authorDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-05-09 17:14:35 +0200
committerDominique Martinet @ jormungand <asmadeus@codewreck.org>2020-05-09 20:52:15 +0200
commit742a25ecd9d7a56cdf06060c2c5459db607ae58e (patch)
treef4458e0c395e92a4c4be9ac760f010d263f5ef59 /machines/jormungand
parent3f84829d2585c752220df44c796117cf3ea3bcee (diff)
nginx: move from container to host + systemd.services.x.confinement
Also from this commit on, there are no secrets left! If you read this, mpd password has been changed and was randomly generated anyway, don't bother :P
Diffstat (limited to 'machines/jormungand')
-rw-r--r--machines/jormungand/configuration.nix3
-rw-r--r--machines/jormungand/containers.nix55
-rw-r--r--machines/jormungand/nginx.nix45
3 files changed, 47 insertions, 56 deletions
diff --git a/machines/jormungand/configuration.nix b/machines/jormungand/configuration.nix
index a1ad4ae..2bb93a7 100644
--- a/machines/jormungand/configuration.nix
+++ b/machines/jormungand/configuration.nix
@@ -5,9 +5,10 @@
[
./hardware-configuration.nix
./network.nix
- ./containers.nix
../../modules/common.nix
../../modules/users.nix
+ ./nginx.nix
+ ./containers.nix
];
boot.loader.grub.enable = true;
diff --git a/machines/jormungand/containers.nix b/machines/jormungand/containers.nix
index 29f201f..19e321c 100644
--- a/machines/jormungand/containers.nix
+++ b/machines/jormungand/containers.nix
@@ -21,61 +21,6 @@ let targetConfig = {
}; in
{
- containers.nginx = {
- autoStart = true;
- timeoutStartSec = "10m";
- config = { config, pkgs, ... }: targetConfig // {
- security.acme.acceptTerms = true;
- security.acme.email = "nrfhrvn.ztnnzq-nfp@noclue.notk.org";
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
-
- virtualHosts."jormungand.codewreck.org" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8080";
- };
- extraConfig = ''
- auth_basic "mpd";
- auth_basic_user_file /etc/nginx/mpd.htpasswd;
- '';
- };
-
- virtualHosts."matrix.codewreck.org" = {
- forceSSL = true;
- enableACME = true;
- locations."/".extraConfig = ''
- return 404;
- '';
- locations."/_matrix" = {
- proxyPass = "http://[::1]:8008";
- };
- };
-
- virtualHosts."riot.codewreck.org" = {
- forceSSL = true;
- enableACME = true;
- root = pkgs.riot-web.override {
- conf = {
- default_server_config."m.homeserver" = {
- "base_url" = "https://matrix.codewreck.org";
- "server_name" = "codewreck.org";
- };
- };
- };
- };
- };
- environment.etc."nginx/mpd.htpasswd".text = ''
- mpd:$6$jFVDaikg7ApzyPSe$ALjy6GmXV6XnKBuAbzRywqnUD/1ZNl50hLUOFIZ2dZuHVCLIzKr6WTl8x4KnCjOzDgIoS0udv7XPbDB6uyKXg/
- '';
- };
- };
-
containers.mpd = {
autoStart = true;
timeoutStartSec = "10m";
diff --git a/machines/jormungand/nginx.nix b/machines/jormungand/nginx.nix
new file mode 100644
index 0000000..1e9bd7c
--- /dev/null
+++ b/machines/jormungand/nginx.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ../../modules/nginx.nix ];
+
+ services.nginx.virtualHosts = {
+ "jormungand.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ };
+ # /var/spool/nginx/mpd.htpasswd has been populated manually
+ # until proper secrets get managed...
+ extraConfig = ''
+ auth_basic "mpd";
+ auth_basic_user_file /var/spool/nginx/mpd.htpasswd;
+ '';
+ };
+
+ "matrix.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008";
+ };
+ };
+
+ "riot.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ root = pkgs.riot-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "https://matrix.codewreck.org";
+ "server_name" = "codewreck.org";
+ };
+ };
+ };
+ };
+ };
+}
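Review bot: The `auth_basic_user_file` line for jormungand.codewreck.org depends on `/var/spool/nginx/mpd.htpasswd`, a hand-created file whose owner and mode are not recorded anywhere in this module. If `/var/spool/nginx` is nginx's own writable state directory (it looks that way, but the confinement set up in `../../modules/nginx.nix` is not visible here), the nginx user could rewrite the credential file it authenticates against. The file should be root-owned and only group-readable by nginx, or be exposed to the service through a read-only path. Until secrets are managed declaratively, extend the comment above `extraConfig` to something like `# must be created by hand on every new host: root:nginx, mode 0640, never writable by the nginx user`. A freshly rebuilt host will start without the file, so the mpd vhost should refuse requests rather than open up, but that is worth checking once after deployment.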