{ config, lib, pkgs, ... }: let uwsgi_params = builtins.toFile "uwsgi_param" '' uwsgi_param QUERY_STRING $query_string; uwsgi_param REQUEST_METHOD $request_method; uwsgi_param CONTENT_TYPE $content_type; uwsgi_param CONTENT_LENGTH $content_length; uwsgi_param REQUEST_URI $request_uri; uwsgi_param PATH_INFO $document_uri; uwsgi_param DOCUMENT_ROOT $document_root; uwsgi_param SERVER_PROTOCOL $server_protocol; uwsgi_param REMOTE_ADDR $remote_addr; uwsgi_param REMOTE_PORT $remote_port; uwsgi_param SERVER_ADDR $server_addr; uwsgi_param SERVER_PORT $server_port; uwsgi_param SERVER_NAME $server_name; ''; favicon = builtins.toFile "favicon" '' location = /favicon.ico { root /srv/www/default; } ''; acme = builtins.toFile "acme" '' location /.well-known/acme-challenge { root /srv/www/acme/$host/; } ''; in { services.nginx = { enable = true; httpConfig = '' default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] ' '"$request" $status $bytes_sent ' '"$http_referer" "$http_user_agent" ' '"$gzip_ratio"'; client_header_timeout 10m; client_body_timeout 10m; send_timeout 10m; connection_pool_size 256; client_header_buffer_size 1k; large_client_header_buffers 4 2k; request_pool_size 4k; gzip on; gzip_min_length 1100; gzip_buffers 4 8k; gzip_types text/plain; output_buffers 1 32k; postpone_output 1460; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 75 20; ignore_invalid_headers on; access_log stderr; error_log stderr; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/ssl/dhparam.pem; ssl_certificate /var/lib/acme/yggdrasil.li/fullchain.pem; ssl_certificate_key /var/lib/acme/yggdrasil.li/key.pem; server { listen *:80; listen [::]:80; listen *:443 ssl; listen [::]:443 ssl; server_name _; include ${favicon}; include ${acme}; root /srv/www/default; } server { listen *:80; listen [::]:80; listen *:443 ssl; listen [::]:443 ssl; server_name ~^(.*\.)?(f|files)\.(yggdrasil\.li|141\.li|praseodym\.org)$; include ${favicon}; include ${acme}; root /srv/www/files; } server { listen *:80; listen [::]:80; listen *:443 ssl; listen [::]:443 ssl; server_name ~^(.*\.)?dirty-haskell\.org$; include ${favicon}; include ${acme}; root /srv/www/dirty-haskell.org; } server { listen *:80; listen *:443 ssl; listen [::]:80; listen [::]:443 ssl; server_name ~^(.*\.)?git\.yggdrasil\.li$; root ${pkgs.cgit}/cgit; try_files $uri @cgit; include ${favicon}; include ${acme}; location @cgit { include ${uwsgi_params}; uwsgi_pass unix:/tmp/git.yggdrasil.li.sock; uwsgi_modifier1 9; } } server { listen *:80; listen *:443 ssl; listen [::]:80; listen [::]:443 ssl; server_name ~^(.*\.)?git\.rheperire\.org$; root ${pkgs.cgit}/cgit; try_files $uri @cgit; include ${favicon}; include ${acme}; location @cgit { include ${uwsgi_params}; uwsgi_pass unix:/tmp/git.rheperire.org.sock; uwsgi_modifier1 9; } } server { listen *:80; listen [::]:80; server_name ~^(.*\.)?bragi\.(yggdrasil\.li|141\.li)$; include ${acme}; location / { return 301 https://$host$request_uri; } } server { listen *:443 ssl; listen [::]:443 ssl; server_name ~^(.*\.)?bragi\.(yggdrasil\.li|141\.li)$; location / { auth_basic "Reverse proxy to bragi"; auth_basic_user_file /srv/www/bragi/htpasswd; proxy_pass http://bragi.asgard.yggdrasil/; } } server { listen *:80; listen [::]:80; listen *:443 ssl; listen [::]:443 ssl; server_name ~^webdav\.(yggdrasil\.li|141\.li|praseodym\.org)$; include ${acme}; location ~ ^/(.+?)(/.*)?$ { if ($scheme = http) { return 301 https://$host$request_uri; } alias /srv/www/webdav/$1$2; autoindex on; auth_basic "WebDAV user directory of $1"; auth_basic_user_file /srv/www/webdav/$1.htpasswd; client_body_temp_path /tmp/webdav.$1; dav_methods PUT DELETE MKCOL COPY MOVE; create_full_put_path on; dav_access user:rw group:r all:r; } } ''; }; }