fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Setup paperless host and reverse proxy for acme http challange

Browse source
This commit is contained in:
fi 2023-09-25 01:35:11 +02:00
commit c1e74a4494
Signed by: fi
SSH key fingerprint: SHA256:d+6fQoDPMbSFK95zRVflRKZLRKF4cPSQb7VIxYkhFsA
13 changed files with 184 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
config/hosts/mail-1/simple-nixos-mailserver.nix
View file

@ -10,10 +10,7 @@
enableImapSsl = true; enableImapSsl = true;
enableSubmission = false; enableSubmission = false;
enableSubmissionSsl = true; enableSubmissionSsl = true;
<<<<<<< HEAD
lmtpSaveToDetailMailbox = "no"; lmtpSaveToDetailMailbox = "no";
=======
>>>>>>> 634557c (Change mail config of services to use new mail server)
domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ]; domains = [ "grzb.de" "vs.grzb.de" "wg.grzb.de" "nekover.se" ];
loginAccounts = { loginAccounts = {
"fiona@grzb.de" = { "fiona@grzb.de" = {

17
config/hosts/paperless/configuration.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "paperless";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}

9
config/hosts/paperless/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./nginx.nix
./paperless.nix
];
}

30
config/hosts/paperless/hardware-configuration.nix Normal file
View file

@ -0,0 +1,30 @@
{ ... }:
{
fileSystems = {
"/mnt/data" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
autoFormat = true;
autoResize = true;
};
"/mnt/paperless-consume" = {
device = "//10.201.40.10/paperless-consume";
fsType = "cifs";
options = [
"username=paperless"
"credentials=/secrets/paperless-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=paperless"
"gid=paperless"
"_netdev"
];
};
"/var/lib/paperless" = {
depends = [ "/mnt/data" ];
device = "/mnt/data/paperless";
fsType = "none";
options = [ "bind" "X-mount.owner=paperless" "X-mount.group=paperless" ];
};
};
}

31
config/hosts/paperless/nginx.nix Normal file
View file

@ -0,0 +1,31 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."paperless.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
proxyWebsockets = true;
extraConfig = ''
add_header Referrer-Policy "strict-origin-when-cross-origin";
'';
};
extraConfig = ''
client_max_body_size 100M;
'';
};
};
}

8
config/hosts/paperless/paperless.nix Normal file
View file

@ -0,0 +1,8 @@
{ ... }:
{
services.paperless = {
enable = true;
consumptionDir = "/mnt/paperless-consume";
passwordFile = "/secrets/paperless-admin-password.secret";
};
}

19
config/hosts/paperless/secrets.nix Normal file
View file

@ -0,0 +1,19 @@
{ ... }:
{
deployment.keys."paperless-admin-password.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/admin-password" ];
destDir = "/secrets";
user = "paperless";
group = "paperless";
permissions = "0640";
uploadAt = "pre-activation";
};
deployment.keys."paperless-samba-credentials.secret" = {
keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "paperless/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
}

17
config/hosts/web-public-1/configuration.nix Normal file
View file

@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "web-public-1";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}

7
config/hosts/web-public-1/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
];
}

10
config/hosts/web-public-1/nginx.nix Normal file
View file

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./virtualHosts
];
services.nginx = {
enable = true;
};
}

12
config/hosts/web-public-1/virtualHosts/acme-challenge.nix Normal file
View file

@ -0,0 +1,12 @@
{ ... }:
{
services.nginx.virtualHosts."paperless.grzb.de" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://paperless.wg.grzb.de:80";
};
};
}

16
config/hosts/web-public-1/virtualHosts/default.nix Normal file
View file

@ -0,0 +1,16 @@
{ ... }:
{
imports = [
./acme-challenge.nix
];
services.nginx.virtualHosts."_" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
return = "301 https://$host$request_uri";
};
};
}

8
hosts.nix
View file

@ -77,6 +77,10 @@ in
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
}; };
paperless = {
site = "wg";
environment = "proxmox";
};
coturn = { coturn = {
site = "vs"; site = "vs";
environment = "proxmox"; environment = "proxmox";
@ -89,6 +93,10 @@ in
site = "af"; site = "af";
environment = "openstack"; environment = "openstack";
}; };
web-public-1 = {
site = "wg";
environment = "proxmox";
};
web-public-2 = { web-public-2 = {
hostNixpkgs = nixpkgs-unstable; hostNixpkgs = nixpkgs-unstable;
site = "vs"; site = "vs";