globalized port/vhost config
This commit is contained in:
parent
aa06c9b3e9
commit
181f108308
3 changed files with 103 additions and 68 deletions
|
@ -67,7 +67,7 @@ in
|
|||
concatLines (
|
||||
map (
|
||||
n:
|
||||
"NIXOS_TARGET_HOST=${n} nixos-rebuild build --upgrade --show-trace"
|
||||
"NIXOS_TARGET_HOST=${n} nixos-rebuild build --show-trace --fast"
|
||||
+ optionalString (elem nix-output-monitor config.environment.systemPackages) " |& ${lib.getExe pkgs.nix-output-monitor}"
|
||||
) (attrNames host_modules)
|
||||
)
|
||||
|
|
|
@ -11,49 +11,112 @@ let
|
|||
in
|
||||
{
|
||||
imports = [
|
||||
./matrix.nix
|
||||
./puffer.nix
|
||||
./gitea.nix
|
||||
./grafana.nix
|
||||
./nextcloud.nix
|
||||
./prometheus.nix
|
||||
# ./mjolnir.nix
|
||||
./fail2ban.nix
|
||||
./email.nix
|
||||
./discord-matrix-bridge.nix
|
||||
./mastodon.nix
|
||||
./matrix.nix
|
||||
./puffer.nix
|
||||
./gitea.nix
|
||||
./grafana.nix
|
||||
./nextcloud.nix
|
||||
./prometheus.nix
|
||||
# ./mjolnir.nix
|
||||
./fail2ban.nix
|
||||
./email.nix
|
||||
./discord-matrix-bridge.nix
|
||||
./mastodon.nix
|
||||
];
|
||||
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = root_email;
|
||||
certs."${domain}" = {
|
||||
webroot = "/var/lib/acme/acme-challenge/";
|
||||
options.serverConfig = with lib; {
|
||||
ports = mkOption {
|
||||
type = types.attrsOf types.int;
|
||||
default = { };
|
||||
description = "ports associated with services";
|
||||
};
|
||||
|
||||
vhosts = mkOption {
|
||||
type = types.attrsOf (
|
||||
types.submodule {
|
||||
options = {
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
description = "port to redirect to this vhost";
|
||||
};
|
||||
host = mkOption {
|
||||
type = types.nonEmptyStr;
|
||||
description = "name if the vhost";
|
||||
};
|
||||
};
|
||||
}
|
||||
);
|
||||
default = { };
|
||||
description = "vhosts associated with services";
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
services.nginx = {
|
||||
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||
config = {
|
||||
networking.firewall.allowedTCPPorts =
|
||||
[
|
||||
80
|
||||
443
|
||||
]
|
||||
++ lib.attrValues config.serverConfig.ports
|
||||
++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts);
|
||||
|
||||
virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
root = "/var/www/${domain}";
|
||||
services.nginx.virtualHosts =
|
||||
{
|
||||
"${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = lib.mkForce false; # use the correct cert, not some weird one that matrix-synapse module supplies
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
root = "/var/www/${domain}";
|
||||
};
|
||||
};
|
||||
}
|
||||
// (lib.concatMapAttrs (_: host: {
|
||||
"${host.host}" = {
|
||||
serverName = host.host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString host.port}";
|
||||
};
|
||||
};
|
||||
}) config.serverConfig.vhosts);
|
||||
|
||||
serverConfig = {
|
||||
ports = {
|
||||
puffer_sftp_port = 5657;
|
||||
};
|
||||
vhosts = {
|
||||
puffer_host = {
|
||||
port = 8080;
|
||||
host = "puffer.${domain}";
|
||||
};
|
||||
tlemap_host = {
|
||||
port = 8100;
|
||||
host = "tlemap.${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = root_email;
|
||||
certs."${domain}" = {
|
||||
webroot = "/var/lib/acme/acme-challenge/";
|
||||
extraDomainNames = lib.mapAttrsToList (n: v: v.host) config.serverConfig.vhosts;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
# package = pkgs.nginxStable.override { openssl = pkgs.libressl; };
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "acme" ];
|
||||
};
|
||||
}
|
||||
|
|
|
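Review bot: Appending every vhost's backend port to networking.firewall.allowedTCPPorts (the `++ (lib.mapAttrsToList (n: v: v.port) config.serverConfig.vhosts)` line) exposes the proxied services directly and bypasses the forceSSL nginx vhosts in front of them; since PUFFER_WEB_HOST is set to ":8080" in puffer.nix (which appears to bind all interfaces), the panel becomes reachable over plain HTTP, which the old per-file config avoided by opening only puffer_sftp_port and the game ports. nginx already reaches the backends on 127.0.0.1, so the firewall list should be `[ 80 443 ] ++ lib.attrValues config.serverConfig.ports` with the vhosts term dropped; a vhost that genuinely needs direct exposure can be listed explicitly under ports. Minor: `types.port` would reject out-of-range values that `types.int` accepts for both options, and the host option's description reads "name if the vhost" where "name of the vhost" is meant.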
@ -7,48 +7,20 @@
|
|||
}:
|
||||
let
|
||||
inherit (config.networking) domain;
|
||||
puffer_port = 8080;
|
||||
puffer_sftp_port = 5657;
|
||||
puffer_host = "puffer.${domain}";
|
||||
tlemap_host = "tlemap.${domain}";
|
||||
tlemap_port = 8100;
|
||||
inherit (config.serverConfig) ports vhosts;
|
||||
in
|
||||
{
|
||||
services.pufferpanel = {
|
||||
enable = true;
|
||||
environment = {
|
||||
PUFFER_WEB_HOST = ":${builtins.toString puffer_port}";
|
||||
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString puffer_sftp_port}";
|
||||
PUFFER_WEB_HOST = ":${builtins.toString vhosts.puffer_host.port}";
|
||||
PUFFER_DAEMON_SFTP_HOST = ":${builtins.toString ports.puffer_sftp_port}";
|
||||
};
|
||||
extraPackages = with pkgs; [ ];
|
||||
extraGroups = [ "docker" ];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts."${puffer_host}" = {
|
||||
serverName = puffer_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString puffer_port}";
|
||||
};
|
||||
};
|
||||
virtualHosts."${tlemap_host}" = {
|
||||
serverName = tlemap_host;
|
||||
forceSSL = true;
|
||||
useACMEHost = domain;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString tlemap_port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
security.acme.certs."${domain}".extraDomainNames = [
|
||||
puffer_host
|
||||
tlemap_host
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
puffer_sftp_port
|
||||
25565
|
||||
25566
|
||||
25567
|
||||
|
|