Move most Nginx proxies to the individual services

This commit is contained in:
Jimbo 2024-08-26 13:07:59 -04:00
parent f1d2652c53
commit 1f8156e868
16 changed files with 267 additions and 263 deletions

View file

@ -50,13 +50,13 @@
# NixOS configuration entrypoint, use 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = {
JimNixDesktop = nixpkgs.lib.nixosSystem {
JimDesktop = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;};
modules = [
./nixos/desktop.nix
];
};
JimNixServer = nixpkgs.lib.nixosSystem {
JimServer = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;};
modules = [
./nixos/server.nix
@ -68,7 +68,7 @@
# Standalone home-manager configuration entrypoint
# Available through 'home-manager --flake .#your-username@your-hostname'
homeConfigurations = {
"jimbo@JimNixDesktop" = home-manager.lib.homeManagerConfiguration {
"jimbo@JimDesktop" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;};
modules = [
@ -76,7 +76,7 @@
nur.nixosModules.nur
];
};
"jimbo@JimNixServer" = home-manager.lib.homeManagerConfiguration {
"jimbo@JimServer" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;};
modules = [

View file

@ -44,8 +44,8 @@
auth = import ./common/auth.nix;
in {
nixdate = ''
${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimNixDesktop;
home-manager switch --flake /etc/nixos/.#jimbo@JimNixDesktop;
${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimDesktop;
home-manager switch --flake /etc/nixos/.#jimbo@JimDesktop;
notify-send "NixOS switch finished."
'';
};

View file

@ -78,7 +78,7 @@
command = ''wine "$1"'';
}
{
condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip, has 7z'';
condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip|zst, has 7z'';
command = ''7z x -- "$@"'';
}
{

View file

@ -31,5 +31,5 @@
./services/mpd.nix
];
networking.hostName = "JimNixDesktop";
networking.hostName = "JimDesktop";
}

View file

@ -40,5 +40,5 @@
];
services.openssh.ports = [ 2222 ];
networking.hostName = "JimNixServer";
networking.hostName = "JimServer";
}

View file

@ -1,8 +1,8 @@
{
let
secrets = import ../modules/secrets.nix;
in {
# Configure the Element web server
nixpkgs.config.element-web.conf = let
secrets = import ../modules/secrets.nix;
in {
nixpkgs.config.element-web.conf {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${secrets.jimDomain}";
@ -20,4 +20,11 @@
disable_guests = true;
default_theme = "dark";
};
# Serve the Element page over Nginx
services.nginx.virtualHosts."chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
}

View file

@ -1,25 +1,35 @@
{
services.gitea = let
secrets = import ../modules/secrets.nix;
in {
enable = true;
settings = {
server = {
DOMAIN = "git.${secrets.jimDomain}";
ROOT_URL = "https://git.${secrets.jimDomain}:443";
HTTP_PORT = 3110;
SSH_PORT = 2299;
START_SSH_SERVER = true;
let
secrets = import ../modules/secrets.nix;
in {
services = {
gitea = {
enable = true;
settings = {
server = {
DOMAIN = "git.${secrets.jimDomain}";
ROOT_URL = "https://git.${secrets.jimDomain}:443";
HTTP_PORT = 3110;
SSH_PORT = 2299;
START_SSH_SERVER = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mx.${secrets.jimDomain}";
FROM = "Jimbo's Git <noreply@${secrets.jimDomain}>";
USER = "noreply@${secrets.jimDomain}";
PASSWD = secrets.noreplyPassword;
PROTOCOL = "smtps";
};
service.REGISTER_EMAIL_CONFIRM = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mx.${secrets.jimDomain}";
FROM = "Jimbo's Git <noreply@${secrets.jimDomain}>";
USER = "noreply@${secrets.jimDomain}";
PASSWD = secrets.noreplyPassword;
PROTOCOL = "smtps";
};
nginx.virtualHosts."git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
service.REGISTER_EMAIL_CONFIRM = true;
};
};
}

View file

@ -1,19 +1,27 @@
{
services.lemmy = let
secrets = import ../modules/secrets.nix;
in {
enable = true;
nginx.enable = true;
database.createLocally = true;
settings = {
hostname = "lemmy.${secrets.jimDomain}";
email = {
smtp_server = "mx.${secrets.jimDomain}:587";
smtp_login = "noreply@${secrets.jimDomain}";
smtp_from_address = "Jimbo's Lemmy <noreply@${secrets.jimDomain}>";
smtp_password = secrets.noreplyPassword;
tls_type = "starttls";
let
secrets = import ../modules/secrets.nix;
in {
services = {
lemmy {
enable = true;
nginx.enable = true;
database.createLocally = true;
settings = {
hostname = "lemmy.${secrets.jimDomain}";
email = {
smtp_server = "mx.${secrets.jimDomain}:587";
smtp_login = "noreply@${secrets.jimDomain}";
smtp_from_address = "Jimbo's Lemmy <noreply@${secrets.jimDomain}>";
smtp_password = secrets.noreplyPassword;
tls_type = "starttls";
};
};
};
# Add SSL to webpage
nginx.virtualHosts."lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
};
}

View file

@ -50,5 +50,15 @@ in rec {
# Force the mailserver to use a different redis port
redis.servers.rspamd.port = 1515;
# The hostname mail ports use
nginx.virtualHosts."mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
};
}

View file

@ -1,30 +1,47 @@
{pkgs, ...}: let
secrets = import ../modules/secrets.nix;
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "cloud.${secrets.jimDomain}";
datadir = "/mnt/nextcloud";
https = true;
config = {
adminuser = "jimbo";
adminpassFile = "/mnt/nextcloud/password.txt";
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${secrets.jimDomain}" ];
overwriteprotocol = "https";
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "cloud.${secrets.jimDomain}";
datadir = "/mnt/nextcloud";
https = true;
config = {
adminuser = "jimbo";
adminpassFile = "/mnt/nextcloud/password.txt";
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${secrets.jimDomain}" ];
overwriteprotocol = "https";
# Mailserver settings
mail_smtphost = "mx.${secrets.jimDomain}";
mail_domain = "${secrets.jimDomain}";
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${secrets.jimDomain}";
mail_smtppassword = secrets.noreplyPassword;
mail_smtpmode = "smtp";
mail_smtpport = 587;
# Mailserver settings
mail_smtphost = "mx.${secrets.jimDomain}";
mail_domain = "${secrets.jimDomain}";
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${secrets.jimDomain}";
mail_smtppassword = secrets.noreplyPassword;
mail_smtpmode = "smtp";
mail_smtpport = 587;
};
};
nginx.virtualHosts."cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
};
}

View file

@ -15,68 +15,31 @@
"${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "/var/www/jimweb";
root = "/var/www/jimweb";
locations = {
"/.well-known/matrix/client" = {
extraConfig = ''
"/.well-known/matrix/client" = {
extraConfig = ''
default_type application/json;
return 200 '
{
"m.homeserver": {
"base_url": "https://matrix.${secrets.jimDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.org"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.${secrets.jimDomain}"
}
}';
'';
};
"/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '
{
"m.homeserver": {
"base_url": "https://matrix.${secrets.jimDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.org"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.${secrets.jimDomain}"
}
}';
'';
};
"/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
'';
};
};
};
# Nextcloud Proxy
"cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
# Vaultwarden Proxy
"warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
# Recipes Proxy
"recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
'';
};
};
};
@ -90,56 +53,6 @@
};
};
# Gitea Proxy
"git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
# Pufferpanel Proxy
"panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
# Matrix Proxy
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
# Element Proxy
"chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
# Coturn Proxy
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
# Radio Proxy
"radio.${secrets.jimDomain}" = {
enableACME = true;
@ -147,34 +60,8 @@
locations."/" = {
proxyPass = "http://127.0.0.1:255";
proxyWebsockets = true;
};
};
# Streaming proxy
"live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
# Mail certificate proxy
"mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
# Add SSL to Lemmy
"lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
};
appendConfig = ''
rtmp {
@ -197,10 +84,8 @@
'';
};
# Force Nginx to work and be able to read+write the hls path
security.pam.services.nginx.setEnvironment = false;
# Allow Nginx to read and write to paths
systemd.services.nginx.serviceConfig = {
SupplementaryGroups = [ "shadow" ];
ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
};
}

View file

@ -1,8 +1,20 @@
{
services.owncast = {
enable = true;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
let
secrets = import ../modules/secrets.nix;
in {
services = {
owncast = {
enable = true;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
};
nginx.virtualHosts."live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
};
}

View file

@ -1,23 +1,33 @@
{pkgs, lib, ...}: {
services.pufferpanel = let
secrets = import ../modules/secrets.nix;
in {
enable = true;
environment = {
PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${secrets.jimDomain}:587";
PUFFER_PANEL_EMAIL_FROM = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
{pkgs, lib, ...}: let
secrets = import ../modules/secrets.nix;
in {
services = {
pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${secrets.jimDomain}:587";
PUFFER_PANEL_EMAIL_FROM = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
};
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
package = pkgs.buildFHSEnv {
name = "pufferpanel-fhs";
meta.mainProgram = "pufferpanel-fhs";
runScript = lib.getExe pkgs.pufferpanel;
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
};
};
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
package = pkgs.buildFHSEnv {
name = "pufferpanel-fhs";
meta.mainProgram = "pufferpanel-fhs";
runScript = lib.getExe pkgs.pufferpanel;
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
nginx.virtualHosts."panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
};
}

View file

@ -1,7 +1,7 @@
{pkgs, config, ...}: {
services = let
secrets = import ../modules/secrets.nix;
in {
{pkgs, config, ...}: let
secrets = import ../modules/secrets.nix;
in {
services = {
# Synapse Matrix server
matrix-synapse = with config.services.coturn; {
enable = true;
@ -92,5 +92,28 @@
cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem";
};
# Nginx
nginx.virtualHosts = {
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
};
};
}

View file

@ -1,6 +1,18 @@
{
services.tandoor-recipes = {
enable = true;
port = 5030;
let
secrets = import ../modules/secrets.nix;
in {
services = {
tandoor-recipes = {
enable = true;
port = 5030;
};
nginx.virtualHosts."recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
};
}

View file

@ -1,24 +1,34 @@
{
services.vaultwarden = let
secrets = import ../modules/secrets.nix;
in {
enable = true;
config = {
DOMAIN = "https://warden.${secrets.jimDomain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
let
secrets = import ../modules/secrets.nix;
in {
services = {
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://warden.${secrets.jimDomain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Smtp email
SMTP_HOST = "mx.${secrets.jimDomain}";
SMTP_FROM = "Jimbo's Vaultwarden <noreply@${secrets.jimDomain}>";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${secrets.jimDomain}";
SMTP_PASSWORD = secrets.noreplyPassword;
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_TIMEOUT = 15;
# Smtp email
SMTP_HOST = "mx.${secrets.jimDomain}";
SMTP_FROM = "Jimbo's Vaultwarden <noreply@${secrets.jimDomain}>";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${secrets.jimDomain}";
SMTP_PASSWORD = secrets.noreplyPassword;
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_TIMEOUT = 15;
};
};
nginx.virtualHosts."warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
};
}