# NixOps configuration for the hosts running a Cryptpad server
{ config, pkgs, lib, ... }:

let
  # Public hostname of the pad; shared by the nginx virtual host and its ACME certificate.
  padHost = "pad.mcwhirter.io";
in
{
  # Run the Cryptpad server itself.
  # NOTE(review): only `enable` is set, so the listen address and the origins
  # Cryptpad is configured with are whatever the module defaults to. Upstream
  # Cryptpad guidance expects a second "sandbox" origin (httpSafeOrigin) next
  # to the main one; only a single hostname is configured here - confirm.
  services.cryptpad.enable = true;

  services.nginx = {
    enable = true; # Enable Nginx

    # Turn on the NixOS "recommended" presets for compression, tuning, proxying and TLS.
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Cryptpad hostname
    # NOTE(review): no Content-Security-Policy or other response headers are
    # added in this vhost; Cryptpad's reference nginx config sets them.
    # Confirm whether the backend supplies them itself.
    virtualHosts.${padHost} = {
      enableACME = true; # Use ACME certs
      forceSSL = true; # Force SSL

      locations = {
        # Everything not matched below goes to the Cryptpad backend on port 3000.
        # NOTE(review): [::] is the unspecified address rather than loopback,
        # while /api/config below uses localhost. An explicit loopback target
        # would be clearer; also confirm port 3000 is not reachable from
        # outside this host, since the backend speaks plain HTTP.
        "/".proxyPass = "http://[::]:3000/";

        # WebSocket endpoint: forwarded over HTTP/1.1 with the Upgrade headers set.
        # NOTE(review): recommendedProxySettings may already emit the
        # Host / X-Real-IP / X-Forwarded-For headers - confirm they are not sent twice.
        "^~ /cryptpad_websocket" = {
          proxyPass = "http://[::]:3000";
          extraConfig = ''
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # WebSocket support (nginx 1.4)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection upgrade;
          '';
        };

        "^~ /customize.dist/" = {
          # This is needed in order to prevent infinite recursion between /customize/ and the root
        };

        # Strip the /customize/ prefix, then look for the file under
        # /customize/ first and /customize.dist/ second.
        # NOTE(review): no `root` is set in this vhost, so tryFiles resolves
        # against nginx's default root - confirm that is intended.
        "^~ /customize/" = {
          extraConfig = ''
            rewrite ^/customize/(.*)$ $1 break;
          '';
          tryFiles = "/customize/$uri /customize.dist/$uri";
        };

        # Instance configuration endpoint, proxied to the backend.
        "/api/config" = {
          proxyPass = "http://localhost:3000";
          extraConfig = ''
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };

        # Files under /block/ are served with Cache-Control max-age=0; a
        # missing file is a 404.
        "^~ /block/" = {
          extraConfig = ''
            add_header Cache-Control max-age=0;
          '';
          tryFiles = "$uri =404";
        };

        # App paths requested without a trailing slash are redirected to the
        # slash-terminated form.
        "~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams)$" = {
          extraConfig = ''
            rewrite ^(.*)$ $1/ redirect;
          '';
        };
      };

      #extraConfig = ''
      #  try_files /www/$uri /www/$uri/index.html /customize/$uri;
      #'';
    };
  };

  # ACME: accept the CA's terms of service and set the contact address for this host's certificate.
  security.acme = {
    acceptTerms = true;
    certs.${padHost}.email = "craige@mcwhirter.io";
  };
}