feat(nginx): Switch to simpleProxies for the majority of configs

This commit is contained in:
Tom Hubrecht 2024-10-12 19:30:36 +02:00 committed by thubrecht
parent af61ae6e61
commit 2f06f22ac7
22 changed files with 180 additions and 263 deletions

View file

@ -6,6 +6,8 @@ in
{
imports = [ ./module.nix ];
dgn-web.internalPorts.ds-fr = 3000;
services.demarches-simplifiees = {
enable = true;

View file

@ -69,17 +69,11 @@ in
}
];
};
};
nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
dgn-web.simpleProxies.grafana = {
inherit host port;
proxyWebsockets = true;
};
age-secrets.autoMatch = [ "grafana" ];

View file

@ -29,16 +29,6 @@ in
};
};
nginx.virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
postgresql = {
enable = true;
@ -53,6 +43,11 @@ in
};
};
dgn-web.simpleProxies.hedgedoc = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.hedgedoc.serviceConfig.StateDirectory = lib.mkForce [
"hedgedoc"
"hedgedoc/uploads"

View file

@ -8,7 +8,9 @@
let
inherit (lib) escapeRegex concatStringsSep;
domain = "sso.dgnum.eu";
host = "sso.dgnum.eu";
port = 8443;
domain = host;
cert = config.security.acme.certs.${domain};
@ -51,49 +53,40 @@ in
users.users.kanidm.extraGroups = [ cert.group ];
services.nginx = {
enable = true;
dgn-web.simpleProxies.kanidm = {
inherit host port;
vhostConfig.locations."/".extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://127.0.0.1:8443";
set $origin $http_origin;
extraConfig = ''
if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
return 444;
}
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
set $origin 'https://${domain}';
}
set $origin $http_origin;
proxy_hide_header Access-Control-Allow-Origin;
if ($origin !~ '^https?://(${concatStringsSep "|" allowedDomains})$') {
set $origin 'https://${domain}';
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
proxy_hide_header Access-Control-Allow-Origin;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' "$origin" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header Access-Control-Max-Age 1728000;
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
};
if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
add_header Access-Control-Allow-Origin "$origin" always;
add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
add_header Access-Control-Allow-Credentials true always;
}
'';
};
networking.firewall.allowedTCPPorts = [ 636 ];

View file

@ -3,6 +3,8 @@
let
host = "cloud.dgnum.eu";
nextcloud-occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";
port = 9980;
in
{
services.nextcloud = {
@ -104,7 +106,7 @@ in
imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
};
ports = [ "9980:9980" ];
ports = [ "${builtins.toString port}:${builtins.toString port}" ];
environment = {
domain = "cloud.dgnum.eu";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
@ -119,6 +121,8 @@ in
};
};
dgn-web.internalPorts.collabora = port;
services.nginx.virtualHosts = {
${host} = {
enableACME = true;
@ -136,25 +140,25 @@ in
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:9980;
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980;
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980;
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980;
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
@ -163,13 +167,13 @@ in
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980;
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980;
proxy_pass http://127.0.0.1:${builtins.toString port};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;

View file

@ -6,8 +6,6 @@
}:
{
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts."ollama01.beta.dgnum.eu" = {
enableACME = true;
forceSSL = true;
@ -19,9 +17,4 @@
};
};
};
networking.firewall.allowedTCPPorts = [
80
443
];
}

View file

@ -2,6 +2,7 @@
let
host = "docs.dgnum.eu";
port = 3003;
in
{
services.outline = {
@ -35,21 +36,12 @@ in
defaultLanguage = "fr_FR";
forceHttps = false;
port = 3003;
inherit port;
};
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3003";
proxyWebsockets = true;
};
locations."/robots.txt" = {
return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
dgn-web.simpleProxies.outline = {
inherit host port;
vhostConfig.locations."/robots.txt".return = ''200 "User-agent: *\nDisallow: /s/demarches-normaliennes/\n"'';
};
age-secrets.autoMatch = [ "outline" ];

View file

@ -38,16 +38,7 @@ in
};
};
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
};
};
dgn-web.simpleProxies.plausible = {
inherit host port;
};
}

View file

@ -2,16 +2,15 @@
let
host = "saml-idp.dgnum.eu";
port = 8090;
in
{
imports = [ ./module.nix ];
services.satosa = {
enable = true;
inherit host;
port = 8090;
inherit host port;
envFile = config.age.secrets."satosa-env_file".path;
@ -148,9 +147,8 @@ in
};
};
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
dgn-web.simpleProxies.satosa = {
inherit host port;
};
age-secrets.autoMatch = [ "satosa" ];

View file

@ -190,14 +190,6 @@ in
};
};
services.nginx = mkIf cfg.configureNginx {
enable = true;
virtualHosts.${cfg.host} = {
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
users.users.satosa = {
isSystemUser = true;
group = "satosa";

View file

@ -11,9 +11,12 @@ let
# - finally, update the commit hash of the customization patch
dgn-id = "8f19cb1c9623f8da71f6512c1528d83acc35db57";
port = 8084;
in
{
dgn-web.internalPorts.stirling-pdf = port;
services.stirling-pdf = {
enable = true;
@ -24,7 +27,7 @@ in
});
domain = "pdf.dgnum.eu";
port = 8084;
inherit port;
nginx = {
enableACME = true;

View file

@ -2,6 +2,8 @@
let
host = "pass.dgnum.eu";
port = 10501;
wsPort = 10500;
in
{
services.vaultwarden = {
@ -10,9 +12,9 @@ in
config = {
DOMAIN = "https://${host}";
WEBSOCKET_ENABLED = true;
WEBSOCKET_PORT = 10500;
WEBSOCKET_PORT = wsPort;
SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
ROCKET_PORT = 10501;
ROCKET_PORT = port;
ROCKET_ADDRESS = "127.0.0.1";
SIGNUPS_VERIFY = true;
USE_SYSLOG = true;
@ -31,45 +33,38 @@ in
environmentFile = config.age.secrets."vaultwarden-environment_file".path;
};
services = {
nginx = {
enable = true;
dgn-web = {
internalPorts.vaultwarden-websockets = wsPort;
virtualHosts.${host} = {
forceSSL = true;
enableACME = true;
simpleProxies.vaultwarden = {
inherit host port;
proxyWebsockets = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
vhostConfig.locations = {
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
"/notifications/hub" = {
proxyPass = "http://127.0.0.1:10500";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:10501";
proxyWebsockets = true;
};
"/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${builtins.toString wsPort}";
proxyWebsockets = true;
};
};
};
};
postgresql = {
enable = true;
services.postgresql = {
enable = true;
ensureDatabases = [ "vaultwarden" ];
ensureDatabases = [ "vaultwarden" ];
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
ensureUsers = [
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
};
dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];

View file

@ -3,6 +3,7 @@
lib.extra.mkConfig {
enabledModules = [
# List of modules to enable
"dgn-web"
];
enabledServices = [

View file

@ -122,24 +122,11 @@ in
services.uptime-kuma.enable = true;
services.nginx = {
enable = true;
virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
dgn-web.simpleProxies.uptime-kuma = {
inherit host port;
proxyWebsockets = true;
};
networking.firewall.allowedTCPPorts = [
80
443
];
statelessUptimeKuma = {
probesConfig = mkMerge [
pingProbes

View file

@ -1,6 +1,13 @@
{ config, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (lib) mapAttrs' nameValuePair;
host = "s3.dgnum.eu";
webHost = "cdn.dgnum.eu";
@ -25,8 +32,18 @@ let
] ++ domains;
mkHosted = host: builtins.map (b: "${b}.${host}");
ports = {
admin_api = 3903;
k2v_api = 3904;
rpc = 3901;
s3_api = 3900;
s3_web = 3902;
};
in
{
dgn-web.internalPorts = mapAttrs' (name: nameValuePair "garage-${name}") ports;
services.garage = {
enable = true;
@ -40,24 +57,24 @@ in
replication_mode = "none"; # TODO: deprecated
compression_level = 7;
rpc_bind_addr = "[::]:3901";
rpc_public_addr = "127.0.0.1:3901";
rpc_bind_addr = "[::]:${toString ports.rpc}";
rpc_public_addr = "127.0.0.1:${toString ports.rpc}";
s3_api = {
s3_region = "garage";
api_bind_addr = "127.0.0.1:3900";
api_bind_addr = "127.0.0.1:${toString ports.s3_api}";
root_domain = ".${host}";
};
s3_web = {
bind_addr = "127.0.0.1:3902";
bind_addr = "127.0.0.1:${toString ports.s3_web}";
root_domain = ".${webHost}";
index = "index.html";
};
k2v_api.api_bind_addr = "[::]:3904";
k2v_api.api_bind_addr = "[::]:${toString ports.k2v_api}";
admin.api_bind_addr = "127.0.0.1:3903";
admin.api_bind_addr = "127.0.0.1:${toString ports.admin_api}";
};
environmentFile = config.age.secrets."garage-environment_file".path;
@ -84,7 +101,7 @@ in
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3903;
proxy_pass http://127.0.0.1:${toString ports.admin_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
@ -97,7 +114,7 @@ in
serverAliases = mkHosted host buckets;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3900;
proxy_pass http://127.0.0.1:${toString ports.s3_api};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
# Disable buffering to a temporary file.
@ -113,7 +130,7 @@ in
serverAliases = domains ++ (mkHosted webHost buckets);
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:3902;
proxy_pass http://127.0.0.1:${toString ports.s3_web};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';

View file

@ -4,6 +4,8 @@ let
host = "videos.dgnum.eu";
in
{
dgn-web.internalPorts.peertube = config.services.peertube.listenHttp;
services.peertube = {
enable = true;

View file

@ -12,25 +12,12 @@
dgn-backups.postgresDatabases = [ "crabfit" ];
services.nginx =
let
cfg = config.services.crabfit;
in
{
enable = true;
virtualHosts.${cfg.frontend.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
};
virtualHosts.${cfg.api.host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
};
dgn-web.simpleProxies = {
crabfit-api = {
inherit (config.services.crabfit.api) host port;
};
crabfit-frontend = {
inherit (config.services.crabfit.frontend) host port;
};
};
}

View file

@ -101,20 +101,13 @@ in
# };
# };
services.nginx = {
enable = true;
virtualHosts = mapAttrs' (
name:
{ port, ... }:
nameValuePair "${name}.${cfg.domain}" {
enableACME = true;
# acmeRoot = null; # Use DNS-01 validation
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}/";
}
) cfg.calendarGroups;
};
dgn-web.simpleProxies = mapAttrs' (
name:
{ port, ... }:
nameValuePair "linkal-${name}" {
inherit port;
host = "${name}.${cfg.domain}";
}
) cfg.calendarGroups;
};
}

View file

@ -39,17 +39,6 @@ in
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
'';
};
nginx = {
enable = true;
virtualHosts."netbox.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
};
};
systemd.services = {
@ -69,10 +58,12 @@ in
};
users.users.nginx.extraGroups = [ "netbox" ];
networking.firewall.allowedTCPPorts = [
443
80
];
dgn-web.simpleProxies.netbox = {
inherit (config.services.netbox) port;
host = "netbox.dgnum.eu";
vhostConfig.locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
};
dgn-backups.jobs.netbox.settings.paths = [ "/var/lib/netbox" ];
dgn-backups.postgresDatabases = [ "netbox" ];

View file

@ -2,6 +2,7 @@
let
host = "push.dgnum.eu";
port = 2586;
in
{
services.ntfy-sh = {
@ -17,14 +18,9 @@ in
};
};
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2586";
proxyWebsockets = true;
};
dgn-web.simpleProxies.ntfy-sh = {
inherit host port;
proxyWebsockets = true;
};
systemd.services.ntfy-sh.serviceConfig.EnvironmentFile = [

View file

@ -9,6 +9,7 @@
let
inherit (lib) mapAttrsToList;
host = "cas.eleves.ens.fr";
port = 9889;
python3 =
@ -128,28 +129,24 @@ in
dgn-redirections.permanent."cas-eleves.dgnum.eu" = "cas.eleves.ens.fr";
services = {
postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
nginx.virtualHosts."cas.eleves.ens.fr" = {
enableACME = true;
forceSSL = true;
dgn-web.simpleProxies.cas-eleves = {
inherit host port;
vhostConfig = {
serverAliases = [ "cas-eleves.dgnum.eu" ];
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
"= /robots.txt".root = "${staticDrv}/static";
};
};
};
services.postgresql = {
ensureDatabases = [ "cas_server" ];
ensureUsers = [
{
name = "cas_server";
ensureDBOwnership = true;
}
];
};
}

View file

@ -9,6 +9,7 @@
let
inherit (lib) mapAttrsToList optionals;
host = "vote.dgnum.eu";
port = 9888;
python3 =
@ -168,25 +169,18 @@ in
};
};
services = {
postgresql = {
ensureDatabases = [ "kadenios" ];
ensureUsers = [
{
name = "kadenios";
ensureDBOwnership = true;
}
];
};
dgn-web.simpleProxies.kadenios = {
inherit host port;
vhostConfig.locations."/static/".root = staticDrv;
};
nginx.virtualHosts."vote.dgnum.eu" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
"/static/".root = staticDrv;
};
};
services.postgresql = {
ensureDatabases = [ "kadenios" ];
ensureUsers = [
{
name = "kadenios";
ensureDBOwnership = true;
}
];
};
}