From 64bdee8a12616ccdfbef35d9bc36fd75fa67ecce Mon Sep 17 00:00:00 2001
From: Victor
Date: Fri, 5 May 2023 10:04:38 +0200
Subject: [PATCH] create nginx magic module
---
 nixos/common/modules/default.nix | 2 +-
 nixos/common/modules/meta.nix | 3 +-
 nixos/common/modules/nginx.nix | 32 ++++++++++++
 nixos/hosts/olympus/default.nix | 52 +++++++++++++++++--
 nixos/hosts/olympus/dex/configuration.nix | 5 +-
 nixos/hosts/olympus/gitea/configuration.nix | 8 +--
 .../hosts/olympus/hedgedoc/configuration.nix | 3 +-
 nixos/hosts/olympus/minio/configuration.nix | 4 +-
 nixos/hosts/olympus/nginx/configuration.nix | 46 ++--------
 nixos/hosts/olympus/outline/configuration.nix | 9 ++--
 .../olympus/victoriametrics/configuration.nix | 3 +-
 .../olympus/woodpecker/configuration.nix | 8 +--
 12 files changed, 111 insertions(+), 64 deletions(-)
 create mode 100644 nixos/common/modules/nginx.nix
diff --git a/nixos/common/modules/default.nix b/nixos/common/modules/default.nix
index 32e5402..6672702 100644
--- a/nixos/common/modules/default.nix
+++ b/nixos/common/modules/default.nix
@@ -1,3 +1,3 @@
 { ... }: {
- imports = [ ./meta.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
+ imports = [ ./meta.nix ./nginx.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
 }
diff --git a/nixos/common/modules/meta.nix b/nixos/common/modules/meta.nix
index 524e82b..562d21f 100644
--- a/nixos/common/modules/meta.nix
+++ b/nixos/common/modules/meta.nix
@@ -12,6 +12,7 @@ let
 };
 port = mkOption {
 type = types.int;
+ default = 80;
 example = 4242;
 description = ''
 The port under which the service runs on the host
@@ -21,6 +22,7 @@
 };
 in {
 options.meta = {
+
 exposes = mkOption {
 type = with types; attrsOf (submodule exposesOpts);
 description = ''
@@ -37,6 +39,5 @@
 };
 config = {
-
 };
 }
diff --git a/nixos/common/modules/nginx.nix b/nixos/common/modules/nginx.nix
new file mode 100644
index 0000000..4d1ac1f
--- /dev/null
+++ b/nixos/common/modules/nginx.nix
@@ -0,0 +1,32 @@
+{ lib, hosts, config, ... }:
+with lib;
+let cfg = config.services.v.nginx;
+in {
+ options.services.v.nginx.generateVirtualHosts =
+ mkEnableOption "generate vhosts";
+
+ config = let
+
+ proxy = url: {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = url;
+ proxyWebsockets = true;
+ };
+ };
+
+ hosts' =
+ filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
+ exposes = { ip, exposes, ... }:
+ map ({ domain, port ? 80}: { inherit ip domain port; }) (attrValues exposes);
+ mkVhost = { ip, domain, port}: {
+ "${domain}" = proxy "http://${ip}:${toString port}";
+ };
+ vhosts = foldr (el: acc: acc // mkVhost el) { } (concatMap exposes hosts');
+ in mkIf cfg.generateVirtualHosts {
+
+ services.nginx.virtualHosts = vhosts;
+
+ };
+}
diff --git a/nixos/hosts/olympus/default.nix b/nixos/hosts/olympus/default.nix
index 0adce81..f553528 100644
--- a/nixos/hosts/olympus/default.nix
+++ b/nixos/hosts/olympus/default.nix
@@ -36,6 +36,10 @@
 ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
 mac = "9E:60:78:ED:81:B4";
 nix = false;
+ exposes.ha = {
+ domain = "ha.0x76.dev";
+ port = 8123;
+ };
 };
 "nginx" = {
 ip = "10.42.42.9";
@@ -46,10 +50,19 @@
 "kubernetes" = {
 ip = "10.42.42.10";
 mac = "6E:A5:25:99:FE:68";
+ exposes = {
+ www.domain = "0x76.dev";
+ internal.domain = "internal.xirion.net";
+ blog.domain = "blog.xirion.net";
+ };
 };
 "dex" = {
 ip = "10.42.42.11";
 mac = "AE:66:7B:FA:15:72";
+ exposes.dex = {
+ domain = "dex.0x76.dev";
+ port = 5556;
+ };
 };
 "WoolooTV" = {
 ip = "10.42.42.13";
@@ -59,6 +72,10 @@
 "outline" = {
 ip = "10.42.42.14";
 mac = "52:13:EB:FD:87:F0";
+ exposes.outline = {
+ domain = "outline.0x76.dev";
+ port = 3000;
+ };
 };
 "dns-1" = {
 profile = "dns";
@@ -75,6 +92,10 @@
 "minio" = {
 ip = "10.42.42.17";
 mac = "0A:06:5E:E7:9A:0C";
+ exposes.minio = {
+ domain = "o.0x76.dev";
+ port = 9000;
+ };
 };
 "mailserver" = {
 ip = "10.42.42.18";
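Review bot: `vhosts` is built with `foldr (el: acc: acc // mkVhost el)`, so two `exposes` entries that name the same domain silently collapse into one vhost pointing at whichever host wins the merge, with no error at evaluation time; an assertion inside the `mkIf` block would catch that, e.g. `assertions = [{ assertion = let ds = map (e: e.domain) (concatMap exposes hosts'); in length ds == length (unique ds); message = "services.v.nginx: duplicate domain in meta.exposes"; }];`. The option also deserves a description that says where the data comes from, since `mkEnableOption "generate vhosts"` does not: `mkEnableOption "generating an ACME/forceSSL nginx virtualHost for every meta.exposes entry of the hosts in hosts.<networking.domain>, proxying to http://<ip>:<port>"`. Each generated vhost proxies to the backend over plain HTTP, as the removed code in nginx/configuration.nix already did, so TLS terminates on this host; worth a one-line comment on `proxy` so nobody assumes end-to-end encryption.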
@@ -83,6 +104,12 @@
 "victoriametrics" = {
 ip = "10.42.42.19";
 mac = "9E:91:61:35:84:1F";
+ exposes = {
+ grafana = {
+ domain = "grafana.0x76.dev";
+ port = 2342;
+ };
+ };
 };
 "unifi" = {
 ip = "10.42.42.20";
@@ -96,21 +123,27 @@
 "gitea" = {
 ip = "10.42.42.22";
 mac = "DE:5F:B0:83:6F:34";
+ exposes.git = {
+ domain = "git.0x76.dev";
+ port = 3000;
+ };
 };
 "hedgedoc" = {
 ip = "10.42.42.23";
 mac = "86:BC:0C:18:BC:9B";
- exposes = {
- md = {
- domain = "md.0x76.dev";
- port = 3000;
- };
+ exposes.md = {
+ domain = "md.0x76.dev";
+ port = 3000;
 };
 };
 "zmeura" = {
 ip = "10.42.42.24";
 mac = "b8:27:eb:d5:e0:f5";
 nix = false;
+ exposes.andreea = {
+ domain = "andreea.redshifts.xyz";
+ port = 8008;
+ };
 };
 "wireguard" = {
 ip = "10.42.42.25";
@@ -121,6 +154,10 @@
 ip = "10.42.42.27";
 mac = "9E:8A:6C:39:27:DE";
 nix = false;
+ exposes.books = {
+ domain = "books.meowy.tech";
+ port = 8001;
+ };
 };
 "synapse" = {
 ip = "10.42.42.28";
@@ -140,10 +177,15 @@
 "ntfy" = {
 ip = "10.42.42.32";
 mac = "7A:17:9E:80:72:01";
+ exposes.ntfy.domain = "ntfy.0x76.dev";
 };
 "woodpecker" = {
 ip = "10.42.42.33";
 mac = "1E:24:DA:DB:4A:1A";
+ exposes.ci = {
+ domain = "ci.0x76.dev";
+ port = 8000;
+ };
 };
 "nuc" = {
 ip = "10.42.42.42";
diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix
index 8d030c8..b205de8 100644
--- a/nixos/hosts/olympus/dex/configuration.nix
+++ b/nixos/hosts/olympus/dex/configuration.nix
@@ -7,6 +7,7 @@ let
 vs = config.vault-secrets.secrets;
 db_user = "dex";
 db_name = "dex";
+ inherit (config.meta.exposes.dex) port;
 in {
 imports = [ ];
@@ -18,7 +19,7 @@ in {
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
 system.stateVersion = "23.05"; # Did you read the comment?
- networking.firewall.allowedTCPPorts = [ 5556 ];
+ networking.firewall.allowedTCPPorts = [ port ];
 services.postgresql = {
 enable = true;
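Review bot: The `exposes` entries added to hosts/olympus/default.nix (this line and the hunks on the preceding one) now drive two things at once, the public nginx vhost and the firewall port that the service hosts read back through `config.meta.exposes.<name>.port` (dex, gitea, outline, minio, victoriametrics and woodpecker in this commit), but nothing in the file records that, so renaming a key such as `exposes.git` or `exposes.ci` silently breaks the evaluation of that host's configuration. A comment at the first entry would help, along the lines of `# exposes.<name>: the nginx host generates a TLS vhost for <domain> -> <ip>:<port>; the service's own configuration.nix reads the port back via config.meta.exposes.<name>, so keep the key names stable`. The `kubernetes` entries and `exposes.ntfy.domain` rely on the port default of 80 introduced in meta.nix, which is worth stating in the same comment.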
@@ -47,7 +48,7 @@ in {
 database = db_name;
 };
 };
- web.http = "0.0.0.0:5556";
+ web.http = "0.0.0.0:${toString port}";
 connectors = [{
 type = "gitea";
diff --git a/nixos/hosts/olympus/gitea/configuration.nix b/nixos/hosts/olympus/gitea/configuration.nix
index 2be1db9..8b8823c 100644
--- a/nixos/hosts/olympus/gitea/configuration.nix
+++ b/nixos/hosts/olympus/gitea/configuration.nix
@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { lib, config, pkgs, ... }:
-let vs = config.vault-secrets.secrets;
+let
+ vs = config.vault-secrets.secrets;
+ inherit (config.meta.exposes.git) port;
 in {
 imports = [ ];
@@ -20,8 +22,7 @@ in {
 environment.noXlibs = lib.mkForce false;
- networking.firewall.allowedTCPPorts =
- [ config.services.gitea.settings.server.HTTP_PORT ];
+ networking.firewall.allowedTCPPorts = [ port ];
 services.openssh.startWhenNeeded = false;
@@ -77,6 +78,7 @@ in {
 SSH_PORT = 42;
 DOMAIN = "git.0x76.dev";
 ROOT_URL = "https://git.0x76.dev";
+ HTTP_PORT = port;
 };
 session = {
 "PROVIDER" = "db";
diff --git a/nixos/hosts/olympus/hedgedoc/configuration.nix b/nixos/hosts/olympus/hedgedoc/configuration.nix
index 87e19bd..c23b63c 100644
--- a/nixos/hosts/olympus/hedgedoc/configuration.nix
+++ b/nixos/hosts/olympus/hedgedoc/configuration.nix
@@ -21,8 +21,7 @@ in {
 environment.noXlibs = lib.mkForce false;
- networking.firewall.allowedTCPPorts =
- [ config.services.hedgedoc.settings.port ];
+ networking.firewall.allowedTCPPorts = [ port ];
 vault-secrets.secrets.hedgedoc = { };
diff --git a/nixos/hosts/olympus/minio/configuration.nix b/nixos/hosts/olympus/minio/configuration.nix
index eae48e5..aa0fc92 100644
--- a/nixos/hosts/olympus/minio/configuration.nix
+++ b/nixos/hosts/olympus/minio/configuration.nix
@@ -5,8 +5,8 @@
 { config, pkgs, ... }:
 let
 vs = config.vault-secrets.secrets;
- listenPort = 9000;
- consolePort = 9001;
+ listenPort = config.meta.exposes.minio.port;
+ consolePort = listenPort + 1;
 in {
 imports = [ ];
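Review bot: In gitea/configuration.nix only the port is taken from `config.meta.exposes.git`, while `DOMAIN = "git.0x76.dev"` and `ROOT_URL = "https://git.0x76.dev"` in the same settings block still repeat the domain that `exposes.git.domain` now holds in hosts/olympus/default.nix, so the two copies can drift apart. `inherit (config.meta.exposes.git) port domain;` in the `let` and `DOMAIN = domain; ROOT_URL = "https://${domain}";` would keep a single source of truth; the same applies to `publicUrl` in outline/configuration.nix and to `domain`/`root_url` in victoriametrics/configuration.nix. This assumes `config.meta.exposes.<name>.domain` is populated alongside `port`, which the meta.nix hunk suggests but the patch does not show.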
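Review bot: In hedgedoc/configuration.nix `networking.firewall.allowedTCPPorts = [ port ]` is the only change to the file, so it relies on `port` already being bound in the enclosing `let` (outside the hunk); if it is not, the file stops evaluating, and unlike the other hosts in this commit no `inherit (config.meta.exposes.md) port;` is added here. The removed expression tied the firewall to `config.services.hedgedoc.settings.port`; make sure `settings.port` is itself set from the same `port` value, otherwise the opened port and the actual listener can disagree, for example `services.hedgedoc.settings.port = port;`.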
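Review bot: In minio/configuration.nix `consolePort = listenPort + 1` replaces two independent constants with an implicit adjacency rule, so changing `exposes.minio.port` in the hosts list now silently moves the console listener as well, and nothing documents that. Either keep `consolePort = 9001;` as an explicit value or add `# console always listens one port above the S3 API port (9000/9001 by default)` next to it. If the console port appears in a firewall list or elsewhere in the file outside this hunk, check that it is derived from `consolePort` rather than still hard-coded.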
diff --git a/nixos/hosts/olympus/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix
index ff5e447..2027eab 100644
--- a/nixos/hosts/olympus/nginx/configuration.nix
+++ b/nixos/hosts/olympus/nginx/configuration.nix
@@ -1,16 +1,5 @@
-{ pkgs, config, hosts, lib, ... }:
+{ pkgs, ... }:
 let
- inherit (builtins) filter hasAttr attrValues concatMap;
-
- proxy = url: {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = url;
- proxyWebsockets = true;
- };
- };
- k8s_proxy = proxy "http://kubernetes.olympus:80/";
 clientConfig = {
 "m.homeserver" = {
 base_url = "https://chat.meowy.tech";
@@ -24,16 +13,6 @@ let
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
-
- hostsWithExposes =
- filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
- exposes = { ip, exposes, ... }:
- map ({ domain, port }: { inherit ip domain port; }) (attrValues exposes);
- mkVhost = { ip, domain, port }: {
- "${domain}" = proxy "http://${ip}:${toString port}";
- };
- vhosts = lib.foldr (el: acc: acc // mkVhost el) { }
- (concatMap exposes hostsWithExposes);
 in {
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
@@ -45,6 +24,9 @@ in {
 networking.firewall.allowedTCPPorts = [ 80 443 ];
+ # Generates vhosts for all hosts that have an `exposes` section
+ services.v.nginx.generateVirtualHosts = true;
+
 services.nginx = {
 enable = true;
 statusPage = true;
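Review bot: The comment on `services.v.nginx.generateVirtualHosts = true;` should also say how the generated set relates to the literal `virtualHosts` block further down in this file: the removed `vhosts // { … }` let a hand-written entry silently override a generated one with the same domain, whereas now both are separate definitions of `services.nginx.virtualHosts` merged by the module system, so a domain present in both presumably ends in a conflicting-definition error (or an unintended merged vhost) rather than an override. Suggested wording: `# Generates vhosts for all hosts that have an \`exposes\` section; they are merged with the literal virtualHosts below by the module system, so a domain must not appear in both`. With `config`, `hosts` and `lib` dropped from the module arguments in the first hunk, any remaining use of them in the parts of the `let` the diff does not show would fail to evaluate; worth one check before merging.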
@@ -57,16 +39,7 @@ in {
 package = pkgs.nginxMainline;
 # Templated
- virtualHosts = vhosts // {
- # 0x76.dev
- "ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
- "git.0x76.dev" = proxy "http://gitea.olympus:3000";
- "o.0x76.dev" = proxy "http://minio.olympus:9000";
- "grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
- "outline.0x76.dev" = proxy "http://outline.olympus:3000";
- "ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
- "ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
- "dex.0x76.dev" = proxy "http://dex.olympus:5556";
+ virtualHosts = {
 "pass.0x76.dev" = {
 enableACME = true;
 forceSSL = true;
@@ -84,9 +57,6 @@ in {
 };
 };
- # Redshifts
- "andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008";
-
 # Meow
 "meowy.tech" = {
 enableACME = true;
@@ -150,12 +120,6 @@ in {
 forceSSL = true;
 root = pkgs.synapse-admin;
 };
- "books.meowy.tech" = proxy "http://bookwyrm.olympus:8001";
-
- # Kubernetes endpoints
- "0x76.dev" = k8s_proxy;
- "internal.xirion.net" = k8s_proxy;
- "blog.xirion.net" = k8s_proxy;
 };
 };
diff --git a/nixos/hosts/olympus/outline/configuration.nix b/nixos/hosts/olympus/outline/configuration.nix
index 1ac2cd3..43d9e99 100644
--- a/nixos/hosts/olympus/outline/configuration.nix
+++ b/nixos/hosts/olympus/outline/configuration.nix
@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, ... }:
-let vs = config.vault-secrets.secrets;
+let
+ vs = config.vault-secrets.secrets;
+ inherit (config.meta.exposes.outline) port;
 in {
 imports = [ ];
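Review bot: The context line `# Templated` above `virtualHosts = {` is now stale: the templated entries moved to services.v.nginx and everything left in this block is hand-written. Replace it with `# Hand-written vhosts; the proxied services are generated by services.v.nginx from meta.exposes`. The removed `k8s_proxy` entries (`0x76.dev`, `internal.xirion.net`, `blog.xirion.net`) are regenerated from the `kubernetes` host's `exposes` with the port default of 80, matching the old `http://kubernetes.olympus:80/` except for the trailing slash, which for a `locations."/"` proxyPass should not change the upstream path; the old proxies by `.olympus` name are also replaced by the raw `ip` from the hosts list, so DNS is no longer involved in reaching the backends.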
@@ -16,16 +18,17 @@ in {
 system.stateVersion = "22.11"; # Did you read the comment?
 # Additional packages
- networking.firewall.allowedTCPPorts = [ config.services.outline.port ];
+ networking.firewall.allowedTCPPorts = [ port ];
 vault-secrets.secrets.outline = {
 inherit (config.services.outline) user group;
 };
 services.outline = {
+ inherit port;
+
 enable = true;
 concurrency = 1;
- port = 3000;
 redisUrl = "local";
 databaseUrl = "local";
 publicUrl = "https://outline.0x76.dev";
diff --git a/nixos/hosts/olympus/victoriametrics/configuration.nix b/nixos/hosts/olympus/victoriametrics/configuration.nix
index 9678ebf..da9d327 100644
--- a/nixos/hosts/olympus/victoriametrics/configuration.nix
+++ b/nixos/hosts/olympus/victoriametrics/configuration.nix
@@ -5,6 +5,7 @@
 { config, pkgs, ... }:
 let
 vmPort = 8428;
+ grafanaPort = config.meta.exposes.grafana.port;
 vs = config.vault-secrets.secrets;
 in {
 imports = [ ];
@@ -78,7 +79,7 @@ in {
 domain = "grafana.0x76.dev";
 root_url = "https://grafana.0x76.dev";
 http_addr = "0.0.0.0";
- http_port = 2342;
+ http_port = grafanaPort;
 };
 security.admin_password = "$__file{${vs.grafana}/password}";
 };
diff --git a/nixos/hosts/olympus/woodpecker/configuration.nix b/nixos/hosts/olympus/woodpecker/configuration.nix
index 682338b..c5da5db 100644
--- a/nixos/hosts/olympus/woodpecker/configuration.nix
+++ b/nixos/hosts/olympus/woodpecker/configuration.nix
@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
-let vs = config.vault-secrets.secrets;
+let
+ inherit (config.meta.exposes.ci) port;
+ vs = config.vault-secrets.secrets;
 in {
 imports = [ ];
@@ -18,7 +20,7 @@ in {
 # Additional packages
 environment.systemPackages = with pkgs; [ ];
- networking.firewall.allowedTCPPorts = [ 8000 9000 ];
+ networking.firewall.allowedTCPPorts = [ port 9000 ];
 vault-secrets.secrets.woodpecker = {
 services = [ "woodpecker-server" "woodpecker-agent-docker" ];
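Review bot: In woodpecker/configuration.nix `[ port 9000 ]` templates the HTTP port but leaves `9000` as a bare number beside it, with nothing in the file saying what it opens; presumably the server's gRPC listener for the agent, but that is inferred. Add `# 9000: woodpecker-server gRPC port used by the agent - TODO confirm` or, if the server's gRPC address is configured elsewhere in the file, bind the firewall entry to that value. The `let` here puts `inherit … port;` above `vs`, unlike gitea and outline in this same commit where `vs` stays first; harmless, but worth making consistent.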
@@ -46,7 +48,7 @@ in {
 WOODPECKER_GITEA_URL = "https://git.0x76.dev";
 WOODPECKER_ADMIN = "v";
 WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true";
- WOODPECKER_SERVER_ADDR = "10.42.42.33:8000";
+ WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}";
 };
 environmentFile = "${vs.woodpecker}/environment";
 };
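Review bot: `WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}"` still hard-codes the host's own address, the same value the hosts list carries as `ip` for `"woodpecker"`, so the port is now derived from one place but the address is not and the two can drift when the host is renumbered. If the meta module exposes the host's address, take it from there; otherwise add `# must match hosts.olympus.woodpecker.ip` so the coupling is visible. The enclosing environment attrset starts outside the hunk.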