Jimbo/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Move most Nginx proxies to the individual services

Browse source
This commit is contained in:
Jimbo 2024-08-26 13:07:59 -04:00
parent f1d2652c53
commit 1f8156e868
16 changed files with 267 additions and 263 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
flake.nix
View file

@ -50,13 +50,13 @@
# NixOS configuration entrypoint, use 'nixos-rebuild --flake .#your-hostname' # NixOS configuration entrypoint, use 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = { nixosConfigurations = {
JimNixDesktop = nixpkgs.lib.nixosSystem { JimDesktop = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./nixos/desktop.nix ./nixos/desktop.nix
]; ];
}; };
JimNixServer = nixpkgs.lib.nixosSystem { JimServer = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./nixos/server.nix ./nixos/server.nix
@ -68,7 +68,7 @@
# Standalone home-manager configuration entrypoint # Standalone home-manager configuration entrypoint
# Available through 'home-manager --flake .#your-username@your-hostname' # Available through 'home-manager --flake .#your-username@your-hostname'
homeConfigurations = { homeConfigurations = {
"jimbo@JimNixDesktop" = home-manager.lib.homeManagerConfiguration { "jimbo@JimDesktop" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;}; extraSpecialArgs = {inherit inputs outputs;};
modules = [ modules = [
@ -76,7 +76,7 @@
nur.nixosModules.nur nur.nixosModules.nur
]; ];
}; };
"jimbo@JimNixServer" = home-manager.lib.homeManagerConfiguration { "jimbo@JimServer" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;}; extraSpecialArgs = {inherit inputs outputs;};
modules = [ modules = [

4
home-manager/jimbo_desktop.nix
View file

@ -44,8 +44,8 @@
auth = import ./common/auth.nix; auth = import ./common/auth.nix;
in { in {
nixdate = '' nixdate = ''
${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimNixDesktop; ${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimDesktop;
home-manager switch --flake /etc/nixos/.#jimbo@JimNixDesktop; home-manager switch --flake /etc/nixos/.#jimbo@JimDesktop;
notify-send "NixOS switch finished." notify-send "NixOS switch finished."
''; '';
}; };

2
home-manager/tuiapps/ranger.nix
View file

@ -78,7 +78,7 @@
command = ''wine "$1"''; command = ''wine "$1"'';
} }
{ {
condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip, has 7z''; condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip|zst, has 7z'';
command = ''7z x -- "$@"''; command = ''7z x -- "$@"'';
} }
{ {

2
nixos/desktop.nix
View file

@ -31,5 +31,5 @@
./services/mpd.nix ./services/mpd.nix
]; ];
networking.hostName = "JimNixDesktop"; networking.hostName = "JimDesktop";
} }

2
nixos/server.nix
View file

@ -40,5 +40,5 @@
]; ];
services.openssh.ports = [ 2222 ]; services.openssh.ports = [ 2222 ];
networking.hostName = "JimNixServer"; networking.hostName = "JimServer";
} }

13
nixos/server/element.nix
View file

@ -1,8 +1,8 @@
{ let
# Configure the Element web server
nixpkgs.config.element-web.conf = let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
# Configure the Element web server
nixpkgs.config.element-web.conf {
default_server_config = { default_server_config = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.${secrets.jimDomain}"; base_url = "https://matrix.${secrets.jimDomain}";
@ -20,4 +20,11 @@
disable_guests = true; disable_guests = true;
default_theme = "dark"; default_theme = "dark";
}; };
# Serve the Element page over Nginx
services.nginx.virtualHosts."chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
} }

14
nixos/server/gitea.nix
View file

@ -1,7 +1,8 @@
{ let
services.gitea = let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services = {
gitea = {
enable = true; enable = true;
settings = { settings = {
server = { server = {
@ -22,4 +23,13 @@
service.REGISTER_EMAIL_CONFIRM = true; service.REGISTER_EMAIL_CONFIRM = true;
}; };
}; };
nginx.virtualHosts."git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
};
} }

12
nixos/server/lemmy.nix
View file

@ -1,7 +1,8 @@
{ let
services.lemmy = let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services = {
lemmy {
enable = true; enable = true;
nginx.enable = true; nginx.enable = true;
database.createLocally = true; database.createLocally = true;
@ -16,4 +17,11 @@
}; };
}; };
}; };
# Add SSL to webpage
nginx.virtualHosts."lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
};
} }

10
nixos/server/mailserver.nix
View file

@ -50,5 +50,15 @@ in rec {
# Force the mailserver to use a different redis port # Force the mailserver to use a different redis port
redis.servers.rspamd.port = 1515; redis.servers.rspamd.port = 1515;
# The hostname mail ports use
nginx.virtualHosts."mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
}; };
} }

19
nixos/server/nextcloud.nix
View file

@ -1,7 +1,8 @@
{pkgs, ...}: let {pkgs, ...}: let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services.nextcloud = { services = {
nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud29; package = pkgs.nextcloud29;
hostName = "cloud.${secrets.jimDomain}"; hostName = "cloud.${secrets.jimDomain}";
@ -27,4 +28,20 @@ in {
mail_smtpport = 587; mail_smtpport = 587;
}; };
}; };
nginx.virtualHosts."cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
};
} }

117
nixos/server/nginx.nix
View file

@ -43,43 +43,6 @@
}; };
}; };
# Nextcloud Proxy
"cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
# Vaultwarden Proxy
"warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
# Recipes Proxy
"recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
# Bluemap Proxy # Bluemap Proxy
"bluemap.${secrets.jimDomain}" = { "bluemap.${secrets.jimDomain}" = {
enableACME = true; enableACME = true;
@ -90,56 +53,6 @@
}; };
}; };
# Gitea Proxy
"git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
# Pufferpanel Proxy
"panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
# Matrix Proxy
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
# Element Proxy
"chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
# Coturn Proxy
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
# Radio Proxy # Radio Proxy
"radio.${secrets.jimDomain}" = { "radio.${secrets.jimDomain}" = {
enableACME = true; enableACME = true;
@ -149,32 +62,6 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
# Streaming proxy
"live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
# Mail certificate proxy
"mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
# Add SSL to Lemmy
"lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
}; };
appendConfig = '' appendConfig = ''
rtmp { rtmp {
@ -197,10 +84,8 @@
''; '';
}; };
# Force Nginx to work and be able to read+write the hls path # Allow Nginx to read and write to paths
security.pam.services.nginx.setEnvironment = false;
systemd.services.nginx.serviceConfig = { systemd.services.nginx.serviceConfig = {
SupplementaryGroups = [ "shadow" ];
ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ]; ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
}; };
} }

16
nixos/server/owncast.nix
View file

@ -1,8 +1,20 @@
{ let
services.owncast = { secrets = import ../modules/secrets.nix;
in {
services = {
owncast = {
enable = true; enable = true;
port = 8060; port = 8060;
rtmp-port = 1945; rtmp-port = 1945;
listen = "0.0.0.0"; listen = "0.0.0.0";
}; };
nginx.virtualHosts."live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
};
} }

14
nixos/server/pufferpanel.nix
View file

@ -1,7 +1,8 @@
{pkgs, lib, ...}: { {pkgs, lib, ...}: let
services.pufferpanel = let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services = {
pufferpanel = {
enable = true; enable = true;
environment = { environment = {
PUFFER_WEB_HOST = ":5010"; PUFFER_WEB_HOST = ":5010";
@ -20,4 +21,13 @@
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ]; targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
}; };
}; };
nginx.virtualHosts."panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
};
} }

27
nixos/server/synapse.nix
View file

@ -1,7 +1,7 @@
{pkgs, config, ...}: { {pkgs, config, ...}: let
services = let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services = {
# Synapse Matrix server # Synapse Matrix server
matrix-synapse = with config.services.coturn; { matrix-synapse = with config.services.coturn; {
enable = true; enable = true;
@ -92,5 +92,28 @@
cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem"; cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem"; pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem";
}; };
# Nginx
nginx.virtualHosts = {
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
};
}; };
} }

16
nixos/server/tandoor.nix
View file

@ -1,6 +1,18 @@
{ let
services.tandoor-recipes = { secrets = import ../modules/secrets.nix;
in {
services = {
tandoor-recipes = {
enable = true; enable = true;
port = 5030; port = 5030;
}; };
nginx.virtualHosts."recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
};
} }

14
nixos/server/vaultwarden.nix
View file

@ -1,7 +1,8 @@
{ let
services.vaultwarden = let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services = {
vaultwarden = {
enable = true; enable = true;
config = { config = {
DOMAIN = "https://warden.${secrets.jimDomain}"; DOMAIN = "https://warden.${secrets.jimDomain}";
@ -21,4 +22,13 @@
SMTP_TIMEOUT = 15; SMTP_TIMEOUT = 15;
}; };
}; };
nginx.virtualHosts."warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
};
} }