🚀 big update:
added logging to all nginx routes added loki, promtail to scrape nginx logs turned i2pd back on, updated my websites version upgraded all hosts to 24.05 forgejo added bigger limit to upload limit due to docker images privacy frontends: added priviblur libreddit -> redlib added biblioreads ddns-updater, changed credentials but there is a bug with porkbun added penpot brought back anonymousoverflow added readme privacy respecting frontends
This commit is contained in:
parent
b6107679d1
commit
9216cbbf62
258
flake.lock
258
flake.lock
|
@ -21,6 +21,22 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"backend": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1714162491,
|
||||
"narHash": "sha256-ncbQIX1XB2XL8lRrIyVzvloev/yuMAeT7O2S1sky1No=",
|
||||
"owner": "TeamPiped",
|
||||
"repo": "Piped-Backend",
|
||||
"rev": "d67e50b5b8aa1b44930574cf67a420f75a08d1e2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "TeamPiped",
|
||||
"repo": "Piped-Backend",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -61,6 +77,93 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1710146030,
|
||||
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_3": {
|
||||
"inputs": {
|
||||
"systems": "systems_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701680307,
|
||||
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_4": {
|
||||
"locked": {
|
||||
"lastModified": 1631561581,
|
||||
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"frontend": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1717236695,
|
||||
"narHash": "sha256-F/tWsF+StCKi+HQg1CtxVZNCOXG2o7ufhC2IezbSF2s=",
|
||||
"owner": "TeamPiped",
|
||||
"repo": "Piped",
|
||||
"rev": "f94d56c16540282266b94d33c5a865268e255a70",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "TeamPiped",
|
||||
"repo": "Piped",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"gradle2nix": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717114617,
|
||||
"narHash": "sha256-zYYnEIpJAST9tm7A58FG+XOuKEDnH8WUGKcXfsTCsoM=",
|
||||
"owner": "tadfisher",
|
||||
"repo": "gradle2nix",
|
||||
"rev": "a9353317959b7627a5754c6863e58231988f548a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "tadfisher",
|
||||
"ref": "v2",
|
||||
"repo": "gradle2nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"home-manager": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
|
@ -163,27 +266,142 @@
|
|||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1716633019,
|
||||
"narHash": "sha256-xim1b5/HZYbWaZKyI7cn9TJCM6ewNVZnesRr00mXeS4=",
|
||||
"lastModified": 1717144377,
|
||||
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9d29cd266cebf80234c98dd0b87256b6be0af44e",
|
||||
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-23.11",
|
||||
"ref": "nixos-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1716769173,
|
||||
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "9ca3f649614213b2aaf5f1e16ec06952fe4c2632",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1702151865,
|
||||
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-unstable",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"piped": {
|
||||
"inputs": {
|
||||
"backend": "backend",
|
||||
"frontend": "frontend",
|
||||
"gradle2nix": "gradle2nix",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"pnpm2nix": "pnpm2nix",
|
||||
"proxy": "proxy"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1717288685,
|
||||
"narHash": "sha256-yVKs0wx84eNn01TymHUxp+D2ayoHSNe2HfYwlqo2b2g=",
|
||||
"owner": "Defelo",
|
||||
"repo": "piped-nix",
|
||||
"rev": "12259e1f04e8f981fc0953b1500879de86ca3099",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Defelo",
|
||||
"repo": "piped-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"pnpm2nix": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_3",
|
||||
"nixpkgs": "nixpkgs_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1706694632,
|
||||
"narHash": "sha256-ytyTwNPiUR8aq74QlxFI+Wv3MyvXz5POO1xZxQIoi0c=",
|
||||
"owner": "nzbr",
|
||||
"repo": "pnpm2nix-nzbr",
|
||||
"rev": "0366b7344171accc2522525710e52a8abbf03579",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nzbr",
|
||||
"repo": "pnpm2nix-nzbr",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"proxy": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1717106863,
|
||||
"narHash": "sha256-N6F6PLg3e78NW/b/c+jI7skUyc9hyClc1MSDaNO8aCo=",
|
||||
"owner": "TeamPiped",
|
||||
"repo": "piped-proxy",
|
||||
"rev": "aad4375921bca890b927f6d4c50dcebd0b65cc2d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "TeamPiped",
|
||||
"repo": "piped-proxy",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"agenix": "agenix",
|
||||
"home-manager": "home-manager_2",
|
||||
"i2pd-exporter": "i2pd-exporter",
|
||||
"microvm": "microvm",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
"nixpkgs": "nixpkgs_2",
|
||||
"piped": "piped",
|
||||
"scribe": "scribe"
|
||||
}
|
||||
},
|
||||
"scribe": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_4",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708785571,
|
||||
"narHash": "sha256-s44+L6GSNHI4rBXiICyN64V1gT5WBIELNbR5R/2GH4A=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "8dda4233ac3a817ccf29c3da3a8b25ddcdffa8ce",
|
||||
"revCount": 137,
|
||||
"type": "git",
|
||||
"url": "https://git.sr.ht/~edwardloveall/scribe"
|
||||
},
|
||||
"original": {
|
||||
"type": "git",
|
||||
"url": "https://git.sr.ht/~edwardloveall/scribe"
|
||||
}
|
||||
},
|
||||
"spectrum": {
|
||||
|
@ -231,6 +449,36 @@
|
|||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_3": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems_4": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
|
|
17
flake.nix
17
flake.nix
|
@ -2,7 +2,7 @@
|
|||
description = "4o1x5 infrastructure/homelab";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
|
||||
home-manager = {
|
||||
url = "github:nix-community/home-manager/release-23.11";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
@ -12,6 +12,16 @@
|
|||
url = "git+https://git.4o1x5.dev/4o1x5/i2pd-exporter";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
piped = {
|
||||
url = "github:Defelo/piped-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
scribe = {
|
||||
url = "git+https://git.sr.ht/~edwardloveall/scribe";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
|
||||
microvm = {
|
||||
url = "github:astro/microvm.nix";
|
||||
|
@ -27,13 +37,14 @@
|
|||
, i2pd-exporter
|
||||
, microvm
|
||||
, agenix
|
||||
, scribe
|
||||
, piped
|
||||
}:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
in
|
||||
{
|
||||
nixosConfigurations = {
|
||||
|
||||
pink = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [
|
||||
|
@ -56,6 +67,8 @@
|
|||
./root.nix
|
||||
./secrets/carbon.nix
|
||||
agenix.nixosModules.default
|
||||
scribe.nixosModules.default
|
||||
piped.nixosModules.default
|
||||
home-manager.nixosModules.home-manager
|
||||
{
|
||||
home-manager.useGlobalPkgs = true;
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
{ pkgs, ... }: {
|
||||
#
|
||||
imports = [
|
||||
./hardware-configuration.nix
|
||||
|
||||
|
@ -13,7 +12,10 @@
|
|||
./services/routes/openproject.nix
|
||||
./services/routes/hydra.nix
|
||||
./services/routes/csengo.nix
|
||||
./services/routes/penpot.nix
|
||||
./services/routes/matrix.nix
|
||||
./services/routes/learningpulsedev.nix
|
||||
|
||||
|
||||
#./services/ai.nix
|
||||
|
||||
|
@ -25,7 +27,7 @@
|
|||
# privacy services
|
||||
|
||||
./services/privacy/libreddit.nix
|
||||
#./services/privacy/safetwitch.nix
|
||||
./services/privacy/safetwitch.nix
|
||||
#./services/privacy/piped.nix
|
||||
./services/privacy/breezewiki.nix
|
||||
./services/privacy/gothub.nix
|
||||
|
@ -38,12 +40,18 @@
|
|||
./services/privacy/libremdb.nix
|
||||
./services/privacy/librey.nix
|
||||
./services/privacy/dumb.nix
|
||||
./services/privacy/priviblur.nix
|
||||
#./services/privacy/biblioreads.nix
|
||||
#./services/privacy/proxitok.nix
|
||||
#./services/privacy/scribe.nix
|
||||
#./services/privacy/searxng.nix
|
||||
#./services/privacy/wikiless.nix
|
||||
|
||||
|
||||
# monitoring
|
||||
./services/monitoring/exporters/node.nix
|
||||
./services/monitoring/exporters/smartctl.nix
|
||||
./services/monitoring/promtail.nix
|
||||
];
|
||||
networking.hostName = "carbon";
|
||||
networking.domain = "4o1x5.dev";
|
||||
|
|
|
@ -26,6 +26,10 @@
|
|||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:3000";
|
||||
};
|
||||
extraConfig = ''
|
||||
client_max_body_size 8192M;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -38,13 +42,12 @@
|
|||
settings = {
|
||||
container = {
|
||||
# TODO fix: networking
|
||||
# instead of using host, create a subnet that cannot contat other server on my network to avoid being haxxed
|
||||
# instead of using host, create a subnet that cannot contact other server on my network to avoid being haxxed
|
||||
network = "host";
|
||||
};
|
||||
};
|
||||
labels = [
|
||||
"ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
|
||||
|
||||
];
|
||||
name = config.networking.domain;
|
||||
};
|
||||
|
|
|
@ -1,33 +1,46 @@
|
|||
{ pkgs, ... }: {
|
||||
{ pkgs, config, lib, ... }: {
|
||||
|
||||
|
||||
networking.firewall = {
|
||||
allowedTCPPorts = [ config.services.promtail.configuration.server.http_listen_port ];
|
||||
allowedUDPPorts = [ config.services.promtail.configuration.server.http_listen_port ];
|
||||
};
|
||||
|
||||
#$ var/ sudo setfacl -R -m u:promtail:rX log
|
||||
#$ sudo chown promtail:promtail /tmp/positions.yaml
|
||||
#$ sudo usermod -a -G systemd-journal promtail
|
||||
# makeshift permission since promtail by default has no permission to read /var
|
||||
|
||||
services.promtail = {
|
||||
enable = true;
|
||||
configuration =
|
||||
{
|
||||
server = {
|
||||
http_listen_port = 0;
|
||||
http_listen_port = 6177;
|
||||
grpc_listen_port = 0;
|
||||
log_level = "debug";
|
||||
};
|
||||
positions = {
|
||||
filename = "/tmp/positions.yaml";
|
||||
};
|
||||
|
||||
clients = [
|
||||
{ url = "https//32.54.31.99:3100/api/prom/push"; }
|
||||
{
|
||||
url = "http://32.54.31.99:3100/loki/api/v1/push";
|
||||
tenant_id = 1;
|
||||
}
|
||||
];
|
||||
|
||||
scrape_configs = [
|
||||
{
|
||||
job_name = "system";
|
||||
pipeline_stages = [
|
||||
{ replace = { expression = "(?:[0-9]{1,3}\\.){3}([0-9]{1,3})"; replace = "***"; }; }
|
||||
];
|
||||
job_name = "nginx";
|
||||
static_configs = [
|
||||
{
|
||||
targets = [ "localhost" ];
|
||||
labels = {
|
||||
job = "nginx_access_log";
|
||||
job = "nginx";
|
||||
host = "carbon";
|
||||
agent = "promtail";
|
||||
__path__ = "/var/log/nginx/json_access.log";
|
||||
__path__ = ''/var/log/nginx/*-access.log'';
|
||||
};
|
||||
}
|
||||
];
|
||||
|
@ -36,4 +49,3 @@
|
|||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -1,7 +1,79 @@
|
|||
{ pkgs, inputs, config, ... }:
|
||||
let
|
||||
# define logging format in json
|
||||
# https://grafana.com/grafana/dashboards/12559-loki-nginx-service-mesh-json-version/
|
||||
log_format = ''
|
||||
log_format json_analytics escape=json '{'
|
||||
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
|
||||
'"connection": "$connection", ' # connection serial number
|
||||
'"connection_requests": "$connection_requests", ' # number of requests made in connection
|
||||
'"pid": "$pid", ' # process pid
|
||||
'"request_id": "$request_id", ' # the unique request id
|
||||
'"request_length": "$request_length", ' # request length (including headers and body)
|
||||
'"remote_addr": "$remote_addr", ' # client IP
|
||||
'"remote_user": "$remote_user", ' # client HTTP username
|
||||
'"remote_port": "$remote_port", ' # client port
|
||||
'"time_local": "$time_local", '
|
||||
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
|
||||
'"request": "$request", ' # full path no arguments if the request
|
||||
'"request_uri": "$request_uri", ' # full path and arguments if the request
|
||||
'"args": "$args", ' # args
|
||||
'"status": "$status", ' # response status code
|
||||
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
|
||||
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
|
||||
'"http_referer": "$http_referer", ' # HTTP referer
|
||||
'"http_user_agent": "$http_user_agent", ' # user agent
|
||||
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
|
||||
'"http_host": "$http_host", ' # the request Host: header
|
||||
'"server_name": "$server_name", ' # the name of the vhost serving the request
|
||||
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
|
||||
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
|
||||
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
|
||||
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
|
||||
'"upstream_response_time": "$upstream_response_time", ' # time spend receiving upstream body
|
||||
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
|
||||
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
|
||||
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
|
||||
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
|
||||
'"scheme": "$scheme", ' # http or https
|
||||
'"request_method": "$request_method", ' # request method
|
||||
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
|
||||
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
|
||||
'"gzip_ratio": "$gzip_ratio", '
|
||||
'"http_cf_ray": "$http_cf_ray",'
|
||||
'"geoip_country_code": "$geoip2_data_country_code"'
|
||||
'}';
|
||||
|
||||
'';
|
||||
# geoip2 module to get countries from addresses
|
||||
geoip2 = ''
|
||||
geoip2 /etc/GeoLite2-Country.mmdb {
|
||||
auto_reload 5m;
|
||||
$geoip2_metadata_country_build metadata build_epoch;
|
||||
$geoip2_data_country_code default=US source=$remote_addr country iso_code;
|
||||
$geoip2_data_country_name country names en;
|
||||
}
|
||||
|
||||
geoip2 /etc/GeoLite2-City.mmdb {
|
||||
$geoip2_data_city_name default=London city names en;
|
||||
}
|
||||
|
||||
'';
|
||||
in
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
additionalModules = [ pkgs.nginxModules.geoip2 ];
|
||||
|
||||
# add logging to config
|
||||
commonHttpConfig = ''
|
||||
${geoip2}
|
||||
${log_format}
|
||||
'';
|
||||
|
||||
#access_log /var/log/nginx/json_access.log json_analytics;
|
||||
# ^^ adds logging to every host
|
||||
|
||||
virtualHosts = {
|
||||
|
||||
"www.${config.networking.domain}" = {
|
||||
|
@ -11,6 +83,10 @@
|
|||
locations."/" = {
|
||||
root = pkgs.callPackage ../services/website/default.nix { };
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
|
||||
"${config.networking.domain}" = {
|
||||
|
@ -20,12 +96,14 @@
|
|||
locations."/" = {
|
||||
root = pkgs.callPackage ../services/website/default.nix { };
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
error_page 404 /404.html;
|
||||
deny 3.1.202.244;
|
||||
deny 170.64.219.93;
|
||||
deny 91.215.85.43;
|
||||
client_max_body_size 900M;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -8,8 +8,8 @@
|
|||
"7344:8080"
|
||||
];
|
||||
environment = {
|
||||
APP_URL = "https://.anonymousoverflow.4o1x5.dev";
|
||||
# TODO add JTW_SIGNING_KEY to work
|
||||
APP_URL = "https://anonymousoverflow.4o1x5.dev";
|
||||
JWT_SIGNING_SECRET = "${config.age.secrets.anonymousoverflow.path}";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -21,6 +21,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:7344";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -10,9 +10,9 @@
|
|||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
|
||||
"biblioreads.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
|
|
@ -16,6 +16,13 @@
|
|||
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:7382";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
rewrite ^/www.pinterest.com$ http://binternet.${config.networking.domain}/ permanent;
|
||||
rewrite ^/pinterest.com$ http://binternet.${config.networking.domain}/ permanent;
|
||||
'';
|
||||
# ^^^ libreddirect for some reason forgets to delete the pinterest domain
|
||||
# fixing this bug
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -17,6 +17,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:1584";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -17,6 +17,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:8332";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -29,6 +29,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:4032";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,21 +1,24 @@
|
|||
{ pkgs, config, ... }: {
|
||||
|
||||
|
||||
# todo redlib instead of libreddit
|
||||
services.libreddit = {
|
||||
enable = true;
|
||||
address = "127.0.0.1";
|
||||
port = 3672;
|
||||
package = pkgs.redlib;
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
# Privacy services
|
||||
"libreddit.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:3672";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -26,6 +26,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:7345";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -36,6 +36,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:3345";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -8,26 +8,11 @@
|
|||
backend = {
|
||||
port = 5632;
|
||||
database = {
|
||||
# TODO fix
|
||||
#TODO SECRET
|
||||
host = "127.0.0.1";
|
||||
username = "piped-backend";
|
||||
passwordFile = ./piped;
|
||||
database = "piped-backend";
|
||||
passwordFile = config.age.secrets.piped.path;
|
||||
|
||||
createLocally = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
enableTCPIP = true;
|
||||
ensureDatabases = [ "piped-backend" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "piped-backend";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs, config, ... }: {
|
||||
|
||||
virtualisation.oci-containers.containers = {
|
||||
|
||||
# todo fix, requires a config file....
|
||||
priviblur = {
|
||||
image = "quay.io/pussthecatorg/priviblur:latest";
|
||||
ports = [
|
||||
|
@ -11,7 +11,6 @@
|
|||
};
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
|
||||
"priviblur.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
@ -24,5 +23,4 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Auto-generated using compose2nix v0.2.0-pre.
|
||||
{ pkgs, lib, ... }:
|
||||
{ pkgs, lib, config, ... }:
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
|
@ -61,7 +61,7 @@
|
|||
};
|
||||
systemd.services."podman-proxitok-signer" = {
|
||||
serviceConfig = {
|
||||
Restart = lib.mkOverride 500 "\"no\"";
|
||||
Restart = lib.mkOverride 500 "no";
|
||||
};
|
||||
after = [
|
||||
"podman-network-docker-compose_proxitok.service"
|
||||
|
@ -86,6 +86,7 @@
|
|||
LATTE_CACHE = "/cache";
|
||||
REDIS_HOST = "proxitok-redis";
|
||||
REDIS_PORT = "6379";
|
||||
APP_URL = "https://proxitok.${config.networking.domain}";
|
||||
};
|
||||
volumes = [
|
||||
"proxitok-cache:/cache:rw"
|
||||
|
@ -108,9 +109,10 @@
|
|||
"--security-opt=no-new-privileges:true"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services."podman-proxitok-web" = {
|
||||
serviceConfig = {
|
||||
Restart = lib.mkOverride 500 "\"no\"";
|
||||
Restart = lib.mkOverride 500 "no";
|
||||
};
|
||||
after = [
|
||||
"podman-network-docker-compose_proxitok.service"
|
||||
|
|
|
@ -34,6 +34,9 @@
|
|||
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:2355";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -29,7 +29,7 @@
|
|||
# Request URL
|
||||
PRIVACY_URL = "true";
|
||||
# Device Type (User agent)
|
||||
PRIVACY_DEVICE = "false";
|
||||
PRIVACY_DEVICE = "true";
|
||||
|
||||
PRIVACY_DIAGNOSTICS = "false";
|
||||
};
|
||||
|
@ -44,6 +44,9 @@
|
|||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:4312";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
{ pkgs, config, ... }:
|
||||
{
|
||||
virtualisation.oci-containers.containers = {
|
||||
# TODO fix routing
|
||||
|
||||
safe-twitch-frontend = {
|
||||
image = "codeberg.org/safetwitch/safetwitch:latest";
|
||||
ports = [
|
||||
|
@ -22,7 +20,7 @@
|
|||
"7100:7100"
|
||||
];
|
||||
environment = {
|
||||
URL = "sf.${config.networking.domain}";
|
||||
URL = "https://sf.${config.networking.domain}";
|
||||
PORT = "7100";
|
||||
};
|
||||
};
|
||||
|
@ -30,26 +28,27 @@
|
|||
services.nginx = {
|
||||
|
||||
virtualHosts = {
|
||||
"safetwitch.${config.networking.domain}" =
|
||||
{
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:8280";
|
||||
};
|
||||
};
|
||||
"sf.${config.networking.domain}" = {
|
||||
"safetwitch.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:7100";
|
||||
proxyPass = " http://127.0.0.1:8280";
|
||||
};
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
"sf.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:7100";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -5,10 +5,12 @@
|
|||
enable = true;
|
||||
appDomain = "scribe.${config.networking.domain}";
|
||||
port = 7283;
|
||||
# TODO fix since it's readable by nix store...
|
||||
|
||||
# TODO , systemd doesnt like this, neither does it actually include the secrets
|
||||
environmentFile = ''
|
||||
GITHUB_PERSONAL_ACCESS_TOKEN= ${builtins.readFile config.age.secrets.github-token.path}
|
||||
GITHUB_USERNAME= ${builtins.readFile config.age.secrets.github-username.path}
|
||||
GITHUB_PERSONAL_ACCESS_TOKEN=${config.age.secrets.github-token.path}
|
||||
GITHUB_USERNAME=${config.age.secrets.github-username.path}
|
||||
SECRET_KEY_BASE=${config.age.secrets.scribe-secret.path}
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
{ pkgs, config, ... }: {
|
||||
|
||||
# TODO rework the whole thing
|
||||
virtualisation.oci-containers.containers = {
|
||||
|
||||
searxng = {
|
||||
|
@ -7,11 +7,6 @@
|
|||
ports = [
|
||||
"3345:3000"
|
||||
];
|
||||
# TODO implement limiter
|
||||
#volumes = [
|
||||
# "/home/carbon/searxng.yml:/etc/searxng:rw"
|
||||
#];
|
||||
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -1,118 +0,0 @@
|
|||
# Auto-generated using compose2nix v0.2.0-pre.
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
"wikiless.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://127.0.0.1:8180";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Containers
|
||||
virtualisation.oci-containers.containers."wikiless" = {
|
||||
image = "ghcr.io/metastem/wikiless:latest";
|
||||
environment = {
|
||||
REDIS_HOST = "redis://172.4.0.5:6379";
|
||||
};
|
||||
ports = [
|
||||
"127.0.0.1:8180:8080/tcp"
|
||||
];
|
||||
dependsOn = [
|
||||
"wikiless_redis"
|
||||
];
|
||||
log-driver = "journald";
|
||||
extraOptions = [
|
||||
"--cap-drop=ALL"
|
||||
"--hostname=wikiless"
|
||||
"--ip=172.4.0.6"
|
||||
"--network-alias=wikiless"
|
||||
"--network=docker-compose_wikiless_net"
|
||||
"--security-opt=no-new-privileges:true"
|
||||
];
|
||||
};
|
||||
systemd.services."podman-wikiless" = {
|
||||
serviceConfig = {
|
||||
Restart = lib.mkOverride 500 "always";
|
||||
};
|
||||
after = [
|
||||
"podman-network-docker-compose_wikiless_net.service"
|
||||
];
|
||||
requires = [
|
||||
"podman-network-docker-compose_wikiless_net.service"
|
||||
];
|
||||
partOf = [
|
||||
"podman-compose-docker-compose-root.target"
|
||||
];
|
||||
wantedBy = [
|
||||
"podman-compose-docker-compose-root.target"
|
||||
];
|
||||
};
|
||||
virtualisation.oci-containers.containers."wikiless_redis" = {
|
||||
image = "redis:latest";
|
||||
user = "nobody";
|
||||
log-driver = "journald";
|
||||
extraOptions = [
|
||||
"--cap-add=DAC_OVERRIDE"
|
||||
"--cap-add=SETGID"
|
||||
"--cap-add=SETUID"
|
||||
"--cap-drop=ALL"
|
||||
"--hostname=wikiless_redis"
|
||||
"--ip=172.4.0.5"
|
||||
"--network-alias=wikiless_redis"
|
||||
"--network=docker-compose_wikiless_net"
|
||||
"--security-opt=no-new-privileges:true"
|
||||
];
|
||||
};
|
||||
systemd.services."podman-wikiless_redis" = {
|
||||
serviceConfig = {
|
||||
Restart = lib.mkOverride 500 "always";
|
||||
};
|
||||
after = [
|
||||
"podman-network-docker-compose_wikiless_net.service"
|
||||
];
|
||||
requires = [
|
||||
"podman-network-docker-compose_wikiless_net.service"
|
||||
];
|
||||
partOf = [
|
||||
"podman-compose-docker-compose-root.target"
|
||||
];
|
||||
wantedBy = [
|
||||
"podman-compose-docker-compose-root.target"
|
||||
];
|
||||
};
|
||||
|
||||
# Networks
|
||||
systemd.services."podman-network-docker-compose_wikiless_net" = {
|
||||
path = [ pkgs.podman ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
ExecStop = "${pkgs.podman}/bin/podman network rm -f docker-compose_wikiless_net";
|
||||
};
|
||||
script = ''
|
||||
podman network inspect docker-compose_wikiless_net || podman network create docker-compose_wikiless_net --subnet=172.4.0.0/16
|
||||
'';
|
||||
partOf = [ "podman-compose-docker-compose-root.target" ];
|
||||
wantedBy = [ "podman-compose-docker-compose-root.target" ];
|
||||
};
|
||||
|
||||
# Root service
|
||||
# When started, this will automatically create all resources and start
|
||||
# the containers. When stopped, this will teardown all resources.
|
||||
systemd.targets."podman-compose-docker-compose-root" = {
|
||||
unitConfig = {
|
||||
Description = "Root target generated by compose2nix.";
|
||||
};
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
};
|
||||
}
|
||||
|
|
@ -13,6 +13,7 @@
|
|||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
|
||||
|
|
|
@ -14,6 +14,7 @@
|
|||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -2,22 +2,36 @@
|
|||
|
||||
services.nginx = {
|
||||
virtualHosts = {
|
||||
"lpdev.${config.networking.domain}" =
|
||||
{
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://32.54.31.99:8181";
|
||||
};
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
'';
|
||||
"lpdev.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://32.54.31.99:8181";
|
||||
};
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
"lpdev-eureka.${config.networking.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = " http://32.54.31.99:8761";
|
||||
};
|
||||
extraConfig = ''
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
|
|
|
@ -24,6 +24,7 @@ in
|
|||
};
|
||||
extraConfig = ''
|
||||
client_max_body_size 9000M;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
"${fqdn}" = {
|
||||
|
@ -33,6 +34,7 @@ in
|
|||
locations."/_matrix".proxyPass = "http://32.54.31.241:8008";
|
||||
locations."/_synapse".proxyPass = "http://32.54.31.241:8008";
|
||||
locations."= /.well-known/matrix/client" .extraConfig = mkWellKnown clientConfig;
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -13,6 +13,7 @@
|
|||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
access_log /var/log/nginx/$server_name-access.log json_analytics;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
pkgs.stdenv.mkDerivation rec {
|
||||
name = "website";
|
||||
version = "0.1.25";
|
||||
version = "0.1.29";
|
||||
src = /home/grape/code/4o1x5/website;
|
||||
|
||||
buildInputs = [ pkgs.hugo ];
|
||||
|