mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-09 12:29:19 -08:00
refactor(nginx): ssl module
This commit is contained in:
arcnmx
parent
69c014b24e
commit
a7e35fbc88
28 changed files with 794 additions and 546 deletions
|
|
@ -11,6 +11,7 @@
|
|||
tei = access.nixosFor "tei";
|
||||
inherit (mediabox.services) plex;
|
||||
inherit (keycloak.services) vouch-proxy;
|
||||
inherit (tei.services) home-assistant;
|
||||
inherit (config.services) nginx tailscale;
|
||||
in {
|
||||
imports = let
|
||||
|
|
@ -31,11 +32,13 @@ in {
|
|||
nixos.access.nginx
|
||||
nixos.access.global
|
||||
nixos.access.gensokyo
|
||||
nixos.access.keycloak
|
||||
nixos.access.vouch
|
||||
nixos.access.freeipa
|
||||
nixos.access.freepbx
|
||||
nixos.access.unifi
|
||||
nixos.access.kitchencam
|
||||
nixos.access.home-assistant
|
||||
nixos.access.proxmox
|
||||
nixos.access.plex
|
||||
nixos.access.invidious
|
||||
|
|
@ -61,14 +64,31 @@ in {
|
|||
};
|
||||
|
||||
security.acme.certs = let
|
||||
inherit (nginx) access;
|
||||
inherit (nginx) access virtualHosts;
|
||||
in {
|
||||
${access.vouch.localDomain} = {
|
||||
keycloak = {
|
||||
inherit (nginx) group;
|
||||
domain = virtualHosts.keycloak.serverName;
|
||||
extraDomainNames = mkMerge [
|
||||
(mkIf tailscale.enable [
|
||||
access.vouch.tailDomain
|
||||
])
|
||||
virtualHosts.keycloak.serverAliases
|
||||
virtualHosts.keycloak'local.allServerNames
|
||||
];
|
||||
};
|
||||
home-assistant = {
|
||||
inherit (nginx) group;
|
||||
domain = virtualHosts.home-assistant.serverName;
|
||||
extraDomainNames = mkMerge [
|
||||
virtualHosts.home-assistant.serverAliases
|
||||
virtualHosts.home-assistant'local.allServerNames
|
||||
];
|
||||
};
|
||||
vouch = {
|
||||
inherit (nginx) group;
|
||||
domain = virtualHosts.vouch.serverName;
|
||||
extraDomainNames = mkMerge [
|
||||
virtualHosts.vouch.serverAliases
|
||||
virtualHosts.vouch'local.allServerNames
|
||||
(mkIf tailscale.enable virtualHosts.vouch'tail.allServerNames)
|
||||
];
|
||||
};
|
||||
${access.unifi.domain} = {
|
||||
|
|
@ -116,19 +136,20 @@ in {
|
|||
])
|
||||
];
|
||||
};
|
||||
${access.plex.domain} = {
|
||||
inherit (nginx) group;
|
||||
extraDomainNames = [access.plex.localDomain];
|
||||
};
|
||||
${access.kitchencam.domain} = {
|
||||
plex = {
|
||||
inherit (nginx) group;
|
||||
domain = virtualHosts.plex.serverName;
|
||||
extraDomainNames = mkMerge [
|
||||
[
|
||||
access.kitchencam.localDomain
|
||||
]
|
||||
(mkIf tailscale.enable [
|
||||
access.kitchencam.tailDomain
|
||||
])
|
||||
virtualHosts.plex.serverAliases
|
||||
virtualHosts.plex'local.allServerNames
|
||||
];
|
||||
};
|
||||
kitchencam = {
|
||||
inherit (nginx) group;
|
||||
domain = virtualHosts.kitchencam.serverName;
|
||||
extraDomainNames = mkMerge [
|
||||
virtualHosts.kitchencam.serverAliases
|
||||
virtualHosts.kitchencam'local.allServerNames
|
||||
];
|
||||
};
|
||||
${access.invidious.domain} = {
|
||||
|
|
@ -153,7 +174,6 @@ in {
|
|||
};
|
||||
access.vouch = assert vouch-proxy.enable; {
|
||||
url = "http://${keycloak.lib.access.hostnameForNetwork.local}:${toString vouch-proxy.settings.vouch.port}";
|
||||
useACMEHost = access.vouch.localDomain;
|
||||
};
|
||||
access.unifi = {
|
||||
host = tei.lib.access.hostnameForNetwork.local;
|
||||
|
|
@ -169,24 +189,40 @@ in {
|
|||
};
|
||||
access.kitchencam = {
|
||||
streamPort = 41081;
|
||||
useACMEHost = access.kitchencam.domain;
|
||||
};
|
||||
access.invidious = {
|
||||
url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
|
||||
};
|
||||
virtualHosts = {
|
||||
gensokyoZone.proxied.enable = "cloudflared";
|
||||
keycloak = {
|
||||
# we're not the real sso record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.name = "keycloak";
|
||||
};
|
||||
keycloak'local.ssl.cert.name = "keycloak";
|
||||
vouch.ssl.cert.name = "vouch";
|
||||
vouch'local.ssl.cert.name = "vouch";
|
||||
vouch'tail = mkIf tailscale.enable {
|
||||
ssl.cert.name = "vouch";
|
||||
};
|
||||
home-assistant = {
|
||||
# not the real hass record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.name = "home-assistant";
|
||||
locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}";
|
||||
};
|
||||
home-assistant'local.ssl.cert.name = "home-assistant";
|
||||
${access.freepbx.domain} = {
|
||||
local.enable = true;
|
||||
};
|
||||
${access.proxmox.domain} = {
|
||||
useACMEHost = access.proxmox.domain;
|
||||
};
|
||||
${access.plex.domain} = {
|
||||
addSSL = true;
|
||||
useACMEHost = access.plex.domain;
|
||||
};
|
||||
${access.kitchencam.domain} = {
|
||||
};
|
||||
plex.ssl.cert.name = "plex";
|
||||
plex'local.ssl.cert.name = "plex";
|
||||
kitchencam.ssl.cert.name = "kitchencam";
|
||||
kitchencam'local.ssl.cert.name = "kitchencam";
|
||||
${access.invidious.domain} = {
|
||||
useACMEHost = access.invidious.domain;
|
||||
forceSSL = true;
|
||||
|
|
|
|||
|
|
@ -17,18 +17,20 @@
|
|||
tunnels.${tunnelId} = {
|
||||
default = "http_status:404";
|
||||
credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
|
||||
ingress = {
|
||||
${keycloak.settings.hostname} = assert keycloak.enable; let
|
||||
scheme = if keycloak.sslCertificate != null then "https" else "http";
|
||||
port = keycloak.settings."${scheme}-port";
|
||||
in {
|
||||
service = "${scheme}://localhost:${toString port}";
|
||||
originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;
|
||||
ingress = let
|
||||
keycloakHost = if keycloak.settings.hostname != null then keycloak.settings.hostname else "sso.${config.networking.domain}";
|
||||
keyCloakScheme = if keycloak.sslCertificate != null then "https" else "http";
|
||||
keycloakPort = keycloak.settings."${keyCloakScheme}-port";
|
||||
in {
|
||||
${keycloakHost} = assert keycloak.enable; {
|
||||
service = "${keyCloakScheme}://localhost:${toString keycloakPort}";
|
||||
originRequest.${if keyCloakScheme == "https" then "noTLSVerify" else null} = true;
|
||||
};
|
||||
${vouch-proxy.domain}.service = assert vouch-proxy.enable; "http://localhost:${toString vouch-proxy.settings.vouch.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.cloudflared-tunnel-keycloak = {
|
||||
owner = config.services.cloudflared.user;
|
||||
};
|
||||
|
|
|
|||
|
|
@ -153,9 +153,9 @@ chmod 0755 /rpool/caches/plex/tautulli/cache
|
|||
mkshared hass 100286 100286 0700
|
||||
mkshared kanidm 100994 100993 0700
|
||||
mkshared mosquitto 100246 100246 0700
|
||||
mkshared plex 100193 100193 0755
|
||||
mkshared plex 100193 100193 0750
|
||||
mkshared postgresql 100071 100071 0750
|
||||
mkshared unifi 100990 100990 0755
|
||||
mkshared unifi 100990 100990 0750
|
||||
mkshared zigbee2mqtt 100317 100317 0700
|
||||
|
||||
ln -sf /lib/systemd/system/auth-rpcgss-module.service /etc/systemd/system/
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ in {
|
|||
nixos.postgres
|
||||
nixos.nginx
|
||||
nixos.access.zigbee2mqtt
|
||||
nixos.access.home-assistant
|
||||
nixos.access.unifi
|
||||
nixos.unifi
|
||||
nixos.mosquitto
|
||||
|
|
@ -27,13 +26,9 @@ in {
|
|||
./cloudflared.nix
|
||||
];
|
||||
|
||||
services.nginx = let
|
||||
inherit (config.services.nginx) access;
|
||||
in {
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
${access.zigbee2mqtt.domain} = {
|
||||
local.denyGlobal = true;
|
||||
};
|
||||
zigbee2mqtt.proxied.enable = "cloudflared";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue