From 2f06f22ac73b98ea8c607051e82036ae058cfcf6 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Sat, 12 Oct 2024 19:30:36 +0200 Subject: [PATCH] feat(nginx): Switch to simpleProxies for the majority of configs --- machines/compute01/ds-fr/default.nix | 2 + machines/compute01/grafana.nix | 14 ++--- machines/compute01/hedgedoc.nix | 15 ++--- machines/compute01/kanidm/default.nix | 69 +++++++++------------ machines/compute01/nextcloud.nix | 18 +++--- machines/compute01/ollama-proxy.nix | 7 --- machines/compute01/outline.nix | 18 ++---- machines/compute01/plausible.nix | 13 +--- machines/compute01/satosa/default.nix | 10 ++- machines/compute01/satosa/module.nix | 8 --- machines/compute01/stirling-pdf/default.nix | 5 +- machines/compute01/vaultwarden.nix | 59 ++++++++---------- machines/rescue01/_configuration.nix | 1 + machines/rescue01/uptime-kuma.nix | 19 +----- machines/storage01/garage.nix | 37 ++++++++--- machines/storage01/peertube.nix | 2 + machines/web01/crabfit/default.nix | 27 +++----- machines/web01/linkal/module.nix | 23 +++---- machines/web01/netbox.nix | 21 ++----- machines/web01/ntfy-sh.nix | 12 ++-- machines/web02/cas-eleves/default.nix | 31 +++++---- machines/web02/kadenios/default.nix | 32 ++++------ 22 files changed, 180 insertions(+), 263 deletions(-) diff --git a/machines/compute01/ds-fr/default.nix b/machines/compute01/ds-fr/default.nix index 3650948..547543b 100644 --- a/machines/compute01/ds-fr/default.nix +++ b/machines/compute01/ds-fr/default.nix @@ -6,6 +6,8 @@ in { imports = [ ./module.nix ]; + dgn-web.internalPorts.ds-fr = 3000; + services.demarches-simplifiees = { enable = true; diff --git a/machines/compute01/grafana.nix b/machines/compute01/grafana.nix index 2687a68..b434bd8 100644 --- a/machines/compute01/grafana.nix +++ b/machines/compute01/grafana.nix 
@@ -69,17 +69,11 @@ in } ]; }; + }; - nginx.virtualHosts.${host} = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - }; + dgn-web.simpleProxies.grafana = { + inherit host port; + proxyWebsockets = true; }; age-secrets.autoMatch = [ "grafana" ]; diff --git a/machines/compute01/hedgedoc.nix b/machines/compute01/hedgedoc.nix index b2d2136..41998f0 100644 --- a/machines/compute01/hedgedoc.nix +++ b/machines/compute01/hedgedoc.nix @@ -29,16 +29,6 @@ in }; }; - nginx.virtualHosts.${host} = { - forceSSL = true; - enableACME = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - proxyWebsockets = true; - }; - }; - postgresql = { enable = true; @@ -53,6 +43,11 @@ in }; }; + dgn-web.simpleProxies.hedgedoc = { + inherit host port; + proxyWebsockets = true; + }; + systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" diff --git a/machines/compute01/kanidm/default.nix b/machines/compute01/kanidm/default.nix index 33acdd4..f88d070 100644 --- a/machines/compute01/kanidm/default.nix +++ b/machines/compute01/kanidm/default.nix @@ -8,7 +8,9 @@ let inherit (lib) escapeRegex concatStringsSep; - domain = "sso.dgnum.eu"; + host = "sso.dgnum.eu"; + port = 8443; + domain = host; cert = config.security.acme.certs.${domain}; 
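Review bot: `recommendedProxySettings = true` is removed together with the old `locations."/"` block and has no counterpart in the new `dgn-web.simpleProxies.grafana` entry, so the Host and X-Forwarded-* headers grafana relies on for its root URL and client addresses are only preserved if the dgn-web module sets them itself, which is not visible here. The ollama-proxy hunk likewise drops the global `services.nginx.recommendedProxySettings = true`, so both proxies now rest on that assumption. If the module does not set it, `vhostConfig.locations."/".recommendedProxySettings = true;` restores the previous behaviour. The enclosing `services` attribute set starts before the hunk.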
@@ -51,49 +53,40 @@ in users.users.kanidm.extraGroups = [ cert.group ]; - services.nginx = { - enable = true; + dgn-web.simpleProxies.kanidm = { + inherit host port; + vhostConfig.locations."/".extraConfig = '' + if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { + return 444; + } - virtualHosts.${domain} = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "https://127.0.0.1:8443"; + set $origin $http_origin; - extraConfig = '' - if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { - return 444; - } + if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { + set $origin 'https://${domain}'; + } - set $origin $http_origin; + proxy_hide_header Access-Control-Allow-Origin; - if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { - set $origin 'https://${domain}'; - } + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' "$origin" always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; + add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always; + add_header 'Access-Control-Allow-Credentials' 'true' always; - proxy_hide_header Access-Control-Allow-Origin; + add_header Access-Control-Max-Age 1728000; + add_header Content-Type 'text/plain charset=UTF-8'; + add_header Content-Length 0; + return 204; + } - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' "$origin" always; - add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; - add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always; - add_header 'Access-Control-Allow-Credentials' 'true' always; - - add_header Access-Control-Max-Age 1728000; - add_header Content-Type 'text/plain charset=UTF-8'; - add_header Content-Length 0; - return 204; - } - - if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') { - add_header 
Access-Control-Allow-Origin "$origin" always; - add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; - add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always; - add_header Access-Control-Allow-Credentials true always; - } - ''; - }; - }; + if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') { + add_header Access-Control-Allow-Origin "$origin" always; + add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; + add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always; + add_header Access-Control-Allow-Credentials true always; + } + ''; }; networking.firewall.allowedTCPPorts = [ 636 ]; diff --git a/machines/compute01/nextcloud.nix b/machines/compute01/nextcloud.nix index 9432612..4e2863b 100644 --- a/machines/compute01/nextcloud.nix +++ b/machines/compute01/nextcloud.nix @@ -3,6 +3,8 @@ let host = "cloud.dgnum.eu"; nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; + + port = 9980; in { services.nextcloud = { @@ -104,7 +106,7 @@ in imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; }; - ports = [ "9980:9980" ]; + ports = [ "${builtins.toString port}:${builtins.toString port}" ]; environment = { domain = "cloud.dgnum.eu"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; @@ -119,6 +121,8 @@ in }; }; + dgn-web.internalPorts.collabora = port; + services.nginx.virtualHosts = { ${host} = { enableACME = true; 
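Review bot: The upstream scheme is lost in this hunk: the removed line was `proxyPass = "https://127.0.0.1:8443";`, while the new entry is a bare `inherit host port;`, so the actual target is whatever dgn-web.simpleProxies builds (not visible here, presumably `http://`). The context line `users.users.kanidm.extraGroups = [ cert.group ]` suggests kanidm terminates TLS itself on 8443, in which case a plaintext proxy_pass fails on the first request. If the module cannot select an https upstream, it needs an option for that, or this host should stay on `services.nginx.virtualHosts` as the ollama-proxy file does. The `let` block defining `host`, `port` and `domain` is in the previous hunk.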
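Review bot: The `@@ -104,7 +106,7 @@` hunk parameterises the port but leaves `domain = "cloud.dgnum.eu";` and the `https://cloud.dgnum.eu/apps/richdocuments/...` literal in `extra_params` hard-coded, even though `host` already holds that value at the top of the file; `domain = host;` and `https://${host}/apps/...` keep them from drifting apart. Separately, `ports = [ "${builtins.toString port}:${builtins.toString port}" ]` publishes the container port without a host address; if registering it under `dgn-web.internalPorts.collabora` is meant to say it is loopback-only (what internalPorts implies is not visible here), a `127.0.0.1:` prefix on the host side would make the mapping match that intent.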
@@ -136,25 +140,25 @@ in extraConfig = '' # static files location ^~ /browser { - proxy_pass http://127.0.0.1:9980; + proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_set_header Host $host; } # WOPI discovery URL location ^~ /hosting/discovery { - proxy_pass http://127.0.0.1:9980; + proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_set_header Host $host; } # Capabilities location ^~ /hosting/capabilities { - proxy_pass http://127.0.0.1:9980; + proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_set_header Host $host; } # main websocket location ~ ^/cool/(.*)/ws$ { - proxy_pass http://127.0.0.1:9980; + proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; @@ -163,13 +167,13 @@ in # download, presentation and image upload location ~ ^/(c|l)ool { - proxy_pass http://127.0.0.1:9980; + proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_set_header Host $host; } # Admin Console websocket location ^~ /cool/adminws { - proxy_pass http://127.0.0.1:9980; + proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; diff --git a/machines/compute01/ollama-proxy.nix b/machines/compute01/ollama-proxy.nix index 0d396a5..31edbbf 100644 --- a/machines/compute01/ollama-proxy.nix +++ b/machines/compute01/ollama-proxy.nix @@ -6,8 +6,6 @@ }: { services.nginx = { - enable = true; - recommendedProxySettings = true; virtualHosts."ollama01.beta.dgnum.eu" = { enableACME = true; forceSSL = true; @@ -19,9 +17,4 @@ }; }; }; - - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; } diff --git a/machines/compute01/outline.nix b/machines/compute01/outline.nix index 9242c5c..cd125d7 100644 --- a/machines/compute01/outline.nix +++ b/machines/compute01/outline.nix @@ -2,6 +2,7 @@ let host = "docs.dgnum.eu"; + port = 3003; in { services.outline = { 
@@ -35,21 +36,12 @@ in defaultLanguage = "fr_FR"; forceHttps = false; - port = 3003; + inherit port; }; - services.nginx.virtualHosts.${host} = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://localhost:3003"; - proxyWebsockets = true; - }; - - locations."/robots.txt" = { - return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"''; - }; + dgn-web.simpleProxies.outline = { + inherit host port; + vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"''; }; age-secrets.autoMatch = [ "outline" ]; diff --git a/machines/compute01/plausible.nix b/machines/compute01/plausible.nix index 98232c8..22707fd 100644 --- a/machines/compute01/plausible.nix +++ b/machines/compute01/plausible.nix @@ -38,16 +38,7 @@ in }; }; - services.nginx = { - enable = true; - - virtualHosts.${host} = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - }; - }; + dgn-web.simpleProxies.plausible = { + inherit host port; }; } diff --git a/machines/compute01/satosa/default.nix b/machines/compute01/satosa/default.nix index 9855d5a..b64d5b6 100644 --- a/machines/compute01/satosa/default.nix +++ b/machines/compute01/satosa/default.nix @@ -2,16 +2,15 @@ let host = "saml-idp.dgnum.eu"; + port = 8090; in { - imports = [ ./module.nix ]; services.satosa = { enable = true; - inherit host; - port = 8090; + inherit host port; envFile = config.age.secrets."satosa-env_file".path; @@ -148,9 +147,8 @@ in }; }; - services.nginx.virtualHosts.${host} = { - enableACME = true; - forceSSL = true; + dgn-web.simpleProxies.satosa = { + inherit host port; }; age-secrets.autoMatch = [ "satosa" ]; diff --git a/machines/compute01/satosa/module.nix b/machines/compute01/satosa/module.nix index 3be8f0a..6af95fd 100644 --- a/machines/compute01/satosa/module.nix +++ b/machines/compute01/satosa/module.nix 
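Review bot: `proxyWebsockets = true` is removed with the old `locations."/"` block and not carried into `dgn-web.simpleProxies.outline`, unlike the grafana, hedgedoc and uptime-kuma hunks in this patch, which keep it. Outline's collaborative editing runs over a websocket, so without the upgrade headers the editor will fall back or fail; add `proxyWebsockets = true;` next to `inherit host port;`.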
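Review bot: In satosa/default.nix the line `imports = [ ./module.nix ];` is removed while the file still sets `services.satosa.*`, and the module.nix hunk below only strips the nginx block from that module rather than deleting it. Unless module.nix is now imported from somewhere else (not visible in this patch), `services.satosa` becomes an undefined option at evaluation time. If the import was meant to stay, restore `imports = [ ./module.nix ];`.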
@@ -190,14 +190,6 @@ in }; }; - services.nginx = mkIf cfg.configureNginx { - enable = true; - - virtualHosts.${cfg.host} = { - locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; - }; - }; - users.users.satosa = { isSystemUser = true; group = "satosa"; diff --git a/machines/compute01/stirling-pdf/default.nix b/machines/compute01/stirling-pdf/default.nix index e8fdb09..72045e8 100644 --- a/machines/compute01/stirling-pdf/default.nix +++ b/machines/compute01/stirling-pdf/default.nix @@ -11,9 +11,12 @@ let # - finally, update the commit hash of the customization patch dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57"; + port = 8084; in { + dgn-web.internalPorts.stirling-pdf = port; + services.stirling-pdf = { enable = true; @@ -24,7 +27,7 @@ in }); domain = "pdf.dgnum.eu"; - port = 8084; + inherit port; nginx = { enableACME = true; diff --git a/machines/compute01/vaultwarden.nix b/machines/compute01/vaultwarden.nix index d5f8e75..28ac9c1 100644 --- a/machines/compute01/vaultwarden.nix +++ b/machines/compute01/vaultwarden.nix @@ -2,6 +2,8 @@ let host = "pass.dgnum.eu"; + port = 10501; + wsPort = 10500; in { services.vaultwarden = { @@ -10,9 +12,9 @@ in config = { DOMAIN = "https://${host}"; WEBSOCKET_ENABLED = true; - WEBSOCKET_PORT = 10500; + WEBSOCKET_PORT = wsPort; SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu"; - ROCKET_PORT = 10501; + ROCKET_PORT = port; ROCKET_ADDRESS = "127.0.0.1"; SIGNUPS_VERIFY = true; USE_SYSLOG = true; 
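Review bot: With the `mkIf cfg.configureNginx` block gone, the `configureNginx` option (presumably declared earlier in this file, outside the hunk) has no remaining consumer as far as this patch shows. Either remove the option declaration as well, or keep a comment at the declaration such as `# nginx is now configured via dgn-web.simpleProxies in default.nix; this flag is a no-op` so the next reader is not misled into toggling it.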
@@ -31,45 +33,38 @@ in environmentFile = config.age.secrets."vaultwarden-environment_file".path; }; - services = { - nginx = { - enable = true; + dgn-web = { + internalPorts.vaultwarden-websockets = wsPort; - virtualHosts.${host} = { - forceSSL = true; - enableACME = true; + simpleProxies.vaultwarden = { + inherit host port; + proxyWebsockets = true; - locations = { - "/" = { - proxyPass = "http://127.0.0.1:10501"; - proxyWebsockets = true; - }; + vhostConfig.locations = { + "/notifications/hub" = { + proxyPass = "http://127.0.0.1:${builtins.toString port}"; + proxyWebsockets = true; + }; - "/notifications/hub" = { - proxyPass = "http://127.0.0.1:10500"; - proxyWebsockets = true; - }; - - "/notifications/hub/negotiate" = { - proxyPass = "http://127.0.0.1:10501"; - proxyWebsockets = true; - }; + "/notifications/hub/negotiate" = { + proxyPass = "http://127.0.0.1:${builtins.toString wsPort}"; + proxyWebsockets = true; }; }; }; + }; - postgresql = { - enable = true; + services.postgresql = { + enable = true; - ensureDatabases = [ "vaultwarden" ]; + ensureDatabases = [ "vaultwarden" ]; - ensureUsers = [ - { - name = "vaultwarden"; - ensureDBOwnership = true; - } - ]; - }; + ensureUsers = [ + { + name = "vaultwarden"; + ensureDBOwnership = true; + } + ]; }; dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ]; diff --git a/machines/rescue01/_configuration.nix b/machines/rescue01/_configuration.nix index ca68e2e..781a9dd 100644 --- a/machines/rescue01/_configuration.nix +++ b/machines/rescue01/_configuration.nix @@ -3,6 +3,7 @@ lib.extra.mkConfig { enabledModules = [ # List of modules to enable + "dgn-web" ]; enabledServices = [ diff --git a/machines/rescue01/uptime-kuma.nix b/machines/rescue01/uptime-kuma.nix index d223262..6fe099c 100644 --- a/machines/rescue01/uptime-kuma.nix +++ b/machines/rescue01/uptime-kuma.nix 
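Review bot: The two notification locations have their upstreams swapped relative to the removed block: `/notifications/hub` now targets `port` (ROCKET_PORT, 10501) and `/notifications/hub/negotiate` targets `wsPort` (WEBSOCKET_PORT, 10500), whereas before hub went to 10500 and negotiate to 10501. Unless the swap is intentional, the websocket hub is now answered by the Rocket HTTP listener and the negotiate call by the websocket listener, breaking live sync. Restore with `"/notifications/hub".proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";` and `"/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:${builtins.toString port}";`.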
@@ -122,24 +122,11 @@ in services.uptime-kuma.enable = true; - services.nginx = { - enable = true; - - virtualHosts.${host} = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${builtins.toString port}"; - proxyWebsockets = true; - }; - }; + dgn-web.simpleProxies.uptime-kuma = { + inherit host port; + proxyWebsockets = true; }; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - statelessUptimeKuma = { probesConfig = mkMerge [ pingProbes diff --git a/machines/storage01/garage.nix b/machines/storage01/garage.nix index a07bf17..29a7f8b 100644 --- a/machines/storage01/garage.nix +++ b/machines/storage01/garage.nix @@ -1,6 +1,13 @@ -{ config, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mapAttrs' nameValuePair; + host = "s3.dgnum.eu"; webHost = "cdn.dgnum.eu"; @@ -25,8 +32,18 @@ let ] ++ domains; mkHosted = host: builtins.map (b: "${b}.${host}"); + + ports = { + admin_api = 3903; + k2v_api = 3904; + rpc = 3901; + s3_api = 3900; + s3_web = 3902; + }; in { + dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports; + services.garage = { enable = true; 
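Review bot: `dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;` registers all five garage ports under one label, but in the next hunk two of them, `rpc_bind_addr = "[::]:${toString ports.rpc}"` and `k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}"`, are bound on every interface while the other three are on 127.0.0.1. If internalPorts is meant as a map of loopback-only listeners (its semantics are not visible here), rpc and k2v_api are misdescribed; if it feeds firewall or proxy rules, the two wildcard binds deserve to be called out. A one-line comment on the `ports` set, e.g. `# rpc and k2v_api bind on [::]; the other three are loopback-only`, makes the distinction visible either way.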
@@ -40,24 +57,24 @@ in replication_mode = "none"; # TODO: deprecated compression_level = 7; - rpc_bind_addr = "[::]:3901"; - rpc_public_addr = "127.0.0.1:3901"; + rpc_bind_addr = "[::]:${toString ports.rpc}"; + rpc_public_addr = "127.0.0.1:${toString ports.rpc}"; s3_api = { s3_region = "garage"; - api_bind_addr = "127.0.0.1:3900"; + api_bind_addr = "127.0.0.1:${toString ports.s3_api}"; root_domain = ".${host}"; }; s3_web = { - bind_addr = "127.0.0.1:3902"; + bind_addr = "127.0.0.1:${toString ports.s3_web}"; root_domain = ".${webHost}"; index = "index.html"; }; - k2v_api.api_bind_addr = "[::]:3904"; + k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}"; - admin.api_bind_addr = "127.0.0.1:3903"; + admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}"; }; environmentFile = config.age.secrets."garage-environment_file".path; @@ -84,7 +101,7 @@ in forceSSL = true; locations."/".extraConfig = '' - proxy_pass http://127.0.0.1:3903; + proxy_pass http://127.0.0.1:${toString ports.admin_api}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; ''; @@ -97,7 +114,7 @@ in serverAliases = mkHosted host buckets; locations."/".extraConfig = '' - proxy_pass http://127.0.0.1:3900; + proxy_pass http://127.0.0.1:${toString ports.s3_api}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; # Disable buffering to a temporary file. @@ -113,7 +130,7 @@ in serverAliases = domains ++ (mkHosted webHost buckets); locations."/".extraConfig = '' - proxy_pass http://127.0.0.1:3902; + proxy_pass http://127.0.0.1:${toString ports.s3_web}; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; ''; diff --git a/machines/storage01/peertube.nix b/machines/storage01/peertube.nix index 0382f1a..018a0c6 100644 --- a/machines/storage01/peertube.nix +++ b/machines/storage01/peertube.nix 
@@ -4,6 +4,8 @@ let host = "videos.dgnum.eu"; in { + dgn-web.internalPorts.peertube = config.services.peertube.listenHttp; + services.peertube = { enable = true; diff --git a/machines/web01/crabfit/default.nix b/machines/web01/crabfit/default.nix index 879ac36..2fb70e1 100644 --- a/machines/web01/crabfit/default.nix +++ b/machines/web01/crabfit/default.nix @@ -12,25 +12,12 @@ dgn-backups.postgresDatabases = [ "crabfit" ]; - services.nginx = - let - cfg = config.services.crabfit; - in - { - enable = true; - - virtualHosts.${cfg.frontend.host} = { - enableACME = true; - forceSSL = true; - - locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}"; - }; - - virtualHosts.${cfg.api.host} = { - enableACME = true; - forceSSL = true; - - locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}"; - }; + dgn-web.simpleProxies = { + crabfit-api = { + inherit (config.services.crabfit.api) host port; }; + crabfit-frontend = { + inherit (config.services.crabfit.frontend) host port; + }; + }; } diff --git a/machines/web01/linkal/module.nix b/machines/web01/linkal/module.nix index eb55f65..07c316f 100644 --- a/machines/web01/linkal/module.nix +++ b/machines/web01/linkal/module.nix @@ -101,20 +101,13 @@ in # }; # }; - services.nginx = { - enable = true; - - virtualHosts = mapAttrs' ( - name: - { port, ... }: - nameValuePair "${name}.${cfg.domain}" { - enableACME = true; - # acmeRoot = null; # Use DNS-01 validation - forceSSL = true; - - locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/"; - } - ) cfg.calendarGroups; - }; + dgn-web.simpleProxies = mapAttrs' ( + name: + { port, ... }: + nameValuePair "linkal-${name}" { + inherit port; + host = "${name}.${cfg.domain}"; + } + ) cfg.calendarGroups; }; } diff --git a/machines/web01/netbox.nix b/machines/web01/netbox.nix index 2bd819a..7c2157b 100644 --- a/machines/web01/netbox.nix +++ b/machines/web01/netbox.nix 
@@ -39,17 +39,6 @@ in SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"] ''; }; - - nginx = { - enable = true; - virtualHosts."netbox.dgnum.eu" = { - enableACME = true; - forceSSL = true; - - locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - locations."/static/".alias = "${config.services.netbox.dataDir}/static/"; - }; - }; }; systemd.services = { @@ -69,10 +58,12 @@ in }; users.users.nginx.extraGroups = [ "netbox" ]; - networking.firewall.allowedTCPPorts = [ - 443 - 80 - ]; + + dgn-web.simpleProxies.netbox = { + inherit (config.services.netbox) port; + host = "netbox.dgnum.eu"; + vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/"; + }; dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ]; dgn-backups.postgresDatabases = [ "netbox" ]; diff --git a/machines/web01/ntfy-sh.nix b/machines/web01/ntfy-sh.nix index b6e3fb4..6074749 100644 --- a/machines/web01/ntfy-sh.nix +++ b/machines/web01/ntfy-sh.nix @@ -2,6 +2,7 @@ let host = "push.dgnum.eu"; + port = 2586; in { services.ntfy-sh = { @@ -17,14 +18,9 @@ in }; }; - services.nginx.virtualHosts.${host} = { - enableACME = true; - forceSSL = true; - - locations."/" = { - proxyPass = "http://127.0.0.1:2586"; - proxyWebsockets = true; - }; + dgn-web.simpleProxies.ntfy-sh = { + inherit host port; + proxyWebsockets = true; }; systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [ diff --git a/machines/web02/cas-eleves/default.nix b/machines/web02/cas-eleves/default.nix index 378ec3c..68e3530 100644 --- a/machines/web02/cas-eleves/default.nix +++ b/machines/web02/cas-eleves/default.nix @@ -9,6 +9,7 @@ let inherit (lib) mapAttrsToList; + host = "cas.eleves.ens.fr"; port = 9889; python3 = 
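Review bot: The removed `proxyPass` built its target from `config.services.netbox.listenAddress`, whereas the new `dgn-web.simpleProxies.netbox` entry passes only `inherit (config.services.netbox) port;`, so the upstream address now comes from the module and is not visible here. If the module assumes 127.0.0.1 while netbox keeps the NixOS module's default listen address (an IPv6 loopback, as far as I recall), nginx cannot reach it; either set `services.netbox.listenAddress = "127.0.0.1";` explicitly alongside this entry, or have simpleProxies accept an address. The `@@ -69,10 +58,12 @@` hunk is where the new entry lives; the first hunk only removes the old vhost.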
@@ -128,28 +129,24 @@ in dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; - services = { - postgresql = { - ensureDatabases = [ "cas_server" ]; - ensureUsers = [ - { - name = "cas_server"; - ensureDBOwnership = true; - } - ]; - }; - - nginx.virtualHosts."cas.eleves.ens.fr" = { - enableACME = true; - forceSSL = true; - + dgn-web.simpleProxies.cas-eleves = { + inherit host port; + vhostConfig = { serverAliases = [ "cas-eleves.dgnum.eu" ]; - locations = { - "/".proxyPass = "http://127.0.0.1:${builtins.toString port}"; "/static/".root = staticDrv; "= /robots.txt".root = "${staticDrv}/static"; }; }; }; + + services.postgresql = { + ensureDatabases = [ "cas_server" ]; + ensureUsers = [ + { + name = "cas_server"; + ensureDBOwnership = true; + } + ]; + }; } diff --git a/machines/web02/kadenios/default.nix b/machines/web02/kadenios/default.nix index a20f22c..55c8867 100644 --- a/machines/web02/kadenios/default.nix +++ b/machines/web02/kadenios/default.nix @@ -9,6 +9,7 @@ let inherit (lib) mapAttrsToList optionals; + host = "vote.dgnum.eu"; port = 9888; python3 = @@ -168,25 +169,18 @@ in }; }; - services = { - postgresql = { - ensureDatabases = [ "kadenios" ]; - ensureUsers = [ - { - name = "kadenios"; - ensureDBOwnership = true; - } - ]; - }; + dgn-web.simpleProxies.kadenios = { + inherit host port; + vhostConfig.locations."/static/".root = staticDrv; + }; - nginx.virtualHosts."vote.dgnum.eu" = { - enableACME = true; - forceSSL = true; - - locations = { - "/".proxyPass = "http://127.0.0.1:${builtins.toString port}"; - "/static/".root = staticDrv; - }; - }; + services.postgresql = { + ensureDatabases = [ "kadenios" ]; + ensureUsers = [ + { + name = "kadenios"; + ensureDBOwnership = true; + } + ]; }; }
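Review bot: `host` is introduced and used in `inherit host port;`, but the context line `dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";` just above still hard-codes the same name; `= host;` keeps the redirect target and the vhost in sync. The alias name also appears in `serverAliases = [ "cas-eleves.dgnum.eu" ];` on the proxied vhost, so the same server name is both redirected and served; that predates this change, but a short comment on which of the two definitions is expected to win would help the next reader.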