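let
  # Login for the nginx basic auth that guards the netdata /stats dashboard on
  # every host. NOTE(review): `basicAuth` renders this password into the
  # generated nginx config, which ends up in the world-readable Nix store;
  # `basicAuthFile` pointing at a secret deployed outside the store (e.g. via
  # nixops keys) keeps it out of there.
  basicAuthLogin = { admin = "jkblufies"; };

  # Proxies the local netdata dashboard (127.0.0.1:19999) under /stats/.
  # The named capture `ndpath` is what `$ndpath` in proxyPass refers to, so the
  # location key and the proxyPass must stay in sync. These locations inherit
  # the vhost's basic auth, i.e. the dashboard is not public.
  statsLocations = {
    "/stats" = { return = "301 /stats/"; };
    "~ /stats/(?<ndpath>.*)" = {
      proxyPass = "http://127.0.0.1:19999/$ndpath$is_args$args";
      extraConfig = ''
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        gzip on;
        gzip_proxied any;
        gzip_types *;
      '';
    };
  };

  # Locations serving the HLS stream fetched from `upstream`. Both are public
  # (`auth_basic off`): playlists (.m3u8) get a short `expires` so players keep
  # re-fetching them, segments under /hls are cached in the `hls` zone declared
  # by `hlsCacheConfig`.
  hlsLocations = { upstream, playlistExpires }: {
    "~* \\.(m3u8)$" = {
      proxyPass = "${upstream}$request_uri";
      extraConfig = ''
        #proxy_cache = off;
        expires ${playlistExpires};
        auth_basic off;
      '';
    };
    "/hls" = {
      proxyPass = "${upstream}$request_uri";
      extraConfig = ''
        types {
          application/vnd.apple.mpegurl m3u8;
          video/mp2t ts;
        }
        proxy_cache hls;
        proxy_ignore_headers Cache-Control;
        proxy_cache_valid any 30m;
        auth_basic off;
      '';
    };
  };

  # http-level config for the HLS hosts: the `hls` cache zone plus a resolver.
  # NOTE(review): the cache is kept under /tmp with max_size=10g; confirm the
  # nginx unit may write there and that /tmp is not a RAM-backed tmpfs.
  hlsCacheConfig = ''
    proxy_cache_path /tmp keys_zone=hls:10m max_size=10g inactive=60m use_temp_path=on;
    resolver 1.1.1.1;
  '';

  # One complete machine. Everything shared between the hosts lives here: the
  # deploy target, platform, open ports, netdata (backing /stats), the ACME
  # registration for `domain` and the nginx vhost with basic auth enabled.
  # Only `locations` and `appendHttpConfig` differ per host.
  mkHost = { domain, config_file, locations, appendHttpConfig }: {
    deployment.targetHost = domain;
    nixpkgs.localSystem.system = "x86_64-linux";
    imports = [ config_file ];
    networking.firewall.allowedTCPPorts = [
      80  # HTTP
      443 # HTTPS
    ];
    services.netdata.enable = true;
    services.nginx = {
      enable = true;
      # Use the recommended settings, except the proxy ones: those do funky
      # things with this setup.
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts.${domain} = {
        forceSSL = true;
        enableACME = true;
        # Guards everything that does not explicitly set `auth_basic off`,
        # which in practice is the /stats dashboard.
        basicAuth = basicAuthLogin;
        inherit locations;
      };
      inherit appendHttpConfig;
    };
    security.acme.certs.${domain}.email = "allesmoeglicheundvielmehr@hotmail.de";
    security.acme.acceptTerms = true;
  };

  # Edge node: serves HLS fetched from cdn-master, caching segments locally.
  cdn-node-setup = { domain, config_file, ... }: mkHost {
    inherit domain config_file;
    locations = hlsLocations {
      upstream = "https://cdn-master.live.hacc.media";
      playlistExpires = "3s";
    } // statsLocations;
    appendHttpConfig = hlsCacheConfig;
  };

  # Master: same as a node but pulls the stream from `host-server` (the
  # origin) and lets playlists expire a little faster.
  cdn-master-setup = { domain, config_file, host-server, ... }: mkHost {
    inherit domain config_file;
    locations = hlsLocations {
      upstream = host-server;
      playlistExpires = "2s";
    } // statsLocations;
    appendHttpConfig = hlsCacheConfig;
  };

  # Load balancer: assigns each client to an edge node by source address and
  # redirects it there; only /stats is served locally (behind basic auth, like
  # on the other hosts).
  cdn-loadbalancer-setup = { domain, config_file, nodes, ... }: mkHost {
    inherit domain config_file;
    locations = {
      "/" = {
        # The nodes force SSL anyway, so redirect straight to https and save
        # the clear-text hop.
        return = "301 \"https://\${cdnhosts}\${request_uri}\"";
        extraConfig = ''
          auth_basic off;
        '';
      };
    } // statsLocations;
    # TODO: derive the split from `nodes` instead of hard-coding the hostnames.
    appendHttpConfig = ''
      split_clients "''${remote_addr}" $cdnhosts {
        50% "cdn-node-1.live.hacc.media";
        50% "cdn-node-2.live.hacc.media";
      }
    '';
  };
in {
  network.description = "CDN for some stuff";
  #network.enableRollback = true;

  # NOTE(review): the config_file paths point into one person's home
  # directory; paths relative to this file would let anyone deploy.
  cdn-node-1 = cdn-node-setup {
    domain = "cdn-node-1.live.hacc.media";
    config_file = "/Users/lukas/Documents/nixops/configuration-cdn-node-1.nix";
  };
  cdn-node-2 = cdn-node-setup {
    domain = "cdn-node-2.live.hacc.media";
    config_file = "/Users/lukas/Documents/nixops/configuration-cdn-node-2.nix";
  };
  cdn-master = cdn-master-setup {
    domain = "cdn-master.live.hacc.media";
    config_file = "/Users/lukas/Documents/nixops/configuration-cdn-master.nix";
    host-server = "https://rosenbaum.lukas.studio";
  };
  cdn-loadbalancer = cdn-loadbalancer-setup {
    domain = "cdn-loadbalancer.live.hacc.media";
    config_file = "/Users/lukas/Documents/nixops/configuration-cdn-loadbalancer.nix";
    nodes = { }; # TODO: implement automatic node setting
  };
}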