceSSL = true; locations."/".proxyPass = "http://${httpHost}:9092"; }; "reader.fcuny.net" = { enableACME = true; acmeRoot = null; forceSSL = true; locations."/".proxyPass = "http://${httpHost}:8002"; }; "fcuny.net" = { enableACME = true; acmeRoot = null; forceSSL = true; locations."/".proxyPass = "http://${httpHost}:8070"; locations."/.well-known/webfinger" = { root = webfingerRoot; extraConfig = '' add_header Access-Control-Allow-Origin "*"; default_type "application/jrd+json"; types { application/jrd+json json; } if ($arg_resource) { rewrite ^(.*)$ /$arg_resource break; } ''; }; }; }; }; }