diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix index 3602209..6df90b1 100644 --- a/config/hosts/forgejo/nginx.nix +++ b/config/hosts/forgejo/nginx.nix @@ -29,8 +29,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix index 9aadd25..5a15fe1 100644 --- a/config/hosts/hydra/nginx.nix +++ b/config/hosts/hydra/nginx.nix @@ -16,8 +16,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -34,8 +33,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix index 9f6462e..4bbcf0a 100644 --- a/config/hosts/ikiwiki/nginx.nix +++ b/config/hosts/ikiwiki/nginx.nix @@ -39,8 +39,7 @@ in }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix index e9b46cd..c82597d 100644 --- a/config/hosts/keycloak/nginx.nix +++ b/config/hosts/keycloak/nginx.nix 
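Review bot: The rewritten `set_real_ip_from 10.202.41.100;` drops the inline comment that identified which host the trusted PROXY-protocol source is, so the bare literal now carries no explanation of why exactly this address may assert client IPs for the whole vhost. Keep the annotation, e.g. `set_real_ip_from 10.202.41.100; # web-public-2, the only stream proxy allowed to set client addresses via PROXY protocol`. The same literal is repeated in the hydra (both hunks), ikiwiki, keycloak, mastodon, matrix (all three hunks), metrics-nekomesh, nextcloud and searx hunks, and this commit itself shows the cost of that duplication: retiring valkyrie meant touching every host, and one host keeping a stale trusted address would go unnoticed. A shared module or a single option holding the trusted-proxy address would make the next change a one-line edit.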
@@ -27,8 +27,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index 02a0d0a..72aec08 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -57,8 +57,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index c9548b2..f4ddec6 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -51,8 +51,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -81,8 +80,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -105,8 +103,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index a754cb6..e2fc483 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix 
@@ -23,8 +23,7 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix new file mode 100644 index 0000000..581a631 --- /dev/null +++ b/config/hosts/navidrome/configuration.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "navidrome"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + fileSystems = { + "/mnt/music" = { + device = "//10.202.40.5/music-ro"; + fsType = "cifs"; + options = [ + "username=navidrome" + "credentials=/secrets/navidrome-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=navidrome" + "gid=navidrome" + "_netdev" + ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix new file mode 100644 index 0000000..00d4a90 --- /dev/null +++ b/config/hosts/navidrome/default.nix @@ -0,0 +1,7 @@ +{ ... }: { + imports = [ + ./configuration.nix + ./navidrome.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix new file mode 100644 index 0000000..74e3a1d --- /dev/null +++ b/config/hosts/navidrome/navidrome.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.navidrome = { + enable = true; + settings = { + Address = "unix:/run/navidrome/navidrome.socket"; + MusicFolder = "/mnt/music"; + }; + }; +} diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix new file mode 100644 index 0000000..eef60dd --- /dev/null +++ b/config/hosts/navidrome/nginx.nix 
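Review bot: The CIFS mount of `//10.202.40.5/music-ro` is mounted read-write on the client even though the share name suggests it is read-only, so a compromised navidrome process is only kept from writing by the server-side ACL. Adding `"ro"` to the mount options (and, since the mount holds media only, `"nosuid"`, `"nodev"` and `"noexec"`) enforces that locally too, with no effect on a service that only reads. The `uid=navidrome`/`gid=navidrome` options assume a static `navidrome` account exists when the mount unit runs; if the navidrome module creates that user dynamically the mount can fail at boot, which is worth confirming against the module.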
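Review bot: `imports` lists configuration.nix, navidrome.nix and nginx.nix but not the `secrets.nix` added alongside them in this commit. If that file is picked up by the deployment layer (the `keyCommandEnv` argument suggests a separate deployment module), ignore this; otherwise `/secrets/navidrome-samba-credentials.secret` is never uploaded and the `_netdev` CIFS mount in configuration.nix fails at activation. The netbox and paperless `default.nix` hunks omit their `secrets.nix` in the same way, so whichever convention applies should be stated once, e.g. `# secrets.nix is imported by the deployment definition, not here`.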
@@ -0,0 +1,24 @@
+{ ... }: {
+  services.nginx = {
+    enable = true;
+    user = "navidrome";
+    virtualHosts."navidrome.grzb.de" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }
+      ];
+      locations."/" = {
+        proxyPass = "http://unix:/run/navidrome/navidrome.socket";
+      };
+    };
+  };
+}
diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix
new file mode 100644
index 0000000..a11e957
--- /dev/null
+++ b/config/hosts/navidrome/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+  deployment.keys = {
+    "navidrome-samba-credentials.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
+      destDir = "/secrets";
+      user = "root";
+      group = "root";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..5bf8422
--- /dev/null
+++ b/config/hosts/netbox/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "netbox";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
new file mode 100644
index 0000000..5dd147b
--- /dev/null
+++ b/config/hosts/netbox/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./netbox.nix
+    ./nginx.nix
+  ];
+}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..b9ba2ad
--- /dev/null
+++ b/config/hosts/netbox/netbox.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+  services.netbox = {
+    enable = true;
+    package = pkgs.netbox;
+    secretKeyFile = "/secrets/netbox-secret-key.secret";
+  };
+}
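Review bot: `user = "navidrome";` makes every nginx worker run as the application account, so a flaw in nginx or in its ACME/static handling yields full access to navidrome's state and the music mount rather than just the socket. The narrower option is to leave nginx on its own user and grant group access to `/run/navidrome/navidrome.socket` (for example `users.users.nginx.extraGroups = [ "navidrome" ];` together with a group-writable socket), which only works if the navidrome module provides a static group and a socket mode that allows it; confirm both before switching. Either way the choice deserves a comment, e.g. `# nginx runs as navidrome so it can connect to the unix socket under /run/navidrome`.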
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix new file mode 100644 index 0000000..a2d1782 --- /dev/null +++ b/config/hosts/netbox/nginx.nix @@ -0,0 +1,29 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + clientMaxBodySize = "25m"; + user = "netbox"; + virtualHosts."netbox.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/static/" = { + alias = "${config.services.netbox.dataDir}/static/"; + }; + locations."/" = { + proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; + }; + }; + }; +} diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix new file mode 100644 index 0000000..216aca4 --- /dev/null +++ b/config/hosts/netbox/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."netbox-secret-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; + destDir = "/secrets"; + user = "netbox"; + group = "netbox"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index f27c9a6..88b842a 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -44,8 +44,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix new file mode 100644 index 0000000..bc54db7 --- /dev/null +++ b/config/hosts/nitter/configuration.nix 
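Review bot: The `/` location proxies to netbox with no `X-Forwarded-Proto`/`X-Forwarded-Host` headers in view (no `recommendedProxySettings = true` on this host), and NetBox's Django CSRF check compares the request origin against `CSRF_TRUSTED_ORIGINS`, so form POSTs over `https://netbox.grzb.de` are likely to be rejected unless that is configured somewhere not shown; `services.netbox.settings.CSRF_TRUSTED_ORIGINS = [ "https://netbox.grzb.de" ];` plus the forwarded headers would address it. The paperless nginx hunk (paperless-ngx needs its `PAPERLESS_URL` / CSRF origin set the same way) and the git.grzb.de hunk (GitLab derives its external URLs from `X-Forwarded-Proto`) share the missing-forwarded-headers concern, assuming a module outside this diff does not add them. Separately, `user = "netbox";` is only needed so nginx can read `${config.services.netbox.dataDir}/static/`; adding the nginx user to the netbox group would keep the proxy out of the application account, if the directory permissions allow it.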
@@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "nitter";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 8443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix
new file mode 100644
index 0000000..6aae884
--- /dev/null
+++ b/config/hosts/nitter/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+    ./nitter.nix
+  ];
+}
diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix
new file mode 100644
index 0000000..862405c
--- /dev/null
+++ b/config/hosts/nitter/nginx.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."birdsite.nekover.se" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+      };
+      locations."/" = {
+        proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
+        proxyWebsockets = true;
+      };
+      extraConfig = ''
+        listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+        set_real_ip_from 10.202.41.100;
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+}
diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix
new file mode 100644
index 0000000..94165c4
--- /dev/null
+++ b/config/hosts/nitter/nitter.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+  services.nitter = {
+    enable = true;
+
+    server = {
+      title = "Birdsite";
+      https = true;
+      address = "127.0.0.1";
+      port = 8080;
+      hostname = "birdsite.nekover.se";
+    };
+
+    preferences = {
+      theme = "Mastodon";
+      replaceTwitter = "birdsite.nekover.se";
+      infiniteScroll = true;
+      hlsPlayback = true;
+    };
+  };
+}
diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix
new file mode 100644
index 0000000..494f08c
--- /dev/null
+++ b/config/hosts/paperless/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "paperless";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  system.stateVersion = "23.05";
+}
diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix
new file mode 100644
index 0000000..e6ebeed
--- /dev/null
+++ b/config/hosts/paperless/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+    ./nginx.nix
+    ./paperless.nix
+  ];
+}
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix
new file mode 100644
index 0000000..17b9b66
--- /dev/null
+++ b/config/hosts/paperless/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+  fileSystems = {
+    "/mnt/data" = {
+      device = "/dev/disk/by-label/data";
+      fsType = "ext4";
+      autoFormat = true;
+      autoResize = true;
+    };
+    "/mnt/paperless-consume" = {
+      device = "//10.201.40.10/paperless-consume";
+      fsType = "cifs";
+      options = [
+        "username=paperless"
+        "credentials=/secrets/paperless-samba-credentials.secret"
+        "iocharset=utf8"
+        "vers=3.1.1"
+        "uid=paperless"
+        "gid=paperless"
+        "_netdev"
+      ];
+    };
+    "/var/lib/paperless" = {
+      depends = [ "/mnt/data" ];
+      device = "/mnt/data/paperless";
+      fsType = "none";
+      options = [ "bind" ];
+    };
+  };
+}
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix
new file mode 100644
index 0000000..e4a2131
--- /dev/null
+++ b/config/hosts/paperless/nginx.nix
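Review bot: `autoFormat = true` paired with `device = "/dev/disk/by-label/data"` does not appear able to do what it suggests: the by-label node only exists once a filesystem carrying that label is present, so a blank disk is never found, never formatted, and boot stalls waiting for the device, taking the dependent `/var/lib/paperless` bind mount with it. If automatic formatting is wanted, point `device` at a stable disk node (by-id or by-path) and apply the label there; otherwise drop `autoFormat` and provision the filesystem explicitly. A short comment on the chosen approach would stop the next reader from trusting the option as written.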
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+  services.nginx = {
+    enable = true;
+    virtualHosts."paperless.grzb.de" = {
+      forceSSL = true;
+      enableACME = true;
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 80;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }
+      ];
+      locations."/" = {
+        proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
+        proxyWebsockets = true;
+        extraConfig = ''
+          add_header Referrer-Policy "strict-origin-when-cross-origin";
+        '';
+      };
+      extraConfig = ''
+        client_max_body_size 100M;
+      '';
+    };
+  };
+}
diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix
new file mode 100644
index 0000000..1def83d
--- /dev/null
+++ b/config/hosts/paperless/paperless.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  services.paperless = {
+    enable = true;
+    consumptionDir = "/mnt/paperless-consume";
+    passwordFile = "/secrets/paperless-admin-password.secret";
+  };
+}
diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix
new file mode 100644
index 0000000..6726881
--- /dev/null
+++ b/config/hosts/paperless/secrets.nix
@@ -0,0 +1,21 @@
+{ keyCommandEnv, ... }:
+{
+  deployment.keys = {
+    "paperless-admin-password.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ];
+      destDir = "/secrets";
+      user = "paperless";
+      group = "paperless";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+    "paperless-samba-credentials.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ];
+      destDir = "/secrets";
+      user = "root";
+      group = "root";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
+  };
+}
diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix
index 9283018..a84c171 100644
--- a/config/hosts/searx/nginx.nix
+++ b/config/hosts/searx/nginx.nix
@@ -21,8 +21,7 @@ proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}"; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index dae48ad..fae78f0 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix @@ -33,31 +33,5 @@ }; }; }; - - streamConfig = '' - map $ssl_preread_server_name $address { - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; - fi.nekover.se 10.202.41.125:8443; - git.nekover.se 10.202.41.106:8443; - hydra.nekover.se 10.202.41.121:8443; - id.nekover.se 10.202.41.124:8443; - mas.nekover.se 10.202.41.112:8443; - matrix.nekover.se 10.202.41.112:8443; - matrix-rtc.nekover.se 10.202.41.112:8443; - mesh.nekover.se 10.202.41.126:8443; - nekover.se 10.202.41.100:8443; - nix-cache.nekover.se 10.202.41.121:8443; - searx.nekover.se 10.202.41.105:8443; - social.nekover.se 10.202.41.104:8443; - } - server { - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - ''; }; } diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix new file mode 100644 index 0000000..7f3b8fa --- /dev/null +++ b/config/hosts/web-public-1/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-1"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null 
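Review bot: `allowedTCPPorts = [ 80 443 ];` opens 443 on web-public-1, yet the nginx configuration introduced for this host (web-public-1/nginx.nix and its virtualHosts) only ever listens on port 80, so 443 is an exposed port with nothing behind it. Unless a forwarder for 443 is configured outside this commit, reduce it to `allowedTCPPorts = [ 80 ];` and reopen it together with the TLS listener; an unexplained open port is exactly the kind of drift a later audit has to chase. A one-line comment on why 80 is open at all (ACME HTTP-01 relay plus the https redirect) would help as well.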
+++ b/config/hosts/web-public-1/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+  ];
+}
diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix
new file mode 100644
index 0000000..0453a73
--- /dev/null
+++ b/config/hosts/web-public-1/nginx.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./virtualHosts
+  ];
+
+  services.nginx = {
+    enable = true;
+  };
+}
diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
new file mode 100644
index 0000000..c9b7e61
--- /dev/null
+++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix
@@ -0,0 +1,18 @@
+{ ... }:
+let
+  acmeDomainMap = {
+    "paperless.grzb.de" = "paperless.wg.grzb.de";
+    "navidrome.grzb.de" = "navidrome.wg.grzb.de";
+  };
+in
+{
+  services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
+    listen = [{
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."^~ /.well-known/acme-challenge/" = {
+      proxyPass = "http://${target}:80";
+    };
+  }) acmeDomainMap);
+}
diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix
new file mode 100644
index 0000000..e191a9c
--- /dev/null
+++ b/config/hosts/web-public-1/virtualHosts/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./acme-challenge.nix
+  ];
+
+  services.nginx.virtualHosts."_" = {
+    listen = [{
+      addr = "0.0.0.0";
+      port = 80;
+    }];
+    locations."/" = {
+      return = "301 https://$host$request_uri";
+    };
+  };
+}
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 1e51d61..066f3d2 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
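Review bot: The vhosts generated for `paperless.grzb.de` and `navidrome.grzb.de` define only the `^~ /.well-known/acme-challenge/` location, so any other plain-http request for those names is answered from nginx's default document root (typically a 404) instead of being redirected to https, because a server block matching the Host header wins over the `_` catch-all in virtualHosts/default.nix. Add `locations."/".return = "301 https://$host$request_uri";` next to the acme location inside the `mapAttrs` body so both hosts behave like the catch-all. The parentheses around `builtins.mapAttrs ... acmeDomainMap` are redundant and can go.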
@@ -16,16 +16,20 @@ stream { map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; element-admin.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443; + mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; @@ -34,6 +38,7 @@ } server { listen 0.0.0.0:443; + listen [::]:443; proxy_pass $address; ssl_preread on; proxy_protocol on; diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..9a3950a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index fc2b409..445a087 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix 
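Review bot: The SNI map gains entries for anisync, gameserver, git.grzb.de and mewtube but none for `birdsite.nekover.se`, which this same commit stands up as a nitter host behind `proxy_protocol` on port 8443 (nitter/nginx.nix trusts 10.202.41.100, i.e. this stream proxy); unless the name sits in the part of the map outside this hunk, TLS connections for it resolve to an empty `$address` and are dropped. If so, `birdsite.nekover.se NITTER_HOST_IP:8443;` belongs in the map, where NITTER_HOST_IP is a placeholder because the nitter host's address is not in this diff. The map block continues past the end of the hunk.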
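Review bot: `listen [::]:443;` quietly makes web-public-2 the IPv6 entry point that the deleted valkyrie stream block used to be, and every backend's `set_real_ip_from` list was trimmed to 10.202.41.100 on that assumption, yet nothing in the hunk records the link. A comment such as `listen [::]:443; # IPv6 entry point, moved here from valkyrie; backends trust only this host` would tie the two changes together for the next reader. The stream `server` block closes outside the hunk.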
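Review bot: `addr = "localhost"` is resolved by nginx at configuration time and, where the name maps to both 127.0.0.1 and ::1, may produce two listeners, while the stream map forwards to `127.0.0.1:8443` and `set_real_ip_from 127.0.0.1;` trusts only that address; the pair lines up by resolution order rather than by design, so `addr = "127.0.0.1";` makes the PROXY-protocol trust boundary literal. The same listen/trust pairing appears in the element-admin, element, gameserver.grzb.de, git.grzb.de, mewtube.nekover.se and nekover.se hunks. Since this listener is no longer reachable from the network, the dropped `# IPv4 from web-public-2` annotation would usefully become `set_real_ip_from 127.0.0.1; # local stream proxy on this host (PROXY protocol source)`.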
@@ -2,8 +2,12 @@ { imports = [ ./acme-challenge.nix + ./anisync.grzb.de.nix ./element.nekover.se.nix ./element-admin.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./mewtube.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix index d6af438..69c3a9a 100644 --- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix @@ -37,7 +37,7 @@ in enableACME = true; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -86,8 +86,7 @@ in # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 6e61d6c..74b7820 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -28,7 +28,7 @@ in ]; }; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -60,8 +60,7 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; }; 
diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
new file mode 100644
index 0000000..c746f3d
--- /dev/null
+++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix
@@ -0,0 +1,28 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."gameserver.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [{
+      addr = "localhost";
+      port = 8443;
+      ssl = true;
+      extraParameters = ["proxy_protocol"];
+    }];
+    locations."/" = {
+      proxyPass = "http://pterodactyl.vs.grzb.de";
+      extraConfig = ''
+        proxy_redirect off;
+        proxy_buffering off;
+        proxy_request_buffering off;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 1024m;
+      add_header X-Content-Type-Options nosniff;
+
+      set_real_ip_from 127.0.0.1;
+      real_ip_header proxy_protocol;
+    '';
+  };
+}
diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
new file mode 100644
index 0000000..ac9eefb
--- /dev/null
+++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+  services.nginx.virtualHosts."git.grzb.de" = {
+    forceSSL = true;
+    enableACME = true;
+    listen = [{
+      addr = "localhost";
+      port = 8443;
+      ssl = true;
+      extraParameters = ["proxy_protocol"];
+    }];
+    locations."/" = {
+      proxyPass = "http://gitlab.vs.grzb.de:80";
+      extraConfig = ''
+        gzip off;
+        proxy_read_timeout 300;
+        proxy_connect_timeout 300;
+        proxy_redirect off;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 1024m;
+      add_header X-Frame-Options DENY;
+      add_header X-Content-Type-Options nosniff;
+
+      set_real_ip_from 127.0.0.1;
+      real_ip_header proxy_protocol;
+    '';
+  };
+}
diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
new file mode 100644
index 0000000..1ab842a
--- /dev/null
+++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
@@ -0,0 +1,20 @@ +{ ... }: +{ + services.nginx.virtualHosts."mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 233a49c..40ee30d 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -23,8 +23,7 @@ ''; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; };