cyper-nix/nixos/roles/nginx.nix

_:
let
  upstream = "100.109.179.25";

  # helper: simple reverse proxy, force SSL
  mkProxy = port: {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${upstream}:${toString port}";
    };
  };

  # helper: like mkProxy but with websocket support
  mkWsProxy =
    port:
    (mkProxy port)
    // {
      locations."/" = {
        proxyPass = "http://${upstream}:${toString port}";
        proxyWebsockets = true;
      };
    };

  matrixConfig = ''
    client_max_body_size 50M;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
  '';

  wellKnownMatrix = {
    "/.well-known/matrix/client" = {
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{
        		"m.homeserver":{
        				"base_url":"https://matrix.cyperpunk.de"
        		},
        		"org.matrix.msc4143.rtc_foci":[
        				{
        						"type":"livekit",
        						"livekit_service_url":"https://cyperpunk.de/livekit/jwt/"
        				}
        		]
        }';
      '';
    };
    "/.well-known/matrix/server" = {
      extraConfig = ''
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.server":"matrix.cyperpunk.de:443"}';
      '';
    };
  };
in
{
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "phil.keier@hotmail.com"; # Change accordingly
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;

    virtualHosts = {
      "git.cyperpunk.de" = mkProxy 9000;
      "search.cyperpunk.de" = mkProxy 11080;
      "file.cyperpunk.de" = mkProxy 10000;
      "ngx.cyperpunk.de" = mkWsProxy 28101;

      "vault.cyperpunk.de" = mkWsProxy 8222;
      "fluffy.cyperpunk.de" = mkWsProxy 8012;

      "www.cyperpunk.de" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            proxyPass = "http://${upstream}:15005";
            proxyWebsockets = true;
          };
          "/grafana" = {
            proxyPass = "http://${upstream}:2342";
            proxyWebsockets = true;
          };
        };
      };

      "calvin.cyperpunk.de" = mkWsProxy 15006;
      "cinny.cyperpunk.de" = mkWsProxy 8009;

      "element-call.cyperpunk.de" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          proxyPass = "http://${upstream}:8013";
          proxyWebsockets = true;
          extraConfig = ''
            add_header Cross-Origin-Opener-Policy "same-origin";
            add_header Cross-Origin-Embedder-Policy "require-corp";
            add_header Cross-Origin-Resource-Policy "cross-origin";
          '';
        };
      };

      "element.cyperpunk.de" = {
        forceSSL = true;
        enableACME = true;
        locations = {
          "/" = {
            proxyPass = "http://${upstream}:8010";
            proxyWebsockets = true;
          };
          "/widgets/element-call/config.json" = {
            extraConfig = ''
              	default_type application/json;
              	add_header Access-Control-Allow-Origin *;
              	return 200 '{
              	"livekit_service_url": "https://cyperpunk.de/livekit/jwt/",
              	"default_server_config": {
              			"m.homeserver": {
              					"base_url": "https://matrix.cyperpunk.de",
              					"server_name":"cyperpunk.de"
              					}
              			}
              	}';
            '';
          };
        };
      };

      "cyperpunk.de" = {
        forceSSL = true;
        enableACME = true;
        serverAliases = [ "matrix.cyperpunk.de" ];
        http2 = true;
        extraConfig = matrixConfig;
        locations = wellKnownMatrix // {
          "/" = {
            proxyPass = "http://${upstream}:8008";
            proxyWebsockets = true;
          };
          "^~ /livekit/jwt/" = {
            priority = 400;
            proxyPass = "http://${upstream}:18080/";
          };
          "^~ /livekit/sfu/" = {
            priority = 400;
            proxyPass = "http://127.0.0.1:7880/";
            proxyWebsockets = true;
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_read_timeout 86400s;
              proxy_send_timeout 86400s;

            '';
          };
          "/_matrix/client/unstable/org.matrix.msc4143/rtc/transports" = {
            extraConfig = ''
              default_type application/json;
              add_header Access-Control-Allow-Origin *;
              add_header Access-Control-Allow-Headers "Authorization, Content-Type";
              add_header Access-Control-Allow-Methods "GET, OPTIONS";
              return 200 '{"rtc_transports":[{"type":"livekit","livekit_service_url":"https://cyperpunk.de/livekit/jwt/"}]}';
            '';
          };
        };
      };
    };
  };
}