| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/default.nix | 2 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix | 72 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix | 73 | ||||
| -rw-r--r-- | machines/nixos/x86_64-linux/do-rproxy/secrets.nix | 4 | ||||
| -rw-r--r-- | secrets/cloudflare-nginx.age (renamed from secrets/cloudflare-caddy.age) | bin | 363 -> 363 bytes | |||
| -rw-r--r-- | secrets/secrets.nix | 2 |
6 files changed, 77 insertions, 76 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 159c4fd..e187bd2 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -33,7 +33,7 @@ "${self}/profiles/network/fail2ban.nix" "${self}/profiles/services/podman.nix" "${self}/profiles/programs/fish.nix"
- ./profiles/caddy.nix
+ ./profiles/nginx.nix
 ]; # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
deleted file mode 100644
index c39a1ec..0000000
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/caddy.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-{ config, ... }:
-{
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "franck@fcuny.net";
- certs = {
- "code.fcuny.net" = {
- domain = "code.fcuny.net";
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "caddy.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
- };
- "go.fcuny.net" = {
- domain = "go.fcuny.net";
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "caddy.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
- };
- "id.fcuny.net" = {
- domain = "id.fcuny.net";
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "caddy.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-caddy".path;
- };
- };
- };
-
- services.caddy = {
- enable = true;
- email = "franck@fcuny.net";
- globalConfig = ''
- metrics {
- per_host
- }
- admin :2019 {
- origins 127.0.0.1 10.100.0.0/24
- }
- '';
- virtualHosts = {
- forgejo = {
- hostName = "code.fcuny.net";
- useACMEHost = "code.fcuny.net";
- extraConfig = ''
- respond /metrics 403
- reverse_proxy 10.100.0.40:3000
- '';
- };
- go = {
- hostName = "go.fcuny.net";
- useACMEHost = "go.fcuny.net";
- extraConfig = ''
- reverse_proxy 10.100.0.40:8070
- '';
- };
- auth = {
- hostName = "id.fcuny.net";
- useACMEHost = "id.fcuny.net";
- extraConfig = ''
- reverse_proxy 10.100.0.40:8080
- '';
- };
- };
- };
-}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
new file mode 100644
index 0000000..fc273b7
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
@@ -0,0 +1,73 @@
+{ config, ... }:
+{
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "franck@fcuny.net";
+ certs = {
+ "code.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "go.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "id.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:3000";
+ };
+ locations."/metrics" = {
+ proxyPass = "http://10.100.0.40:3000/metrics";
+ extraConfig = ''
+ deny all;
+ access_log off;
+ '';
+ };
+ };
+ "go.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8070";
+ };
+ };
+ "id.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8080";
+ };
+ };
+ };
+ };
+}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
index e2444e2..8711666 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
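Review bot: In the `code.fcuny.net` vhost the `/metrics` location pairs `proxyPass` with `deny all;`, but nginx decides `deny` in the access phase before any upstream request is made, so the `proxyPass = "http://10.100.0.40:3000/metrics";` line is dead and reads as if the path were still forwarded; drop it and keep only the `extraConfig` block. Note also that a prefix `location /metrics` covers `/metrics/...` and `/metricsfoo` as well, which is broader than the exact-path `respond /metrics 403` in the removed Caddy config — intentional or not, a one-line comment such as `# Forgejo's Prometheus endpoint is scraped over the VPN only; block it on the public edge` would record why it is denied here. Since `access_log off;` also hides blocked probes against that path, check whether the fail2ban profile imported in default.nix relies on nginx access-log lines before silencing them. None of the three vhosts sets HSTS; unless `recommendedTlsSettings` adds it (I do not believe it does), `extraConfig = ''add_header Strict-Transport-Security "max-age=31536000" always;'';` alongside `forceSSL` would be the usual follow-up.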
@@ -2,8 +2,8 @@ { age = { secrets = {
- cloudflare-caddy = {
- file = "${self}/secrets/cloudflare-caddy.age";
+ cloudflare-nginx = {
+ file = "${self}/secrets/cloudflare-nginx.age";
 }; wireguard = { file = "${self}/secrets/do/wireguard.age";
diff --git a/secrets/cloudflare-caddy.age b/secrets/cloudflare-nginx.age
Binary files differ
index 6800d5b..6800d5b 100644
--- a/secrets/cloudflare-caddy.age
+++ b/secrets/cloudflare-nginx.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5415ae0..ed8de8f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,7 +17,7 @@ in users.fcuny hosts.vm-synology ];
- "cloudflare-caddy.age".publicKeys = [
+ "cloudflare-nginx.age".publicKeys = [
 users.fcuny hosts.do ]; |
