diff --git a/apps/work.nix b/apps/work.nix index 31b2867..b9d242e 100644 --- a/apps/work.nix +++ b/apps/work.nix @@ -286,12 +286,12 @@ let ''; hostsNoRemote = pkgs.writeText "hosts_no_remote" '' - 127.0.0.1 graf1.local graf2.local kibana.local + 127.0.0.1 graf1.local graf2.local kibana.local ${inputs.secrets.work.zabbix} ${inputs.secrets.work.zabbix-url} zabbix.local ''; hostsRemote = pkgs.writeText "host_remote" '' - 100.92.15.128 graf1.local graf2.local kibana.local zabbix.local ${inputs.secrets.work.zabbix-url} + 100.92.15.128 graf1.local graf2.local kibana.local zabbix.local ${inputs.secrets.work.zabbix-url} ${inputs.secrets.work.graf-url} ${inputs.secrets.work.prox-1.name} ${inputs.secrets.work.prox-2.name} ${inputs.secrets.work.prox-3.name} ''; kittyWork = pkgs.writeScriptBin "kittywork" '' diff --git a/hosts/intelnuc/system.nix b/hosts/intelnuc/system.nix index 16519ca..112d811 100644 --- a/hosts/intelnuc/system.nix +++ b/hosts/intelnuc/system.nix @@ -1,5 +1,4 @@ { config, pkgs, inputs,... }: - { imports = [ ./hardware.nix @@ -81,8 +80,19 @@ services.nginx.enable = true; services.nginx.virtualHosts."grafana" = { forceSSL = false; - listen = [{port = 80; addr="0.0.0.0"; ssl=false;}]; - serverName = "graf1.local ${inputs.secrets.work.graf-url}"; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ''; + + serverName = "graf1.local"; + serverAliases = [ "${inputs.secrets.work.graf-url}" ]; locations."/".extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
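Review bot: Both hosts files are built with `pkgs.writeText`, so every name pulled from `inputs.secrets.work.*` (now also the zabbix, grafana and three Proxmox hostnames) ends up in the world-readable Nix store on whatever machine evaluates this; if those names are meant to stay private the file should be rendered at activation from a runtime secrets path instead of at build time. hosts_no_remote also maps `${inputs.secrets.work.zabbix}` to 127.0.0.1 while hosts/intelnuc/system.nix proxies the zabbix vhost to `https://${inputs.secrets.work.zabbix}`; presumably this file is only ever installed on a client and never on the NUC, but a one-line comment such as `# client-side override: never install on the nginx host, it would loop the zabbix proxy onto itself` would make that explicit.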
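Review bot: The grafana vhost keeps `forceSSL = false;` and still lists port 80 with `ssl = false`, so after this change the TLS listener is merely optional and Grafana's session cookie can still be carried over cleartext; now that a certificate is configured, `forceSSL = true;` would make the module emit the 80→443 redirect, and the module's `sslCertificate = "/run/secrets/cert"; sslCertificateKey = "/run/secrets/key";` options exist for exactly this rather than raw `ssl_certificate` directives in `extraConfig`. `ssl_ciphers HIGH:!aNULL:!MD5` also admits static-RSA and CBC suites with no forward secrecy; `services.nginx.recommendedTlsSettings = true;` (or an ECDHE-only list with `ssl_prefer_server_ciphers on`) is the usual choice. The identical listen/TLS stanza is pasted into every vhost in this commit and could be a single shared attribute set. The vhost's `proxy_pass` line lies outside the hunk.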
@@ -98,7 +108,16 @@ services.nginx.virtualHosts."keycloak" = { forceSSL = false; - listen = [{port = 80; addr="0.0.0.0"; ssl=false;}]; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ''; serverName = "${inputs.secrets.work.keycloak}"; locations."/".extraConfig = '' proxy_set_header Host $host; @@ -109,17 +128,35 @@ services.nginx.virtualHosts."kibana" = { forceSSL = false; - listen = [{port = 80; addr="0.0.0.0"; ssl=false;}]; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ''; serverName = "kibana.local ${inputs.secrets.work.kibana}"; locations."/".extraConfig = '' proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; - proxy_pass https://${inputs.secrets.work.kibana}; + proxy_pass http://${inputs.secrets.work.kibana}; ''; }; services.nginx.virtualHosts."zabbix" = { forceSSL = false; - listen = [{port = 80; addr="0.0.0.0"; ssl=false;}]; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ''; serverName = "zabbix.local"; serverAliases = [ "${inputs.secrets.work.zabbix-url}" ]; locations."/".extraConfig = '' 
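Review bot: TLS is now terminated in front of Keycloak but the location only forwards `Host` and (by context) `X-Real-IP`, so Keycloak will presumably still see plain HTTP and build its issuer, redirect and cookie attributes for `http://`, which tends to surface as redirect loops or non-Secure cookies on the HTTPS front end. Add `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and enable proxy-header trust on the Keycloak side. With `forceSSL = false;` retained the whole login flow can still be driven over the port-80 listener, which defeats the point of the new certificate for this particular service. The location block continues past the end of the hunk.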
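Review bot: The kibana upstream is flipped from `https://` to `http://` in the same change that adds TLS on the front end, so the nginx→Kibana hop is now cleartext while only the browser→nginx hop is encrypted; if `${inputs.secrets.work.kibana}` is not on this host (the 100.92.15.128 hosts entry in apps/work.nix suggests these services are reached across a network), anything the proxy relays — including whatever session cookie Kibana sets — crosses it unencrypted. If Kibana genuinely no longer serves TLS, a comment at the `proxy_pass` line saying so (`# kibana serves plain HTTP on the overlay only; do not expose this hop beyond it`) would stop the next reader from silently reverting it; otherwise keep `https://` and pin the upstream with `proxy_ssl_verify on; proxy_ssl_trusted_certificate …;`. `serverName = "kibana.local ${inputs.secrets.work.kibana}"` packs two names into one `server_name` with a space while the zabbix vhost directly below uses `serverAliases`; using `serverAliases` here too keeps the file consistent.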
@@ -128,6 +165,70 @@ proxy_pass https://${inputs.secrets.work.zabbix}; ''; }; + services.nginx.virtualHosts."prox-1" = { + forceSSL = false; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + proxy_ssl_verify off; + ''; + serverName = "prox-1.local"; + serverAliases = [ "${inputs.secrets.work.prox-1.name}" ]; + locations."/".extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass https://${inputs.secrets.work.prox-1.ip}; + ''; + }; + services.nginx.virtualHosts."prox-2" = { + forceSSL = false; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + proxy_ssl_verify off; + ''; + serverName = "prox-2.local"; + serverAliases = [ "${inputs.secrets.work.prox-2.name}" ]; + locations."/".extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass https://${inputs.secrets.work.prox-2.ip}; + ''; + }; + services.nginx.virtualHosts."prox-3" = { + forceSSL = false; + listen = [ + {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP + {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS + ]; + extraConfig = '' + ssl_certificate /run/secrets/cert; + ssl_certificate_key /run/secrets/key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + proxy_ssl_verify off; + ''; + serverName = "prox-3.local"; + serverAliases = [ "${inputs.secrets.work.prox-3.name}" ]; + locations."/".extraConfig = 
'' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_pass https://${inputs.secrets.work.prox-3.ip}; + ''; + }; + services.forgejo = { enable = true;
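Review bot: `proxy_ssl_verify off` in each prox-N `extraConfig` makes nginx accept any certificate from the host it forwards to, so anyone on the path between this NUC and `${inputs.secrets.work.prox-N.ip}` can impersonate the hypervisor and collect the PVE login and ticket cookie that the proxy relays. Proxmox ships a self-signed certificate by default, so the fix is to pin rather than disable: `proxy_ssl_verify on; proxy_ssl_trusted_certificate /run/secrets/pve-root-ca.pem; proxy_ssl_name <node name>;` with the PVE root CA copied out of band (assuming, as is usual, that the node certificate carries the name in `prox-N.name`). The three blocks differ only in name and IP and are better generated by one helper, which also gives a single place to add the websocket upgrade headers the Proxmox console presumably needs. The hunk's trailing context may extend past what is shown here.
```nix
# … unchanged: grafana / keycloak / kibana / zabbix vhosts …
services.nginx.virtualHosts = let
  # One Proxmox reverse-proxy vhost; `short` is the .local label, `prox`
  # the secrets attrset with `name` and `ip`.
  mkProxVhost = short: prox: {
    forceSSL = false;
    listen = [
      { port = 80;  addr = "0.0.0.0"; ssl = false; }
      { port = 443; addr = "0.0.0.0"; ssl = true; }
    ];
    extraConfig = ''
      ssl_certificate /run/secrets/cert;
      ssl_certificate_key /run/secrets/key;
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers HIGH:!aNULL:!MD5;
      # Verify the hypervisor's cert against the PVE root CA instead of
      # accepting anything on the wire.
      proxy_ssl_verify on;
      proxy_ssl_trusted_certificate /run/secrets/pve-root-ca.pem;
      proxy_ssl_name ${prox.name};
    '';
    serverName = "${short}.local";
    serverAliases = [ prox.name ];
    locations."/".extraConfig = ''
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      # noVNC / xterm.js consoles are websocket-based.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_pass https://${prox.ip};
    '';
  };
in {
  prox-1 = mkProxVhost "prox-1" inputs.secrets.work.prox-1;
  prox-2 = mkProxVhost "prox-2" inputs.secrets.work.prox-2;
  prox-3 = mkProxVhost "prox-3" inputs.secrets.work.prox-3;
};
# … unchanged: services.forgejo …
```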