forked from DGNum/infrastructure
feat(nginx): Switch to simpleProxies for the majority of configs
This commit is contained in:
parent
af61ae6e61
commit
2f06f22ac7
22 changed files with 180 additions and 263 deletions
|
@ -6,6 +6,8 @@ in
|
|||
{
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
dgn-web.internalPorts.ds-fr = 3000;
|
||||
|
||||
services.demarches-simplifiees = {
|
||||
enable = true;
|
||||
|
||||
|
|
|
@ -69,17 +69,11 @@ in
|
|||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
recommendedProxySettings = true;
|
||||
};
|
||||
};
|
||||
dgn-web.simpleProxies.grafana = {
|
||||
inherit host port;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "grafana" ];
|
||||
|
|
|
@ -29,16 +29,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${host} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
|
||||
|
@ -53,6 +43,11 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.simpleProxies.hedgedoc = {
|
||||
inherit host port;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
|
||||
"hedgedoc"
|
||||
"hedgedoc/uploads"
|
||||
|
|
|
@ -8,7 +8,9 @@
|
|||
let
|
||||
inherit (lib) escapeRegex concatStringsSep;
|
||||
|
||||
domain = "sso.dgnum.eu";
|
||||
host = "sso.dgnum.eu";
|
||||
port = 8443;
|
||||
domain = host;
|
||||
|
||||
cert = config.security.acme.certs.${domain};
|
||||
|
||||
|
@ -51,49 +53,40 @@ in
|
|||
|
||||
users.users.kanidm.extraGroups = [ cert.group ];
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
dgn-web.simpleProxies.kanidm = {
|
||||
inherit host port;
|
||||
vhostConfig.locations."/".extraConfig = ''
|
||||
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||
return 444;
|
||||
}
|
||||
|
||||
virtualHosts.${domain} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "https://127.0.0.1:8443";
|
||||
set $origin $http_origin;
|
||||
|
||||
extraConfig = ''
|
||||
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
|
||||
return 444;
|
||||
}
|
||||
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
|
||||
set $origin 'https://${domain}';
|
||||
}
|
||||
|
||||
set $origin $http_origin;
|
||||
proxy_hide_header Access-Control-Allow-Origin;
|
||||
|
||||
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
|
||||
set $origin 'https://${domain}';
|
||||
}
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' "$origin" always;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
|
||||
add_header 'Access-Control-Allow-Credentials' 'true' always;
|
||||
|
||||
proxy_hide_header Access-Control-Allow-Origin;
|
||||
add_header Access-Control-Max-Age 1728000;
|
||||
add_header Content-Type 'text/plain charset=UTF-8';
|
||||
add_header Content-Length 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' "$origin" always;
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
|
||||
add_header 'Access-Control-Allow-Credentials' 'true' always;
|
||||
|
||||
add_header Access-Control-Max-Age 1728000;
|
||||
add_header Content-Type 'text/plain charset=UTF-8';
|
||||
add_header Content-Length 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
|
||||
add_header Access-Control-Allow-Origin "$origin" always;
|
||||
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
|
||||
add_header Access-Control-Allow-Credentials true always;
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
|
||||
add_header Access-Control-Allow-Origin "$origin" always;
|
||||
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
|
||||
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
|
||||
add_header Access-Control-Allow-Credentials true always;
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 636 ];
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
let
|
||||
host = "cloud.dgnum.eu";
|
||||
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
|
||||
|
||||
port = 9980;
|
||||
in
|
||||
{
|
||||
services.nextcloud = {
|
||||
|
@ -104,7 +106,7 @@ in
|
|||
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
|
||||
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
|
||||
};
|
||||
ports = [ "9980:9980" ];
|
||||
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
|
||||
environment = {
|
||||
domain = "cloud.dgnum.eu";
|
||||
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
|
||||
|
@ -119,6 +121,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
dgn-web.internalPorts.collabora = port;
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
${host} = {
|
||||
enableACME = true;
|
||||
|
@ -136,25 +140,25 @@ in
|
|||
extraConfig = ''
|
||||
# static files
|
||||
location ^~ /browser {
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# WOPI discovery URL
|
||||
location ^~ /hosting/discovery {
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# Capabilities
|
||||
location ^~ /hosting/capabilities {
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# main websocket
|
||||
location ~ ^/cool/(.*)/ws$ {
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
|
@ -163,13 +167,13 @@ in
|
|||
|
||||
# download, presentation and image upload
|
||||
location ~ ^/(c|l)ool {
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
# Admin Console websocket
|
||||
location ^~ /cool/adminws {
|
||||
proxy_pass http://127.0.0.1:9980;
|
||||
proxy_pass http://127.0.0.1:${builtins.toString port};
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_set_header Host $host;
|
||||
|
|
|
@ -6,8 +6,6 @@
|
|||
}:
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts."ollama01.beta.dgnum.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -19,9 +17,4 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
}
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
let
|
||||
host = "docs.dgnum.eu";
|
||||
port = 3003;
|
||||
in
|
||||
{
|
||||
services.outline = {
|
||||
|
@ -35,21 +36,12 @@ in
|
|||
defaultLanguage = "fr_FR";
|
||||
|
||||
forceHttps = false;
|
||||
port = 3003;
|
||||
inherit port;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:3003";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
locations."/robots.txt" = {
|
||||
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
|
||||
};
|
||||
dgn-web.simpleProxies.outline = {
|
||||
inherit host port;
|
||||
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "outline" ];
|
||||
|
|
|
@ -38,16 +38,7 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
};
|
||||
};
|
||||
dgn-web.simpleProxies.plausible = {
|
||||
inherit host port;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,16 +2,15 @@
|
|||
|
||||
let
|
||||
host = "saml-idp.dgnum.eu";
|
||||
port = 8090;
|
||||
in
|
||||
{
|
||||
|
||||
imports = [ ./module.nix ];
|
||||
|
||||
services.satosa = {
|
||||
enable = true;
|
||||
|
||||
inherit host;
|
||||
port = 8090;
|
||||
inherit host port;
|
||||
|
||||
envFile = config.age.secrets."satosa-env_file".path;
|
||||
|
||||
|
@ -148,9 +147,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
dgn-web.simpleProxies.satosa = {
|
||||
inherit host port;
|
||||
};
|
||||
|
||||
age-secrets.autoMatch = [ "satosa" ];
|
||||
|
|
|
@ -190,14 +190,6 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx = mkIf cfg.configureNginx {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${cfg.host} = {
|
||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.satosa = {
|
||||
isSystemUser = true;
|
||||
group = "satosa";
|
||||
|
|
|
@ -11,9 +11,12 @@ let
|
|||
# - finally, update the commit hash of the customization patch
|
||||
|
||||
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
|
||||
port = 8084;
|
||||
in
|
||||
|
||||
{
|
||||
dgn-web.internalPorts.stirling-pdf = port;
|
||||
|
||||
services.stirling-pdf = {
|
||||
enable = true;
|
||||
|
||||
|
@ -24,7 +27,7 @@ in
|
|||
});
|
||||
|
||||
domain = "pdf.dgnum.eu";
|
||||
port = 8084;
|
||||
inherit port;
|
||||
|
||||
nginx = {
|
||||
enableACME = true;
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
let
|
||||
host = "pass.dgnum.eu";
|
||||
port = 10501;
|
||||
wsPort = 10500;
|
||||
in
|
||||
{
|
||||
services.vaultwarden = {
|
||||
|
@ -10,9 +12,9 @@ in
|
|||
config = {
|
||||
DOMAIN = "https://${host}";
|
||||
WEBSOCKET_ENABLED = true;
|
||||
WEBSOCKET_PORT = 10500;
|
||||
WEBSOCKET_PORT = wsPort;
|
||||
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
|
||||
ROCKET_PORT = 10501;
|
||||
ROCKET_PORT = port;
|
||||
ROCKET_ADDRESS = "127.0.0.1";
|
||||
SIGNUPS_VERIFY = true;
|
||||
USE_SYSLOG = true;
|
||||
|
@ -31,45 +33,38 @@ in
|
|||
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
|
||||
};
|
||||
|
||||
services = {
|
||||
nginx = {
|
||||
enable = true;
|
||||
dgn-web = {
|
||||
internalPorts.vaultwarden-websockets = wsPort;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
simpleProxies.vaultwarden = {
|
||||
inherit host port;
|
||||
proxyWebsockets = true;
|
||||
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:10501";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
vhostConfig.locations = {
|
||||
"/notifications/hub" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
"/notifications/hub" = {
|
||||
proxyPass = "http://127.0.0.1:10500";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
"/notifications/hub/negotiate" = {
|
||||
proxyPass = "http://127.0.0.1:10501";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
"/notifications/hub/negotiate" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases = [ "vaultwarden" ];
|
||||
ensureDatabases = [ "vaultwarden" ];
|
||||
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "vaultwarden";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "vaultwarden";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
lib.extra.mkConfig {
|
||||
enabledModules = [
|
||||
# List of modules to enable
|
||||
"dgn-web"
|
||||
];
|
||||
|
||||
enabledServices = [
|
||||
|
|
|
@ -122,24 +122,11 @@ in
|
|||
|
||||
services.uptime-kuma.enable = true;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
dgn-web.simpleProxies.uptime-kuma = {
|
||||
inherit host port;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
statelessUptimeKuma = {
|
||||
probesConfig = mkMerge [
|
||||
pingProbes
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
|
||||
let
|
||||
inherit (lib) mapAttrs' nameValuePair;
|
||||
|
||||
host = "s3.dgnum.eu";
|
||||
webHost = "cdn.dgnum.eu";
|
||||
|
||||
|
@ -25,8 +32,18 @@ let
|
|||
] ++ domains;
|
||||
|
||||
mkHosted = host: builtins.map (b: "${b}.${host}");
|
||||
|
||||
ports = {
|
||||
admin_api = 3903;
|
||||
k2v_api = 3904;
|
||||
rpc = 3901;
|
||||
s3_api = 3900;
|
||||
s3_web = 3902;
|
||||
};
|
||||
in
|
||||
{
|
||||
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
|
||||
|
||||
services.garage = {
|
||||
enable = true;
|
||||
|
||||
|
@ -40,24 +57,24 @@ in
|
|||
replication_mode = "none"; # TODO: deprecated
|
||||
compression_level = 7;
|
||||
|
||||
rpc_bind_addr = "[::]:3901";
|
||||
rpc_public_addr = "127.0.0.1:3901";
|
||||
rpc_bind_addr = "[::]:${toString ports.rpc}";
|
||||
rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
|
||||
|
||||
s3_api = {
|
||||
s3_region = "garage";
|
||||
api_bind_addr = "127.0.0.1:3900";
|
||||
api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
|
||||
root_domain = ".${host}";
|
||||
};
|
||||
|
||||
s3_web = {
|
||||
bind_addr = "127.0.0.1:3902";
|
||||
bind_addr = "127.0.0.1:${toString ports.s3_web}";
|
||||
root_domain = ".${webHost}";
|
||||
index = "index.html";
|
||||
};
|
||||
|
||||
k2v_api.api_bind_addr = "[::]:3904";
|
||||
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
|
||||
|
||||
admin.api_bind_addr = "127.0.0.1:3903";
|
||||
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
|
||||
};
|
||||
|
||||
environmentFile = config.age.secrets."garage-environment_file".path;
|
||||
|
@ -84,7 +101,7 @@ in
|
|||
forceSSL = true;
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:3903;
|
||||
proxy_pass http://127.0.0.1:${toString ports.admin_api};
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
|
@ -97,7 +114,7 @@ in
|
|||
serverAliases = mkHosted host buckets;
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:3900;
|
||||
proxy_pass http://127.0.0.1:${toString ports.s3_api};
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
# Disable buffering to a temporary file.
|
||||
|
@ -113,7 +130,7 @@ in
|
|||
serverAliases = domains ++ (mkHosted webHost buckets);
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://127.0.0.1:3902;
|
||||
proxy_pass http://127.0.0.1:${toString ports.s3_web};
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Host $host;
|
||||
'';
|
||||
|
|
|
@ -4,6 +4,8 @@ let
|
|||
host = "videos.dgnum.eu";
|
||||
in
|
||||
{
|
||||
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
|
||||
|
||||
services.peertube = {
|
||||
enable = true;
|
||||
|
||||
|
|
|
@ -12,25 +12,12 @@
|
|||
|
||||
dgn-backups.postgresDatabases = [ "crabfit" ];
|
||||
|
||||
services.nginx =
|
||||
let
|
||||
cfg = config.services.crabfit;
|
||||
in
|
||||
{
|
||||
enable = true;
|
||||
|
||||
virtualHosts.${cfg.frontend.host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
|
||||
};
|
||||
|
||||
virtualHosts.${cfg.api.host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
|
||||
};
|
||||
dgn-web.simpleProxies = {
|
||||
crabfit-api = {
|
||||
inherit (config.services.crabfit.api) host port;
|
||||
};
|
||||
crabfit-frontend = {
|
||||
inherit (config.services.crabfit.frontend) host port;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -101,20 +101,13 @@ in
|
|||
# };
|
||||
# };
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts = mapAttrs' (
|
||||
name:
|
||||
{ port, ... }:
|
||||
nameValuePair "${name}.${cfg.domain}" {
|
||||
enableACME = true;
|
||||
# acmeRoot = null; # Use DNS-01 validation
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
|
||||
}
|
||||
) cfg.calendarGroups;
|
||||
};
|
||||
dgn-web.simpleProxies = mapAttrs' (
|
||||
name:
|
||||
{ port, ... }:
|
||||
nameValuePair "linkal-${name}" {
|
||||
inherit port;
|
||||
host = "${name}.${cfg.domain}";
|
||||
}
|
||||
) cfg.calendarGroups;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -39,17 +39,6 @@ in
|
|||
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
|
||||
'';
|
||||
};
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."netbox.dgnum.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
|
||||
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
|
@ -69,10 +58,12 @@ in
|
|||
};
|
||||
|
||||
users.users.nginx.extraGroups = [ "netbox" ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
443
|
||||
80
|
||||
];
|
||||
|
||||
dgn-web.simpleProxies.netbox = {
|
||||
inherit (config.services.netbox) port;
|
||||
host = "netbox.dgnum.eu";
|
||||
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
|
||||
};
|
||||
|
||||
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
|
||||
dgn-backups.postgresDatabases = [ "netbox" ];
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
|
||||
let
|
||||
host = "push.dgnum.eu";
|
||||
port = 2586;
|
||||
in
|
||||
{
|
||||
services.ntfy-sh = {
|
||||
|
@ -17,14 +18,9 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts.${host} = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:2586";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
dgn-web.simpleProxies.ntfy-sh = {
|
||||
inherit host port;
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
|
||||
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
let
|
||||
inherit (lib) mapAttrsToList;
|
||||
|
||||
host = "cas.eleves.ens.fr";
|
||||
port = 9889;
|
||||
|
||||
python3 =
|
||||
|
@ -128,28 +129,24 @@ in
|
|||
|
||||
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
|
||||
|
||||
services = {
|
||||
postgresql = {
|
||||
ensureDatabases = [ "cas_server" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "cas_server";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
nginx.virtualHosts."cas.eleves.ens.fr" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
dgn-web.simpleProxies.cas-eleves = {
|
||||
inherit host port;
|
||||
vhostConfig = {
|
||||
serverAliases = [ "cas-eleves.dgnum.eu" ];
|
||||
|
||||
locations = {
|
||||
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
"/static/".root = staticDrv;
|
||||
"= /robots.txt".root = "${staticDrv}/static";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "cas_server" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "cas_server";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
let
|
||||
inherit (lib) mapAttrsToList optionals;
|
||||
|
||||
host = "vote.dgnum.eu";
|
||||
port = 9888;
|
||||
|
||||
python3 =
|
||||
|
@ -168,25 +169,18 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
postgresql = {
|
||||
ensureDatabases = [ "kadenios" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "kadenios";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
dgn-web.simpleProxies.kadenios = {
|
||||
inherit host port;
|
||||
vhostConfig.locations."/static/".root = staticDrv;
|
||||
};
|
||||
|
||||
nginx.virtualHosts."vote.dgnum.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations = {
|
||||
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
|
||||
"/static/".root = staticDrv;
|
||||
};
|
||||
};
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "kadenios" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "kadenios";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue