infra/services/nginx.nix

{ config, pkgs, ... }:

let
  fqdn = "matrix.berlin.ccc.de";
in
{
  users.users.nginx.extraGroups = [ "acme" ];

  services.nginx = {
    enable = true;
    resolver.addresses = [
      "[2606:4700:4700::1111]"
      "[2620:fe::fe]"
      "1.1.1.1"
      "9.9.9.9"
    ];
    statusPage = true; # http://127.0.0.1/nginx_status
    sslProtocols = "TLSv1.3";
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;
    virtualHosts."${fqdn}" = {
      quic = true;
      kTLS = true;
      forceSSL = true;
      #useACMEHost = fqdn;
      enableACME = true;
      #listen = [
      #  {
      #    addr = "0.0.0.0";
      #    port = 443;
      #    ssl = true;
      #  }
      #  {
      #    addr = "[::]";
      #    port = 443;
      #    ssl = true;
      #  }
      #  {
      #    addr = "0.0.0.0";
      #    port = 8448;
      #    ssl = true;
      #  }
      #  {
      #    addr = "[::]";
      #    port = 8448;
      #    ssl = true;
      #  }
      #];
      locations = {
        #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
        "/".return = "418 \"I'm a Teapot!\"";
        "= /.well-known/matrix/client" = {
          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
          extraConfig = ''
            default_type application/json;
            add_header Access-Control-Allow-Origin "*";
          '';
        };
        "~ ^(/_matrix|/_synapse/client)" = {
          recommendedProxySettings = true;
          proxyPass = "http://[::1]:8008";
          extraConfig = ''
            client_max_body_size 64M;
            proxy_set_header X-Request-ID $request_id;
            proxy_http_version 1.1;
          '';
        };
      };
    };
  };

  #security.acme.certs."${fqdn}" = {
  #  reloadServices = [ "nginx" ];
  #};
}