DGNum/infrastructure
12
6
Fork 3
Code Issues 16 Pull requests 9 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:2f06f22ac73b98ea8c607051e82036ae058cfcf6
Branches Tags
DGNum:main
DGNum:npins-update
DGNum:tower01
DGNum:search-infra
DGNum:web02
DGNum:django-backups
DGNum:hypervisor
DGNum:pretalx
DGNum:cas-redirection
DGNum:hypervisors
DGNum:meta_rework
DGNum:sleep-uk
DGNum:reuse
DGNum:doc
DGNum:mdDoc-removal
DGNum:collabora-online
DGNum:logrotate
DGNum:cgroup-exporting
DGNum:ap01-vlan
DGNum:liminix-test
DGNum:crabfit-padding
DGNum:generalized-evaluation
DGNum:colmena-liminx-ng
DGNum:dns-lab
DGNum:nixpkgs--
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
..
compare: DGNum:f819acf9bca2a6efb9283083f1da8acd6f8c649c
Branches Tags
DGNum:npins-update
DGNum:main
DGNum:tower01
DGNum:search-infra
DGNum:web02
DGNum:django-backups
DGNum:hypervisor
DGNum:pretalx
DGNum:cas-redirection
DGNum:hypervisors
DGNum:meta_rework
DGNum:sleep-uk
DGNum:reuse
DGNum:doc
DGNum:mdDoc-removal
DGNum:collabora-online
DGNum:logrotate
DGNum:cgroup-exporting
DGNum:ap01-vlan
DGNum:liminix-test
DGNum:crabfit-padding
DGNum:generalized-evaluation
DGNum:colmena-liminx-ng
DGNum:dns-lab
DGNum:nixpkgs--
DGNum:lix-patched
DGNum:web01
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix

No commits in common. "2f06f22ac73b98ea8c607051e82036ae058cfcf6" and "f819acf9bca2a6efb9283083f1da8acd6f8c649c" have entirely different histories.
2f06f22ac7 ... f819acf9bc

26 changed files with 291 additions and 306 deletions
Show stats Expand all files Collapse all files

2
machines/compute01/ds-fr/default.nix
View file

@ -6,8 +6,6 @@ in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = { services.demarches-simplifiees = {
enable = true; enable = true;

14
machines/compute01/grafana.nix
View file

@ -69,11 +69,17 @@ in
} }
]; ];
}; };
};
dgn-web.simpleProxies.grafana = { nginx.virtualHosts.${host} = {
inherit host port; enableACME = true;
proxyWebsockets = true; forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}; };
age-secrets.autoMatch = [ "grafana" ]; age-secrets.autoMatch = [ "grafana" ];

15
machines/compute01/hedgedoc.nix
View file

@ -29,6 +29,16 @@ in
}; };
}; };
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = { postgresql = {
enable = true; enable = true;
@ -43,11 +53,6 @@ in
}; };
}; };
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [ systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc" "hedgedoc"
"hedgedoc/uploads" "hedgedoc/uploads"

69
machines/compute01/kanidm/default.nix
View file

@ -8,9 +8,7 @@
let let
inherit (lib) escapeRegex concatStringsSep; inherit (lib) escapeRegex concatStringsSep;
host = "sso.dgnum.eu"; domain = "sso.dgnum.eu";
port = 8443;
domain = host;
cert = config.security.acme.certs.${domain}; cert = config.security.acme.certs.${domain};
@ -53,40 +51,49 @@ in
users.users.kanidm.extraGroups = [ cert.group ]; users.users.kanidm.extraGroups = [ cert.group ];
dgn-web.simpleProxies.kanidm = { services.nginx = {
inherit host port; enable = true;
vhostConfig.locations."/".extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
set $origin $http_origin; virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { extraConfig = ''
set $origin 'https://${domain}'; if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
} return 444;
}
proxy_hide_header Access-Control-Allow-Origin; set $origin $http_origin;
if ($request_method = 'OPTIONS') { if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
add_header 'Access-Control-Allow-Origin' "$origin" always; set $origin 'https://${domain}';
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; }
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000; proxy_hide_header Access-Control-Allow-Origin;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') { if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin "$origin" always; add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always; add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always; add_header 'Access-Control-Allow-Credentials' 'true' always;
}
''; add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
}; };
networking.firewall.allowedTCPPorts = [ 636 ]; networking.firewall.allowedTCPPorts = [ 636 ];

18
machines/compute01/nextcloud.nix
View file

@ -3,8 +3,6 @@
let let
host = "cloud.dgnum.eu"; host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in in
{ {
services.nextcloud = { services.nextcloud = {
@ -106,7 +104,7 @@ in
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
}; };
ports = [ "${builtins.toString port}:${builtins.toString port}" ]; ports = [ "9980:9980" ];
environment = { environment = {
domain = "cloud.dgnum.eu"; domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
@ -121,8 +119,6 @@ in
}; };
}; };
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
${host} = { ${host} = {
enableACME = true; enableACME = true;
@ -140,25 +136,25 @@ in
extraConfig = '' extraConfig = ''
# static files # static files
location ^~ /browser { location ^~ /browser {
proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# WOPI discovery URL # WOPI discovery URL
location ^~ /hosting/discovery { location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Capabilities # Capabilities
location ^~ /hosting/capabilities { location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# main websocket # main websocket
location ~ ^/cool/(.*)/ws$ { location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;
@ -167,13 +163,13 @@ in
# download, presentation and image upload # download, presentation and image upload
location ~ ^/(c|l)ool { location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Admin Console websocket # Admin Console websocket
location ^~ /cool/adminws { location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:${builtins.toString port}; proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;

7
machines/compute01/ollama-proxy.nix
View file

@ -6,6 +6,8 @@
}: }:
{ {
services.nginx = { services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."ollama01.beta.dgnum.eu" = { virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -17,4 +19,9 @@
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
} }

18
machines/compute01/outline.nix
View file

@ -2,7 +2,6 @@
let let
host = "docs.dgnum.eu"; host = "docs.dgnum.eu";
port = 3003;
in in
{ {
services.outline = { services.outline = {
@ -36,12 +35,21 @@ in
defaultLanguage = "fr_FR"; defaultLanguage = "fr_FR";
forceHttps = false; forceHttps = false;
inherit port; port = 3003;
}; };
dgn-web.simpleProxies.outline = { services.nginx.virtualHosts.${host} = {
inherit host port; enableACME = true;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"''; forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
}; };
age-secrets.autoMatch = [ "outline" ]; age-secrets.autoMatch = [ "outline" ];

13
machines/compute01/plausible.nix
View file

@ -38,7 +38,16 @@ in
}; };
}; };
dgn-web.simpleProxies.plausible = { services.nginx = {
inherit host port; enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
}; };
} }

10
machines/compute01/satosa/default.nix
View file

@ -2,15 +2,16 @@
let let
host = "saml-idp.dgnum.eu"; host = "saml-idp.dgnum.eu";
port = 8090;
in in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
services.satosa = { services.satosa = {
enable = true; enable = true;
inherit host port; inherit host;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path; envFile = config.age.secrets."satosa-env_file".path;
@ -147,8 +148,9 @@ in
}; };
}; };
dgn-web.simpleProxies.satosa = { services.nginx.virtualHosts.${host} = {
inherit host port; enableACME = true;
forceSSL = true;
}; };
age-secrets.autoMatch = [ "satosa" ]; age-secrets.autoMatch = [ "satosa" ];

8
machines/compute01/satosa/module.nix
View file

@ -190,6 +190,14 @@ in
}; };
}; };
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = { users.users.satosa = {
isSystemUser = true; isSystemUser = true;
group = "satosa"; group = "satosa";

5
machines/compute01/stirling-pdf/default.nix
View file

@ -11,12 +11,9 @@ let
# - finally, update the commit hash of the customization patch # - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57"; dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
port = 8084;
in in
{ {
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = { services.stirling-pdf = {
enable = true; enable = true;
@ -27,7 +24,7 @@ in
}); });
domain = "pdf.dgnum.eu"; domain = "pdf.dgnum.eu";
inherit port; port = 8084;
nginx = { nginx = {
enableACME = true; enableACME = true;

59
machines/compute01/vaultwarden.nix
View file

@ -2,8 +2,6 @@
let let
host = "pass.dgnum.eu"; host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in in
{ {
services.vaultwarden = { services.vaultwarden = {
@ -12,9 +10,9 @@ in
config = { config = {
DOMAIN = "https://${host}"; DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true; WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = wsPort; WEBSOCKET_PORT = 10500;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu"; SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = port; ROCKET_PORT = 10501;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true; SIGNUPS_VERIFY = true;
USE_SYSLOG = true; USE_SYSLOG = true;
@ -33,38 +31,45 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path; environmentFile = config.age.secrets."vaultwarden-environment_file".path;
}; };
dgn-web = { services = {
internalPorts.vaultwarden-websockets = wsPort; nginx = {
enable = true;
simpleProxies.vaultwarden = { virtualHosts.${host} = {
inherit host port; forceSSL = true;
proxyWebsockets = true; enableACME = true;
vhostConfig.locations = { locations = {
"/notifications/hub" = { "/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}"; proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true; proxyWebsockets = true;
}; };
"/notifications/hub/negotiate" = { "/notifications/hub" = {
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}"; proxyPass = "http://127.0.0.1:10500";
proxyWebsockets = true; proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
}; };
}; };
}; };
};
services.postgresql = { postgresql = {
enable = true; enable = true;
ensureDatabases = [ "vaultwarden" ]; ensureDatabases = [ "vaultwarden" ];
ensureUsers = [ ensureUsers = [
{ {
name = "vaultwarden"; name = "vaultwarden";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
};
}; };
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ]; dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];

1
machines/rescue01/_configuration.nix
View file

@ -3,7 +3,6 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-web"
]; ];
enabledServices = [ enabledServices = [

19
machines/rescue01/uptime-kuma.nix
View file

@ -122,11 +122,24 @@ in
services.uptime-kuma.enable = true; services.uptime-kuma.enable = true;
dgn-web.simpleProxies.uptime-kuma = { services.nginx = {
inherit host port; enable = true;
proxyWebsockets = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = { statelessUptimeKuma = {
probesConfig = mkMerge [ probesConfig = mkMerge [
pingProbes pingProbes

14
machines/storage01/forgejo.nix
View file

@ -76,10 +76,18 @@ in
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path; mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
}; };
};
dgn-web.simpleProxies.forgejo = { nginx = {
inherit host port; enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
};
};
}; };
users.users.git = { users.users.git = {

37
machines/storage01/garage.nix
View file

@ -1,13 +1,6 @@
{ { config, pkgs, ... }:
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu"; host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu"; webHost = "cdn.dgnum.eu";
@ -32,18 +25,8 @@ let
] ++ domains; ] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}"); mkHosted = host: builtins.map (b: "${b}.${host}");
ports = {
admin_api = 3903;
k2v_api = 3904;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
in in
{ {
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = { services.garage = {
enable = true; enable = true;
@ -57,24 +40,24 @@ in
replication_mode = "none"; # TODO: deprecated replication_mode = "none"; # TODO: deprecated
compression_level = 7; compression_level = 7;
rpc_bind_addr = "[::]:${toString ports.rpc}"; rpc_bind_addr = "[::]:3901";
rpc_public_addr = "127.0.0.1:${toString ports.rpc}"; rpc_public_addr = "127.0.0.1:3901";
s3_api = { s3_api = {
s3_region = "garage"; s3_region = "garage";
api_bind_addr = "127.0.0.1:${toString ports.s3_api}"; api_bind_addr = "127.0.0.1:3900";
root_domain = ".${host}"; root_domain = ".${host}";
}; };
s3_web = { s3_web = {
bind_addr = "127.0.0.1:${toString ports.s3_web}"; bind_addr = "127.0.0.1:3902";
root_domain = ".${webHost}"; root_domain = ".${webHost}";
index = "index.html"; index = "index.html";
}; };
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}"; k2v_api.api_bind_addr = "[::]:3904";
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}"; admin.api_bind_addr = "127.0.0.1:3903";
}; };
environmentFile = config.age.secrets."garage-environment_file".path; environmentFile = config.age.secrets."garage-environment_file".path;
@ -101,7 +84,7 @@ in
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.admin_api}; proxy_pass http://127.0.0.1:3903;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';
@ -114,7 +97,7 @@ in
serverAliases = mkHosted host buckets; serverAliases = mkHosted host buckets;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.s3_api}; proxy_pass http://127.0.0.1:3900;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
# Disable buffering to a temporary file. # Disable buffering to a temporary file.
@ -130,7 +113,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets); serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.s3_web}; proxy_pass http://127.0.0.1:3902;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';

10
machines/storage01/influxdb.nix
View file

@ -5,7 +5,6 @@ let
token = user: secret "${user}_token_file"; token = user: secret "${user}_token_file";
host = "influx.dgnum.eu"; host = "influx.dgnum.eu";
port = 8086;
in in
{ {
@ -42,8 +41,13 @@ in
}; };
}; };
dgn-web.simpleProxies.influxdb = { services.nginx.virtualHosts.${host} = {
inherit host port; enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8086";
};
}; };
age-secrets.autoMatch = [ "influxdb2" ]; age-secrets.autoMatch = [ "influxdb2" ];

2
machines/storage01/peertube.nix
View file

@ -4,8 +4,6 @@ let
host = "videos.dgnum.eu"; host = "videos.dgnum.eu";
in in
{ {
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
services.peertube = { services.peertube = {
enable = true; enable = true;

12
machines/storage01/prometheus.nix
View file

@ -77,9 +77,15 @@ in
]; ];
}; };
dgn-web.simpleProxies.prometheus = { services.nginx.virtualHosts.${host} = {
inherit host port; enableACME = true;
proxyWebsockets = true; forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
}; };
age-secrets.autoMatch = [ "prometheus" ]; age-secrets.autoMatch = [ "prometheus" ];

27
machines/web01/crabfit/default.nix
View file

@ -12,12 +12,25 @@
dgn-backups.postgresDatabases = [ "crabfit" ]; dgn-backups.postgresDatabases = [ "crabfit" ];
dgn-web.simpleProxies = { services.nginx =
crabfit-api = { let
inherit (config.services.crabfit.api) host port; cfg = config.services.crabfit;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
};
virtualHosts.${cfg.api.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
};
}; };
crabfit-frontend = {
inherit (config.services.crabfit.frontend) host port;
};
};
} }

23
machines/web01/linkal/module.nix
View file

@ -101,13 +101,20 @@ in
# }; # };
# }; # };
dgn-web.simpleProxies = mapAttrs' ( services.nginx = {
name: enable = true;
{ port, ... }:
nameValuePair "linkal-${name}" { virtualHosts = mapAttrs' (
inherit port; name:
host = "${name}.${cfg.domain}"; { port, ... }:
} nameValuePair "${name}.${cfg.domain}" {
) cfg.calendarGroups; enableACME = true;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}
) cfg.calendarGroups;
};
}; };
} }

21
machines/web01/netbox.nix
View file

@ -39,6 +39,17 @@ in
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"] SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
''; '';
}; };
nginx = {
enable = true;
virtualHosts."netbox.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
};
}; };
systemd.services = { systemd.services = {
@ -58,12 +69,10 @@ in
}; };
users.users.nginx.extraGroups = [ "netbox" ]; users.users.nginx.extraGroups = [ "netbox" ];
networking.firewall.allowedTCPPorts = [
dgn-web.simpleProxies.netbox = { 443
inherit (config.services.netbox) port; 80
host = "netbox.dgnum.eu"; ];
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ]; dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
dgn-backups.postgresDatabases = [ "netbox" ]; dgn-backups.postgresDatabases = [ "netbox" ];

12
machines/web01/ntfy-sh.nix
View file

@ -2,7 +2,6 @@
let let
host = "push.dgnum.eu"; host = "push.dgnum.eu";
port = 2586;
in in
{ {
services.ntfy-sh = { services.ntfy-sh = {
@ -18,9 +17,14 @@ in
}; };
}; };
dgn-web.simpleProxies.ntfy-sh = { services.nginx.virtualHosts.${host} = {
inherit host port; enableACME = true;
proxyWebsockets = true; forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2586";
proxyWebsockets = true;
};
}; };
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [ systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [

31
machines/web02/cas-eleves/default.nix
View file

@ -9,7 +9,6 @@
let let
inherit (lib) mapAttrsToList; inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
port = 9889; port = 9889;
python3 = python3 =
@ -129,24 +128,28 @@ in
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
dgn-web.simpleProxies.cas-eleves = { services = {
inherit host port; postgresql = {
vhostConfig = { ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."cas.eleves.ens.fr" = {
enableACME = true;
forceSSL = true;
serverAliases = [ "cas-eleves.dgnum.eu" ]; serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = { locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv; "/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static"; "= /robots.txt".root = "${staticDrv}/static";
}; };
}; };
}; };
services.postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
} }

32
machines/web02/kadenios/default.nix
View file

@ -9,7 +9,6 @@
let let
inherit (lib) mapAttrsToList optionals; inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888; port = 9888;
python3 = python3 =
@ -169,18 +168,25 @@ in
}; };
}; };
dgn-web.simpleProxies.kadenios = { services = {
inherit host port; postgresql = {
vhostConfig.locations."/static/".root = staticDrv; ensureDatabases = [ "kadenios" ];
}; ensureUsers = [
{
name = "kadenios";
ensureDBOwnership = true;
}
];
};
services.postgresql = { nginx.virtualHosts."vote.dgnum.eu" = {
ensureDatabases = [ "kadenios" ]; enableACME = true;
ensureUsers = [ forceSSL = true;
{
name = "kadenios"; locations = {
ensureDBOwnership = true; "/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
} "/static/".root = staticDrv;
]; };
};
}; };
} }

118
modules/dgn-web.nix
View file

@ -1,135 +1,19 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) inherit (lib) mkEnableOption mkIf;
attrsToList
concatStringsSep
filterAttrs
getAttr
mapAttrs
mapAttrs'
mkEnableOption
mkIf
mkOption
nameValuePair
recursiveUpdate
;
inherit (lib.types)
attrs
attrsOf
bool
port
str
submodule
;
cfg = config.dgn-web; cfg = config.dgn-web;
in in
{ {
options.dgn-web = { options.dgn-web = {
enable = mkEnableOption "sane defaults for web services."; enable = mkEnableOption "sane defaults for web services.";
internalPorts = mkOption {
type = attrsOf port;
default = { };
description = ''
Map from the web services to their internal ports, it should avoid port clashes.
'';
};
simpleProxies = mkOption {
type = attrsOf (submodule {
options = {
port = mkOption {
type = port;
description = ''
Port where the service will listen.
'';
};
host = mkOption {
type = str;
description = ''
Hostname of the service.
'';
};
proxyWebsockets = mkOption {
type = bool;
default = false;
description = ''
Whether to support proxying websocket connections with HTTP/1.1.
'';
};
vhostConfig = mkOption {
type = attrs;
default = { };
description = ''
Additional virtualHost settings.
'';
};
};
});
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [
(
let
duplicates = builtins.attrValues (
builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
filterAttrs (_: ls: builtins.length ls != 1) (
builtins.foldl' (
rev:
{ name, value }:
let
str = builtins.toString value;
in
rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
) { } (attrsToList cfg.internalPorts)
)
)
);
in
{
assertion = duplicates == [ ];
message = ''
Internal ports cannot be used for multiple services, the clashes are:
${concatStringsSep "\n " duplicates}
'';
}
)
];
dgn-web.internalPorts = mapAttrs (_: getAttr "port") cfg.simpleProxies;
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = mapAttrs' (
_:
{
host,
port,
proxyWebsockets,
vhostConfig,
}:
nameValuePair host (
recursiveUpdate {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
inherit proxyWebsockets;
};
} vhostConfig
)
) cfg.simpleProxies;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;