


Rouven Seifert 657ae1385e nuc: switch to caddy 2024-05-21 18:44:04 +02:00
Rouven Seifert 6e82ae5be8 remove secret 2024-05-21 15:32:02 +02:00
11 changed files with 69 additions and 98 deletions


@ -35,8 +35,10 @@ let
subdomains = subdomains =
let let
getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts); getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
getVirtualHostsNginx = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.nginx.virtualHosts);
genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; }); genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
genCNAMEsNginx = hostname: lib.attrsets.genAttrs (getVirtualHostsNginx hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });
in in
lib.attrsets.mergeAttrsList [ lib.attrsets.mergeAttrsList [
rec { rec {
@ -54,7 +56,9 @@ let
} }
(genCNAMEs "nuc") (genCNAMEs "nuc")
(genCNAMEsNginx "nuc")
(builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ]) (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ])
(builtins.removeAttrs (genCNAMEsNginx "falkenstein") [ "mail" ])
]; ];
}); });
in in
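Review bot: `getVirtualHostsNginx` and `genCNAMEsNginx` are copies of `getVirtualHosts` and `genCNAMEs` with only the service attribute changed, so four functions now do the work of two parameterised ones, e.g. `getVirtualHostsFor = service: hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.${service}.virtualHosts);` with `genCNAMEsFor = service: hostname: lib.attrsets.genAttrs (getVirtualHostsFor service hostname) (label: { CNAME = [ "${hostname}.${domain}." ]; });`. The fixed-length suffix slice also assumes every virtualHost key is a bare `<label>.<domain>` name; Caddy site keys may carry a scheme or port (`http://…`, `…:8443`) or lie outside `domain`, and such a key would produce a garbled or wrongly published DNS label rather than an evaluation error, so filtering with `lib.hasSuffix ".${domain}"` or asserting it before slicing is worth adding now that two sources feed the zone. The outer `let` enclosing `subdomains` starts before the hunk.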


@ -8,7 +8,6 @@
./modules/networks ./modules/networks
./modules/adguard ./modules/adguard
./modules/backup ./modules/backup
# ./modules/keycloak
./modules/jellyfin ./modules/jellyfin
./modules/cache ./modules/cache
./modules/matrix ./modules/matrix
@ -16,7 +15,8 @@
./modules/seafile ./modules/seafile
./modules/torrent ./modules/torrent
./modules/vaultwarden ./modules/vaultwarden
./modules/nginx # ./modules/nginx
./modules/caddy
./modules/indexing ./modules/indexing
]; ];
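Review bot: `./modules/nginx` is commented out rather than removed, and the nginx module file is not among the changed files, so the tree keeps a dormant second reverse-proxy configuration that comes back with a one-character edit and would then contend with Caddy for ports 80/443; since `./modules/keycloak` is deleted outright in the same hunk (and its module file removed), deleting the nginx import and module would be consistent, or the line should carry a short comment such as `# nginx replaced by ./modules/caddy; remove once DNS generation no longer reads services.nginx.virtualHosts` explaining why it stays. Separately, dropping the keycloak module removes the service but, as far as this diff shows, not its PostgreSQL database, role, or on-disk state on the host, which may warrant a follow-up cleanup.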


@ -9,10 +9,13 @@ in
services.authentik = { services.authentik = {
enable = true; enable = true;
environmentFile = config.age.secrets.authentik.path; environmentFile = config.age.secrets.authentik.path;
nginx = { # nginx = {
enable = true; # enable = true;
enableACME = true; # enableACME = true;
host = domain; # host = domain;
}; # };
}; };
services.caddy.virtualHosts."${domain}".extraConfig = ''
reverse_proxy localhost:9000
'';
} }
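Review bot: The new `reverse_proxy localhost:9000` depends on name resolution where every other module in this commit proxies to a literal `127.0.0.1`; if `localhost` resolves to `::1` first and authentik only listens on IPv4, the proxy fails or flaps, so `reverse_proxy 127.0.0.1:9000` is the safer and consistent form. The module's own `nginx` integration block (which also set `enableACME`) is commented out rather than deleted, leaving dead configuration that should go now that TLS and proxying live in Caddy. Whether authentik's trusted-proxy CIDRs cover Caddy's source address, which is what makes the forwarded client IP usable in its event log, is not visible in this hunk and is worth confirming.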


@ -10,9 +10,7 @@ in
enable = true; enable = true;
secretKeyFile = config.age.secrets.cache.path; secretKeyFile = config.age.secrets.cache.path;
}; };
services.nginx.virtualHosts."${domain}" = { services.caddy.virtualHosts."${domain}".extraConfig = ''
locations."/" = { reverse_proxy 127.0.0.1:${toString config.services.nix-serve.port}
proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}"; '';
};
};
} }


@ -0,0 +1,10 @@
{ config, ... }:
{
services.caddy = {
enable = true;
email = "ca@${config.networking.domain}";
logFormat = "format console";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
}
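Review bot: `logFormat` only configures Caddy's default (process) logger; HTTP access logs are not emitted unless a site block, or a snippet every site imports, contains the `log` directive, so after this commit none of the proxied services get per-request logs from the proxy, which matters for incident response and for any log-based blocking that may have read nginx's access log before. Caddy's automatic HTTPS also adds no HSTS header, so the `forceSSL` behaviour of the old nginx hosts is only partly reproduced; a global `header Strict-Transport-Security "max-age=31536000"` (adding `includeSubDomains` only if every subdomain is HTTPS-only) would close that. Opening UDP 443 matches Caddy's HTTP/3 listener, and a one-line comment such as `# UDP 443: HTTP/3 (QUIC)` would make that intent obvious to the next reader.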


@ -1,43 +0,0 @@
{ config, ... }:
let
domain = "auth.${config.networking.domain}";
in
{
age.secrets.keycloak = {
file = ../../../../secrets/nuc/keycloak/db.age;
};
services.keycloak = {
enable = true;
settings = {
http-port = 8084;
https-port = 19000;
hostname = domain;
# proxy-headers = "forwarded";
proxy = "edge";
};
database = {
# host = "/var/run/postgresql/.s.PGSQL.5432";
# useSSL = false;
# createLocally = false;
passwordFile = config.age.secrets.keycloak.path;
};
initialAdminPassword = "plschangeme";
};
# services.postgresql = {
# enable = true;
# ensureUsers = [
# {
# name = "keycloak";
# ensureDBOwnership = true;
# }
# ];
# ensureDatabases = [ "keycloak" ];
# };
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
};
};
}


@ -32,6 +32,7 @@ in
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
configureRedisLocally = true; configureRedisLocally = true;
enableRegistrationScript = false;
extraConfigFiles = [ config.age.secrets."matrix/shared".path ]; extraConfigFiles = [ config.age.secrets."matrix/shared".path ];
log = { log = {
root.level = "WARNING"; root.level = "WARNING";
@ -41,10 +42,9 @@ in
server_name = config.networking.domain; server_name = config.networking.domain;
listeners = [{ listeners = [{
port = 8008; path = "/run/matrix-synapse/server.sock";
bind_addresses = [ "::1" ]; mode = "666";
type = "http"; type = "http";
tls = false;
x_forwarded = true; x_forwarded = true;
resources = [{ resources = [{
names = [ "client" "federation" ]; names = [ "client" "federation" ];
@ -57,29 +57,24 @@ in
enable = true; enable = true;
settings = { settings = {
SYNCV3_SERVER = "https://${domain}"; SYNCV3_SERVER = "https://${domain}";
SYNCV3_BINDADDR = "/run/matrix-sliding-sync/server.sock";
}; };
environmentFile = config.age.secrets."matrix/sync".path; environmentFile = config.age.secrets."matrix/sync".path;
}; };
nginx = { caddy = {
recommendedProxySettings = true;
virtualHosts = { virtualHosts = {
# synapse # synapse
"${domain}" = { "${domain}".extraConfig = ''
# locations."/".extraConfig = "return 404;"; reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock
reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock
# # proxy to synapse reverse_proxy unix//run/matrix-synapse/server.sock
# locations."/_matrix".proxyPass = "http://[::1]:8008"; '';
locations."/".proxyPass = "http://[::1]:8008";
locations."~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)".proxyPass = "http://localhost:8009";
# locations."/_synapse/client".proxyPass = "http://[::1]:8008";
};
# element # element
"${domainClient}" = { "${domainClient}".extraConfig = ''
root = pkgs.element-web.override { root '${pkgs.element-web.override {
conf = { conf = {
default_server_config = { default_server_config = {
inherit (clientConfig) "m.homeserver"; inherit (clientConfig) "m.homeserver";
@ -87,13 +82,23 @@ in
}; };
disable_3pid_login = true; disable_3pid_login = true;
}; };
}; }}'
}; '';
}; };
}; };
}; };
systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ]; systemd.services.matrix-synapse = {
after = [ "matrix-synapse-pgsetup.service" ];
serviceConfig = {
RuntimeDirectory = "matrix-synapse";
};
};
systemd.services.matrix-sliding-sync = {
serviceConfig = {
RuntimeDirectory = "matrix-sliding-sync";
};
};
systemd.services.matrix-synapse-pgsetup = { systemd.services.matrix-synapse-pgsetup = {
description = "Prepare Synapse postgres database"; description = "Prepare Synapse postgres database";
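Review bot: `mode = "666"` makes the new Synapse unix socket world-writable, so any local user or service can reach the client and federation APIs directly and, because `x_forwarded = true` is retained, can spoof the client address via `X-Forwarded-For`, defeating per-IP rate limiting and the addresses Synapse records for logins; Caddy only needs group access, e.g. `mode = "660";` together with `users.users.caddy.extraGroups = [ "matrix-synapse" ];` (assuming the NixOS default `caddy` user and `matrix-synapse` group). The sliding-sync socket's permissions are not visible here and presumably follow that service's umask, so Caddy's access to it and its exposure to other local users need the same check. `RuntimeDirectory` defaults to mode 0755, so the directory does not restrict access and the socket mode is the only control. The `matrix-synapse-pgsetup` definition continues past the end of the hunk.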


@ -31,21 +31,16 @@ in
} }
''; '';
}; };
services.nginx.virtualHosts."${domain}" = { services.caddy.virtualHosts."${domain}".extraConfig = ''
locations."/" = { redir /accounts/login /oauth/login
proxyPass = "http://unix:/run/seahub/gunicorn.sock"; reverse_proxy unix//run/seahub/gunicorn.sock
}; route /media/* {
locations."/seafhttp" = { root '${pkgs.seahub}'
proxyPass = "http://127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}"; }
extraConfig = ''
rewrite ^/seafhttp(.*)$ $1 break; route /seafhttp/* {
''; uri strip_prefix /seafhttp
}; reverse_proxy 127.0.0.1:${toString config.services.seafile.seafileSettings.fileserver.port}
locations."/media" = { }
root = pkgs.seahub; '';
};
locations."/accounts/login" = {
return = "301 /oauth/login";
};
};
} }
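Review bot: The `route /media/*` block sets `root` but never adds `file_server`, so it only declares a document root and the request falls through to the catch-all `reverse_proxy` to gunicorn; the nginx config it replaces served `/media` statically from `${pkgs.seahub}`, so the block needs `file_server` on the line after `root '${pkgs.seahub}'`. `redir` without a status answers 302 where the old `return 301` was permanent, which is fine for a login redirect, but `redir /accounts/login /oauth/login permanent` keeps the previous behaviour if that matters to clients that cached it.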


@ -29,9 +29,7 @@ in
]; ];
ensureDatabases = [ "vaultwarden" ]; ensureDatabases = [ "vaultwarden" ];
}; };
services.nginx.virtualHosts."${domain}" = { services.caddy.virtualHosts."${domain}".extraConfig = ''
locations."/" = { reverse_proxy 127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}"; '';
};
};
} }
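Review bot: Vaultwarden takes the client address from the `X-Real-IP` header by default (its `IP_HEADER` setting), which Caddy's `reverse_proxy` does not add — it sets only `X-Forwarded-For` and `X-Forwarded-Proto` — so failed-login logging, and any fail2ban rules built on it, will see `127.0.0.1` for every client after this change. Either wrap the proxy as `reverse_proxy 127.0.0.1:${toString config.services.vaultwarden.config.rocketPort} {` / `header_up X-Real-IP {remote_host}` / `}`, or set `IP_HEADER = "X-Forwarded-For"` in `services.vaultwarden.config`, which starts before this hunk. Whether the previous nginx vhost set `X-Real-IP` is not visible in this diff, so this may be a pre-existing gap rather than a regression.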

Binary file not shown.


@ -9,6 +9,7 @@
trash-cli trash-cli
nix-output-monitor nix-output-monitor
iperf iperf
jq
]; ];
users.defaultUserShell = pkgs.zsh; users.defaultUserShell = pkgs.zsh;
programs.fzf = { programs.fzf = {