start set up for multi-location nixos flake

2022-07-30 22:16:44 +02:00 · 2022-07-30 22:16:44 +02:00 · 4b7d60c090
commit 4b7d60c090
parent fa09f75ac6
23 changed files with 26 additions and 12 deletions
--- a/nixos/hosts/olympus/nginx/configuration.nix
+++ b/nixos/hosts/olympus/nginx/configuration.nix
@ -0,0 +1,130 @@
+{ config, pkgs, ... }:
+let
+  proxy = url: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = url;
+      proxyWebsockets = true;
+    };
+  };
+  k8s_proxy = proxy "http://10.42.42.150:8000/";
+  clientConfig = {
+    "m.homeserver" = {
+      base_url = "https://chat.meowy.tech";
+      server_name = "meowy.tech";
+    };
+    "m.identity_server" = { };
+  };
+  serverConfig."m.server" = "chat.meowy.tech:443";
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+in
+{
+  networking.hostName = "nginx";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.05"; # Did you read the comment?
+
+  # Additional packages
+  environment.systemPackages = with pkgs; [ ];
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+    statusPage = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+
+    package = pkgs.nginxMainline.override {
+      modules = with pkgs.nginxModules; [ brotli ];
+    };
+
+    # Reverse Proxies
+    virtualHosts."ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
+    virtualHosts."zookeeper-dev.0x76.dev" = proxy "http://eevee.olympus:8085/";
+    virtualHosts."md.0x76.dev" = proxy "http://hedgedoc.olympus:3000/";
+    virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000";
+    virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000";
+    virtualHosts."grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
+
+    # Meow
+    virtualHosts."meowy.tech" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".extraConfig = ''
+        add_header Content-Type 'text/html; charset=UTF-8';
+        return 200 '<h1>meow</h1>';
+      '';
+      locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+      locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+    };
+    virtualHosts."chat.meowy.tech" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".extraConfig = ''
+        return 307 https://element.chat.meowy.tech;
+      '';
+      locations."/_matrix".proxyPass = "http://synapse.olympus:8008";
+      locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008";
+    };
+    virtualHosts."element.chat.meowy.tech" = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = pkgs.element-web.override {
+        conf = {
+          default_server_config = clientConfig;
+          show_labs_settings = true;
+          brand = "chat.meowy.tech";
+        };
+      };
+    };
+    virtualHosts."admin.chat.meowy.tech" = {
+      enableACME = true;
+      forceSSL = true;
+      root = pkgs.synapse-admin;
+    };
+
+    # Kubernetes endpoints
+    virtualHosts."0x76.dev" = k8s_proxy;
+    virtualHosts."drone.0x76.dev" = k8s_proxy;
+    virtualHosts."id.0x76.dev" = k8s_proxy;
+    virtualHosts."msg.0x76.dev" = k8s_proxy;
+    virtualHosts."zookeeper.0x76.dev" = k8s_proxy;
+    virtualHosts."wooloofan.club" = k8s_proxy;
+    virtualHosts."whoami.wooloofan.club" = k8s_proxy;
+  };
+
+  services.nginx.commonHttpConfig = ''
+    brotli on;
+    brotli_comp_level 6;
+    brotli_static on;
+    brotli_types application/atom+xml application/javascript application/json application/rss+xml
+                application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
+                application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
+                font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
+                image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+  '';
+
+  security.acme.defaults.email = "victorheld12@gmail.com";
+  security.acme.acceptTerms = true;
+  security.acme.preliminarySelfsigned = true;
+
+  services.prometheus.exporters = {
+    nginx = {
+      enable = true;
+      openFirewall = true;
+    };
+  };
+}