

No commits in common. "44215ecfc92054f69f230348071b01639eb050b8" and "d793308ebef77258c7a0f7cc2718a28971d0e9b3" have entirely different histories.

44 changed files with 539 additions and 58 deletions


@ -29,8 +29,7 @@
}; };
extraConfig = '' extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
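Review bot: The surviving `set_real_ip_from 10.202.41.100;` line loses its `# IPv4 from web-public-2` comment, so the only remaining trusted PROXY-protocol source in this vhost is now undocumented. Keeping the annotation, `set_real_ip_from 10.202.41.100; # IPv4 from web-public-2`, records which host is allowed to rewrite `$remote_addr` via `real_ip_header proxy_protocol` and makes a later change of the trusted proxy reviewable. The same comment drop recurs in every other `set_real_ip_from` hunk of this compare, including the ones that switch to `set_real_ip_from 127.0.0.1;`, where a short note such as `# local stream proxy on this host` would serve the same purpose. The enclosing vhost definition starts outside the hunk.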


@ -16,8 +16,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
@ -34,8 +33,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -39,8 +39,7 @@ in
}; };
}; };
extraConfig = '' extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -27,8 +27,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
add_header Strict-Transport-Security "max-age=63072000" always; add_header Strict-Transport-Security "max-age=63072000" always;


@ -57,8 +57,7 @@
}; };
extraConfig = '' extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -51,8 +51,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
@ -81,8 +80,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
@ -105,8 +103,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -23,8 +23,7 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
extraConfig = '' extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -0,0 +1,33 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "navidrome";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
fileSystems = {
"/mnt/music" = {
device = "//10.202.40.5/music-ro";
fsType = "cifs";
options = [
"username=navidrome"
"credentials=/secrets/navidrome-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=navidrome"
"gid=navidrome"
"_netdev"
];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,7 @@
{ ... }: {
imports = [
./configuration.nix
./navidrome.nix
./nginx.nix
];
}


@ -0,0 +1,9 @@
{ ... }: {
services.navidrome = {
enable = true;
settings = {
Address = "unix:/run/navidrome/navidrome.socket";
MusicFolder = "/mnt/music";
};
};
}


@ -0,0 +1,24 @@
{ ... }: {
services.nginx = {
enable = true;
user = "navidrome";
virtualHosts."navidrome.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://unix:/run/navidrome/navidrome.socket";
};
};
};
}
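Review bot: `user = "navidrome";` runs every nginx worker as the application user, presumably so nginx can open `/run/navidrome/navidrome.socket`; this merges the proxy's and the application's privilege domains, so a flaw in either side exposes the other's files, and the TLS key nginx reads must effectively be readable by the app user as well. A narrower option is to keep nginx's own account and grant it group access, `users.users.nginx.extraGroups = [ "navidrome" ];`, which works if the socket is created group-accessible — confirm against the navidrome unit before switching. The same pattern appears in the netbox nginx.nix (`user = "netbox";`), where only the `/static/` alias needs to be readable.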


@ -0,0 +1,13 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"navidrome-samba-credentials.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "netbox";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./netbox.nix
./nginx.nix
];
}


@ -0,0 +1,8 @@
{ pkgs, ... }:
{
services.netbox = {
enable = true;
package = pkgs.netbox;
secretKeyFile = "/secrets/netbox-secret-key.secret";
};
}


@ -0,0 +1,29 @@
{ config, ... }:
{
services.nginx = {
enable = true;
clientMaxBodySize = "25m";
user = "netbox";
virtualHosts."netbox.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/static/" = {
alias = "${config.services.netbox.dataDir}/static/";
};
locations."/" = {
proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
};
};
};
}


@ -0,0 +1,11 @@
{ keyCommandEnv, ... }:
{
deployment.keys."netbox-secret-key.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ];
destDir = "/secrets";
user = "netbox";
group = "netbox";
permissions = "0640";
uploadAt = "pre-activation";
};
}


@ -44,8 +44,7 @@
extraConfig = '' extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol; listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "nitter";
firewall = {
enable = true;
allowedTCPPorts = [ 8443 ];
};
};
system.stateVersion = "23.05";
}
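Review bot: `allowedTCPPorts = [ 8443 ];` opens the PROXY-protocol listener on every interface, while the matching vhost in this host's nginx.nix only trusts `10.202.41.100` for `set_real_ip_from`. Any peer that can reach 8443 can still complete a TLS handshake against nginx; the realip rewrite is refused for it, but the service is exposed beyond the single front proxy it is meant for. Consider scoping the rule to the interface facing that proxy, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8443 ];` with the placeholder replaced, or adding a source-restricted rule in `networking.firewall.extraCommands`.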


@ -0,0 +1,8 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
./nitter.nix
];
}


@ -0,0 +1,23 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."birdsite.nekover.se" = {
forceSSL = true;
enableACME = true;
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: /\\n\"";
};
locations."/" = {
proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
proxyWebsockets = true;
};
extraConfig = ''
listen 0.0.0.0:8443 http2 ssl proxy_protocol;
set_real_ip_from 10.202.41.100;
real_ip_header proxy_protocol;
'';
};
};
}


@ -0,0 +1,21 @@
{ ... }:
{
services.nitter = {
enable = true;
server = {
title = "Birdsite";
https = true;
address = "127.0.0.1";
port = 8080;
hostname = "birdsite.nekover.se";
};
preferences = {
theme = "Mastodon";
replaceTwitter = "birdsite.nekover.se";
infiniteScroll = true;
hlsPlayback = true;
};
};
}


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "paperless";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./hardware-configuration.nix
./nginx.nix
./paperless.nix
];
}


@ -0,0 +1,30 @@
{ ... }:
{
fileSystems = {
"/mnt/data" = {
device = "/dev/disk/by-label/data";
fsType = "ext4";
autoFormat = true;
autoResize = true;
};
"/mnt/paperless-consume" = {
device = "//10.201.40.10/paperless-consume";
fsType = "cifs";
options = [
"username=paperless"
"credentials=/secrets/paperless-samba-credentials.secret"
"iocharset=utf8"
"vers=3.1.1"
"uid=paperless"
"gid=paperless"
"_netdev"
];
};
"/var/lib/paperless" = {
depends = [ "/mnt/data" ];
device = "/mnt/data/paperless";
fsType = "none";
options = [ "bind" ];
};
};
}


@ -0,0 +1,31 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts."paperless.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
proxyWebsockets = true;
extraConfig = ''
add_header Referrer-Policy "strict-origin-when-cross-origin";
'';
};
extraConfig = ''
client_max_body_size 100M;
'';
};
};
}


@ -0,0 +1,8 @@
{ ... }:
{
services.paperless = {
enable = true;
consumptionDir = "/mnt/paperless-consume";
passwordFile = "/secrets/paperless-admin-password.secret";
};
}


@ -0,0 +1,21 @@
{ keyCommandEnv, ... }:
{
deployment.keys = {
"paperless-admin-password.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ];
destDir = "/secrets";
user = "paperless";
group = "paperless";
permissions = "0640";
uploadAt = "pre-activation";
};
"paperless-samba-credentials.secret" = {
keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ];
destDir = "/secrets";
user = "root";
group = "root";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}


@ -21,8 +21,7 @@
proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}"; proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}";
}; };
extraConfig = '' extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 10.202.41.100;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -33,31 +33,5 @@
}; };
}; };
}; };
streamConfig = ''
map $ssl_preread_server_name $address {
cloud.nekover.se 10.202.41.122:8443;
element.nekover.se 10.202.41.100:8443;
element-admin.nekover.se 10.202.41.100:8443;
fi.nekover.se 10.202.41.125:8443;
git.nekover.se 10.202.41.106:8443;
hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443;
mas.nekover.se 10.202.41.112:8443;
matrix.nekover.se 10.202.41.112:8443;
matrix-rtc.nekover.se 10.202.41.112:8443;
mesh.nekover.se 10.202.41.126:8443;
nekover.se 10.202.41.100:8443;
nix-cache.nekover.se 10.202.41.121:8443;
searx.nekover.se 10.202.41.105:8443;
social.nekover.se 10.202.41.104:8443;
}
server {
listen [::]:443;
proxy_pass $address;
ssl_preread on;
proxy_protocol on;
}
'';
}; };
} }


@ -0,0 +1,17 @@
{ ... }:
{
boot.loader.grub = {
enable = true;
device = "/dev/vda";
};
networking = {
hostName = "web-public-1";
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
};
system.stateVersion = "23.05";
}


@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./configuration.nix
./nginx.nix
];
}


@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./virtualHosts
];
services.nginx = {
enable = true;
};
}


@ -0,0 +1,18 @@
{ ... }:
let
acmeDomainMap = {
"paperless.grzb.de" = "paperless.wg.grzb.de";
"navidrome.grzb.de" = "navidrome.wg.grzb.de";
};
in
{
services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."^~ /.well-known/acme-challenge/" = {
proxyPass = "http://${target}:80";
};
}) acmeDomainMap);
}
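Review bot: The generated port-80 vhosts for `paperless.grzb.de` and `navidrome.grzb.de` define only the `^~ /.well-known/acme-challenge/` location, so any other plain-HTTP request to those names falls through to nginx's default root instead of being redirected the way the `_` vhost in default.nix does. Adding `locations."/".return = "301 https://$host$request_uri";` to the attribute set built inside `mapAttrs` keeps the redirect behaviour uniform across this host. Note also that netbox.grzb.de, which likewise enables ACME on a 0.0.0.0 listener, has no entry in `acmeDomainMap`; if that name is reached through this host as the other two are, HTTP-01 validation has no path to its backend — confirm how it resolves.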


@ -0,0 +1,16 @@
{ ... }:
{
imports = [
./acme-challenge.nix
];
services.nginx.virtualHosts."_" = {
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/" = {
return = "301 https://$host$request_uri";
};
};
}


@ -16,16 +16,20 @@
stream { stream {
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
anisync.grzb.de 127.0.0.1:8443;
cloud.nekover.se 10.202.41.122:8443; cloud.nekover.se 10.202.41.122:8443;
element.nekover.se 127.0.0.1:8443; element.nekover.se 127.0.0.1:8443;
element-admin.nekover.se 127.0.0.1:8443; element-admin.nekover.se 127.0.0.1:8443;
fi.nekover.se 10.202.41.125:8443; fi.nekover.se 10.202.41.125:8443;
gameserver.grzb.de 127.0.0.1:8443;
git.grzb.de 127.0.0.1:8443;
git.nekover.se 10.202.41.106:8443; git.nekover.se 10.202.41.106:8443;
hydra.nekover.se 10.202.41.121:8443; hydra.nekover.se 10.202.41.121:8443;
id.nekover.se 10.202.41.124:8443; id.nekover.se 10.202.41.124:8443;
mas.nekover.se 10.202.41.112:8443; mas.nekover.se 10.202.41.112:8443;
matrix.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443;
matrix-rtc.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443;
mewtube.nekover.se 127.0.0.1:8443;
nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443;
mesh.nekover.se 10.202.41.126:8443; mesh.nekover.se 10.202.41.126:8443;
nix-cache.nekover.se 10.202.41.121:8443; nix-cache.nekover.se 10.202.41.121:8443;
@ -34,6 +38,7 @@
} }
server { server {
listen 0.0.0.0:443; listen 0.0.0.0:443;
listen [::]:443;
proxy_pass $address; proxy_pass $address;
ssl_preread on; ssl_preread on;
proxy_protocol on; proxy_protocol on;
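Review bot: The new `mewtube.nekover.se 127.0.0.1:8443;` entry is inserted ahead of `nekover.se`, which itself already sat before `mesh.nekover.se`, so the map no longer reads as the sorted list the rest of the block follows. Order has no effect on `map` matching, but a sorted list is what lets a reader verify that every public name has exactly one target and that nothing points at a stale backend; moving `nekover.se` below `mesh.nekover.se` and keeping `mewtube` in alphabetical position restores that. The map and server blocks continue outside the hunk.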


@ -0,0 +1,23 @@
{ ... }:
{
services.nginx.virtualHosts."anisync.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "localhost";
port = 8443;
ssl = true;
extraParameters = ["proxy_protocol"];
}];
locations."/" = {
proxyPass = "http://anisync.vs.grzb.de:8080";
proxyWebsockets = true;
};
extraConfig = ''
add_header X-Content-Type-Options nosniff;
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
'';
};
}


@ -2,8 +2,12 @@
{ {
imports = [ imports = [
./acme-challenge.nix ./acme-challenge.nix
./anisync.grzb.de.nix
./element.nekover.se.nix ./element.nekover.se.nix
./element-admin.nekover.se.nix ./element-admin.nekover.se.nix
./gameserver.grzb.de.nix
./git.grzb.de.nix
./mewtube.nekover.se.nix
./nekover.se.nix ./nekover.se.nix
]; ];


@ -37,7 +37,7 @@ in
enableACME = true; enableACME = true;
listen = [{ listen = [{
addr = "0.0.0.0"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
extraParameters = ["proxy_protocol"]; extraParameters = ["proxy_protocol"];
@ -86,8 +86,7 @@ in
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
# protocol. # protocol.
# First set our proxy protocol proxy as trusted. # First set our proxy protocol proxy as trusted.
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 127.0.0.1;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;


@ -28,7 +28,7 @@ in
]; ];
}; };
listen = [{ listen = [{
addr = "0.0.0.0"; addr = "localhost";
port = 8443; port = 8443;
ssl = true; ssl = true;
extraParameters = ["proxy_protocol"]; extraParameters = ["proxy_protocol"];
@ -60,8 +60,7 @@ in
# redirect server error pages to the static page /50x.html # redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 127.0.0.1;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };


@ -0,0 +1,28 @@
{ ... }:
{
services.nginx.virtualHosts."gameserver.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "localhost";
port = 8443;
ssl = true;
extraParameters = ["proxy_protocol"];
}];
locations."/" = {
proxyPass = "http://pterodactyl.vs.grzb.de";
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
proxy_request_buffering off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Content-Type-Options nosniff;
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
'';
};
}


@ -0,0 +1,30 @@
{ ... }:
{
services.nginx.virtualHosts."git.grzb.de" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "localhost";
port = 8443;
ssl = true;
extraParameters = ["proxy_protocol"];
}];
locations."/" = {
proxyPass = "http://gitlab.vs.grzb.de:80";
extraConfig = ''
gzip off;
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_redirect off;
'';
};
extraConfig = ''
client_max_body_size 1024m;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
'';
};
}


@ -0,0 +1,20 @@
{ ... }:
{
services.nginx.virtualHosts."mewtube.nekover.se" = {
forceSSL = true;
enableACME = true;
listen = [{
addr = "localhost";
port = 8443;
ssl = true;
extraParameters = ["proxy_protocol"];
}];
locations."/" = {
proxyPass = "http://cloudtube.vs.grzb.de:10412";
};
extraConfig = ''
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
'';
};
}
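Review bot: This vhost is the only one of the new localhost-listening proxies (`anisync.grzb.de.nix`, `gameserver.grzb.de.nix`, `git.grzb.de.nix`) that does not set `add_header X-Content-Type-Options nosniff;`, so responses from `cloudtube.vs.grzb.de:10412` go out without the MIME-sniffing protection the sibling files apply. Adding that line to `extraConfig` beside `set_real_ip_from 127.0.0.1;` keeps the header set consistent across the group.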


@ -23,8 +23,7 @@
''; '';
}; };
extraConfig = '' extraConfig = ''
set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 set_real_ip_from 127.0.0.1;
set_real_ip_from 10.203.10.3; # IPv6 from valkyrie
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };