fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add config for public reverse proxy

Browse source
This commit is contained in:
yuri 2023-07-20 06:29:15 +02:00
commit 85f427edf0
7 changed files with 325 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

1
configuration/common/default.nix
View file

@ -48,6 +48,7 @@
security.acme = {
defaults.email = "acme@grzb.de";
acceptTerms = true;
preliminarySelfsigned = true;
};
services.fstrim.enable = true;

6
flake.lock generated
View file

@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1689534811,
"narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
"lastModified": 1689679375,
"narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
"rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
"type": "github"
},
"original": {

3
flake.nix
View file

@ -20,6 +20,9 @@
#hydra = {
# site = "vs";
#};
web-public-2 = {
site = "vs";
};
};
generateColmenaHost = name: host : {

16
hosts/web-public-2/configuration.nix
View file

@ -5,8 +5,20 @@
device = "/dev/vda";
};
networking = {
hostName = "web-public-02";
networking = {
interfaces = {
"enp6s18".ipv6.addresses = [{
address = "2001:470:5429::96";
prefixLength = 64;
}];
};
defaultGateway6 = {
address = "2001:470:5429::1";
interface = "enp6s18";
};
hostName = "web-public-2";
firewall.enable = false;
};

303
hosts/web-public-2/nginx.nix
View file

@ -1,6 +1,307 @@
{ ... }:
{ pkgs, ... }:
{
services.nginx = {
enable = true;
streamConfig = ''
map $ssl_preread_server_name $address {
anisync.grzb.de 127.0.0.1:8443;
birdsite.nekover.se 127.0.0.1:8443;
element.nekover.se 127.0.0.1:8443;
gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443;
hydra.nekover.se hydra.vs.grzb.de:8443;
matrix.nekover.se 127.0.0.1:8443;
mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443;
nextcloud.grzb.de 127.0.0.1:8443;
nix-cache.nekover.se hydra.vs.grzb.de:8443;
social.nekover.se 127.0.0.1:8443;
}
server {
listen 0.0.0.0:443;
listen [::]:443;
proxy_pass $address;
ssl_preread on;
proxy_protocol on;
}
'';
virtualHosts = {
"nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
extraConfig = ''
add_header Content-Type application/json;
'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
};
"anisync.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://anisync.vs.grzb.de:8080";
proxyWebsockets = true;
};
extraConfig = ''
add_header X-Content-Type-Options nosniff;
'';
};
"birdsite.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://nitter.vs.grzb.de:8080";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /\\n\"";
};
};
"element.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://element.vs.grzb.de";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
extraConfig = ''
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
'';
};
"gameserver.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://pterodactyl.vs.grzb.de";
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Content-Type-Options nosniff;
'';
};
"git.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://gitlab.vs.grzb.de:80";
extraConfig = ''
gzip off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
'';
};
"matrix.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 8448;
ssl = true;
}
{
addr = "[::]";
port = 8448;
ssl = true;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."~ ^(/_matrix|/_synapse/client)" = {
proxyPass = "http://matrix.vs.grzb.de:8008";
extraConfig = ''
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size 500M;
'';
};
};
"mewtube.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://cloudtube.vs.grzb.de:10412";
};
};
"nextcloud.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [ {
addr = "0.0.0.0";
port = 80;
}{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
proxyPass = "http://nextcloud.vs.grzb.de:80";
};
locations."= /.well-known/carddav" = {
return = "301 $scheme://$host/remote.php/dav";
};
locations."= /.well-known/caldav" = {
return = "301 $scheme://$host/remote.php/dav";
extraConfig = ''
proxy_read_timeout 3600;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 4096m;
'';
};
"social.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "127.0.0.1";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://mastodon.vs.grzb.de:80";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 80m;
'';
};
};
};
}

1
users/colmena-deploy/default.nix
View file

@ -6,6 +6,7 @@
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
];
};
}

1
users/yuri/default.nix
View file

@ -5,6 +5,7 @@
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
];
};
}