mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2026-04-15 05:39:11 +02:00
feat[server]: serve home services also from home
This commit is contained in:
Leon Schwarzäugl
parent
db273edc48
commit
afd8c2f653
GPG key ID:
26A54C31F2A4FD84
51 changed files with 2740 additions and 3289 deletions
|
|
@ -35,6 +35,7 @@
|
|||
prstatus
|
||||
swarsel-gens
|
||||
swarsel-switch
|
||||
swarsel-sops
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -87,7 +87,7 @@ in
|
|||
# this interface to gain a carrier.
|
||||
networkConfig.LinkLocalAddressing = "no";
|
||||
linkConfig.RequiredForOnline = "carrier";
|
||||
vlan = (map (name: "vlan-${name}") (builtins.attrNames localVLANs));
|
||||
vlan = map (name: "vlan-${name}") (builtins.attrNames localVLANs);
|
||||
};
|
||||
# Remaining macvtap interfaces should not be touched.
|
||||
"90-macvtap-ignore" = lib.mkIf withMicroVMs {
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ self, inputs, lib, config, globals, dns, confLib, ... }:
|
||||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "adguardhome"; port = 3000; }) serviceName servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied homeProxy homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
|
||||
inherit (confLib.static) isHome isProxied homeProxyIf webProxy webProxyIf homeWebProxy dnsServer homeDnsServer homeServiceAddress nginxAccessRules;
|
||||
|
||||
homeServices = lib.attrNames (lib.filterAttrs (_: serviceCfg: serviceCfg.isHome) globals.services);
|
||||
homeDomains = map (name: globals.services.${name}.domain) homeServices;
|
||||
|
|
@ -19,7 +19,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -58,11 +58,7 @@ in
|
|||
];
|
||||
dhcp.enabled = false;
|
||||
};
|
||||
filtering.rewrites = [
|
||||
]
|
||||
# Use the local mirror-proxy for some services (not necessary, just for speed)
|
||||
++
|
||||
map
|
||||
filtering.rewrites = map
|
||||
(domain: {
|
||||
inherit domain;
|
||||
# FIXME: change to homeWebProxy once that is setup
|
||||
|
|
@ -97,42 +93,12 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2 = {
|
||||
enable = true;
|
||||
allowedGroups = [ "adguardhome_access" ];
|
||||
};
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
extraConfig = lib.mkIf (extraConfig != "") extraConfig;
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; proxyWebsockets = true; oauth2 = true; oauth2Groups = [ "adguardhome_access" ]; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ self, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "ankisync"; port = 27701; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
ankiUser = globals.user.name;
|
||||
in
|
||||
|
|
@ -9,10 +10,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
|
||||
sops.secrets.anki-pw = { inherit sopsFile; owner = "root"; };
|
||||
|
|
@ -29,7 +26,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -51,31 +48,13 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ lib, config, pkgs, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "attic"; port = 8091; }) serviceName serviceDir servicePort serviceAddress serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
inherit (config.swarselsystems) mainUser isPublic sopsFile;
|
||||
serviceDB = "atticd";
|
||||
in
|
||||
|
|
@ -10,10 +11,6 @@ in
|
|||
};
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
topology.self.services.${serviceName} = {
|
||||
name = lib.swarselsystems.toCapitalized serviceName;
|
||||
info = "https://${serviceDomain}";
|
||||
|
|
@ -26,7 +23,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -138,36 +135,23 @@ in
|
|||
after = [ "garage.service" ];
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
client_body_timeout 600s;
|
||||
proxy_connect_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_request_buffering off;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
client_body_timeout 600s;
|
||||
proxy_connect_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_request_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,12 @@
|
|||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "atuin"; port = 8888; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
|
||||
|
||||
globals = {
|
||||
|
|
@ -18,7 +15,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -35,30 +32,12 @@ in
|
|||
openRegistration = false;
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, pkgs, dns, globals, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6 isHome dnsServer;
|
||||
inherit (confLib.gen { name = "croc"; proxy = config.node.name; }) serviceName serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome dnsServer;
|
||||
servicePorts = [
|
||||
9009
|
||||
9010
|
||||
|
|
|
|||
|
|
@ -1,10 +1,11 @@
|
|||
{ lib, config, globals, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "dns-home"; }) serviceName homeProxy;
|
||||
inherit (confLib.gen { name = "dns-home"; }) serviceName;
|
||||
inherit (confLib.static) homeProxy;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf (config.swarselmodules.server.${serviceName}) {
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
networking.hosts = {
|
||||
${globals.networks.home-lan.vlans.services.hosts.${homeProxy}.ipv4} = [ "server.${homeProxy}.${globals.domains.main}" ];
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome dnsServer webProxy;
|
||||
inherit (confLib.gen { name = "firefly-iii"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
|
||||
|
||||
nginxGroup = "nginx";
|
||||
|
||||
|
|
@ -11,10 +12,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users = {
|
||||
groups.${serviceGroup} = { };
|
||||
users.${serviceUser} = {
|
||||
|
|
@ -81,36 +78,48 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = true;
|
||||
oauth2.allowedGroups = [ "firefly_access" ];
|
||||
# main config is automatically added by nixos firefly config.
|
||||
# hence, only provide certificate
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
"/api" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2 = {
|
||||
enable = true;
|
||||
allowedGroups = [ "firefly_access" ];
|
||||
};
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
"/api" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, pkgs, config, globals, confLib, dns, nodes, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy homeProxyIf webProxyIf idmServer dnsServer;
|
||||
inherit (confLib.gen { name = "firezone"; dir = "/var/lib/private/firezone"; }) serviceName serviceDir serviceAddress serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied homeProxy webProxy homeWebProxy homeProxyIf webProxyIf idmServer dnsServer homeServiceAddress nginxAccessRules;
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
|
||||
apiPort = 8081;
|
||||
|
|
@ -23,10 +24,6 @@ in
|
|||
};
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
globals = {
|
||||
networks = {
|
||||
${webProxyIf}.hosts = lib.mkIf isProxied {
|
||||
|
|
@ -42,7 +39,7 @@ in
|
|||
};
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy} = {
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
|
||||
allowedTCPPorts = [ apiPort webPort domainPort ];
|
||||
allowedUDPPorts = [ relayPort ];
|
||||
allowedUDPPortRanges = [
|
||||
|
|
@ -257,118 +254,15 @@ in
|
|||
# };
|
||||
|
||||
|
||||
nodes = {
|
||||
${homeProxy} =
|
||||
let
|
||||
nodeCfg = nodes.${homeProxy}.config;
|
||||
nodePkgs = nodes.${homeProxy}.pkgs;
|
||||
in
|
||||
{
|
||||
sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
|
||||
networking.nftables = {
|
||||
firewall = {
|
||||
zones.firezone.interfaces = [ "tun-firezone" ];
|
||||
rules = {
|
||||
# masquerade firezone traffic
|
||||
masquerade-firezone = {
|
||||
from = [ "firezone" ];
|
||||
to = [ "vlan-services" ];
|
||||
# masquerade = true; NOTE: custom rule below for ip4 + ip6
|
||||
late = true; # Only accept after any rejects have been processed
|
||||
verdict = "accept";
|
||||
};
|
||||
# forward firezone traffic
|
||||
forward-incoming-firezone-traffic = {
|
||||
from = [ "firezone" ];
|
||||
to = [ "vlan-services" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
|
||||
# FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
|
||||
forward-outgoing-firezone-traffic = {
|
||||
from = [ "vlan-services" ];
|
||||
to = [ "firezone" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
};
|
||||
};
|
||||
chains.postrouting = {
|
||||
masquerade-firezone = {
|
||||
after = [ "hook" ];
|
||||
late = true;
|
||||
rules =
|
||||
lib.forEach
|
||||
[
|
||||
"firezone"
|
||||
]
|
||||
(
|
||||
zone:
|
||||
lib.concatStringsSep " " [
|
||||
"meta protocol { ip, ip6 }"
|
||||
(lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
|
||||
(lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
|
||||
"masquerade random"
|
||||
]
|
||||
);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.wmem_max" = 16777216;
|
||||
"net.core.rmem_max" = 134217728;
|
||||
};
|
||||
services.firezone.gateway = {
|
||||
enable = true;
|
||||
# logLevel = "trace";
|
||||
inherit (nodeCfg.node) name;
|
||||
apiUrl = "wss://${globals.services.firezone.domain}/api/";
|
||||
tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
|
||||
package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
|
||||
};
|
||||
|
||||
topology.self.services."${serviceName}-gateway" = {
|
||||
name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
|
||||
icon = "${self}/files/topology-images/${serviceName}.png";
|
||||
};
|
||||
};
|
||||
${idmServer} =
|
||||
let
|
||||
nodeCfg = nodes.${idmServer}.config;
|
||||
accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
|
||||
externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
|
||||
in
|
||||
{
|
||||
sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
|
||||
services.kanidm.provision = {
|
||||
groups."firezone.access" = { };
|
||||
systems.oauth2.firezone = {
|
||||
displayName = "Firezone VPN";
|
||||
# NOTE: state: both uuids are runtime values
|
||||
originUrl = [
|
||||
"https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
|
||||
"https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
|
||||
];
|
||||
originLanding = "https://${globals.services.firezone.domain}/";
|
||||
basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
|
||||
preferShortUsername = true;
|
||||
scopeMaps."firezone.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
${webProxy} = {
|
||||
services.nginx = {
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers."${serviceAddress}:${builtins.toString webPort}" = { };
|
||||
servers."${toAddress}:${builtins.toString webPort}" = { };
|
||||
};
|
||||
"${serviceName}-api" = {
|
||||
servers."${serviceAddress}:${builtins.toString apiPort}" = { };
|
||||
servers."${toAddress}:${builtins.toString apiPort}" = { };
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
|
|
@ -376,21 +270,133 @@ in
|
|||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations."/" = {
|
||||
# The trailing slash is important to strip the location prefix from the request
|
||||
proxyPass = "http://${serviceName}/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
locations."/api/" = {
|
||||
# The trailing slash is important to strip the location prefix from the request
|
||||
proxyPass = "http://${serviceName}-api/";
|
||||
proxyWebsockets = true;
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
# The trailing slash is important to strip the location prefix from the request
|
||||
proxyPass = "http://${serviceName}/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
"/api/" = {
|
||||
# The trailing slash is important to strip the location prefix from the request
|
||||
proxyPass = "http://${serviceName}-api/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${homeProxy} =
|
||||
let
|
||||
nodeCfg = nodes.${homeProxy}.config;
|
||||
nodePkgs = nodes.${homeProxy}.pkgs;
|
||||
in
|
||||
{
|
||||
sops.secrets.firezone-gateway-token = { inherit (nodeCfg.swarselsystems) sopsFile; mode = "0400"; };
|
||||
networking.nftables = {
|
||||
firewall = {
|
||||
zones.firezone.interfaces = [ "tun-firezone" ];
|
||||
rules = {
|
||||
# masquerade firezone traffic
|
||||
masquerade-firezone = {
|
||||
from = [ "firezone" ];
|
||||
to = [ "vlan-services" ];
|
||||
# masquerade = true; NOTE: custom rule below for ip4 + ip6
|
||||
late = true; # Only accept after any rejects have been processed
|
||||
verdict = "accept";
|
||||
};
|
||||
# forward firezone traffic
|
||||
forward-incoming-firezone-traffic = {
|
||||
from = [ "firezone" ];
|
||||
to = [ "vlan-services" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
|
||||
# FIXME: is this needed? conntrack should take care of it and we want to masquerade anyway
|
||||
forward-outgoing-firezone-traffic = {
|
||||
from = [ "vlan-services" ];
|
||||
to = [ "firezone" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
};
|
||||
};
|
||||
chains.postrouting = {
|
||||
masquerade-firezone = {
|
||||
after = [ "hook" ];
|
||||
late = true;
|
||||
rules =
|
||||
lib.forEach
|
||||
[
|
||||
"firezone"
|
||||
]
|
||||
(
|
||||
zone:
|
||||
lib.concatStringsSep " " [
|
||||
"meta protocol { ip, ip6 }"
|
||||
(lib.head nodeCfg.networking.nftables.firewall.zones.${zone}.ingressExpression)
|
||||
(lib.head nodeCfg.networking.nftables.firewall.zones.vlan-services.egressExpression)
|
||||
"masquerade random"
|
||||
]
|
||||
);
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"net.core.wmem_max" = 16777216;
|
||||
"net.core.rmem_max" = 134217728;
|
||||
};
|
||||
services.firezone.gateway = {
|
||||
enable = true;
|
||||
# logLevel = "trace";
|
||||
inherit (nodeCfg.node) name;
|
||||
apiUrl = "wss://${globals.services.firezone.domain}/api/";
|
||||
tokenFile = nodeCfg.sops.secrets.firezone-gateway-token.path;
|
||||
package = nodePkgs.stable25_05.firezone-gateway; # newer versions of firezone-gateway are not compatible with server package
|
||||
};
|
||||
|
||||
topology.self.services."${serviceName}-gateway" = {
|
||||
name = lib.swarselsystems.toCapitalized "${serviceName} Gateway";
|
||||
icon = "${self}/files/topology-images/${serviceName}.png";
|
||||
};
|
||||
};
|
||||
${idmServer} =
|
||||
let
|
||||
nodeCfg = nodes.${idmServer}.config;
|
||||
accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
|
||||
externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
|
||||
in
|
||||
{
|
||||
sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
|
||||
services.kanidm.provision = {
|
||||
groups."firezone.access" = { };
|
||||
systems.oauth2.firezone = {
|
||||
displayName = "Firezone VPN";
|
||||
# NOTE: state: both uuids are runtime values
|
||||
originUrl = [
|
||||
"https://${globals.services.firezone.domain}/${accountId}/sign_in/providers/${externalId}/handle_callback"
|
||||
"https://${globals.services.firezone.domain}/${accountId}/settings/identity_providers/openid_connect/${externalId}/handle_callback"
|
||||
];
|
||||
originLanding = "https://${globals.services.firezone.domain}/";
|
||||
basicSecretFile = nodeCfg.sops.secrets.kanidm-firezone.path;
|
||||
preferShortUsername = true;
|
||||
scopeMaps."firezone.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ lib, config, pkgs, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "forgejo"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
kanidmDomain = globals.services.kanidm.domain;
|
||||
in
|
||||
|
|
@ -9,10 +10,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
|
|
@ -32,7 +29,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -140,31 +137,13 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
|
||||
inherit (confLib.gen { name = "freshrss"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
|
||||
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
in
|
||||
|
|
@ -8,10 +9,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
extraGroups = [ "users" ];
|
||||
group = serviceGroup;
|
||||
|
|
@ -76,34 +73,46 @@ in
|
|||
# config.sops.templates.freshrss-env.path
|
||||
# ];
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = true;
|
||||
oauth2.allowedGroups = [ "ttrss_access" ];
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
"/api" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = true;
|
||||
oauth2.allowedGroups = [ "ttrss_access" ];
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
"/api" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,8 @@
|
|||
# inspired by https://github.com/atropos112/nixos/blob/7fef652006a1c939f4caf9c8a0cb0892d9cdfe21/modules/garage.nix
|
||||
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen {
|
||||
name = "garage";
|
||||
port = 3900;
|
||||
domain = config.repo.secrets.common.services.domains."garage-${config.node.name}";
|
||||
}) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "garage"; port = 3900; domain = config.repo.secrets.common.services.domains."garage-${config.node.name}"; }) servicePort serviceName specificServiceName serviceDomain subDomain baseDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
cfg = lib.recursiveUpdate config.services.${serviceName} config.swarselsystems.server.${serviceName};
|
||||
inherit (config.swarselsystems) sopsFile mainUser;
|
||||
|
|
@ -73,14 +70,6 @@ in
|
|||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
|
||||
"${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
topology.self.services.${serviceName} = {
|
||||
name = lib.swarselsystems.toCapitalized serviceName;
|
||||
info = "https://${serviceDomain}";
|
||||
|
|
@ -114,7 +103,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort 3901 3902 3903 3904 ];
|
||||
};
|
||||
};
|
||||
services.${specificServiceName} = {
|
||||
|
|
@ -325,69 +314,86 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
"${serviceName}Web" = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString garageWebPort}" = { };
|
||||
};
|
||||
};
|
||||
"${serviceName}Admin" = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString garageAdminPort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${adminDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}Admin";
|
||||
};
|
||||
};
|
||||
};
|
||||
"*.${webDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}Web";
|
||||
};
|
||||
};
|
||||
};
|
||||
"${serviceDomain}" = {
|
||||
serverAliases = [ "*.${serviceDomain}" ];
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
client_body_timeout 600s;
|
||||
proxy_connect_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_request_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
"${serviceName}Web" = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString garageWebPort}" = { };
|
||||
};
|
||||
};
|
||||
"${serviceName}Admin" = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString garageAdminPort}" = { };
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${baseDomain}.subdomainRecords = {
|
||||
"${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"${subDomain}-admin" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"*.${subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
"*.${subDomain}-web" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
|
||||
};
|
||||
virtualHosts = {
|
||||
"${adminDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}Admin";
|
||||
};
|
||||
};
|
||||
};
|
||||
"*.${webDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}Web";
|
||||
};
|
||||
};
|
||||
};
|
||||
"${serviceDomain}" = {
|
||||
serverAliases = [ "*.${serviceDomain}" ];
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
client_body_timeout 600s;
|
||||
proxy_connect_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_request_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,12 @@
|
|||
{ self, lib, pkgs, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "homebox"; port = 7745; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
topology.self.services.${serviceName} = {
|
||||
name = "Homebox";
|
||||
info = "https://${serviceDomain}";
|
||||
|
|
@ -22,7 +19,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -45,30 +42,13 @@ in
|
|||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ inputs, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "hydra"; port = 8002; }) serviceName servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
in
|
||||
{
|
||||
|
|
@ -9,10 +10,6 @@ in
|
|||
};
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
|
||||
|
||||
globals = {
|
||||
|
|
@ -21,7 +18,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -114,32 +111,19 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
proxy_set_header X-Request-Base /hydra;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
proxy_set_header X-Request-Base /hydra;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,12 @@
|
|||
{ lib, pkgs, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "immich"; port = 3001; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
extraGroups = [ "video" "render" "users" ];
|
||||
};
|
||||
|
|
@ -23,7 +20,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -44,42 +41,26 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_redirect off;
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
send_timeout 600s;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_redirect off;
|
||||
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
send_timeout 600s;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,15 +1,12 @@
|
|||
{ pkgs, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "jellyfin"; port = 8096; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
extraGroups = [ "video" "render" "users" ];
|
||||
};
|
||||
|
|
@ -36,7 +33,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -51,31 +48,13 @@ in
|
|||
# openFirewall = true; # this works only for the default ports
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,22 +1,19 @@
|
|||
{ pkgs, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "jenkins"; port = 8088; }) servicePort serviceName serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
globals = {
|
||||
networks = {
|
||||
${webProxyIf}.hosts = lib.mkIf isProxied {
|
||||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -34,31 +31,13 @@ in
|
|||
home = "/Vault/apps/${serviceName}";
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,8 @@
|
|||
let
|
||||
certsSopsFile = self + /secrets/repo/certs.yaml;
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy homeProxyIf webProxyIf dnsServer;
|
||||
inherit (confLib.gen { name = "kanidm"; port = 8300; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy homeProxyIf webProxyIf dnsServer homeServiceAddress nginxAccessRules;
|
||||
|
||||
oauth2ProxyDomain = globals.services.oauth2-proxy.domain;
|
||||
immichDomain = globals.services.immich.domain;
|
||||
|
|
@ -31,9 +32,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users = {
|
||||
users.${serviceUser} = {
|
||||
|
|
@ -69,7 +67,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -396,34 +394,15 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
${serviceName}.serviceConfig.RestartSec = "30";
|
||||
systemd.services.${serviceName}.serviceConfig.RestartSec = "30";
|
||||
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; };
|
||||
${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; noSslVerify = true; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; };
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "https://${serviceName}";
|
||||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
proxy_ssl_verify off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,8 @@
|
|||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
|
||||
inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "kavita"; port = 8080; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
|
|
@ -11,9 +12,6 @@ in
|
|||
calibre
|
||||
];
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
extraGroups = [ "users" ];
|
||||
|
|
@ -34,7 +32,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -51,29 +49,13 @@ in
|
|||
dataDir = "/Vault/data/${serviceName}";
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, globals, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir homeDnsServer;
|
||||
inherit (confLib.gen { name = "kea"; dir = "/var/lib/private/kea"; }) serviceName serviceDir;
|
||||
inherit (confLib.static) homeDnsServer;
|
||||
dhcpX = intX:
|
||||
let
|
||||
x = builtins.toString intX;
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "koillection"; port = 2282; dir = "/Vault/data/koillection"; }) servicePort serviceName serviceUser serviceDir serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
serviceDB = "koillection";
|
||||
|
||||
postgresUser = config.systemd.services.postgresql.serviceConfig.User; # postgres
|
||||
|
|
@ -18,9 +19,6 @@ in
|
|||
postgresql = true;
|
||||
};
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
sops.secrets = {
|
||||
koillection-db-password = { inherit sopsFile; owner = postgresUser; group = postgresUser; mode = "0440"; };
|
||||
koillection-env-file = { inherit sopsFile; };
|
||||
|
|
@ -38,7 +36,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort postgresPort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort postgresPort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort postgresPort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -121,32 +119,22 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ self, lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
|
||||
inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
|
||||
inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
|
||||
baseDomain = globals.domains.main;
|
||||
|
||||
|
|
@ -15,11 +16,6 @@ in
|
|||
};
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
|
||||
"${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
globals.services = {
|
||||
${serviceName} = {
|
||||
domain = serviceDomain;
|
||||
|
|
@ -139,33 +135,21 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name ${roundcubeDomain};
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
|
||||
"${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
virtualHosts = {
|
||||
"${roundcubeDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "https://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
proxy_ssl_server_name on;
|
||||
proxy_ssl_name ${roundcubeDomain};
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ lib, config, pkgs, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "matrix"; user = "matrix-synapse"; port = 8008; }) servicePort serviceName serviceUser serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
federationPort = 8448;
|
||||
whatsappPort = 29318;
|
||||
|
|
@ -20,10 +21,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
matrix-synapse
|
||||
lottieconverter
|
||||
|
|
@ -97,7 +94,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort federationPort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -303,60 +300,72 @@ in
|
|||
# messages out after a while.
|
||||
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8448;
|
||||
ssl = true;
|
||||
extraParameters = [
|
||||
"default_server"
|
||||
];
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 8448;
|
||||
ssl = true;
|
||||
extraParameters = [
|
||||
"default_server"
|
||||
];
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
];
|
||||
locations = {
|
||||
"~ ^(/_matrix|/_synapse/client)" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8448;
|
||||
ssl = true;
|
||||
extraParameters = [
|
||||
"default_server"
|
||||
];
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 8448;
|
||||
ssl = true;
|
||||
extraParameters = [
|
||||
"default_server"
|
||||
];
|
||||
}
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
{
|
||||
addr = "[::0]";
|
||||
port = 443;
|
||||
ssl = true;
|
||||
}
|
||||
];
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"~ ^(/_matrix|/_synapse/client)" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
"= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
||||
"= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
||||
};
|
||||
};
|
||||
"= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
||||
"= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, dns, globals, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "microbin"; port = 8777; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
|
||||
|
|
@ -10,10 +11,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users = {
|
||||
groups.${serviceGroup} = { };
|
||||
|
||||
|
|
@ -56,7 +53,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -115,30 +112,12 @@ in
|
|||
{ directory = cfg.dataDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
|
||||
];
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 1G;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 1; maxBodyUnit = "G"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, pkgs, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6 isHome dnsServer;
|
||||
inherit (confLib.gen { name = "minecraft"; port = 25565; dir = "/opt/minecraft"; proxy = config.node.name; }) serviceName servicePort serviceDir serviceDomain proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome dnsServer;
|
||||
inherit (config.swarselsystems) mainUser;
|
||||
worldName = "${mainUser}craft";
|
||||
in
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "grafana"; port = 3000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
prometheusPort = 9090;
|
||||
prometheusUser = "prometheus";
|
||||
|
|
@ -18,10 +19,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
grafana-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
|
||||
|
|
@ -66,7 +63,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort prometheusPort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -222,42 +219,55 @@ in
|
|||
};
|
||||
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
"${grafanaUpstream}" = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfigPre: {
|
||||
upstreams = {
|
||||
"${grafanaUpstream}" = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
"${prometheusUpstream}" = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString prometheusPort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
"${prometheusUpstream}" = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString prometheusPort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${grafanaUpstream}";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
"/${prometheusWebRoot}" = {
|
||||
proxyPass = "http://${prometheusUpstream}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
extraConfig = extraConfigPre;
|
||||
locations =
|
||||
let
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
in
|
||||
{
|
||||
"/" = {
|
||||
proxyPass = "http://${grafanaUpstream}";
|
||||
proxyWebsockets = true;
|
||||
inherit extraConfig;
|
||||
};
|
||||
"/${prometheusWebRoot}" = {
|
||||
proxyPass = "http://${prometheusUpstream}";
|
||||
inherit extraConfig;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = genNginx homeServiceAddress nginxAccessRules;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,14 +1,12 @@
|
|||
{ pkgs, config, lib, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "navidrome"; port = 4040; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf nginxAccessRules homeServiceAddress;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
pciutils
|
||||
|
|
@ -47,7 +45,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -118,58 +116,69 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = true;
|
||||
oauth2.allowedGroups = [ "navidrome_access" ];
|
||||
locations =
|
||||
let
|
||||
extraConfig = ''
|
||||
proxy_redirect http:// https://;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
in
|
||||
{
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
inherit extraConfig;
|
||||
};
|
||||
"/share" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
inherit extraConfig;
|
||||
};
|
||||
"/rest" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
inherit extraConfig;
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfigPre: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2 = {
|
||||
enable = true;
|
||||
allowedGroups = [ "navidrome_access" ];
|
||||
};
|
||||
extraConfig = extraConfigPre;
|
||||
locations =
|
||||
let
|
||||
extraConfig = ''
|
||||
proxy_redirect http:// https://;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
in
|
||||
{
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
inherit extraConfig;
|
||||
};
|
||||
"/share" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
inherit extraConfig;
|
||||
};
|
||||
"/rest" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
proxyWebsockets = true;
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
inherit extraConfig;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,8 @@
|
|||
let
|
||||
inherit (config.repo.secrets.local.nextcloud) adminuser;
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome dnsServer webProxy;
|
||||
inherit (confLib.gen { name = "nextcloud"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome dnsServer webProxy homeWebProxy homeServiceAddress nginxAccessRules;
|
||||
|
||||
nextcloudVersion = "32";
|
||||
in
|
||||
|
|
@ -10,10 +11,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
nextcloud-admin-pw = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
|
||||
kanidm-nextcloud-client = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
|
||||
|
|
@ -50,30 +47,13 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf homeWebProxy oauthServer nginxAccessRules;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules;
|
||||
|
||||
kanidmDomain = globals.services.kanidm.domain;
|
||||
mainDomain = globals.domains.main;
|
||||
|
|
@ -139,7 +139,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
# needed for homeWebProxy
|
||||
networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
|
||||
globals = {
|
||||
networks = {
|
||||
|
|
@ -147,7 +148,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -207,39 +208,17 @@ in
|
|||
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
||||
'' + lib.optionalString (extraConfig != "") extraConfig;
|
||||
};
|
||||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = genNginx globals.hosts.${oauthServer}.wanAddress4 nginxAccessRules;
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceAddress serviceDomain serviceName extraConfig; protocol = "https"; };
|
||||
${homeWebProxy}.services.nginx = confLib.genNginx { inherit servicePort serviceDomain serviceName; protocol = "https"; extraConfig = extraConfig + nginxAccessRules; serviceAddress = globals.hosts.${oauthServer}.wanAddress4; };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ lib, pkgs, config, dns, globals, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "paperless"; port = 28981; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
tikaPort = 9998;
|
||||
gotenbergPort = 3002;
|
||||
|
|
@ -11,10 +12,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
extraGroups = [ "users" ];
|
||||
};
|
||||
|
|
@ -32,7 +29,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -109,35 +106,22 @@ in
|
|||
)
|
||||
'';
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
nodes =
|
||||
let
|
||||
extraConfigLoc = ''
|
||||
proxy_connect_timeout 300;
|
||||
proxy_send_timeout 300;
|
||||
proxy_read_timeout 300;
|
||||
send_timeout 300;
|
||||
'';
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName extraConfigLoc; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_send_timeout 300;
|
||||
proxy_read_timeout 300;
|
||||
send_timeout 300;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,7 +26,7 @@ in
|
|||
};
|
||||
|
||||
local-to-podman = {
|
||||
from = [ "local" "wgProxy" "wgHme" ];
|
||||
from = [ "local" "wgProxy" "wgHome" ];
|
||||
to = [ "podman" ];
|
||||
before = [ "drop" ];
|
||||
verdict = "accept";
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "radicale"; port = 8000; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
|
||||
cfg = config.services.${serviceName};
|
||||
|
|
@ -9,10 +10,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets.radicale-user = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
|
||||
|
||||
|
|
@ -40,7 +37,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -100,33 +97,13 @@ in
|
|||
|
||||
# networking.firewall.allowedTCPPorts = [ servicePort ];
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 16M;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 16; maxBodyUnit = "M"; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{ lib, config, globals, confLib, ... }:
|
||||
{ lib, config, globals, ... }:
|
||||
let
|
||||
serviceName = "router";
|
||||
bridgeVLANs = lib.mapAttrsToList
|
||||
|
|
@ -9,7 +9,7 @@ let
|
|||
selectVLANs = vlans: map (vlan: { VLAN = globals.networks.home-lan.vlans.${vlan}.id; }) vlans;
|
||||
lan5VLANs = selectVLANs [ "home" "devices" "guests" ];
|
||||
lan4VLANs = selectVLANs [ "home" "services" ];
|
||||
inherit (confLib.gen { }) homeDnsServer;
|
||||
inherit (globals.general) homeDnsServer;
|
||||
in
|
||||
{
|
||||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
|
|
@ -47,7 +47,7 @@ in
|
|||
|
||||
rules = {
|
||||
masquerade-internet = {
|
||||
from = map (name: "vlan-${name}") (globals.general.internetVLANs);
|
||||
from = map (name: "vlan-${name}") globals.general.internetVLANs;
|
||||
to = [ "untrusted" ];
|
||||
# masquerade = true; NOTE: custom rule below for ip4 + ip6
|
||||
late = true; # Only accept after any rejects have been processed
|
||||
|
|
@ -56,7 +56,7 @@ in
|
|||
|
||||
# Allow access to the AdGuardHome DNS server from any VLAN that has internet access
|
||||
access-adguardhome-dns = {
|
||||
from = map (name: "vlan-${name}") (globals.general.internetVLANs);
|
||||
from = map (name: "vlan-${name}") globals.general.internetVLANs;
|
||||
to = [ "adguardhome" ];
|
||||
verdict = "accept";
|
||||
};
|
||||
|
|
@ -94,7 +94,7 @@ in
|
|||
late = true;
|
||||
rules =
|
||||
lib.forEach
|
||||
(map (name: "vlan-${name}") (globals.general.internetVLANs))
|
||||
(map (name: "vlan-${name}") globals.general.internetVLANs)
|
||||
(
|
||||
zone:
|
||||
lib.concatStringsSep " " [
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, dns, globals, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "shlink"; port = 8081; dir = "/var/lib/shlink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
containerRev = "sha256:1a697baca56ab8821783e0ce53eb4fb22e51bb66749ec50581adc0cb6d031d7a";
|
||||
|
||||
|
|
@ -16,10 +17,6 @@ in
|
|||
podman = true;
|
||||
};
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
shlink-api = { inherit sopsFile; };
|
||||
|
|
@ -92,7 +89,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -101,26 +98,13 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, lib, config, dns, globals, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "slink"; port = 3000; dir = "/var/lib/slink"; }) servicePort serviceName serviceDomain serviceDir serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
containerRev = "sha256:98b9442696f0a8cbc92f0447f54fa4bad227af5dcfd6680545fedab2ed28ddd9";
|
||||
in
|
||||
|
|
@ -14,10 +15,6 @@ in
|
|||
podman = true;
|
||||
};
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers.${serviceName} = {
|
||||
image = "anirdev/slink@${containerRev}";
|
||||
environment = {
|
||||
|
|
@ -69,7 +66,7 @@ in
|
|||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy}.allowedTCPPorts = [ servicePort ];
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
|
|
@ -78,34 +75,48 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
nodes =
|
||||
let
|
||||
genNginx = toAddress: extraConfig: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${toAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = true;
|
||||
oauth2.allowedGroups = [ "slink_access" ];
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
"/image" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2 = {
|
||||
enable = true;
|
||||
allowedGroups = [ "slink_access" ];
|
||||
};
|
||||
inherit extraConfig;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
"/image" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
setOauth2Headers = false;
|
||||
bypassAuth = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = genNginx serviceAddress "";
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (genNginx homeServiceAddress nginxAccessRules);
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6 isHome webProxy dnsServer;
|
||||
inherit (confLib.gen { name = "snipeit"; port = 80; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy webProxyIf homeProxyIf dnsServer homeServiceAddress nginxAccessRules;
|
||||
# sopsFile = config.node.secretsDir + "/secrets2.yaml";
|
||||
inherit (config.swarselsystems) sopsFile;
|
||||
|
||||
|
|
@ -12,10 +13,6 @@ in
|
|||
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
snipe-it-appkey = { inherit sopsFile; owner = serviceUser; group = serviceGroup; mode = "0440"; };
|
||||
|
|
@ -24,9 +21,19 @@ in
|
|||
|
||||
topology.self.services.${serviceName}.info = "https://${serviceDomain}";
|
||||
|
||||
globals.services.${serviceName} = {
|
||||
domain = serviceDomain;
|
||||
inherit proxyAddress4 proxyAddress6 isHome;
|
||||
globals = {
|
||||
networks = {
|
||||
${webProxyIf}.hosts = lib.mkIf isProxied {
|
||||
${config.node.name}.firewallRuleForNode.${webProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy}.allowedTCPPorts = [ servicePort ];
|
||||
};
|
||||
};
|
||||
services.${serviceName} = {
|
||||
domain = serviceDomain;
|
||||
inherit proxyAddress4 proxyAddress6 isHome;
|
||||
};
|
||||
};
|
||||
|
||||
services.snipe-it = {
|
||||
|
|
@ -46,30 +53,13 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2.enable = false;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${serviceName}";
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain serviceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain serviceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,7 +1,8 @@
|
|||
{ lib, config, globals, dns, confLib, ... }:
|
||||
let
|
||||
inherit (config.swarselsystems.syncthing) serviceDomain;
|
||||
inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6 isHome isProxied homeProxy webProxy dnsServer homeProxyIf webProxyIf;
|
||||
inherit (confLib.gen { name = "syncthing"; port = 8384; }) servicePort serviceName serviceUser serviceGroup serviceAddress proxyAddress4 proxyAddress6;
|
||||
inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf homeServiceAddress nginxAccessRules;
|
||||
|
||||
specificServiceName = "${serviceName}-${config.node.name}";
|
||||
|
||||
|
|
@ -42,10 +43,6 @@ in
|
|||
};
|
||||
config = lib.mkIf config.swarselmodules.server.${serviceName} {
|
||||
|
||||
nodes.${dnsServer}.swarselsystems.server.dns.${globals.services.${specificServiceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${specificServiceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
|
||||
users.users.${serviceUser} = {
|
||||
extraGroups = [ "users" ];
|
||||
group = serviceGroup;
|
||||
|
|
@ -65,7 +62,7 @@ in
|
|||
};
|
||||
};
|
||||
${homeProxyIf}.hosts = lib.mkIf isHome {
|
||||
${config.node.name}.firewallRuleForNode.${homeProxy} = {
|
||||
${config.node.name}.firewallRuleForNode.${homeWebProxy} = {
|
||||
allowedTCPPorts = [ servicePort 20000 ];
|
||||
allowedUDPPorts = [ 20000 21027 ];
|
||||
};
|
||||
|
|
@ -131,30 +128,13 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
nodes.${webProxy}.services.nginx = {
|
||||
upstreams = {
|
||||
${specificServiceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://${specificServiceName}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 0;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
nodes = {
|
||||
${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
|
||||
"${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
|
||||
};
|
||||
${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; };
|
||||
${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceDomain; serviceName = specificServiceName; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +1,7 @@
|
|||
{ self, pkgs, lib, config, confLib, ... }:
|
||||
let
|
||||
inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain isHome;
|
||||
inherit (confLib.gen { name = "transmission"; }) serviceName serviceDomain;
|
||||
inherit (confLib.static) isHome;
|
||||
|
||||
lidarrUser = "lidarr";
|
||||
lidarrGroup = lidarrUser;
|
||||
|
|
|
|||
|
|
@ -35,11 +35,6 @@ in
|
|||
serviceProxy = proxy;
|
||||
proxyAddress4 = globals.hosts.${proxy}.wanAddress4 or null;
|
||||
proxyAddress6 = globals.hosts.${proxy}.wanAddress6 or null;
|
||||
inherit (globals.hosts.${config.node.name}) isHome;
|
||||
inherit (globals.general) homeProxy webProxy dnsServer homeDnsServer homeWebProxy idmServer;
|
||||
webProxyIf = "${webProxy}-wgProxy";
|
||||
homeProxyIf = "home-wgHome";
|
||||
isProxied = config.node.name != webProxy;
|
||||
};
|
||||
|
||||
static = rec {
|
||||
|
|
@ -97,6 +92,53 @@ in
|
|||
};
|
||||
}) else (_: { _ = { }; });
|
||||
|
||||
genNginx =
|
||||
{ serviceAddress
|
||||
, serviceName
|
||||
, serviceDomain
|
||||
, servicePort
|
||||
, protocol ? "http"
|
||||
, maxBody ? (-1)
|
||||
, maxBodyUnit ? ""
|
||||
, noSslVerify ? false
|
||||
, proxyWebsockets ? false
|
||||
, oauth2 ? false
|
||||
, oauth2Groups ? [ ]
|
||||
, extraConfig ? ""
|
||||
, extraConfigLoc ? ""
|
||||
}: {
|
||||
upstreams = {
|
||||
${serviceName} = {
|
||||
servers = {
|
||||
"${serviceAddress}:${builtins.toString servicePort}" = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
virtualHosts = {
|
||||
"${serviceDomain}" = {
|
||||
useACMEHost = globals.domains.main;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
oauth2 = {
|
||||
enable = lib.mkIf oauth2 true;
|
||||
allowedGroups = lib.mkIf (oauth2Groups != [ ]) oauth2Groups;
|
||||
};
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "${protocol}://${serviceName}";
|
||||
proxyWebsockets = lib.mkIf proxyWebsockets true;
|
||||
extraConfig = lib.optionalString (maxBody != (-1)) ''
|
||||
client_max_body_size ${builtins.toString maxBody}${maxBodyUnit};
|
||||
'' + extraConfigLoc;
|
||||
};
|
||||
};
|
||||
extraConfig = lib.optionalString noSslVerify ''
|
||||
proxy_ssl_verify off;
|
||||
'' + extraConfig;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue