From ce95a037977a26d7d045c17c767182c530409eb4 Mon Sep 17 00:00:00 2001 From: Vivian Roest Date: Sat, 23 Dec 2023 12:46:35 +0100 Subject: [PATCH] updated hades nginx config --- flake.lock | 165 ++++++++++++++------ flake.nix | 5 +- nixos/common/default.nix | 4 +- nixos/hosts/hades/default.nix | 41 ++++- nixos/hosts/hades/dns/configuration.nix | 4 + nixos/hosts/hades/nginx/configuration.nix | 31 +--- nixos/hosts/olympus/grist/configuration.nix | 15 +- nixos/hosts/olympus/nginx/configuration.nix | 2 +- nixos/util.nix | 2 +- 9 files changed, 180 insertions(+), 89 deletions(-) diff --git a/flake.lock b/flake.lock index fb6ca81d..6460165a 100644 --- a/flake.lock +++ b/flake.lock @@ -528,6 +528,24 @@ "inputs": { "systems": "systems_5" }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "inputs": { + "systems": "systems_6" + }, "locked": { "lastModified": 1685518550, "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", @@ -542,7 +560,7 @@ "type": "github" } }, - "flake-utils_7": { + "flake-utils_8": { "locked": { "lastModified": 1678901627, "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", @@ -556,9 +574,9 @@ "type": "indirect" } }, - "flake-utils_8": { + "flake-utils_9": { "inputs": { - "systems": "systems_7" + "systems": "systems_8" }, "locked": { "lastModified": 1681202837, 
@@ -692,11 +710,11 @@ ] }, "locked": { - "lastModified": 1703155327, - "narHash": "sha256-Q25AEghhhOp+ImNN4PsAExi7DIB1INMlBSaggGz7q4w=", + "lastModified": 1703265279, + "narHash": "sha256-5jVtOwyMH1FzclxHrsFWzBdB+VyjUUSu1wyZhZlR6WU=", "owner": "nix-community", "repo": "home-manager", - "rev": "8b797c8eea1eba7dfb47f6964103e6e0d134255f", + "rev": "07c322a7cff03267fd881adae1afe63367c5d608", "type": "github" }, "original": { @@ -787,6 +805,25 @@ "type": "gitlab" } }, + "microvm": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_5" + }, + "locked": { + "lastModified": 1703300511, + "narHash": "sha256-lU0sFmNcLTZBDJyeckW5oXtypA62XFZUGFMyGne9EYA=", + "owner": "astro", + "repo": "microvm.nix", + "rev": "fa93cd958b42da4657a47f034af9641349d1c7cb", + "type": "github" + }, + "original": { + "owner": "astro", + "repo": "microvm.nix", + "type": "github" + } + }, "naersk": { "inputs": { "nixpkgs": [ @@ -833,7 +870,7 @@ "nix": { "inputs": { "lowdown-src": "lowdown-src", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "nixpkgs-regression": "nixpkgs-regression" }, "locked": { @@ -1045,6 +1082,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1696165369, + "narHash": "sha256-pd1cjFHCoEf9q5f9B0HhlOwwpBI9RP3HbUE6xjI7wAI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d7186d62bb68fac3c90f1d95515e613ef299e992", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1682526928, "narHash": "sha256-2cKh4O6t1rQ8Ok+v16URynmb0rV7oZPEbXkU0owNLQs=", @@ -1060,7 +1113,7 @@ "type": "github" } }, - "nixpkgs_11": { + "nixpkgs_12": { "locked": { "lastModified": 1670507980, "narHash": "sha256-riNZa0xzM1it3pzxciwALeMs+0CsBMWIW2FqulzK8vM=", 
@@ -1125,20 +1178,36 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1702312524, + "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a9bf124c46ef298113270b1f84a164865987a91c", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { + "locked": { + "lastModified": 1703213509, + "narHash": "sha256-BDVzvjPwKk4/yvdCNzjmm1wlDf7Pdbhsf+hV2ybKkrY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "bc3575c6cda0c5fc9e322c05d97df6a787066b3e", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-unstable", + "ref": "nixos-unstable-small", "type": "indirect" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1702830618, "narHash": "sha256-lvhwIvRwhOLgzbRuYkqHy4M5cQHYs4ktL6/hyuBS6II=", @@ -1154,7 +1223,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1686736559, "narHash": "sha256-YyUSVoOKIDAscTx7IZhF9x3qgZ9dPNF19fKk+4c5irc=", @@ -1170,7 +1239,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1645296114, "narHash": "sha256-y53N7TyIkXsjMpOG7RhvqJFGDacLs9HlyHeSTBioqYU=", @@ -1186,22 +1255,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1696165369, - "narHash": "sha256-pd1cjFHCoEf9q5f9B0HhlOwwpBI9RP3HbUE6xjI7wAI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d7186d62bb68fac3c90f1d95515e613ef299e992", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_stable": { "locked": { "lastModified": 1703034876, 
@@ -1219,16 +1272,16 @@ }, "nixvim": { "inputs": { - "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_6", + "flake-utils": "flake-utils_6", + "nixpkgs": "nixpkgs_7", "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1703185304, - "narHash": "sha256-CKsV786NBB8fuls4vyKGTfOz9bkpAn2lh8PKL8YLZ+M=", + "lastModified": 1703260550, + "narHash": "sha256-wPe+0oCgzvf9Ixscme+NUS4iRX0n/alJvt3msnu9vPA=", "owner": "pta2002", "repo": "nixvim", - "rev": "43d20e833267ffd026af692060fb344960930fe1", + "rev": "e0521dde87825e4ed16e1ac5b6df9f1b7e60af05", "type": "github" }, "original": { @@ -1239,11 +1292,11 @@ }, "nur": { "locked": { - "lastModified": 1703184342, - "narHash": "sha256-Ofp7blG/cJUeQfi6ZjJeHVCSEmtdUhGaJLFKvxbTKW0=", + "lastModified": 1703324764, + "narHash": "sha256-c5ll8NFOSg+vMvJVDBds/iXNp25VhkSUcmB7jaeV5FM=", "owner": "nix-community", "repo": "NUR", - "rev": "35e7e80e378aedb2b4fc5ae0f560fc395b5653e3", + "rev": "8c88bc919c49528c4cc9a65501406cecb74361b7", "type": "github" }, "original": { @@ -1272,7 +1325,7 @@ "pre-commit-hooks": { "inputs": { "flake-compat": "flake-compat_6", - "flake-utils": "flake-utils_6", + "flake-utils": "flake-utils_7", "gitignore": "gitignore_2", "nixpkgs": [ "nixvim", @@ -1356,7 +1409,7 @@ "inputs": { "fenix": "fenix", "naersk": "naersk_2", - "nixpkgs": "nixpkgs_7" + "nixpkgs": "nixpkgs_8" }, "locked": { "lastModified": 1690193312, @@ -1381,9 +1434,10 @@ "home-manager": "home-manager", "lanzaboote": "lanzaboote", "mailserver": "mailserver", + "microvm": "microvm", "nixos-generators": "nixos-generators", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "nixpkgs_stable": "nixpkgs_stable", "nixvim": "nixvim", "nur": "nur", 
@@ -1573,6 +1627,21 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems" @@ -1608,7 +1677,7 @@ }, "utils_3": { "inputs": { - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1694529238, @@ -1627,9 +1696,9 @@ "vault-secrets": { "inputs": { "flake-compat": "flake-compat_7", - "flake-utils": "flake-utils_7", + "flake-utils": "flake-utils_8", "nix": "nix", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_10", "utils": "utils_3" }, "locked": { @@ -1648,8 +1717,8 @@ }, "vault-unseal": { "inputs": { - "flake-utils": "flake-utils_8", - "nixpkgs": "nixpkgs_10" + "flake-utils": "flake-utils_9", + "nixpkgs": "nixpkgs_11" }, "locked": { "lastModified": 1683013874, @@ -1668,7 +1737,7 @@ "webcord": { "inputs": { "dream2nix": "dream2nix", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_12", "webcord": "webcord_2" }, "locked": { diff --git a/flake.nix b/flake.nix index 8edf7cdc..e5bfe8ea 100644 --- a/flake.nix +++ b/flake.nix @@ -5,12 +5,14 @@ # * https://github.com/Infinidoge/nix-minecraft inputs = { - nixpkgs.url = "nixpkgs/nixos-unstable"; + nixpkgs.url = "nixpkgs/nixos-unstable-small"; nixpkgs_stable.url = "nixpkgs/nixos-23.05"; nur.url = "github:nix-community/NUR"; colmena.url = "github:zhaofengli/colmena"; vault-secrets.url = "github:serokell/vault-secrets"; + microvm.url = "github:astro/microvm.nix"; + home-manager.url = "github:nix-community/home-manager"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; @@ -52,6 +54,7 @@ , nixos-generators , nur , attic + , microvm , ... }@inputs: let diff --git a/nixos/common/default.nix b/nixos/common/default.nix index 8397d2cc..6a655146 100644 
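Review bot: `microvm.url` is added without a `microvm.inputs.nixpkgs.follows = "nixpkgs";` line, unlike home-manager two lines below it, and flake.lock confirms the consequence: the new `microvm` node pins its own `nixpkgs_5` (nixos-unstable at a9bf124c) separate from the root `nixpkgs_6`. That is a second nixpkgs evaluation and microvm packages built from a different revision than the host; adding the follows line keeps a single pin. The switch of the root input from `nixpkgs/nixos-unstable` to `nixpkgs/nixos-unstable-small` also changes which Hydra jobset gates the channel (the -small channel advances with fewer tests required to pass), which may be intended for faster updates but deserves a one-line comment next to the URL.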
--- a/nixos/common/default.nix
+++ b/nixos/common/default.nix
@@ -46,7 +46,7 @@
         "https://nix-community.cachix.org"
         "https://nixpkgs-review-bot.cachix.org"
         "https://colmena.cachix.org"
-        "https://cache.garnix.io"
+        # "https://cache.garnix.io"
         "https://cachix.cachix.org"
       ];
       trusted-public-keys = [
@@ -54,7 +54,7 @@
         "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
         "nixpkgs-review-bot.cachix.org-1:eppgiDjPk7Hkzzz7XlUesk3rcEHqNDozGOrcLc8IqwE="
         "colmena.cachix.org-1:7BzpDnjjH8ki2CT3f6GdOk7QAzPOl+1t3LvTLXqYcSg="
-        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+        # "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
       ];
     };
     optimise = {
diff --git a/nixos/hosts/hades/default.nix b/nixos/hosts/hades/default.nix
index d1ca55b0..f3bf6ce0 100644
--- a/nixos/hosts/hades/default.nix
+++ b/nixos/hosts/hades/default.nix
@@ -35,10 +35,18 @@
       "overseerr" = {
         ip = "192.168.0.105";
         mac = "8E:21:7F:88:3A:83";
+        exposes.requests = {
+          domain = "requests.xirion.net";
+          port = 5055;
+        };
       };
       "tautulli" = {
         ip = "192.168.0.106";
         mac = "BE:30:DB:F8:C6:55";
+        exposes.tautulli = {
+          domain = "tautulli.xirion.net";
+          port = 8080;
+        };
       };
       "dns-1" = {
         ip = "192.168.0.107";
@@ -84,11 +92,6 @@
         ip = "192.168.0.116";
         mac = "06:8a:8e:3e:43:45";
       };
-      "thelounge" = {
-        ip = "192.168.0.117";
-        mac = "00:0c:29:2a:69:8f";
-        nix = false;
-      };
       "mail" = {
         ip = "192.168.0.118";
         mac = "00:50:56:91:3b:03";
@@ -106,6 +109,16 @@
       "garage" = {
         ip = "192.168.0.121";
         mac = "3A:19:32:A2:F8:96";
+        exposes = {
+          garage = {
+            domain = "g.xirion.net";
+            port = 3900;
+          };
+          fedi-media = {
+            domain = "fedi-media.xirion.net";
+            port = 3902;
+          };
+        };
       };
       "nginx" = {
         ip = "192.168.0.122";
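Review bot: The garnix substituter and its trusted public key are commented out together, which is the right pairing (a substituter whose key is missing would fail signature verification), but nothing records why the cache is being disabled. A one-line comment above the commented entry in the -46 hunk, `# cache.garnix.io disabled: <reason — fill in>`, would stop the next reader from re-enabling it blindly; the -54 hunk could reference it.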
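Review bot: The new `exposes` attribute carries no comment saying what `port` is; every value matches the backend port of the vhost this commit removes from nginx/configuration.nix (5055 for overseerr, 8080 for tautulli and attic, 3900/3902 for garage, 8123 for hassio), so it is the service's listen port on that VM rather than a public port. Suggest documenting the shape once at the first use in the -35 hunk, `# exposes.<name> = { domain; port; }: public hostname -> this VM's listen port (consumed by services.v.nginx.autoExpose, if that is indeed the generator)`. Two of the hosts that gain `exposes` in the later hunks (hassio in -138 and tudelft in -156) are marked `nix = false`; the generator is not in this diff, so confirm it keys off `exposes` regardless of `nix`.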
@@ -138,10 +151,18 @@
       "attic" = {
         ip = "192.168.0.128";
         mac = "9E:AF:E9:FE:D4:D9";
+        exposes.attic = {
+          domain = "attic.xirion.net";
+          port = 8080;
+        };
       };
       "hassio" = {
         ip = "192.168.0.129";
         mac = "e6:80:32:fb:00:75";
+        exposes.ha = {
+          domain = "ha.xirion.net";
+          port = 8123;
+        };
         nix = false;
       };
       # "docker-registry" = {
@@ -156,6 +177,16 @@
       "tudelft" = {
         ip = "192.168.0.132";
         mac = "AE:B3:93:4B:04:76";
+        exposes = {
+          grist = {
+            domain = "grist.tud.0x76.dev";
+            port = 8484;
+          };
+          dex = {
+            domain = "dex.tud.0x76.dev";
+            port = 8000;
+          };
+        };
         nix = false;
       };
       "mastodon" = {
diff --git a/nixos/hosts/hades/dns/configuration.nix b/nixos/hosts/hades/dns/configuration.nix
index 7e706edc..f9bc6c18 100644
--- a/nixos/hosts/hades/dns/configuration.nix
+++ b/nixos/hosts/hades/dns/configuration.nix
@@ -32,6 +32,8 @@
       "mail.xirion.net typetransparent"
       "plex.xirion.net typetransparent"
       "fedi.xirion.net typetransparent"
+      "grist.tud.0x76.dev typetransparent"
+      "dex.tud.0x76.dev typetransparent"
     ];

     local-data = [
@@ -47,6 +49,8 @@
       ''"mail.xirion.net A 192.168.0.122"''
       ''"plex.xirion.net A 192.168.0.122"''
       ''"fedi.xirion.net A 192.168.0.122"''
+      ''"grist.tud.0x76.dev A 192.168.0.122"''
+      ''"dex.tud.0x76.dev A 192.168.0.122"''
     ];
   };
 }
diff --git a/nixos/hosts/hades/nginx/configuration.nix b/nixos/hosts/hades/nginx/configuration.nix
index 0b3342f3..87341d93 100644
--- a/nixos/hosts/hades/nginx/configuration.nix
+++ b/nixos/hosts/hades/nginx/configuration.nix
@@ -31,6 +31,8 @@ in
     preliminarySelfsigned = true;
   };

+  services.v.nginx.autoExpose = true;
+
   services.nginx = {
     enable = true;
     recommendedProxySettings = true;
@@ -41,7 +43,6 @@ in
     package = pkgs.nginxMainline;

     virtualHosts = {
-      "ha.xirion.net" = proxy "http://192.168.0.129:8123";
       "xirion.net" = {
         enableACME = true;
         forceSSL = true;
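Review bot: `services.v.nginx.autoExpose = true;` is the switch that replaces the explicit `proxy` vhosts, yet both that option and the `proxy` helper are defined outside this diff, so it cannot be checked here whether the generated virtualHosts apply the same `forceSSL`/`enableACME` as the entries being removed (the -41 hunk drops `ha.xirion.net` on that assumption, and the -57 hunk later drops the rest). A comment at the new line naming the module that generates them, `# virtualHosts for every host's `exposes` entry are generated by <module path — fill in>; they must keep forceSSL + enableACME`, makes the contract reviewable. The enclosing `services.nginx` attribute set continues past the hunk.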
@@ -49,6 +50,8 @@ in
           add_header Content-Type 'text/html; charset=UTF-8';
           return 200 'Hello, World!';
         '';
+
+        # Mastodon federation
         locations."= /.well-known/host-meta".extraConfig = ''
           return 301 https://fedi.xirion.net$request_uri;
         '';
@@ -57,33 +60,9 @@ in
           return 301 https://fedi.xirion.net$request_uri;
         '';
       };
-      "git.xirion.net" = proxy "http://10.10.10.12";
-      "o.xirion.net" = proxy "http://192.168.0.112:9000";
-      "g.xirion.net" = proxy "http://garage.hades:3900";
-      "requests.xirion.net" = proxy "http://overseerr.hades:5055";
-      "pass.xirion.net" = proxy "http://bitwarden_rs";
-      "repo.xirion.net" = proxy "http://archlinux";
-      "thelounge.xirion.net" = proxy "http://thelounge:9000";
-      "attic.xirion.net" = proxy "http://attic.hades:8080";
-      "tautulli.xirion.net" = proxy "http://tautulli.hades:8080";

       "peepeepoopoo.xirion.net" = proxy "http://tautulli.hades:8080"; # Deprecated but Ricardo has it bookmarked already!

-      "registry.xirion.net" = proxy "http://docker-registry:5000"
-        // {
-          locations."/".extraConfig = ''
-            allow 127.0.0.1;
-            allow 10.42.42.0/23;
-            allow 10.10.10.1/24;
-            allow 192.168.0.0/23;
-            allow 80.60.83.220;
-            allow 83.128.154.23;
-            allow 62.45.26.248;
-            allow 195.85.167.32/29;
-            deny all;
-          '';
-        };
-
       "plex.xirion.net" = {
         # Since we want a secure connection, we force SSL
         forceSSL = true;
@@ -170,8 +149,6 @@ in
           };
         };
       };
-
-      "fedi-media.xirion.net" = proxy "http://garage.hades:3902";
     };
   };
 }
diff --git a/nixos/hosts/olympus/grist/configuration.nix b/nixos/hosts/olympus/grist/configuration.nix
index 81571c39..5fb8f69a 100644
--- a/nixos/hosts/olympus/grist/configuration.nix
+++ b/nixos/hosts/olympus/grist/configuration.nix
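Review bot: The -57 hunk removes the `git`, `o`, `pass`, `repo`, `thelounge` and `registry` vhosts, and of those only thelounge gets a matching change elsewhere in the commit (its host entry is deleted); the other backends have no `exposes` counterpart in nixos/hosts/hades/default.nix, so if any of them still runs, requests for those names now land on nginx's default vhost instead of the service — if that is intended, the commit message should say so. The removed `registry.xirion.net` block was the only vhost carrying an `allow`/`deny all` source-address restriction, and the `{ domain; port; }` shape of `exposes` has nowhere to express one, so re-adding the registry through `exposes` later would publish it without that restriction; a comment beside `autoExpose` (or an optional per-entry field for extra location config) would preserve that knowledge. `peepeepoopoo.xirion.net` still hard-codes `tautulli.hades:8080` while tautulli itself now comes from `exposes.tautulli`, leaving two sources of truth for one backend.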
@@ -19,12 +19,19 @@ in {
   environment.systemPackages = with pkgs; [ sqlite ];

   virtualisation = {
-    podman.enable = true;
+    podman = {
+      enable = true;
+      defaultNetwork.settings = {
+        "subnets" = [{
+          subnet = "10.88.0.0/16";
+          gateway = "10.88.0.1";
+        }];
+      };
+    };

     oci-containers.backend = "podman";
     oci-containers.containers.grist = {
-      image =
-        "gristlabs/grist:1.1.9";
+      image = "gristlabs/grist:1.1.9";
       environment = {
         APP_HOME_URL = "https://grist.0x76.dev";
         GRIST_SUPPORT_ANON = "false";
@@ -43,7 +50,7 @@ in {
         PYTHON_VERSION_ON_CREATION = "3";

         GRIST_OIDC_IDP_ISSUER = "https://dex.0x76.dev";
-        GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT= "true";
+        GRIST_OIDC_IDP_SKIP_END_SESSION_ENDPOINT = "true";
       };
       environmentFiles = [ "${vs.grist}/environment" ];
       ports = [ "8484:8484" ];
diff --git a/nixos/hosts/olympus/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix
index 8746cee7..92be50a9 100644
--- a/nixos/hosts/olympus/nginx/configuration.nix
+++ b/nixos/hosts/olympus/nginx/configuration.nix
@@ -42,7 +42,7 @@ in

     # Templated
     virtualHosts = {
-      "pass.0x76.dev" = {
+      "pass.0x76.dev" = {
         enableACME = true;
         forceSSL = true;
         locations = {
diff --git a/nixos/util.nix b/nixos/util.nix
index aacf4bfa..05de7175 100644
--- a/nixos/util.nix
+++ b/nixos/util.nix
@@ -1,4 +1,4 @@
-{ nixpkgs, home-manager, mailserver, lanzaboote, attic, gnome-autounlock-keyring, ... }:
+{ nixpkgs, home-manager, mailserver, lanzaboote, attic, microvm, ... }:
 let
   inherit (builtins) filter attrValues concatMap mapAttrs;
   inherit (nixpkgs.lib.attrsets) mapAttrsToList;
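Review bot: The new `defaultNetwork.settings` block pins podman's default network to `10.88.0.0/16` with gateway `10.88.0.1` but gives no reason, and since that is the range podman already uses by default a reader cannot tell whether this works around a podman/nixpkgs change or is meant to keep the container subnet from colliding with other networks. Suggest `# Pin podman's default network explicitly: <reason — fill in>` directly above `defaultNetwork.settings`. The -43 hunk is whitespace only; the enclosing `virtualisation` set continues outside both hunks.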
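Review bot: The -1 hunk of nixos/util.nix swaps `gnome-autounlock-keyring` for `microvm` in the argument set, so if the function body below (outside this hunk) still refers to `gnome-autounlock-keyring`, evaluation fails with an undefined variable, and conversely `microvm` must now be used below or it is a dead parameter. The trailing `...` keeps the call site in flake.nix compatible whichever way the body goes, so the only thing to confirm is that the body was updated in step. The function body continues past the hunk.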