coolneng
/
zion
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move web services to subdomains

This commit is contained in:
coolneng 2020-08-24 15:07:55 +02:00
parent 408f724669
commit 351926fb16
Signed by: coolneng
GPG Key ID: 9893DA236405AF57
2 changed files with 70 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
modules/devops.nix
View File

@ -1,16 +1,13 @@
# Software development configuration
{ config, pkgs, lib, ... }:
{
{ config, pkgs, lib, ... }: {
environment.systemPackages = with pkgs; [
gitea
];
environment.systemPackages = with pkgs; [ gitea ];
# Gitea setup with daily backup
services.gitea = {
enable = true;
domain = "coolneng.duckdns.org";
rootUrl = "https://coolneng.duckdns.org/gitea";
domain = "git.coolneng.duckdns.org";
rootUrl = "https://git.coolneng.duckdns.org";
database = {
type = "postgres";
passwordFile = "/var/keys/gitea/db";
@ -19,8 +16,6 @@
disableRegistration = true;
repositoryRoot = "/vault/git";
appName = "Gitea";
dump = {
enable = false;
};
dump = { enable = false; };
};
}

71
modules/webstack.nix
View File

@ -1,6 +1,5 @@
# LEPP stack configuration
{ config, pkgs, lib, ... }:
{
# Web services configuration
{ config, pkgs, lib, ... }: {
environment.systemPackages = with pkgs; [
nginx
@ -16,7 +15,8 @@
recommendedProxySettings = true;
recommendedOptimisation = true;
clientMaxBodySize = "0";
sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslCiphers =
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
sslProtocols = "TLSv1.2 TLSv1.3";
sslDhparam = "/var/lib/dhparams/nginx.pem";
commonHttpConfig = ''
@ -50,27 +50,46 @@
"coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
sslCertificate = "/var/lib/acme/coolneng.duckdns.org/fullchain.pem";
sslCertificateKey = "/var/lib/acme/coolneng.duckdns.org/key.pem";
locations."/radicale/" = {
return = "301 https://radicale.coolneng.duckdns.org";
};
locations."/syncthing/" = {
return = "301 https://sync.coolneng.duckdns.org";
};
locations."/gitea/" = {
extraConfig =
"rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
};
locations."/miniflux/" = {
extraConfig =
"rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
};
};
"radicale.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:5232/";
extraConfig = ''
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Script-Name /;
proxy_pass_header Authorization;
'';
};
locations."/syncthing/" = {
proxyPass = "http://localhost:8384/";
};
locations."/gitea/" = {
proxyPass = "http://localhost:3000/";
"sync.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://localhost:8384/"; };
};
locations."/miniflux/" = {
proxyPass = "http://localhost:8080/miniflux/";
};
locations."/wallabag/" = {
proxyPass = "http://localhost:8081/";
"git.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://localhost:3000/"; };
};
"rss.coolneng.duckdns.org" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://localhost:8080/"; };
};
};
};
@ -81,7 +100,12 @@
email = "akasroua@gmail.com";
certs = {
"coolneng.duckdns.org" = {
postRun = "systemctl reload nginx.service";
extraDomains = {
"radicale.coolneng.duckdns.org" = null;
"sync.coolneng.duckdns.org" = null;
"git.coolneng.duckdns.org" = null;
"rss.coolneng.duckdns.org" = null;
};
};
};
};
@ -100,11 +124,11 @@
ensureUsers = [
{
name = "gitea";
ensurePermissions = {"DATABASE gitea" = "ALL PRIVILEGES";};
ensurePermissions = { "DATABASE gitea" = "ALL PRIVILEGES"; };
}
{
name = "wallabag";
ensurePermissions = {"DATABASE wallabag" = "ALL PRIVILEGES";};
ensurePermissions = { "DATABASE wallabag" = "ALL PRIVILEGES"; };
}
];
authentication = lib.mkForce ''
@ -132,11 +156,16 @@
enable = true;
adminCredentialsFile = "/var/keys/miniflux/admin";
config = {
BASE_URL = "https://coolneng.duckdns.org/miniflux/";
BASE_URL = "https://rss.coolneng.duckdns.org";
RUN_MIGRATIONS = "1";
};
};
# Restart reverse proxy after services startup
systemd.services.nginx.after = [ "gitea.service" "syncthing.service" "miniflux.service" "radicale.service" ];
systemd.services.nginx.after = [
"gitea.service"
"syncthing.service"
"miniflux.service"
"radicale.service"
];
}