feat(nginx): Switch to simpleProxies for the majority of configs

This commit is contained in:
Tom Hubrecht 2024-10-12 19:30:36 +02:00 committed by thubrecht
parent af61ae6e61
commit 2f06f22ac7
22 changed files with 180 additions and 263 deletions

View file

@ -6,6 +6,8 @@ in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = { services.demarches-simplifiees = {
enable = true; enable = true;

View file

@ -69,17 +69,11 @@ in
} }
]; ];
}; };
};
nginx.virtualHosts.${host} = { dgn-web.simpleProxies.grafana = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}; };
age-secrets.autoMatch = [ "grafana" ]; age-secrets.autoMatch = [ "grafana" ];

View file

@ -29,16 +29,6 @@ in
}; };
}; };
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = { postgresql = {
enable = true; enable = true;
@ -53,6 +43,11 @@ in
}; };
}; };
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [ systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc" "hedgedoc"
"hedgedoc/uploads" "hedgedoc/uploads"

View file

@ -8,7 +8,9 @@
let let
inherit (lib) escapeRegex concatStringsSep; inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu"; host = "sso.dgnum.eu";
port = 8443;
domain = host;
cert = config.security.acme.certs.${domain}; cert = config.security.acme.certs.${domain};
@ -51,16 +53,9 @@ in
users.users.kanidm.extraGroups = [ cert.group ]; users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = { dgn-web.simpleProxies.kanidm = {
enable = true; inherit host port;
vhostConfig.locations."/".extraConfig = ''
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) { if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444; return 444;
} }
@ -93,8 +88,6 @@ in
} }
''; '';
}; };
};
};
networking.firewall.allowedTCPPorts = [ 636 ]; networking.firewall.allowedTCPPorts = [ 636 ];
networking.firewall.allowedUDPPorts = [ 636 ]; networking.firewall.allowedUDPPorts = [ 636 ];

View file

@ -3,6 +3,8 @@
let let
host = "cloud.dgnum.eu"; host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ"; nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in in
{ {
services.nextcloud = { services.nextcloud = {
@ -104,7 +106,7 @@ in
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4"; imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM="; sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
}; };
ports = [ "9980:9980" ]; ports = [ "${builtins.toString port}:${builtins.toString port}" ];
environment = { environment = {
domain = "cloud.dgnum.eu"; domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json"; extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
@ -119,6 +121,8 @@ in
}; };
}; };
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
${host} = { ${host} = {
enableACME = true; enableACME = true;
@ -136,25 +140,25 @@ in
extraConfig = '' extraConfig = ''
# static files # static files
location ^~ /browser { location ^~ /browser {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# WOPI discovery URL # WOPI discovery URL
location ^~ /hosting/discovery { location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Capabilities # Capabilities
location ^~ /hosting/capabilities { location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# main websocket # main websocket
location ~ ^/cool/(.*)/ws$ { location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;
@ -163,13 +167,13 @@ in
# download, presentation and image upload # download, presentation and image upload
location ~ ^/(c|l)ool { location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host; proxy_set_header Host $host;
} }
# Admin Console websocket # Admin Console websocket
location ^~ /cool/adminws { location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980; proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;

View file

@ -6,8 +6,6 @@
}: }:
{ {
services.nginx = { services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."ollama01.beta.dgnum.eu" = { virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -19,9 +17,4 @@
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
80
443
];
} }

View file

@ -2,6 +2,7 @@
let let
host = "docs.dgnum.eu"; host = "docs.dgnum.eu";
port = 3003;
in in
{ {
services.outline = { services.outline = {
@ -35,21 +36,12 @@ in
defaultLanguage = "fr_FR"; defaultLanguage = "fr_FR";
forceHttps = false; forceHttps = false;
port = 3003; inherit port;
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.outline = {
enableACME = true; inherit host port;
forceSSL = true; vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
}; };
age-secrets.autoMatch = [ "outline" ]; age-secrets.autoMatch = [ "outline" ];

View file

@ -38,16 +38,7 @@ in
}; };
}; };
services.nginx = { dgn-web.simpleProxies.plausible = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
}; };
} }

View file

@ -2,16 +2,15 @@
let let
host = "saml-idp.dgnum.eu"; host = "saml-idp.dgnum.eu";
port = 8090;
in in
{ {
imports = [ ./module.nix ]; imports = [ ./module.nix ];
services.satosa = { services.satosa = {
enable = true; enable = true;
inherit host; inherit host port;
port = 8090;
envFile = config.age.secrets."satosa-env_file".path; envFile = config.age.secrets."satosa-env_file".path;
@ -148,9 +147,8 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.satosa = {
enableACME = true; inherit host port;
forceSSL = true;
}; };
age-secrets.autoMatch = [ "satosa" ]; age-secrets.autoMatch = [ "satosa" ];

View file

@ -190,14 +190,6 @@ in
}; };
}; };
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = { users.users.satosa = {
isSystemUser = true; isSystemUser = true;
group = "satosa"; group = "satosa";

View file

@ -11,9 +11,12 @@ let
# - finally, update the commit hash of the customization patch # - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57"; dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
port = 8084;
in in
{ {
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = { services.stirling-pdf = {
enable = true; enable = true;
@ -24,7 +27,7 @@ in
}); });
domain = "pdf.dgnum.eu"; domain = "pdf.dgnum.eu";
port = 8084; inherit port;
nginx = { nginx = {
enableACME = true; enableACME = true;

View file

@ -2,6 +2,8 @@
let let
host = "pass.dgnum.eu"; host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in in
{ {
services.vaultwarden = { services.vaultwarden = {
@ -10,9 +12,9 @@ in
config = { config = {
DOMAIN = "https://${host}"; DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true; WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = 10500; WEBSOCKET_PORT = wsPort;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu"; SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = 10501; ROCKET_PORT = port;
ROCKET_ADDRESS = "127.0.0.1"; ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true; SIGNUPS_VERIFY = true;
USE_SYSLOG = true; USE_SYSLOG = true;
@ -31,34 +33,28 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path; environmentFile = config.age.secrets."vaultwarden-environment_file".path;
}; };
services = { dgn-web = {
nginx = { internalPorts.vaultwarden-websockets = wsPort;
enable = true;
virtualHosts.${host} = { simpleProxies.vaultwarden = {
forceSSL = true; inherit host port;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true; proxyWebsockets = true;
};
vhostConfig.locations = {
"/notifications/hub" = { "/notifications/hub" = {
proxyPass = "http://127.0.0.1:10500"; proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
"/notifications/hub/negotiate" = { "/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501"; proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
}; };
}; };
postgresql = { services.postgresql = {
enable = true; enable = true;
ensureDatabases = [ "vaultwarden" ]; ensureDatabases = [ "vaultwarden" ];
@ -70,7 +66,6 @@ in
} }
]; ];
}; };
};
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ]; dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
dgn-backups.postgresDatabases = [ "vaultwarden" ]; dgn-backups.postgresDatabases = [ "vaultwarden" ];

View file

@ -3,6 +3,7 @@
lib.extra.mkConfig { lib.extra.mkConfig {
enabledModules = [ enabledModules = [
# List of modules to enable # List of modules to enable
"dgn-web"
]; ];
enabledServices = [ enabledServices = [

View file

@ -122,23 +122,10 @@ in
services.uptime-kuma.enable = true; services.uptime-kuma.enable = true;
services.nginx = { dgn-web.simpleProxies.uptime-kuma = {
enable = true; inherit host port;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = { statelessUptimeKuma = {
probesConfig = mkMerge [ probesConfig = mkMerge [

View file

@ -1,6 +1,13 @@
{ config, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu"; host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu"; webHost = "cdn.dgnum.eu";
@ -25,8 +32,18 @@ let
] ++ domains; ] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}"); mkHosted = host: builtins.map (b: "${b}.${host}");
ports = {
admin_api = 3903;
k2v_api = 3904;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
in in
{ {
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = { services.garage = {
enable = true; enable = true;
@ -40,24 +57,24 @@ in
replication_mode = "none"; # TODO: deprecated replication_mode = "none"; # TODO: deprecated
compression_level = 7; compression_level = 7;
rpc_bind_addr = "[::]:3901"; rpc_bind_addr = "[::]:${toString ports.rpc}";
rpc_public_addr = "127.0.0.1:3901"; rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
s3_api = { s3_api = {
s3_region = "garage"; s3_region = "garage";
api_bind_addr = "127.0.0.1:3900"; api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
root_domain = ".${host}"; root_domain = ".${host}";
}; };
s3_web = { s3_web = {
bind_addr = "127.0.0.1:3902"; bind_addr = "127.0.0.1:${toString ports.s3_web}";
root_domain = ".${webHost}"; root_domain = ".${webHost}";
index = "index.html"; index = "index.html";
}; };
k2v_api.api_bind_addr = "[::]:3904"; k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
admin.api_bind_addr = "127.0.0.1:3903"; admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
}; };
environmentFile = config.age.secrets."garage-environment_file".path; environmentFile = config.age.secrets."garage-environment_file".path;
@ -84,7 +101,7 @@ in
forceSSL = true; forceSSL = true;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3903; proxy_pass http://127.0.0.1:${toString ports.admin_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';
@ -97,7 +114,7 @@ in
serverAliases = mkHosted host buckets; serverAliases = mkHosted host buckets;
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3900; proxy_pass http://127.0.0.1:${toString ports.s3_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
# Disable buffering to a temporary file. # Disable buffering to a temporary file.
@ -113,7 +130,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets); serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3902; proxy_pass http://127.0.0.1:${toString ports.s3_web};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host; proxy_set_header Host $host;
''; '';

View file

@ -4,6 +4,8 @@ let
host = "videos.dgnum.eu"; host = "videos.dgnum.eu";
in in
{ {
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
services.peertube = { services.peertube = {
enable = true; enable = true;

View file

@ -12,25 +12,12 @@
dgn-backups.postgresDatabases = [ "crabfit" ]; dgn-backups.postgresDatabases = [ "crabfit" ];
services.nginx = dgn-web.simpleProxies = {
let crabfit-api = {
cfg = config.services.crabfit; inherit (config.services.crabfit.api) host port;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
}; };
crabfit-frontend = {
virtualHosts.${cfg.api.host} = { inherit (config.services.crabfit.frontend) host port;
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
}; };
}; };
} }

View file

@ -101,20 +101,13 @@ in
# }; # };
# }; # };
services.nginx = { dgn-web.simpleProxies = mapAttrs' (
enable = true;
virtualHosts = mapAttrs' (
name: name:
{ port, ... }: { port, ... }:
nameValuePair "${name}.${cfg.domain}" { nameValuePair "linkal-${name}" {
enableACME = true; inherit port;
# acmeRoot = null; # Use DNS-01 validation host = "${name}.${cfg.domain}";
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
} }
) cfg.calendarGroups; ) cfg.calendarGroups;
}; };
};
} }

View file

@ -39,17 +39,6 @@ in
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"] SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
''; '';
}; };
nginx = {
enable = true;
virtualHosts."netbox.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
};
}; };
systemd.services = { systemd.services = {
@ -69,10 +58,12 @@ in
}; };
users.users.nginx.extraGroups = [ "netbox" ]; users.users.nginx.extraGroups = [ "netbox" ];
networking.firewall.allowedTCPPorts = [
443 dgn-web.simpleProxies.netbox = {
80 inherit (config.services.netbox) port;
]; host = "netbox.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ]; dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
dgn-backups.postgresDatabases = [ "netbox" ]; dgn-backups.postgresDatabases = [ "netbox" ];

View file

@ -2,6 +2,7 @@
let let
host = "push.dgnum.eu"; host = "push.dgnum.eu";
port = 2586;
in in
{ {
services.ntfy-sh = { services.ntfy-sh = {
@ -17,15 +18,10 @@ in
}; };
}; };
services.nginx.virtualHosts.${host} = { dgn-web.simpleProxies.ntfy-sh = {
enableACME = true; inherit host port;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2586";
proxyWebsockets = true; proxyWebsockets = true;
}; };
};
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [ systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [
config.age.secrets."ntfy_sh-environment_file".path config.age.secrets."ntfy_sh-environment_file".path

View file

@ -9,6 +9,7 @@
let let
inherit (lib) mapAttrsToList; inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
port = 9889; port = 9889;
python3 = python3 =
@ -128,8 +129,18 @@ in
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr"; dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
services = { dgn-web.simpleProxies.cas-eleves = {
postgresql = { inherit host port;
vhostConfig = {
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
services.postgresql = {
ensureDatabases = [ "cas_server" ]; ensureDatabases = [ "cas_server" ];
ensureUsers = [ ensureUsers = [
{ {
@ -138,18 +149,4 @@ in
} }
]; ];
}; };
nginx.virtualHosts."cas.eleves.ens.fr" = {
enableACME = true;
forceSSL = true;
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
} }

View file

@ -9,6 +9,7 @@
let let
inherit (lib) mapAttrsToList optionals; inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888; port = 9888;
python3 = python3 =
@ -168,8 +169,12 @@ in
}; };
}; };
services = { dgn-web.simpleProxies.kadenios = {
postgresql = { inherit host port;
vhostConfig.locations."/static/".root = staticDrv;
};
services.postgresql = {
ensureDatabases = [ "kadenios" ]; ensureDatabases = [ "kadenios" ];
ensureUsers = [ ensureUsers = [
{ {
@ -178,15 +183,4 @@ in
} }
]; ];
}; };
nginx.virtualHosts."vote.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
};
};
};
} }