From 7bd24122d663d65693aecef100266f90529136e2 Mon Sep 17 00:00:00 2001 From: Noa Aarts Date: Tue, 27 Aug 2024 09:07:06 +0200 Subject: [PATCH] feat: redo websites --- hosts/default/configuration.nix | 214 ++++++++++++++++++++------------ hosts/default/home.nix | 2 + hosts/server/configuration.nix | 31 +++++ modules/websites/default.nix | 15 ++- 4 files changed, 180 insertions(+), 82 deletions(-) diff --git a/hosts/default/configuration.nix b/hosts/default/configuration.nix index d604d28..b114c56 100644 --- a/hosts/default/configuration.nix +++ b/hosts/default/configuration.nix @@ -9,56 +9,11 @@ # Include the results of the hardware scan. ./hardware-configuration.nix ../../modules/games/steam.nix - ../../modules/websites ../../modules/plasma ../../common ]; - boot = rec { - kernelPackages = pkgs.linuxPackages_latest; - extraModulePackages = with kernelPackages; [ - v4l2loopback - ]; - consoleLogLevel = 0; - initrd.verbose = false; - plymouth = rec { - enable = true; - theme = "colorful"; - themePackages = [ (pkgs.adi1090x-plymouth-themes.override { selected_themes = [ theme ]; }) ]; - }; - kernelParams = [ - "quiet" - "splash" - "boot.shell_on_fail" - "i915.fastboot=1" - "loglevel=3" - "rd.systemd.show_status=false" - "rd.udev.log_level=3" - "udev.log_priority=3" - ]; - - kernelModules = [ - "v4l2loopback" - "nct6775" - "k10temp" - ]; - - extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=2 card_label="OBS Cam" exclusive_caps=1 - ''; - - loader = { - timeout = 3; - efi.canTouchEfiVariables = true; - systemd-boot = { - enable = true; - editor = false; - configurationLimit = 100; - }; - }; - }; - @@ -174,6 +129,7 @@ programs.gnupg.agent = { enable = true; enableSSHSupport = true; + pinentryPackage = pkgs.pinentry-curses; }; xdg.portal.enable = true; 
@@ -197,43 +153,57 @@ modules = { games.steam.enable = true; plasma.enable = true; - websites = { - enable = true; - certMail = "acme@voorwaarts.nl"; - mainDomains = { - "noa.voorwaarts.nl" = { - enable = true; - proxy = "http://127.0.0.1:5000/"; - extra_sites = { - "images.noa.voorwaarts.nl" = { - enable = true; - proxy = "http://127.0.0.1:2283/"; - }; - "testing.noa.voorwaarts.nl" = { - enable = true; - proxy = "http://127.0.0.1:8000/"; - }; - "sods.noa.voorwaarts.nl" = { - enable = false; - proxy = "http://127.0.0.1:2000/"; - }; - "sods.voorwaarts.nl" = { - enable = true; - proxy = "http://127.0.0.1:2000/"; - }; - "quiz.slagomdeslotgracht.nl" = { - enable = true; - proxy = "http://127.0.0.1:2000/"; - }; - }; - }; - }; - }; }; users.defaultUserShell = pkgs.zsh; security.rtkit.enable = true; + boot = rec { + + + kernelPackages = pkgs.linuxPackages_latest; + extraModulePackages = with kernelPackages; [ + v4l2loopback + ]; + consoleLogLevel = 0; + initrd.verbose = false; + plymouth = rec { + enable = true; + theme = "colorful"; + themePackages = [ (pkgs.adi1090x-plymouth-themes.override { selected_themes = [ theme ]; }) ]; + }; + kernelParams = [ + "quiet" + "splash" + "boot.shell_on_fail" + "i915.fastboot=1" + "loglevel=3" + "rd.systemd.show_status=false" + "rd.udev.log_level=3" + "udev.log_priority=3" + ]; + + kernelModules = [ + "v4l2loopback" + "nct6775" + "k10temp" + ]; + + extraModprobeConfig = '' + options v4l2loopback devices=1 video_nr=2 card_label="OBS Cam" exclusive_caps=1 + ''; + + loader = { + timeout = 3; + efi.canTouchEfiVariables = true; + systemd-boot = { + enable = true; + editor = false; + configurationLimit = 100; + }; + }; + + }; services = { pcscd.enable = true; # for yubikey @@ -244,6 +214,7 @@ pulse.enable = true; jack.enable = true; }; + fail2ban.enable = true; greetd = { enable = false; settings = rec { @@ -361,6 +332,8 @@ 53317 # Localsend 7791 # Pixelflut 38281 # Archipelago + 80 + 443 ]; networking.firewall.allowedUDPPorts = [ 53317 
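Review bot: The re-added `boot = rec {` block in this hunk carries two empty lines directly after the opening brace and one more before its closing `};`, which the removed copy in the `@@ -9,56 +9,11 @@` hunk did not have, so the relocation is not a pure move. Dropping those blank lines keeps the block identical to what was removed and makes the diff easier to audit. Since `boot` now sits between `security.rtkit.enable` and `services`, a one-line comment such as `# boot/kernel settings (moved down from the imports section)` would explain the placement to the next reader.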
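Review bot: The `80` and `443` entries added to `allowedTCPPorts` in the `@@ -361,6 +332,8 @@` hunk are the only ones in that list without the trailing comment the neighbouring entries use (`53317 # Localsend`), so it is not visible from the list alone that they exist for the `services.nginx` block added later in this patch; `80 # nginx (ACME http-01)` and `443 # nginx` would match the existing style. Together with that nginx block this turns the desktop host into a publicly reachable HTTPS server, and `fail2ban.enable = true` from the `@@ -244,6 +214,7 @@` hunk only enables fail2ban's default configuration as far as this diff shows, so no jail watches the nginx logs unless one is declared elsewhere.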
@@ -369,6 +342,93 @@ # Or disable the firewall altogether. # networking.firewall.enable = false; + + services.nginx = + let + + extra = '' + client_max_body_size 50000M; + + proxy_redirect off; + + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s;''; + proxy = name: url: { + forceSSL = true; + useACMEHost = name; + extraConfig = extra; + locations."/" = { + proxyWebsockets = true; + proxyPass = url; + }; + }; + in + { + enable = true; + + + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + + virtualHosts = { + "noa.voorwaarts.nl" = { + forceSSL = true; + enableACME = true; + extraConfig = extra; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://[::1]:8000"; + }; + }; + + "images.noa.voorwaarts.nl" = proxy "noa.voorwaarts.nl" "http://[::1]:2283/"; + + "itepastra.nl" = { + forceSSL = true; + enableACME = true; + extraConfig = extra; + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://[::1]:9001/"; + }; + }; + + "locked.itepastra.nl" = { + forceSSL = true; + useACMEHost = "itepastra.nl"; + extraConfig = '' + ${extra} + ssl_client_certificate /etc/nginx/certificates/yubikey.crt; + ssl_verify_client on; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; + + keepalive_timeout 10; + ssl_session_timeout 5m; + ''; + + locations."/" = { + proxyWebsockets = true; + proxyPass = "http://[::1]:9000/"; + }; + + }; + + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "noa@voorwaarts.nl"; + certs."noa.voorwaarts.nl".extraDomainNames = [ "images.noa.voorwaarts.nl" ]; + certs."itepastra.nl".extraDomainNames = [ "locked.itepastra.nl" ]; + }; + # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. 
It‘s perfectly fine and recommended to leave diff --git a/hosts/default/home.nix b/hosts/default/home.nix index 295095e..3d69f24 100644 --- a/hosts/default/home.nix +++ b/hosts/default/home.nix @@ -66,6 +66,7 @@ planify keepassxc yubikey-manager-qt + yubico-piv-tool ]; @@ -82,6 +83,7 @@ # org.gradle.console=verbose # org.gradle.daemon.idletimeout=3600000 # ''; + "ykcs/ykcs11.so".source = "${pkgs.yubico-piv-tool}/lib/libykcs11.so"; }; # Home Manager can also manage your environment variables through diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 55e47f4..7ade692 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -73,6 +73,37 @@ ]; }; + modules = { + websites = { + enable = true; + certMail = "acme@voorwaarts.nl"; + mainDomains = { + "noa.voorwaarts.nl" = { + enable = true; + proxy = "http://127.0.0.1:5000/"; + extra_sites = { + "images.noa.voorwaarts.nl" = { + enable = true; + proxy = "http://127.0.0.1:2283/"; + }; + "testing.noa.voorwaarts.nl" = { + enable = true; + proxy = "http://127.0.0.1:8000/"; + }; + "sods.noa.voorwaarts.nl" = { + enable = false; + proxy = "http://127.0.0.1:2000/"; + }; + }; + }; + "itepastra.nl" = { + enable = true; + proxy = "http://[::1]:8000/"; + extra_sites = { }; + }; + }; + }; + }; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; diff --git a/modules/websites/default.nix b/modules/websites/default.nix index 781dce2..42287db 100644 --- a/modules/websites/default.nix +++ b/modules/websites/default.nix @@ -48,7 +48,12 @@ in ( name: config: lib.mkIf config.enable { - extraDomainNames = lib.attrsets.mapAttrsToList (n: c: lib.mkIf c.enable n) config.extra_sites; + extraDomainNames = lib.attrsets.mapAttrsToList + ( + domain_name: domain_config: lib.mkIf domain_config.enable domain_name + ) + config.extra_sites; + webroot = lib.traceVal "/var/lib/acme/acme-challenge/${name}"; } ) cfg.mainDomains; 
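Review bot: The `locked.itepastra.nl` extraConfig sets `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;`, which re-enables deprecated TLS 1.1 on the one vhost that depends on client-certificate verification (`ssl_verify_client on`), and it overrides the protocol list that `recommendedTlsSettings = true` at the top of this block already provides. Unless a specific old client needs it, drop that line or change it to `ssl_protocols TLSv1.2 TLSv1.3;`; `ssl_prefer_server_ciphers on` likewise overrides the recommended setting and can probably go. The shared `extra` snippet also puts `client_max_body_size 50000M;` on every vhost, so the 50 GB upload limit applies to the public `noa.voorwaarts.nl` and `itepastra.nl` hosts as well as the one that presumably needs it; scoping it to that vhost's `locations."/"` would limit the exposure. `/etc/nginx/certificates/yubikey.crt` is referenced but not created by this commit, so the vhost presumably cannot load until that file is deployed out of band, which deserves a comment on that line.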
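Review bot: In the `modules.websites.mainDomains` block moved into hosts/server/configuration.nix, `testing.noa.voorwaarts.nl` proxies to `http://127.0.0.1:8000/` while `itepastra.nl` proxies to `http://[::1]:8000/`; whether these are two distinct backends that happen to share a port, or one dual-stack service published under two names, cannot be told from this hunk. A one-line comment per entry naming the service behind the port, e.g. `# itepastra.nl backend binds ::1 only`, would make that explicit, especially since every other target here uses `127.0.0.1`. The `sods.voorwaarts.nl` and `quiz.slagomdeslotgracht.nl` entries from the removed desktop configuration are not carried over, which looks intentional but is not stated in the commit message.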
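Review bot: `webroot = lib.traceVal "/var/lib/acme/acme-challenge/${name}";` leaves an evaluation-time debug trace in committed code, and the same applies to `lib.trace name (...)` and `lib.traceSeq c (proxy c.proxy)` in the two modules/websites hunks that follow; `traceSeq` in particular prints each extra-site attrset, proxy URL included, to stderr on every evaluation. Once the debugging is done these should read `webroot = "/var/lib/acme/acme-challenge/${name}";`, `lib.mkIf config.enable (` and `proxy c.proxy`. Setting a per-domain `webroot` also presumably has to match the directory the nginx ACME integration serves for `/.well-known/acme-challenge/`; nothing in this hunk configures that, so if it is not handled elsewhere in the module (outside this hunk) challenge responses would be written to a path nginx does not serve.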
@@ -74,7 +79,7 @@ in }; }; in - lib.mkIf config.enable ( + lib.trace name (lib.mkIf config.enable ( lib.mkMerge [ { ${name} = { @@ -89,18 +94,18 @@ in } (lib.attrsets.mapAttrs (n: c: - proxy c.proxy + lib.traceSeq c (proxy c.proxy) ) config.extra_sites) ] - ) + )) ) cfg.mainDomains; in { networking.hosts = { # NOTE: this is needed because I don't have hairpin nat. :( - "127.0.0.1" = hostnames; + "::1" = hostnames; }; security.acme = { acceptTerms = true;
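Review bot: Changing the hairpin-NAT override from `"127.0.0.1"` to `"::1"` in `networking.hosts` means every local client that resolves these hostnames now reaches nginx over IPv6 loopback only; that presumably works because NixOS's default nginx listen set includes `[::]`, but the backends declared in hosts/server/configuration.nix are still addressed as `127.0.0.1`, so both loopback families remain in play and the NOTE comment above should record why `::1` was chosen, e.g. `# NOTE: ::1 rather than 127.0.0.1 so that <reason>`. The `n: c:` lambda wrapped in `lib.traceSeq` keeps the single-letter names that the `@@ -48,7 +48,12 @@` hunk renamed to `domain_name: domain_config` for the sibling lambda; using the same names in both places would keep the module consistent.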