This commit is contained in:
catvayor 2024-06-19 16:26:15 +02:00
parent c032e84459
commit 5cc8688003
7 changed files with 138 additions and 66 deletions

View file

@ -5,7 +5,10 @@ let
id_sylvain = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvi5VUsDrwS4XqQQfFFIx1JoRDPVdtChUQWqKFbPFtP8gH51woXiKtKRbDebL0z/EmkdYKxxIkzixHTR5xQXjo8JiFZbwldZi5IvMr3x//ad9sVyOhmbRx1DXLKjyOdWyo+w0vORvbEDu2lHktfSvhHGrvUHfFc3EY+cAl7IImgGEeGNPruAuNkN90Lth9QgwJVsdOEs9j7hwwKtpfMMETL5tkW34Nu7io03+SaPxwi2xLuWTdTklfZ7GWYtG2w/hFkzDbkW97rp5dxB1HO58cPqyRlqyfhZFpiUmWlyuMba3Tip6JarCa52IpFffEIDR0CSeh5CFPoeppo/TPDiXDie370TjjQpxJiG+9PobBhmChH5FmQ/lksffI/WimqpVO7Ixf5cYiHN5Z0mgJgZsXwI3YPICQLA8ebSKHA8+mdmkunDmCBRaBj1qEgkp/UoYqXT6BjBm07nOsnL+3SG/yfx4fLotgWtdm2mkjEAG+OGVR7G3Vk/POxn0EqX7Z+gU= sylvain@idefix"; id_sylvain = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvi5VUsDrwS4XqQQfFFIx1JoRDPVdtChUQWqKFbPFtP8gH51woXiKtKRbDebL0z/EmkdYKxxIkzixHTR5xQXjo8JiFZbwldZi5IvMr3x//ad9sVyOhmbRx1DXLKjyOdWyo+w0vORvbEDu2lHktfSvhHGrvUHfFc3EY+cAl7IImgGEeGNPruAuNkN90Lth9QgwJVsdOEs9j7hwwKtpfMMETL5tkW34Nu7io03+SaPxwi2xLuWTdTklfZ7GWYtG2w/hFkzDbkW97rp5dxB1HO58cPqyRlqyfhZFpiUmWlyuMba3Tip6JarCa52IpFffEIDR0CSeh5CFPoeppo/TPDiXDie370TjjQpxJiG+9PobBhmChH5FmQ/lksffI/WimqpVO7Ixf5cYiHN5Z0mgJgZsXwI3YPICQLA8ebSKHA8+mdmkunDmCBRaBj1qEgkp/UoYqXT6BjBm07nOsnL+3SG/yfx4fLotgWtdm2mkjEAG+OGVR7G3Vk/POxn0EqX7Z+gU= sylvain@idefix";
in in
{ {
meta.nixpkgs = import sources.nixpkgs { }; meta.nixpkgs = (import sources.nix-patches { patchFile = ./patches; }).mkNixpkgsSrc {
src = sources.nixpkgs;
version = "unstable";
};
meta.specialArgs = { meta.specialArgs = {
inherit mods users sources; inherit mods users sources;
}; };

View file

@ -111,38 +111,42 @@
acceptTerms = true; acceptTerms = true;
defaults.email = "root@katvayor.net"; defaults.email = "root@katvayor.net";
}; };
services.nginx = { services.nginx =
enable = true; let
virtualHosts = { vhosts = {
"degette.katvayor.net" = { "degette.katvayor.net" = {
vm = "192.168.122.2";
sshport = 22000;
};
"betamail.katvayor.net" = {
vm = "192.168.122.3";
sshport = 22002;
};
"traque.katvayor.net" = {
vm = "192.168.122.4";
sshport = 22001;
};
};
in
{
enable = true;
virtualHosts =
builtins.mapAttrs (_: {vm, ...}: {
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
acmeFallbackHost = vm;
acmeFallbackRecommendedProxySettings = true;
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "http://192.168.122.2/"; proxyPass = "https://${vm}/";
}; };
}; }) vhosts;
"traque.katvayor.net".locations."/" = { streamConfig = builtins.concatStringsSep "\n" (lib.mapAttrsToList (vhost: {vm, sshport}: ''
recommendedProxySettings = true;
proxyPass = "http://192.168.122.4/";
};
};
streamConfig = ''
upstream kat-virt {
server 192.168.122.2:22;
}
server { server {
listen 22000; listen ${toString sshport};
proxy_pass kat-virt; proxy_pass ${vm}:22;
} }
upstream kat-traque { '') vhosts);
server 192.168.122.4:22;
}
server {
listen 22001;
proxy_pass kat-virt;
}
'';
}; };
# Open ports in the firewall. # Open ports in the firewall.

View file

@ -99,13 +99,21 @@
# Enable the OpenSSH daemon. # Enable the OpenSSH daemon.
services.openssh.enable = true; services.openssh.enable = true;
security.acme = {
acceptTerms = true;
defaults.email = "root@katvayor.net";
};
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."degette.katvayor.net".locations."/" = { virtualHosts."degette.katvayor.net" = {
enableACME = true;
addSSL = true;
locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "http://localhost:8000/"; proxyPass = "http://localhost:8000/";
}; };
}; };
};
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];

View file

@ -58,43 +58,35 @@
acceptTerms = true; acceptTerms = true;
defaults.email = "root@katvayor.net"; defaults.email = "root@katvayor.net";
}; };
services.nginx = { services.nginx =
let
kat-r86s = "100.102.49.84";
vhosts = {
"degette.katvayor.net" = 22000;
"traque.katvayor.net" = 22001;
"betamail.katvayor.net" = 22002;
};
in
{
enable = true; enable = true;
virtualHosts = { virtualHosts = builtins.mapAttrs (_: _: {
"degette.katvayor.net" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeFallbackHost = "100.102.49.84"; acmeFallbackHost = kat-r86s;
acmeFallbackRecommendedProxySettings = true;
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyPass = "https://100.102.49.84/"; proxyPass = "https://${kat-r86s}/";
}; };
}; }) vhosts;
"traque.katvayor.net" = { streamConfig = builtins.concatStringsSep "\n" (
enableACME = true; lib.mapAttrsToList (vhost: sshport: ''
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://100.102.49.84/";
};
};
};
streamConfig = ''
upstream kat-virt {
server 100.102.49.84:22000;
}
server { server {
listen 22000; listen ${toString sshport};
proxy_pass kat-virt; proxy_pass ${kat-r86s}:${toString sshport};
} }
upstream kat-traque { '') vhosts
server 100.102.49.84:22001; );
}
server {
listen 22001;
proxy_pass kat-virt;
}
'';
}; };
services.dbus.packages = with pkgs; [ dconf ]; services.dbus.packages = with pkgs; [ dconf ];

View file

@ -39,6 +39,20 @@
"url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz", "url": "https://github.com/nix-community/home-manager/archive/0a7ffb28e5df5844d0e8039c9833d7075cdee792.tar.gz",
"hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh" "hash": "1qd5sdpgpadd0972gmngjl0gf96h4cz0xvmv0186pgj6xgzc7amh"
}, },
"nix-patches": {
"type": "GitRelease",
"repository": {
"type": "Git",
"url": "https://git.hubrecht.ovh/hubrecht/nix-patches"
},
"pre_releases": false,
"version_upper_bound": null,
"release_prefix": null,
"version": "v0.5.0",
"revision": "e11ba20945f4a867f09d84343c37328288f274b4",
"url": null,
"hash": "1c6cc44pwlg3ky6cnwhkml8ci77fw3sgjhwvqg0f6igxxf2fqv9v"
},
"nixos-images": { "nixos-images": {
"type": "Git", "type": "Git",
"repository": { "repository": {

8
patches/default.nix Normal file
View file

@ -0,0 +1,8 @@
{
unstable = [
{
_type = "static";
path = ./nginx-fallback.patch;
}
];
}

View file

@ -0,0 +1,43 @@
From dc29ed2d52b55791b980c4c3ffaedcad687d7549 Mon Sep 17 00:00:00 2001
From: catvayor <catvayor@katvayor.net>
Date: Wed, 19 Jun 2024 10:01:16 +0200
Subject: [PATCH] add recommanded proxy settings to acme fallback
---
nixos/modules/services/web-servers/nginx/default.nix | 1 +
nixos/modules/services/web-servers/nginx/vhost-options.nix | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/nixos/modules/services/web-servers/nginx/default.nix b/nixos/modules/services/web-servers/nginx/default.nix
index f9720c362..5d68f4a7b 100644
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -372,6 +372,7 @@ let
location @acme-fallback {
auth_basic off;
auth_request off;
+ ${optionalString (vhost.acmeFallbackRecommendedProxySettings) "include ${recommendedProxyConfig};"}
proxy_pass http://${vhost.acmeFallbackHost};
}
''}
diff --git a/nixos/modules/services/web-servers/nginx/vhost-options.nix b/nixos/modules/services/web-servers/nginx/vhost-options.nix
index 24fcb101c..272d2e364 100644
--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -132,6 +132,13 @@ with lib;
specify here.
'';
};
+ acmeFallbackRecommendedProxySettings = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable recommended proxy settings for ACME fallback.
+ '';
+ };
addSSL = mkOption {
type = types.bool;
--
2.45.1