create nginx magic module

This commit is contained in:
Vivian 2023-05-05 10:04:38 +02:00
parent e34c892fc2
commit 64bdee8a12
12 changed files with 111 additions and 64 deletions


@ -1,3 +1,3 @@
{ ... }: { { ... }: {
imports = [ ./meta.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ]; imports = [ ./meta.nix ./nginx.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
} }


@ -12,6 +12,7 @@ let
}; };
port = mkOption { port = mkOption {
type = types.int; type = types.int;
default = 80;
example = 4242; example = 4242;
description = '' description = ''
The port under which the service runs on the host The port under which the service runs on the host
@ -21,6 +22,7 @@ let
}; };
in { in {
options.meta = { options.meta = {
exposes = mkOption { exposes = mkOption {
type = with types; attrsOf (submodule exposesOpts); type = with types; attrsOf (submodule exposesOpts);
description = '' description = ''
@ -37,6 +39,5 @@ in {
}; };
config = { config = {
}; };
} }
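Review bot: `port` keeps `type = types.int;` on the line right above the new `default = 80`, so a negative or out-of-range value passes the module system and only fails later inside the nginx or firewall config; `types.port` rejects anything outside 0–65535 at evaluation time. Change `type = types.int;` to `type = types.port;`. The `exposesOpts` submodule this option belongs to starts outside the hunk.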


@ -0,0 +1,32 @@
{ lib, hosts, config, ... }:
with lib;
let cfg = config.services.v.nginx;
in {
options.services.v.nginx.generateVirtualHosts =
mkEnableOption "generate vhosts";
config = let
proxy = url: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = url;
proxyWebsockets = true;
};
};
hosts' =
filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
exposes = { ip, exposes, ... }:
map ({ domain, port ? 80}: { inherit ip domain port; }) (attrValues exposes);
mkVhost = { ip, domain, port}: {
"${domain}" = proxy "http://${ip}:${toString port}";
};
vhosts = foldr (el: acc: acc // mkVhost el) { } (concatMap exposes hosts');
in mkIf cfg.generateVirtualHosts {
services.nginx.virtualHosts = vhosts;
};
}
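Review bot: Two hosts that expose the same `domain` are merged silently on the `foldr (el: acc: acc // mkVhost el)` line — one backend wins, the other is never proxied, and nothing fails at evaluation time. Because `vhosts` is keyed by domain, an assertion over the collected domains turns that into a build error; the rewrite below keeps the generated attrset and adds the check. The `port ? 80` fallback in `exposes` also duplicates the `default = 80` that meta.nix now declares on the option, so it can be dropped to keep a single source of truth.
```nix
  config = let
    # … unchanged: proxy, hosts', exposes, mkVhost …
    exposed = concatMap exposes hosts';
    domains = map (e: e.domain) exposed;
    vhosts = foldr (el: acc: acc // mkVhost el) { } exposed;
  in mkIf cfg.generateVirtualHosts {
    assertions = [{
      assertion = length domains == length (unique domains);
      message = "services.v.nginx: a domain appears in more than one meta.exposes entry";
    }];
    services.nginx.virtualHosts = vhosts;
  };
```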


@ -36,6 +36,10 @@
ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee"; ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
mac = "9E:60:78:ED:81:B4"; mac = "9E:60:78:ED:81:B4";
nix = false; nix = false;
exposes.ha = {
domain = "ha.0x76.dev";
port = 8123;
};
}; };
"nginx" = { "nginx" = {
ip = "10.42.42.9"; ip = "10.42.42.9";
@ -46,10 +50,19 @@
"kubernetes" = { "kubernetes" = {
ip = "10.42.42.10"; ip = "10.42.42.10";
mac = "6E:A5:25:99:FE:68"; mac = "6E:A5:25:99:FE:68";
exposes = {
www.domain = "0x76.dev";
internal.domain = "internal.xirion.net";
blog.domain = "blog.xirion.net";
};
}; };
"dex" = { "dex" = {
ip = "10.42.42.11"; ip = "10.42.42.11";
mac = "AE:66:7B:FA:15:72"; mac = "AE:66:7B:FA:15:72";
exposes.dex = {
domain = "dex.0x76.dev";
port = 5556;
};
}; };
"WoolooTV" = { "WoolooTV" = {
ip = "10.42.42.13"; ip = "10.42.42.13";
@ -59,6 +72,10 @@
"outline" = { "outline" = {
ip = "10.42.42.14"; ip = "10.42.42.14";
mac = "52:13:EB:FD:87:F0"; mac = "52:13:EB:FD:87:F0";
exposes.outline = {
domain = "outline.0x76.dev";
port = 3000;
};
}; };
"dns-1" = { "dns-1" = {
profile = "dns"; profile = "dns";
@ -75,6 +92,10 @@
"minio" = { "minio" = {
ip = "10.42.42.17"; ip = "10.42.42.17";
mac = "0A:06:5E:E7:9A:0C"; mac = "0A:06:5E:E7:9A:0C";
exposes.minio = {
domain = "o.0x76.dev";
port = 9000;
};
}; };
"mailserver" = { "mailserver" = {
ip = "10.42.42.18"; ip = "10.42.42.18";
@ -83,6 +104,12 @@
"victoriametrics" = { "victoriametrics" = {
ip = "10.42.42.19"; ip = "10.42.42.19";
mac = "9E:91:61:35:84:1F"; mac = "9E:91:61:35:84:1F";
exposes = {
grafana = {
domain = "grafana.0x76.dev";
port = 2342;
};
};
}; };
"unifi" = { "unifi" = {
ip = "10.42.42.20"; ip = "10.42.42.20";
@ -96,21 +123,27 @@
"gitea" = { "gitea" = {
ip = "10.42.42.22"; ip = "10.42.42.22";
mac = "DE:5F:B0:83:6F:34"; mac = "DE:5F:B0:83:6F:34";
exposes.git = {
domain = "git.0x76.dev";
port = 3000;
};
}; };
"hedgedoc" = { "hedgedoc" = {
ip = "10.42.42.23"; ip = "10.42.42.23";
mac = "86:BC:0C:18:BC:9B"; mac = "86:BC:0C:18:BC:9B";
exposes = { exposes.md = {
md = { domain = "md.0x76.dev";
domain = "md.0x76.dev"; port = 3000;
port = 3000;
};
}; };
}; };
"zmeura" = { "zmeura" = {
ip = "10.42.42.24"; ip = "10.42.42.24";
mac = "b8:27:eb:d5:e0:f5"; mac = "b8:27:eb:d5:e0:f5";
nix = false; nix = false;
exposes.andreea = {
domain = "andreea.redshifts.xyz";
port = 8008;
};
}; };
"wireguard" = { "wireguard" = {
ip = "10.42.42.25"; ip = "10.42.42.25";
@ -121,6 +154,10 @@
ip = "10.42.42.27"; ip = "10.42.42.27";
mac = "9E:8A:6C:39:27:DE"; mac = "9E:8A:6C:39:27:DE";
nix = false; nix = false;
exposes.books = {
domain = "books.meowy.tech";
port = 8001;
};
}; };
"synapse" = { "synapse" = {
ip = "10.42.42.28"; ip = "10.42.42.28";
@ -140,10 +177,15 @@
"ntfy" = { "ntfy" = {
ip = "10.42.42.32"; ip = "10.42.42.32";
mac = "7A:17:9E:80:72:01"; mac = "7A:17:9E:80:72:01";
exposes.ntfy.domain = "ntfy.0x76.dev";
}; };
"woodpecker" = { "woodpecker" = {
ip = "10.42.42.33"; ip = "10.42.42.33";
mac = "1E:24:DA:DB:4A:1A"; mac = "1E:24:DA:DB:4A:1A";
exposes.ci = {
domain = "ci.0x76.dev";
port = 8000;
};
}; };
"nuc" = { "nuc" = {
ip = "10.42.42.42"; ip = "10.42.42.42";


@ -7,6 +7,7 @@ let
vs = config.vault-secrets.secrets; vs = config.vault-secrets.secrets;
db_user = "dex"; db_user = "dex";
db_name = "dex"; db_name = "dex";
inherit (config.meta.exposes.dex) port;
in { in {
imports = [ ]; imports = [ ];
@ -18,7 +19,7 @@ in {
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment? system.stateVersion = "23.05"; # Did you read the comment?
networking.firewall.allowedTCPPorts = [ 5556 ]; networking.firewall.allowedTCPPorts = [ port ];
services.postgresql = { services.postgresql = {
enable = true; enable = true;
@ -47,7 +48,7 @@ in {
database = db_name; database = db_name;
}; };
}; };
web.http = "0.0.0.0:5556"; web.http = "0.0.0.0:${toString port}";
connectors = [{ connectors = [{
type = "gitea"; type = "gitea";


@ -3,7 +3,9 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let vs = config.vault-secrets.secrets; let
vs = config.vault-secrets.secrets;
inherit (config.meta.exposes.git) port;
in { in {
imports = [ ]; imports = [ ];
@ -20,8 +22,7 @@ in {
environment.noXlibs = lib.mkForce false; environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = networking.firewall.allowedTCPPorts = [ port ];
[ config.services.gitea.settings.server.HTTP_PORT ];
services.openssh.startWhenNeeded = false; services.openssh.startWhenNeeded = false;
@ -77,6 +78,7 @@ in {
SSH_PORT = 42; SSH_PORT = 42;
DOMAIN = "git.0x76.dev"; DOMAIN = "git.0x76.dev";
ROOT_URL = "https://git.0x76.dev"; ROOT_URL = "https://git.0x76.dev";
HTTP_PORT = port;
}; };
session = { session = {
"PROVIDER" = "db"; "PROVIDER" = "db";


@ -21,8 +21,7 @@ in {
environment.noXlibs = lib.mkForce false; environment.noXlibs = lib.mkForce false;
networking.firewall.allowedTCPPorts = networking.firewall.allowedTCPPorts = [ port ];
[ config.services.hedgedoc.settings.port ];
vault-secrets.secrets.hedgedoc = { }; vault-secrets.secrets.hedgedoc = { };
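Review bot: The new firewall line references `port`, but no hunk in this section introduces that binding — every other module in the commit adds an `inherit (config.meta.exposes.<name>) port;` to its `let`, and hedgedoc shows only the firewall change. If the binding already exists above, check that `services.hedgedoc.settings.port` is set from the same value, because the removed line derived the firewall port from that setting and so guaranteed the two agreed; otherwise add `inherit (config.meta.exposes.md) port;` to the `let` block (the hosts file names this entry `exposes.md`). The enclosing module body starts and ends outside the hunk.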


@ -5,8 +5,8 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
vs = config.vault-secrets.secrets; vs = config.vault-secrets.secrets;
listenPort = 9000; listenPort = config.meta.exposes.minio.port;
consolePort = 9001; consolePort = listenPort + 1;
in { in {
imports = [ ]; imports = [ ];
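Review bot: `consolePort = listenPort + 1;` now moves the MinIO console whenever someone edits `meta.exposes.minio.port`, and that coupling is not stated anywhere; the previous pair of literals at least made both ports visible. Only the `minio` entry is present in the hosts file's `exposes`, so the console port is not among the vhosts that services.v.nginx generates — a comment above the line such as `# console is conventionally listenPort + 1; it is not in meta.exposes and so gets no generated vhost` would save the next reader from checking. The `let` block continues outside the hunk.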


@ -1,16 +1,5 @@
{ pkgs, config, hosts, lib, ... }: { pkgs, ... }:
let let
inherit (builtins) filter hasAttr attrValues concatMap;
proxy = url: {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = url;
proxyWebsockets = true;
};
};
k8s_proxy = proxy "http://kubernetes.olympus:80/";
clientConfig = { clientConfig = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://chat.meowy.tech"; base_url = "https://chat.meowy.tech";
@ -24,16 +13,6 @@ let
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}'; return 200 '${builtins.toJSON data}';
''; '';
hostsWithExposes =
filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
exposes = { ip, exposes, ... }:
map ({ domain, port }: { inherit ip domain port; }) (attrValues exposes);
mkVhost = { ip, domain, port }: {
"${domain}" = proxy "http://${ip}:${toString port}";
};
vhosts = lib.foldr (el: acc: acc // mkVhost el) { }
(concatMap exposes hostsWithExposes);
in { in {
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
@ -45,6 +24,9 @@ in {
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
# Generates vhosts for all hosts that have an `exposes` section
services.v.nginx.generateVirtualHosts = true;
services.nginx = { services.nginx = {
enable = true; enable = true;
statusPage = true; statusPage = true;
@ -57,16 +39,7 @@ in {
package = pkgs.nginxMainline; package = pkgs.nginxMainline;
# Templated # Templated
virtualHosts = vhosts // { virtualHosts = {
# 0x76.dev
"ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
"git.0x76.dev" = proxy "http://gitea.olympus:3000";
"o.0x76.dev" = proxy "http://minio.olympus:9000";
"grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
"outline.0x76.dev" = proxy "http://outline.olympus:3000";
"ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
"ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
"dex.0x76.dev" = proxy "http://dex.olympus:5556";
"pass.0x76.dev" = { "pass.0x76.dev" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -84,9 +57,6 @@ in {
}; };
}; };
# Redshifts
"andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008";
# Meow # Meow
"meowy.tech" = { "meowy.tech" = {
enableACME = true; enableACME = true;
@ -150,12 +120,6 @@ in {
forceSSL = true; forceSSL = true;
root = pkgs.synapse-admin; root = pkgs.synapse-admin;
}; };
"books.meowy.tech" = proxy "http://bookwyrm.olympus:8001";
# Kubernetes endpoints
"0x76.dev" = k8s_proxy;
"internal.xirion.net" = k8s_proxy;
"blog.xirion.net" = k8s_proxy;
}; };
}; };
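Review bot: The `# Templated` comment now sits directly above `virtualHosts = {`, which after this change holds only the hand-written entries — the templated ones moved to services.v.nginx — so the comment describes what was removed rather than what follows. Replace it with `# Hand-written vhosts; per-host proxies are generated from meta.exposes by services.v.nginx` or drop it. In the first hunk the module arguments shrink to `{ pkgs, ... }`; if any part of the file outside the visible hunks still references `config`, `lib` or `hosts`, evaluation will fail, which is worth a check since the hunks do not show the whole file.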


@ -3,7 +3,9 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, ... }: { config, ... }:
let vs = config.vault-secrets.secrets; let
vs = config.vault-secrets.secrets;
inherit (config.meta.exposes.outline) port;
in { in {
imports = [ ]; imports = [ ];
@ -16,16 +18,17 @@ in {
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
# Additional packages # Additional packages
networking.firewall.allowedTCPPorts = [ config.services.outline.port ]; networking.firewall.allowedTCPPorts = [ port ];
vault-secrets.secrets.outline = { vault-secrets.secrets.outline = {
inherit (config.services.outline) user group; inherit (config.services.outline) user group;
}; };
services.outline = { services.outline = {
inherit port;
enable = true; enable = true;
concurrency = 1; concurrency = 1;
port = 3000;
redisUrl = "local"; redisUrl = "local";
databaseUrl = "local"; databaseUrl = "local";
publicUrl = "https://outline.0x76.dev"; publicUrl = "https://outline.0x76.dev";


@ -5,6 +5,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
let let
vmPort = 8428; vmPort = 8428;
grafanaPort = config.meta.exposes.grafana.port;
vs = config.vault-secrets.secrets; vs = config.vault-secrets.secrets;
in { in {
imports = [ ]; imports = [ ];
@ -78,7 +79,7 @@ in {
domain = "grafana.0x76.dev"; domain = "grafana.0x76.dev";
root_url = "https://grafana.0x76.dev"; root_url = "https://grafana.0x76.dev";
http_addr = "0.0.0.0"; http_addr = "0.0.0.0";
http_port = 2342; http_port = grafanaPort;
}; };
security.admin_password = "$__file{${vs.grafana}/password}"; security.admin_password = "$__file{${vs.grafana}/password}";
}; };


@ -3,7 +3,9 @@
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }: { config, pkgs, ... }:
let vs = config.vault-secrets.secrets; let
inherit (config.meta.exposes.ci) port;
vs = config.vault-secrets.secrets;
in { in {
imports = [ ]; imports = [ ];
@ -18,7 +20,7 @@ in {
# Additional packages # Additional packages
environment.systemPackages = with pkgs; [ ]; environment.systemPackages = with pkgs; [ ];
networking.firewall.allowedTCPPorts = [ 8000 9000 ]; networking.firewall.allowedTCPPorts = [ port 9000 ];
vault-secrets.secrets.woodpecker = { vault-secrets.secrets.woodpecker = {
services = [ "woodpecker-server" "woodpecker-agent-docker" ]; services = [ "woodpecker-server" "woodpecker-agent-docker" ];
@ -46,7 +48,7 @@ in {
WOODPECKER_GITEA_URL = "https://git.0x76.dev"; WOODPECKER_GITEA_URL = "https://git.0x76.dev";
WOODPECKER_ADMIN = "v"; WOODPECKER_ADMIN = "v";
WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true"; WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true";
WOODPECKER_SERVER_ADDR = "10.42.42.33:8000"; WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}";
}; };
environmentFile = "${vs.woodpecker}/environment"; environmentFile = "${vs.woodpecker}/environment";
}; };
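Review bot: `WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}"` still embeds the host's address as a literal, so the port now follows `meta.exposes.ci` while the IP duplicates the `ip` that the hosts file declares for `woodpecker`; the two can drift independently. If this module receives the `hosts` argument the way nginx.nix does, the address could be taken from there instead of the literal, otherwise a comment noting that it must match the hosts file's entry would help. The `9000` left in `allowedTCPPorts` is likewise untouched and presumably belongs to a different service, which a short comment could name. The `environment` attrset this hunk edits starts outside the hunk.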