create nginx magic module
This commit is contained in:
parent
e34c892fc2
commit
64bdee8a12
|
@ -1,3 +1,3 @@
|
|||
{ ... }: {
|
||||
imports = [ ./meta.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
|
||||
imports = [ ./meta.nix ./nginx.nix ./dns.nix ./flood.nix ./gnome ./unpackerr.nix ./vault.nix ];
|
||||
}
|
||||
|
|
|
@ -12,6 +12,7 @@ let
|
|||
};
|
||||
port = mkOption {
|
||||
type = types.int;
|
||||
default = 80;
|
||||
example = 4242;
|
||||
description = ''
|
||||
The port under which the service runs on the host
|
||||
|
@ -21,6 +22,7 @@ let
|
|||
};
|
||||
in {
|
||||
options.meta = {
|
||||
|
||||
exposes = mkOption {
|
||||
type = with types; attrsOf (submodule exposesOpts);
|
||||
description = ''
|
||||
|
@ -37,6 +39,5 @@ in {
|
|||
};
|
||||
|
||||
config = {
|
||||
|
||||
};
|
||||
}
|
||||
|
|
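Review bot: The new `port` option in the exposesOpts submodule is declared `type = types.int;`, which accepts negative or out-of-range values that then flow unchecked into the consumers' firewall lists and into the generated `proxyPass` URL; `type = types.port;` is the nixpkgs type for this and rejects anything outside 0–65535 at evaluation time. The `default = 80` here duplicates the `port ? 80` fallback in the new nginx module's destructuring, and since the submodule default always fills the attribute, the `? 80` in nginx.nix is redundant and could be dropped. The description would also help readers more if it said what the value is used for beyond the host itself, e.g. `The TCP port the service listens on; the central nginx module proxies the exposed domain to it and the host opens it in its firewall.`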
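--- /dev/null
+++ b/nixos/common/modules/nginx.nix
@@ -0,0 +1,32 @@
+{ lib, hosts, config, ... }:
+with lib;
+let cfg = config.services.v.nginx;
+in {
+options.services.v.nginx.generateVirtualHosts =
+mkEnableOption "generate vhosts";
+
+config = let
+
+proxy = url: {
+enableACME = true;
+forceSSL = true;
+locations."/" = {
+proxyPass = url;
+proxyWebsockets = true;
+};
+};
+
+hosts' =
+filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
+exposes = { ip, exposes, ... }:
+map ({ domain, port ? 80}: { inherit ip domain port; }) (attrValues exposes);
+mkVhost = { ip, domain, port}: {
+"${domain}" = proxy "http://${ip}:${toString port}";
+};
+vhosts = foldr (el: acc: acc // mkVhost el) { } (concatMap exposes hosts');
+in mkIf cfg.generateVirtualHosts {
+
+services.nginx.virtualHosts = vhosts;
+
+};
+}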
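Review bot: `vhosts` is folded with `acc // mkVhost el`, so two hosts exposing the same `domain` silently overwrite each other and the survivor depends on fold order (with `foldr` and a right-biased `//` the element earliest in the list wins), which is easy to get wrong since the generated vhost also requests an ACME certificate for that name. Using `vhosts = foldr (el: acc: unionOfDisjoint acc (mkVhost el)) { } (concatMap exposes hosts');` turns a duplicate domain into an evaluation error (`lib.attrsets.unionOfDisjoint` is in recent nixpkgs; otherwise an `assert` over `builtins.intersectAttrs` does the same). The pattern `{ ip, exposes, ... }` also makes `ip` mandatory for every host that has an `exposes` attribute, and a missing `ip` surfaces only as a generic pattern-match error, so a comment such as `# every host with an exposes section must also declare ip` next to `hosts'` would help. A short module header comment stating that the hosts table is the trusted source of vhost names and that backends are reached over plain http on the internal network would document the trust boundary the module relies on.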
|
@ -36,6 +36,10 @@
|
|||
ip6 = "2001:41f0:9639:1:bfe7:3fd9:75de:cbee";
|
||||
mac = "9E:60:78:ED:81:B4";
|
||||
nix = false;
|
||||
exposes.ha = {
|
||||
domain = "ha.0x76.dev";
|
||||
port = 8123;
|
||||
};
|
||||
};
|
||||
"nginx" = {
|
||||
ip = "10.42.42.9";
|
||||
|
@ -46,10 +50,19 @@
|
|||
"kubernetes" = {
|
||||
ip = "10.42.42.10";
|
||||
mac = "6E:A5:25:99:FE:68";
|
||||
exposes = {
|
||||
www.domain = "0x76.dev";
|
||||
internal.domain = "internal.xirion.net";
|
||||
blog.domain = "blog.xirion.net";
|
||||
};
|
||||
};
|
||||
"dex" = {
|
||||
ip = "10.42.42.11";
|
||||
mac = "AE:66:7B:FA:15:72";
|
||||
exposes.dex = {
|
||||
domain = "dex.0x76.dev";
|
||||
port = 5556;
|
||||
};
|
||||
};
|
||||
"WoolooTV" = {
|
||||
ip = "10.42.42.13";
|
||||
|
@ -59,6 +72,10 @@
|
|||
"outline" = {
|
||||
ip = "10.42.42.14";
|
||||
mac = "52:13:EB:FD:87:F0";
|
||||
exposes.outline = {
|
||||
domain = "outline.0x76.dev";
|
||||
port = 3000;
|
||||
};
|
||||
};
|
||||
"dns-1" = {
|
||||
profile = "dns";
|
||||
|
@ -75,6 +92,10 @@
|
|||
"minio" = {
|
||||
ip = "10.42.42.17";
|
||||
mac = "0A:06:5E:E7:9A:0C";
|
||||
exposes.minio = {
|
||||
domain = "o.0x76.dev";
|
||||
port = 9000;
|
||||
};
|
||||
};
|
||||
"mailserver" = {
|
||||
ip = "10.42.42.18";
|
||||
|
@ -83,6 +104,12 @@
|
|||
"victoriametrics" = {
|
||||
ip = "10.42.42.19";
|
||||
mac = "9E:91:61:35:84:1F";
|
||||
exposes = {
|
||||
grafana = {
|
||||
domain = "grafana.0x76.dev";
|
||||
port = 2342;
|
||||
};
|
||||
};
|
||||
};
|
||||
"unifi" = {
|
||||
ip = "10.42.42.20";
|
||||
|
@ -96,21 +123,27 @@
|
|||
"gitea" = {
|
||||
ip = "10.42.42.22";
|
||||
mac = "DE:5F:B0:83:6F:34";
|
||||
exposes.git = {
|
||||
domain = "git.0x76.dev";
|
||||
port = 3000;
|
||||
};
|
||||
};
|
||||
"hedgedoc" = {
|
||||
ip = "10.42.42.23";
|
||||
mac = "86:BC:0C:18:BC:9B";
|
||||
exposes = {
|
||||
md = {
|
||||
domain = "md.0x76.dev";
|
||||
port = 3000;
|
||||
};
|
||||
exposes.md = {
|
||||
domain = "md.0x76.dev";
|
||||
port = 3000;
|
||||
};
|
||||
};
|
||||
"zmeura" = {
|
||||
ip = "10.42.42.24";
|
||||
mac = "b8:27:eb:d5:e0:f5";
|
||||
nix = false;
|
||||
exposes.andreea = {
|
||||
domain = "andreea.redshifts.xyz";
|
||||
port = 8008;
|
||||
};
|
||||
};
|
||||
"wireguard" = {
|
||||
ip = "10.42.42.25";
|
||||
|
@ -121,6 +154,10 @@
|
|||
ip = "10.42.42.27";
|
||||
mac = "9E:8A:6C:39:27:DE";
|
||||
nix = false;
|
||||
exposes.books = {
|
||||
domain = "books.meowy.tech";
|
||||
port = 8001;
|
||||
};
|
||||
};
|
||||
"synapse" = {
|
||||
ip = "10.42.42.28";
|
||||
|
@ -140,10 +177,15 @@
|
|||
"ntfy" = {
|
||||
ip = "10.42.42.32";
|
||||
mac = "7A:17:9E:80:72:01";
|
||||
exposes.ntfy.domain = "ntfy.0x76.dev";
|
||||
};
|
||||
"woodpecker" = {
|
||||
ip = "10.42.42.33";
|
||||
mac = "1E:24:DA:DB:4A:1A";
|
||||
exposes.ci = {
|
||||
domain = "ci.0x76.dev";
|
||||
port = 8000;
|
||||
};
|
||||
};
|
||||
"nuc" = {
|
||||
ip = "10.42.42.42";
|
||||
|
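Review bot: The new `exposes` entries use two shapes in this file — the nested `exposes = { grafana = { ... }; };` and `exposes = { md = { ... }; };` forms next to the dotted `exposes.git = { ... };` form used everywhere else — and settling on one would make the table easier to scan. Several entries (`exposes.ntfy.domain`, the three kubernetes domains) omit `port` and rely on a default that lives in meta.nix, which a reader of this file cannot see; a one-line comment at the first such entry, `# port omitted: falls back to the default declared in meta.nix (80)`, would make that explicit. Since the nginx module now proxies to the `ip` field of each of these hosts, the `ip` values here are effectively part of the reverse-proxy configuration, which is worth a sentence at the top of the table.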
|
|
@ -7,6 +7,7 @@ let
|
|||
vs = config.vault-secrets.secrets;
|
||||
db_user = "dex";
|
||||
db_name = "dex";
|
||||
inherit (config.meta.exposes.dex) port;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
||||
|
@ -18,7 +19,7 @@ in {
|
|||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "23.05"; # Did you read the comment?
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 5556 ];
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
@ -47,7 +48,7 @@ in {
|
|||
database = db_name;
|
||||
};
|
||||
};
|
||||
web.http = "0.0.0.0:5556";
|
||||
web.http = "0.0.0.0:${toString port}";
|
||||
|
||||
connectors = [{
|
||||
type = "gitea";
|
||||
|
|
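Review bot: `inherit (config.meta.exposes.dex) port;` makes this file depend on the `dex` key of the hosts table, and a missing or renamed entry surfaces only as an "attribute 'dex' missing" error at this line; a comment such as `# port is declared centrally in the hosts table (exposes.dex) so nginx, the listener and the firewall agree` would explain the coupling. The same applies to the equivalent lines added in the gitea, outline, victoriametrics, minio and woodpecker configs in this commit. The listener in `web.http` is still bound to `0.0.0.0` and the port is opened for all interfaces, so the only change in exposure is that the port value is now controlled from the hosts table.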
|
@ -3,7 +3,9 @@
|
|||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ lib, config, pkgs, ... }:
|
||||
let vs = config.vault-secrets.secrets;
|
||||
let
|
||||
vs = config.vault-secrets.secrets;
|
||||
inherit (config.meta.exposes.git) port;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
||||
|
@ -20,8 +22,7 @@ in {
|
|||
|
||||
environment.noXlibs = lib.mkForce false;
|
||||
|
||||
networking.firewall.allowedTCPPorts =
|
||||
[ config.services.gitea.settings.server.HTTP_PORT ];
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
||||
services.openssh.startWhenNeeded = false;
|
||||
|
||||
|
@ -77,6 +78,7 @@ in {
|
|||
SSH_PORT = 42;
|
||||
DOMAIN = "git.0x76.dev";
|
||||
ROOT_URL = "https://git.0x76.dev";
|
||||
HTTP_PORT = port;
|
||||
};
|
||||
session = {
|
||||
"PROVIDER" = "db";
|
||||
|
|
|
@ -21,8 +21,7 @@ in {
|
|||
|
||||
environment.noXlibs = lib.mkForce false;
|
||||
|
||||
networking.firewall.allowedTCPPorts =
|
||||
[ config.services.hedgedoc.settings.port ];
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
||||
vault-secrets.secrets.hedgedoc = { };
|
||||
|
||||
|
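Review bot: `networking.firewall.allowedTCPPorts = [ port ];` uses a `port` binding that is not introduced in this hunk, and the hunk header (`-21,8 +21,7`) shows no net line change above it, so `port` presumably is already bound earlier in the file — if it is not, evaluation fails here. More importantly, the removed line tied the firewall to `config.services.hedgedoc.settings.port`, while the new one follows the hosts table; unless the file also sets `services.hedgedoc.settings.port = port;` (not visible in this hunk, as the enclosing attrset starts outside it), the service's listener and the opened port can drift apart the way they cannot in the gitea and outline changes, which set `HTTP_PORT = port;` and `inherit port;` respectively.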
|
|
@ -5,8 +5,8 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
vs = config.vault-secrets.secrets;
|
||||
listenPort = 9000;
|
||||
consolePort = 9001;
|
||||
listenPort = config.meta.exposes.minio.port;
|
||||
consolePort = listenPort + 1;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
||||
|
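Review bot: `consolePort = listenPort + 1;` derives the console port from the exposed API port, so changing `exposes.minio.port` in the hosts table now silently moves the console as well, and the console port is not declared in the hosts table at all, so neither the generated nginx vhosts nor anything else reading `exposes` knows about it. A comment on that line, `# console port is not in the hosts table; it tracks the API port, so a change to exposes.minio.port moves both`, would make the coupling visible. The rest of the `let` block and its uses are outside this hunk.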
|
|
@ -1,16 +1,5 @@
|
|||
{ pkgs, config, hosts, lib, ... }:
|
||||
{ pkgs, ... }:
|
||||
let
|
||||
inherit (builtins) filter hasAttr attrValues concatMap;
|
||||
|
||||
proxy = url: {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = url;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
k8s_proxy = proxy "http://kubernetes.olympus:80/";
|
||||
clientConfig = {
|
||||
"m.homeserver" = {
|
||||
base_url = "https://chat.meowy.tech";
|
||||
|
@ -24,16 +13,6 @@ let
|
|||
add_header Access-Control-Allow-Origin *;
|
||||
return 200 '${builtins.toJSON data}';
|
||||
'';
|
||||
|
||||
hostsWithExposes =
|
||||
filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
|
||||
exposes = { ip, exposes, ... }:
|
||||
map ({ domain, port }: { inherit ip domain port; }) (attrValues exposes);
|
||||
mkVhost = { ip, domain, port }: {
|
||||
"${domain}" = proxy "http://${ip}:${toString port}";
|
||||
};
|
||||
vhosts = lib.foldr (el: acc: acc // mkVhost el) { }
|
||||
(concatMap exposes hostsWithExposes);
|
||||
in {
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
|
@ -45,6 +24,9 @@ in {
|
|||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
# Generates vhosts for all hosts that have an `exposes` section
|
||||
services.v.nginx.generateVirtualHosts = true;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
statusPage = true;
|
||||
|
@ -57,16 +39,7 @@ in {
|
|||
package = pkgs.nginxMainline;
|
||||
|
||||
# Templated
|
||||
virtualHosts = vhosts // {
|
||||
# 0x76.dev
|
||||
"ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/";
|
||||
"git.0x76.dev" = proxy "http://gitea.olympus:3000";
|
||||
"o.0x76.dev" = proxy "http://minio.olympus:9000";
|
||||
"grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342";
|
||||
"outline.0x76.dev" = proxy "http://outline.olympus:3000";
|
||||
"ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
|
||||
"ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
|
||||
"dex.0x76.dev" = proxy "http://dex.olympus:5556";
|
||||
virtualHosts = {
|
||||
"pass.0x76.dev" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -84,9 +57,6 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
# Redshifts
|
||||
"andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008";
|
||||
|
||||
# Meow
|
||||
"meowy.tech" = {
|
||||
enableACME = true;
|
||||
|
@ -150,12 +120,6 @@ in {
|
|||
forceSSL = true;
|
||||
root = pkgs.synapse-admin;
|
||||
};
|
||||
"books.meowy.tech" = proxy "http://bookwyrm.olympus:8001";
|
||||
|
||||
# Kubernetes endpoints
|
||||
"0x76.dev" = k8s_proxy;
|
||||
"internal.xirion.net" = k8s_proxy;
|
||||
"blog.xirion.net" = k8s_proxy;
|
||||
};
|
||||
};
|
||||
|
||||
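Review bot: The comment `# Generates vhosts for all hosts that have an `exposes` section` above `services.v.nginx.generateVirtualHosts = true;` could say two more things a reader of this file needs: that the generated vhosts proxy to the numeric `ip` from the hosts table rather than the `*.olympus` names the removed entries used (e.g. `kubernetes.olympus` becomes `10.42.42.10`), and that the handwritten `virtualHosts` below are merged with the generated ones by the module system rather than by the old `vhosts // { ... }`, so a domain defined in both places presumably becomes a definition conflict instead of a silent override. Something like `# Generated vhosts proxy to the host's ip from the hosts table and are merged with the ones below; do not define the same domain in both places.` would cover it.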
|
|
|
@ -3,7 +3,9 @@
|
|||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, ... }:
|
||||
let vs = config.vault-secrets.secrets;
|
||||
let
|
||||
vs = config.vault-secrets.secrets;
|
||||
inherit (config.meta.exposes.outline) port;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
||||
|
@ -16,16 +18,17 @@ in {
|
|||
system.stateVersion = "22.11"; # Did you read the comment?
|
||||
|
||||
# Additional packages
|
||||
networking.firewall.allowedTCPPorts = [ config.services.outline.port ];
|
||||
networking.firewall.allowedTCPPorts = [ port ];
|
||||
|
||||
vault-secrets.secrets.outline = {
|
||||
inherit (config.services.outline) user group;
|
||||
};
|
||||
|
||||
services.outline = {
|
||||
inherit port;
|
||||
|
||||
enable = true;
|
||||
concurrency = 1;
|
||||
port = 3000;
|
||||
redisUrl = "local";
|
||||
databaseUrl = "local";
|
||||
publicUrl = "https://outline.0x76.dev";
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
vmPort = 8428;
|
||||
grafanaPort = config.meta.exposes.grafana.port;
|
||||
vs = config.vault-secrets.secrets;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
@ -78,7 +79,7 @@ in {
|
|||
domain = "grafana.0x76.dev";
|
||||
root_url = "https://grafana.0x76.dev";
|
||||
http_addr = "0.0.0.0";
|
||||
http_port = 2342;
|
||||
http_port = grafanaPort;
|
||||
};
|
||||
security.admin_password = "$__file{${vs.grafana}/password}";
|
||||
};
|
||||
|
|
|
@ -3,7 +3,9 @@
|
|||
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
let vs = config.vault-secrets.secrets;
|
||||
let
|
||||
inherit (config.meta.exposes.ci) port;
|
||||
vs = config.vault-secrets.secrets;
|
||||
in {
|
||||
imports = [ ];
|
||||
|
||||
|
@ -18,7 +20,7 @@ in {
|
|||
# Additional packages
|
||||
environment.systemPackages = with pkgs; [ ];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 8000 9000 ];
|
||||
networking.firewall.allowedTCPPorts = [ port 9000 ];
|
||||
|
||||
vault-secrets.secrets.woodpecker = {
|
||||
services = [ "woodpecker-server" "woodpecker-agent-docker" ];
|
||||
|
@ -46,7 +48,7 @@ in {
|
|||
WOODPECKER_GITEA_URL = "https://git.0x76.dev";
|
||||
WOODPECKER_ADMIN = "v";
|
||||
WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true";
|
||||
WOODPECKER_SERVER_ADDR = "10.42.42.33:8000";
|
||||
WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}";
|
||||
};
|
||||
environmentFile = "${vs.woodpecker}/environment";
|
||||
};
|
||||
|
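Review bot: `WOODPECKER_SERVER_ADDR = "10.42.42.33:${toString port}";` now takes the port from the hosts table but still hard-codes the host's own address, which is the same `ip` the hosts table declares for the woodpecker entry, so a change in one place will not follow the other; if the meta module exposes the host's ip it should be used here, and if not a comment `# must match the ip declared for this host in the hosts table` would at least flag the duplication. The firewall line similarly keeps `9000` as a literal next to the derived `port`; a short comment saying what 9000 serves would stop a reader from assuming it is another exposed port.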
|