Move web services to subdomains

This commit is contained in:
coolneng 2020-08-24 15:07:55 +02:00
parent 408f724669
commit 351926fb16
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
2 changed files with 70 additions and 46 deletions

View File

@ -1,16 +1,13 @@
# Software development configuration # Software development configuration
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }: {
{
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [ gitea ];
gitea
];
# Gitea setup with daily backup # Gitea setup with daily backup
services.gitea = { services.gitea = {
enable = true; enable = true;
domain = "coolneng.duckdns.org"; domain = "git.coolneng.duckdns.org";
rootUrl = "https://coolneng.duckdns.org/gitea"; rootUrl = "https://git.coolneng.duckdns.org";
database = { database = {
type = "postgres"; type = "postgres";
passwordFile = "/var/keys/gitea/db"; passwordFile = "/var/keys/gitea/db";
@ -19,8 +16,6 @@
disableRegistration = true; disableRegistration = true;
repositoryRoot = "/vault/git"; repositoryRoot = "/vault/git";
appName = "Gitea"; appName = "Gitea";
dump = { dump = { enable = false; };
enable = false;
};
}; };
} }

View File

@ -1,6 +1,5 @@
# LEPP stack configuration # Web services configuration
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }: {
{
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
nginx nginx
@ -16,7 +15,8 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
clientMaxBodySize = "0"; clientMaxBodySize = "0";
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128"; sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3"; sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem"; sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = '' commonHttpConfig = ''
@ -50,27 +50,46 @@
"coolneng.duckdns.org" = { "coolneng.duckdns.org" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";
sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";
locations."/radicale/" = { locations."/radicale/" = {
return = "301 https://radicale.coolneng.duckdns.org";
};
locations."/syncthing/" = {
return = "301 https://sync.coolneng.duckdns.org";
};
locations."/gitea/" = {
extraConfig =
"rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
};
locations."/miniflux/" = {
extraConfig =
"rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
};
};
"radicale.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:5232/"; proxyPass = "http://localhost:5232/";
extraConfig = '' extraConfig = ''
proxy_set_header X-Script-Name /radicale; proxy_set_header X-Script-Name /;
proxy_pass_header Authorization; proxy_pass_header Authorization;
''; '';
}; };
locations."/syncthing/" = {
proxyPass = "http://localhost:8384/";
}; };
locations."/gitea/" = { "sync.coolneng.duckdns.org" = {
proxyPass = "http://localhost:3000/"; enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://localhost:8384/"; };
}; };
locations."/miniflux/" = { "git.coolneng.duckdns.org" = {
proxyPass = "http://localhost:8080/miniflux/"; enableACME = true;
}; forceSSL = true;
locations."/wallabag/" = { locations."/" = { proxyPass = "http://localhost:3000/"; };
proxyPass = "http://localhost:8081/";
}; };
"rss.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://localhost:8080/"; };
}; };
}; };
}; };
@ -81,7 +100,12 @@
email = "akasroua@gmail.com"; email = "akasroua@gmail.com";
certs = { certs = {
"coolneng.duckdns.org" = { "coolneng.duckdns.org" = {
postRun = "systemctl reload nginx.service"; extraDomains = {
"radicale.coolneng.duckdns.org" = null;
"sync.coolneng.duckdns.org" = null;
"git.coolneng.duckdns.org" = null;
"rss.coolneng.duckdns.org" = null;
};
}; };
}; };
}; };
@ -132,11 +156,16 @@
enable = true; enable = true;
adminCredentialsFile = "/var/keys/miniflux/admin"; adminCredentialsFile = "/var/keys/miniflux/admin";
config = { config = {
BASE_URL = "https://coolneng.duckdns.org/miniflux/"; BASE_URL = "https://rss.coolneng.duckdns.org";
RUN_MIGRATIONS = "1"; RUN_MIGRATIONS = "1";
}; };
}; };
# Restart reverse proxy after services startup # Restart reverse proxy after services startup
systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ]; systemd.services.nginx.after = [
"gitea.service"
"syncthing.service"
"miniflux.service"
"radicale.service"
];
} }