nginx proxy function

This commit is contained in:
Noa Aarts 2024-06-04 21:23:35 +02:00
parent b5f91441c8
commit 8bb45dd4a6


@ -1,5 +1,5 @@
# Edit this configuration file to define what should be installed on # Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page # your system.Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help). # and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, inputs, nix-colors, ... }: { config, pkgs, inputs, nix-colors, ... }:
@ -49,7 +49,7 @@
"127.0.0.1" = [ "images.noa.voorwaarts.nl" "sods.noa.voorwaarts.nl" "noa.voorwaarts.nl" "testing.noa.voorwaarts.nl" ]; "127.0.0.1" = [ "images.noa.voorwaarts.nl" "sods.noa.voorwaarts.nl" "noa.voorwaarts.nl" "testing.noa.voorwaarts.nl" ];
}; };
}; };
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # networking.wireless.enable = true;# Enables wireless support via wpa_supplicant.
# Configure network proxy if necessary # Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.default = "http://user:password@proxy:port/";
@ -145,8 +145,8 @@
# started in user sessions. # started in user sessions.
# programs.mtr.enable = true; # programs.mtr.enable = true;
# programs.gnupg.agent = { # programs.gnupg.agent = {
# enable = true; # enable = true;
# enableSSHSupport = true; # enableSSHSupport = true;
# }; # };
programs = { programs = {
zsh.enable = true; zsh.enable = true;
@ -232,62 +232,45 @@
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
virtualHosts = virtualHosts =
let extra = '' let
client_max_body_size 50000M; extra = ''
client_max_body_size 50000M;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_redirect off; proxy_redirect off;
proxy_read_timeout 600s; proxy_read_timeout 600s;
proxy_send_timeout 600s; proxy_send_timeout 600s;
send_timeout 600s;''; send_timeout 600s;'';
proxy = port: {
forceSSl = true;
useACMEHost = "noa.voorwaarts.nl";
extraConfig = extra;
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}/";
};
};
in in
{ {
"noa.voorwaarts.nl" = { "noa.voorwaarts.nl" = {
default = true; default = true;
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
};
"images.noa.voorwaarts.nl" = {
forceSSL = true;
useACMEHost = "noa.voorwaarts.nl";
extraConfig = extra;
locations."/" = {
proxyPass = "http://127.0.0.1:2283/";
};
};
"testing.noa.voorwaarts.nl" = {
forceSSL = true;
useACMEHost = "noa.voorwaarts.nl";
extraConfig = extra;
locations."/" = {
proxyPass = "http://127.0.0.1:8000/";
};
};
"sods.noa.voorwaarts.nl" = {
forceSSL = true;
useACMEHost = "noa.voorwaarts.nl";
extraConfig = extra;
locations."/" = {
proxyPass = "http://127.0.0.1:2000/";
};
}; };
"images.noa.voorwaarts.nl" = proxy 2283;
"testing.noa.voorwaarts.nl" = proxy 8000;
"sods.noa.voorwaarts.nl" = proxy 2000;
}; };
}; };
openssh = { openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
}; };
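Review bot: The new `proxy` helper sets `forceSSl = true;` while the retained `noa.voorwaarts.nl` host spells the option `forceSSL`; the lowercase `l` is a typo, so the attribute is not the `services.nginx.virtualHosts.<name>.forceSSL` option. NixOS should reject the unknown option when evaluating the config and the rebuild will fail, but if it were ever accepted silently the three proxied hosts (`images.`, `testing.`, `sods.`) would answer plain HTTP with no redirect to HTTPS, which is the exact protection the old per-host blocks had. Change the line to `forceSSL = true;`. Worth a comment on the helper too, since it now applies the shared `extra` snippet — `client_max_body_size 50000M` and the 600s timeouts — to every proxied host including `testing.`: `# shared reverse-proxy vhost: TLS via the noa.voorwaarts.nl cert, 50 GB uploads, 10 min timeouts`.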
@ -324,13 +307,13 @@
nixos-rebuild nixos-rebuild
]; ];
script = '' script = ''
[[ ! -d '/root/nixconf' ]] && cd /root && git clone git@github.com:itepastra/nixconf [[ ! -d '/root/nixconf' ]] && cd /root && git clone git@github.com:itepastra/nixconf
cd /root/nixconf cd /root/nixconf
git pull git pull
nix flake update --commit-lock-file /root/nixconf nix flake update --commit-lock-file /root/nixconf
nixos-rebuild switch --flake . nixos-rebuild switch --flake .
git push git push
''; '';
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
User = "root"; User = "root";
@ -345,9 +328,9 @@
environment.etc = { environment.etc = {
"fail2ban/filter.d/go-login.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/filter.d/go-login.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition] [Definition]
failregex=^time= level=WARN msg=".*?" ip=<ADDR> status=4\d\d$ failregex=^time= level=WARN msg=".*?" ip=<ADDR> status=4\d\d$
''); '');
}; };
virtualisation.docker = { virtualisation.docker = {
@ -365,8 +348,8 @@
]; ];
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''
options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1 options v4l2loopback devices=1 video_nr=1 card_label="OBS Cam" exclusive_caps=1
''; '';
security = { security = {
acme = { acme = {
acceptTerms = true; acceptTerms = true;