| author | Preston Pan <ret2pop@nullring.xyz> | 2026-02-28 20:20:41 -0800 |
|---|---|---|
| committer | Preston Pan <ret2pop@nullring.xyz> | 2026-02-28 20:20:41 -0800 |
| commit | 99a6f13e70b366a858a543f145528152164858e5 (patch) | |
| tree | ac65987c6a0cd142943ab0c5b45616a1c1356486 /nix/modules/nginx.nix | |
| parent | befb04f3a1cbf7e55da26e08f8c974e72ff6f1cf (diff) | |
use librewolf instead; fix a bunch of problems
Diffstat (limited to 'nix/modules/nginx.nix')
| -rw-r--r-- | nix/modules/nginx.nix | 267 |
1 files changed, 136 insertions, 131 deletions
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index 791e3a4..18fa1eb 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -1,113 +1,108 @@ { config, lib, ... }: { - services.nginx = { - enable = lib.mkDefault config.monorepo.profiles.server.enable; - user = "nginx"; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedProxySettings = false; - - gitweb = { + config = lib.mkIf config.monorepo.profiles.server.enable { + services.nginx = { enable = true; - virtualHost = "${config.monorepo.vars.orgHost}"; - }; - - virtualHosts = { - "matrix.${config.monorepo.vars.orgHost}" = { - enableACME = true; - forceSSL = true; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - { - addr = "[::]"; - port = 8448; - ssl = true; - } - ]; - locations."/_matrix/" = { - proxyPass = "http://127.0.0.1:6167"; - extraConfig = '' + user = "nginx"; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + recommendedProxySettings = false; + virtualHosts = { + "matrix.${config.monorepo.vars.orgHost}" = { + enableACME = config.monorepo.profiles.server.enable; + forceSSL = true; + listen = [ + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + { + addr = "[::]"; + port = 8448; + ssl = true; + } + ]; + locations."/_matrix/" = { + proxyPass = "http://127.0.0.1:6167"; + extraConfig = '' proxy_set_header Host $host; proxy_buffers 32 16k; proxy_read_timeout 5m; ''; - }; - locations."= /.well-known/matrix/server" = { - extraConfig = '' + }; + locations."= /.well-known/matrix/server" = { + extraConfig = '' default_type application/json; add_header Content-Type application/json; add_header Access-Control-Allow-Origin *; ''; - - return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' ''; - }; - locations."/.well-known/matrix/client" = { - extraConfig = '' + + 
return = ''200 '{"m.server": "matrix.${config.monorepo.vars.orgHost}:443"}' ''; + }; + locations."/.well-known/matrix/client" = { + extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; ''; - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'"; - }; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.${config.monorepo.vars.orgHost}\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix.${config.monorepo.vars.orgHost}:8443\"}]}'"; + }; - extraConfig = '' + extraConfig = '' merge_slashes off; ''; - }; + }; - "matrix.${config.monorepo.vars.orgHost}-livekit" = { - serverName = "matrix.${config.monorepo.vars.orgHost}"; - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - } - { - addr = "[::]"; - port = 8443; - ssl = true; - } - ]; - addSSL = true; - enableACME = false; - forceSSL = false; - useACMEHost = "matrix.${config.monorepo.vars.orgHost}"; - - locations."/" = { - proxyPass = "http://127.0.0.1:6495"; - proxyWebsockets = true; - extraConfig = '' + "matrix.${config.monorepo.vars.orgHost}-livekit" = { + serverName = "matrix.${config.monorepo.vars.orgHost}"; + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + } + { + addr = "[::]"; + port = 8443; + ssl = true; + } + ]; + addSSL = true; + enableACME = false; + forceSSL = false; + useACMEHost = "matrix.${config.monorepo.vars.orgHost}"; + + locations."/" = { + proxyPass = "http://127.0.0.1:6495"; + proxyWebsockets = true; + extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; ''; + }; }; - }; - "livekit.${config.monorepo.vars.orgHost}" = { - enableACME = true; - 
forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:7880"; - proxyWebsockets = true; - extraConfig = '' + "livekit.${config.monorepo.vars.orgHost}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:7880"; + proxyWebsockets = true; + extraConfig = '' proxy_read_timeout 3600s; proxy_send_timeout 3600s; 
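Review bot: The `/_matrix/` location still forwards only `Host`, and with `recommendedProxySettings = false` nothing else adds client-address headers, so the backend on 127.0.0.1:6167 sees every request as coming from loopback. If the homeserver logs or rate-limits by client address, add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` there, as the port-8443 vhost in this same hunk already does. Separately, `enableACME = config.monorepo.profiles.server.enable;` is always true inside the new `lib.mkIf config.monorepo.profiles.server.enable` wrapper, so `enableACME = true;` would match the other vhosts; the same applies to the `lib.mkIf` now placed on the `music.` vhost in the second hunk.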
@@ -141,53 +136,62 @@ } # --- CORS CONFIGURATION END --- ''; + }; }; - }; - "ntfy.${config.monorepo.vars.remoteHost}" = { - serverName = "ntfy.${config.monorepo.vars.remoteHost}"; - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:2586"; - proxyWebsockets = true; + "ntfy.${config.monorepo.vars.remoteHost}" = { + serverName = "ntfy.${config.monorepo.vars.remoteHost}"; + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:2586"; + proxyWebsockets = true; + extraConfig = '' +proxy_buffering off; +proxy_request_buffering off + +proxy_set_header Host $host; +proxy_set_header X-Real-IP $remote_addr; +proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +proxy_set_header X-Forwarded-Proto $scheme; +''; + }; }; - }; - "${config.monorepo.vars.remoteHost}" = { - serverName = "${config.monorepo.vars.remoteHost}"; - serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ]; - root = "/var/www/${config.monorepo.vars.internetName}-website/"; - addSSL = true; - enableACME = true; - }; + "${config.monorepo.vars.remoteHost}" = { + serverName = "${config.monorepo.vars.remoteHost}"; + serverAliases = [ "${config.monorepo.vars.internetName}.${config.monorepo.vars.orgHost}" ]; + root = "/var/www/${config.monorepo.vars.internetName}-website/"; + addSSL = true; + enableACME = true; + }; - "git.${config.monorepo.vars.orgHost}" = { - forceSSL = true; - enableACME = true; - }; - "list.${config.monorepo.vars.orgHost}" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://localhost:9090"; - extraConfig = '' + "git.${config.monorepo.vars.orgHost}" = { + forceSSL = true; + enableACME = true; + }; + "list.${config.monorepo.vars.orgHost}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:9090"; + extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; ''; + }; }; - }; - # the port comes from ssh tunnelling - "music.${config.monorepo.vars.remoteHost}" = { - addSSL = true; - enableACME = true; - basicAuthFile = config.sops.secrets."mpd_password".path; - locations."/" = { - proxyPass = "http://localhost:8000"; - extraConfig = '' + # the port comes from ssh tunnelling + "music.${config.monorepo.vars.remoteHost}" = lib.mkIf config.monorepo.profiles.server.enable { + addSSL = true; + enableACME = true; + basicAuthFile = config.sops.secrets."mpd_password".path; + locations."/" = { + proxyPass = "http://localhost:8000"; + extraConfig = '' proxy_buffering off; proxy_http_version 1.1; proxy_set_header Connection ""; @@ -196,21 +200,22 @@ proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_read_timeout 36000s; ''; + }; }; - }; - "${config.monorepo.vars.orgHost}" = { - serverName = "${config.monorepo.vars.orgHost}"; - root = "/var/www/nullring/"; - addSSL = true; - enableACME = true; - }; + "${config.monorepo.vars.orgHost}" = { + serverName = "${config.monorepo.vars.orgHost}"; + root = "/var/www/nullring/"; + addSSL = true; + enableACME = true; + }; - "mail.${config.monorepo.vars.orgHost}" = { - serverName = "mail.${config.monorepo.vars.orgHost}"; - root = "/var/www/dummy"; - addSSL = true; - enableACME = true; + "mail.${config.monorepo.vars.orgHost}" = { + serverName = "mail.${config.monorepo.vars.orgHost}"; + root = "/var/www/dummy"; + addSSL = true; + enableACME = true; + }; }; }; }; |
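Review bot: The added ntfy `extraConfig` has `proxy_request_buffering off` with no terminating semicolon, so nginx will read the following `proxy_set_header Host $host` tokens as extra arguments to that directive and should reject the configuration. It should read `proxy_request_buffering off;`. Also in this hunk, the `music.` vhost keeps `addSSL = true` together with `basicAuthFile`, which leaves the plain-HTTP listener answering with the same basic-auth prompt, so credentials can cross the network unencrypted; `forceSSL = true;` would redirect to HTTPS before authentication is requested. The `music.` block's `extraConfig` continues into the next hunk.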
