nixos/hosts/common/optional/nginx/xmpp.nix

{configVars, ...}: let
  email = configVars.email.user;
  xmppDomain = configVars.domains.xmpp;
  xmppIp = configVars.networking.addresses.xmpp.localAddress;
  xmppPort = configVars.networking.addresses.xmpp.port;
in {
  networking.firewall.allowedTCPPorts = [80 443];
  users.groups.www-data = {
    gid = 33;
  };

  users.users.nginx = {
    isSystemUser = true;
    uid = 60;
    extraGroups = ["www-data"];
  };

  systemd.tmpfiles.rules = [
    "d /var/www/${xmppDomain} 0777 root root"
  ];

  services.httpd.virtualHosts."root" = {
    hostName = "${xmppDomain}";
    documentRoot = "/var/www/${xmppDomain}";
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = email;
    certs = {
      "${xmppDomain}" = {
        webroot = "/var/www/${xmppDomain}";
        email = email;
        extraDomainNames = [
          "chat.${xmppDomain}"
        ];
        group = "www-data";
      };
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."chat.${xmppDomain}" = {
      # enableACME = true;
      forceSSL = true;
      extraConfig = ''
        client_max_body_size 10G;
      '';
      sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";
      sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";
      locations = {
        "/" = {
          proxyPass = "http://${xmppIp}:${toString xmppPort}";
          extraConfig = ''
            proxy_set_header Host "${xmppDomain}";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering off;
            tcp_nodelay on;
          '';
        };
        "/xmpp-websocket" = {
          proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";
          extraConfig = ''
            proxy_http_version 1.1;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Upgrade $http_upgrade;

            proxy_set_header Host "${xmppDomain}";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 900s;
          '';
        };
        "/upload/" = {
          extraConfig = ''
            proxy_buffering off;
            proxy_set_header Host $host;
                  # pass PUT requests to mod_http_upload for processing
            if ($request_method = PUT) {
              proxy_pass http://${xmppIp}:${toString xmppPort};
            }
            alias /var/lib/prosody/http_upload;  # storage path of mod_http_upload. NGINX will serve these files to the clients.
          '';
        };
      };
    };
  };
}
add prosody xmpp container 2025-02-11 12:26:58 +00:00			`{configVars, ...}: let`
			`email = configVars.email.user;`
			`xmppDomain = configVars.domains.xmpp;`
			`xmppIp = configVars.networking.addresses.xmpp.localAddress;`
			`xmppPort = configVars.networking.addresses.xmpp.port;`
			`in {`
			`networking.firewall.allowedTCPPorts = [80 443];`
			`users.groups.www-data = {`
			`gid = 33;`
			`};`

			`users.users.nginx = {`
			`isSystemUser = true;`
			`uid = 60;`
			`extraGroups = ["www-data"];`
			`};`

			`systemd.tmpfiles.rules = [`
			`"d /var/www/${xmppDomain} 0777 root root"`
			`];`

			`services.httpd.virtualHosts."root" = {`
			`hostName = "${xmppDomain}";`
			`documentRoot = "/var/www/${xmppDomain}";`
			`};`

			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = email;`
			`certs = {`
			`"${xmppDomain}" = {`
			`webroot = "/var/www/${xmppDomain}";`
			`email = email;`
			`extraDomainNames = [`
			`"chat.${xmppDomain}"`
			`];`
			`group = "www-data";`
			`};`
			`};`
			`};`

			`services.nginx = {`
			`enable = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`virtualHosts."chat.${xmppDomain}" = {`
			`# enableACME = true;`
			`forceSSL = true;`
			`extraConfig = ''`
			`client_max_body_size 10G;`
			`'';`
			`sslCertificate = "/var/lib/acme/${xmppDomain}/fullchain.pem";`
			`sslCertificateKey = "/var/lib/acme/${xmppDomain}/key.pem";`
			`locations = {`
			`"/" = {`
			`proxyPass = "http://${xmppIp}:${toString xmppPort}";`
			`extraConfig = ''`
			`proxy_set_header Host "${xmppDomain}";`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_buffering off;`
			`tcp_nodelay on;`
			`'';`
			`};`
			`"/xmpp-websocket" = {`
			`proxyPass = "http://${xmppIp}:${toString xmppPort}/xmpp-websocket";`
			`extraConfig = ''`
			`proxy_http_version 1.1;`
			`proxy_set_header Connection "Upgrade";`
			`proxy_set_header Upgrade $http_upgrade;`

			`proxy_set_header Host "${xmppDomain}";`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_read_timeout 900s;`
			`'';`
			`};`
			`"/upload/" = {`
			`extraConfig = ''`
			`proxy_buffering off;`
			`proxy_set_header Host $host;`
			`# pass PUT requests to mod_http_upload for processing`
			`if ($request_method = PUT) {`
			`proxy_pass http://${xmppIp}:${toString xmppPort};`
			`}`
			`alias /var/lib/prosody/http_upload; # storage path of mod_http_upload. NGINX will serve these files to the clients.`
			`'';`
			`};`
			`};`
			`};`
			`};`
			`}`