Improve nginx forwarding

2021-03-19 12:32:48 +01:00 · 2021-03-19 12:32:48 +01:00 · 7eaba34243
parent faacf313b5
commit 7eaba34243
2 changed files with 58 additions and 51 deletions
--- a/nixos/machines/hera/cloud.nix
+++ b/nixos/machines/hera/cloud.nix
@ -8,7 +8,7 @@ let
  } "nextcloud-admin";
  inherit (config.m-0) hosts;
  certPath = "/var/lib/acme";
-  nextcloud-container = { v6, v4, hostname, rss ? false, extraMounts ? { } }: {
+  nextcloud-container = { v6, v4, hostname, rss ? false, extraMounts ? {} }: {
    bindMounts = {
      "${certPath}" = {
        hostPath = certPath;
@ -28,14 +28,18 @@ let

      networking = {
        interfaces.eth0 = {
-          ipv6.addresses = [{
-            address = v6;
-            prefixLength = 112;
-          }];
-          ipv4.addresses = [{
-            address = v4;
-            prefixLength = 24;
-          }];
+          ipv6.addresses = [
+            {
+              address = v6;
+              prefixLength = 112;
+            }
+          ];
+          ipv4.addresses = [
+            {
+              address = v4;
+              prefixLength = 24;
+            }
+          ];
        };
        inherit (config.networking) nameservers;
        defaultGateway6 = {
@ -94,10 +98,12 @@ let
            wantedBy = [ "multi-user.target" ];
          };
          pg_backup = {
-            script = let name = "nextcloud-psql-${hostname}";
-            in ''
-              ${config.services.postgresql.package}/bin/pg_dump nextcloud > /var/lib/db-backup-dumps/${name}
-            '';
+            script = let
+              name = "nextcloud-psql-${hostname}";
+            in
+              ''
+                ${config.services.postgresql.package}/bin/pg_dump nextcloud > /var/lib/db-backup-dumps/${name}
+              '';
            serviceConfig = {
              User = "nextcloud";
              Type = "oneshot";
@ -114,15 +120,18 @@ let
              Type = "oneshot";
              User = "nextcloud";
              ExecStart = let
-                config = pkgs.writeText "updater.ini" (generators.toINI { } {
-                  updater = {
-                    user = adminCreds.adminuser;
-                    password = adminCreds.adminpass;
-                    url = "https://${hostname}/";
-                    mode = "singlerun";
-                  };
-                });
-              in "${pkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -c ${config}";
+                config = pkgs.writeText "updater.ini" (
+                  generators.toINI {} {
+                    updater = {
+                      user = adminCreds.adminuser;
+                      password = adminCreds.adminpass;
+                      url = "https://${hostname}/";
+                      mode = "singlerun";
+                    };
+                  }
+                );
+              in
+                "${pkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -c ${config}";
            };
          };
        };
@ -134,7 +143,26 @@ let
    StartLimitIntervalSec = 30;
    StartLimitBurst = 2;
  };
-in {
+  nginx = {
+    rootExtra = "proxy_set_header Host $host; proxy_buffering off;";
+    wellKnown = {
+      priority = 210;
+      extraConfig = ''
+        location = /.well-known/carddav {
+          return 301 https://$host/remote.php/dav;
+        }
+        location = /.well-known/caldav {
+          return 301 https://$host/remote.php/dav;
+        }
+        location ^~ /.well-known {
+          return 301 https://$host/index.php$request_uri;
+        }
+        try_files $uri $uri/ =404;
+      '';
+    };
+  };
+in
+{
  systemd.services."container@cloud" = { inherit serviceConfig unitConfig; };
  systemd.services."container@chor-cloud" = {
    inherit serviceConfig unitConfig;
@ -148,20 +176,9 @@ in {
        locations = {
          "/" = {
            proxyPass = "http://cloud";
-            extraConfig = "proxy_set_header Host $host; proxy_buffering off;";
-          };
-          "^~ /.well-known" = {
-            priority = 210;
-            extraConfig = ''
-              location = /.well-known/carddav {
-                return 301 https://$host/remote.php/dav;
-              }
-              location = /.well-known/caldav {
-                return 301 https://$host/remote.php/dav;
-              }
-              try_files $uri $uri/ =404;
-            '';
+            extraConfig = nginx.rootExtra;
          };
+          "^~ /.well-known" = nginx.wellKnown;
        };
      };
      virtualHosts."cloud.mathechor.de" = {
@ -170,22 +187,10 @@ in {
        locations = {
          "/" = {
            proxyPass = "http://chor-cloud";
-            extraConfig = "proxy_set_header Host $host; proxy_buffering off;";
-          };
-          "^~ /.well-known" = {
-            priority = 210;
-            extraConfig = ''
-              location = /.well-known/carddav {
-                return 301 https://$host/remote.php/dav;
-              }
-              location = /.well-known/caldav {
-                return 301 https://$host/remote.php/dav;
-              }
-              try_files $uri $uri/ =404;
-            '';
+            extraConfig = nginx.rootExtra;
          };
+          "^~ /.well-known" = nginx.wellKnown;
        };
-
        extraConfig = ''
          more_set_headers "Content-Security-Policy: frame-ancestors 'self' https://*.mathechor.de";
        '';
--- a/nixos/roles/matrix-synapse/default.nix
+++ b/nixos/roles/matrix-synapse/default.nix
@ -54,7 +54,9 @@ in
        enableACME = true;
        locations."/" = {
          proxyPass = "http://[::1]:8008";
-          extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;";
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto https;'';
        };
      };
    };