| author | Franck Cuny <franck@fcuny.net> | 2025-11-23 09:47:45 -0800 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-11-23 09:47:45 -0800 |
| commit | 6697e18fabf835d63613daab00d3bf6176725880 (patch) | |
| tree | 461f8be1f02df35f8a55f9f5f9c0334072b87e51 | |
| parent | cgit: convert org-mode to HTML (diff) | |
| download | infra-6697e18fabf835d63613daab00d3bf6176725880.tar.gz | |
move reverse proxy configuration to a profile
Diffstat (limited to '')
| -rw-r--r-- | machines/nixos/x86_64-linux/argonath.nix | 83 | ||||
| -rw-r--r-- | profiles/reverse-proxy.nix | 82 |
2 files changed, 83 insertions, 82 deletions
diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix index 63ff2c9..a67054a 100644 --- a/machines/nixos/x86_64-linux/argonath.nix +++ b/machines/nixos/x86_64-linux/argonath.nix @@ -2,34 +2,8 @@ config, lib, adminUser, - pkgs, ... }: -let - mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config); - mkWebfingers = - { subject, ... }@config: - map (mkWebfinger config) [ - subject - (lib.escapeURL subject) - ]; - webfingerRoot = pkgs.symlinkJoin { - name = "felschr.com-webfinger"; - paths = lib.flatten ( - builtins.map mkWebfingers [ - { - subject = "acct:franck@fcuny.net"; - links = [ - { - rel = "http://openid.net/specs/connect/1.0/issuer"; - href = "https://auth.fcuny.net"; - } - ]; - } - ] - ); - }; -in { imports = [ ../../../profiles/acme.nix @@ -38,6 +12,7 @@ in ../../../profiles/disk/basic-vm.nix ../../../profiles/hardware/do-droplet.nix ../../../profiles/home-manager.nix + ../../../profiles/reverse-proxy.nix ../../../profiles/server.nix ]; 
@@ -68,62 +43,6 @@ in networking.firewall.trustedInterfaces = [ "wg0" ]; networking.firewall.allowedUDPPorts = [ 51871 ]; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - ]; - - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - virtualHosts = { - "code.fcuny.net" = { - enableACME = true; - acmeRoot = null; - forceSSL = true; - locations."/" = { - proxyPass = "http://10.100.0.60"; - }; - }; - "auth.fcuny.net" = { - enableACME = true; - acmeRoot = null; - forceSSL = true; - locations."/" = { - proxyPass = "http://10.100.0.60:9092"; - }; - }; - "reader.fcuny.net" = { - enableACME = true; - acmeRoot = null; - forceSSL = true; - locations."/".proxyPass = "http://10.100.0.60:8002"; - }; - "fcuny.net" = { - enableACME = true; - acmeRoot = null; - forceSSL = true; - locations."/" = { - proxyPass = "http://10.100.0.60:8070"; - }; - locations."/.well-known/webfinger" = { - root = webfingerRoot; - extraConfig = '' - add_header Access-Control-Allow-Origin "*"; - default_type "application/jrd+json"; - types { application/jrd+json json; } - if ($arg_resource) { - rewrite ^(.*)$ /$arg_resource break; - } - ''; - }; - }; - }; - }; - system.stateVersion = "25.05"; # Did you read the comment? home-manager = { diff --git a/profiles/reverse-proxy.nix b/profiles/reverse-proxy.nix new file mode 100644 index 0000000..dd98ff2 --- /dev/null +++ b/profiles/reverse-proxy.nix 
@@ -0,0 +1,82 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+let
+ httpHost = "10.100.0.60";
+ mkWebfinger = config: file: pkgs.writeTextDir file (lib.generators.toJSON { } config);
+ mkWebfingers =
+ { subject, ... }@config:
+ map (mkWebfinger config) [
+ subject
+ (lib.escapeURL subject)
+ ];
+ webfingerRoot = pkgs.symlinkJoin {
+ name = "felschr.com-webfinger";
+ paths = lib.flatten (
+ builtins.map mkWebfingers [
+ {
+ subject = "acct:franck@fcuny.net";
+ links = [
+ {
+ rel = "http://openid.net/specs/connect/1.0/issuer";
+ href = "https://auth.fcuny.net";
+ }
+ ];
+ }
+ ]
+ );
+ };
+in
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}";
+ };
+ "auth.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}:9092";
+ };
+ "reader.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}:8002";
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${httpHost}:8070";
+ locations."/.well-known/webfinger" = {
+ root = webfingerRoot;
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ default_type "application/jrd+json";
+ types { application/jrd+json json; }
+ if ($arg_resource) {
+ rewrite ^(.*)$ /$arg_resource break;
+ }
+ '';
+ };
+ };
+ };
+ };
+} |
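Review bot: The webfinger location passes the unvalidated `$arg_resource` query argument straight into a filesystem path via `rewrite ^(.*)$ /$arg_resource break;` under `root = webfingerRoot`, and nothing in the new file restricts what that argument may contain. I would confirm rather than assume that nginx re-normalises `..` in a rewritten URI; if it does not, a request like `?resource=../../<other-store-path>` maps outside the symlinkJoin, which is a file-disclosure primitive over /nix/store even though the store is nominally world-readable. A cheap guard before the rewrite is `if ($arg_resource ~ "(\.\.|/)") { return 400; }`, or, tighter, only accept the subjects the root actually holds with `if ($arg_resource !~ "^acct(:|%3[Aa])") { return 404; }` (the percent-encoded form matters because `lib.escapeURL subject` publishes an encoded copy of the JRD). Separately, every `proxyPass` reaches `${httpHost}` over plain HTTP, including the OIDC issuer on :9092, which is only acceptable if that address is routed over the WireGuard interface argonath trusts (`wg0` in the removed hunk); now that this is a reusable profile that assumption should be stated next to the constant, e.g. `# Upstreams are proxied in cleartext: httpHost must only be reachable over the wg0 tunnel.`.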
