Improve nginx forwarding
This commit is contained in:
parent
faacf313b5
commit
7eaba34243
|
@ -8,7 +8,7 @@ let
|
|||
} "nextcloud-admin";
|
||||
inherit (config.m-0) hosts;
|
||||
certPath = "/var/lib/acme";
|
||||
nextcloud-container = { v6, v4, hostname, rss ? false, extraMounts ? { } }: {
|
||||
nextcloud-container = { v6, v4, hostname, rss ? false, extraMounts ? {} }: {
|
||||
bindMounts = {
|
||||
"${certPath}" = {
|
||||
hostPath = certPath;
|
||||
|
@ -28,14 +28,18 @@ let
|
|||
|
||||
networking = {
|
||||
interfaces.eth0 = {
|
||||
ipv6.addresses = [{
|
||||
address = v6;
|
||||
prefixLength = 112;
|
||||
}];
|
||||
ipv4.addresses = [{
|
||||
address = v4;
|
||||
prefixLength = 24;
|
||||
}];
|
||||
ipv6.addresses = [
|
||||
{
|
||||
address = v6;
|
||||
prefixLength = 112;
|
||||
}
|
||||
];
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = v4;
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
};
|
||||
inherit (config.networking) nameservers;
|
||||
defaultGateway6 = {
|
||||
|
@ -94,10 +98,12 @@ let
|
|||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
pg_backup = {
|
||||
script = let name = "nextcloud-psql-${hostname}";
|
||||
in ''
|
||||
${config.services.postgresql.package}/bin/pg_dump nextcloud > /var/lib/db-backup-dumps/${name}
|
||||
'';
|
||||
script = let
|
||||
name = "nextcloud-psql-${hostname}";
|
||||
in
|
||||
''
|
||||
${config.services.postgresql.package}/bin/pg_dump nextcloud > /var/lib/db-backup-dumps/${name}
|
||||
'';
|
||||
serviceConfig = {
|
||||
User = "nextcloud";
|
||||
Type = "oneshot";
|
||||
|
@ -114,15 +120,18 @@ let
|
|||
Type = "oneshot";
|
||||
User = "nextcloud";
|
||||
ExecStart = let
|
||||
config = pkgs.writeText "updater.ini" (generators.toINI { } {
|
||||
updater = {
|
||||
user = adminCreds.adminuser;
|
||||
password = adminCreds.adminpass;
|
||||
url = "https://${hostname}/";
|
||||
mode = "singlerun";
|
||||
};
|
||||
});
|
||||
in "${pkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -c ${config}";
|
||||
config = pkgs.writeText "updater.ini" (
|
||||
generators.toINI {} {
|
||||
updater = {
|
||||
user = adminCreds.adminuser;
|
||||
password = adminCreds.adminpass;
|
||||
url = "https://${hostname}/";
|
||||
mode = "singlerun";
|
||||
};
|
||||
}
|
||||
);
|
||||
in
|
||||
"${pkgs.nextcloud-news-updater}/bin/nextcloud-news-updater -c ${config}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -134,7 +143,26 @@ let
|
|||
StartLimitIntervalSec = 30;
|
||||
StartLimitBurst = 2;
|
||||
};
|
||||
in {
|
||||
nginx = {
|
||||
rootExtra = "proxy_set_header Host $host; proxy_buffering off;";
|
||||
wellKnown = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
location = /.well-known/carddav {
|
||||
return 301 https://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 https://$host/remote.php/dav;
|
||||
}
|
||||
location ^~ /.well-known {
|
||||
return 301 https://$host/index.php$request_uri;
|
||||
}
|
||||
try_files $uri $uri/ =404;
|
||||
'';
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
systemd.services."container@cloud" = { inherit serviceConfig unitConfig; };
|
||||
systemd.services."container@chor-cloud" = {
|
||||
inherit serviceConfig unitConfig;
|
||||
|
@ -148,20 +176,9 @@ in {
|
|||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://cloud";
|
||||
extraConfig = "proxy_set_header Host $host; proxy_buffering off;";
|
||||
};
|
||||
"^~ /.well-known" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
location = /.well-known/carddav {
|
||||
return 301 https://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 https://$host/remote.php/dav;
|
||||
}
|
||||
try_files $uri $uri/ =404;
|
||||
'';
|
||||
extraConfig = nginx.rootExtra;
|
||||
};
|
||||
"^~ /.well-known" = nginx.wellKnown;
|
||||
};
|
||||
};
|
||||
virtualHosts."cloud.mathechor.de" = {
|
||||
|
@ -170,22 +187,10 @@ in {
|
|||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://chor-cloud";
|
||||
extraConfig = "proxy_set_header Host $host; proxy_buffering off;";
|
||||
};
|
||||
"^~ /.well-known" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
location = /.well-known/carddav {
|
||||
return 301 https://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 https://$host/remote.php/dav;
|
||||
}
|
||||
try_files $uri $uri/ =404;
|
||||
'';
|
||||
extraConfig = nginx.rootExtra;
|
||||
};
|
||||
"^~ /.well-known" = nginx.wellKnown;
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
more_set_headers "Content-Security-Policy: frame-ancestors 'self' https://*.mathechor.de";
|
||||
'';
|
||||
|
|
|
@ -54,7 +54,9 @@ in
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://[::1]:8008";
|
||||
extraConfig = "proxy_set_header X-Forwarded-For $remote_addr;";
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue