author | Dominique Martinet @ jormungand <asmadeus@codewreck.org> | 2020-05-09 17:14:35 +0200 |
committer | Dominique Martinet @ jormungand <asmadeus@codewreck.org> | 2020-05-09 20:52:15 +0200 |
commit | 742a25ecd9d7a56cdf06060c2c5459db607ae58e (patch) | |
tree | f4458e0c395e92a4c4be9ac760f010d263f5ef59 /machines/jormungand | |
parent | 3f84829d2585c752220df44c796117cf3ea3bcee (diff) |
nginx: move from container to host + systemd.services.x.confinement
Also from this commit on, there are no secrets left!
If you read this: the mpd password has already been changed (and
was randomly generated anyway), so don't bother :P
Diffstat (limited to 'machines/jormungand')
-rw-r--r-- | machines/jormungand/configuration.nix | 3 | ||||
-rw-r--r-- | machines/jormungand/containers.nix | 55 | ||||
-rw-r--r-- | machines/jormungand/nginx.nix | 45 |
3 files changed, 47 insertions, 56 deletions
diff --git a/machines/jormungand/configuration.nix b/machines/jormungand/configuration.nix
index a1ad4ae..2bb93a7 100644
--- a/machines/jormungand/configuration.nix
+++ b/machines/jormungand/configuration.nix
@@ -5,9 +5,10 @@
 [
 ./hardware-configuration.nix
 ./network.nix
- ./containers.nix
 ../../modules/common.nix
 ../../modules/users.nix
+ ./nginx.nix
+ ./containers.nix
 ];
 
 boot.loader.grub.enable = true;
diff --git a/machines/jormungand/containers.nix b/machines/jormungand/containers.nix
index 29f201f..19e321c 100644
--- a/machines/jormungand/containers.nix
+++ b/machines/jormungand/containers.nix
@@ -21,61 +21,6 @@ let targetConfig = { }; in {
- containers.nginx = {
- autoStart = true;
- timeoutStartSec = "10m";
- config = { config, pkgs, ... }: targetConfig // {
- security.acme.acceptTerms = true;
- security.acme.email = "nrfhrvn.ztnnzq-nfp@noclue.notk.org";
- services.nginx = {
- enable = true;
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedProxySettings = true;
-
- virtualHosts."jormungand.codewreck.org" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:8080";
- };
- extraConfig = ''
- auth_basic "mpd";
- auth_basic_user_file /etc/nginx/mpd.htpasswd;
- '';
- };
-
- virtualHosts."matrix.codewreck.org" = {
- forceSSL = true;
- enableACME = true;
- locations."/".extraConfig = ''
- return 404;
- '';
- locations."/_matrix" = {
- proxyPass = "http://[::1]:8008";
- };
- };
-
- virtualHosts."riot.codewreck.org" = {
- forceSSL = true;
- enableACME = true;
- root = pkgs.riot-web.override {
- conf = {
- default_server_config."m.homeserver" = {
- "base_url" = "https://matrix.codewreck.org";
- "server_name" = "codewreck.org";
- };
- };
- };
- };
- };
- environment.etc."nginx/mpd.htpasswd".text = ''
- mpd:$6$jFVDaikg7ApzyPSe$ALjy6GmXV6XnKBuAbzRywqnUD/1ZNl50hLUOFIZ2dZuHVCLIzKr6WTl8x4KnCjOzDgIoS0udv7XPbDB6uyKXg/
- '';
- };
- };
-
 containers.mpd = {
 autoStart = true;
 timeoutStartSec = "10m";
diff --git a/machines/jormungand/nginx.nix b/machines/jormungand/nginx.nix
new file mode 100644
index 0000000..1e9bd7c
--- /dev/null
+++ b/machines/jormungand/nginx.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [ ../../modules/nginx.nix ];
+
+ services.nginx.virtualHosts = {
+ "jormungand.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8080";
+ };
+ # /var/spool/nginx/mpd.htpasswd has been populated manually
+ # until proper secrets get managed...
+ extraConfig = ''
+ auth_basic "mpd";
+ auth_basic_user_file /var/spool/nginx/mpd.htpasswd;
+ '';
+ };
+
+ "matrix.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008";
+ };
+ };
+
+ "riot.codewreck.org" = {
+ forceSSL = true;
+ enableACME = true;
+ root = pkgs.riot-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "https://matrix.codewreck.org";
+ "server_name" = "codewreck.org";
+ };
+ };
+ };
+ };
+ };
+} |
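Review bot: The `auth_basic_user_file /var/spool/nginx/mpd.htpasswd;` directive in the jormungand vhost depends on a file that nothing in this module creates, and the comment right above it says it was populated by hand; since the commit title also turns on `systemd.services.x.confinement` (presumably in ../../modules/nginx.nix, outside this diff), the confined nginx unit may not see /var/spool/nginx at all unless that path is deliberately exposed to it — worth confirming, because a missing or unreadable htpasswd file makes nginx answer that vhost with an error rather than falling open. The manual file should also be kept root-owned and readable only by the user nginx runs as, never placed in the store or tracked in git; extending the comment to `# expected mode 0640, owned by root, readable by the nginx user; never commit it` would record that expectation next to the directive. Separately, `security.acme.acceptTerms` and `security.acme.email`, which the removed container config set, do not appear here; if they did not move into ../../modules/nginx.nix, the `enableACME = true;` entries will likely fail the acceptTerms assertion at evaluation time.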