ops/nixos/rexxar: enable fup
This commit is contained in:
parent
a021fff1da
commit
b0eb1f77a0
4 changed files with 32 additions and 37 deletions
|
@ -13,36 +13,19 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = let
|
config = {
|
||||||
nginxListen = (map (addr: {
|
|
||||||
inherit addr;
|
|
||||||
port = 80;
|
|
||||||
ssl = false;
|
|
||||||
}) config.my.fup.listen) ++ (map (addr: {
|
|
||||||
inherit addr;
|
|
||||||
port = 443;
|
|
||||||
ssl = true;
|
|
||||||
}) config.my.fup.listen);
|
|
||||||
in {
|
|
||||||
my.vault.acmeCertificates."p.lukegb.com" = {
|
my.vault.acmeCertificates."p.lukegb.com" = {
|
||||||
hostnames = [ "p.lukegb.com" ];
|
hostnames = [ "p.lukegb.com" ];
|
||||||
nginxVirtualHosts = [ "p.lukegb.com" ];
|
caddyVirtualHosts = [ "p.lukegb.com" ];
|
||||||
};
|
};
|
||||||
services.nginx = {
|
services.caddy = {
|
||||||
enable = lib.mkDefault true;
|
|
||||||
virtualHosts."p.lukegb.com" = {
|
virtualHosts."p.lukegb.com" = {
|
||||||
listen = nginxListen;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://unix:${sock}";
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
proxy_redirect off;
|
${lib.optionalString (config.my.fup.listen != []) "bind ${lib.concatStringsSep " " config.my.fup.listen}"}
|
||||||
client_max_body_size 0;
|
reverse_proxy unix/${sock}
|
||||||
proxy_buffering off;
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
users.users.fup = { isSystemUser = true; group = "fup"; };
|
users.users.fup = { isSystemUser = true; group = "fup"; };
|
||||||
users.groups.fup = {};
|
users.groups.fup = {};
|
||||||
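Review bot: The removed nginx vhost pinned two behaviours explicitly — `forceSSL = true` and `client_max_body_size 0` — while the new Caddy site for "p.lukegb.com" relies on Caddy's defaults for both (an HTTP→HTTPS redirect that Caddy adds itself for a named site with an explicit `tls` line, and no request body limit on `reverse_proxy`). Neither is visible in the new `extraConfig`, so a reader can no longer tell whether the unlimited upload size is deliberate for a paste/upload service or an oversight. Record it next to the `reverse_proxy unix/${sock}` line, e.g. `# Caddy redirects :80 -> :443 on its own; no request_body max_size here on purpose (fup takes large uploads)`, and if a ceiling is actually wanted the Caddy equivalent is `request_body { max_size 1GB }` in the same block. The module's argument header sits before this hunk and the `config` set continues into the next one, so the surrounding `users.*`/socket wiring is reviewed separately.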
|
@ -51,8 +34,8 @@ in
|
||||||
listenStreams = [ sock ];
|
listenStreams = [ sock ];
|
||||||
wantedBy = [ "sockets.target" ];
|
wantedBy = [ "sockets.target" ];
|
||||||
socketConfig = {
|
socketConfig = {
|
||||||
SocketUser = config.services.nginx.user;
|
SocketUser = config.services.caddy.user;
|
||||||
SocketGroup = config.services.nginx.group;
|
SocketGroup = config.services.caddy.group;
|
||||||
SocketMode = "0700";
|
SocketMode = "0700";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -43,6 +43,11 @@ in
|
||||||
default = [];
|
default = [];
|
||||||
description = "List of nginx virtual hosts to apply SSL to.";
|
description = "List of nginx virtual hosts to apply SSL to.";
|
||||||
};
|
};
|
||||||
|
caddyVirtualHosts = mkOption {
|
||||||
|
type = listOf str;
|
||||||
|
default = [];
|
||||||
|
description = "List of caddy virtual hosts to apply SSL to.";
|
||||||
|
};
|
||||||
group = mkOption {
|
group = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
default = if isNginx then "nginx" else "acme";
|
default = if isNginx then "nginx" else "acme";
|
||||||
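Review bot: The `group` option's default on the unchanged line `default = if isNginx then "nginx" else "acme";` is not extended for the new `caddyVirtualHosts` list, so a certificate consumed only by Caddy still falls back to the `acme` group while the NixOS caddy service runs as its own user and group; Caddy would then be unable to open the key that the generated `tls` line points at unless the caller overrides `group` or adds the caddy user to that group. `isNginx` is defined outside this hunk, so I cannot see what it tests, but nothing here teaches it about Caddy. Suggest adding `isCaddy = certData.caddyVirtualHosts != [];` next to `isNginx` and changing the default to `default = if isNginx then "nginx" else if isCaddy then "caddy" else "acme";`, and spelling out the fallback order in the option's `description` so the next consumer knows which group must be able to read the key.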
|
@ -71,16 +76,21 @@ in
|
||||||
|
|
||||||
config = mkIf config.my.vault.secretsmgr.acmeCertificates.enable {
|
config = mkIf config.my.vault.secretsmgr.acmeCertificates.enable {
|
||||||
services.nginx = optionalAttrs config.my.vault.enable {
|
services.nginx = optionalAttrs config.my.vault.enable {
|
||||||
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData: let
|
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData:
|
||||||
fullchain = fullchainPath certData;
|
map (hostName: lib.nameValuePair hostName {
|
||||||
chain = chainPath certData;
|
|
||||||
key = keyPath certData;
|
|
||||||
in map (hostName: lib.nameValuePair hostName {
|
|
||||||
sslCertificate = mkDefault (fullchainPath certData);
|
sslCertificate = mkDefault (fullchainPath certData);
|
||||||
sslCertificateKey = mkDefault (keyPath certData);
|
sslCertificateKey = mkDefault (keyPath certData);
|
||||||
sslTrustedCertificate = mkDefault (chainPath certData);
|
sslTrustedCertificate = mkDefault (chainPath certData);
|
||||||
}) certData.nginxVirtualHosts) acmeCertificates);
|
}) certData.nginxVirtualHosts) acmeCertificates);
|
||||||
};
|
};
|
||||||
|
services.caddy = optionalAttrs config.my.vault.enable {
|
||||||
|
virtualHosts = builtins.listToAttrs (builtins.concatMap (certData:
|
||||||
|
map (hostName: lib.nameValuePair hostName {
|
||||||
|
extraConfig = lib.mkBefore ''
|
||||||
|
tls ${fullchainPath certData} ${keyPath certData}
|
||||||
|
'';
|
||||||
|
}) certData.caddyVirtualHosts) acmeCertificates);
|
||||||
|
};
|
||||||
|
|
||||||
my.vault.secretsmgr.groups = mkAfter allGroups;
|
my.vault.secretsmgr.groups = mkAfter allGroups;
|
||||||
my.vault.secretsmgr.restartableUnits = mkAfter allRestartableUnits;
|
my.vault.secretsmgr.restartableUnits = mkAfter allRestartableUnits;
|
||||||
|
|
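Review bot: The new `services.caddy` branch bakes the fullchain and key paths into the Caddyfile via `tls ${fullchainPath certData} ${keyPath certData}`, but nothing in this hunk makes `caddy.service` one of the units restarted when the vault-managed files rotate; `allRestartableUnits` on the line `my.vault.secretsmgr.restartableUnits = mkAfter allRestartableUnits;` is computed outside the hunk, and if it is derived from `nginxVirtualHosts` only, Caddy keeps serving the previous certificate after renewal — worth confirming, since a manually specified `tls` file pair is not guaranteed to be re-read without a reload. Consider adding `"caddy.service"` to the restartable units whenever some certificate has a non-empty `caddyVirtualHosts`, and note the dependency beside the `tls` line: `# Caddy loads these files at config load; renewal must reload caddy.service`. The nginx branch also hands over `sslTrustedCertificate` (the chain) while the Caddy branch ships only fullchain + key; that looks intentional, so a one-line comment saying the chain is already inside the fullchain file would stop it reading as an omission.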
|
@ -13,6 +13,7 @@
|
||||||
../lib/hackyplayer.nix
|
../lib/hackyplayer.nix
|
||||||
../lib/emfminiserv.nix
|
../lib/emfminiserv.nix
|
||||||
../lib/seaweedfs.nix
|
../lib/seaweedfs.nix
|
||||||
|
../lib/fup.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# Otherwise _this_ machine won't enumerate things properly.
|
# Otherwise _this_ machine won't enumerate things properly.
|
||||||
|
@ -502,5 +503,7 @@
|
||||||
ReadOnlyPaths = lib.mkAfter [ "/var/lib/acme" ];
|
ReadOnlyPaths = lib.mkAfter [ "/var/lib/acme" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
my.fup.listen = [];
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
|
||||||
|
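Review bot: `my.fup.listen = [];` makes the `bind` line in lib/fup.nix disappear (it is emitted only when the list is non-empty), so the p.lukegb.com site binds Caddy to every address on :80 and :443 of this host. That matches the old nginx `listen = []` behaviour, but it now introduces a second web server: if anything else on rexxar already owns :80/:443 (the host's other apps suggest an nginx-fronted setup, which this hunk does not let me confirm), `caddy.service` will fail to bind at activation rather than at evaluation. Either pin the address(es) fup should be reachable on, or record the intent inline: `my.fup.listen = []; # empty = bind on all interfaces (see lib/fup.nix)`.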
|
|
@ -89,7 +89,6 @@
|
||||||
my.servers.bvm-prosody.apps = [ "turn" ];
|
my.servers.bvm-prosody.apps = [ "turn" ];
|
||||||
my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
|
my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
|
||||||
my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
|
my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
|
||||||
my.servers.blade-tuvok.apps = [ "fup" ];
|
|
||||||
my.servers.bvm-netbox.apps = [ "netbox" ];
|
my.servers.bvm-netbox.apps = [ "netbox" ];
|
||||||
my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
|
my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" ];
|
||||||
}
|
}
|
||||||
|
|