Attempt to setup a forward proxy with nginx on altra

Signed-off-by: Magic_RB <magic_rb@redalder.org>

nixos/systems/altra/default.nix

@@ -35,6 +35,7 @@ in
             ./hardware.nix
             ./filesystems.nix
             ./users.nix
+            ./http-synapse-proxy.nix
             ../../common/remote_access.nix
 
             config'.flake.nixosModules.hashicorp

nixos/systems/altra/http-synapse-proxy.nix

@@ -0,0 +1,113 @@
+{ pkgs, inputs', lib, config, ... }:
+let
+  inherit (lib)
+    singleton;
+in
+{
+  users.users.nginx = {
+    group = "nginx";
+    isSystemUser = true;
+    uid = config.ids.uids.nginx;
+  };
+
+  users.groups.nginx = {
+    gid = config.ids.gids.nginx;
+  };
+
+  systemd.services.nginx-proxy =
+    let
+      nginxConfiguration = inputs'.nixng.nglib.generators.toNginx {
+        daemon = "off";
+        worker_processes = 2;
+
+        events."" = {
+          use = "epoll";
+          worker_connections = 128;
+        };
+
+        error_log = "/var/log/nginx/error.log warn";
+
+        http."" = {
+          server_tokens = "off";
+          include = singleton [ "${pkgs.nginx}/conf/mime.types" ];
+          charset = "utf-8";
+
+          access_log = "/var/log/nginx/access.log combined";
+
+          server."" = {
+            listen = [ "8883" ];
+
+            location."/" = {
+              satisfy = "all";
+
+              allow = [ [ "10.64.2.1" ] [ "127.0.0.1" ] ];
+              deny = "all";
+
+              rewrite_by_lua_file
+
+              auth_basic = "\"Administrator’s Area\"";
+              auth_basic_user_file = "/var/secret/htpasswd";
+
+              resolver = "8.8.8.8";
+              proxy_pass = "http://$http_host$uri$is_args$args";
+
+            };
+          };
+        };
+      };
+    in
+      {
+        serviceConfig = {
+          Restart = "always";
+          RestartSec = "10s";
+          # User and group
+          User = "nginx";
+          Group = "nginx";
+          # Runtime directory and mode
+          RuntimeDirectory = "nginx";
+          RuntimeDirectoryMode = "0750";
+          # Cache directory and mode
+          CacheDirectory = "nginx";
+          CacheDirectoryMode = "0750";
+          # Logs directory and mode
+          LogsDirectory = "nginx";
+          LogsDirectoryMode = "0750";
+          # Proc filesystem
+          ProcSubset = "pid";
+          ProtectProc = "invisible";
+          # New file permissions
+          UMask = "0027"; # 0640 / 0750
+          # Capabilities
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
+          # Security
+          NoNewPrivileges = true;
+          # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          PrivateTmp = true;
+          PrivateDevices = true;
+          ProtectHostname = true;
+          ProtectClock = true;
+          ProtectKernelTunables = true;
+          ProtectKernelModules = true;
+          ProtectKernelLogs = true;
+          ProtectControlGroups = true;
+          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          LockPersonality = true;
+          MemoryDenyWriteExecute = false;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          RemoveIPC = true;
+          PrivateMounts = true;
+          # System Call Filtering
+          SystemCallArchitectures = "native";
+          SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid" ];
+        };
+        script = ''
+          ls /proc/self/fd /dev
+          ${pkgs.openresty}/bin/nginx -c ${pkgs.writeText "nginx.cfg" nginxConfiguration}
+        '';
+    };
+}