From e77307551f76d4c9616e06dcbd49f095a4bf8fa8 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Thu, 7 Sep 2023 09:01:47 +0200
Subject: [PATCH] Add TLS-SNI forwarding for hedgedoc server

---
 hosts/Emitter.nix | 1 +
 hosts/tls_sni.nix | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 hosts/tls_sni.nix

diff --git a/hosts/Emitter.nix b/hosts/Emitter.nix
index d4421dc..5400a99 100644
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./gitea.nix
+ ./tls_sni.nix
 ];
 
 boot.loader.grub.enable = true;
diff --git a/hosts/tls_sni.nix b/hosts/tls_sni.nix
new file mode 100644
index 0000000..ec4d7ee
--- /dev/null
+++ b/hosts/tls_sni.nix
@@ -0,0 +1,32 @@
+{ ... }:
+{
+ services.nginx = {
+ streamConfig = ''
+ map $ssl_preread_server_name $target_backend {
+ md.gvfr.de rupert;
+ default localserv;
+ }
+
+ upstream rupert {
+ server rupert.gvfr.de:443;
+ }
+
+ upstream localserv {
+ server localhost:4431;
+ }
+
+ server {
+ listen 443;
+
+ # proxy_connect_timeout 1s;
+ # proxy_timeout 3s;
+ # resolver 1.1.1.1;
+
+ proxy_pass $target_backend;
+ ssl_preread on;
+ }
+ '';
+
+ defaultSSLListenPort = 4431;
+ };
+}
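Review bot: The stream `server` block in the new `hosts/tls_sni.nix` passes raw TCP to `localhost:4431`, so every HTTPS virtual host now served on `defaultSSLListenPort = 4431` will see the client address as `127.0.0.1`; access logs, rate limits and any `allow`/`deny` rules in those vhosts lose the real client IP. The usual fix is `proxy_protocol on;` in the stream `server` block, with the http side listening on 4431 with `proxy_protocol` and `set_real_ip_from 127.0.0.1;` / `real_ip_header proxy_protocol;` (the `rupert` upstream has the same issue unless rupert.gvfr.de is also set up for PROXY protocol). `listen 443;` binds IPv4 only, so IPv6 clients that previously reached the HTTPS vhosts on 443 now find no listener there; add `listen [::]:443;` next to it. Since the module's listen addresses are not changed here, port 4431 presumably still binds on all interfaces, so it should stay out of the firewall's allowed ports to keep the backends from being reachable around the SNI map.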