gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: i forgor o:

Browse source
This commit is contained in:
Kat Inskip 2022-09-23 17:57:57 -07:00
parent 0eb5e3bdd7
commit 15519ad70d
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
34 changed files with 552 additions and 265 deletions
Download patch file Download diff file Expand all files Collapse all files

189
services/access.nix
View file

@ -1,4 +1,8 @@
{ config, lib, meta, pkgs, ... }: with lib; {
networks.internet.extra_domains = [
"gensokyo.zone"
];
domains = {
kittywitch-plex = {
network = "internet";
@ -15,17 +19,24 @@
type = "cname";
domain = "cloud";
};
gensokyo-root = {
network = "internet";
type = "both";
zone = "gensokyo.zone.";
};
gensokyo-home = {
network = "internet";
type = "cname";
domain = "home";
zone = "gensokyo.zone.";
};
gensokyo-kanidm = {
network = "internet";
type = "cname";
domain = "id";
zone = "gensokyo.zone.";
};
gensokyo-vouch = {
network = "internet";
type = "cname";
domain = "login";
zone = "gensokyo.zone.";
};
gensokyo-z2m = {
network = "internet";
type = "cname";
@ -35,66 +46,128 @@
};
services.nginx.virtualHosts = mkMerge [
{
"gensokyo.zone" = {
locations."/" = {
root = pkgs.gensokyoZone;
{
"gensokyo.zone" = {
locations."/" = {
root = pkgs.gensokyoZone;
};
};
"home.gensokyo.zone" = {
locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
};
"home.gensokyo.zone" = {
locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
};
"z2m.gensokyo.zone" = {
extraConfig = ''
auth_request /validate;
error_page 401 = @error401;
'';
locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 8072;
extraConfig = ''
add_header Access-Control-Allow-Origin https://login.gensokyo.zone;
add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
"@error401" = {
extraConfig = ''
return 302 https://login.gensokyo.zone/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
'';
};
"/validate" = {
recommendedProxySettings = false;
proxyPass = meta.tailnet.tewi.ppp 4 30746 "validate";
extraConfig = ''
proxy_set_header Host $http_host;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
'';
};
};
"home.${config.networking.domain}" = {
locations = {
"/" = {
proxyPass = meta.tailnet.yukari.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
};
"id.gensokyo.zone" = {
locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 8080;
extraConfig = ''
proxy_set_header Host $host;
add_header Access-Control-Allow-Origin https://id.gensokyo.zone;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
};
"cloud.${config.networking.domain}" = {
locations = {
"/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
};
"login.gensokyo.zone" = {
locations = {
"/" = {
proxyPass = meta.tailnet.tewi.pp 4 30746;
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host $http_host;
'';
};
};
"plex.${config.networking.domain}" = {
locations = {
"/" = {
proxyPass = meta.tailnet.yukari.pp 4 32400;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffering off;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
};
};
"home.${config.networking.domain}" = {
locations = {
"/" = {
proxyPass = meta.tailnet.yukari.pp 4 8123;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
'';
};
}
};
};
"cloud.kittywit.ch" = {
locations = {
"/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
};
};
"plex.kittywit.ch" = {
locations = {
"/" = {
proxyPass = meta.tailnet.yukari.pp 4 32400;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_buffering off;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
'';
};
};
};
}
];
}
}

10
services/filehost.nix
View file

@ -83,7 +83,7 @@ return [
};
services.nginx.virtualHosts = {
"files.${config.network.dns.domain}" = {
"files.kittywit.ch" = {
root = "/var/lib/xbackbone/www";
locations = {
"/" = {
@ -139,8 +139,6 @@ location CHANGELOG.md {
return 403;
}
'';
enableACME = true;
forceSSL = true;
};
};
@ -181,9 +179,9 @@ location CHANGELOG.md {
};
};
deploy.tf.dns.records.services_filehost = {
inherit (config.network.dns) zone;
domains.kittywitch-filehost = {
domain = "files";
cname = { inherit (config.network.addresses.public) target; };
type = "cname";
inherit (config.networks.internet) target;
};
}

10
services/hedgedoc.nix
View file

@ -10,7 +10,7 @@
secrets.files.hedgedoc-env = {
text = ''
CMD_OAUTH2_USER_PROFILE_URL=https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/userinfo
CMD_OAUTH2_USER_PROFILE_URL=https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/userinfo
CMD_OAUTH2_CLIENT_SECRET=${tf.variables.hedgedoc-secret.ref}
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
@ -27,7 +27,7 @@
configuration = {
debug = true;
path = "/run/hedgedoc/hedgedoc.sock";
domain = "md.${config.network.dns.domain}";
domain = "md.kittywit.ch";
protocolUseSSL = true;
allowFreeURL = true;
email = false;
@ -41,8 +41,8 @@
host = "/run/postgresql";
};
oauth2 = {
tokenURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/token";
authorizationURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/auth";
tokenURL = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/token";
authorizationURL = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/openid-connect/auth";
clientID = "hedgedoc";
clientSecret = "";
};
@ -74,7 +74,7 @@
};
users.users.nginx.extraGroups = [ "hedgedoc" ];
services.nginx.virtualHosts."md.${config.network.dns.domain}" = {
services.nginx.virtualHosts."md.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations."/" = {

13
services/keycloak.nix
View file

@ -24,14 +24,19 @@ in {
};
/* security.acme.certs.domain-auth = {
users.groups.domain-auth = {
gid = 10600;
members = [ "keycloak" ];
};
security.acme.certs."auth.kittywit.ch" = {
group = "domain-auth";
postRun = ''
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -delete -alias auth.kittywit.ch -keypass ${keystore-pass} -storepass ${keystore-pass} -keystore ./trust-store.jks
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.${config.network.dns.domain} -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore trust-store.jks -keypass ${keystore-pass} -storepass ${keystore-pass} -file cert.pem
chown acme:domain-auth ./trust-store.jks
'';
}; */
};
users.groups.keycloak = { };
users.users.keycloak = {
@ -50,7 +55,7 @@ in {
group = "keycloak";
};
services.nginx.virtualHosts."auth.${config.network.dns.domain}" = {
services.nginx.virtualHosts."auth.kittywit.ch" = {
useACMEHost = "domain-auth";
forceSSL = true;
locations = {

15
services/mail/sogo.nix
View file

@ -12,19 +12,10 @@
group = "sogo";
};
services.nginx.virtualHosts."mail.${config.network.dns.domain}" = {
useACMEHost = "dovecot_domains";
enableACME = mkForce false;
forceSSL = true;
};
users.groups.domain-auth.members = [ "postfix" ];
users.users.nginx.extraGroups = singleton "postfix";
deploy.tf.dns.records.services_sogo = {
inherit (config.network.dns) zone;
domain = "mail";
cname = { inherit (config.network.addresses.public) target; };
};
networks.internet.extra_domains = [ "mail.kittywit.ch" ];
services.postgresql = {
enable = true;
@ -42,7 +33,7 @@
services.sogo = {
enable = true;
timezone = "Europe/London";
vhostName = "mail.${config.network.dns.domain}";
vhostName = "mail.kittywit.ch";
extraConfig = ''
SOGoMailDomain = "kittywit.ch";
SOGoPageTitle = "kittywitch";

8
services/murmur.nix
View file

@ -104,6 +104,14 @@ in
};
};
networks.internet = {
extra_domains = [
"kittywit.ch"
"sync.kittywit.ch"
"voice.kittywit.ch"
];
};
users.groups."domain-auth".members = [ "murmur" ];
# Certs
/*
network.extraCerts.services_murmur = "voice.${config.net";

2
services/nginx.nix
View file

@ -25,6 +25,8 @@ with lib;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = mkIf (config.networking.hostName != "yukari") ''
large_client_header_buffers 4 16k;
proxy_buffers 8 8k;
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}

71
services/prosody.nix
View file

@ -3,16 +3,23 @@
with lib;
{
networks.internet.tcp = [
5000
5222
5223
5269
5280
5281
5347
5582
];
networks.internet = {
extra_domains = [
"xmpp.kittywit.ch"
"conference.kittywit.ch"
"upload.kittywit.ch"
];
tcp = [
5000
5222
5223
5269
5280
5281
5347
5582
];
};
services.postgresql = {
ensureDatabases = [ "prosody" ];
@ -44,46 +51,18 @@ with lib;
}
'';
virtualHosts = {
"xmpp.${config.network.dns.domain}" = {
"xmpp.kittywit.ch" = {
domain = config.network.dns.domain;
enabled = true;
ssl.cert = "/var/lib/acme/prosody/fullchain.pem";
ssl.key = "/var/lib/acme/prosody/key.pem";
};
};
muc = [{ domain = "conference.${config.network.dns.domain}"; }];
uploadHttp = { domain = "upload.${config.network.dns.domain}"; };
muc = [{ domain = "conference.kittywit.ch"; }];
uploadHttp = { domain = "upload.kittywit.ch"; };
};
security.acme.certs.prosody = {
domain = "xmpp.${config.network.dns.domain}";
group = "prosody";
dnsProvider = "rfc2136";
credentialsFile = config.secrets.files.dns_creds.path;
postRun = "systemctl restart prosody";
extraDomainNames =
[ config.network.dns.domain "upload.${config.network.dns.domain}" "conference.${config.network.dns.domain}" ];
};
domains = rec {
kittywitch-prosody = {
network = "internet";
type = "both";
domain = "xmpp";
};
kittywitch-prosody-upload = {
network = "internet";
type = "cname";
domain = "upload";
cname.target = kittywitch-prosody.target;
};
kittywitch-prosody-conference = {
network = "internet";
type = "cname";
domain = "conference";
cname.target = kittywitch-prosody.target;
};
};
users.groups.domain-auth.members = [ "prosody" ];
deploy.tf.dns.records = {
services_prosody_muc = {
@ -140,14 +119,10 @@ domains = rec {
};
services.nginx.virtualHosts = {
"upload.${config.network.dns.domain}" = {
useACMEHost = "prosody";
forceSSL = true;
"upload.kittywit.ch" = {
};
"conference.${config.network.dns.domain}" = {
useACMEHost = "prosody";
forceSSL = true;
"conference.kittywit.ch" = {
};
};

24
services/synapse.nix
View file

@ -180,7 +180,7 @@ CONFIG = {
level: WARNING
handlers: [console]
'';
server_name = config.network.dns.domain;
server_name = "kittywit.ch";
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-synapse/discord-registration.yaml"
@ -189,7 +189,7 @@ CONFIG = {
max_upload_size = "512M";
rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25;
public_baseurl = "https://${config.network.dns.domain}";
public_baseurl = "https://kittywit.ch";
url_preview_enabled = mkDefault true;
enable_registration = mkDefault false;
enable_metrics = mkDefault false;
@ -236,14 +236,14 @@ CONFIG = {
public = {
enabled = false;
prefix = "/public";
external = "https://${config.network.dns.domain}/public";
external = "https://kittywit.ch/public";
};
};
bridge = {
relaybot.authless_portals = false;
permissions = {
"@kat:${config.network.dns.domain}" = "admin";
"${config.network.dns.domain}" = "full";
"@kat:kittywit.ch" = "admin";
"kittywit.ch" = "full";
};
};
};
@ -293,15 +293,13 @@ CONFIG = {
after = [ "network.target" ];
};
deploy.tf.dns.records.services_element = {
inherit (config.network.dns) zone;
domains.kittywitch-matrix = {
inherit (config.networks.internet) target;
type = "cname";
domain = "matrix";
cname = { inherit (config.network.addresses.public) target; };
};
services.nginx.virtualHosts."matrix.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
services.nginx.virtualHosts."matrix.kittywit.ch" = {
extraConfig = ''
keepalive_requests 100000;
'';
@ -316,7 +314,7 @@ CONFIG = {
};
};
services.nginx.virtualHosts."${config.network.dns.domain}" = {
services.nginx.virtualHosts."kittywit.ch" = {
# allegedly fixes https://github.com/poljar/weechat-matrix/issues/240
extraConfig = ''
keepalive_requests 100000;
@ -334,7 +332,7 @@ CONFIG = {
"= /.well-known/matrix/client".extraConfig =
let
client = {
"m.homeserver" = { "base_url" = "https://${config.network.dns.domain}"; };
"m.homeserver" = { "base_url" = "https://kittywit.ch"; };
"m.identity_server" = { "base_url" = "https://vector.im"; };
};
in

11
services/syncplay.nix
View file

@ -17,10 +17,10 @@ with lib;
users.users.syncplay = { isSystemUser = true; group = "sync-cert"; };
users.groups."sync-cert".members = [ "nginx" "syncplay" ];
users.groups."domain-auth".members = [ "syncplay" ];
security.acme = {
certs."sync.${config.network.dns.domain}" = {
group = "sync-cert";
certs."kittywit.ch" = {
postRun = ''
cp key.pem privkey.pem
chown acme:voice-cert privkey.pem
@ -30,11 +30,6 @@ with lib;
networks.internet.tcp = [ 8999 ];
services.nginx.virtualHosts."sync.${config.network.dns.domain}" = {
enableACME = true;
forceSSL = true;
};
domains.kittywitch-syncplay = {
network = "internet";
type = "cname";

12
services/vaultwarden.nix
View file

@ -45,14 +45,12 @@
rocketPort = 4000;
websocketEnabled = true;
signupsAllowed = false;
domain = "https://vault.${config.network.dns.domain}";
domain = "https://vault.kittywit.ch}";
databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
};
};
services.nginx.virtualHosts."vault.${config.network.dns.domain}" = {
enableACME = true;
forceSSL = true;
services.nginx.virtualHosts."vault.kittywit.ch" = {
locations = {
"/" = {
proxyPass = "http://localhost:4000";
@ -69,9 +67,9 @@
};
};
deploy.tf.dns.records.services_vaultwarden = {
inherit (config.network.dns) zone;
domains.kittywitch-vault = {
inherit (config.networks.internet) target;
type = "cname";
domain = "vault";
cname = { inherit (config.network.addresses.public) target; };
};
}

2
services/website.nix
View file

@ -2,7 +2,7 @@
{
services.nginx.virtualHosts = {
"${config.network.dns.domain}" = {
"kittywit.ch" = {
root = pkgs.gensokyoZone;
enableACME = true;
forceSSL = true;

10
services/weechat.nix
View file

@ -1,9 +1,7 @@
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."irc.${config.network.dns.domain}" = {
enableACME = true;
forceSSL = true;
services.nginx.virtualHosts."irc.kittywit.ch" = {
locations = {
"/" = { root = pkgs.glowing-bear; };
"^~ /weechat" = {
@ -13,9 +11,9 @@
};
};
deploy.tf.dns.records.services_weechat = {
inherit (config.network.dns) zone;
domains.kittywitch_irc = {
domain = "irc";
cname = { inherit (config.network.addresses.public) target; };
inherit (config.networks.internet) target;
};
}

2
services/znc.nix
View file

@ -121,7 +121,7 @@ in
group = "znc";
};
services.nginx.virtualHosts."znc.${config.network.dns.domain}" = {
services.nginx.virtualHosts."znc.kittywit.ch" = {
enableACME = true;
forceSSL = true;
locations = { "/".proxyPass = "http://127.0.0.1:5002"; };