From 407f99ca9540389b3910a8a30a04f6708bf458e4 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Fri, 11 Oct 2024 01:12:44 +0200
Subject: [PATCH 1/3] feat(compute01): init pages server
---
 machines/compute01/_configuration.nix | 1 +
 machines/compute01/pages.nix | 91 +++++++++++++++++++
 .../compute01/secrets/pages-environment_file | 32 +++++++
 machines/compute01/secrets/secrets.nix | 1 +
 4 files changed, 125 insertions(+)
 create mode 100644 machines/compute01/pages.nix
 create mode 100644 machines/compute01/secrets/pages-environment_file
diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index 1f26c83..aee720a 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -23,6 +23,7 @@ lib.extra.mkConfig {
 "nextcloud"
 "ollama-proxy"
 "outline"
+ "pages"
 "plausible"
 "postgresql"
 "rstudio-server"
diff --git a/machines/compute01/pages.nix b/machines/compute01/pages.nix
new file mode 100644
index 0000000..1375e9b
--- /dev/null
+++ b/machines/compute01/pages.nix
@@ -0,0 +1,91 @@
+{
+ config,
+ lib,
+ pkgs,
+ nixpkgs,
+ ...
+}:
+
+let
+ environment = {
+ ACME_ACCEPT_TERMS = "true";
+ ACME_EMAIL = "acme@dgnum.eu";
+ DNS_PROVIDER = "ovh";
+ OVH_ENDPOINT = "ovh-eu";
+ ENABLE_HTTP_SERVER = "false";
+ GITEA_ROOT = "https://git.dgnum.eu";
+ PORT = "8010";
+ PAGES_DOMAIN = "dgnum.page";
+ RAW_DOMAIN = "raw.dgnum.page";
+ PAGES_BRANCHES = "pages,main,master";
+ };
+
+ # Necessary until upstream cuts a new release because of
+ # https://codeberg.org/Codeberg/pages-server/issues/235
+ # that is fixed on main
+ package = nixpkgs.unstable.codeberg-pages.overrideAttrs (_: {
+ src = pkgs.fetchFromGitea {
+ domain = "codeberg.org";
+ owner = "Codeberg";
+ repo = "pages-server";
+ rev = "9524b1eb12f77fa345cc8a220f67ae244da0ab12";
+ hash = "sha256-RZjwy0Vdqu2XdF14hwXvQ7Bj11+1Q2VxDm1GTU1brA8=";
+ };
+ vendorHash = "sha256-xfn3uMeea25dG7On28mU38i5Izo9YVKDXNFT7WipiYI=";
+ });
+in
+
+{
+
+ systemd.services.codeberg-pages = {
+ inherit environment;
+ description = "Codeberg pages server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ StateDirectory = "codeberg-pages";
+ EnvironmentFile = config.age.secrets."pages-environment_file".path;
+ WorkingDirectory = "/var/lib/codeberg-pages";
+ DynamicUser = true;
+ ExecStart = lib.getExe package;
+ Restart = "on-failure";
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ };
+ };
+
+ services.nginx = {
+ streamConfig = ''
+ map $ssl_preread_server_name $sni_upstream {
+ hostnames;
+ default 127.0.0.1:8010;
+ ${lib.concatMapStringsSep "\n" (vhost: " ${vhost} 127.0.0.1:8446;") (
+ lib.attrNames 
config.services.nginx.virtualHosts
+ )}
+ }
+
+ server {
+ listen 443;
+ ssl_preread on;
+ proxy_pass $sni_upstream;
+ }
+
+ '';
+ defaultSSLListenPort = 8446;
+ };
+
+}
diff --git a/machines/compute01/secrets/pages-environment_file b/machines/compute01/secrets/pages-environment_file
new file mode 100644
index 0000000..d1e4ced
--- /dev/null
+++ b/machines/compute01/secrets/pages-environment_file
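Review bot: The `serviceConfig` hardening set of the new `codeberg-pages` unit stops at `PrivateMounts`, so a compromised pages server would still have every socket family, namespace creation and the full syscall surface available, even though it runs as `DynamicUser`. The usual companions for a network daemon are `RestrictAddressFamilies`, `RestrictNamespaces`, `LockPersonality`, `SystemCallArchitectures` and a `SystemCallFilter` built on `@system-service`; they do not change how the service runs (verify the daemon still starts under the filter), and the secret loaded through `EnvironmentFile` — presumably the OVH DNS API credentials, given `DNS_PROVIDER = "ovh"` — is the most valuable thing in the unit's environment, so the extra confinement is worth it. Separately, the `map` sends `default` — any SNI not matching a configured vhost, and handshakes that carry no SNI at all — to the pages server on 8010; a comment above that line such as `# unknown or missing SNI -> codeberg-pages, which terminates TLS itself` would make the intent explicit.
```nix
serviceConfig = {
  # … unchanged: Type, StateDirectory, EnvironmentFile, …, PrivateMounts …
  RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
  RestrictNamespaces = true;
  LockPersonality = true;
  SystemCallArchitectures = "native";
  SystemCallFilter = [ "@system-service" ];
};
```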
@@ -0,0 +1,32 @@ +age-encryption.org/v1 +-> ssh-ed25519 jIXfPA adDi0WGDVz+cMd1BHO7iHbQa0L5h8TXE+gUsmNpTelU +gMTPhxvSHTzZaO99xf5Xd5z3vlxhhPGko9hAsECJ+MA +-> ssh-ed25519 QlRB9Q X36kLbZiK0PuRVFfsTcap/hHVAwZeMoJGPAX6YnS9VI +wKUpjJ1WooBqaKqqYDC8/8Rext/LTyIN/DNUxFVivp0 +-> ssh-ed25519 r+nK/Q C7+FkIik2hcjcPTxEXotPGnxGmrwfjasb0RKgQMAqFI +6RSI8HywfUaHC+095dfYIDm0pQFZh54I4WSTWF/+hUU +-> ssh-rsa krWCLQ +JTY4UJ50gT0YqRP7Oaqm7SYqlp/7W9DobtcCn6hkH/5l/Rg+wH/eKKSnKiVPXtuw +WWi8NlF9J90G7iRPSN/kJSQDutwPfRmwV9IDWRvCqenLHxEHIzXUzATb32kHFNhe +rLaOXcCQUjBDcmGkrjq1XDVOIBiXO55UHBipgtCtVqItQapkDEH6jcgZQ9DxY6T3 +gW1FlxTVRj+n5ZgQPZ64hgVfHLqlk2QwaxUSNzkwa+FmRPT/pB2LD32cTvhvhsxT +io9y8noExNtqgFtwbzs4reiArqzXhlw1gw92c8WMsnz1ej9Dc5iCAPyEML13nyE1 +eAH2s9h4H8UOiLe2yskoWQ +-> ssh-ed25519 /vwQcQ 8uMNWnW4KLtHfihMwcIXrigJyUy+P8VY6DmJeFQC3ig +4VvVGFUavz9vCBnkoz1gyD06licSIvdQygoqKr5trUk +-> ssh-ed25519 0R97PA k2uBLPCrKQAExJD7lQpsQYAg4rCknjmLM38jRCIIq04 +bc2jxJECuvy/V4DF5fjZY1bO3OgPlDQezERP4lHqCmM +-> ssh-ed25519 JGx7Ng k8+E2DFR/FefRBz0D6n+hs4qcWI9h2tiuibEVXyDMR8 +vI75zgK7udv4JnflS1gL7OgJdii1E+86w6iG7g3VUNw +-> ssh-ed25519 5SY7Kg FjRcadeXCg0WBb9cFPPA9ZaDg3inxXIwjeAudwn2Ryw +dDWN4f73t9ynRbA/IlNMhCoxxWXpGm5pfleF4PAUKPE +-> ssh-ed25519 p/Mg4Q OvvMtVWEO1u4GRZsyUmm9DnzQDRx5WrHtCVQChpZE0Q +MuzUJcI9sIUgFdKJujEsM1L5YTtOPodNn1MMsOTYAm0 +-> ssh-ed25519 tDqJRg UY1szeAs7tXzolo+dbxtdcUYo1y+NVf3dpnk988IFng +SJOObLvQ8Ai4EWX9T4AIAi40rFTPX3or0wwp7FERkEk +-> %,-grease Ud+Q +v ; )/g!O +72fL24cCFFkB/kaF5lf2r9P/nvWiMegdPAgnWH1MSBSN2MEeDiuIoCACwYZnpU6G +cYoSW+wQIZEdmZKVOYV9VKxPFlPz3dnN2s8x5vmzpz1TPbFwIQ+r4zwyyVit +--- yJHk5hLLdxkyR4PQvi70VXavFt9P6pfE5I30xH4OlQY +-VTS\Џ]/^*T)g!>,iZ<4%{ YEІQUȍ/<5cr,%CdX3mS +H6`8;|/׫%DPNs`^O-8+oXsgqAB7 K0 [ M9IƍS \ No newline at end of file diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index 9af2cdd..ee63ae8 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix 
@@ -21,6 +21,7 @@
 "outline-oidc_client_secret_file"
 "outline-smtp_password_file"
 "outline-storage_secret_key_file"
+ "pages-environment_file"
 "plausible-admin_user_password_file"
 "plausible-secret_key_base_file"
 "plausible-smtp_password_file"
-- 
2.47.0
From e4cc002f6f1f38b3d4e756fd2ff0cc3afd7cbdfa Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sat, 12 Oct 2024 11:54:46 +0200
Subject: [PATCH 2/3] feat(nginx): Use proxy_protocol for sni redirection
WARNING: This alone does not work, we need to set the real ip based on http://nginx.org/en/docs/stream/ngx_stream_realip_module.html Which is not feasible right now without causing an infinite loop during eval
---
 machines/compute01/pages.nix | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/machines/compute01/pages.nix b/machines/compute01/pages.nix
index 1375e9b..10a432d 100644
--- a/machines/compute01/pages.nix
+++ b/machines/compute01/pages.nix
@@ -69,19 +69,33 @@ in
 };
 services.nginx = {
+ defaultListen = [
+ {
+ addr = "127.0.0.1";
+ port = 8446;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ {
+ addr = "0.0.0.0";
+ ssl = false;
+ }
+ ];
 streamConfig = ''
 map $ssl_preread_server_name $sni_upstream {
- hostnames;
 default 127.0.0.1:8010;
- ${lib.concatMapStringsSep "\n" (vhost: " ${vhost} 127.0.0.1:8446;") (
- lib.attrNames config.services.nginx.virtualHosts
- )}
+ ${
+ lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
+ lib.attrNames config.services.nginx.virtualHosts
+ )
+ }
 }
 server {
 listen 443;
 ssl_preread on;
 proxy_pass $sni_upstream;
+ proxy_protocol on;
 }
 '';
-- 
2.47.0
From 40b8b8eabcf40417f09b42f4280e069b53045c32 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sat, 12 Oct 2024 12:30:52 +0200
Subject: [PATCH 3/3] feat(nginx): Add default real_ip decoding for all vhosts
---
 machines/compute01/pages.nix | 136 +++++++++++++++++++----------
 1 file changed, 73 insertions(+), 63 deletions(-)
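Review bot: `proxy_protocol on;` in the stream `server` block applies to every upstream the `map` selects, so the `default 127.0.0.1:8010` route now receives a PROXY header ahead of the TLS ClientHello; unless codeberg-pages is configured to accept PROXY protocol (nothing in this file's `environment` does so), TLS handshakes for the pages domains will fail. The same stream block is carried unchanged into patch 3, so the issue persists there. If the daemon cannot consume the header, keep it only on the vhost path by pointing `default` at a second loopback stream `server` that listens with `proxy_protocol` and proxies to 8010 without it, as sketched below. Separately, the new `defaultListen` names only `0.0.0.0` for the plain-HTTP listener and the stream block uses `listen 443;`, both IPv4-only; if the host is dual-stack, add `{ addr = "[::]"; ssl = false; }` and `listen [::]:443;` so v6 clients are not dropped.
```nix
streamConfig = ''
  map $ssl_preread_server_name $sni_upstream {
    default 127.0.0.1:8011;
    # … unchanged: vhost -> 127.0.0.1:8446 entries …
  }

  # … unchanged: listen 443 / ssl_preread / proxy_protocol on server …

  # Consumes the PROXY header so codeberg-pages sees a plain TLS stream
  server {
    listen 127.0.0.1:8011 proxy_protocol;  # 8011 is illustrative, pick a free port
    proxy_pass 127.0.0.1:8010;
  }
'';
```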
diff --git a/machines/compute01/pages.nix b/machines/compute01/pages.nix
index 10a432d..1153007 100644
--- a/machines/compute01/pages.nix
+++ b/machines/compute01/pages.nix
@@ -36,70 +36,80 @@ let
 in
 {
+ options.services.nginx.virtualHosts = lib.mkOption {
+ type = lib.types.attrsOf (
+ lib.types.submodule {
+ config.extraConfig = ''
+ real_ip_header proxy_protocol;
+ set_real_ip_from 127.0.0.1;
+ '';
+ }
+ );
+ };
- systemd.services.codeberg-pages = {
- inherit environment;
- description = "Codeberg pages server";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "simple";
- StateDirectory = "codeberg-pages";
- EnvironmentFile = config.age.secrets."pages-environment_file".path;
- WorkingDirectory = "/var/lib/codeberg-pages";
- DynamicUser = true;
- ExecStart = lib.getExe package;
- Restart = "on-failure";
- ProtectHome = true;
- ProtectSystem = "strict";
- PrivateTmp = true;
- PrivateDevices = true;
- ProtectHostname = true;
- ProtectClock = true;
- ProtectKernelTunables = true;
- ProtectKernelModules = true;
- ProtectKernelLogs = true;
- ProtectControlGroups = true;
- NoNewPrivileges = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- RemoveIPC = true;
- PrivateMounts = true;
+ config = {
+ systemd.services.codeberg-pages = {
+ inherit environment;
+ description = "Codeberg pages server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "simple";
+ StateDirectory = "codeberg-pages";
+ EnvironmentFile = config.age.secrets."pages-environment_file".path;
+ WorkingDirectory = "/var/lib/codeberg-pages";
+ DynamicUser = true;
+ ExecStart = lib.getExe package;
+ Restart = "on-failure";
+ ProtectHome = true;
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ NoNewPrivileges = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ RemoveIPC = true;
+ PrivateMounts = true;
+ };
+ };
+
+ services.nginx = {
+ defaultListen = [
+ {
+ 
addr = "127.0.0.1";
+ port = 8446;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ {
+ addr = "0.0.0.0";
+ ssl = false;
+ }
+ ];
+
+ streamConfig = ''
+ map $ssl_preread_server_name $sni_upstream {
+ default 127.0.0.1:8010;
+ ${
+ lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
+ lib.attrNames config.services.nginx.virtualHosts
+ )
+ }
+ }
+
+ server {
+ listen 443;
+ ssl_preread on;
+ proxy_pass $sni_upstream;
+ proxy_protocol on;
+ }
+ '';
 };
 };
-
- services.nginx = {
- defaultListen = [
- {
- addr = "127.0.0.1";
- port = 8446;
- ssl = true;
- proxyProtocol = true;
- }
- {
- addr = "0.0.0.0";
- ssl = false;
- }
- ];
- streamConfig = ''
- map $ssl_preread_server_name $sni_upstream {
- default 127.0.0.1:8010;
- ${
- lib.concatMapStringsSep "\n " (vhost: "${vhost} 127.0.0.1:8446;") (
- lib.attrNames config.services.nginx.virtualHosts
- )
- }
- }
-
- server {
- listen 443;
- ssl_preread on;
- proxy_pass $sni_upstream;
- proxy_protocol on;
- }
-
- '';
- defaultSSLListenPort = 8446;
- };
-
 }
-- 
2.47.0
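Review bot: The new `options.services.nginx.virtualHosts = lib.mkOption { … }` declaration has no comment explaining why a NixOS option is re-declared in a machine file, and a reader will wonder whether it replaces the upstream option or merges into it. A comment above `lib.mkOption` such as `# Extend every vhost submodule so the realip directives land in each server block: the SNI stream proxy on :443 hides the client address, and only a PROXY header arriving from it (127.0.0.1) is trusted.` would document both the mechanism and the trust boundary. That boundary deserves the sentence because `set_real_ip_from 127.0.0.1;` trusts any local process that can connect to 127.0.0.1:8446, not just the stream proxy; on a host that also runs other `DynamicUser` services this is a way to forge the client address seen in logs and rate limits, which `IPAddressDeny`/`IPAddressAllow` on those units or a loopback firewall rule on the port would close. The `proxy_protocol on;` interaction with the `default` upstream is raised on the patch 2 hunk and applies here unchanged.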