feat: redo websites

hosts/default/configuration.nix

@@ -9,56 +9,11 @@
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
       ../../modules/games/steam.nix
-      ../../modules/websites
       ../../modules/plasma
 
       ../../common
     ];
 
-  boot = rec {
-    kernelPackages = pkgs.linuxPackages_latest;
-    extraModulePackages = with kernelPackages; [
-      v4l2loopback
-    ];
-    consoleLogLevel = 0;
-    initrd.verbose = false;
-    plymouth = rec {
-      enable = true;
-      theme = "colorful";
-      themePackages = [ (pkgs.adi1090x-plymouth-themes.override { selected_themes = [ theme ]; }) ];
-    };
-    kernelParams = [
-      "quiet"
-      "splash"
-      "boot.shell_on_fail"
-      "i915.fastboot=1"
-      "loglevel=3"
-      "rd.systemd.show_status=false"
-      "rd.udev.log_level=3"
-      "udev.log_priority=3"
-    ];
-
-    kernelModules = [
-      "v4l2loopback"
-      "nct6775"
-      "k10temp"
-    ];
-
-    extraModprobeConfig = ''
-      options v4l2loopback devices=1 video_nr=2 card_label="OBS Cam" exclusive_caps=1
-    '';
-
-    loader = {
-      timeout = 3;
-      efi.canTouchEfiVariables = true;
-      systemd-boot = {
-        enable = true;
-        editor = false;
-        configurationLimit = 100;
-      };
-    };
-  };
-
 
 
 
@@ -174,6 +129,7 @@
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
+    pinentryPackage = pkgs.pinentry-curses;
   };
 
   xdg.portal.enable = true;
@@ -197,43 +153,57 @@
   modules = {
     games.steam.enable = true;
     plasma.enable = true;
-    websites = {
-      enable = true;
-      certMail = "acme@voorwaarts.nl";
-      mainDomains = {
-        "noa.voorwaarts.nl" = {
-          enable = true;
-          proxy = "http://127.0.0.1:5000/";
-          extra_sites = {
-            "images.noa.voorwaarts.nl" = {
-              enable = true;
-              proxy = "http://127.0.0.1:2283/";
-            };
-            "testing.noa.voorwaarts.nl" = {
-              enable = true;
-              proxy = "http://127.0.0.1:8000/";
-            };
-            "sods.noa.voorwaarts.nl" = {
-              enable = false;
-              proxy = "http://127.0.0.1:2000/";
-            };
-            "sods.voorwaarts.nl" = {
-              enable = true;
-              proxy = "http://127.0.0.1:2000/";
-            };
-            "quiz.slagomdeslotgracht.nl" = {
-              enable = true;
-              proxy = "http://127.0.0.1:2000/";
-            };
-          };
-        };
-      };
-    };
   };
 
   users.defaultUserShell = pkgs.zsh;
 
   security.rtkit.enable = true;
+  boot = rec {
+
+
+    kernelPackages = pkgs.linuxPackages_latest;
+    extraModulePackages = with kernelPackages; [
+      v4l2loopback
+    ];
+    consoleLogLevel = 0;
+    initrd.verbose = false;
+    plymouth = rec {
+      enable = true;
+      theme = "colorful";
+      themePackages = [ (pkgs.adi1090x-plymouth-themes.override { selected_themes = [ theme ]; }) ];
+    };
+    kernelParams = [
+      "quiet"
+      "splash"
+      "boot.shell_on_fail"
+      "i915.fastboot=1"
+      "loglevel=3"
+      "rd.systemd.show_status=false"
+      "rd.udev.log_level=3"
+      "udev.log_priority=3"
+    ];
+
+    kernelModules = [
+      "v4l2loopback"
+      "nct6775"
+      "k10temp"
+    ];
+
+    extraModprobeConfig = ''
+      options v4l2loopback devices=1 video_nr=2 card_label="OBS Cam" exclusive_caps=1
+    '';
+
+    loader = {
+      timeout = 3;
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        enable = true;
+        editor = false;
+        configurationLimit = 100;
+      };
+    };
+
+  };
 
   services = {
     pcscd.enable = true; # for yubikey
@@ -244,6 +214,7 @@
       pulse.enable = true;
       jack.enable = true;
     };
+    fail2ban.enable = true;
     greetd = {
       enable = false;
       settings = rec {
@@ -361,6 +332,8 @@
     53317 # Localsend
     7791 # Pixelflut
     38281 # Archipelago
+    80
+    443
   ];
   networking.firewall.allowedUDPPorts = [
     53317
@@ -369,6 +342,93 @@
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 
+
+  services.nginx =
+    let
+
+      extra = ''
+        client_max_body_size 50000M;
+
+        proxy_redirect     off;
+
+        proxy_read_timeout 600s;
+        proxy_send_timeout 600s;
+        send_timeout       600s;'';
+      proxy = name: url: {
+        forceSSL = true;
+        useACMEHost = name;
+        extraConfig = extra;
+        locations."/" = {
+          proxyWebsockets = true;
+          proxyPass = url;
+        };
+      };
+    in
+    {
+      enable = true;
+
+
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+
+      virtualHosts = {
+        "noa.voorwaarts.nl" = {
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = extra;
+          locations."/" = {
+            proxyWebsockets = true;
+            proxyPass = "http://[::1]:8000";
+          };
+        };
+
+        "images.noa.voorwaarts.nl" = proxy "noa.voorwaarts.nl" "http://[::1]:2283/";
+
+        "itepastra.nl" = {
+          forceSSL = true;
+          enableACME = true;
+          extraConfig = extra;
+          locations."/" = {
+            proxyWebsockets = true;
+            proxyPass = "http://[::1]:9001/";
+          };
+        };
+
+        "locked.itepastra.nl" = {
+          forceSSL = true;
+          useACMEHost = "itepastra.nl";
+          extraConfig = ''
+            ${extra}
+            ssl_client_certificate /etc/nginx/certificates/yubikey.crt;
+            ssl_verify_client on;
+            ssl_prefer_server_ciphers on;
+            ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+            keepalive_timeout 10;
+            ssl_session_timeout 5m;
+          '';
+
+          locations."/" = {
+            proxyWebsockets = true;
+            proxyPass = "http://[::1]:9000/";
+          };
+
+        };
+
+      };
+    };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "noa@voorwaarts.nl";
+    certs."noa.voorwaarts.nl".extraDomainNames = [ "images.noa.voorwaarts.nl" ];
+    certs."itepastra.nl".extraDomainNames = [ "locked.itepastra.nl" ];
+  };
+
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/default/home.nix

@@ -66,6 +66,7 @@
     planify
     keepassxc
     yubikey-manager-qt
+    yubico-piv-tool
   ];
 
 
@@ -82,6 +83,7 @@
     #   org.gradle.console=verbose
     #   org.gradle.daemon.idletimeout=3600000
     # '';
+    "ykcs/ykcs11.so".source = "${pkgs.yubico-piv-tool}/lib/libykcs11.so";
   };
 
   # Home Manager can also manage your environment variables through

hosts/server/configuration.nix

@@ -73,6 +73,37 @@
     ];
   };
 
+  modules = {
+    websites = {
+      enable = true;
+      certMail = "acme@voorwaarts.nl";
+      mainDomains = {
+        "noa.voorwaarts.nl" = {
+          enable = true;
+          proxy = "http://127.0.0.1:5000/";
+          extra_sites = {
+            "images.noa.voorwaarts.nl" = {
+              enable = true;
+              proxy = "http://127.0.0.1:2283/";
+            };
+            "testing.noa.voorwaarts.nl" = {
+              enable = true;
+              proxy = "http://127.0.0.1:8000/";
+            };
+            "sods.noa.voorwaarts.nl" = {
+              enable = false;
+              proxy = "http://127.0.0.1:2000/";
+            };
+          };
+        };
+        "itepastra.nl" = {
+          enable = true;
+          proxy = "http://[::1]:8000/";
+          extra_sites = { };
+        };
+      };
+    };
+  };
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
   # programs.mtr.enable = true;

modules/websites/default.nix

@@ -48,7 +48,12 @@ in
         (
           name: config:
             lib.mkIf config.enable {
-              extraDomainNames = lib.attrsets.mapAttrsToList (n: c: lib.mkIf c.enable n) config.extra_sites;
+              extraDomainNames = lib.attrsets.mapAttrsToList
+                (
+                  domain_name: domain_config: lib.mkIf domain_config.enable domain_name
+                )
+                config.extra_sites;
+              webroot = lib.traceVal "/var/lib/acme/acme-challenge/${name}";
             }
         )
         cfg.mainDomains;
@@ -74,7 +79,7 @@ in
                 };
               };
             in
-            lib.mkIf config.enable (
+            lib.trace name (lib.mkIf config.enable (
               lib.mkMerge [
                 {
                   ${name} = {
@@ -89,18 +94,18 @@ in
                 }
                 (lib.attrsets.mapAttrs
                   (n: c:
-                    proxy c.proxy
+                    lib.traceSeq c (proxy c.proxy)
                   )
                   config.extra_sites)
               ]
-            )
+            ))
         )
         cfg.mainDomains;
     in
     {
       networking.hosts = {
         # NOTE: this is needed because I don't have hairpin nat. :(
-        "127.0.0.1" = hostnames;
+        "::1" = hostnames;
       };
       security.acme = {
         acceptTerms = true;