| author | Franck Cuny <franck@fcuny.net> | 2025-10-24 09:02:29 -0700 |
|---|---|---|
| committer | Franck Cuny <franck@fcuny.net> | 2025-10-24 09:02:29 -0700 |
| commit | e55b8ee0f7073b46fb343a97ee744a95ec40d2ed (patch) | |
| tree | 329c992647f1c420cbf87cec4cca206474f98b39 /machines/nixos/x86_64-linux/do-rproxy.nix | |
| parent | move a few more things back as profiles (diff) | |
| download | infra-e55b8ee0f7073b46fb343a97ee744a95ec40d2ed.tar.gz | |
simplify hosts management
Diffstat (limited to 'machines/nixos/x86_64-linux/do-rproxy.nix')
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy.nix | 203 |
1 files changed, 203 insertions, 0 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy.nix b/machines/nixos/x86_64-linux/do-rproxy.nix
new file mode 100644
index 0000000..c444fef
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy.nix
@@ -0,0 +1,203 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ config,
+ modulesPath,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ cloudflare-nginx = {
+ file = ../../../secrets/cloudflare-nginx.age;
+ };
+ wireguard = {
+ file = ../../../secrets/do/wireguard.age;
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/virtualisation/digital-ocean-config.nix")
+ ../../../profiles/disk/basic-vm.nix
+ ../../../profiles/defaults.nix
+ ../../../profiles/server.nix
+ ../../../profiles/cgroups.nix
+ ];
+
+ disko.devices.disk.disk1.device = "/dev/vda";
+
+ networking.hostName = "do-rproxy";
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.50/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # vm-synology
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ allowedIPs = [ "10.100.0.40/32" ];
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.60/32" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ my.modules.hardware.do-droplet.enable = true;
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "franck@fcuny.net";
+ certs = {
+ "code.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "go.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "id.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ };
+ };
+
+ services.nginx =
+ let
+ accounts = [
+ {
+ user = "franck@fcuny.net";
+ realm = "fcuny.net";
+ }
+ ];
+ webfingerConfig = {
+ "= /.well-known/webfinger" = {
+ extraConfig = ''
+ return 307 /__webfinger/$arg_resource;
+ '';
+ };
+
+ "~ ^/__webfinger/(acct:[^/]+@[^/]+)" = {
+ root = pkgs.linkFarm "webfinger-entries" (
+ lib.listToAttrs (
+ map (acct: {
+ name = "acct:${acct.user}";
+ value = pkgs.writeText "webfinger-${acct.user}" ''
+ {
+ "subject": "acct:${acct.user}",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://id.fcuny.net/realms/${acct.realm}"
+ }
+ ]
+ }
+ '';
+ }) accounts
+ )
+ );
+
+ tryFiles = "/$1 =404";
+
+ extraConfig = ''
+ add_header Content-Type application/json;
+ '';
+ };
+ };
+ in
+ {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:3000";
+ };
+ locations."/metrics" = {
+ proxyPass = "http://10.100.0.60:3000/metrics";
+ extraConfig = ''
+ deny all;
+ access_log off;
+ '';
+ };
+ };
+ "go.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8070";
+ };
+ };
+ "id.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations = (
+ {
+ "/" = {
+ proxyPass = "http://10.100.0.60:8080";
+ };
+ }
+ // webfingerConfig
+ );
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+
+ root = "${inputs.my-site.packages.x86_64-linux.default}/";
+
+ locations = {
+ "/".tryFiles = "$uri $uri/ $uri/index.html =404";
+ }
+ // webfingerConfig;
+
+ extraConfig = ''
+ error_page 404 /404;
+ '';
+ };
+ };
+ };
+} |
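Review bot: In the `"~ ^/__webfinger/..."` location, `add_header Content-Type application/json;` appends a second Content-Type header rather than replacing the one nginx derives from `default_type` for the extension-less linkFarm entries, so clients can receive two conflicting values; `default_type application/jrd+json;` (the media type RFC 7033 specifies) in that `extraConfig` instead of `add_header` gives a single correct header. The `= /.well-known/webfinger` block also forwards `$arg_resource` unconditionally, so a request with no `resource` parameter, or one that does not match the `acct:` regex, falls through to the `/` location and on `id.fcuny.net` reaches the proxied backend rather than being rejected; a guard such as `if ($arg_resource = "") { return 400; }` ahead of the `return 307`, or a catch-all `"~ ^/__webfinger/"` location returning 404, keeps those requests off the upstream. Because `webfingerConfig` is merged into both the `id.fcuny.net` and `fcuny.net` virtual hosts, changing the shared attrset fixes both.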
