🚀 big update:

added logging to all nginx routes
added loki, promtail to scrape nginx logs
turned i2pd back on,
updated my websites version
upgraded all hosts to 24.05
forgejo: raised the upload size limit so docker images can be pushed
privacy frontends:
    added priviblur
    libreddit -> redlib
    added biblioreads

ddns-updater, changed credentials but there is a bug with porkbun
added penpot
brought back anonymousoverflow
added readme privacy respecting frontends
This commit is contained in:
Barna Máté 2024-06-03 02:06:02 +02:00
parent b6107679d1
commit 9216cbbf62
44 changed files with 610 additions and 374 deletions


@ -21,6 +21,22 @@
"type": "github"
}
},
"backend": {
"flake": false,
"locked": {
"lastModified": 1714162491,
"narHash": "sha256-ncbQIX1XB2XL8lRrIyVzvloev/yuMAeT7O2S1sky1No=",
"owner": "TeamPiped",
"repo": "Piped-Backend",
"rev": "d67e50b5b8aa1b44930574cf67a420f75a08d1e2",
"type": "github"
},
"original": {
"owner": "TeamPiped",
"repo": "Piped-Backend",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
@ -61,6 +77,93 @@
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1631561581,
"narHash": "sha256-3VQMV5zvxaVLvqqUrNz3iJelLw30mIVSfZmAaauM3dA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "7e5bf3925f6fbdfaf50a2a7ca0be2879c4261d19",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"frontend": {
"flake": false,
"locked": {
"lastModified": 1717236695,
"narHash": "sha256-F/tWsF+StCKi+HQg1CtxVZNCOXG2o7ufhC2IezbSF2s=",
"owner": "TeamPiped",
"repo": "Piped",
"rev": "f94d56c16540282266b94d33c5a865268e255a70",
"type": "github"
},
"original": {
"owner": "TeamPiped",
"repo": "Piped",
"type": "github"
}
},
"gradle2nix": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1717114617,
"narHash": "sha256-zYYnEIpJAST9tm7A58FG+XOuKEDnH8WUGKcXfsTCsoM=",
"owner": "tadfisher",
"repo": "gradle2nix",
"rev": "a9353317959b7627a5754c6863e58231988f548a",
"type": "github"
},
"original": {
"owner": "tadfisher",
"ref": "v2",
"repo": "gradle2nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -163,27 +266,142 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1716633019,
"narHash": "sha256-xim1b5/HZYbWaZKyI7cn9TJCM6ewNVZnesRr00mXeS4=",
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9d29cd266cebf80234c98dd0b87256b6be0af44e",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1716769173,
"narHash": "sha256-7EXDb5WBw+d004Agt+JHC/Oyh/KTUglOaQ4MNjBbo5w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9ca3f649614213b2aaf5f1e16ec06952fe4c2632",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"piped": {
"inputs": {
"backend": "backend",
"frontend": "frontend",
"gradle2nix": "gradle2nix",
"nixpkgs": [
"nixpkgs"
],
"pnpm2nix": "pnpm2nix",
"proxy": "proxy"
},
"locked": {
"lastModified": 1717288685,
"narHash": "sha256-yVKs0wx84eNn01TymHUxp+D2ayoHSNe2HfYwlqo2b2g=",
"owner": "Defelo",
"repo": "piped-nix",
"rev": "12259e1f04e8f981fc0953b1500879de86ca3099",
"type": "github"
},
"original": {
"owner": "Defelo",
"repo": "piped-nix",
"type": "github"
}
},
"pnpm2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1706694632,
"narHash": "sha256-ytyTwNPiUR8aq74QlxFI+Wv3MyvXz5POO1xZxQIoi0c=",
"owner": "nzbr",
"repo": "pnpm2nix-nzbr",
"rev": "0366b7344171accc2522525710e52a8abbf03579",
"type": "github"
},
"original": {
"owner": "nzbr",
"repo": "pnpm2nix-nzbr",
"type": "github"
}
},
"proxy": {
"flake": false,
"locked": {
"lastModified": 1717106863,
"narHash": "sha256-N6F6PLg3e78NW/b/c+jI7skUyc9hyClc1MSDaNO8aCo=",
"owner": "TeamPiped",
"repo": "piped-proxy",
"rev": "aad4375921bca890b927f6d4c50dcebd0b65cc2d",
"type": "github"
},
"original": {
"owner": "TeamPiped",
"repo": "piped-proxy",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"home-manager": "home-manager_2",
"i2pd-exporter": "i2pd-exporter",
"microvm": "microvm",
"nixpkgs": "nixpkgs_2"
"nixpkgs": "nixpkgs_2",
"piped": "piped",
"scribe": "scribe"
}
},
"scribe": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1708785571,
"narHash": "sha256-s44+L6GSNHI4rBXiICyN64V1gT5WBIELNbR5R/2GH4A=",
"ref": "refs/heads/main",
"rev": "8dda4233ac3a817ccf29c3da3a8b25ddcdffa8ce",
"revCount": 137,
"type": "git",
"url": "https://git.sr.ht/~edwardloveall/scribe"
},
"original": {
"type": "git",
"url": "https://git.sr.ht/~edwardloveall/scribe"
}
},
"spectrum": {
@ -231,6 +449,36 @@
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -2,7 +2,7 @@
description = "4o1x5 infrastructure/homelab";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
home-manager = {
url = "github:nix-community/home-manager/release-23.11";
inputs.nixpkgs.follows = "nixpkgs";
@ -12,6 +12,16 @@
url = "git+https://git.4o1x5.dev/4o1x5/i2pd-exporter";
inputs.nixpkgs.follows = "nixpkgs";
};
piped = {
url = "github:Defelo/piped-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
scribe = {
url = "git+https://git.sr.ht/~edwardloveall/scribe";
inputs.nixpkgs.follows = "nixpkgs";
};
microvm = {
url = "github:astro/microvm.nix";
@ -27,13 +37,14 @@
, i2pd-exporter
, microvm
, agenix
, scribe
, piped
}:
let
system = "x86_64-linux";
in
{
nixosConfigurations = {
pink = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
@ -56,6 +67,8 @@
./root.nix
./secrets/carbon.nix
agenix.nixosModules.default
scribe.nixosModules.default
piped.nixosModules.default
home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
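Review bot: `nixpkgs.url` moves to `nixos-24.05` while `home-manager` two lines below stays on `release-23.11`, and since `inputs.nixpkgs.follows = "nixpkgs"` it will now evaluate a 23.11 home-manager against 24.05 modules; home-manager emits a version-mismatch warning for exactly this and option renames between the releases can break at activation. The matching bump is `url = "github:nix-community/home-manager/release-24.05";` followed by a lock update. The new `piped` and `scribe` inputs both follow the root nixpkgs, which is consistent with the lock file in this commit.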


@ -1,5 +1,4 @@
{ pkgs, ... }: {
#
imports = [
./hardware-configuration.nix
@ -13,7 +12,10 @@
./services/routes/openproject.nix
./services/routes/hydra.nix
./services/routes/csengo.nix
./services/routes/penpot.nix
./services/routes/matrix.nix
./services/routes/learningpulsedev.nix
#./services/ai.nix
@ -25,7 +27,7 @@
# privacy services
./services/privacy/libreddit.nix
#./services/privacy/safetwitch.nix
./services/privacy/safetwitch.nix
#./services/privacy/piped.nix
./services/privacy/breezewiki.nix
./services/privacy/gothub.nix
@ -38,12 +40,18 @@
./services/privacy/libremdb.nix
./services/privacy/librey.nix
./services/privacy/dumb.nix
./services/privacy/priviblur.nix
#./services/privacy/biblioreads.nix
#./services/privacy/proxitok.nix
#./services/privacy/scribe.nix
#./services/privacy/searxng.nix
#./services/privacy/wikiless.nix
# monitoring
./services/monitoring/exporters/node.nix
./services/monitoring/exporters/smartctl.nix
./services/monitoring/promtail.nix
];
networking.hostName = "carbon";
networking.domain = "4o1x5.dev";
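Review bot: `#./services/privacy/biblioreads.nix` is still commented out although the commit message lists biblioreads as added, and `#./services/privacy/piped.nix` stays commented even though piped.nix is reworked in this commit and `piped.nixosModules.default` is now wired in flake.nix, so that configuration is presumably never evaluated on carbon. If both are intentionally parked, a one-line reason next to each (`# biblioreads: not enabled until the container config is finished`) would save the next reader the search; if not, the two `#` should come off. Which of these lines are additions versus context cannot be told from the rendered page, so this is raised on the new side as it stands.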


@ -26,6 +26,10 @@
locations."/" = {
proxyPass = " http://127.0.0.1:3000";
};
extraConfig = ''
client_max_body_size 8192M;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
@ -38,13 +42,12 @@
settings = {
container = {
# TODO fix: networking
# instead of using host, create a subnet that cannot contat other server on my network to avoid being haxxed
# instead of using host, create a subnet that cannot contact other server on my network to avoid being haxxed
network = "host";
};
};
labels = [
"ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
];
name = config.networking.domain;
};
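Review bot: `client_max_body_size 8192M;` sits in the server-level `extraConfig`, so the 8 GiB body allowance applies to every path on the forgejo vhost, not just the container-registry pushes that motivated it; scoping it to the registry API prefix (a `locations."~ ^/v2/"` entry carrying the same `proxyPass` plus this directive) keeps the web UI and token endpoints at the default limit. A size limit alone does not bound how long a slow upload may hold a worker, so a `client_body_timeout` alongside it is worth considering. The runner still uses `network = "host"`, which the corrected comment on the line below already flags as open.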


@ -1,33 +1,46 @@
{ pkgs, ... }: {
{ pkgs, config, lib, ... }: {
networking.firewall = {
allowedTCPPorts = [ config.services.promtail.configuration.server.http_listen_port ];
allowedUDPPorts = [ config.services.promtail.configuration.server.http_listen_port ];
};
#$ var/ sudo setfacl -R -m u:promtail:rX log
#$ sudo chown promtail:promtail /tmp/positions.yaml
#$ sudo usermod -a -G systemd-journal promtail
# makeshift permission since promtail by default has no permission to read /var
services.promtail = {
enable = true;
configuration =
{
server = {
http_listen_port = 0;
http_listen_port = 6177;
grpc_listen_port = 0;
log_level = "debug";
};
positions = {
filename = "/tmp/positions.yaml";
};
clients = [
{ url = "https//32.54.31.99:3100/api/prom/push"; }
{
url = "http://32.54.31.99:3100/loki/api/v1/push";
tenant_id = 1;
}
];
scrape_configs = [
{
job_name = "system";
pipeline_stages = [
{ replace = { expression = "(?:[0-9]{1,3}\\.){3}([0-9]{1,3})"; replace = "***"; }; }
];
job_name = "nginx";
static_configs = [
{
targets = [ "localhost" ];
labels = {
job = "nginx_access_log";
job = "nginx";
host = "carbon";
agent = "promtail";
__path__ = "/var/log/nginx/json_access.log";
__path__ = ''/var/log/nginx/*-access.log'';
};
}
];
@ -36,4 +49,3 @@
};
};
}
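Review bot: `allowedTCPPorts` and `allowedUDPPorts` both open `http_listen_port` (6177) on every interface, but promtail's server is HTTP over TCP only, so the UDP rule is dead and the TCP rule exposes the agent's own API (`/metrics`, `/ready`, `/targets`, among others) to the network; pushing to Loki needs no inbound port at all, and if the port is meant for scraping `/metrics`, `server.http_listen_address = "127.0.0.1"` or a source-restricted rule is the safer shape. `positions.filename = "/tmp/positions.yaml"` keeps state in a world-writable, non-persistent directory (the `chown` in the comment above has to be redone after each reboot and the file is re-ingested from scratch); a path under the unit's own directory, e.g. `/var/cache/promtail/positions.yaml` if the service has a `CacheDirectory` as the NixOS module's example suggests — confirm — avoids both the squatting risk and the re-ingest. `log_level = "debug"` reads like a leftover from bringing the job up. The push `url` is plain `http://` with only a `tenant_id`, so the nginx JSON lines, which carry `remote_addr` and `http_x_forwarded_for`, cross to 32.54.31.99 unencrypted and unauthenticated; whether that is acceptable depends on what sits between the two hosts, which the hunk does not show.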


@ -1,7 +1,79 @@
{ pkgs, inputs, config, ... }:
let
# define logging format in json
# https://grafana.com/grafana/dashboards/12559-loki-nginx-service-mesh-json-version/
log_format = ''
log_format json_analytics escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"pid": "$pid", ' # process pid
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"remote_port": "$remote_port", ' # client port
'"time_local": "$time_local", '
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"request": "$request", ' # full path no arguments if the request
'"request_uri": "$request_uri", ' # full path and arguments if the request
'"args": "$args", ' # args
'"status": "$status", ' # response status code
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"http_host": "$http_host", ' # the request Host: header
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spend receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"request_method": "$request_method", ' # request method
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio", '
'"http_cf_ray": "$http_cf_ray",'
'"geoip_country_code": "$geoip2_data_country_code"'
'}';
'';
# geoip2 module to get countries from addresses
geoip2 = ''
geoip2 /etc/GeoLite2-Country.mmdb {
auto_reload 5m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code default=US source=$remote_addr country iso_code;
$geoip2_data_country_name country names en;
}
geoip2 /etc/GeoLite2-City.mmdb {
$geoip2_data_city_name default=London city names en;
}
'';
in
{
services.nginx = {
enable = true;
additionalModules = [ pkgs.nginxModules.geoip2 ];
# add logging to config
commonHttpConfig = ''
${geoip2}
${log_format}
'';
#access_log /var/log/nginx/json_access.log json_analytics;
# ^^ adds logging to every host
virtualHosts = {
"www.${config.networking.domain}" = {
@ -11,6 +83,10 @@
locations."/" = {
root = pkgs.callPackage ../services/website/default.nix { };
};
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
"${config.networking.domain}" = {
@ -20,12 +96,14 @@
locations."/" = {
root = pkgs.callPackage ../services/website/default.nix { };
};
extraConfig = ''
error_page 404 /404.html;
deny 3.1.202.244;
deny 170.64.219.93;
deny 91.215.85.43;
client_max_body_size 900M;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
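Review bot: `$geoip2_data_country_code default=US source=$remote_addr country iso_code;` makes every address the database cannot resolve (private ranges, new allocations, the `deny`-listed probes) log as `US`, so `geoip_country_code` cannot distinguish unknown from United States; a user-assigned sentinel such as `default=XX` keeps the field honest. `$geoip2_data_city_name`, `$geoip2_data_country_name` and `$geoip2_metadata_country_build` are declared but never referenced in `log_format`, so the City database load is dead configuration. Both `.mmdb` paths must exist when nginx starts or the config test fails, and nothing in this commit provisions `/etc/GeoLite2-Country.mmdb`, so a comment stating where it comes from would help. Given this host fronts privacy services, note that the format ships `remote_addr`, `http_x_forwarded_for`, `remote_user` and `args` verbatim; truncating the address via a `map` or documenting a retention period for `/var/log/nginx/*-access.log` would match the rest of the setup. The commented http-level `access_log` (`# ^^ adds logging to every host`) would also replace the identical `access_log … json_analytics;` line this commit repeats in every vhost, since `$server_name` already splits the file per host.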


@ -8,8 +8,8 @@
"7344:8080"
];
environment = {
APP_URL = "https://.anonymousoverflow.4o1x5.dev";
# TODO add JTW_SIGNING_KEY to work
APP_URL = "https://anonymousoverflow.4o1x5.dev";
JWT_SIGNING_SECRET = "${config.age.secrets.anonymousoverflow.path}";
};
};
};
@ -21,6 +21,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7344";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
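Review bot: `JWT_SIGNING_SECRET = "${config.age.secrets.anonymousoverflow.path}"` interpolates the path of the agenix secret, so the container receives the location string of the decrypted file (something like `/run/agenix/anonymousoverflow`) as its signing key, a fixed, guessable value rather than the secret itself; an `environment` entry cannot read a file at runtime. Point the container at the file instead, `environmentFiles = [ config.age.secrets.anonymousoverflow.path ];`, with the secret's plaintext stored as `JWT_SIGNING_SECRET=<value>`. The same path-as-value pattern appears in scribe.nix's `environmentFile` in this commit.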


@ -10,9 +10,9 @@
];
};
};
services.nginx = {
virtualHosts = {
"biblioreads.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;


@ -16,6 +16,13 @@
locations."/" = {
proxyPass = " http://127.0.0.1:7382";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
rewrite ^/www.pinterest.com$ http://binternet.${config.networking.domain}/ permanent;
rewrite ^/pinterest.com$ http://binternet.${config.networking.domain}/ permanent;
'';
# ^^^ libreddirect for some reason forgets to delete the pinterest domain
# fixing this bug
};
};
};
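Review bot: both `rewrite` targets use `http://binternet.${config.networking.domain}/`, a plaintext scheme on a site that, like its siblings in this commit, presumably forces SSL, so a browser following the 301 lands on `http://`, takes a second redirect to `https://`, and the first hop is interceptable; use `rewrite ^/www\.pinterest\.com$ https://binternet.${config.networking.domain}/ permanent;` and the same for the bare domain. The unescaped `.` in the patterns is harmless here but `\.` says what is meant. The vhost header is outside the hunk, so whether `forceSSL` is set is inferred from the surrounding files.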


@ -17,6 +17,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:1584";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -17,6 +17,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:8332";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -29,6 +29,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:4032";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -1,21 +1,24 @@
{ pkgs, config, ... }: {
# todo redlib instead of libreddit
services.libreddit = {
enable = true;
address = "127.0.0.1";
port = 3672;
package = pkgs.redlib;
};
services.nginx = {
virtualHosts = {
# Privacy services
"libreddit.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:3672";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
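Review bot: `# todo redlib instead of libreddit` at the top is now stale, since `package = pkgs.redlib;` does exactly that; either drop it or record the deliberate leftovers, e.g. `# runs redlib; the service name and libreddit. hostname are kept so existing links keep working`. If a `redlib.` name is wanted as well, `serverAliases` on the vhost adds it without breaking the old one.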


@ -26,6 +26,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7345";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -36,6 +36,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:3345";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -8,26 +8,11 @@
backend = {
port = 5632;
database = {
# TODO fix
#TODO SECRET
host = "127.0.0.1";
username = "piped-backend";
passwordFile = ./piped;
database = "piped-backend";
passwordFile = config.age.secrets.piped.path;
createLocally = false;
};
};
};
services.postgresql = {
enable = true;
enableTCPIP = true;
ensureDatabases = [ "piped-backend" ];
ensureUsers = [
{
name = "piped-backend";
ensureDBOwnership = true;
}
];
};
}
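Review bot: `createLocally = false;` together with the removed `services.postgresql` block (`ensureDatabases`/`ensureUsers`) leaves nothing in this file that creates the `piped-backend` role and database on `127.0.0.1`, so unless that provisioning moved to another module the backend will fail to connect at first start; if the module's `createLocally = true` does what its name suggests, it would restore the database without the hand-rolled block. Note also that `./services/privacy/piped.nix` is still commented out in carbon's import list in this commit, so this file may not be evaluated at all. The move to `passwordFile = config.age.secrets.piped.path;` from the in-repo `./piped` file is the right shape for the secret.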


@ -1,7 +1,7 @@
{ pkgs, config, ... }: {
virtualisation.oci-containers.containers = {
# todo fix, requires a config file....
priviblur = {
image = "quay.io/pussthecatorg/priviblur:latest";
ports = [
@ -11,7 +11,6 @@
};
services.nginx = {
virtualHosts = {
"priviblur.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
@ -24,5 +23,4 @@
};
};
};
}


@ -1,5 +1,5 @@
# Auto-generated using compose2nix v0.2.0-pre.
{ pkgs, lib, ... }:
{ pkgs, lib, config, ... }:
{
services.nginx = {
@ -61,7 +61,7 @@
};
systemd.services."podman-proxitok-signer" = {
serviceConfig = {
Restart = lib.mkOverride 500 "\"no\"";
Restart = lib.mkOverride 500 "no";
};
after = [
"podman-network-docker-compose_proxitok.service"
@ -86,6 +86,7 @@
LATTE_CACHE = "/cache";
REDIS_HOST = "proxitok-redis";
REDIS_PORT = "6379";
APP_URL = "https://proxitok.${config.networking.domain}";
};
volumes = [
"proxitok-cache:/cache:rw"
@ -108,9 +109,10 @@
"--security-opt=no-new-privileges:true"
];
};
systemd.services."podman-proxitok-web" = {
serviceConfig = {
Restart = lib.mkOverride 500 "\"no\"";
Restart = lib.mkOverride 500 "no";
};
after = [
"podman-network-docker-compose_proxitok.service"


@ -34,6 +34,9 @@
locations."/" = {
proxyPass = " http://127.0.0.1:2355";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -29,7 +29,7 @@
# Request URL
PRIVACY_URL = "true";
# Device Type (User agent)
PRIVACY_DEVICE = "false";
PRIVACY_DEVICE = "true";
PRIVACY_DIAGNOSTICS = "false";
};
@ -44,6 +44,9 @@
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:4312";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};


@ -1,8 +1,6 @@
{ pkgs, config, ... }:
{
virtualisation.oci-containers.containers = {
# TODO fix routing
safe-twitch-frontend = {
image = "codeberg.org/safetwitch/safetwitch:latest";
ports = [
@ -22,7 +20,7 @@
"7100:7100"
];
environment = {
URL = "sf.${config.networking.domain}";
URL = "https://sf.${config.networking.domain}";
PORT = "7100";
};
};
@ -30,26 +28,27 @@
services.nginx = {
virtualHosts = {
"safetwitch.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:8280";
};
};
"sf.${config.networking.domain}" = {
"safetwitch.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7100";
proxyPass = " http://127.0.0.1:8280";
};
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
"sf.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:7100";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
};
}


@ -5,10 +5,12 @@
enable = true;
appDomain = "scribe.${config.networking.domain}";
port = 7283;
# TODO fix since it's readable by nix store...
# TODO , systemd doesnt like this, neither does it actually include the secrets
environmentFile = ''
GITHUB_PERSONAL_ACCESS_TOKEN= ${builtins.readFile config.age.secrets.github-token.path}
GITHUB_USERNAME= ${builtins.readFile config.age.secrets.github-username.path}
GITHUB_PERSONAL_ACCESS_TOKEN=${config.age.secrets.github-token.path}
GITHUB_USERNAME=${config.age.secrets.github-username.path}
SECRET_KEY_BASE=${config.age.secrets.scribe-secret.path}
'';
};
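Review bot: `environmentFile` is given a multi-line string of `KEY=${config.age.secrets.….path}` pairs, which is two problems at once: the value is inline content where, by the option's name and the `# TODO , systemd doesnt like this` above, a file path is expected, and each `${…path}` expands to the secret's location (`/run/agenix/…`) rather than its contents, so even if the string were accepted the token would be the path. The fix is one agenix secret holding the whole env file (`GITHUB_PERSONAL_ACCESS_TOKEN=…`, `GITHUB_USERNAME=…`, `SECRET_KEY_BASE=…` as lines) and `environmentFile = config.age.secrets.scribe-env.path;` — `scribe-env` is a constructed name, pick whatever fits the secrets layout. That also closes the previous version's concern about the nix store, since no secret is evaluated into the derivation any more. The option's exact type belongs to the scribe module, which is outside this page, so confirm it takes a path.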


@ -1,5 +1,5 @@
{ pkgs, config, ... }: {
# TODO rework the whole thing
virtualisation.oci-containers.containers = {
searxng = {
@ -7,11 +7,6 @@
ports = [
"3345:3000"
];
# TODO implement limiter
#volumes = [
# "/home/carbon/searxng.yml:/etc/searxng:rw"
#];
};
};


@ -1,118 +0,0 @@
# Auto-generated using compose2nix v0.2.0-pre.
{ pkgs, lib, ... }:
{
services.nginx = {
virtualHosts = {
"wikiless.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://127.0.0.1:8180";
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
};
# Containers
virtualisation.oci-containers.containers."wikiless" = {
image = "ghcr.io/metastem/wikiless:latest";
environment = {
REDIS_HOST = "redis://172.4.0.5:6379";
};
ports = [
"127.0.0.1:8180:8080/tcp"
];
dependsOn = [
"wikiless_redis"
];
log-driver = "journald";
extraOptions = [
"--cap-drop=ALL"
"--hostname=wikiless"
"--ip=172.4.0.6"
"--network-alias=wikiless"
"--network=docker-compose_wikiless_net"
"--security-opt=no-new-privileges:true"
];
};
systemd.services."podman-wikiless" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-docker-compose_wikiless_net.service"
];
requires = [
"podman-network-docker-compose_wikiless_net.service"
];
partOf = [
"podman-compose-docker-compose-root.target"
];
wantedBy = [
"podman-compose-docker-compose-root.target"
];
};
virtualisation.oci-containers.containers."wikiless_redis" = {
image = "redis:latest";
user = "nobody";
log-driver = "journald";
extraOptions = [
"--cap-add=DAC_OVERRIDE"
"--cap-add=SETGID"
"--cap-add=SETUID"
"--cap-drop=ALL"
"--hostname=wikiless_redis"
"--ip=172.4.0.5"
"--network-alias=wikiless_redis"
"--network=docker-compose_wikiless_net"
"--security-opt=no-new-privileges:true"
];
};
systemd.services."podman-wikiless_redis" = {
serviceConfig = {
Restart = lib.mkOverride 500 "always";
};
after = [
"podman-network-docker-compose_wikiless_net.service"
];
requires = [
"podman-network-docker-compose_wikiless_net.service"
];
partOf = [
"podman-compose-docker-compose-root.target"
];
wantedBy = [
"podman-compose-docker-compose-root.target"
];
};
# Networks
systemd.services."podman-network-docker-compose_wikiless_net" = {
path = [ pkgs.podman ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "${pkgs.podman}/bin/podman network rm -f docker-compose_wikiless_net";
};
script = ''
podman network inspect docker-compose_wikiless_net || podman network create docker-compose_wikiless_net --subnet=172.4.0.0/16
'';
partOf = [ "podman-compose-docker-compose-root.target" ];
wantedBy = [ "podman-compose-docker-compose-root.target" ];
};
# Root service
# When started, this will automatically create all resources and start
# the containers. When stopped, this will teardown all resources.
systemd.targets."podman-compose-docker-compose-root" = {
unitConfig = {
Description = "Root target generated by compose2nix.";
};
wantedBy = [ "multi-user.target" ];
};
}


@ -13,6 +13,7 @@
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};


@ -14,6 +14,7 @@
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};


@ -2,22 +2,36 @@
services.nginx = {
virtualHosts = {
"lpdev.${config.networking.domain}" =
{
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.99:8181";
};
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
"lpdev.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.99:8181";
};
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
"lpdev-eureka.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = " http://32.54.31.99:8761";
};
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
};
}
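Review bot: the new `lpdev-eureka.${config.networking.domain}` vhost publishes `http://32.54.31.99:8761` behind a public certificate with no access restriction; if that is a Netflix Eureka registry (8761 is its conventional port) its dashboard and REST API are unauthenticated by default and list every registered service, so an `allow`/`deny` block or a `basicAuthFile` on this location is worth adding before it is reachable from the internet. The upstream hop is plain HTTP to another host, same as the `lpdev` block above; fine on a trusted segment, otherwise the `proxyPass` should move to TLS.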


@ -24,6 +24,7 @@ in
};
extraConfig = ''
client_max_body_size 9000M;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
"${fqdn}" = {
@ -33,6 +34,7 @@ in
locations."/_matrix".proxyPass = "http://32.54.31.241:8008";
locations."/_synapse".proxyPass = "http://32.54.31.241:8008";
locations."= /.well-known/matrix/client" .extraConfig = mkWellKnown clientConfig;
};
};
};


@ -16,6 +16,7 @@
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};


@ -19,6 +19,7 @@
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};


@ -13,6 +13,7 @@
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};


@ -2,7 +2,7 @@
pkgs.stdenv.mkDerivation rec {
name = "website";
version = "0.1.25";
version = "0.1.29";
src = /home/grape/code/4o1x5/website;
buildInputs = [ pkgs.hugo ];