Major change to hyrule.nginx config

Permit nginx recommended settings for gzip, zstd, tls nginx proxy, and optimisations
2025-07-24 13:44:16 +10:00 · 2025-07-24 13:44:16 +10:00 · 9f6bf432bc
commit 9f6bf432bc
parent db0b1c3883
1 changed files with 48 additions and 51 deletions
--- a/hosts/hyrule/default.nix
+++ b/hosts/hyrule/default.nix
@ -116,64 +116,61 @@ in {
    #       and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
    nginx = {
      enable = true;
-
      # in wake of CVE-2022-3602/CVE-2022-3786
      package = pkgs.nginxStable.override {openssl = pkgs.libressl;};

-      #virtualHosts."imbored.dev".locations."/" = {
-      virtualHosts = {
-        "imbored.dev" = {
-          # "http:imbored.dev" = {
-          default = true;
-          # serverName = "imbored.dev";
-          # listenAddresses = ["imbored.dev"];
-          enableACME = true;
-          addSSL = true; # forceSSL = true;
-          root = "/var/www/imbored";
-          #index = "index.html";
-          #root = pkgs.writeTextDir "index.html" ''
-          #  <html>
-          #  <body>
-          #  Give me your mittens!
-          #  </body>
-          #  </html>
+      recommendedGzipSettings = true;
+      recommendedZstdSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # streamConfig = ''
+      #   server {
+      #     listen 127.0.0.1:53 udp reuseport;
+      #     proxy_timeout 20s;
+      #     proxy_pass 192.168.0.1:53535;
+      #   }
      # '';
-        };
-        # "ssh:imbored.dev" = {
-        #   serverName = "imbored.dev";
-        #   listen = [{
-        #     addr = "imbored.dev";
-        #     port= 22;
-        #   }];
-        #   locations."/".proxyPass = "ssh://127.0.0.1:2222";
-        # };
-        # Route "vault" subdomain to vaultwarden
-        "vault.imbored.dev" = {
+
+      virtualHosts = let
+        localhost = "http://127.0.0.1";
+        std = {
+          # TODO: should I run over QUIC+HTTP3? (experimental)
+          # quic = true;
+          # http3 = true;
          enableACME = true;
-          forceSSL = true;
-          locations."/".proxyPass = "http://127.0.0.1:8222";
+          # kTLS = true; # offload TLS to the linux kernel
        };
+      in {
+        "imbored.dev" =
+          {
+            default = true;
+            addSSL = true; # not strictly enforced <3
+            root = "/var/www/imbored";
+            # extraConfig = ''
+            #   error_page 404 /custom_404.html;
+            # '';
+          }
+          // std;
+        # Route "vault" subdomain to vaultwarden
+        "vault.imbored.dev" =
+          {
+            forceSSL = true;
+            locations."/".proxyPass = "${localhost}:8222";
+          }
+          // std;
        # Route "forge" subdomain to forgejo
-        "forge.imbored.dev" = {
-          # "https:forge.imbored.dev" = {
-          #serverName = "forge.imbored.dev";
-          #listenAddresses = ["forge.imbored.dev"]; # NOTE: I think this is wrong
-          enableACME = true; # TODO: maybe use `forgejo.settings.server.ENABLE_ACME` instead?
+        # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
+        "forge.imbored.dev" =
+          {
            forceSSL = true;
            extraConfig = ''
              client_max_body_size 512M;
            '';
-          locations."/".proxyPass = "http://127.0.0.1:3000";
-        };
-        # NOTE: would it work if I used "ssh://forge.imbored.dev" and "https://forge.imbored.dev" instead?
-        # "ssh:forge.imbored.dev" = {
-        #   serverName = "forge.imbored.dev";
-        #   listen = [{
-        #     addr = "forge.imbored.dev";
-        #     port = 22;
-        #   }];
-        #   locations."/".proxyPass = "ssh://127.0.0.2:22";
-        # };
+            locations."/".proxyPass = "${localhost}:3000";
+          }
+          // std;
      };
    };