DGNum/infrastructure
13
6
Fork 3
Code Issues 19 Pull requests 8 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: DGNum:d48a9bcc4bc7b6fae848079b1554723cde397382
Branches Tags
DGNum:main
DGNum:npins-update
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:netbox-agent
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix
...
compare: DGNum:37137ca20bae9e0c437fa8d47b576269bbeba649
Branches Tags
DGNum:npins-update
DGNum:main
DGNum:declarative-buckets
DGNum:victoria-metrics
DGNum:netbox-agent
DGNum:mattermost
DGNum:init-dgnum-page
DGNum:takumi-can-do-ollama
DGNum:ds-fr
DGNum:colmena-liminix

4 commits
d48a9bcc4b ... 37137ca20b

Author SHA1 Message Date
Tom Hubrecht
37137ca20b feat(compute01): Deploy zammad on support.dgnum.eu 2023-10-02 12:50:40 +02:00
Tom Hubrecht
4be2f40abe feat(dgn-web): Enable module on nodes serving web content 
Also remove the firewall config as it is now centralized.
 2023-10-01 23:08:54 +02:00
Tom Hubrecht
958afe957f feat(modules): Init dgn-web 
Add a module to enable recommended web settings
 2023-10-01 23:08:54 +02:00
Tom Hubrecht
6608ae7726 fix(metis): Add permanent redirect from /calendrier to / 2023-10-01 22:50:15 +02:00
12 changed files with 116 additions and 8 deletions
Show stats Expand all files Collapse all files

2
machines/compute01/_configuration.nix
View file

@ -9,6 +9,7 @@ let
# List of modules to enable
enabledModules = [
"dgn-dns"
"dgn-web"
];
# List of services to enable
@ -19,6 +20,7 @@ let
"nextcloud"
"outline"
"satosa"
"zammad"
];
in

2
machines/compute01/nextcloud.nix
View file

@ -75,6 +75,4 @@ in {
(setDefault { owner = "nextcloud"; }
(builtins.filter (lib.hasPrefix "nextcloud-") config.dgn-secrets.names))
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

1
machines/compute01/secrets/secrets.nix
View file

@ -12,4 +12,5 @@ lib.setDefault { inherit publicKeys; } [
"outline-smtp_password_file"
"outline-storage_secret_key_file"
"satosa-env_file"
"zammad-secret_key_base_file"
]

25
machines/compute01/secrets/zammad-secret_key_base_file Normal file
View file

@ -0,0 +1,25 @@
age-encryption.org/v1
-> ssh-ed25519 tDqJRg Or0mrhIqaAIwF/XmRaMiih1LE/HbEXeQ1qQOxbQuRjk
E/OXPSPDDzco0duh8nFK/CvUkR7ioR+H5KELzhA0OIM
-> ssh-ed25519 jIXfPA 3CXEUG3fOwAtbFRY2Y6Sio3OPoW2ZMbrsj4IhK6lTBU
pFJkPT10zAjGOHcjSI+zaCC5+7iN9B3Kv3AVOGuHzP4
-> ssh-ed25519 QlRB9Q vXOLgEZmDL520H6DJ6YJT35K3g38MQyQ/Q37dF6rHm4
8OGw8zjxABTHhK3Krt1Ut1ZtOYTv+Vquztt7KbBfu5E
-> ssh-ed25519 r+nK/Q kXCb4Vr9GP3MuccFL6KuFWc9ka92IsjWKZ8loefAZyU
ZB+fJjHtLmxeNTE3/kE7wVyYEfYPgJZteCPPGuUQnwg
-> ssh-rsa krWCLQ
Lw17n86Jq9JAzXvbNBK1kxhdVsy24pVJw9t8X6tImcvroeT+NZ6TWLcF9CpqaUTI
Fzrs495PSsqk5olsJ5inAiz3Zq9KMs/XXB3po67yGuU50XANdp6aTCNZS0ml+ggz
ezPUmDmf/m33HTjzr09vltJxHEeLXhEJfeswmpRa1331C1FJKoj6pNXrVK+/wRvl
sQQb099AD1rnPCRaBW8CCV6ZUso+HjxctIdoKk+GA9vjmmoF+3nmNlXNJvqNSGqx
L2igVyd822TYl25wqSORW13SFBSBKhtX+Lt7dW65YPi3mhCQzZEJwxXOqIdSiFOT
+ibjMthYgIvZYEFVn3xEDA
-> ssh-ed25519 /vwQcQ JJMXvRIpMy4xFJK/gOPyTsbYEyFYTTrDT6/MfJeFTxs
KaKjsbYVHD6Oi+ItalcICsZiStAGnLsyqtK0jMl+hvE
-> ssh-ed25519 0R97PA yj/QsFvoB7Cr+vOkbuiDcghD42bkLQSavPhB3kx7xQk
3NRXzr/AyaNcZhUNPeRWxfxqYlzcWdfYG4JjpdIhYTc
-> /g1|-R-grease '4R5VG( J`dDW io
quE
--- 8JHXRRriy7D5w8b6CAcgkEegK+24ZLR44oo0TArL0/Y
¡×È_®údð‡„OksΩ—á<E28094>à,çLÝ>”ˆ¸"û,$Ô¬bò©jþ[Fº©ñ}3ƒVmˆX³zZÕsËIôbëJK¡C“<43>ràÑÔiÚˆ/€Æ÷»¿ z8kŸQ¥µµátäuãdÆ—ýîÞæq©üœü7IZoÖùq|x-ýÛù~
Ьx>ª<5À5“qêÑ­D÷õÝMµE

55
machines/compute01/zammad.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, ... }:
let
host = "support.dgnum.eu";
port = 3005;
websocketPort = 6902;
in {
services.zammad = {
enable = true;
inherit port websocketPort;
host = "127.0.0.1";
secretKeyBaseFile = config.age.secrets."zammad-secret_key_base_file".path;
};
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
root = "/var/lib/zammad/public";
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/ws" = {
proxyPass = "http://127.0.0.1:${builtins.toString websocketPort}";
proxyWebsockets = true;
};
"/cable" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
"~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png)".extraConfig =
''
expires max;
'';
};
extraConfig = ''
server_tokens off;
client_max_body_size 50M;
'';
};
};
dgn-secrets.options = [{ zammad-secret_key_base_file.owner = "zammad"; }];
}

1
machines/storage01/_configuration.nix
View file

@ -8,6 +8,7 @@ let
# List of modules to enable
enabledModules = [
"dgn-web"
];
# List of services to enable

2
machines/storage01/forgejo.nix
View file

@ -94,6 +94,4 @@ in {
(setDefault { owner = "git"; }
(builtins.filter (lib.hasPrefix "forgejo-") config.dgn-secrets.names))
];
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

1
machines/web01/_configuration.nix
View file

@ -8,6 +8,7 @@ let
# List of modules to enable
enabledModules = [
"dgn-web"
];
# List of services to enable

4
machines/web01/metis/default.nix
View file

@ -25,6 +25,10 @@ let
}/remote.php/dav/public-calendars/;
'';
}) providers;
extraConfig = ''
rewrite ^/calendrier(.*)$ $1 permanent;
'';
};
in {

4
machines/web01/plausible.nix
View file

@ -52,8 +52,4 @@ in
};
};
};
# dgn-secrets.options."_smtp-password-file".owner = "plausible";
#
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

1
modules/default.nix
View file

@ -43,6 +43,7 @@
"dgn-network"
"dgn-secrets"
"dgn-ssh"
"dgn-web"
]) ++ [
"${sources.agenix}/modules/age.nix"
"${sources.attic}/nixos/atticd.nix"

26
modules/dgn-web.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, ... }:
let
inherit (lib) mkEnableOption mkIf;
cfg = config.dgn-web;
in {
options.dgn-web = {
enable = mkEnableOption "sane defaults for web services.";
};
config = mkIf cfg.enable {
services.nginx = {
enable = true;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedZstdSettings = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}