nginx preset

master
Sven Slootweg 2 years ago
parent 1aded254ae
commit ac895afd28

@ -28,6 +28,7 @@ let
trackSystemMetrics = (import ./lib/track-system-metrics.nix);
trackServiceMetrics = (import ./lib/track-service-metrics.nix);
httpHealthChecks = (import ./lib/http-health-checks.nix);
nginx = (import ./lib/nginx.nix);
in {
network = {
inherit pkgs;
@ -111,17 +112,7 @@ in {
(trackSystemMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
(trackServiceMetrics nodes."machine-haless-03.cryto.net".internalIpv4)
(httpHealthChecks {
http = [
"iomfats.cryto.net"
"castleroland.cryto.net"
"awesomedude.cryto.net"
"matrix-rooms.cryto.net"
"validatem.cryto.net"
"nixos-manual-mdx.cryto.net"
"geojson.cryto.net"
"ossworks.nl"
];
https = [
both = [
"iomfats.cryto.net"
"castleroland.cryto.net"
"awesomedude.cryto.net"
@ -132,64 +123,28 @@ in {
"ossworks.nl"
];
})
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.borgbackup.jobs.system = {
paths = "/";
exclude = [
"/nix"
"/boot"
"/sys"
"/run"
"/tmp"
"/dev"
"/proc"
];
repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
encryption = {
mode = "repokey-blake2";
passphrase = (import ../private/machine-haless-03.cryto.net/borg-passphrase.nix);
};
compression = "auto,zlib";
startAt = "daily";
};
services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
default = true;
extraConfig = ''
return 404;
'';
};
"modular-matrix.cryto.net" = lib.mkMerge [
(nginx {
"modular-matrix.cryto.net" = [
(nginxPresets.letsEncrypt)
{ root = ./sources/modular-matrix; }
];
"geojson.cryto.net" = lib.mkMerge [
"geojson.cryto.net" = [
(nginxPresets.letsEncrypt)
{ root = ../../image-to-geojson/static; }
];
# "validatem.cryto.net" = lib.mkMerge [
# (nginxPresets.letsEncrypt)
# { root = ./sources/validatem-site; }
# ];
"validatem.cryto.net" = lib.mkMerge [
"validatem.cryto.net" = [
(nginxPresets.letsEncrypt)
{ root = ../../validatem/site/build; }
];
"ossworks.nl" = lib.mkMerge [
"ossworks.nl" = [
(nginxPresets.letsEncrypt)
{ root = ../../ossworks-site/build; }
];
"nixos-manual-mdx.cryto.net" = lib.mkMerge [
"nixos-manual-mdx.cryto.net" = [
(nginxPresets.letsEncrypt)
{ root = ../../nixos-manual-mdx/build; }
];
"haless.cryto.net" = lib.mkMerge [
"haless.cryto.net" = [
(nginxPresets.letsEncrypt)
{
locations."/shadow/" = {
@ -200,37 +155,59 @@ in {
};
}
];
"books.cryto.net" = lib.mkMerge [
"books.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.phpDisabled)
];
"todo.cryto.net" = lib.mkMerge [
"todo.cryto.net" = [
(nginxPresets.phpDisabled)
];
"learn.cryto.net" = lib.mkMerge [
"learn.cryto.net" = [
(nginxPresets.phpDisabled)
];
"vps-list.cryto.net" = lib.mkMerge [
"vps-list.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.phpDisabled)
];
"iomfats.cryto.net" = lib.mkMerge [
"iomfats.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"castleroland.cryto.net" = lib.mkMerge [
"castleroland.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"awesomedude.cryto.net" = lib.mkMerge [
"awesomedude.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
"matrix-rooms.cryto.net" = lib.mkMerge [
"matrix-rooms.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3842/")
];
})
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.borgbackup.jobs.system = {
paths = "/";
exclude = [
"/nix"
"/boot"
"/sys"
"/run"
"/tmp"
"/dev"
"/proc"
];
repo = "backup-haless@machine-borg2-01.cryto.net:haless-03";
encryption = {
mode = "repokey-blake2";
passphrase = (import ../private/machine-haless-03.cryto.net/borg-passphrase.nix);
};
compression = "auto,zlib";
startAt = "daily";
};
users.groups.mobile-proxy = {};
@ -309,6 +286,15 @@ in {
(tincConfiguration { hostname = "machine-konjassiem-02.cryto.net"; nodes = nodes; })
(trackSystemMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
(trackServiceMetrics nodes."machine-konjassiem-02.cryto.net".internalIpv4)
(httpHealthChecks {
both = [ "git.cryto.net" ];
})
(nginx {
"git.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
})
];
services.postgresql = {
@ -334,22 +320,6 @@ in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
default = true;
extraConfig = ''
return 404;
'';
};
"git.cryto.net" = lib.mkMerge [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://127.0.0.1:3000/")
];
};
};
# NOTE: Workaround that removes `setuid` from the disallowed syscall list, because otherwise sendmail/opensmtpd breaks
# systemd.services.gitea.serviceConfig.SystemCallFilter = lib.mkForce "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @resources @swap";
@ -484,36 +454,25 @@ in {
# "nix-cache.cryto.net" # Not directory-indexable
];
})
];
services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
# Pseudo-hostname just to set a default when no Host header is specified
default = true;
extraConfig = ''
return 404;
'';
};
"hydra.cryto.net" = lib.mkMerge [
(nginx {
"hydra.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://localhost:3333/")
];
"prometheus.cryto.net" = lib.mkMerge [
"prometheus.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://localhost:9090/")
];
"metrics.cryto.net" = lib.mkMerge [
"metrics.cryto.net" = [
(nginxPresets.letsEncrypt)
(nginxPresets.reverseProxy "http://localhost:8452/")
];
"nix-cache.cryto.net" = lib.mkMerge [
"nix-cache.cryto.net" = [
(nginxPresets.letsEncrypt)
{ root = "/var/lib/hydra-builds"; }
];
};
};
})
];
services.postgresql = {
enable = true;
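Review bot: Nothing in this diff shows `lib/http-health-checks.nix` (imported near the top of the file) accepting the new `both` key that the haless-03 and konjassiem-02 health-check blocks now pass instead of `http`/`https`; the helper change must live in another commit, so it is worth confirming before this lands. Depending on how that helper destructures its argument, an unsupported key either fails evaluation or, with an `...` ellipsis, is silently ignored so these hosts drop out of monitoring; a comment at the first use, `# both = probe over http and https`, would document the intent either way. Separately, enabling nginx now happens inside the `nginx { ... }` entry of each machine's `imports` list (which begins outside these hunks) while `networking.firewall.allowedTCPPorts = [ 80 443 ];` stays a per-machine line, so a machine that adopts the preset without that line ends up with a bound but unreachable server; a comment next to the preset call, `# pair with allowedTCPPorts 80/443 below`, keeps the two from drifting apart.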

@ -0,0 +1,17 @@
hosts: { lib, ... }:
let
mapMkMerge = builtins.mapAttrs (_host: configs: lib.mkMerge configs);
in {
services.nginx = {
enable = true;
virtualHosts = {
"404.cryto.net" = {
# Pseudo-hostname just to set a default when no Host header is specified
default = true;
extraConfig = ''
return 404;
'';
};
} // mapMkMerge hosts;
};
}
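Review bot: The catch-all vhost in this preset only covers plain HTTP: `default = true` without `addSSL`/`forceSSL`/`onlySSL` makes nginx listen for it on port 80 alone, so a request on 443 whose SNI/Host matches no configured name is answered by whichever TLS server block comes first in the generated config, exposing that host's certificate and content instead of the intended 404. If the pinned nixpkgs has the `rejectSSL` vhost option (nginx 1.19.4+), adding `rejectSSL = true;` to the `"404.cryto.net"` block closes that gap; otherwise the block needs a TLS listen with a throwaway certificate. The `// mapMkMerge hosts` merge is right-biased, so a caller passing a `"404.cryto.net"` key silently replaces the default block; an `assert !(hosts ? "404.cryto.net");` before the attrset would make that explicit. A header comment describing the argument would also help, e.g. `# hosts: attrset of vhost name -> list of virtualHost fragments; each list is lib.mkMerge'd into services.nginx.virtualHosts.<name>`.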