Move most Nginx proxies to the individual services

This commit is contained in:
Jimbo 2024-08-26 13:07:59 -04:00
parent f1d2652c53
commit 1f8156e868
16 changed files with 267 additions and 263 deletions


@ -50,13 +50,13 @@
# NixOS configuration entrypoint, use 'nixos-rebuild --flake .#your-hostname'
nixosConfigurations = {
JimNixDesktop = nixpkgs.lib.nixosSystem {
JimDesktop = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;};
modules = [
./nixos/desktop.nix
];
};
JimNixServer = nixpkgs.lib.nixosSystem {
JimServer = nixpkgs.lib.nixosSystem {
specialArgs = {inherit inputs outputs;};
modules = [
./nixos/server.nix
@ -68,7 +68,7 @@
# Standalone home-manager configuration entrypoint
# Available through 'home-manager --flake .#your-username@your-hostname'
homeConfigurations = {
"jimbo@JimNixDesktop" = home-manager.lib.homeManagerConfiguration {
"jimbo@JimDesktop" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;};
modules = [
@ -76,7 +76,7 @@
nur.nixosModules.nur
];
};
"jimbo@JimNixServer" = home-manager.lib.homeManagerConfiguration {
"jimbo@JimServer" = home-manager.lib.homeManagerConfiguration {
pkgs = nixpkgs.legacyPackages.x86_64-linux;
extraSpecialArgs = {inherit inputs outputs;};
modules = [


@ -44,8 +44,8 @@
auth = import ./common/auth.nix;
in {
nixdate = ''
${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimNixDesktop;
home-manager switch --flake /etc/nixos/.#jimbo@JimNixDesktop;
${auth.method} nixos-rebuild switch --flake /etc/nixos/.#JimDesktop;
home-manager switch --flake /etc/nixos/.#jimbo@JimDesktop;
notify-send "NixOS switch finished."
'';
};


@ -78,7 +78,7 @@
command = ''wine "$1"'';
}
{
condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip, has 7z'';
condition = ''ext 7z|ace|ar|arc|bz2?|cab|cpio|cpt|deb|dgc|dmg|gz|iso|jar|pkg|rar|shar|tar|tgz|xar|xpi|xz|zip|zst, has 7z'';
command = ''7z x -- "$@"'';
}
{
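Review bot: Adding `zst` to the `has 7z` rule on L66 assumes the `7z` binary that satisfies the condition can unpack Zstandard archives, which the common p7zip build cannot; on such systems the rule will match and then fail on every `.zst` file. If the host's 7z is a build without zstd support, a separate rule such as `condition = ''ext zst, has zstd''; command = ''zstd -d -- "$@"'';` placed before this one keeps the fallback working. The surrounding rule list continues outside the hunk.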


@ -31,5 +31,5 @@
./services/mpd.nix
];
networking.hostName = "JimNixDesktop";
networking.hostName = "JimDesktop";
}


@ -40,5 +40,5 @@
];
services.openssh.ports = [ 2222 ];
networking.hostName = "JimNixServer";
networking.hostName = "JimServer";
}


@ -1,8 +1,8 @@
{
# Configure the Element web server
nixpkgs.config.element-web.conf = let
let
secrets = import ../modules/secrets.nix;
in {
in {
# Configure the Element web server
nixpkgs.config.element-web.conf {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${secrets.jimDomain}";
@ -20,4 +20,11 @@
disable_guests = true;
default_theme = "dark";
};
# Serve the Element page over Nginx
services.nginx.virtualHosts."chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
}
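Review bot: The new line `nixpkgs.config.element-web.conf {` (L100) is missing the `=` and will not parse; the Lemmy section has the same slip at `lemmy {` (L155), while the Gitea section shows the intended form `gitea = {`. The fix is `nixpkgs.config.element-web.conf = {` here and `lemmy = {` there. Separately, this file now appears to begin with a bare `let` (L95) with no module argument set, yet `root = "${pkgs.element-web}";` (L112) references `pkgs`; unless a header outside the hunk provides it, `pkgs` is unbound, and the `{pkgs, ...}: let` form used in the Pufferpanel file would resolve that. The vhost also keeps `addSSL` rather than `forceSSL`, so the Element page stays reachable over plain HTTP; that is carried over from the old nginx.nix, so worth a deliberate decision rather than an accident of the move.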


@ -1,7 +1,8 @@
{
services.gitea = let
let
secrets = import ../modules/secrets.nix;
in {
in {
services = {
gitea = {
enable = true;
settings = {
server = {
@ -22,4 +23,13 @@
service.REGISTER_EMAIL_CONFIRM = true;
};
};
nginx.virtualHosts."git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
};
}


@ -1,7 +1,8 @@
{
services.lemmy = let
let
secrets = import ../modules/secrets.nix;
in {
in {
services = {
lemmy {
enable = true;
nginx.enable = true;
database.createLocally = true;
@ -16,4 +17,11 @@
};
};
};
# Add SSL to webpage
nginx.virtualHosts."lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
};
}


@ -50,5 +50,15 @@ in rec {
# Force the mailserver to use a different redis port
redis.servers.rspamd.port = 1515;
# The hostname mail ports use
nginx.virtualHosts."mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
};
}
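Review bot: The comment `# The hostname mail ports use` sitting above the new `nginx.virtualHosts."mx.${secrets.jimDomain}"` block does not describe what the block does, and the old nginx.nix comment `# Mail certificate proxy` that it replaces was the more accurate one. Suggest `# Nginx vhost for the mail hostname: obtains the ACME certificate for mx.* and proxies HTTP to the local service on port 1390`, since nothing in the hunk says which service answers on 1390 and a reader of this file will not have nginx.nix to compare against. The enclosing `services` attrset starts before the hunk (the hunk begins at file line 50), so the closing `};` on L185 could not be checked against its opener.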


@ -1,7 +1,8 @@
{pkgs, ...}: let
secrets = import ../modules/secrets.nix;
in {
services.nextcloud = {
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "cloud.${secrets.jimDomain}";
@ -27,4 +28,20 @@ in {
mail_smtpport = 587;
};
};
nginx.virtualHosts."cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
};
}
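Review bot: The moved `cloud.*` vhost keeps `addSSL = true;`, so a service that accepts passwords and sync credentials stays reachable over plain HTTP; now that the vhost lives next to the Nextcloud options it is the natural place to switch to `forceSSL = true;` and add `https = true;` to the `nextcloud` block so generated links use the https scheme. The `.well-known/carddav` and `.well-known/caldav` redirects in `extraConfig` look like duplicates of the ones the NixOS nextcloud module already installs on its own vhost — worth confirming against the module before keeping them. `locations."/"` sets `proxyWebsockets` with no `proxyPass`, which is how the old nginx.nix had it; presumably the module's own fastcgi location is relied on, but that should be verified rather than carried over silently. The `nextcloud` block's middle is outside the hunk.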


@ -43,43 +43,6 @@
};
};
# Nextcloud Proxy
"cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
# Vaultwarden Proxy
"warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
# Recipes Proxy
"recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
# Bluemap Proxy
"bluemap.${secrets.jimDomain}" = {
enableACME = true;
@ -90,56 +53,6 @@
};
};
# Gitea Proxy
"git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
# Pufferpanel Proxy
"panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
# Matrix Proxy
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
# Element Proxy
"chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
# Coturn Proxy
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
# Radio Proxy
"radio.${secrets.jimDomain}" = {
enableACME = true;
@ -149,32 +62,6 @@
proxyWebsockets = true;
};
};
# Streaming proxy
"live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
# Mail certificate proxy
"mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
# Add SSL to Lemmy
"lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
};
appendConfig = ''
rtmp {
@ -197,10 +84,8 @@
'';
};
# Force Nginx to work and be able to read+write the hls path
security.pam.services.nginx.setEnvironment = false;
# Allow Nginx to read and write to paths
systemd.services.nginx.serviceConfig = {
SupplementaryGroups = [ "shadow" ];
ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
};
}


@ -1,8 +1,20 @@
{
services.owncast = {
let
secrets = import ../modules/secrets.nix;
in {
services = {
owncast = {
enable = true;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
};
nginx.virtualHosts."live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
};
}
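Review bot: The new vhost proxies to `http://127.0.0.1:8060`, but the service it fronts still has `listen = "0.0.0.0";` (L370), so the unencrypted Owncast web interface remains directly reachable on port 8060 from any interface, bypassing the TLS vhost unless a firewall rule elsewhere blocks it. Since the proxy only needs loopback, `listen = "127.0.0.1";` closes that gap; RTMP ingest on 1945 is a separate port and is presumably unaffected, which should be confirmed. The Pufferpanel section has the same pattern with `PUFFER_WEB_HOST = ":5010";` — a bare `:port` binds all interfaces — where `PUFFER_WEB_HOST = "127.0.0.1:5010";` would match its proxy target.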


@ -1,7 +1,8 @@
{pkgs, lib, ...}: {
services.pufferpanel = let
{pkgs, lib, ...}: let
secrets = import ../modules/secrets.nix;
in {
in {
services = {
pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":5010";
@ -20,4 +21,13 @@
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
};
};
nginx.virtualHosts."panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
};
}


@ -1,7 +1,7 @@
{pkgs, config, ...}: {
services = let
{pkgs, config, ...}: let
secrets = import ../modules/secrets.nix;
in {
in {
services = {
# Synapse Matrix server
matrix-synapse = with config.services.coturn; {
enable = true;
@ -92,5 +92,28 @@
cert = "/var/lib/acme/turn.${secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${secrets.jimDomain}.com/key.pem";
};
# Nginx
nginx.virtualHosts = {
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
};
};
}
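Review bot: The `turn.${secrets.jimDomain}` vhost added here is what obtains the certificate, and the NixOS ACME directory for it is `/var/lib/acme/turn.${secrets.jimDomain}/`, yet the coturn `cert` and `pkey` paths in the context just above (L426-L427) read from `/var/lib/acme/turn.${secrets.jimDomain}.com/`. Unless `jimDomain` omits its TLD — the `base_url` and every other vhost in this commit suggest it does not — coturn points at a certificate that no vhost issues, so the suffix should probably be dropped: `cert = "/var/lib/acme/turn.${secrets.jimDomain}/fullchain.pem";`. The `/_matrix` location also sets no `client_max_body_size`, so nginx's 1m default caps media uploads far below Synapse's own limit unless it is set globally in nginx.nix; `"/_matrix" = { proxyPass = "http://127.0.0.1:8008"; extraConfig = "client_max_body_size 50M;"; };` with a value matching `max_upload_size` would align them. The `matrix-synapse` and coturn blocks start before the hunk.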


@ -1,6 +1,18 @@
{
services.tandoor-recipes = {
let
secrets = import ../modules/secrets.nix;
in {
services = {
tandoor-recipes = {
enable = true;
port = 5030;
};
nginx.virtualHosts."recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
};
}


@ -1,7 +1,8 @@
{
services.vaultwarden = let
let
secrets = import ../modules/secrets.nix;
in {
in {
services = {
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://warden.${secrets.jimDomain}";
@ -21,4 +22,13 @@
SMTP_TIMEOUT = 15;
};
};
nginx.virtualHosts."warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
};
}