Move most Nginx proxies to the individual services

This commit is contained in:
Jimbo 2024-08-26 13:07:59 -04:00
parent f1d2652c53
commit 1f8156e868
16 changed files with 267 additions and 263 deletions


@ -50,13 +50,13 @@
# NixOS configuration entrypoint, use 'nixos-rebuild --flake .#your-hostname' # NixOS configuration entrypoint, use 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = { nixosConfigurations = {
JimNixDesktop = nixpkgs.lib.nixosSystem { JimDesktop = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./nixos/desktop.nix ./nixos/desktop.nix
]; ];
}; };
JimNixServer = nixpkgs.lib.nixosSystem { JimServer = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;}; specialArgs = {inherit inputs outputs;};
modules = [ modules = [
./nixos/server.nix ./nixos/server.nix
@ -68,7 +68,7 @@
# Standalone home-manager configuration entrypoint # Standalone home-manager configuration entrypoint
# Available through 'home-manager --flake .#your-username@your-hostname' # Available through 'home-manager --flake .#your-username@your-hostname'
homeConfigurations = { homeConfigurations = {
"jimbo@JimNixDesktop" = home-manager.lib.homeManagerConfiguration { "jimbo@JimDesktop" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;}; extraSpecialArgs = {inherit inputs outputs;};
modules = [ modules = [
@ -76,7 +76,7 @@
nur.nixosModules.nur nur.nixosModules.nur
]; ];
}; };
"jimbo@JimNixServer" = home-manager.lib.homeManagerConfiguration { "jimbo@JimServer" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux; pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;}; extraSpecialArgs = {inherit inputs outputs;};
modules = [ modules = [


@ -44,8 +44,8 @@
auth = import ./common/auth.nix; auth = import ./common/auth.nix;
in { in {
nixdate = '' nixdate = ''
${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimNixDesktop; ${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimDesktop;
home-manager switch --flake /etc/nixos/.#jimbo@JimNixDesktop; home-manager switch --flake /etc/nixos/.#jimbo@JimDesktop;
notify-send "NixOS switch finished." notify-send "NixOS switch finished."
''; '';
}; };


@ -78,7 +78,7 @@
command = ''wine "$1"''; command = ''wine "$1"'';
} }
{ {
condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip, has 7z''; condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip|zst, has 7z'';
command = ''7z x -- "$@"''; command = ''7z x -- "$@"'';
} }
{ {


@ -31,5 +31,5 @@
./services/mpd.nix ./services/mpd.nix
]; ];
networking.hostName = "JimNixDesktop"; networking.hostName = "JimDesktop";
} }


@ -40,5 +40,5 @@
]; ];
services.openssh.ports = [ 2222 ]; services.openssh.ports = [ 2222 ];
networking.hostName = "JimNixServer"; networking.hostName = "JimServer";
} }


@ -1,8 +1,8 @@
{ let
secrets = import ../modules/secrets.nix;
in {
# Configure the Element web server # Configure the Element web server
nixpkgs.config.element-web.conf = let nixpkgs.config.element-web.conf {
secrets = import ../modules/secrets.nix;
in {
default_server_config = { default_server_config = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.${secrets.jimDomain}"; base_url = "https://matrix.${secrets.jimDomain}";
@ -20,4 +20,11 @@
disable_guests = true; disable_guests = true;
default_theme = "dark"; default_theme = "dark";
}; };
# Serve the Element page over Nginx
services.nginx.virtualHosts."chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
} }
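Review bot: The new binding at the top of the Element config drops its `=` — `nixpkgs.config.element-web.conf {` is not valid inside a Nix attrset and the file will fail to parse; it should read `nixpkgs.config.element-web.conf = {`. The same typo appears in the lemmy section further down (`lemmy {` inside the new `services = {` should be `lemmy = {`). Separately, the moved `chat.${secrets.jimDomain}` vhost uses `root = "${pkgs.element-web}"`, but this file now starts with a bare `let` and never takes `pkgs` as a module argument, so once the parse error is fixed evaluation would stop on an undefined `pkgs`; starting the file with `{pkgs, ...}: let`, as the nextcloud and pufferpanel files in this commit do, brings it into scope. The middle of the conf attrset lies between the two hunks.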


@ -1,25 +1,35 @@
{ let
services.gitea = let secrets = import ../modules/secrets.nix;
secrets = import ../modules/secrets.nix; in {
in { services = {
enable = true; gitea = {
settings = { enable = true;
server = { settings = {
DOMAIN = "git.${secrets.jimDomain}"; server = {
ROOT_URL = "https://git.${secrets.jimDomain}:443"; DOMAIN = "git.${secrets.jimDomain}";
HTTP_PORT = 3110; ROOT_URL = "https://git.${secrets.jimDomain}:443";
SSH_PORT = 2299; HTTP_PORT = 3110;
START_SSH_SERVER = true; SSH_PORT = 2299;
START_SSH_SERVER = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mx.${secrets.jimDomain}";
FROM = "Jimbo's Git <noreply@${secrets.jimDomain}>";
USER = "noreply@${secrets.jimDomain}";
PASSWD = secrets.noreplyPassword;
PROTOCOL = "smtps";
};
service.REGISTER_EMAIL_CONFIRM = true;
}; };
mailer = { };
ENABLED = true; nginx.virtualHosts."git.${secrets.jimDomain}" = {
SMTP_ADDR = "mx.${secrets.jimDomain}"; enableACME = true;
FROM = "Jimbo's Git <noreply@${secrets.jimDomain}>"; forceSSL = true;
USER = "noreply@${secrets.jimDomain}"; locations."/" = {
PASSWD = secrets.noreplyPassword; proxyPass = "http://127.0.0.1:3110";
PROTOCOL = "smtps"; proxyWebsockets = true;
}; };
service.REGISTER_EMAIL_CONFIRM = true;
}; };
}; };
} }


@ -1,19 +1,27 @@
{ let
services.lemmy = let secrets = import ../modules/secrets.nix;
secrets = import ../modules/secrets.nix; in {
in { services = {
enable = true; lemmy {
nginx.enable = true; enable = true;
database.createLocally = true; nginx.enable = true;
settings = { database.createLocally = true;
hostname = "lemmy.${secrets.jimDomain}"; settings = {
email = { hostname = "lemmy.${secrets.jimDomain}";
smtp_server = "mx.${secrets.jimDomain}:587"; email = {
smtp_login = "noreply@${secrets.jimDomain}"; smtp_server = "mx.${secrets.jimDomain}:587";
smtp_from_address = "Jimbo's Lemmy <noreply@${secrets.jimDomain}>"; smtp_login = "noreply@${secrets.jimDomain}";
smtp_password = secrets.noreplyPassword; smtp_from_address = "Jimbo's Lemmy <noreply@${secrets.jimDomain}>";
tls_type = "starttls"; smtp_password = secrets.noreplyPassword;
tls_type = "starttls";
};
}; };
}; };
# Add SSL to webpage
nginx.virtualHosts."lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
}; };
} }


@ -50,5 +50,15 @@ in rec {
# Force the mailserver to use a different redis port # Force the mailserver to use a different redis port
redis.servers.rspamd.port = 1515; redis.servers.rspamd.port = 1515;
# The hostname mail ports use
nginx.virtualHosts."mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
}; };
} }
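Review bot: The comment on the new vhost, `# The hostname mail ports use`, does not say what the vhost is for or what is listening on `127.0.0.1:1390`; the comment this replaces in the nginx file, `# Mail certificate proxy`, was the more useful description. Suggest something like `# Vhost for the mx hostname: obtains its ACME certificate and proxies <service on :1390>` with the backend service named explicitly. The enclosing `in rec {` attrset begins before this hunk.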


@ -1,30 +1,47 @@
{pkgs, ...}: let {pkgs, ...}: let
secrets = import ../modules/secrets.nix; secrets = import ../modules/secrets.nix;
in { in {
services.nextcloud = { services = {
enable = true; nextcloud = {
package = pkgs.nextcloud29; enable = true;
hostName = "cloud.${secrets.jimDomain}"; package = pkgs.nextcloud29;
datadir = "/mnt/nextcloud"; hostName = "cloud.${secrets.jimDomain}";
https = true; datadir = "/mnt/nextcloud";
config = { https = true;
adminuser = "jimbo"; config = {
adminpassFile = "/mnt/nextcloud/password.txt"; adminuser = "jimbo";
}; adminpassFile = "/mnt/nextcloud/password.txt";
settings = { };
trusted_proxies = [ "127.0.0.1" ]; settings = {
trusted_domains = [ "cloud.${secrets.jimDomain}" ]; trusted_proxies = [ "127.0.0.1" ];
overwriteprotocol = "https"; trusted_domains = [ "cloud.${secrets.jimDomain}" ];
overwriteprotocol = "https";
# Mailserver settings # Mailserver settings
mail_smtphost = "mx.${secrets.jimDomain}"; mail_smtphost = "mx.${secrets.jimDomain}";
mail_domain = "${secrets.jimDomain}"; mail_domain = "${secrets.jimDomain}";
mail_from_address = "noreply"; mail_from_address = "noreply";
mail_smtpauth = "true"; mail_smtpauth = "true";
mail_smtpname = "noreply@${secrets.jimDomain}"; mail_smtpname = "noreply@${secrets.jimDomain}";
mail_smtppassword = secrets.noreplyPassword; mail_smtppassword = secrets.noreplyPassword;
mail_smtpmode = "smtp"; mail_smtpmode = "smtp";
mail_smtpport = 587; mail_smtpport = 587;
};
};
nginx.virtualHosts."cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
}; };
}; };
} }
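Review bot: The moved `cloud.${secrets.jimDomain}` vhost uses `addSSL = true`, which keeps a plain-HTTP listener next to TLS, while the module config just above it sets `https = true` and `overwriteprotocol = "https"` and every other proxy in this commit uses `forceSSL`; unless the Nextcloud module already forces the redirect on its generated vhost, `forceSSL = true;` would make the two consistent and stop logins from being accepted over cleartext. Minor: `locations."/"` sets `proxyWebsockets = true` without a `proxyPass`, so it only adds upgrade headers to the module's own `/` location; if that is intentional a one-line comment saying so would help the next reader.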


@ -15,68 +15,31 @@
"${secrets.jimDomain}" = { "${secrets.jimDomain}" = {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
root = "/var/www/jimweb"; root = "/var/www/jimweb";
locations = { locations = {
"/.well-known/matrix/client" = { "/.well-known/matrix/client" = {
extraConfig = '' extraConfig = ''
default_type application/json;
return 200 '
{
"m.homeserver": {
"base_url": "https://matrix.${secrets.jimDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.org"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.${secrets.jimDomain}"
}
}';
'';
};
"/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json; default_type application/json;
return 200 ' return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
{ '';
"m.homeserver": { };
"base_url": "https://matrix.${secrets.jimDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.org"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.${secrets.jimDomain}"
}
}';
'';
};
"/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
'';
};
};
};
# Nextcloud Proxy
"cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
# Vaultwarden Proxy
"warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
# Recipes Proxy
"recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
}; };
}; };
@ -90,56 +53,6 @@
}; };
}; };
# Gitea Proxy
"git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
# Pufferpanel Proxy
"panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
# Matrix Proxy
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
# Element Proxy
"chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
# Coturn Proxy
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
# Radio Proxy # Radio Proxy
"radio.${secrets.jimDomain}" = { "radio.${secrets.jimDomain}" = {
enableACME = true; enableACME = true;
@ -147,34 +60,8 @@
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:255"; proxyPass = "http://127.0.0.1:255";
proxyWebsockets = true; proxyWebsockets = true;
};
};
# Streaming proxy
"live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
}; };
}; };
# Mail certificate proxy
"mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
# Add SSL to Lemmy
"lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
}; };
appendConfig = '' appendConfig = ''
rtmp { rtmp {
@ -197,10 +84,8 @@
''; '';
}; };
# Force Nginx to work and be able to read+write the hls path # Allow Nginx to read and write to paths
security.pam.services.nginx.setEnvironment = false;
systemd.services.nginx.serviceConfig = { systemd.services.nginx.serviceConfig = {
SupplementaryGroups = [ "shadow" ];
ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ]; ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
}; };
} }
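Review bot: The rendered first hunk leaves it unclear whether `/.well-known/matrix/client` still returns the homeserver document: on the new side the lines directly under its `extraConfig = ''` read `default_type application/json; return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}'; ''; };`, which is the body of the `/.well-known/matrix/server` location, so please confirm that both well-known locations still serve their own JSON (the client document is the one carrying the `org.matrix.msc3575.proxy` entry). In the last hunk, dropping `SupplementaryGroups = [ "shadow" ]` and the PAM setting is a welcome privilege reduction; the new comment `# Allow Nginx to read and write to paths` could say which path and why, e.g. `# Let nginx write HLS segments under the streams directory`. The `nginx.virtualHosts` attrset starts before the first hunk.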


@ -1,8 +1,20 @@
{ let
services.owncast = { secrets = import ../modules/secrets.nix;
enable = true; in {
port = 8060; services = {
rtmp-port = 1945; owncast = {
listen = "0.0.0.0"; enable = true;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
};
nginx.virtualHosts."live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
}; };
} }
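Review bot: The owncast web listener stays on `listen = "0.0.0.0"` with `port = 8060` while the new `live.${secrets.jimDomain}` vhost proxies to `127.0.0.1:8060`, so unless the host firewall blocks 8060 the plain-HTTP backend is reachable directly and the TLS vhost can be bypassed; if `listen` governs only the web server and not RTMP on 1945, `listen = "127.0.0.1";` is enough. The pufferpanel section below has the same shape — `PUFFER_WEB_HOST = ":5010"` binds every interface behind a `127.0.0.1:5010` proxy — where `PUFFER_WEB_HOST = "127.0.0.1:5010";` would match how vaultwarden in this commit pins `ROCKET_ADDRESS = "127.0.0.1"`.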


@ -1,23 +1,33 @@
{pkgs, lib, ...}: { {pkgs, lib, ...}: let
services.pufferpanel = let secrets = import ../modules/secrets.nix;
secrets = import ../modules/secrets.nix; in {
in { services = {
enable = true; pufferpanel = {
environment = { enable = true;
PUFFER_WEB_HOST = ":5010"; environment = {
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${secrets.jimDomain}"; PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp"; PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_HOST = "mx.${secrets.jimDomain}:587"; PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_FROM = "noreply@${secrets.jimDomain}"; PUFFER_PANEL_EMAIL_HOST = "mx.${secrets.jimDomain}:587";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${secrets.jimDomain}"; PUFFER_PANEL_EMAIL_FROM = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword; PUFFER_PANEL_EMAIL_USERNAME = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
};
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
package = pkgs.buildFHSEnv {
name = "pufferpanel-fhs";
meta.mainProgram = "pufferpanel-fhs";
runScript = lib.getExe pkgs.pufferpanel;
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
};
}; };
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ]; nginx.virtualHosts."panel.${secrets.jimDomain}" = {
package = pkgs.buildFHSEnv { enableACME = true;
name = "pufferpanel-fhs"; forceSSL = true;
meta.mainProgram = "pufferpanel-fhs"; locations."/" = {
runScript = lib.getExe pkgs.pufferpanel; proxyPass = "http://127.0.0.1:5010";
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ]; proxyWebsockets = true;
};
}; };
}; };
} }


@ -1,7 +1,7 @@
{pkgs, config, ...}: { {pkgs, config, ...}: let
services = let secrets = import ../modules/secrets.nix;
secrets = import ../modules/secrets.nix; in {
in { services = {
# Synapse Matrix server # Synapse Matrix server
matrix-synapse = with config.services.coturn; { matrix-synapse = with config.services.coturn; {
enable = true; enable = true;
@ -92,5 +92,28 @@
cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem"; cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem"; pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem";
}; };
# Nginx
nginx.virtualHosts = {
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
};
}; };
} }
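Review bot: The coturn `cert`/`pkey` paths in the context lines, `/var/lib/acme/turn.${secrets.jimDomain}.com/…`, append `.com` to the domain, but the vhost added here requests its ACME certificate for `turn.${secrets.jimDomain}` with no `.com`, and every other use of `secrets.jimDomain` in this commit treats it as a full domain; if that is the case the certificate ACME issues will live under `/var/lib/acme/turn.${secrets.jimDomain}/` and coturn will not find it. Suggest dropping the `.com` suffix on both lines, or a comment explaining why the paths differ. The `matrix-synapse` and `coturn` definitions sit between the two hunks, outside this view.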


@ -1,6 +1,18 @@
{ let
services.tandoor-recipes = { secrets = import ../modules/secrets.nix;
enable = true; in {
port = 5030; services = {
tandoor-recipes = {
enable = true;
port = 5030;
};
nginx.virtualHosts."recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
}; };
} }


@ -1,24 +1,34 @@
{ let
services.vaultwarden = let secrets = import ../modules/secrets.nix;
secrets = import ../modules/secrets.nix; in {
in { services = {
enable = true; vaultwarden = {
config = { enable = true;
DOMAIN = "https://warden.${secrets.jimDomain}"; config = {
SIGNUPS_ALLOWED = false; DOMAIN = "https://warden.${secrets.jimDomain}";
ROCKET_ADDRESS = "127.0.0.1"; SIGNUPS_ALLOWED = false;
ROCKET_PORT = 8222; ROCKET_ADDRESS = "127.0.0.1";
ROCKET_LOG = "critical"; ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Smtp email # Smtp email
SMTP_HOST = "mx.${secrets.jimDomain}"; SMTP_HOST = "mx.${secrets.jimDomain}";
SMTP_FROM = "Jimbo's Vaultwarden <noreply@${secrets.jimDomain}>"; SMTP_FROM = "Jimbo's Vaultwarden <noreply@${secrets.jimDomain}>";
SMTP_FROM_NAME = "Vaultwarden"; SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${secrets.jimDomain}"; SMTP_USERNAME = "noreply@${secrets.jimDomain}";
SMTP_PASSWORD = secrets.noreplyPassword; SMTP_PASSWORD = secrets.noreplyPassword;
SMTP_SECURITY = "starttls"; SMTP_SECURITY = "starttls";
SMTP_PORT = 587; SMTP_PORT = 587;
SMTP_TIMEOUT = 15; SMTP_TIMEOUT = 15;
};
};
nginx.virtualHosts."warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
}; };
}; };
} }