globalized port/vhost config

This commit is contained in:
Grimmauld 2024-05-09 12:16:28 +02:00
parent aa06c9b3e9
commit 181f108308
Signed by: Grimmauld
GPG key ID: C2946668769F91FB
3 changed files with 103 additions and 68 deletions

View file

@ -67,7 +67,7 @@ in
concatLines (
map (
n:
"NIXOS_TARGET_HOST=${n} nixos-rebuild build --upgrade --show-trace"
"NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --fast"
+ optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${lib.getExe pkgs.nix-output-monitor}"
) (attrNames host_modules)
)

View file

@ -11,49 +11,112 @@ let
in
{
imports = [
./matrix.nix
./puffer.nix
./gitea.nix
./grafana.nix
./nextcloud.nix
./prometheus.nix
# ./mjolnir.nix
./fail2ban.nix
./email.nix
./discord-matrix-bridge.nix
./mastodon.nix
./matrix.nix
./puffer.nix
./gitea.nix
./grafana.nix
./nextcloud.nix
./prometheus.nix
# ./mjolnir.nix
./fail2ban.nix
./email.nix
./discord-matrix-bridge.nix
./mastodon.nix
];
security.acme = {
acceptTerms = true;
defaults.email = root_email;
certs."${domain}" = {
webroot = "/var/lib/acme/acme-challenge/";
options.serverConfig = with lib; {
ports = mkOption {
type = types.attrsOf types.int;
default = { };
description = "ports associated with services";
};
vhosts = mkOption {
type = types.attrsOf (
types.submodule {
options = {
port = mkOption {
type = types.int;
description = "port to redirect to this vhost";
};
host = mkOption {
type = types.nonEmptyStr;
description = "name if the vhost";
};
};
}
);
default = { };
description = "vhosts associated with services";
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
config = {
networking.firewall.allowedTCPPorts =
[
80
443
]
++ lib.attrValues config.serverConfig.ports
++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts);
virtualHosts."${domain}" = {
forceSSL = true;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
useACMEHost = domain;
locations."/" = {
root = "/var/www/${domain}";
services.nginx.virtualHosts =
{
"${domain}" = {
forceSSL = true;
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
useACMEHost = domain;
locations."/" = {
root = "/var/www/${domain}";
};
};
}
// (lib.concatMapAttrs (_: host: {
"${host.host}" = {
serverName = host.host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString host.port}";
};
};
}) config.serverConfig.vhosts);
serverConfig = {
ports = {
puffer_sftp_port = 5657;
};
vhosts = {
puffer_host = {
port = 8080;
host = "puffer.${domain}";
};
tlemap_host = {
port = 8100;
host = "tlemap.${domain}";
};
};
};
};
users.users.nginx.extraGroups = [ "acme" ];
security.acme = {
acceptTerms = true;
defaults.email = root_email;
certs."${domain}" = {
webroot = "/var/lib/acme/acme-challenge/";
extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
};
};
services.nginx = {
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
};
users.users.nginx.extraGroups = [ "acme" ];
};
}

View file

@ -7,48 +7,20 @@
}:
let
inherit (config.networking) domain;
puffer_port = 8080;
puffer_sftp_port = 5657;
puffer_host = "puffer.${domain}";
tlemap_host = "tlemap.${domain}";
tlemap_port = 8100;
inherit (config.serverConfig) ports vhosts;
in
{
services.pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
PUFFER_WEB_HOST = ":${builtins.toString vhosts.puffer_host.port}";
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString ports.puffer_sftp_port}";
};
extraPackages = with pkgs; [ ];
extraGroups = [ "docker" ];
};
services.nginx = {
enable = true;
virtualHosts."${puffer_host}" = {
serverName = puffer_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
};
};
virtualHosts."${tlemap_host}" = {
serverName = tlemap_host;
forceSSL = true;
useACMEHost = domain;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
};
};
};
security.acme.certs."${domain}".extraDomainNames = [
puffer_host
tlemap_host
];
networking.firewall.allowedTCPPorts = [
puffer_sftp_port
25565
25566
25567