Major change to hyrule.nginx config

Permit nginx recommended settings for gzip, zstd, tls nginx proxy, and optimisations
2025-07-24 13:44:16 +10:00 · 2025-07-24 13:44:16 +10:00 · 9f6bf432bc
commit 9f6bf432bc
parent db0b1c3883
1 changed files with 48 additions and 51 deletions
--- a/hosts/hyrule/default.nix
+++ b/hosts/hyrule/default.nix
@ -116,64 +116,61 @@ in {
    #       and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
    nginx = {
      enable = true;
      # in wake of CVE-2022-3602/CVE-2022-3786
      package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
-      #virtualHosts."imbored.dev".locations."/" = {
+      recommendedGzipSettings = true;
-      virtualHosts = {
+      recommendedZstdSettings = true;
-        "imbored.dev" = {
+      recommendedOptimisation = true;
-          # "http:imbored.dev" = {
+      recommendedProxySettings = true;
-          default = true;
+      recommendedTlsSettings = true;
-          # serverName = "imbored.dev";
+
-          # listenAddresses = ["imbored.dev"];
+      # streamConfig = ''
      #   server {
      #     listen 127.0.0.1:53 udp reuseport;
      #     proxy_timeout 20s;
      #     proxy_pass 192.168.0.1:53535;
      #   }
      # '';
      virtualHosts = let
        localhost = "http://127.0.0.1";
        std = {
          # TODO: should I run over QUIC+HTTP3? (experimental)
          # quic = true;
          # http3 = true;
          enableACME = true;
-          addSSL = true; # forceSSL = true;
+          # kTLS = true; # offload TLS to the linux kernel
          root = "/var/www/imbored";
          #index = "index.html";
          #root = pkgs.writeTextDir "index.html" ''
          #  <html>
          #  <body>
          #  Give me your mittens!
          #  </body>
          #  </html>
          #'';
        };
-        # "ssh:imbored.dev" = {
+      in {
-        #   serverName = "imbored.dev";
+        "imbored.dev" =
-        #   listen = [{
+          {
-        #     addr = "imbored.dev";
+            default = true;
-        #     port= 22;
+            addSSL = true; # not strictly enforced <3
-        #   }];
+            root = "/var/www/imbored";
-        #   locations."/".proxyPass = "ssh://127.0.0.1:2222";
+            # extraConfig = ''
-        # };
+            #   error_page 404 /custom_404.html;
            # '';
          }
          // std;
        # Route "vault" subdomain to vaultwarden
-        "vault.imbored.dev" = {
+        "vault.imbored.dev" =
-          enableACME = true;
+          {
-          forceSSL = true;
+            forceSSL = true;
-          locations."/".proxyPass = "http://127.0.0.1:8222";
+            locations."/".proxyPass = "${localhost}:8222";
-        };
+          }
          // std;
        # Route "forge" subdomain to forgejo
-        "forge.imbored.dev" = {
+        # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
-          # "https:forge.imbored.dev" = {
+        "forge.imbored.dev" =
-          #serverName = "forge.imbored.dev";
+          {
-          #listenAddresses = ["forge.imbored.dev"]; # NOTE: I think this is wrong
+            forceSSL = true;
-          enableACME = true; # TODO: maybe use `forgejo.settings.server.ENABLE_ACME` instead?
+            extraConfig = ''
-          forceSSL = true;
+              client_max_body_size 512M;
-          extraConfig = ''
+            '';
-            client_max_body_size 512M;
+            locations."/".proxyPass = "${localhost}:3000";
-          '';
+          }
-          locations."/".proxyPass = "http://127.0.0.1:3000";
+          // std;
        };
        # NOTE: would it work if I used "ssh://forge.imbored.dev" and "https://forge.imbored.dev" instead?
        # "ssh:forge.imbored.dev" = {
        #   serverName = "forge.imbored.dev";
        #   listen = [{
        #     addr = "forge.imbored.dev";
        #     port = 22;
        #   }];
        #   locations."/".proxyPass = "ssh://127.0.0.2:22";
        # };
      };
    };