fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Use stable channel and use helper function for acme challenge proxy

Browse source
This commit is contained in:
yuri 2023-10-10 15:21:16 +02:00
parent 9c0398a3c1
commit 27a6513e84
21 changed files with 257 additions and 319 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
config/hosts/coturn/secrets.nix
View file

@ -1,7 +1,7 @@
{ ... }: { keyCommandEnv,... }:
{ {
deployment.keys."static-auth-secret.secret" = { deployment.keys."static-auth-secret.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ]; keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
destDir = "/secrets"; destDir = "/secrets";
user = "turnserver"; user = "turnserver";
group = "turnserver"; group = "turnserver";

4
config/hosts/hydra/secrets.nix
View file

@ -1,7 +1,7 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."signing-key.secret" = { deployment.keys."signing-key.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ]; keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";

4
config/hosts/jellyfin/secrets.nix
View file

@ -1,7 +1,7 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."samba-credentials.secret" = { deployment.keys."samba-credentials.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ]; keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";

12
config/hosts/lifeline/secrets.nix
View file

@ -1,19 +1,21 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = { deployment.keys = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ]; "wireguard-lifeline-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = { "wireguard-lifeline-mail-2-lifeline-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
};
} }

12
config/hosts/mail-2/secrets.nix
View file

@ -1,19 +1,21 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = { deployment.keys = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ]; "wireguard-mail-2-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "systemd-network"; group = "systemd-network";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = { "wireguard-lifeline-mail-2-mail-2-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "systemd-network"; group = "systemd-network";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
};
} }

10
config/hosts/mastodon/secrets.nix
View file

@ -1,8 +1,8 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys = { deployment.keys = {
"mastodon-secret-key-base.secret" = { "mastodon-secret-key-base.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ]; keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
destDir = "/secrets"; destDir = "/secrets";
user = "mastodon"; user = "mastodon";
group = "mastodon"; group = "mastodon";
@ -10,7 +10,7 @@
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
"mastodon-otp-secret.secret" = { "mastodon-otp-secret.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ]; keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ];
destDir = "/secrets"; destDir = "/secrets";
user = "mastodon"; user = "mastodon";
group = "mastodon"; group = "mastodon";
@ -18,7 +18,7 @@
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
"mastodon-vapid-private-key.secret" = { "mastodon-vapid-private-key.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ]; keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
destDir = "/secrets"; destDir = "/secrets";
user = "mastodon"; user = "mastodon";
group = "mastodon"; group = "mastodon";
@ -26,7 +26,7 @@
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
"mastodon-email-smtp-pass.secret" = { "mastodon-email-smtp-pass.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ]; keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
destDir = "/secrets"; destDir = "/secrets";
user = "mastodon"; user = "mastodon";
group = "mastodon"; group = "mastodon";

24
config/hosts/matrix/secrets.nix
View file

@ -1,43 +1,45 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."matrix-registration-shared-secret.secret" = { deployment.keys = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ]; "matrix-registration-shared-secret.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ];
destDir = "/secrets"; destDir = "/secrets";
user = "matrix-synapse"; user = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."matrix-turn-shared-secret.secret" = { "matrix-turn-shared-secret.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ]; keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ];
destDir = "/secrets"; destDir = "/secrets";
user = "matrix-synapse"; user = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."matrix-email-smtp-pass.secret" = { "matrix-email-smtp-pass.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ]; keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ];
destDir = "/secrets"; destDir = "/secrets";
user = "matrix-synapse"; user = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."matrix-homeserver-signing-key.secret" = { "matrix-homeserver-signing-key.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ]; keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ];
destDir = "/secrets"; destDir = "/secrets";
user = "matrix-synapse"; user = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."matrix-SYNCV3_SECRET.secret" = { "matrix-SYNCV3_SECRET.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ]; keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ];
destDir = "/secrets"; destDir = "/secrets";
user = "matrix-synapse"; user = "matrix-synapse";
group = "matrix-synapse"; group = "matrix-synapse";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
};
} }

12
config/hosts/metrics/secrets.nix
View file

@ -1,19 +1,21 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."metrics-grafana-admin-password.secret" = { deployment.keys = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ]; "metrics-grafana-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
destDir = "/secrets"; destDir = "/secrets";
user = "grafana"; user = "grafana";
group = "grafana"; group = "grafana";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."metrics-grafana-smtp-password.secret" = { "metrics-grafana-smtp-password.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ]; keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
destDir = "/secrets"; destDir = "/secrets";
user = "grafana"; user = "grafana";
group = "grafana"; group = "grafana";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
};
} }

4
config/hosts/netbox/secrets.nix
View file

@ -1,7 +1,7 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."netbox-secret-key.secret" = { deployment.keys."netbox-secret-key.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ]; keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
destDir = "/secrets"; destDir = "/secrets";
user = "netbox"; user = "netbox";
group = "netbox"; group = "netbox";

6
config/hosts/nextcloud/secrets.nix
View file

@ -1,8 +1,8 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys = { deployment.keys = {
"nextcloud-adminpass.secret" = { "nextcloud-adminpass.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ]; keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
destDir = "/secrets"; destDir = "/secrets";
user = "nextcloud"; user = "nextcloud";
group = "nextcloud"; group = "nextcloud";
@ -10,7 +10,7 @@
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
"nextcloud-secretfile.secret" = { "nextcloud-secretfile.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ]; keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
destDir = "/secrets"; destDir = "/secrets";
user = "nextcloud"; user = "nextcloud";
group = "nextcloud"; group = "nextcloud";

12
config/hosts/paperless/secrets.nix
View file

@ -1,19 +1,21 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."paperless-admin-password.secret" = { deployment.keys = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ]; "paperless-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ];
destDir = "/secrets"; destDir = "/secrets";
user = "paperless"; user = "paperless";
group = "paperless"; group = "paperless";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."paperless-samba-credentials.secret" = { "paperless-samba-credentials.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ]; keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
};
} }

28
config/hosts/valkyrie/secrets.nix
View file

@ -1,51 +1,53 @@
{ ... }: { keyCommandEnv, ... }:
{ {
deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = { deployment.keys = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ]; "wireguard-valkyrie-wg0-privatekey.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = { "wireguard-valkyrie-site1-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = { "wireguard-valkyrie-site2-grzb-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = { "wireguard-valkyrie-site1-jsts-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = { "wireguard-valkyrie-wg1-privatekey.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = { "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ]; keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
destDir = "/secrets"; destDir = "/secrets";
user = "root"; user = "root";
group = "root"; group = "root";
permissions = "0640"; permissions = "0640";
uploadAt = "pre-activation"; uploadAt = "pre-activation";
}; };
};
} }

11
config/hosts/web-public-2/nginx.nix
View file

@ -11,7 +11,10 @@
worker_connections 1024; worker_connections 1024;
''; '';
streamConfig = '' appendConfig = ''
worker_processes auto;
stream {
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
anisync.grzb.de 127.0.0.1:8443; anisync.grzb.de 127.0.0.1:8443;
birdsite.nekover.se 10.202.41.107:8443; birdsite.nekover.se 10.202.41.107:8443;
@ -26,7 +29,6 @@
nix-cache.nekover.se 10.202.41.121:8443; nix-cache.nekover.se 10.202.41.121:8443;
social.nekover.se 10.202.41.104:8443; social.nekover.se 10.202.41.104:8443;
} }
server { server {
listen 0.0.0.0:443; listen 0.0.0.0:443;
listen [::]:443; listen [::]:443;
@ -34,10 +36,7 @@
ssl_preread on; ssl_preread on;
proxy_protocol on; proxy_protocol on;
} }
''; }
appendConfig = ''
worker_processes auto;
''; '';
appendHttpConfig = '' appendHttpConfig = ''

73
config/hosts/web-public-2/virtualHosts/acme-challenge.nix
View file

@ -1,68 +1,23 @@
{ ... }: { ... }:
let
acmeDomainMap = {
"jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
"mail-1.grzb.de" = "mail-1.vs.grzb.de";
"social.nekover.se" = "mastodon.vs.grzb.de";
"matrix.nekover.se" = "matrix.vs.grzb.de";
"netbox.grzb.de" = "netbox.vs.grzb.de";
"grafana.grzb.de" = "metrics.vs.grzb.de";
"turn.nekover.se" = "coturn.vs.grzb.de";
};
in
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
"jellyfin.grzb.de" = {
listen = [{ listen = [{
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
}]; }];
locations."^~ /.well-known/acme-challenge/" = { locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://jellyfin.vs.grzb.de:80"; proxyPass = "http://${target}:80";
};
};
"mail-1.grzb.de" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://mail-1.vs.grzb.de:80";
};
};
"mastodon.nekover.se" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://mastodon.vs.grzb.de:80";
};
};
"matrix.nekover.se" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://matrix.vs.grzb.de:80";
};
};
"netbox.grzb.de" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://netbox.vs.grzb.de:80";
};
};
"grafana.grzb.de" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://metrics.vs.grzb.de:80";
};
};
"turn.nekover.se" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://coturn.vs.grzb.de:80";
};
};
}; };
}) acmeDomainMap);
} }

12
config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
View file

@ -3,18 +3,12 @@
services.nginx.virtualHosts."anisync.grzb.de" = { services.nginx.virtualHosts."anisync.grzb.de" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
listen = [ listen = [{
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true; extraParameters = ["proxy_protocol"];
} }];
];
locations."/" = { locations."/" = {
proxyPass = "http://anisync.vs.grzb.de:8080"; proxyPass = "http://anisync.vs.grzb.de:8080";
proxyWebsockets = true; proxyWebsockets = true;

12
config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
View file

@ -3,18 +3,12 @@
services.nginx.virtualHosts."gameserver.grzb.de" = { services.nginx.virtualHosts."gameserver.grzb.de" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
listen = [ listen = [{
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true; extraParameters = ["proxy_protocol"];
} }];
];
locations."/" = { locations."/" = {
proxyPass = "http://pterodactyl.vs.grzb.de"; proxyPass = "http://pterodactyl.vs.grzb.de";
extraConfig = '' extraConfig = ''

12
config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
View file

@ -3,18 +3,12 @@
services.nginx.virtualHosts."git.grzb.de" = { services.nginx.virtualHosts."git.grzb.de" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
listen = [ listen = [{
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true; extraParameters = ["proxy_protocol"];
} }];
];
locations."/" = { locations."/" = {
proxyPass = "http://gitlab.vs.grzb.de:80"; proxyPass = "http://gitlab.vs.grzb.de:80";
extraConfig = '' extraConfig = ''

12
config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
View file

@ -3,18 +3,12 @@
services.nginx.virtualHosts."mewtube.nekover.se" = { services.nginx.virtualHosts."mewtube.nekover.se" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
listen = [ listen = [{
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true; extraParameters = ["proxy_protocol"];
} }];
];
locations."/" = { locations."/" = {
proxyPass = "http://cloudtube.vs.grzb.de:10412"; proxyPass = "http://cloudtube.vs.grzb.de:10412";
}; };

12
config/hosts/web-public-2/virtualHosts/nekover.se.nix
View file

@ -3,18 +3,12 @@
services.nginx.virtualHosts."nekover.se" = { services.nginx.virtualHosts."nekover.se" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
listen = [ listen = [{
{
addr = "localhost";
port = 1234;
} # workaround for enableACME check
{
addr = "localhost"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
proxyProtocol = true; extraParameters = ["proxy_protocol"];
} }];
];
locations."/.well-known/matrix/server" = { locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'"; return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
extraConfig = '' extraConfig = ''

3
flake.nix
View file

@ -28,6 +28,9 @@
specialArgs = { specialArgs = {
inherit nixpkgs-unstable hosts simple-nixos-mailserver; inherit nixpkgs-unstable hosts simple-nixos-mailserver;
# Provide environment for secret key command
keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
}; };
}; };
} // builtins.mapAttrs (helper.generateColmenaHost) hosts; } // builtins.mapAttrs (helper.generateColmenaHost) hosts;

1
hosts.nix
View file

@ -102,7 +102,6 @@ in
environment = "proxmox"; environment = "proxmox";
}; };
web-public-2 = { web-public-2 = {
hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };