refactor(nginx): ssl module

arcnmx 2024-03-05 15:42:36 -08:00
parent 69c014b24e
commit a7e35fbc88
28 changed files with 794 additions and 546 deletions


@ -1,38 +0,0 @@
{
config,
lib,
}: let
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.bazarr;
access = config.services.nginx.access.bazarr;
proxyPass = mkDefault "https://${access.host}:${toString access.port}";
locations = {
"/" = {
inherit proxyPass;
};
};
in {
options.services.nginx.access.bazarr = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "bazarr.${config.networking.domain}";
};
port = mkOption {
type = port;
};
};
config.services.nginx = {
access.bazarr = mkIf cfg.enable {
host = mkOptionDefault "localhost";
port = mkOptionDefault cfg.listenPort;
};
virtualHosts = {
${access.domain} = {
inherit locations;
};
};
};
}


@ -7,7 +7,8 @@
}: let
inherit (lib.modules) mkDefault;
in {
services.nginx.virtualHosts.${config.networking.domain} = {
services.nginx.virtualHosts.gensokyoZone = {
serverName = config.networking.domain;
locations = {
"/" = {
root = inputs.website.packages.${pkgs.system}.gensokyoZone;


@ -3,20 +3,29 @@
lib,
...
}: let
inherit (lib.modules) mkIf mkDefault;
inherit (config.services) home-assistant tailscale;
proxyPass = "http://localhost:${toString home-assistant.config.http.server_port}/";
inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (config.services) home-assistant nginx;
name.shortServer = mkDefault "home";
listenPorts = {
http = { };
https.ssl = true;
hass = mkIf (!home-assistant.enable) { port = mkDefault home-assistant.config.http.server_port; };
};
in {
services.nginx.virtualHosts."home.local.${config.networking.domain}" = mkIf home-assistant.enable {
local.enable = mkDefault true;
locations."/" = {
inherit proxyPass;
};
};
services.nginx.virtualHosts."home.tail.${config.networking.domain}" = mkIf (home-assistant.enable && tailscale.enable) {
local.enable = mkDefault true;
locations."/" = {
inherit proxyPass;
config.services.nginx.virtualHosts = {
home-assistant = {
inherit name listenPorts;
locations."/".proxyPass = mkIf home-assistant.enable (mkDefault
"http://localhost:${toString home-assistant.config.http.server_port}"
);
};
home-assistant'local = {
inherit name listenPorts;
local.enable = mkDefault true;
locations."/".proxyPass = mkIf home-assistant.enable (mkDefault
nginx.virtualHosts.home-assistant.locations."/".proxyPass
);
};
};
config.networking.firewall.allowedTCPPorts = [ home-assistant.config.http.server_port ];
}
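Review bot: The `home-assistant` host on L93 drops the `local.enable = mkDefault true` that both removed hosts (L83, L89) carried, and nothing in the hunk gates it with `vouch.enable` the way `kitchencam` and `zigbee2mqtt` are gated elsewhere in this commit, so the proxy becomes reachable on the unqualified server name with no visible access control; if that is intended, say so in a comment, otherwise add `vouch.enable = true;` next to `inherit name listenPorts;`. The firewall entry on L107 is unconditional while the proxyPass lines are wrapped in `mkIf home-assistant.enable`, and it opens the backend port directly, bypassing whatever local/vouch policy the virtual hosts apply; it presumably serves the `hass` listen-port case on L79 as well, which is worth recording with `# nginx binds this port when home-assistant runs elsewhere; otherwise it is HA itself`. The module's first two lines are outside the hunk.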


@ -1,38 +0,0 @@
{
config,
lib,
}: let
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.jackett;
access = config.services.nginx.access.jackett;
proxyPass = mkDefault "https://${access.host}:${toString access.port}";
locations = {
"/" = {
inherit proxyPass;
};
};
in {
options.services.nginx.access.jackett = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "jackett.${config.networking.domain}";
};
port = mkOption {
type = port;
default = cfg.port;
};
};
config.services.nginx = {
access.jackett = mkIf cfg.enable {
host = mkOptionDefault "localhost";
};
virtualHosts = {
${access.domain} = {
inherit locations;
};
};
};
}

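--- /dev/null
+++ b/nixos/access/keycloak.nix
@@ -0,0 +1,54 @@
+{
+config,
+lib,
+...
+}: let
+inherit (lib.options) mkOption;
+inherit (lib.modules) mkIf mkDefault;
+cfg = config.services.keycloak;
+inherit (config) networking;
+inherit (config.services) nginx;
+access = nginx.access.keycloak;
+locations = {
+"/" = {
+proxyPass = mkDefault access.url;
+};
+};
+in {
+options.services.nginx.access.keycloak = with lib.types; {
+host = mkOption {
+type = str;
+default = "keycloak.local.${networking.domain}";
+};
+url = mkOption {
+type = str;
+default = "https://${access.host}";
+};
+};
+config.services.nginx = {
+access.keycloak = mkIf cfg.enable {
+host = mkDefault "localhost";
+url = mkDefault (if cfg.sslCertificate != null then "https://${access.host}" else "http://${access.host}");
+};
+virtualHosts = {
+keycloak = {
+name.shortServer = mkDefault "sso";
+ssl.force = mkDefault true;
+inherit locations;
+};
+keycloak'local = {
+name.shortServer = mkDefault "sso";
+ssl.force = mkDefault true;
+local.enable = true;
+inherit locations;
+extraConfig = mkIf nginx.vouch.localSso.enable ''
+set $vouch_local_url ${nginx.vouch.localUrl};
+if ($x_forwarded_host ~ "\.tail\.${networking.domain}$") {
+set $vouch_local_url $x_scheme://${nginx.vouch.tailDomain};
+}
+proxy_redirect ${nginx.vouch.url}/ $vouch_local_url/;
+'';
+};
+};
+};
+}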
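Review bot: The regex on L202 interpolates `${networking.domain}` unescaped, so every dot in the domain matches any character and the tail-host test is looser than it reads; `if ($x_forwarded_host ~ "\.tail\.${lib.strings.escapeRegex networking.domain}$") {` keeps it literal. The same block chooses the redirect target from `$x_forwarded_host`; if that variable is filled from a request header, a comment should record what makes it trustworthy on this host (presumably the `local.enable = true` restriction on L198 — verify), since the rewrite otherwise follows whatever the caller sent. Style: `name.shortServer` and `ssl.force` are repeated verbatim in both hosts; the sibling modules in this commit bind `name` in the `let` and `inherit name locations;`, which would read the same here.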


@ -27,18 +27,6 @@ in {
type = str;
default = "http://${access.host}:${toString access.streamPort}";
};
domain = mkOption {
type = str;
default = "kitchen.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "kitchen.local.${config.networking.domain}";
};
tailDomain = mkOption {
type = str;
default = "kitchen.tail.${config.networking.domain}";
};
useACMEHost = mkOption {
type = nullOr str;
default = null;
@ -46,7 +34,6 @@ in {
};
config.services.nginx = {
virtualHosts = let
addSSL = access.useACMEHost != null || virtualHosts.${access.domain}.addSSL || virtualHosts.${access.domain}.forceSSL;
extraConfig = ''
proxy_redirect off;
proxy_buffering off;
@ -64,47 +51,22 @@ in {
inherit extraConfig;
};
};
streamListen = {config, ...}: {
listen =
concatMap (addr: [
(mkIf config.addSSL {
inherit addr;
port = nginx.defaultSSLListenPort;
ssl = true;
})
{
inherit addr;
port = nginx.defaultHTTPListenPort;
}
{
inherit addr;
port = access.streamPort;
}
])
nginx.defaultListenAddresses;
listenPorts = {
http = { };
https.ssl = true;
stream.port = mkDefault access.streamPort;
};
name.shortServer = mkDefault "kitchen";
kTLS = mkDefault true;
in {
${access.domain} = mkMerge [
{
vouch.enable = true;
kTLS = mkDefault true;
inherit (access) useACMEHost;
addSSL = mkDefault (access.useACMEHost != null);
inherit locations;
}
streamListen
];
${access.localDomain} = mkMerge [
{
serverAliases = mkIf config.services.tailscale.enable [access.tailDomain];
inherit (virtualHosts.${access.domain}) useACMEHost;
addSSL = mkDefault addSSL;
kTLS = mkDefault true;
local.enable = true;
inherit locations;
}
streamListen
];
kitchencam = {
inherit name locations listenPorts kTLS;
vouch.enable = true;
};
kitchencam'local = {
inherit name locations listenPorts kTLS;
local.enable = true;
};
};
};
config.networking.firewall.allowedTCPPorts = [
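Review bot: The `useACMEHost` option kept at L230-232 is no longer consumed in the new hunks: the removed L275-276 and L284-285 passed it into the hosts and derived `addSSL` from it, while `kitchencam`/`kitchencam'local` on L292-299 only set `listenPorts.https.ssl = true`. Unless the ssl module reads it from `access` on its own, the option is now dead and a user-set value silently does nothing; either remove it or add `inherit (access) useACMEHost;` to both hosts. The `allowedTCPPorts` list opened on L302 continues outside the hunk.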


@ -1,13 +0,0 @@
{
config,
lib,
meta,
...
}:
with lib; {
services.nginx.virtualHosts."cloud.${config.networking.domain}" = {
locations = {
"/".proxyPass = meta.tailnet.yukari.ppp 4 80 "nextcloud/";
};
};
}


@ -1,38 +0,0 @@
{
config,
lib,
}: let
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.ombi;
access = config.services.nginx.access.ombi;
proxyPass = mkDefault "https://${access.host}:${toString access.port}";
locations = {
"/" = {
inherit proxyPass;
};
};
in {
options.services.nginx.access.ombi = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "ombi.${config.networking.domain}";
};
port = mkOption {
type = port;
};
};
config.services.nginx = {
access.ombi = mkIf cfg.enable {
host = mkOptionDefault "localhost";
port = mkOptionDefault cfg.port;
};
virtualHosts = {
${access.domain} = {
inherit locations;
};
};
};
}


@ -13,14 +13,6 @@ in {
url = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "plex.${config.networking.domain}";
};
localDomain = mkOption {
type = str;
default = "plex.local.${config.networking.domain}";
};
externalPort = mkOption {
type = nullOr port;
default = null;
@ -51,33 +43,25 @@ in {
proxy_redirect off;
proxy_buffering off;
'';
location = {
locations."/" = {
proxy.websocket.enable = true;
proxyPass = access.url;
};
name.shortServer = mkDefault "plex";
kTLS = mkDefault true;
in {
${access.domain} = {
locations."/" = location;
kTLS = mkDefault true;
inherit extraConfig;
plex = {
inherit name locations extraConfig kTLS;
};
${access.localDomain} = {
plex'local = {
inherit name locations extraConfig kTLS;
local.enable = true;
locations."/" = location;
kTLS = mkDefault true;
inherit extraConfig;
};
plex-external = mkIf (access.externalPort != null) {
serverName = mkDefault access.domain;
serverName = mkDefault "plex.${config.networking.domain}";
default = mkDefault true;
listen =
map (addr: {
inherit addr;
port = access.externalPort;
})
nginx.defaultListenAddresses;
locations."/" = location;
inherit extraConfig;
listenPorts.external.port = access.externalPort;
inherit extraConfig locations;
};
};
};
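Review bot: `plex-external` on L409 hardcodes `serverName = mkDefault "plex.${config.networking.domain}"` while the two sibling hosts take their names from the `name` binding added on L389; if the name module yields the same server name for `shortServer = "plex"`, `inherit name extraConfig locations;` would keep the three hosts in step when the naming scheme changes, and if it does not, a one-line comment on why the external host needs a fixed name would help the next reader. The `virtualHosts = let … in` that these hosts sit in opens before the hunk.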


@ -1,38 +0,0 @@
{
config,
lib,
}: let
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.radarr;
access = config.services.nginx.access.radarr;
proxyPass = mkDefault "https://${access.host}:${toString access.port}";
locations = {
"/" = {
inherit proxyPass;
};
};
in {
options.services.nginx.access.radarr = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "radarr.${config.networking.domain}";
};
port = mkOption {
type = port;
default = cfg.port;
};
};
config.services.nginx = {
access.radarr = mkIf cfg.enable {
host = mkOptionDefault "localhost";
};
virtualHosts = {
${access.domain} = {
inherit locations;
};
};
};
}


@ -1,38 +0,0 @@
{
config,
lib,
}: let
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.sonarr;
access = config.services.nginx.access.sonarr;
proxyPass = mkDefault "https://${access.host}:${toString access.port}";
locations = {
"/" = {
inherit proxyPass;
};
};
in {
options.services.nginx.access.sonarr = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "sonarr.${config.networking.domain}";
};
port = mkOption {
type = port;
default = cfg.port;
};
};
config.services.nginx = {
access.sonarr = mkIf cfg.enable {
host = mkOptionDefault "localhost";
};
virtualHosts = {
${access.domain} = {
inherit locations;
};
};
};
}


@ -1,38 +0,0 @@
{
config,
lib,
}: let
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.tautulli;
access = config.services.nginx.access.tautulli;
proxyPass = mkDefault "https://${access.host}:${toString access.port}";
locations = {
"/" = {
inherit proxyPass;
};
};
in {
options.services.nginx.access.tautulli = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "tautulli.${config.networking.domain}";
};
port = mkOption {
type = port;
};
};
config.services.nginx = {
access.tautulli = mkIf cfg.enable {
host = mkOptionDefault "localhost";
port = mkOptionDefault cfg.port;
};
virtualHosts = {
${access.domain} = {
inherit locations;
};
};
};
}


@ -14,22 +14,6 @@ in {
url = mkOption {
type = str;
};
domain = mkOption {
type = str;
default = "login.${networking.domain}";
};
localDomain = mkOption {
type = str;
default = "login.local.${networking.domain}";
};
tailDomain = mkOption {
type = str;
default = "login.tail.${networking.domain}";
};
useACMEHost = mkOption {
type = nullOr str;
default = null;
};
};
config.services.nginx = {
access.vouch = mkIf cfg.enable {
@ -51,42 +35,52 @@ in {
'';
};
"/validate" = {config, ...}: {
proxied.enable = true;
proxyPass = mkDefault (access.url + "/validate");
recommendedProxySettings = mkDefault false;
extraConfig =
if config.local.trusted
then ''
if ($http_x_host = ''') {
set $http_x_host $host;
}
proxy_set_header Host $http_x_host;
''
else ''
proxy_set_header Host $host;
'';
proxy.headers.enableRecommended = true;
local.denyGlobal = true;
extraConfig = ''
set $x_proxy_host $x_forwarded_host;
'';
};
};
localLocations = kanidmDomain: {
"/".extraConfig = ''
proxy_redirect $scheme://sso.${networking.domain}/ $scheme://${kanidmDomain}/;
'';
localLocations = kanidmDomain: mkIf nginx.vouch.localSso.enable {
"/" = {
proxied.xvars.enable = true;
extraConfig = ''
proxy_redirect https://sso.${networking.domain}/ $x_scheme://${kanidmDomain}/;
'';
};
};
name.shortServer = mkDefault "login";
in {
${access.localDomain} = mkIf (access.useACMEHost != null) {
local.enable = true;
locations = mkMerge [
locations
];
useACMEHost = mkDefault access.useACMEHost;
forceSSL = true;
vouch = {
inherit name locations;
ssl.force = true;
};
${access.tailDomain} = mkIf tailscale.enable {
vouch'local = {
name = {
inherit (name) shortServer;
qualifier = mkDefault "local";
includeTailscale = false;
};
local.enable = true;
ssl.force = true;
locations = mkMerge [
locations
(localLocations "sso.local.${networking.domain}")
];
};
vouch'tail = mkIf tailscale.enable {
name = {
inherit (name) shortServer;
qualifier = mkDefault "tail";
};
local.enable = true;
locations = mkMerge [
locations
(localLocations "sso.tail.${networking.domain}")
];
useACMEHost = mkDefault access.useACMEHost;
addSSL = mkIf (access.useACMEHost != null) (mkDefault true);
};
};
};
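Review bot: The `/validate` location on L594-598 now sets `$x_proxy_host` from `$x_forwarded_host` for every client that `local.denyGlobal` admits, whereas the removed L584-593 only honoured a caller-supplied host for `config.local.trusted` and pinned `$host` for everyone else; if `$x_forwarded_host` is derived from a request header, the set of callers able to steer the upstream Host on the validate endpoint has widened from trusted to all non-global, and that should either be narrowed back or recorded with a comment such as `# /validate is reached only via auth_request from local hosts; x_forwarded_host is taken from them`. Separately, `vouch'tail` on L640-652 is the only one of the three hosts without `ssl.force = true`, which mirrors the old optional `addSSL` but leaves the login host answering plain HTTP on the tail name; confirm that is intended and note it inline. The `virtualHosts = let … in` these hosts sit in opens before the hunk.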


@ -7,47 +7,35 @@
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
cfg = config.services.zigbee2mqtt;
access = config.services.nginx.access.zigbee2mqtt;
location = {
locations."/" = {
proxy.websocket.enable = true;
proxyPass = mkDefault "http://${access.host}:${toString access.port}";
};
name.shortServer = mkDefault "z2m";
in {
options.services.nginx.access.zigbee2mqtt = with lib.types; {
host = mkOption {
type = str;
};
domain = mkOption {
type = str;
};
localDomain = mkOption {
type = str;
default = "z2m.local.${config.networking.domain}";
};
tailDomain = mkOption {
type = str;
default = "z2m.tail.${config.networking.domain}";
};
port = mkOption {
type = port;
};
};
config.services.nginx = {
access.zigbee2mqtt = mkIf cfg.enable {
domain = mkOptionDefault cfg.domain;
host = mkOptionDefault "localhost";
port = mkIf (cfg.settings ? frontend.port) (
mkOptionDefault cfg.settings.frontend.port
);
};
virtualHosts = {
${access.domain} = {
zigbee2mqtt = {
inherit name locations;
vouch.enable = true;
locations."/" = location;
};
${access.localDomain} = {
serverAliases = mkIf config.services.tailscale.enable [access.tailDomain];
zigbee2mqtt'local = {
inherit name locations;
local.enable = true;
locations."/" = location;
};
};
};