From af893b9e438d4975b9623d2b62221aee0f9cb889 Mon Sep 17 00:00:00 2001 From: Victor Date: Thu, 4 May 2023 16:19:01 +0200 Subject: [PATCH] added nginx autoproxy for exposes config, needs some refactoring --- nixos/common/modules/meta.nix | 6 +- nixos/common/modules/vault.nix | 2 +- nixos/hosts/olympus/nginx/configuration.nix | 193 +++++++++++--------- 3 files changed, 106 insertions(+), 95 deletions(-) diff --git a/nixos/common/modules/meta.nix b/nixos/common/modules/meta.nix index 63585fa..524e82b 100644 --- a/nixos/common/modules/meta.nix +++ b/nixos/common/modules/meta.nix @@ -20,15 +20,15 @@ let }; }; in { - options = { - meta.exposes = mkOption { + options.meta = { + exposes = mkOption { type = with types; attrsOf (submodule exposesOpts); description = '' Exposed services ''; }; - meta.ipv4 = mkOption { + ipv4 = mkOption { type = types.str; description = '' Own IPv4 Address diff --git a/nixos/common/modules/vault.nix b/nixos/common/modules/vault.nix index 1df023b..90b86c8 100644 --- a/nixos/common/modules/vault.nix +++ b/nixos/common/modules/vault.nix @@ -2,7 +2,7 @@ with lib; let cfg = config.services.v.vault; - hostIP = config.deployment.targetHost; + hostIP = config.meta.ipv4; # Find all vault hosts that do not have the same IP as the current host vault_hosts = diff --git a/nixos/hosts/olympus/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix index 2e926c7..ff5e447 100644 --- a/nixos/hosts/olympus/nginx/configuration.nix +++ b/nixos/hosts/olympus/nginx/configuration.nix @@ -1,5 +1,7 @@ -{ pkgs, hosts, ... }: +{ pkgs, config, hosts, lib, ... }: let + inherit (builtins) filter hasAttr attrValues concatMap; + proxy = url: { enableACME = true; forceSSL = true; 
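Review bot: `hostIP = config.meta.ipv4;` in vault.nix makes every host that enables `services.v.vault` depend on `meta.ipv4` being set, and the meta.nix hunk shows that option as a bare `types.str` with no `default` visible in the hunk, so a host that omits it would now fail at evaluation ("option is used but not defined") instead of inheriting the deployment target as before. Either give the option a default or state the requirement where it is consumed, e.g. `hostIP = config.meta.ipv4; # required on every vault host: used below to drop ourselves from the peer list`, and say in the option's description that vault hosts must set it. The comment below compares peers by IP, so if a host's `meta.ipv4` ever differs from the address its peers reach it on it would presumably list itself as a peer — worth a one-line remark at the definition. The `let` block this sits in opens before the hunk and `vault_hosts` continues past it.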
@@ -22,6 +24,16 @@ let
 add_header Access-Control-Allow-Origin *;
 return 200 '${builtins.toJSON data}';
 '';
+
+ hostsWithExposes =
+ filter (hasAttr "exposes") (attrValues hosts.${config.networking.domain});
+ exposes = { ip, exposes, ... }:
+ map ({ domain, port }: { inherit ip domain port; }) (attrValues exposes);
+ mkVhost = { ip, domain, port }: {
+ "${domain}" = proxy "http://${ip}:${toString port}";
+ };
+ vhosts = lib.foldr (el: acc: acc // mkVhost el) { }
+ (concatMap exposes hostsWithExposes);
 in {
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
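Review bot: `vhosts = lib.foldr (el: acc: acc // mkVhost el) { } …` silently lets one host's `exposes.*.domain` overwrite another's, and since `proxy` sets `enableACME = true` every domain a host declares (or mistypes) becomes a public TLS vhost with a certificate requested on its behalf; a clash should fail evaluation rather than route one service's traffic to another backend. One-line change: `vhosts = lib.foldr (el: acc: assert !(acc ? ${el.domain}) || throw "meta.exposes: ${el.domain} is declared by more than one host"; acc // mkVhost el) { }`. The `exposes` function destructures `{ ip, exposes, ... }`, so it assumes every entry under `hosts.${config.networking.domain}` carries an `ip` attribute next to `exposes` — presumably the same address `meta.ipv4` holds, which deserves a comment because the two are maintained separately. As a matter of style, `filter`/`hasAttr`/`attrValues`/`concatMap` come from `builtins` while the fold uses `lib.foldr`; `inherit (lib) filter hasAttr attrValues concatMap foldr;` would keep one namespace.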
@@ -45,107 +57,106 @@ in { package = pkgs.nginxMainline; # Templated - virtualHosts.${hosts.olympus.hedgedoc.exposes.md.domain} = proxy "http://hedgedoc.olympus:${toString hosts.olympus.hedgedoc.exposes.md.port}/"; - - # 0x76.dev - virtualHosts."ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/"; - virtualHosts."git.0x76.dev" = proxy "http://gitea.olympus:3000"; - virtualHosts."o.0x76.dev" = proxy "http://minio.olympus:9000"; - virtualHosts."grafana.0x76.dev" = - proxy "http://victoriametrics.olympus:2342"; - virtualHosts."outline.0x76.dev" = proxy "http://outline.olympus:3000"; - virtualHosts."ntfy.0x76.dev" = proxy "http://ntfy.olympus:80"; - virtualHosts."ci.0x76.dev" = proxy "http://woodpecker.olympus:8000"; - virtualHosts."dex.0x76.dev" = proxy "http://dex.olympus:5556"; - virtualHosts."pass.0x76.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://vaultwarden.olympus:8222"; - proxyWebsockets = true; + virtualHosts = vhosts // { + # 0x76.dev + "ha.0x76.dev" = proxy "http://home-assistant.olympus:8123/"; + "git.0x76.dev" = proxy "http://gitea.olympus:3000"; + "o.0x76.dev" = proxy "http://minio.olympus:9000"; + "grafana.0x76.dev" = proxy "http://victoriametrics.olympus:2342"; + "outline.0x76.dev" = proxy "http://outline.olympus:3000"; + "ntfy.0x76.dev" = proxy "http://ntfy.olympus:80"; + "ci.0x76.dev" = proxy "http://woodpecker.olympus:8000"; + "dex.0x76.dev" = proxy "http://dex.olympus:5556"; + "pass.0x76.dev" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://vaultwarden.olympus:8222"; + proxyWebsockets = true; + }; + locations."/notifications/hub/negotiate" = { + proxyPass = "http://vaultwarden.olympus:8222"; + proxyWebsockets = true; + }; + locations."/notifications/hub" = { + proxyPass = "http://vaultwarden.olympus:3012"; + proxyWebsockets = true; + }; }; - locations."/notifications/hub/negotiate" = { - proxyPass = "http://vaultwarden.olympus:8222"; - proxyWebsockets = true; - 
}; - locations."/notifications/hub" = { - proxyPass = "http://vaultwarden.olympus:3012"; - proxyWebsockets = true; - }; - }; - # Redshifts - virtualHosts."andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008"; + # Redshifts + "andreea.redshifts.xyz" = proxy "http://zmeura.olympus:8008"; - # Meow - virtualHosts."meowy.tech" = { - enableACME = true; - forceSSL = true; - locations."/".extraConfig = '' - add_header Content-Type 'text/html; charset=UTF-8'; - return 200 '

meow

'; - ''; - locations."= /.well-known/matrix/client".extraConfig = - mkWellKnown clientConfig; - locations."= /.well-known/matrix/server".extraConfig = - mkWellKnown serverConfig; - }; - virtualHosts."chat.meowy.tech" = { - enableACME = true; - forceSSL = true; - locations."/".extraConfig = '' - return 307 https://element.chat.meowy.tech; - ''; - locations."/_matrix".proxyPass = "http://synapse.olympus:8008"; - locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008"; - locations."/_synapse/admin" = { - # Allow only local and my own IPs - extraConfig = '' - allow 127.0.0.1; - allow 10.42.42.0/23; - allow 192.168.0.0/23; - allow 80.60.83.220; - allow 195.85.167.32/29; - deny all; + # Meow + "meowy.tech" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + add_header Content-Type 'text/html; charset=UTF-8'; + return 200 '

meow

'; ''; - proxyPass = "http://synapse.olympus:8008"; + locations."= /.well-known/matrix/client".extraConfig = + mkWellKnown clientConfig; + locations."= /.well-known/matrix/server".extraConfig = + mkWellKnown serverConfig; }; - }; - virtualHosts."element.chat.meowy.tech" = { - enableACME = true; - forceSSL = true; - - root = pkgs.element-web.override { - conf = { - default_server_config = clientConfig; - show_labs_settings = true; - brand = "chat.meowy.tech"; + "chat.meowy.tech" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + return 307 https://element.chat.meowy.tech; + ''; + locations."/_matrix".proxyPass = "http://synapse.olympus:8008"; + locations."/_synapse/client".proxyPass = "http://synapse.olympus:8008"; + locations."/_synapse/admin" = { + # Allow only local and my own IPs + extraConfig = '' + allow 127.0.0.1; + allow 10.42.42.0/23; + allow 192.168.0.0/23; + allow 80.60.83.220; + allow 195.85.167.32/29; + deny all; + ''; + proxyPass = "http://synapse.olympus:8008"; }; }; - }; - virtualHosts."cinny.chat.meowy.tech" = { - enableACME = true; - forceSSL = true; + "element.chat.meowy.tech" = { + enableACME = true; + forceSSL = true; - root = pkgs.cinny.override { - conf = { - defaultHomeserver = 0; - allowCustomHomeservers = false; - homeserverList = [ "chat.meowy.tech" ]; + root = pkgs.element-web.override { + conf = { + default_server_config = clientConfig; + show_labs_settings = true; + brand = "chat.meowy.tech"; + }; }; }; - }; - virtualHosts."admin.chat.meowy.tech" = { - enableACME = true; - forceSSL = true; - root = pkgs.synapse-admin; - }; - virtualHosts."books.meowy.tech" = proxy "http://bookwyrm.olympus:8001"; + "cinny.chat.meowy.tech" = { + enableACME = true; + forceSSL = true; - # Kubernetes endpoints - virtualHosts."0x76.dev" = k8s_proxy; - virtualHosts."internal.xirion.net" = k8s_proxy; - virtualHosts."blog.xirion.net" = k8s_proxy; + root = pkgs.cinny.override { + conf = { + defaultHomeserver = 0; + 
allowCustomHomeservers = false; + homeserverList = [ "chat.meowy.tech" ]; + }; + }; + }; + "admin.chat.meowy.tech" = { + enableACME = true; + forceSSL = true; + root = pkgs.synapse-admin; + }; + "books.meowy.tech" = proxy "http://bookwyrm.olympus:8001"; + + # Kubernetes endpoints + "0x76.dev" = k8s_proxy; + "internal.xirion.net" = k8s_proxy; + "blog.xirion.net" = k8s_proxy; + }; }; security.acme.defaults.email = "victorheld12@gmail.com";
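Review bot: `virtualHosts = vhosts // { … }` resolves a name clash between an auto-generated vhost and a hand-written one silently in favour of the hand-written block, and the `# Templated` comment carried over from the removed hedgedoc line now sits above a merge it no longer describes; the precedence decides which backend serves a domain, so it should be written down. Suggested replacement for `# Templated`: `# vhosts: one proxy per meta.exposes entry of every host in networking.domain (see let-block); entries listed here win on a name clash`. The `services.nginx` attrset this `virtualHosts` presumably belongs to opens before the hunk.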