2f06f22ac7 feat(nginx): Switch to simpleProxies for the majority of configs
2024-10-12 20:00:54 +02:00
af61ae6e61 feat(dgn-web): Add simpleProxies
This proxies the required host to localhost:$port and enables SSL
2024-10-12 20:00:54 +02:00
9ea6bada0a feat(dgn-web): Add a way to detect internal port clashes 2024-10-12 20:00:54 +02:00
26 changed files with 306 additions and 291 deletions


@ -6,6 +6,8 @@ in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = { services.demarches-simplifiees = {
enable = true; enable = true;


@ -69,17 +69,11 @@ in
} }
]; ];
}; };
};
nginx.virtualHosts.${host} = { dgn-web.simpleProxies.grafana = {
enableACME = true; inherit host port;
forceSSL = true; proxyWebsockets = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}; };
age-secrets.autoMatch = [ "grafana" ]; age-secrets.autoMatch = [ "grafana" ];
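Review bot: The location-level `recommendedProxySettings = true;` that the old grafana vhost carried is not reproduced by `dgn-web.simpleProxies.grafana`; the `locations."/"` that the module generates (visible further down in this compare) only sets `proxyPass` and `proxyWebsockets`. Grafana typically relies on `Host`/`X-Forwarded-*` from the proxy for its root URL and login redirects, so unless dgn-web enables `services.nginx.recommendedProxySettings` globally — not shown in the part of the module included here — this vhost silently loses those headers. Either set it once in the module's `services.nginx` block, or pass it through for this host: `vhostConfig.locations."/".recommendedProxySettings = true;`. The same drop happens in the prometheus file.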


@ -29,16 +29,6 @@ in
}; };
}; };
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = { postgresql = {
enable = true; enable = true;
@ -53,6 +43,11 @@ in
}; };
}; };
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [ systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc" "hedgedoc"
"hedgedoc/uploads" "hedgedoc/uploads"


@ -8,7 +8,9 @@
let let
inherit (lib) escapeRegex concatStringsSep; inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu"; host = "sso.dgnum.eu";
port = 8443;
domain = host;
cert = config.security.acme.certs.${domain}; cert = config.security.acme.certs.${domain};
@ -51,49 +53,40 @@ in
users.users.kanidm.extraGroups = [ cert.group ]; users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = { dgn-web.simpleProxies.kanidm = {
enable = true; inherit host port;
vhostConfig.locations."/".extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
virtualHosts.${domain} = { set $origin $http_origin;
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = '' if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { set $origin 'https://${domain}';
return 444; }
}
set $origin $http_origin; proxy_hide_header Access-Control-Allow-Origin;
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') { if ($request_method = 'OPTIONS') {
set $origin 'https://${domain}'; add_header 'Access-Control-Allow-Origin' "$origin" always;
} add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
proxy_hide_header Access-Control-Allow-Origin; add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'OPTIONS') { if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header 'Access-Control-Allow-Origin' "$origin" always; add_header Access-Control-Allow-Origin "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always; add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always; add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always; add_header Access-Control-Allow-Credentials true always;
}
add_header Access-Control-Max-Age 1728000; '';
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
}; };
networking.firewall.allowedTCPPorts = [ 636 ]; networking.firewall.allowedTCPPorts = [ 636 ];
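Review bot: The upstream scheme changes from the removed `proxyPass = "https://127.0.0.1:8443"` to the plain `http://127.0.0.1:${port}` that `dgn-web.simpleProxies` generates, while this file still adds the kanidm user to `cert.group` and keeps `port = 8443`, which suggests the backend terminates TLS itself. If that is the case, nginx now sends cleartext HTTP to a TLS listener and every request to sso.dgnum.eu fails; the build checks on this PR only evaluate the configuration and would not catch it. Since the module merges `vhostConfig` with `recursiveUpdate`, the location can override the upstream: `vhostConfig.locations."/".proxyPass = "https://127.0.0.1:${builtins.toString port}";`. Separately, the CORS check `^https?://(…)$` still accepts plain-http origins while reflecting them with `Access-Control-Allow-Credentials true`; restricting it to `^https://` is a cheap hardening for an SSO endpoint.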


@ -3,6 +3,8 @@
let let
host = "cloud.dgnum.eu"; host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in in
{ {
services.nextcloud = { services.nextcloud = {
@ -104,7 +106,7 @@ in
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
}; };
ports = [ "9980:9980" ]; ports = [ "${builtins.toString port}:${builtins.toString port}" ];
environment = { environment = {
domain = "cloud.dgnum.eu"; domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
@ -119,6 +121,8 @@ in
}; };
}; };
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
${host} = { ${host} = {
enableACME = true; enableACME = true;
@ -136,25 +140,25 @@ in
extraConfig = '' extraConfig = ''
# static files # static files
location ^~ /browser { location ^~ /browser {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# WOPI discovery URL # WOPI discovery URL
location ^~ /hosting/discovery { location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Capabilities # Capabilities
location ^~ /hosting/capabilities { location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# main websocket # main websocket
location ~ ^/cool/(.*)/ws$ { location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;
@ -163,13 +167,13 @@ in
# download, presentation and image upload # download, presentation and image upload
location ~ ^/(c|l)ool { location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Admin Console websocket # Admin Console websocket
location ^~ /cool/adminws { location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;
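Review bot: `ports = [ "${port}:${port}" ]` still publishes the Collabora container port without a host address, which with the usual container runtimes binds on all interfaces, while every proxy target in this vhost only uses `127.0.0.1:${port}` and the port is now registered as `dgn-web.internalPorts.collabora`. Unless the host firewall blocks it (not visible here), the container socket — including `/cool/adminws` — is reachable directly, bypassing TLS termination and any nginx-level restrictions. Restrict the publish to loopback to match the proxy: `ports = [ "127.0.0.1:${builtins.toString port}:${builtins.toString port}" ];`.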


@ -6,8 +6,6 @@
}: }:
{ {
services.nginx = { services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."ollama01.beta.dgnum.eu" = { virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -19,9 +17,4 @@
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
} }
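Review bot: This file drops both `recommendedProxySettings = true` and `networking.firewall.allowedTCPPorts = [ 80 443 ]` on the assumption that dgn-web supplies them, but the part of the dgn-web module included in this compare shows neither a firewall rule nor `recommendedProxySettings` (they may be further down the module, out of view). If the module does not open 80/443 the vhost becomes unreachable; if it does not set `recommendedProxySettings`, the ollama upstream loses `X-Forwarded-*`/`Host`. Worth confirming before merge, or keeping an explicit `services.nginx.recommendedProxySettings = true;` here until the module guarantees it. The uptime-kuma and netbox files make the same removal.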


@ -2,6 +2,7 @@
let let
host = "docs.dgnum.eu"; host = "docs.dgnum.eu";
port = 3003;
in in
{ {
services.outline = { services.outline = {
@ -35,21 +36,12 @@ in
defaultLanguage = "fr_FR"; defaultLanguage = "fr_FR";
forceHttps = false; forceHttps = false;
port = 3003; inherit port;
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.outline = {
enableACME = true; inherit host port;
forceSSL = true; vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
}; };
age-secrets.autoMatch = [ "outline" ]; age-secrets.autoMatch = [ "outline" ];


@ -38,16 +38,7 @@ in
}; };
}; };
services.nginx = { dgn-web.simpleProxies.plausible = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
}; };
} }


@ -2,16 +2,15 @@
let let
host = "saml-idp.dgnum.eu"; host = "saml-idp.dgnum.eu";
port = 8090;
in in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
services.satosa = { services.satosa = {
enable = true; enable = true;
inherit host; inherit host port;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path; envFile = config.age.secrets."satosa-env_file".path;
@ -148,9 +147,8 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.satosa = {
enableACME = true; inherit host port;
forceSSL = true;
}; };
age-secrets.autoMatch = [ "satosa" ]; age-secrets.autoMatch = [ "satosa" ];


@ -190,14 +190,6 @@ in
}; };
}; };
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = { users.users.satosa = {
isSystemUser = true; isSystemUser = true;
group = "satosa"; group = "satosa";


@ -11,9 +11,12 @@ let
# - finally, update the commit hash of the customization patch # - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57"; dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
port = 8084;
in in
{ {
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = { services.stirling-pdf = {
enable = true; enable = true;
@ -24,7 +27,7 @@ in
}); });
domain = "pdf.dgnum.eu"; domain = "pdf.dgnum.eu";
port = 8084; inherit port;
nginx = { nginx = {
enableACME = true; enableACME = true;


@ -2,6 +2,8 @@
let let
host = "pass.dgnum.eu"; host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in in
{ {
services.vaultwarden = { services.vaultwarden = {
@ -10,9 +12,9 @@ in
config = { config = {
DOMAIN = "https://${host}"; DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true; WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = 10500; WEBSOCKET_PORT = wsPort;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu"; SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = 10501; ROCKET_PORT = port;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true; SIGNUPS_VERIFY = true;
USE_SYSLOG = true; USE_SYSLOG = true;
@ -31,45 +33,38 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path; environmentFile = config.age.secrets."vaultwarden-environment_file".path;
}; };
services = { dgn-web = {
nginx = { internalPorts.vaultwarden-websockets = wsPort;
enable = true;
virtualHosts.${host} = { simpleProxies.vaultwarden = {
forceSSL = true; inherit host port;
enableACME = true; proxyWebsockets = true;
locations = { vhostConfig.locations = {
"/" = { "/notifications/hub" = {
proxyPass = "http://127.0.0.1:10501"; proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
"/notifications/hub" = { "/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10500"; proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
proxyWebsockets = true; proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
}; };
}; };
}; };
};
postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ "vaultwarden" ]; ensureDatabases = [ "vaultwarden" ];
ensureUsers = [ ensureUsers = [
{ {
name = "vaultwarden"; name = "vaultwarden";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
};
}; };
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ]; dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
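Review bot: The two notification locations are swapped relative to the removed config: `/notifications/hub` now targets `port` (10501, `ROCKET_PORT`) and `/notifications/hub/negotiate` targets `wsPort` (10500, `WEBSOCKET_PORT`), whereas previously `/notifications/hub` went to 10500 and `/negotiate` to 10501. Routing `/notifications/hub` to `port` is also redundant with the catch-all `/` location that simpleProxies already points there, which further suggests the swap is accidental. Restore the mapping: `"/notifications/hub".proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";` and `"/notifications/hub/negotiate".proxyPass = "http://127.0.0.1:${builtins.toString port}";`.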


@ -3,6 +3,7 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-web"
]; ];
enabledServices = [ enabledServices = [


@ -122,24 +122,11 @@ in
services.uptime-kuma.enable = true; services.uptime-kuma.enable = true;
services.nginx = { dgn-web.simpleProxies.uptime-kuma = {
enable = true; inherit host port;
proxyWebsockets = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = { statelessUptimeKuma = {
probesConfig = mkMerge [ probesConfig = mkMerge [
pingProbes pingProbes


@ -76,18 +76,10 @@ in
mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path; mailerPasswordFile = config.age.secrets."forgejo-mailer_password_file".path;
}; };
};
nginx = { dgn-web.simpleProxies.forgejo = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}";
};
};
};
}; };
users.users.git = { users.users.git = {


@ -1,6 +1,13 @@
{ config, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu"; host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu"; webHost = "cdn.dgnum.eu";
@ -25,8 +32,18 @@ let
] ++ domains; ] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}"); mkHosted = host: builtins.map (b: "${b}.${host}");
ports = {
admin_api = 3903;
k2v_api = 3904;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
in in
{ {
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = { services.garage = {
enable = true; enable = true;
@ -40,24 +57,24 @@ in
replication_mode = "none"; # TODO: deprecated replication_mode = "none"; # TODO: deprecated
compression_level = 7; compression_level = 7;
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:${toString ports.rpc}";
rpc_public_addr = "127.0.0.1:3901"; rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
s3_api = { s3_api = {
s3_region = "garage"; s3_region = "garage";
api_bind_addr = "127.0.0.1:3900"; api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
root_domain = ".${host}"; root_domain = ".${host}";
}; };
s3_web = { s3_web = {
bind_addr = "127.0.0.1:3902"; bind_addr = "127.0.0.1:${toString ports.s3_web}";
root_domain = ".${webHost}"; root_domain = ".${webHost}";
index = "index.html"; index = "index.html";
}; };
k2v_api.api_bind_addr = "[::]:3904"; k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
admin.api_bind_addr = "127.0.0.1:3903"; admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
}; };
environmentFile = config.age.secrets."garage-environment_file".path; environmentFile = config.age.secrets."garage-environment_file".path;
@ -84,7 +101,7 @@ in
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3903; proxy_pass http://127.0.0.1:${toString ports.admin_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';
@ -97,7 +114,7 @@ in
serverAliases = mkHosted host buckets; serverAliases = mkHosted host buckets;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3900; proxy_pass http://127.0.0.1:${toString ports.s3_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
# Disable buffering to a temporary file. # Disable buffering to a temporary file.
@ -113,7 +130,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets); serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3902; proxy_pass http://127.0.0.1:${toString ports.s3_web};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';
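Review bot: The `rpc` and `k2v_api` entries registered in `dgn-web.internalPorts` are bound on `[::]` (`rpc_bind_addr` and `k2v_api.api_bind_addr`), not on loopback like the s3, web and admin listeners, so the clash check now lists them as internal ports while they remain reachable on every interface unless the firewall blocks them (not visible here). If the wildcard bind is not needed for k2v, align it with the others: `k2v_api.api_bind_addr = "127.0.0.1:${toString ports.k2v_api}";`; `rpc_public_addr = "127.0.0.1:…"` already suggests the node only talks to itself. Either way, a short comment on the `ports` set naming which listeners are loopback-only would keep the internalPorts map from being read as a loopback inventory.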


@ -5,6 +5,7 @@ let
token = user: secret "${user}_token_file"; token = user: secret "${user}_token_file";
host = "influx.dgnum.eu"; host = "influx.dgnum.eu";
port = 8086;
in in
{ {
@ -41,13 +42,8 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.influxdb = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8086";
};
}; };
age-secrets.autoMatch = [ "influxdb2" ]; age-secrets.autoMatch = [ "influxdb2" ];


@ -4,6 +4,8 @@ let
host = "videos.dgnum.eu"; host = "videos.dgnum.eu";
in in
{ {
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
services.peertube = { services.peertube = {
enable = true; enable = true;


@ -77,15 +77,9 @@ in
]; ];
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.prometheus = {
enableACME = true; inherit host port;
forceSSL = true; proxyWebsockets = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
}; };
age-secrets.autoMatch = [ "prometheus" ]; age-secrets.autoMatch = [ "prometheus" ];


@ -12,25 +12,12 @@
dgn-backups.postgresDatabases = [ "crabfit" ]; dgn-backups.postgresDatabases = [ "crabfit" ];
services.nginx = dgn-web.simpleProxies = {
let crabfit-api = {
cfg = config.services.crabfit; inherit (config.services.crabfit.api) host port;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
};
virtualHosts.${cfg.api.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
};
}; };
crabfit-frontend = {
inherit (config.services.crabfit.frontend) host port;
};
};
} }


@ -101,20 +101,13 @@ in
# }; # };
# }; # };
services.nginx = { dgn-web.simpleProxies = mapAttrs' (
enable = true; name:
{ port, ... }:
virtualHosts = mapAttrs' ( nameValuePair "linkal-${name}" {
name: inherit port;
{ port, ... }: host = "${name}.${cfg.domain}";
nameValuePair "${name}.${cfg.domain}" { }
enableACME = true; ) cfg.calendarGroups;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}
) cfg.calendarGroups;
};
}; };
} }


@ -39,17 +39,6 @@ in
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"] SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
''; '';
}; };
nginx = {
enable = true;
virtualHosts."netbox.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
};
}; };
systemd.services = { systemd.services = {
@ -69,10 +58,12 @@ in
}; };
users.users.nginx.extraGroups = [ "netbox" ]; users.users.nginx.extraGroups = [ "netbox" ];
networking.firewall.allowedTCPPorts = [
443 dgn-web.simpleProxies.netbox = {
80 inherit (config.services.netbox) port;
]; host = "netbox.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ]; dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
dgn-backups.postgresDatabases = [ "netbox" ]; dgn-backups.postgresDatabases = [ "netbox" ];
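Review bot: The removed proxyPass used `config.services.netbox.listenAddress`, but `dgn-web.simpleProxies` always targets `127.0.0.1` and the new block only inherits `port`; if `listenAddress` is anything other than `127.0.0.1` (the upstream NixOS default is, as far as I recall, an IPv6 loopback address — verify), the proxy now points at a socket nothing listens on. Pin the two together next to the simpleProxies entry, `services.netbox.listenAddress = "127.0.0.1";`, or add an assertion on it. This file also drops the 80/443 firewall rule in favour of dgn-web, and the module excerpt in this compare does not show that rule, so confirm the module provides it.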


@ -2,6 +2,7 @@
let let
host = "push.dgnum.eu"; host = "push.dgnum.eu";
port = 2586;
in in
{ {
services.ntfy-sh = { services.ntfy-sh = {
@ -17,14 +18,9 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.ntfy-sh = {
enableACME = true; inherit host port;
forceSSL = true; proxyWebsockets = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2586";
proxyWebsockets = true;
};
}; };
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [ systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [


@ -9,6 +9,7 @@
let let
inherit (lib) mapAttrsToList; inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
port = 9889; port = 9889;
python3 = python3 =
@ -128,28 +129,24 @@ in
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
services = { dgn-web.simpleProxies.cas-eleves = {
postgresql = { inherit host port;
ensureDatabases = [ "cas_server" ]; vhostConfig = {
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."cas.eleves.ens.fr" = {
enableACME = true;
forceSSL = true;
serverAliases = [ "cas-eleves.dgnum.eu" ]; serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = { locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv; "/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static"; "= /robots.txt".root = "${staticDrv}/static";
}; };
}; };
}; };
services.postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
} }


@ -9,6 +9,7 @@
let let
inherit (lib) mapAttrsToList optionals; inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888; port = 9888;
python3 = python3 =
@ -168,25 +169,18 @@ in
}; };
}; };
services = { dgn-web.simpleProxies.kadenios = {
postgresql = { inherit host port;
ensureDatabases = [ "kadenios" ]; vhostConfig.locations."/static/".root = staticDrv;
ensureUsers = [ };
{
name = "kadenios";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."vote.dgnum.eu" = { services.postgresql = {
enableACME = true; ensureDatabases = [ "kadenios" ];
forceSSL = true; ensureUsers = [
{
locations = { name = "kadenios";
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}"; ensureDBOwnership = true;
"/static/".root = staticDrv; }
}; ];
};
}; };
} }


@ -1,19 +1,135 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkEnableOption mkIf; inherit (lib)
attrsToList
concatStringsSep
filterAttrs
getAttr
mapAttrs
mapAttrs'
mkEnableOption
mkIf
mkOption
nameValuePair
recursiveUpdate
;
inherit (lib.types)
attrs
attrsOf
bool
port
str
submodule
;
cfg = config.dgn-web; cfg = config.dgn-web;
in in
{ {
options.dgn-web = { options.dgn-web = {
enable = mkEnableOption "sane defaults for web services."; enable = mkEnableOption "sane defaults for web services.";
internalPorts = mkOption {
type = attrsOf port;
default = { };
description = ''
Map from the web services to their internal ports, it should avoid port clashes.
'';
};
simpleProxies = mkOption {
type = attrsOf (submodule {
options = {
port = mkOption {
type = port;
description = ''
Port where the service will listen.
'';
};
host = mkOption {
type = str;
description = ''
Hostname of the service.
'';
};
proxyWebsockets = mkOption {
type = bool;
default = false;
description = ''
Whether to support proxying websocket connections with HTTP/1.1.
'';
};
vhostConfig = mkOption {
type = attrs;
default = { };
description = ''
Additional virtualHost settings.
'';
};
};
});
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [
(
let
duplicates = builtins.attrValues (
builtins.mapAttrs (p: serv: "${p}: ${concatStringsSep ", " serv}") (
filterAttrs (_: ls: builtins.length ls != 1) (
builtins.foldl' (
rev:
{ name, value }:
let
str = builtins.toString value;
in
rev // { ${str} = (rev.${str} or [ ]) ++ [ name ]; }
) { } (attrsToList cfg.internalPorts)
)
)
);
in
{
assertion = duplicates == [ ];
message = ''
Internal ports cannot be used for multiple services, the clashes are:
${concatStringsSep "\n " duplicates}
'';
}
)
];
dgn-web.internalPorts = mapAttrs (_: getAttr "port") cfg.simpleProxies;
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = mapAttrs' (
_:
{
host,
port,
proxyWebsockets,
vhostConfig,
}:
nameValuePair host (
recursiveUpdate {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
inherit proxyWebsockets;
};
} vhostConfig
)
) cfg.simpleProxies;
recommendedBrotliSettings = true; recommendedBrotliSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;