ops/nixos/rexxar: enable fup

This commit is contained in:
Luke Granger-Brown 2024-10-20 17:21:54 +01:00
parent a021fff1da
commit b0eb1f77a0
4 changed files with 32 additions and 37 deletions

View file

@ -13,36 +13,19 @@ in
}; };
}; };
config = let config = {
nginxListen = (map (addr: {
inherit addr;
port = 80;
ssl = false;
}) config.my.fup.listen) ++ (map (addr: {
inherit addr;
port = 443;
ssl = true;
}) config.my.fup.listen);
in {
my.vault.acmeCertificates."p.lukegb.com" = { my.vault.acmeCertificates."p.lukegb.com" = {
hostnames = [ "p.lukegb.com" ]; hostnames = [ "p.lukegb.com" ];
nginxVirtualHosts = [ "p.lukegb.com" ]; caddyVirtualHosts = [ "p.lukegb.com" ];
}; };
services.nginx = { services.caddy = {
enable = lib.mkDefault true;
virtualHosts."p.lukegb.com" = { virtualHosts."p.lukegb.com" = {
listen = nginxListen;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:${sock}";
extraConfig = '' extraConfig = ''
proxy_redirect off; ${lib.optionalString (config.my.fup.listen != []) "bind ${lib.concatStringsSep " " config.my.fup.listen}"}
client_max_body_size 0; reverse_proxy unix/${sock}
proxy_buffering off;
''; '';
}; };
}; };
};
users.users.fup = { isSystemUser = true; group = "fup"; }; users.users.fup = { isSystemUser = true; group = "fup"; };
users.groups.fup = {}; users.groups.fup = {};
@ -51,8 +34,8 @@ in
listenStreams = [ sock ]; listenStreams = [ sock ];
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
socketConfig = { socketConfig = {
SocketUser = config.services.nginx.user; SocketUser = config.services.caddy.user;
SocketGroup = config.services.nginx.group; SocketGroup = config.services.caddy.group;
SocketMode = "0700"; SocketMode = "0700";
}; };
}; };

View file

@ -43,6 +43,11 @@ in
default = []; default = [];
description = "List of nginx virtual hosts to apply SSL to."; description = "List of nginx virtual hosts to apply SSL to.";
}; };
caddyVirtualHosts = mkOption {
type = listOf str;
default = [];
description = "List of caddy virtual hosts to apply SSL to.";
};
group = mkOption { group = mkOption {
type = str; type = str;
default = if isNginx then "nginx" else "acme"; default = if isNginx then "nginx" else "acme";
@ -71,16 +76,21 @@ in
config = mkIf config.my.vault.secretsmgr.acmeCertificates.enable { config = mkIf config.my.vault.secretsmgr.acmeCertificates.enable {
services.nginx = optionalAttrs config.my.vault.enable { services.nginx = optionalAttrs config.my.vault.enable {
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let virtualHosts = builtins.listToAttrs (builtins.concatMap (certData:
fullchain = fullchainPath certData; map (hostName: lib.nameValuePair hostName {
chain = chainPath certData;
key = keyPath certData;
in map (hostName: lib.nameValuePair hostName {
sslCertificate = mkDefault (fullchainPath certData); sslCertificate = mkDefault (fullchainPath certData);
sslCertificateKey = mkDefault (keyPath certData); sslCertificateKey = mkDefault (keyPath certData);
sslTrustedCertificate = mkDefault (chainPath certData); sslTrustedCertificate = mkDefault (chainPath certData);
}) certData.nginxVirtualHosts) acmeCertificates); }) certData.nginxVirtualHosts) acmeCertificates);
}; };
services.caddy = optionalAttrs config.my.vault.enable {
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData:
map (hostName: lib.nameValuePair hostName {
extraConfig = lib.mkBefore ''
tls ${fullchainPath certData} ${keyPath certData}
'';
}) certData.caddyVirtualHosts) acmeCertificates);
};
my.vault.secretsmgr.groups = mkAfter allGroups; my.vault.secretsmgr.groups = mkAfter allGroups;
my.vault.secretsmgr.restartableUnits = mkAfter allRestartableUnits; my.vault.secretsmgr.restartableUnits = mkAfter allRestartableUnits;

View file

@ -13,6 +13,7 @@
../lib/hackyplayer.nix ../lib/hackyplayer.nix
../lib/emfminiserv.nix ../lib/emfminiserv.nix
../lib/seaweedfs.nix ../lib/seaweedfs.nix
../lib/fup.nix
]; ];
# Otherwise _this_ machine won't enumerate things properly. # Otherwise _this_ machine won't enumerate things properly.
@ -502,5 +503,7 @@
ReadOnlyPaths = lib.mkAfter [ "/var/lib/acme" ]; ReadOnlyPaths = lib.mkAfter [ "/var/lib/acme" ];
}; };
my.fup.listen = [];
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }

View file

@ -89,7 +89,6 @@
my.servers.bvm-prosody.apps = [ "turn" ]; my.servers.bvm-prosody.apps = [ "turn" ];
my.servers.bvm-heptapod.apps = [ "gitlab-runner" ]; my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ]; my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
my.servers.blade-tuvok.apps = [ "fup" ];
my.servers.bvm-netbox.apps = [ "netbox" ]; my.servers.bvm-netbox.apps = [ "netbox" ];
my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ]; my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" ];
} }