From ade955bdf4772030244a6f394e85ac0f085aa91a Mon Sep 17 00:00:00 2001
From: fi
Date: Thu, 20 Jul 2023 06:29:15 +0200
Subject: [PATCH] Add config for public reverse proxy

---
 configuration/common/default.nix | 1 +
 flake.lock | 6 +-
 flake.nix | 3 +
 hosts/web-public-2/configuration.nix | 16 +-
 hosts/web-public-2/nginx.nix | 303 ++++++++++++++++++++++++++-
 users/colmena-deploy/default.nix | 1 +
 users/yuri/default.nix | 1 +
 7 files changed, 325 insertions(+), 6 deletions(-)

diff --git a/configuration/common/default.nix b/configuration/common/default.nix
index b94e91c..2136658 100644
--- a/configuration/common/default.nix
+++ b/configuration/common/default.nix
@@ -48,6 +48,7 @@
   security.acme = {
     defaults.email = "acme@grzb.de";
     acceptTerms = true;
+    preliminarySelfsigned = true;
   };
 
   services.fstrim.enable = true;
diff --git a/flake.lock b/flake.lock
index 5ef1dda..3f90c88 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1689534811,
-        "narHash": "sha256-jnSUdzD/414d94plCyNlvTJJtiTogTep6t7ZgIKIHiE=",
+        "lastModified": 1689679375,
+        "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6cee3b5893090b0f5f0a06b4cf42ca4e60e5d222",
+        "rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index bcace6a..820a1dd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,6 +20,9 @@
       #hydra = {
       #  site = "vs";
       #};
+      web-public-2 = {
+        site = "vs";
+      };
     };
 
   generateColmenaHost = name: host : {
diff --git a/hosts/web-public-2/configuration.nix b/hosts/web-public-2/configuration.nix
index dfeb4b0..081ca9a 100644
--- a/hosts/web-public-2/configuration.nix
+++ b/hosts/web-public-2/configuration.nix
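Review bot: `preliminarySelfsigned = true;` in security.acme is, as far as I recall the NixOS module, already its default value, so the added line only has an effect if something elsewhere in the tree overrides it, and the hunk gives no hint why it is pinned. A one-line comment such as `# nginx on the public proxy needs a certificate file to exist before the first ACME order completes` would make the intent clear to the next reader. Note that with this enabled, a host whose ACME order fails serves the self-signed placeholder rather than refusing the connection, so a broken order on web-public-2 will surface to clients as a certificate error; worth remembering when the new host is first deployed.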
@@ -5,8 +5,20 @@
     device = "/dev/vda";
   };
 
-  networking = {
-    hostName = "web-public-02";
+  networking = {
+    interfaces = {
+      "enp6s18".ipv6.addresses = [{
+        address = "2001:470:5429::96";
+        prefixLength = 64;
+      }];
+    };
+
+    defaultGateway6 = {
+      address = "2001:470:5429::1";
+      interface = "enp6s18";
+    };
+
+    hostName = "web-public-2";
     firewall.enable = false;
   };
 
diff --git a/hosts/web-public-2/nginx.nix b/hosts/web-public-2/nginx.nix
index 5c7acd6..8d050aa 100644
--- a/hosts/web-public-2/nginx.nix
+++ b/hosts/web-public-2/nginx.nix
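Review bot: `firewall.enable = false;` is kept (context line at the end of the hunk) on a host that this hunk now gives a globally routable IPv6 address, 2001:470:5429::96, so every socket that listens on a wildcard address becomes reachable from the internet, not only the nginx ports the commit intends to expose. The reverse proxy in this commit needs only 80, 443 and 8448 (matrix federation), so `firewall.enable = true;` together with `firewall.allowedTCPPorts = [ 80 443 8448 ];` would limit the public surface to exactly those. The hostName change from web-public-02 to web-public-2 matches the new flake.nix entry; any other references to the old name (DNS, deployment targets) are outside this diff and should be checked separately.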
@@ -1,6 +1,307 @@
-{ ... }:
+{ pkgs, ... }:
 {
   services.nginx = {
     enable = true;
+
+    streamConfig = ''
+      map $ssl_preread_server_name $address {
+        anisync.grzb.de 127.0.0.1:8443;
+        birdsite.nekover.se 127.0.0.1:8443;
+        element.nekover.se 127.0.0.1:8443;
+        gameserver.grzb.de 127.0.0.1:8443;
+        git.grzb.de 127.0.0.1:8443;
+        hydra.nekover.se hydra.vs.grzb.de:8443;
+        matrix.nekover.se 127.0.0.1:8443;
+        mewtube.nekover.se 127.0.0.1:8443;
+        nekover.se 127.0.0.1:8443;
+        nextcloud.grzb.de 127.0.0.1:8443;
+        nix-cache.nekover.se hydra.vs.grzb.de:8443;
+        social.nekover.se 127.0.0.1:8443;
+      }
+
+      server {
+        listen 0.0.0.0:443;
+        listen [::]:443;
+        proxy_pass $address;
+        ssl_preread on;
+        proxy_protocol on;
+      }
+    '';
+
+    virtualHosts = {
+      "nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/.well-known/matrix/server" = {
+          return = "200 '{\"m.server\": \"matrix.nekover.se:443\"}'";
+          extraConfig = ''
+            add_header Content-Type application/json;
+          '';
+        };
+        locations."/.well-known/matrix/client" = {
+          return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
+          extraConfig = ''
+            default_type application/json;
+            add_header Access-Control-Allow-Origin *;
+          '';
+        };
+      };
+
+      "anisync.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://anisync.vs.grzb.de:8080";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          add_header X-Content-Type-Options nosniff;
+        '';
+      };
+
+      "birdsite.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://nitter.vs.grzb.de:8080";
+          proxyWebsockets = true;
+        };
+        locations."/robots.txt" = {
+          return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+        };
+      };
+
+      "element.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://element.vs.grzb.de";
+          recommendedProxySettings = false;
+          extraConfig = ''
+            proxy_set_header X-Forwarded-For $remote_addr;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+        extraConfig = ''
+          add_header X-Frame-Options SAMEORIGIN;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header Content-Security-Policy "frame-ancestors 'none'";
+        '';
+      };
+
+      "gameserver.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://pterodactyl.vs.grzb.de";
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_buffering off;
+            proxy_request_buffering off;
+          '';
+        };
+        extraConfig = ''
+          client_max_body_size 1024m;
+          add_header X-Content-Type-Options nosniff;
+        '';
+      };
+
+      "git.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://gitlab.vs.grzb.de:80";
+          extraConfig = ''
+            gzip off;
+            proxy_read_timeout 300;
+            proxy_connect_timeout 300;
+            proxy_redirect off;
+          '';
+        };
+        extraConfig = ''
+          client_max_body_size 1024m;
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+        '';
+      };
+
+      "matrix.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "[::]";
+            port = 8448;
+            ssl = true;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."~ ^(/_matrix|/_synapse/client)" = {
+          proxyPass = "http://matrix.vs.grzb.de:8008";
+          extraConfig = ''
+            # Nginx by default only allows file uploads up to 1M in size
+            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+            client_max_body_size 500M;
+          '';
+        };
+      };
+
+      "mewtube.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://cloudtube.vs.grzb.de:10412";
+        };
+      };
+
+      "nextcloud.grzb.de" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [ {
+          addr = "0.0.0.0";
+          port = 80;
+        }{
+          addr = "127.0.0.1";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }];
+        locations."/" = {
+          proxyPass = "http://nextcloud.vs.grzb.de:80";
+        };
+        locations."= /.well-known/carddav" = {
+          return = "301 $scheme://$host/remote.php/dav";
+        };
+        locations."= /.well-known/caldav" = {
+          return = "301 $scheme://$host/remote.php/dav";
+          extraConfig = ''
+            proxy_read_timeout 3600;
+            proxy_request_buffering off;
+          '';
+        };
+        extraConfig = ''
+          client_max_body_size 4096m;
+        '';
+      };
+
+      "social.nekover.se" = {
+        forceSSL = true;
+        enableACME = true;
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 80;
+          }
+          {
+            addr = "127.0.0.1";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://mastodon.vs.grzb.de:80";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          client_max_body_size 80m;
+        '';
+      };
+    };
   };
 }
diff --git a/users/colmena-deploy/default.nix b/users/colmena-deploy/default.nix
index bebd6ef..1766855 100644
--- a/users/colmena-deploy/default.nix
+++ b/users/colmena-deploy/default.nix
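Review bot: Every virtualHost accepts PROXY protocol on 127.0.0.1:8443, but nothing tells nginx to take the client address from it, so `$remote_addr` — and with it the `X-Forwarded-For $remote_addr` that element.nekover.se sets explicitly and the forwarding headers the other hosts send via recommendedProxySettings — stays 127.0.0.1 for every request that enters through the stream front-end; the backends and the access log then see only the proxy's own address, which defeats per-IP rate limiting and leaves the logs useless for incident response. Adding `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;` to `services.nginx.commonHttpConfig` restores the real client address for all hosts at once. The port-80 listeners are bound to 0.0.0.0 only, so IPv6 clients of the host's new 2001:470:5429::96 address (including HTTP-01 validation, should the names get AAAA records) get no redirect; a matching `{ addr = "[::]"; port = 80; }` entry per host, as matrix.nekover.se already has for 8448, fixes that. In nextcloud.grzb.de the `proxy_read_timeout 3600; proxy_request_buffering off;` sit in the `= /.well-known/caldav` location, which only returns a 301, so they never take effect and presumably belong in the `/` location that proxies to nextcloud. The `/.well-known/matrix/server` location uses `add_header Content-Type application/json;` while its sibling client location uses `default_type application/json;`; the add_header form may emit a second Content-Type next to the one nginx derives from default_type, so both locations should use `default_type`.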
@@ -6,6 +6,7 @@
   openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPJbR09ZqPnfZkx9JNjCurJDXWa5XtNeNQfkPRU/ZnY colmena-deploy"
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
   ];
 };
 }
diff --git a/users/yuri/default.nix b/users/yuri/default.nix
index ff0ac57..546de5e 100644
--- a/users/yuri/default.nix
+++ b/users/yuri/default.nix
@@ -5,6 +5,7 @@
   extraGroups = [ "wheel" ];
   openssh.authorizedKeys.keys = [
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
   ];
 };
 }
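Review bot: The yuri@violet key is pasted verbatim into both users/colmena-deploy/default.nix and users/yuri/default.nix, as yuri@kiara already is, so the two copies can drift when the key is rotated or revoked — removing it from the personal account and forgetting the deploy account would leave the deployment identity still accepting it. Defining the key list once (for example a shared `yuriKeys` attribute in a common module) and referencing it from both authorizedKeys lists makes revocation a one-line change and keeps the deploy account's key set reviewable in one place. The same point applies to the users/yuri/default.nix hunk below.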