Use stable channel and use helper function for acme challenge proxy

2023-10-10 15:21:16 +02:00 · 2023-10-10 15:21:16 +02:00 · 27a6513e84
commit 27a6513e84
parent 9c0398a3c1
21 changed files with 257 additions and 319 deletions
--- a/config/hosts/coturn/secrets.nix
+++ b/config/hosts/coturn/secrets.nix
@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv,... }:
 {
  deployment.keys."static-auth-secret.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ];
    destDir = "/secrets";
    user = "turnserver";
    group = "turnserver";
--- a/config/hosts/hydra/secrets.nix
+++ b/config/hosts/hydra/secrets.nix
@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
  deployment.keys."signing-key.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "hydra/signing-key" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ];
    destDir = "/secrets";
    user = "root";
    group = "root";
--- a/config/hosts/jellyfin/secrets.nix
+++ b/config/hosts/jellyfin/secrets.nix
@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
  deployment.keys."samba-credentials.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "jellyfin/samba-credentials" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ];
    destDir = "/secrets";
    user = "root";
    group = "root";
--- a/config/hosts/lifeline/secrets.nix
+++ b/config/hosts/lifeline/secrets.nix
@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."wireguard-lifeline-wg0-privatekey.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-wg0-privatekey" ];
+    "wireguard-lifeline-wg0-privatekey.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-lifeline-mail-2-lifeline-psk.secret" = {
+    "wireguard-lifeline-mail-2-lifeline-psk.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/mail-2/secrets.nix
+++ b/config/hosts/mail-2/secrets.nix
@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."wireguard-mail-2-wg0-privatekey.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/mail-2-wg0-privatekey" ];
+    "wireguard-mail-2-wg0-privatekey.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ];
      destDir = "/secrets";
      user = "root";
      group = "systemd-network";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-lifeline-mail-2-mail-2-psk.secret" = {
+    "wireguard-lifeline-mail-2-mail-2-psk.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/lifeline-mail-2/psk" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "systemd-network";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@ -1,8 +1,8 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
  deployment.keys = {
    "mastodon-secret-key-base.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/secret-key-base" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/secret-key-base" ];
      destDir = "/secrets";
      user = "mastodon";
      group = "mastodon";
@ -10,7 +10,7 @@
      uploadAt = "pre-activation";
    };
    "mastodon-otp-secret.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/otp-secret" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ];
      destDir = "/secrets";
      user = "mastodon";
      group = "mastodon";
@ -18,7 +18,7 @@
      uploadAt = "pre-activation";
    };
    "mastodon-vapid-private-key.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/vapid-private-key" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
      destDir = "/secrets";
      user = "mastodon";
      group = "mastodon";
@ -26,7 +26,7 @@
      uploadAt = "pre-activation";
    };
    "mastodon-email-smtp-pass.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "mastodon/email-smtp-pass" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/email-smtp-pass" ];
      destDir = "/secrets";
      user = "mastodon";
      group = "mastodon";
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@ -1,43 +1,45 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."matrix-registration-shared-secret.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/registration-shared-secret" ];
+    "matrix-registration-shared-secret.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "matrix/registration-shared-secret" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."matrix-turn-shared-secret.secret" = {
+    "matrix-turn-shared-secret.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/turn-shared-secret" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/turn-shared-secret" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."matrix-email-smtp-pass.secret" = {
+    "matrix-email-smtp-pass.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/email-smtp-pass" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/email-smtp-pass" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."matrix-homeserver-signing-key.secret" = {
+    "matrix-homeserver-signing-key.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/homeserver-signing-key" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-signing-key" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."matrix-SYNCV3_SECRET.secret" = {
+    "matrix-SYNCV3_SECRET.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "matrix/SYNCV3_SECRET" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ];
      destDir = "/secrets";
      user = "matrix-synapse";
      group = "matrix-synapse";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/metrics/secrets.nix
+++ b/config/hosts/metrics/secrets.nix
@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."metrics-grafana-admin-password.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/admin-password" ];
+    "metrics-grafana-admin-password.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/admin-password" ];
      destDir = "/secrets";
      user = "grafana";
      group = "grafana";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."metrics-grafana-smtp-password.secret" = {
+    "metrics-grafana-smtp-password.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "metrics/grafana/smtp-password" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "metrics/grafana/smtp-password" ];
      destDir = "/secrets";
      user = "grafana";
      group = "grafana";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/netbox/secrets.nix
+++ b/config/hosts/netbox/secrets.nix
@ -1,7 +1,7 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
  deployment.keys."netbox-secret-key.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "netbox/secret-key" ];
+    keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
    destDir = "/secrets";
    user = "netbox";
    group = "netbox";
--- a/config/hosts/nextcloud/secrets.nix
+++ b/config/hosts/nextcloud/secrets.nix
@ -1,8 +1,8 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
  deployment.keys = {
    "nextcloud-adminpass.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/adminpass" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/adminpass" ];
      destDir = "/secrets";
      user = "nextcloud";
      group = "nextcloud";
@ -10,7 +10,7 @@
      uploadAt = "pre-activation";
    };
    "nextcloud-secretfile.secret" = {
-      keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "nextcloud/secretfile" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "nextcloud/secretfile" ];
      destDir = "/secrets";
      user = "nextcloud";
      group = "nextcloud";
--- a/config/hosts/paperless/secrets.nix
+++ b/config/hosts/paperless/secrets.nix
@ -1,19 +1,21 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."paperless-admin-password.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ];
+    "paperless-admin-password.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ];
      destDir = "/secrets";
      user = "paperless";
      group = "paperless";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."paperless-samba-credentials.secret" = {
+    "paperless-samba-credentials.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/valkyrie/secrets.nix
+++ b/config/hosts/valkyrie/secrets.nix
@ -1,51 +1,53 @@
-{ ... }:
+{ keyCommandEnv, ... }:
 {
-  deployment.keys."wireguard-valkyrie-wg0-privatekey.secret" = {
+  deployment.keys = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg0-privatekey" ];
+    "wireguard-valkyrie-wg0-privatekey.secret" = {
      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg0-privatekey" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-valkyrie-site1-grzb-psk.secret" = {
+    "wireguard-valkyrie-site1-grzb-psk.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-grzb/psk" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-grzb/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-valkyrie-site2-grzb-psk.secret" = {
+    "wireguard-valkyrie-site2-grzb-psk.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site2-grzb/psk" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site2-grzb/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-valkyrie-site1-jsts-psk.secret" = {
+    "wireguard-valkyrie-site1-jsts-psk.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-site1-jsts/psk" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-site1-jsts/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-valkyrie-wg1-privatekey.secret" = {
+    "wireguard-valkyrie-wg1-privatekey.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-wg1-privatekey" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-wg1-privatekey" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
-  deployment.keys."wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
+    "wireguard-valkyrie-mail-1-valkyrie-psk.secret" = {
-    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "wireguard/valkyrie-mail-1/psk" ];
+      keyCommand = keyCommandEnv ++ [ "pass" "wireguard/valkyrie-mail-1/psk" ];
      destDir = "/secrets";
      user = "root";
      group = "root";
      permissions = "0640";
      uploadAt = "pre-activation";
    };
  };
 }
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@ -11,7 +11,10 @@
      worker_connections 1024;
    '';
-    streamConfig = ''
+    appendConfig = ''
      worker_processes auto;
      stream {
        map $ssl_preread_server_name $address {
          anisync.grzb.de 127.0.0.1:8443;
          birdsite.nekover.se 10.202.41.107:8443;
@ -26,7 +29,6 @@
          nix-cache.nekover.se 10.202.41.121:8443;
          social.nekover.se 10.202.41.104:8443;
        }
        server {
          listen 0.0.0.0:443;
          listen [::]:443;
@ -34,10 +36,7 @@
          ssl_preread on;
          proxy_protocol on;
        }
-    '';
+      }
    appendConfig = ''
      worker_processes auto;
    '';
    appendHttpConfig = ''
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@ -1,68 +1,23 @@
 { ... }:
 let
  acmeDomainMap = {
    "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
    "mail-1.grzb.de" = "mail-1.vs.grzb.de";
    "social.nekover.se" = "mastodon.vs.grzb.de";
    "matrix.nekover.se" = "matrix.vs.grzb.de";
    "netbox.grzb.de" = "netbox.vs.grzb.de";
    "grafana.grzb.de" = "metrics.vs.grzb.de";
    "turn.nekover.se" = "coturn.vs.grzb.de";
  };
 in
 {
-  services.nginx.virtualHosts = {
+  services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
    "jellyfin.grzb.de" = {
    listen = [{ 
      addr = "0.0.0.0";
      port = 80;
    }];
    locations."^~ /.well-known/acme-challenge/" = {
-        proxyPass = "http://jellyfin.vs.grzb.de:80";
+      proxyPass = "http://${target}:80";
      };
    };
    "mail-1.grzb.de" = {
      listen = [{ 
        addr = "0.0.0.0";
        port = 80;
      }];
      locations."^~ /.well-known/acme-challenge/" = {
        proxyPass = "http://mail-1.vs.grzb.de:80";
      };
    };
    "mastodon.nekover.se" = {
      listen = [{ 
        addr = "0.0.0.0";
        port = 80;
      }];
      locations."^~ /.well-known/acme-challenge/" = {
        proxyPass = "http://mastodon.vs.grzb.de:80";
      };
    };
    "matrix.nekover.se" = {
      listen = [{ 
        addr = "0.0.0.0";
        port = 80;
      }];
      locations."^~ /.well-known/acme-challenge/" = {
        proxyPass = "http://matrix.vs.grzb.de:80";
      };
    };
    "netbox.grzb.de" = {
      listen = [{ 
        addr = "0.0.0.0";
        port = 80;
      }];
      locations."^~ /.well-known/acme-challenge/" = {
        proxyPass = "http://netbox.vs.grzb.de:80";
      };
    };
    "grafana.grzb.de" = {
      listen = [{ 
        addr = "0.0.0.0";
        port = 80;
      }];
      locations."^~ /.well-known/acme-challenge/" = {
        proxyPass = "http://metrics.vs.grzb.de:80";
      };
    };
    "turn.nekover.se" = {
      listen = [{ 
        addr = "0.0.0.0";
        port = 80;
      }];
      locations."^~ /.well-known/acme-challenge/" = {
        proxyPass = "http://coturn.vs.grzb.de:80";
      };
    };
    };
  }) acmeDomainMap);
 }
--- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix
@ -3,18 +3,12 @@
  services.nginx.virtualHosts."anisync.grzb.de" = {
    forceSSL = true;
    enableACME = true;
-    listen = [
+    listen = [{
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
      addr = "localhost";
      port = 8443;
      ssl = true;
-        proxyProtocol = true;
+      extraParameters = ["proxy_protocol"];
-      }
+    }];
    ];
    locations."/" = {
      proxyPass = "http://anisync.vs.grzb.de:8080";
      proxyWebsockets = true;
--- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
@ -3,18 +3,12 @@
  services.nginx.virtualHosts."gameserver.grzb.de" = {
    forceSSL = true;
    enableACME = true;
-    listen = [
+    listen = [{
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
      addr = "localhost";
      port = 8443;
      ssl = true;
-        proxyProtocol = true;
+      extraParameters = ["proxy_protocol"];
-      }
+    }];
    ];
    locations."/" = {
      proxyPass = "http://pterodactyl.vs.grzb.de";
      extraConfig = ''
--- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
+++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
@ -3,18 +3,12 @@
  services.nginx.virtualHosts."git.grzb.de" = {
    forceSSL = true;
    enableACME = true;
-    listen = [
+    listen = [{
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
      addr = "localhost";
      port = 8443;
      ssl = true;
-        proxyProtocol = true;
+      extraParameters = ["proxy_protocol"];
-      }
+    }];
    ];
    locations."/" = {
      proxyPass = "http://gitlab.vs.grzb.de:80";
      extraConfig = ''
--- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
@ -3,18 +3,12 @@
  services.nginx.virtualHosts."mewtube.nekover.se" = {
    forceSSL = true;
    enableACME = true;
-    listen = [
+    listen = [{
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
      addr = "localhost";
      port = 8443;
      ssl = true;
-        proxyProtocol = true;
+      extraParameters = ["proxy_protocol"];
-      }
+    }];
    ];
    locations."/" = {
      proxyPass = "http://cloudtube.vs.grzb.de:10412";
    };
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@ -3,18 +3,12 @@
  services.nginx.virtualHosts."nekover.se" = {
    forceSSL = true;
    enableACME = true;
-    listen = [
+    listen = [{
      { 
        addr = "localhost";
        port = 1234;
      } # workaround for enableACME check
      {
      addr = "localhost";
      port = 8443;
      ssl = true;
-        proxyProtocol = true;
+      extraParameters = ["proxy_protocol"];
-      }
+    }];
    ];
    locations."/.well-known/matrix/server" = {
      return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
      extraConfig = ''
--- a/flake.nix
+++ b/flake.nix
@ -28,6 +28,9 @@
        specialArgs = {
          inherit nixpkgs-unstable hosts simple-nixos-mailserver;
          # Provide environment for secret key command
          keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ];
        };
      };
    } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
--- a/hosts.nix
+++ b/hosts.nix
@ -102,7 +102,6 @@ in
      environment = "proxmox";
    };
    web-public-2 = {
      hostNixpkgs = nixpkgs-unstable;
      site = "vs";
      environment = "proxmox";
    };