diff --git a/misskey-service.nix b/misskey-service.nix
index 4c39d37..241ad46 100644
--- a/misskey-service.nix
+++ b/misskey-service.nix
@@ -50,11 +50,29 @@ in {
 credentialsFile = "/etc/nixos-secrets/namecheap-acme";
 group = "nginx";
 };
+ certs."STAR.egirls.gay" = {
+ domain = "*.egirls.gay";
+ dnsProvider = "namecheap";
+ credentialsFile = "/etc/nixos-secrets/namecheap-acme";
+ group = "nginx";
+ };
 };
 networking.firewall.allowedTCPPorts = [ 80 443 ];
- services.nginx = {
+ services.nginx = let
+ listen = [
+ {
+ port = 443;
+ addr = "0.0.0.0";
+ ssl = true;
+ }
+ {
+ port = 80;
+ addr = "0.0.0.0";
+ }
+ ];
+ in {
 enable = true;
 recommendedProxySettings = true;
@@ -62,18 +80,41 @@ in {
 server unix:/var/run/misskey/misskey.sock;
 '';
+ virtualHosts."media.egirls.gay" = {
+ inherit listen;
+
+ forceSSL = true;
+ useACMEHost = "STAR.egirls.gay";
+
+ extraConfig = ''
+ client_max_body_size 1m;
+ '';
+
+ locations."/".extraConfig = ''
+ set $bucket rub-um5oh2ac4yi9c2mf.misskey.egirls.gay;
+ set $region us-east-1;
+
+ proxy_pass https://storage.us-east-1.linodeobjects.com;
+ proxy_set_header Host $bucket.us-east-1.linodeobjects.com;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_intercept_errors on;
+ error_page 400 401 403 404 406 409 410 /404;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_cache off;
+ '';
+
+ locations."/404".extraConfig = ''
+ return 404 "not found";
+ '';
+ };
+
 virtualHosts."egirls.gay" = {
- listen = [
- {
- port = 443;
- addr = "0.0.0.0";
- ssl = true;
- }
- {
- port = 80;
- addr = "0.0.0.0";
- }
- ];
+ inherit listen;
 forceSSL = true;
 useACMEHost = "egirls.gay";
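Review bot: In the first hunk (`@@ -50,11 +50,29 @@`), `certs."STAR.egirls.gay"` requests a wildcard for `*.egirls.gay` and makes its key readable by the `nginx` group, yet the only consumer visible in this diff is the `media.egirls.gay` vhost. A wildcard key is valid for every subdomain, so anything that can read it as that group can serve any name under the zone. If no other subdomain is planned, `domain = "media.egirls.gay";` keeps the certificate scoped to the one host that uses it. If the wildcard is intentional, a comment on the entry listing the hosts that share it would document the decision. The enclosing ACME block opens outside the hunk, so the permissions on `/etc/nixos-secrets/namecheap-acme` cannot be checked from here.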
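Review bot: In the second hunk (`@@ -62,18 +80,41 @@`), the `locations."/"` block for `media.egirls.gay` proxies to `https://storage.us-east-1.linodeobjects.com` without enabling upstream certificate verification. nginx leaves `proxy_ssl_verify` and `proxy_ssl_server_name` off by default, so the connection to the object store is encrypted but the peer is not authenticated. Adding `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (path to be confirmed for this host) closes that gap. The location also forwards every request method to the bucket, so a read-only media host would be safer with `limit_except GET HEAD { deny all; }`. Separately, `set $region us-east-1;` is never referenced, because the region is hard-coded in both `proxy_pass` and the `Host` header.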