Compare commits

...

3 commits

Author SHA1 Message Date
Rouven Seifert 7372df381d Revert "dns test"
This reverts commit 1a759819c6.
2024-05-23 15:56:04 +02:00
Rouven Seifert 1a759819c6 dns test 2024-05-23 15:55:28 +02:00
Rouven Seifert c96d8b7103 falkenstein: switch to caddy 2024-05-23 15:44:49 +02:00
13 changed files with 76 additions and 121 deletions

View file

@ -312,11 +312,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715930644, "lastModified": 1716457508,
"narHash": "sha256-W9pyM3/vePxrffHtzlJI6lDS3seANQ+Nqp+i58O46LI=", "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "e3ad5108f54177e6520535768ddbf1e6af54b59d", "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -460,11 +460,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1715483403, "lastModified": 1716170277,
"narHash": "sha256-WMDuQj7J5jbpXI/X/E6FZRKgBFGcaSTvYyVxPnKE6KU=", "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "f9027322f48b427da23746aa359a6510dfcd0228", "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -475,11 +475,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1715787315, "lastModified": 1716330097,
"narHash": "sha256-cYApT0NXJfqBkKcci7D9Kr4CBYZKOQKDYA23q8XNuWg=", "narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "33d1e753c82ffc557b4a585c77de43d4c922ebb5", "rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -639,11 +639,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1712775102, "lastModified": 1716449531,
"narHash": "sha256-kQF0HpU4Bis+Q1gE+OUJk1T3UJgDwTZc9rCDHRam9h4=", "narHash": "sha256-T/BycXsf5MZM+uqemM2/CzaZSjInKrjJc8MOOAOLKiw=",
"owner": "~rouven", "owner": "~rouven",
"repo": "purge", "repo": "purge",
"rev": "2959391aa4a1438b3f27669c6930feec58171eab", "rev": "4b8353adb065c41d4ca6debba011eb8c1561ce80",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {
@ -783,11 +783,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1712701713, "lastModified": 1716450661,
"narHash": "sha256-q++FP8VC5TTQrUa+0l2TQKmafZpDy1L3rzUynFaAn/4=", "narHash": "sha256-4D4Hbe0+ilkaLEux6oBI/kUIUBqCRnUtf5Oln4kTOEE=",
"owner": "~rouven", "owner": "~rouven",
"repo": "trucksimulator", "repo": "trucksimulator",
"rev": "af43589e9a0ae0f868a4eff3c738201ed1041788", "rev": "43b44df053d484099dedc96784941f6a019f7b39",
"type": "sourcehut" "type": "sourcehut"
}, },
"original": { "original": {

View file

@ -5,12 +5,12 @@
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./modules/backup ./modules/backup
./modules/caddy
./modules/logging ./modules/logging
./modules/dns ./modules/dns
./modules/fail2ban ./modules/fail2ban
./modules/mail ./modules/mail
./modules/networks ./modules/networks
./modules/nginx
./modules/pfersel ./modules/pfersel
./modules/purge ./modules/purge
./modules/trucksimulatorbot ./modules/trucksimulatorbot

View file

@ -0,0 +1,33 @@
{ config, ... }:
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
in
{
services.caddy = {
enable = true;
email = "ca@${config.networking.domain}";
logFormat = "format console";
virtualHosts."${config.networking.domain}".extraConfig = ''
file_server browse
root * /srv/web/${config.networking.domain}
respond /.well-known/matrix/client ${builtins.toJSON clientConfig}
respond /.well-known/matrix/server ${builtins.toJSON serverConfig}
'';
};
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
}

View file

@ -36,9 +36,7 @@ let
subdomains = subdomains =
let let
getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts); getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
getVirtualHostsNginx = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; }); genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
genCNAMEsNginx = hostname: lib.attrsets.genAttrs (getVirtualHostsNginx hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
in in
lib.attrsets.mergeAttrsList [ lib.attrsets.mergeAttrsList [
rec { rec {
@ -56,9 +54,7 @@ let
} }
(genCNAMEs "nuc") (genCNAMEs "nuc")
(genCNAMEsNginx "nuc")
(builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ]) (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ])
(builtins.removeAttrs (genCNAMEsNginx "falkenstein") [ "mail" ])
]; ];
}); });
in in

View file

@ -19,15 +19,11 @@
weekly weekly
rotate 156 rotate 156
} }
"/var/log/nginx/*.log" { "/var/log/caddy/*.log" {
compress compress
delaycompress delaycompress
weekly weekly
postrotate
[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`
endscript
rotate 26 rotate 26
su nginx nginx
} }
''; '';
} }

View file

@ -8,17 +8,6 @@ in
./dovecot2.nix ./dovecot2.nix
./rspamd.nix ./rspamd.nix
]; ];
security.acme.certs."${domain}" = { # acquire certificates
reloadServices = [ services.caddy.virtualHosts."${domain}".extraConfig = "";
"postfix.service"
"dovecot2.service"
];
};
services.nginx.virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
};
};
} }

View file

@ -14,8 +14,8 @@ in
enableQuota = false; enableQuota = false;
enableLmtp = true; enableLmtp = true;
mailLocation = "maildir:/var/mail/%n"; mailLocation = "maildir:/var/mail/%n";
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslServerCert = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt";
sslServerKey = "/var/lib/acme/${hostname}/key.pem"; sslServerKey = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.key";
protocols = [ "imap" "sieve" ]; protocols = [ "imap" "sieve" ];
mailPlugins = { mailPlugins = {
globally.enable = [ "listescape" ]; globally.enable = [ "listescape" ];

View file

@ -33,8 +33,8 @@ in
origin = "${domain}"; origin = "${domain}";
destination = [ "${hostname}" "${domain}" "localhost" ]; destination = [ "${hostname}" "${domain}" "localhost" ];
networks = [ "127.0.0.1" ]; networks = [ "127.0.0.1" ];
sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; sslCert = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.crt";
sslKey = "/var/lib/acme/${hostname}/key.pem"; sslKey = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${hostname}/${hostname}.key";
config = { config = {
# home_mailbox = "Maildir/"; # home_mailbox = "Maildir/";
smtp_helo_name = config.networking.fqdn; smtp_helo_name = config.networking.fqdn;

View file

@ -38,14 +38,9 @@
enable = true; enable = true;
}; };
}; };
nginx.virtualHosts."rspamd.${config.networking.domain}" = { caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
locations = { reverse_proxy 127.0.0.1:11334
"/" = { '';
proxyPass = "http://127.0.0.1:11334";
proxyWebsockets = true;
};
};
};
}; };
systemd = { systemd = {
services.rspamd-dmarc-report = { services.rspamd-dmarc-report = {

View file

@ -1,70 +0,0 @@
{ config, lib, pkgs, ... }:
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
enableACME = true;
forceSSL = true;
# enable http3 for all hosts
quic = true;
http3 = true;
# split up nginx access logs per vhost
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
})
);
};
};
config =
let
# matrix homeserver discovery
matrix_domain = "matrix.${config.networking.domain}";
serverConfig = {
"m.server" = "${matrix_domain}:443";
};
clientConfig = {
"m.homeserver" = {
base_url = "https://${matrix_domain}";
# server_name = config.networking.domain;
};
"org.matrix.msc3575.proxy" = {
url = "https://${matrix_domain}";
};
};
mkWellKnown = data: ''
add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
in
{
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."${config.networking.domain}" = {
root = "/srv/web/${config.networking.domain}";
locations = {
"/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
"/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
};
};
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
};
};
}

View file

@ -15,4 +15,7 @@ in
tokenFile = config.age.secrets.purge.path; tokenFile = config.age.secrets.purge.path;
}; };
}; };
services.caddy.virtualHosts."${domain}".extraConfig = ''
reverse_proxy unix//run/purge/app.sock
'';
} }

View file

@ -1,4 +1,4 @@
{ config, pkgs, ... }: { config, pkgs, trucksimulatorbot, ... }:
let let
domain = "trucks.${config.networking.domain}"; domain = "trucks.${config.networking.domain}";
in in
@ -24,4 +24,16 @@ in
]; ];
ensureDatabases = [ "trucksimulator" ]; ensureDatabases = [ "trucksimulator" ];
}; };
# reverse_proxy unix//run/trucksimulator/app.sock
services.caddy.virtualHosts."${domain}".extraConfig = ''
redir /invite https://discord.com/api/oauth2/authorize?client_id=831052837353816066&permissions=262144&scope=bot%20applications.commands
handle /docs* {
file_server browse
root * ${trucksimulatorbot.packages.x86_64-linux.docs}
}
route /images* {
uri strip_prefix /images
reverse_proxy unix//run/trucksimulator/images.sock
}
'';
} }

View file

@ -5,6 +5,7 @@
email = "ca@${config.networking.domain}"; email = "ca@${config.networking.domain}";
logFormat = "format console"; logFormat = "format console";
}; };
systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ]; networking.firewall.allowedUDPPorts = [ 443 ];
} }