diff --git a/modules/devops.nix b/modules/devops.nix
index c930cb9..155b11e 100644
--- a/modules/devops.nix
+++ b/modules/devops.nix
@@ -1,16 +1,13 @@
 # Software development configuration
-{ config, pkgs, lib, ... }:
-{
+{ config, pkgs, lib, ... }: {
- environment.systemPackages = with pkgs; [
- gitea
- ];
+ environment.systemPackages = with pkgs; [ gitea ];
 # Gitea setup with daily backup
 services.gitea = {
 enable = true;
- domain = "coolneng.duckdns.org";
- rootUrl = "https://coolneng.duckdns.org/gitea";
+ domain = "git.coolneng.duckdns.org";
+ rootUrl = "https://git.coolneng.duckdns.org";
 database = {
 type = "postgres";
 passwordFile = "/var/keys/gitea/db";
@@ -19,8 +16,6 @@
 disableRegistration = true;
 repositoryRoot = "/vault/git";
 appName = "Gitea";
- dump = {
- enable = false;
- };
+ dump = { enable = false; };
 };
 }
diff --git a/modules/webstack.nix b/modules/webstack.nix
index 29e3e4e..7d41746 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -1,6 +1,5 @@
-# LEPP stack configuration
-{ config, pkgs, lib, ... }:
-{
+# Web services configuration
+{ config, pkgs, lib, ... }: {
 environment.systemPackages = with pkgs; [
 nginx
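Review bot: `rootUrl = "https://git.coolneng.duckdns.org"` drops the trailing slash that the old path-based value carried; Gitea documents ROOT_URL as a URL ending in `/`, and whether a bare origin is normalised depends on the Gitea version packaged, so `rootUrl = "https://git.coolneng.duckdns.org/";` is the safer form. The domain move also changes the host Gitea advertises for SSH clone URLs (SSH_DOMAIN defaults to DOMAIN), which is only correct once `git.coolneng.duckdns.org` resolves to this machine, so the DNS record should exist before this is deployed rather than after. The enclosing `services.gitea` attribute set continues past the hunk.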
@@ -16,7 +15,8 @@
 recommendedProxySettings = true;
 recommendedOptimisation = true;
 clientMaxBodySize = "0";
- sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+ sslCiphers =
+ "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
 sslProtocols = "TLSv1.2 TLSv1.3";
 sslDhparam = "/var/lib/dhparams/nginx.pem";
 commonHttpConfig = ''
@@ -50,27 +50,46 @@
 "coolneng.duckdns.org" = {
 enableACME = true;
 forceSSL = true;
- sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";
 locations."/radicale/" = {
+ return = "301 https://radicale.coolneng.duckdns.org";
+ };
+ locations."/syncthing/" = {
+ return = "301 https://sync.coolneng.duckdns.org";
+ };
+ locations."/gitea/" = {
+ extraConfig =
+ "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
+ };
+ locations."/miniflux/" = {
+ extraConfig =
+ "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+ };
+ };
+ "radicale.coolneng.duckdns.org" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
 proxyPass = "http://localhost:5232/";
 extraConfig = ''
- proxy_set_header X-Script-Name /radicale;
+ proxy_set_header X-Script-Name /;
 proxy_pass_header Authorization;
 '';
 };
- locations."/syncthing/" = {
- proxyPass = "http://localhost:8384/";
- };
- locations."/gitea/" = {
- proxyPass = "http://localhost:3000/";
- };
- locations."/miniflux/" = {
- proxyPass = "http://localhost:8080/miniflux/";
- };
- locations."/wallabag/" = {
- proxyPass = "http://localhost:8081/";
- };
+ };
+ "sync.coolneng.duckdns.org" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://localhost:8384/"; };
+ };
+ "git.coolneng.duckdns.org" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://localhost:3000/"; };
+ };
+ "rss.coolneng.duckdns.org" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = { proxyPass = "http://localhost:8080/"; };
 };
 };
 };
@@ -81,7 +100,12 @@
 email = "akasroua@gmail.com";
 certs = {
 "coolneng.duckdns.org" = {
- postRun = "systemctl reload nginx.service";
+ extraDomains = {
+ "radicale.coolneng.duckdns.org" = null;
+ "sync.coolneng.duckdns.org" = null;
+ "git.coolneng.duckdns.org" = null;
+ "rss.coolneng.duckdns.org" = null;
+ };
 };
 };
 };
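Review bot: The four legacy-path redirects are not equivalent: `/radicale/` and `/syncthing/` use `return 301` to the bare new origin, so a request for `/radicale/user/calendar/` lands on `/` of the new host and every CalDAV or sync client still configured with an old deep URL breaks, whereas `/gitea/` and `/miniflux/` use `rewrite … last`, which for an absolute `https://` replacement makes nginx answer with a 302 (temporary) redirect that does keep the sub-path. Using the rewrite form for all four with the `permanent` flag keeps the path and tells clients and caches the move is final, e.g. `extraConfig = "rewrite ^/radicale/(.*)$ https://radicale.coolneng.duckdns.org/$1 permanent;";`. The `/wallabag/` proxy location is removed with no replacement vhost while the postgres hunk further down still ensures the `wallabag` database and user, so either wallabag is being retired (then those should go too) or it has lost its public endpoint by accident. The enclosing `services.nginx.virtualHosts` set starts before the hunk.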
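Review bot: `extraDomains` adds the four subdomains as SANs of the `coolneng.duckdns.org` certificate, but each subdomain vhost in the previous hunk also sets `enableACME = true`, which makes the nginx module request a separate certificate for that host and serve it from `/var/lib/acme/<host>/`; the SAN entries are therefore never used, and five issuances instead of one count against the Let's Encrypt rate limits on every renewal. Either drop `extraDomains`, or keep the single SAN certificate and replace `enableACME = true;` on the four subdomain vhosts with `useACMEHost = "coolneng.duckdns.org";` (if the nixpkgs revision in use has that option). Removing `postRun = "systemctl reload nginx.service"` is only safe because the nginx module registers its own reload for hosts it manages certificates for; if the SAN certificate is kept without any nginx vhost referencing it, a renewal would no longer trigger a reload, so confirm the reload hook survives whichever of the two shapes is chosen.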
@@ -99,32 +123,32 @@
 ensureDatabases = [ "gitea" "wallabag" ];
 ensureUsers = [
 {
- name = "gitea";
- ensurePermissions = {"DATABASE gitea" = "ALL PRIVILEGES";};
+ name = "gitea";
+ ensurePermissions = { "DATABASE gitea" = "ALL PRIVILEGES"; };
 }
 {
- name = "wallabag";
- ensurePermissions = {"DATABASE wallabag" = "ALL PRIVILEGES";};
+ name = "wallabag";
+ ensurePermissions = { "DATABASE wallabag" = "ALL PRIVILEGES"; };
 }
 ];
 authentication = lib.mkForce ''
- # Generated file; do not edit!
- # TYPE DATABASE USER ADDRESS METHOD
- local all all trust
- host all all 127.0.0.1/32 trust
- host all all ::1/128 trust
+ # Generated file; do not edit!
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
 '';
 identMap = ''
- gitea-users gitea gitea
+ gitea-users gitea gitea
 '';
 };
 # PostgreSQL daily backups
 services.postgresqlBackup = {
- enable = true;
- backupAll = true;
- location = "/vault/backups/zion/databases";
- startAt = "*-*-* 05:15:00";
+ enable = true;
+ backupAll = true;
+ location = "/vault/backups/zion/databases";
+ startAt = "*-*-* 05:15:00";
 };
 # Miniflux configuration
@@ -132,11 +156,16 @@
 enable = true;
 adminCredentialsFile = "/var/keys/miniflux/admin";
 config = {
- BASE_URL = "https://coolneng.duckdns.org/miniflux/";
+ BASE_URL = "https://rss.coolneng.duckdns.org";
 RUN_MIGRATIONS = "1";
 };
 };
 # Restart reverse proxy after services startup
- systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ];
+ systemd.services.nginx.after = [
+ "gitea.service"
+ "syncthing.service"
+ "miniflux.service"
+ "radicale.service"
+ ];
 }
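Review bot: The comment kept above the reformatted `systemd.services.nginx.after` list promises that the reverse proxy is restarted after the services start, but `after` only orders nginx's own start behind those units on boot; it neither pulls them in nor restarts nginx when one of them restarts, so a reader trusting the comment expects behaviour the directive does not provide. Reword it to `# Start the reverse proxy only after the proxied services` and, if a real dependency is wanted, add `wants` for the same units rather than relying on `after` alone. `BASE_URL` for Miniflux now points at the bare `rss.` origin, which matches the new `rss.coolneng.duckdns.org` vhost proxying to `http://localhost:8080/` in the earlier hunk, so that part is consistent.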