From df106467ab654aa694beb6fc70fe449db60aa451 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Sun, 19 May 2024 23:42:20 +0300
Subject: [PATCH] nginx work sep file
---
 flake.lock | 8 +-
 hosts/intelnuc/nginx-work.nix | 154 ++++++++++++++++++++++++++++++++++
 hosts/intelnuc/system.nix | 154 +---------------------------------
 3 files changed, 159 insertions(+), 157 deletions(-)
 create mode 100644 hosts/intelnuc/nginx-work.nix
diff --git a/flake.lock b/flake.lock
index 2a45d9c..28efd72 100644
--- a/flake.lock
+++ b/flake.lock
@@ -796,11 +796,11 @@
 "sops-nix": "sops-nix"
 },
 "locked": {
- "lastModified": 1716080992,
- "narHash": "sha256-Izmwja4KDHh4ST9XgbYye4xOmStCoQycmkUyjRSXsoI=",
+ "lastModified": 1716081545,
+ "narHash": "sha256-ypSvXHziqSlX/dafHm0SWS2TiaAEoswWr/0LrzPC8Xc=",
 "ref": "refs/heads/main",
- "rev": "c395b0cf31b8fdea5c903af6338143feed848e77",
- "revCount": 31,
+ "rev": "33beddf3a50f2a15266f847e298b50ce54077ef8",
+ "revCount": 33,
 "type": "git",
 "url": "ssh://git@github.com/deltathetawastaken/secrets.git"
 },
diff --git a/hosts/intelnuc/nginx-work.nix b/hosts/intelnuc/nginx-work.nix
new file mode 100644
index 0000000..afb47b4
--- /dev/null
+++ b/hosts/intelnuc/nginx-work.nix
@@ -0,0 +1,154 @@
+{ inputs, ... }:
+{
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."grafana" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ '';
+
+ serverName = "graf1.local";
+ serverAliases = [ "${inputs.secrets.work.graf-url}" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://${inputs.secrets.work.graf-url};
+ '';
+ locations."/api/live/ws".extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass https://${inputs.secrets.work.graf-url};
+ '';
+ };
+
+ services.nginx.virtualHosts."keycloak" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ '';
+ serverName = "${inputs.secrets.work.keycloak}";
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://${inputs.secrets.work.keycloak};
+ '';
+ };
+
+ services.nginx.virtualHosts."kibana" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ '';
+ serverName = "kibana.local ${inputs.secrets.work.kibana}";
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://${inputs.secrets.work.kibana};
+ '';
+ };
+ services.nginx.virtualHosts."zabbix" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ '';
+ serverName = "zabbix.local";
+ serverAliases = [ "${inputs.secrets.work.zabbix-url}" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://${inputs.secrets.work.zabbix};
+ '';
+ };
+ services.nginx.virtualHosts."prox-1" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ proxy_ssl_verify off;
+ '';
+ serverName = "prox-1.local";
+ serverAliases = [ "${inputs.secrets.work.prox-1.name}" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://${inputs.secrets.work.prox-1.ip};
+ '';
+ };
+ services.nginx.virtualHosts."prox-2" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ proxy_ssl_verify off;
+ '';
+ serverName = "prox-2.local";
+ serverAliases = [ "${inputs.secrets.work.prox-2.name}" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://${inputs.secrets.work.prox-2.ip};
+ '';
+ };
+ services.nginx.virtualHosts."prox-3" = {
+ forceSSL = false;
+ listen = [
+ {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
+ {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
+ ];
+ extraConfig = ''
+ ssl_certificate /run/secrets/cert;
+ ssl_certificate_key /run/secrets/key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ proxy_ssl_verify off;
+ '';
+ serverName = "prox-3.local";
+ serverAliases = [ "${inputs.secrets.work.prox-3.name}" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://${inputs.secrets.work.prox-3.ip};
+ '';
+ };
+}
\ No newline at end of file
diff --git a/hosts/intelnuc/system.nix b/hosts/intelnuc/system.nix
index 112d811..4ffe8d0 100644
--- a/hosts/intelnuc/system.nix
+++ b/hosts/intelnuc/system.nix
@@ -2,6 +2,7 @@
 {
 imports = [
 ./hardware.nix
+ ./nginx-work.nix
 inputs.secrets.nixosModules.intelnuc
 ];
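Review bot: None of the HTTPS upstreams in the new `nginx-work.nix` are authenticated: the three `prox-*` vhosts set `proxy_ssl_verify off;` explicitly, and the grafana, keycloak and zabbix vhosts never enable verification, so nginx's default (also off) applies to them too. A host that answers in place of a backend would be trusted with the proxied sessions, which matters most for the Keycloak logins. I would add `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-internal-CA-bundle>;` and `proxy_ssl_server_name on;` to each vhost's `extraConfig` (the CA path is a placeholder, the page shows none), and the `prox-*` vhosts, which proxy to an IP, would likely also need `proxy_ssl_name` set to the name in the backend certificate. Separately, every vhost keeps `forceSSL = false` with a port 80 listener on `0.0.0.0`, and the kibana vhost proxies to `http://`, so credentials can still travel in cleartext on both sides of the proxy; consider dropping the port 80 entries from `listen` or redirecting them to 443.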
@@ -77,159 +78,6 @@
 ];
 };
- services.nginx.enable = true;
- services.nginx.virtualHosts."grafana" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- '';
-
- serverName = "graf1.local";
- serverAliases = [ "${inputs.secrets.work.graf-url}" ];
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass https://${inputs.secrets.work.graf-url};
- '';
- locations."/api/live/ws".extraConfig = ''
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_pass https://${inputs.secrets.work.graf-url};
- '';
- };
-
- services.nginx.virtualHosts."keycloak" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- '';
- serverName = "${inputs.secrets.work.keycloak}";
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass https://${inputs.secrets.work.keycloak};
- '';
- };
-
- services.nginx.virtualHosts."kibana" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- '';
- serverName = "kibana.local ${inputs.secrets.work.kibana}";
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass http://${inputs.secrets.work.kibana};
- '';
- };
- services.nginx.virtualHosts."zabbix" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- '';
- serverName = "zabbix.local";
- serverAliases = [ "${inputs.secrets.work.zabbix-url}" ];
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass https://${inputs.secrets.work.zabbix};
- '';
- };
- services.nginx.virtualHosts."prox-1" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- proxy_ssl_verify off;
- '';
- serverName = "prox-1.local";
- serverAliases = [ "${inputs.secrets.work.prox-1.name}" ];
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass https://${inputs.secrets.work.prox-1.ip};
- '';
- };
- services.nginx.virtualHosts."prox-2" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- proxy_ssl_verify off;
- '';
- serverName = "prox-2.local";
- serverAliases = [ "${inputs.secrets.work.prox-2.name}" ];
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass https://${inputs.secrets.work.prox-2.ip};
- '';
- };
- services.nginx.virtualHosts."prox-3" = {
- forceSSL = false;
- listen = [
- {port = 80; addr = "0.0.0.0"; ssl = false;} # Listen on port 80 for HTTP
- {port = 443; addr = "0.0.0.0"; ssl = true;} # Listen on port 443 for HTTPS
- ];
- extraConfig = ''
- ssl_certificate /run/secrets/cert;
- ssl_certificate_key /run/secrets/key;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers HIGH:!aNULL:!MD5;
- proxy_ssl_verify off;
- '';
- serverName = "prox-3.local";
- serverAliases = [ "${inputs.secrets.work.prox-3.name}" ];
- locations."/".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_pass https://${inputs.secrets.work.prox-3.ip};
- '';
- };
-
-
 services.forgejo = {
 enable = true;
 settings = {