From 9d600f8c95939b7c3463103bcea1172dfc7721b0 Mon Sep 17 00:00:00 2001 From: coolneng Date: Tue, 16 Jul 2024 19:02:25 +0200 Subject: [PATCH] Revert "Set up CGM repository" --- modules/containers.nix | 28 ---------------------------- modules/periodic.nix | 15 ++++++++++++--- modules/webstack.nix | 36 ++++++++++++++---------------------- scripts/motd.sh | 1 - secrets/nightscout.age | Bin 477 -> 0 bytes secrets/secrets.nix | 7 +++---- 6 files changed, 29 insertions(+), 58 deletions(-) delete mode 100644 secrets/nightscout.age diff --git a/modules/containers.nix b/modules/containers.nix index 00f6d89..c3fbca9 100644 --- a/modules/containers.nix +++ b/modules/containers.nix @@ -38,38 +38,10 @@ ports = [ "127.0.0.1:9641:9641" ]; volumes = [ "/vault/mqtt2prometheus/config.yaml:/config.yaml" ]; }; - # CGM repository - nightscout = { - image = - "nightscout/cgm-remote-monitor@sha256:ce522a9fe9b1373f576329e48349a622c8a9b6177c93dc2771152df36dd90876"; - environmentFiles = [ config.age.secrets.nightscout.path ]; - extraOptions = [ "--pod=cgm-repo" ]; - dependsOn = [ "mongodb" ]; - }; - # CGM repository database - mongodb = { - image = - "mongo:4.4.9@sha256:0837a92d01bcc8c750a8d692ed4df33f0befd07ef261b23e7d9feda04bacd3eb"; - volumes = [ "/vault/mongodb:/data/db" ]; - extraOptions = [ "--pod=cgm-repo" ]; - }; }; }; }; - # Allow networking between Cgm-Repo and MongoDB - systemd.services.create-cgm-repo-pod = { - serviceConfig.Type = "oneshot"; - wantedBy = [ "podman-mongodb.service" ]; - script = with pkgs; '' - ${podman}/bin/podman pod exists cgm-repo || ${podman}/bin/podman pod create -n cgm-repo -p '127.0.0.1:1337:1337' - ''; - }; - # Start services after ZFS mount - systemd.services.podman-mongodb.unitConfig.RequiresMountsFor = - [ /vault/mongodb ]; - systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = - [ /vault/mqtt2prometheus ]; systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ]; } 
diff --git a/modules/periodic.nix b/modules/periodic.nix index a1418e4..a6470b2 100644 --- a/modules/periodic.nix +++ b/modules/periodic.nix @@ -1,10 +1,16 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let stateDir = "/var/lib/dnscrypt-proxy"; blocklist = "${stateDir}/blocklist.txt"; -in { +in +{ # PostgreSQL daily backups services.postgresqlBackup = { enable = true; @@ -18,7 +24,10 @@ in { systemd.services.download-dns-blocklist = { description = "Download hosts-blocklists"; wantedBy = [ "default.target" ]; - path = with pkgs; [ curl coreutils ]; + path = with pkgs; [ + curl + coreutils + ]; script = '' curl -L https://download.dnscrypt.info/blacklists/domains/mybase.txt -o ${blocklist} ''; diff --git a/modules/webstack.nix b/modules/webstack.nix index ae2423c..5463d46 100644 --- a/modules/webstack.nix +++ b/modules/webstack.nix @@ -1,5 +1,11 @@ # Web services configuration -{ config, pkgs, lib, ... }: { +{ + config, + pkgs, + lib, + ... +}: +{ # Reverse proxy configuration services.nginx = { 
@@ -9,8 +15,7 @@
 recommendedProxySettings = true;
 recommendedOptimisation = true;
 clientMaxBodySize = "0";
- sslCiphers =
- "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
+ sslCiphers = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!AES128";
 sslProtocols = "TLSv1.2 TLSv1.3";
 sslDhparam = "/var/lib/dhparams/nginx.pem";
 commonHttpConfig = ''
@@ -36,10 +41,8 @@
 locations = {
 "/radicale/".return = "301 https://radicale.coolneng.duckdns.org";
 "/syncthing/".return = "301 https://sync.coolneng.duckdns.org";
- "/gitea/".extraConfig =
- "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
- "/miniflux/".extraConfig =
- "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
+ "/gitea/".extraConfig = "rewrite ^/gitea/(.*)$ https://git.coolneng.duckdns.org/$1 last;";
+ "/miniflux/".extraConfig = "rewrite ^/miniflux/(.*)$ https://rss.coolneng.duckdns.org/$1 last;";
 # Delegation for Matrix
 "/.well-known/" = {
 alias = "${../well-known}" + "/";
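Review bot: The `sslCiphers` string re-emitted in the `@@ -9,8 +15,7 @@` hunk of modules/webstack.nix ends in `!AES128`, which in OpenSSL cipher-string syntax permanently removes every AES-128 suite, so about half of the entries listed before it can never be negotiated and the list reads as broader than what the server actually offers. What is left for TLS 1.2 appears to be the AES-256 GCM suites plus several CBC-mode suites and two `DHE-DSS` entries that only apply when a DSA certificate is configured. Since `sslProtocols` already restricts the server to TLS 1.2 and 1.3, consider trimming the string to the AEAD suites you intend to offer, or at least placing a comment above it such as `# Effective set is AES-256 only: the trailing !AES128 drops every AES128 entry`. The enclosing `services.nginx` block starts and ends outside this hunk, so any cipher override elsewhere in the file is not visible here.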
@@ -111,8 +114,7 @@ ssl = true; } ]; - locations."~ ^(/_matrix|/_synapse/client)".proxyPass = - "http://localhost:8008"; + locations."~ ^(/_matrix|/_synapse/client)".proxyPass = "http://localhost:8008"; }; "element.coolneng.duckdns.org" = { useACMEHost = "coolneng.duckdns.org"; @@ -165,16 +167,6 @@ proxyWebsockets = true; }; }; - "nightscout.coolneng.duckdns.org" = { - useACMEHost = "coolneng.duckdns.org"; - forceSSL = true; - locations."/" = { - proxyPass = "http://localhost:1337"; - extraConfig = '' - proxy_set_header X-Forwarded-For $remote_addr; - ''; - }; - }; }; }; @@ -188,9 +180,9 @@ webroot = "/var/lib/acme/acme-challenge"; ocspMustStaple = true; }; - certs."coolneng.duckdns.org".extraDomainNames = - lib.attrsets.mapAttrsToList (name: value: "${name}") - config.services.nginx.virtualHosts; + certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList ( + name: value: "${name}" + ) config.services.nginx.virtualHosts; }; # Generate dhparams diff --git a/scripts/motd.sh b/scripts/motd.sh index bb2a38b..22e7311 100755 --- a/scripts/motd.sh +++ b/scripts/motd.sh @@ -37,7 +37,6 @@ services=( "podman-mqtt2prometheus.service" "prometheus.service" "grafana.service" - "podman-nightscout.service" ) for var in "${services[@]}"; do diff --git a/secrets/nightscout.age b/secrets/nightscout.age deleted file mode 100644 index 064638cddc801476f28d7661508acf5cfd2b861a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 477 zcmV<30V4ikXJsvAZewzJaCB*JZZ2Kb7V(QW^7Djax_(LMJqRVLNqlsM{hKDc}+@kIAUdZMo4T-cxwtsZh1FtOJ_oG zSyfqDbyGxfGjnuIaaL_LYfff2NOg8}VR3F(OKL(?Lw5=-J|HPrW-VuOWnpt=AZKBC zb|q(NL<%`qbU068PB&*(P)K-sS50|sOhR}?R6}q_K`S_JZ$~skLv43)X>2iaIB_^h zWJX#=WluSDN=^zbEiE89N@j0GM{qJnPIO0WO?P2pRCG#ER%bbCXH98LWlvBxZck5X zPA@TcG%yNrdx%*8z2~IOfEW+R^Pk6%Wc<+(z*Ak#PU_s%>YXyKGKaO+4lmwB&Dipb z7TQ^aWT|I_RDyP7NEyr{y%ZEXNF&@8>}-|0y>U^&QdHxw5X6^cmK>%_lZ$Al3tM=x z41{qgMI`QwdO!%9L01xCTNH-^=-4BB2R|I}Za3lD?}Fwb+*IH4